On Fri, Aug 18, 2017 at 05:02:15PM -0700, John Johansen wrote:
> with unix rules we output a downgraded rule compatible with network rules so
> that policy will work on kernels that support network socket controls but not
> the extended af_unix rules
>
> however this is currently broken if the socket type is left unspecified
> (initialized to -1), resulting in denials for kernels that don't support the
> extended af_unix rules.
>
> ---
Acked-by: Seth Arnold <[email protected]> Thanks > === modified file 'parser/af_unix.cc' > --- parser/af_unix.cc 2015-02-12 18:19:16 +0000 > +++ parser/af_unix.cc 2017-08-18 11:25:26 +0000 > @@ -196,16 +196,20 @@ > #define CMD_OPT 4 > > void unix_rule::downgrade_rule(Profile &prof) { > + unsigned int mask = (unsigned int) -1; > + > if (!prof.net.allow && !prof.alloc_net_table()) > yyerror(_("Memory allocation error.")); > + if (sock_type_n != -1) > + mask = 1 << sock_type_n; > if (deny) { > - prof.net.deny[AF_UNIX] |= 1 << sock_type_n; > + prof.net.deny[AF_UNIX] |= mask; > if (!audit) > - prof.net.quiet[AF_UNIX] |= 1 << sock_type_n; > + prof.net.quiet[AF_UNIX] |= mask; > } else { > - prof.net.allow[AF_UNIX] |= 1 << sock_type_n; > + prof.net.allow[AF_UNIX] |= mask; > if (audit) > - prof.net.audit[AF_UNIX] |= 1 << sock_type_n; > + prof.net.audit[AF_UNIX] |= mask; > } > }
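Review bot: the `if (sock_type_n != -1)` guard addresses the actual defect in the removed lines, where `1 << sock_type_n` was evaluated with sock_type_n == -1; a negative shift count is undefined behaviour in C++, so the resulting AF_UNIX mask did not reliably cover the socket types the rule intended, which is the denial the commit message describes. The all-ones `mask` now means "every socket type" for the AF_UNIX row, matching the semantics of a unix rule with no type given, but nothing in the hunk states that intent: a one-line comment above `unsigned int mask = (unsigned int) -1;` saying that an unspecified type downgrades to all types would help the next reader, and comparing against a named constant for "unspecified" instead of a second bare -1 would avoid duplicating the sentinel. A regression test that compiles a typeless unix rule for a kernel without the extended af_unix rules and checks that allow/deny entries exist for every socket type would pin the fix down.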
--
AppArmor mailing list
[email protected]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
