diff --git a/common/Make.rules b/common/Make.rules
index 148f80e8c..8f9cbd157 100644
--- a/common/Make.rules
+++ b/common/Make.rules
@@ -98,7 +98,7 @@ list_capabilities: /usr/include/linux/capability.h
 # to mediate. We use PF_ here since that is what is required in
 # bits/socket.h, but we will rewrite these as AF_.
-FILTER_FAMILIES=PF_UNSPEC PF_UNIX
+FILTER_FAMILIES=PF_UNIX
 __FILTER=$(shell echo $(strip $(FILTER_FAMILIES)) | sed -e 's/ /\\\|/g')
diff --git a/parser/tst/simple_tests/network/network_ok_2.sd b/parser/tst/simple_tests/network/network_ok_2.sd
index bb16a23cc..2ad66afdd 100644
--- a/parser/tst/simple_tests/network/network_ok_2.sd
+++ b/parser/tst/simple_tests/network/network_ok_2.sd
@@ -3,6 +3,7 @@
 #=EXRESULT PASS
 #
 /usr/bin/foo {
+ network unspec,
 network inet,
 network ax25,
 network ipx,
diff --git a/parser/tst/simple_tests/network/network_ok_7.sd b/parser/tst/simple_tests/network/network_ok_7.sd
new file mode 100644
index 000000000..2a8ccf887
--- /dev/null
+++ b/parser/tst/simple_tests/network/network_ok_7.sd
@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION basic unspec network tests
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+ network unspec stream,
+ network unspec dgram,
+ network unspec raw,
+}
diff --git a/tests/regression/apparmor/tcp.sh b/tests/regression/apparmor/tcp.sh
index 076ca00e7..703f1c55f 100755
--- a/tests/regression/apparmor/tcp.sh
+++ b/tests/regression/apparmor/tcp.sh
@@ -52,6 +52,10 @@ runchecktest "TCP (accept, connect) low numbered port/bind cap" pass 23
 genprofile network:inet
 runchecktest "TCP (accept, connect) low numbered port/no bind cap" fail 23
+# FAIL TEST - make sure that unspec doesn't match
+genprofile network:unspec
+runchecktest "TCP (accept, connect) wrong socket family" fail 23
+
 exit 0
 # PASS TEST - accept via interface
diff --git a/utils/apparmor/rule/network.py b/utils/apparmor/rule/network.py
index 7c7053f32..d082071c4 100644
--- a/utils/apparmor/rule/network.py
+++ b/utils/apparmor/rule/network.py
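Review bot: The comment block above `FILTER_FAMILIES` still describes the list as the families AppArmor does not or cannot mediate, and after `PF_UNSPEC` is dropped from the `+` line nothing records why AF_UNSPEC is now treated as a real, mediated family, so a later cleanup could plausibly re-add it as "not a real protocol family". A one-line comment on the new assignment would pin the decision, e.g. `# PF_UNSPEC is deliberately mediated: profiles need an 'unspec' keyword to allow or deny socket(AF_UNSPEC, ...) (see tests/regression/apparmor/tcp.sh)`. The reason AF_UNSPEC sockets are visible to mediation at all (presumably the LSM socket-create hook fires before the kernel rejects the family) is not shown by this diff, so confirm it before wording the comment that way. The comment block this hunk sits in starts before the hunk.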
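Review bot: The new FAIL case in tcp.sh cannot distinguish a family mismatch from a missing bind capability: it reuses privileged port 23, and the `network:inet` case immediately above already fails on that port purely because no `net_bind_service` capability is granted, so `runchecktest ... fail 23` would still pass even if `unspec` wrongly matched AF_INET. Let the family be the only difference from the passing `pass 23` case named in the hunk header, e.g. `genprofile network:unspec cap:net_bind_service` (that case's exact `genprofile` invocation is outside this hunk, so copy its capability syntax), or move the test to the unprivileged port the earlier tests in this file use. Only then does the `fail 23` expectation really verify that `unspec` is not a wildcard over other families.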
@@ -24,7 +24,7 @@ from apparmor.translations import init_translation _ = init_translation() -network_domain_keywords = [ 'unix', 'inet', 'ax25', 'ipx', 'appletalk', 'netrom', 'bridge', 'atmpvc', 'x25', 'inet6', +network_domain_keywords = [ 'unspec', 'unix', 'inet', 'ax25', 'ipx', 'appletalk', 'netrom', 'bridge', 'atmpvc', 'x25', 'inet6', 'rose', 'netbeui', 'security', 'key', 'netlink', 'packet', 'ash', 'econet', 'atmsvc', 'rds', 'sna', 'irda', 'pppox', 'wanpipe', 'llc', 'can', 'tipc', 'bluetooth', 'iucv', 'rxrpc', 'isdn', 'phonet', 'ieee802154', 'caif', 'alg', 'nfc', 'vsock', 'mpls', 'ib' ]
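Review bot: `network_domain_keywords` is a hand-maintained copy of the family set that the parser appears to derive from `FILTER_FAMILIES` in common/Make.rules, and this commit has to update both by hand; nothing at the list says so, which is how the two drift apart on the next family change. A comment on the `+` line would make the coupling explicit, e.g. `# Keep in sync with the AF_ families the parser accepts: everything in linux/socket.h minus FILTER_FAMILIES in common/Make.rules.` Whether any other table or regex in this module also enumerates families is not visible in this hunk and should be checked, since a keyword added here alone may still be rejected elsewhere in the rule class.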