parser: Allow AF_UNSPEC family in network rules

https://launchpad.net/bugs/1546455 Don't filter out AF_UNSPEC from the list of valid protocol families so that the parser will accept rules such as 'network unspec,'. There are certain syscalls, such as socket(2), where the LSM hooks are called before the protocol family is validated. In these cases, AppArmor was emitting denials even though socket(2) will eventually fail. There may be cases where AF_UNSPEC sockets are accepted and we need to make sure that we're mediating those appropriately. Signed-off-by: Tyler Hicks <tyhicks@canonical.com> Suggested-by: Steve Beattie <steve@nxnw.org> Acked-by: John Johansen <john.johansen@canonical.com> [cboltz: Add 'unspec' to the network domain keywords of the utils]
2025-03-04 16:35:02 +01:00 · 2016-02-18 16:31:56 -06:00 · 2016-02-18 16:31:56 -06:00 · 85be9528ec
commit 85be9528ec
parent 5493e01408
5 changed files with 16 additions and 2 deletions
--- a/common/Make.rules
+++ b/common/Make.rules
@ -98,7 +98,7 @@ list_capabilities: /usr/include/linux/capability.h
 # to mediate. We use PF_ here since that is what is required in
 # bits/socket.h, but we will rewrite these as AF_.

-FILTER_FAMILIES=PF_UNSPEC PF_UNIX
+FILTER_FAMILIES=PF_UNIX

 __FILTER=$(shell echo $(strip $(FILTER_FAMILIES)) | sed -e 's/ /\\\|/g')

--- a/parser/tst/simple_tests/network/network_ok_2.sd
+++ b/parser/tst/simple_tests/network/network_ok_2.sd
@ -3,6 +3,7 @@
 #=EXRESULT PASS
 #
 /usr/bin/foo {
+  network unspec,
  network inet,
  network ax25,
  network ipx,
--- a/parser/tst/simple_tests/network/network_ok_7.sd
+++ b/parser/tst/simple_tests/network/network_ok_7.sd
@ -0,0 +1,9 @@
+#
+#=DESCRIPTION basic unspec network tests
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+  network unspec stream,
+  network unspec dgram,
+  network unspec raw,
+}
--- a/tests/regression/apparmor/tcp.sh
+++ b/tests/regression/apparmor/tcp.sh
@ -52,6 +52,10 @@ runchecktest "TCP (accept, connect) low numbered port/bind cap" pass 23
 genprofile network:inet 
 runchecktest "TCP (accept, connect) low numbered port/no bind cap" fail 23

+# FAIL TEST - make sure that unspec doesn't match
+genprofile network:unspec
+runchecktest "TCP (accept, connect) wrong socket family" fail 23
+
 exit 0

 # PASS TEST - accept via interface
--- a/utils/apparmor/rule/network.py
+++ b/utils/apparmor/rule/network.py
@ -24,7 +24,7 @@ from apparmor.translations import init_translation
 _ = init_translation()


-network_domain_keywords   = [ 'unix', 'inet', 'ax25', 'ipx', 'appletalk', 'netrom', 'bridge', 'atmpvc', 'x25', 'inet6',
+network_domain_keywords   = [ 'unspec', 'unix', 'inet', 'ax25', 'ipx', 'appletalk', 'netrom', 'bridge', 'atmpvc', 'x25', 'inet6',
                              'rose', 'netbeui', 'security', 'key', 'netlink', 'packet', 'ash', 'econet', 'atmsvc', 'rds', 'sna',
                              'irda', 'pppox', 'wanpipe', 'llc', 'can', 'tipc', 'bluetooth', 'iucv', 'rxrpc', 'isdn', 'phonet',
                              'ieee802154', 'caif', 'alg', 'nfc', 'vsock', 'mpls', 'ib' ]