parser: Sync parser and man page regarding local and peer perms

This patch updates the parser code to reject rules that contain local
socket permissions and peer conditional elements. The error message for
that condition is also corrected to resolve a copy and paste mistake
from the D-Bus rule parsing code.

The patch also updates the man page to correctly describe the two sets
of socket permissions and fixes an example rule that resulted in a
parser error after the change described above.

Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
Tyler Hicks 2014-09-22 11:34:32 -05:00
parent ffa2f682ea
commit a154d14f5a
2 changed files with 10 additions and 15 deletions


@ -115,12 +115,8 @@ unix_rule::unix_rule(int mode_p, struct cond_entry *conds,
mode = mode_p;
if (mode & ~AA_VALID_NET_PERMS)
yyerror("mode contains invalid permissions for unix socket rules\n");
else if ((mode & AA_NET_BIND) && has_peer_conds())
/* Do we want to loosen this? */
yyerror("unix socket 'bind' access cannot be used with message rule conditionals\n");
else if ((mode & AA_NET_LISTEN) && has_peer_conds())
/* Do we want to loosen this? */
yyerror("unix socket 'listen' access cannot be used with message rule conditionals\n");
else if ((mode & ~AA_PEER_NET_PERMS) && has_peer_conds())
yyerror("unix socket 'create', 'shutdown', 'setattr', 'getattr', 'bind', 'listen', 'setopt', and/or 'getopt' accesses cannot be used with peer socket conditionals\n");
} else {
mode = AA_VALID_NET_PERMS;
}
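Review bot: the trailing `else` branch in this hunk still does `mode = AA_VALID_NET_PERMS;` without consulting `has_peer_conds()`, so a rule that has a peer component but no access list ends up carrying the local-only accesses ('create', 'bind', 'listen', 'shutdown', 'getattr', 'setattr', 'getopt', 'setopt') in its mode, which is exactly the combination the new `else if ((mode & ~AA_PEER_NET_PERMS) && has_peer_conds())` rejects when the user spells it out, and the man page half of this same commit says only the peer socket permissions are implied in that case. Unless those bits are masked off later in the encoding path, consider `mode = has_peer_conds() ? AA_PEER_NET_PERMS : AA_VALID_NET_PERMS;` so the implied and explicit cases agree. Minor: the new yyerror string enumerates the rejected accesses by name, which will silently drift from `~AA_PEER_NET_PERMS` if the mask ever changes; a one-line comment tying the list to the mask (or generating it from the mask) would help the next maintainer.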


@ -886,15 +886,14 @@ state an access list. By default if a rule does not have an access list
all permissions that are compatible with the specified set of local
and peer conditionals are implied.
The create, bind, listen, shutdown, getattr, setattr permissions are
applied to the local socket. The accept, connect, send, receive permissions
apply to the combination of a local and peer. Currently it is required that
create, bind, listen, shutdown, getattr, and settr permission are only
specified in rules that do not have a peer component.
The create, bind, listen, shutdown, getattr, setattr, getopt, and setopt
permissions are local socket permissions. They are only applied to the local
socket and can't be specified in rules that have a peer component. The accept
permission applies to the combination of a local and peer socket. The connect,
send, and receive permissions are peer socket permissions.
If a rule is specified with a peer component it will only imply accept
(stream), connect (stream), listen, receive and send. It will not imply the
create, bind, listen, shutdown, getattr, or setattr permissions.
Only the peer socket permissions will be applied to rules that don't specify
permissions and contain a peer component.
=head3 Example Unix domain socket rules:
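Review bot: the new wording leaves 'accept' in limbo. It is described as applying to "the combination of a local and peer socket" but is grouped with neither the local socket permissions nor the peer socket permissions, so the closing sentence "Only the peer socket permissions will be applied to rules that don't specify permissions and contain a peer component" does not tell the reader whether a peer rule with no access list implies accept. The removed text at least named "accept (stream)" explicitly. Suggest either restoring an explicit list ("will only imply accept, connect, receive and send") or stating that accept counts as a peer socket permission for this purpose, which is what the parser check in the companion hunk effectively does, since accept is not among the accesses it rejects in combination with peer conditionals. Stating that explicitly here also keeps the man page and the yyerror text in step.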
@ -914,7 +913,7 @@ create, bind, listen, shutdown, getattr, or setattr permissions.
unix (receive) peer=(label=unconfined),
# Allow getattr and shutdown on anonymous sockets
unix (getattr, shutdown) peer=(addr=none),
unix (getattr, shutdown) addr=none,
# Allow SOCK_STREAM connect, receive and send on an abstract socket @bar
# with peer running under profile '/foo'
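Review bot: the rewritten example now uses a local `addr=none` condition, but its comment "Allow getattr and shutdown on anonymous sockets" reads just as naturally as a statement about the peer, so the example no longer illustrates the local/peer distinction the paragraph above introduces. Consider "Allow getattr and shutdown on the local anonymous socket" (or "on an unnamed local socket"). Since the old line was the one showing `peer=(addr=none)`, it may also be worth keeping a peer-side counterpart that uses only peer permissions, e.g. `unix (send, receive) peer=(addr=none),`, so readers see both forms that the new parser check permits.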