Merge parser: ensure mqueue obeys abi

The abi is not being respected by mqueue rules in many cases. If policy does ot specify an mqueue rule the abi is correctly applied but if an mqueue rule is specified explicitly or implicitly (eg. allow all). without setting the mqueue type OR setting the mqueue type to sysv. The abi will be ignored and mqueue will be enforced for policy regadless. Known good mqueue rule that respects abi mqueue type=posix, # and all variations that keep type=posix Known bad mqueue rules that do not respect abi mqueue, # and all variants that do not specify the type= option mqueue type=sysv, # and all variants that specify the type=sysv option Issue: https://gitlab.com/apparmor/apparmor/-/issues/412 Fixes: d98c5c4cf ("parser: add parser support for message queue mediation") Signed-off-by: John Johansen <john.johansen@canonical.com> MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1277 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>
2025-03-04 08:24:42 +01:00 · 2024-07-20 20:05:47 +00:00 · 2024-07-20 20:05:47 +00:00 · d0d75abd02
commit d0d75abd02
parent 766881b040 30d57a6bf0
1 changed files with 2 additions and 2 deletions
--- a/parser/mqueue.cc
+++ b/parser/mqueue.cc
@ -192,14 +192,14 @@ int mqueue_rule::gen_policy_re(Profile &prof)
 		return RULE_NOT_SUPPORTED;
 	} else if (qtype == mqueue_sysv && !features_supports_sysv_mqueue) {
 		warn_once(prof.name);
-		//	return RULE_NOT_SUPPORTED;
+		return RULE_NOT_SUPPORTED;
 	} else if (qtype == mqueue_unspecified &&
 		   !(features_supports_posix_mqueue ||
 		     features_supports_sysv_mqueue)) {
 		warn_once(prof.name);
 		// should split into warning where posix and sysv can
 		// be separated from nothing being enforced
-		//	return RULE_NOT_SUPPORTED;
+		return RULE_NOT_SUPPORTED;
 	}

 	/* always generate a label and mqueue entry */