From dc48e1417d26146d0f19467f17903d0cc1803dd9 Mon Sep 17 00:00:00 2001 From: Georgia Garcia Date: Thu, 13 Jun 2024 15:22:31 -0300 Subject: [PATCH] parser: don't add mediation classes to unconfined profiles Adding mediation classes in unconfined profiles caused nested profiles to be mediated, inside a container for example. As a first step, skip the addition of mediation classes into the dfa. The creation of unprivileged user namespaces is an exception, where we always want to mediate it. Fixes: https://bugs.launchpad.net/apparmor/+bug/2067900 Signed-off-by: Georgia Garcia --- parser/parser_regex.c | 69 +++++++++++++++++++++++-------------------- 1 file changed, 37 insertions(+), 32 deletions(-) diff --git a/parser/parser_regex.c b/parser/parser_regex.c index ef5c2c1f4..1af5eaf58 100644 --- a/parser/parser_regex.c +++ b/parser/parser_regex.c 
@@ -1000,41 +1000,46 @@ int process_profile_policydb(Profile *prof)
 * to be supported */
- /* note: this activates fs based unix domain sockets mediation on connect */
- if (kernel_abi_version > 5 &&
- !prof->policy.rules->add_rule(mediates_file, 0, AA_MAY_READ, 0, parseopts))
- goto out;
- if (features_supports_mount &&
- !prof->policy.rules->add_rule(mediates_mount, 0, AA_MAY_READ, 0, parseopts))
- goto out;
- if (features_supports_dbus &&
- !prof->policy.rules->add_rule(mediates_dbus, 0, AA_MAY_READ, 0, parseopts))
- goto out;
- if (features_supports_signal &&
- !prof->policy.rules->add_rule(mediates_signal, 0, AA_MAY_READ, 0, parseopts))
- goto out;
- if (features_supports_ptrace &&
- !prof->policy.rules->add_rule(mediates_ptrace, 0, AA_MAY_READ, 0, parseopts))
- goto out;
- if (features_supports_networkv8 &&
- !prof->policy.rules->add_rule(mediates_netv8, 0, AA_MAY_READ, 0, parseopts))
- goto out;
- if (features_supports_unix &&
- (!prof->policy.rules->add_rule(mediates_extended_net, 0, AA_MAY_READ, 0, parseopts) ||
- !prof->policy.rules->add_rule(mediates_net_unix, 0, AA_MAY_READ, 0, parseopts)))
- goto out;
 if (features_supports_userns &&
 !prof->policy.rules->add_rule(mediates_ns, 0, AA_MAY_READ, 0, parseopts))
 goto out;
- if (features_supports_posix_mqueue &&
- !prof->policy.rules->add_rule(mediates_posix_mqueue, 0, AA_MAY_READ, 0, parseopts))
- goto out;
- if (features_supports_sysv_mqueue &&
- !prof->policy.rules->add_rule(mediates_sysv_mqueue, 0, AA_MAY_READ, 0, parseopts))
- goto out;
- if (features_supports_io_uring &&
- !prof->policy.rules->add_rule(mediates_io_uring, 0, AA_MAY_READ, 0, parseopts))
- goto out;
+
+ /* don't add mediated classes to unconfined profiles */
+ if (prof->flags.mode != MODE_UNCONFINED &&
+ prof->flags.mode != MODE_DEFAULT_ALLOW) {
+ /* note: this activates fs based unix domain sockets mediation on connect */
+ if (kernel_abi_version > 5 &&
+ !prof->policy.rules->add_rule(mediates_file, 0, AA_MAY_READ, 0, parseopts))
+ goto out;
+ if (features_supports_mount &&
+ !prof->policy.rules->add_rule(mediates_mount, 0, AA_MAY_READ, 0, parseopts))
+ goto out;
+ if (features_supports_dbus &&
+ !prof->policy.rules->add_rule(mediates_dbus, 0, AA_MAY_READ, 0, parseopts))
+ goto out;
+ if (features_supports_signal &&
+ !prof->policy.rules->add_rule(mediates_signal, 0, AA_MAY_READ, 0, parseopts))
+ goto out;
+ if (features_supports_ptrace &&
+ !prof->policy.rules->add_rule(mediates_ptrace, 0, AA_MAY_READ, 0, parseopts))
+ goto out;
+ if (features_supports_networkv8 &&
+ !prof->policy.rules->add_rule(mediates_netv8, 0, AA_MAY_READ, 0, parseopts))
+ goto out;
+ if (features_supports_unix &&
+ (!prof->policy.rules->add_rule(mediates_extended_net, 0, AA_MAY_READ, 0, parseopts) ||
+ !prof->policy.rules->add_rule(mediates_net_unix, 0, AA_MAY_READ, 0, parseopts)))
+ goto out;
+ if (features_supports_posix_mqueue &&
+ !prof->policy.rules->add_rule(mediates_posix_mqueue, 0, AA_MAY_READ, 0, parseopts))
+ goto out;
+ if (features_supports_sysv_mqueue &&
+ !prof->policy.rules->add_rule(mediates_sysv_mqueue, 0, AA_MAY_READ, 0, parseopts))
+ goto out;
+ if (features_supports_io_uring &&
+ !prof->policy.rules->add_rule(mediates_io_uring, 0, AA_MAY_READ, 0, parseopts))
+ goto out;
+ }
 if (prof->policy.rules->rule_count > 0) {
 int xmatch_len = 0;
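Review bot: The new guard on `prof->flags.mode` also skips the mediation class markers for MODE_DEFAULT_ALLOW profiles, which the commit title and message (unconfined only) do not mention, so the one-line comment should state why default_allow is grouped with unconfined and what the omission means, e.g. `/* unconfined and default_allow profiles get no implicit mediation class markers: a class with no rules must stay unmediated there, otherwise nested (e.g. container) profiles end up mediated by the outer profile; userns is the deliberate exception, added above */`. If a default_allow profile carries explicit deny rules in one of these classes, whether those rules still mediate presumably depends on the rule encoding itself placing the class in the dfa rather than on these markers — worth confirming and noting in the follow-up the message's "first step" hints at. The `mediates_ns` rule is still added before the mode check, so that ordering is now load-bearing; a comment on the kept userns lines such as `/* always mediate userns creation, even for unconfined */` would keep a later reorder from silently dropping it. process_profile_policydb's body continues outside the hunk.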