mirror of
https://gitlab.com/apparmor/apparmor.git
synced 2025-03-04 08:24:42 +01:00
parser: don't add mediation classes to unconfined profiles
Adding mediation classes in unconfined profiles caused nested profiles to be mediated, inside a container for example. As a first step, skip the addition of mediation classes into the dfa. The creation of unprivileged user namespaces is an exception, where we always want to mediate it. Fixes: https://bugs.launchpad.net/apparmor/+bug/2067900 Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
This commit is contained in:
Georgia Garcia
parent
70ddb0ca5b
commit
dc48e1417d
1 changed files with 37 additions and 32 deletions
|
|
@ -1000,41 +1000,46 @@ int process_profile_policydb(Profile *prof)
|
||||||
* to be supported
|
* to be supported
|
||||||
*/
|
*/
|
||||||
|
|
||||||
/* note: this activates fs based unix domain sockets mediation on connect */
|
|
||||||
if (kernel_abi_version > 5 &&
|
|
||||||
!prof->policy.rules->add_rule(mediates_file, 0, AA_MAY_READ, 0, parseopts))
|
|
||||||
goto out;
|
|
||||||
if (features_supports_mount &&
|
|
||||||
!prof->policy.rules->add_rule(mediates_mount, 0, AA_MAY_READ, 0, parseopts))
|
|
||||||
goto out;
|
|
||||||
if (features_supports_dbus &&
|
|
||||||
!prof->policy.rules->add_rule(mediates_dbus, 0, AA_MAY_READ, 0, parseopts))
|
|
||||||
goto out;
|
|
||||||
if (features_supports_signal &&
|
|
||||||
!prof->policy.rules->add_rule(mediates_signal, 0, AA_MAY_READ, 0, parseopts))
|
|
||||||
goto out;
|
|
||||||
if (features_supports_ptrace &&
|
|
||||||
!prof->policy.rules->add_rule(mediates_ptrace, 0, AA_MAY_READ, 0, parseopts))
|
|
||||||
goto out;
|
|
||||||
if (features_supports_networkv8 &&
|
|
||||||
!prof->policy.rules->add_rule(mediates_netv8, 0, AA_MAY_READ, 0, parseopts))
|
|
||||||
goto out;
|
|
||||||
if (features_supports_unix &&
|
|
||||||
(!prof->policy.rules->add_rule(mediates_extended_net, 0, AA_MAY_READ, 0, parseopts) ||
|
|
||||||
!prof->policy.rules->add_rule(mediates_net_unix, 0, AA_MAY_READ, 0, parseopts)))
|
|
||||||
goto out;
|
|
||||||
if (features_supports_userns &&
|
if (features_supports_userns &&
|
||||||
!prof->policy.rules->add_rule(mediates_ns, 0, AA_MAY_READ, 0, parseopts))
|
!prof->policy.rules->add_rule(mediates_ns, 0, AA_MAY_READ, 0, parseopts))
|
||||||
goto out;
|
goto out;
|
||||||
if (features_supports_posix_mqueue &&
|
|
||||||
!prof->policy.rules->add_rule(mediates_posix_mqueue, 0, AA_MAY_READ, 0, parseopts))
|
/* don't add mediated classes to unconfined profiles */
|
||||||
goto out;
|
if (prof->flags.mode != MODE_UNCONFINED &&
|
||||||
if (features_supports_sysv_mqueue &&
|
prof->flags.mode != MODE_DEFAULT_ALLOW) {
|
||||||
!prof->policy.rules->add_rule(mediates_sysv_mqueue, 0, AA_MAY_READ, 0, parseopts))
|
/* note: this activates fs based unix domain sockets mediation on connect */
|
||||||
goto out;
|
if (kernel_abi_version > 5 &&
|
||||||
if (features_supports_io_uring &&
|
!prof->policy.rules->add_rule(mediates_file, 0, AA_MAY_READ, 0, parseopts))
|
||||||
!prof->policy.rules->add_rule(mediates_io_uring, 0, AA_MAY_READ, 0, parseopts))
|
goto out;
|
||||||
goto out;
|
if (features_supports_mount &&
|
||||||
|
!prof->policy.rules->add_rule(mediates_mount, 0, AA_MAY_READ, 0, parseopts))
|
||||||
|
goto out;
|
||||||
|
if (features_supports_dbus &&
|
||||||
|
!prof->policy.rules->add_rule(mediates_dbus, 0, AA_MAY_READ, 0, parseopts))
|
||||||
|
goto out;
|
||||||
|
if (features_supports_signal &&
|
||||||
|
!prof->policy.rules->add_rule(mediates_signal, 0, AA_MAY_READ, 0, parseopts))
|
||||||
|
goto out;
|
||||||
|
if (features_supports_ptrace &&
|
||||||
|
!prof->policy.rules->add_rule(mediates_ptrace, 0, AA_MAY_READ, 0, parseopts))
|
||||||
|
goto out;
|
||||||
|
if (features_supports_networkv8 &&
|
||||||
|
!prof->policy.rules->add_rule(mediates_netv8, 0, AA_MAY_READ, 0, parseopts))
|
||||||
|
goto out;
|
||||||
|
if (features_supports_unix &&
|
||||||
|
(!prof->policy.rules->add_rule(mediates_extended_net, 0, AA_MAY_READ, 0, parseopts) ||
|
||||||
|
!prof->policy.rules->add_rule(mediates_net_unix, 0, AA_MAY_READ, 0, parseopts)))
|
||||||
|
goto out;
|
||||||
|
if (features_supports_posix_mqueue &&
|
||||||
|
!prof->policy.rules->add_rule(mediates_posix_mqueue, 0, AA_MAY_READ, 0, parseopts))
|
||||||
|
goto out;
|
||||||
|
if (features_supports_sysv_mqueue &&
|
||||||
|
!prof->policy.rules->add_rule(mediates_sysv_mqueue, 0, AA_MAY_READ, 0, parseopts))
|
||||||
|
goto out;
|
||||||
|
if (features_supports_io_uring &&
|
||||||
|
!prof->policy.rules->add_rule(mediates_io_uring, 0, AA_MAY_READ, 0, parseopts))
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
|
||||||
if (prof->policy.rules->rule_count > 0) {
|
if (prof->policy.rules->rule_count > 0) {
|
||||||
int xmatch_len = 0;
|
int xmatch_len = 0;
|
||||||
|
|
|
||||||
Loading…
Add table
Reference in a new issue