mirrors/apparmor
1
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor.git synced 2025-03-04 08:24:42 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

Do not output local permissions for rules that have peer_conditionals

Browse source 
while it is not possible to specify a rule with local conditionals with
peer conditionals
eg.
   unix listen peer=(addr=@foo),

a rule such as
   unix peer=(addr=@foo),

is possible, and was setting all permissions for local as well as the peer
condition permissions.

Currently this means the create permission must be specified in a separate
rule from a rule with a peer= condition, if create is to be allowed. This
isn't too much of an issue but it does mean rule such as
  unix connect peer=(addr=@foo),

Can not imply the ability to create a socket. Which may indeed be the
behavior if we wish to enforce that the socket was created in another
process and passed in. Is this what we want to do?

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Tyler Hicks <tyhicks@canonical.com>
This commit is contained in:
John Johansen 2014-09-22 11:33:49 -05:00 committed by Tyler Hicks
parent 01b754b24d
commit ffa2f682ea
1 changed files with 8 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

14
parser/af_unix.cc
View file

@ -334,7 +334,7 @@ int unix_rule::gen_policy_re(Profile &prof)
}
write_to_prot(buffer);
if (mask & AA_NET_CREATE) {
if ((mask & AA_NET_CREATE) && !has_peer_conds()) {
buf = buffer.str();
if (!prof.policy.rules->add_rule(buf.c_str(), deny,
map_perms(AA_NET_CREATE),
@ -355,16 +355,18 @@ int unix_rule::gen_policy_re(Profile &prof)
buffer << "\\x00";
/* create already masked off */
if (mask & AA_LOCAL_NET_PERMS & ~AA_LOCAL_NET_CMD) {
int local_mask = has_peer_conds() ? AA_NET_ACCEPT :
AA_LOCAL_NET_PERMS & ~AA_LOCAL_NET_CMD;
if (mask & local_mask) {
buf = buffer.str();
if (!prof.policy.rules->add_rule(buf.c_str(), deny,
map_perms(mask & AA_LOCAL_NET_PERMS & ~AA_LOCAL_NET_CMD),
map_perms(audit & AA_LOCAL_NET_PERMS & ~AA_LOCAL_NET_CMD),
map_perms(mask & local_mask),
map_perms(audit & local_mask),
dfaflags))
goto fail;
}
if (mask & AA_NET_LISTEN) {
if ((mask & AA_NET_LISTEN) && !has_peer_conds()) {
std::ostringstream tmp(buffer.str());
tmp.seekp(0, ios_base::end);
tmp << "\\x" << std::setfill('0') << std::setw(2) << std::hex << CMD_LISTEN;
@ -377,7 +379,7 @@ int unix_rule::gen_policy_re(Profile &prof)
dfaflags))
goto fail;
}
if (mask & AA_NET_OPT) {
if ((mask & AA_NET_OPT) && !has_peer_conds()) {
std::ostringstream tmp(buffer.str());
tmp.seekp(0, ios_base::end);
tmp << "\\x" << std::setfill('0') << std::setw(2) << std::hex << CMD_OPT;