diff --git a/libraries/libapparmor/src/apparmor.h b/libraries/libapparmor/src/apparmor.h
index 21c9e20c5..7648eae09 100644
--- a/libraries/libapparmor/src/apparmor.h
+++ b/libraries/libapparmor/src/apparmor.h
@@ -50,6 +50,7 @@ __BEGIN_DECLS
 #define AA_DBUS_SEND AA_MAY_WRITE
 #define AA_DBUS_RECEIVE AA_MAY_READ
+#define AA_DBUS_EAVESDROP (1 << 5)
 #define AA_DBUS_BIND AA_MAY_BIND
diff --git a/parser/dbus.c b/parser/dbus.c
index 7996aa068..d408478c6 100644
--- a/parser/dbus.c
+++ b/parser/dbus.c
@@ -129,12 +129,18 @@ struct dbus_entry *new_dbus_entry(int mode, struct cond_entry *conds,
 yyerror("dbus \"bind\" access cannot be used with message rule conditionals\n");
 else if (service_rule && (ent->mode & (AA_DBUS_SEND | AA_DBUS_RECEIVE)))
 yyerror("dbus \"send\" and/or \"receive\" accesses cannot be used with service rule conditionals\n");
+ else if (ent->mode & AA_DBUS_EAVESDROP &&
+ (ent->path || ent->interface || ent->member ||
+ ent->peer_label || ent->name)) {
+ yyerror("dbus \"eavesdrop\" access can only contain a bus conditional\n");
+ }
 } else {
- ent->mode = AA_VALID_DBUS_PERMS;
 if (message_rule)
- ent->mode &= ~AA_DBUS_BIND;
+ ent->mode = (AA_DBUS_SEND | AA_DBUS_RECEIVE);
 else if (service_rule)
- ent->mode &= ~(AA_DBUS_SEND | AA_DBUS_RECEIVE);
+ ent->mode = (AA_DBUS_BIND);
+ else
+ ent->mode = AA_VALID_DBUS_PERMS;
 }
 out:
@@ -184,6 +190,8 @@ void print_dbus_entry(struct dbus_entry *ent)
 fprintf(stderr, "receive ");
 if (ent->mode & AA_DBUS_BIND)
 fprintf(stderr, "bind ");
+ if (ent->mode & AA_DBUS_EAVESDROP)
+ fprintf(stderr, "eavesdrop ");
 fprintf(stderr, ")");
 if (ent->bus)
diff --git a/parser/immunix.h b/parser/immunix.h
index f5064e841..c53d18f68 100644
--- a/parser/immunix.h
+++ b/parser/immunix.h
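Review bot: AA_DBUS_EAVESDROP is introduced as the bare literal `(1 << 5)` in this public header and again, independently, in the parser/immunix.h hunk, with nothing tying the two definitions together or showing that bit 5 is unused by the flags that share the mode word; AA_DBUS_SEND and AA_DBUS_RECEIVE are aliases of existing AA_MAY_* bits here, so a silent overlap would turn one dbus permission into another. A comment on the define, `/* keep in sync with parser/immunix.h; must not overlap AA_DBUS_SEND/RECEIVE/BIND */`, would document the constraint, and a compile-time check in immunix.h that `(AA_DBUS_EAVESDROP & (AA_DBUS_SEND | AA_DBUS_RECEIVE | AA_DBUS_BIND)) == 0` would enforce the overlap half of it. The kernel-side value this header is meant to mirror is not visible here, so whether 5 is the right bit cannot be confirmed from the diff.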
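Review bot: In the `} else {` branch that fills in a default mode, a rule with no explicit access and no message or service conditional now gets `ent->mode = AA_VALID_DBUS_PERMS`, which after the immunix.h hunk includes AA_DBUS_EAVESDROP; as far as this hunk shows, a pre-existing bare `dbus,` rule therefore starts granting eavesdrop on top of what it granted before, a wider default than the old `AA_VALID_DBUS_PERMS` minus nothing. If that widening is intended, a comment at the assignment, `/* no access and no conditionals: grant every dbus permission, eavesdrop included */`, and a sentence in the commit message would make it deliberate; if not, the final else should assign `AA_DBUS_SEND | AA_DBUS_RECEIVE | AA_DBUS_BIND`. Separately, the new eavesdrop test mixes `&` and `&&` without parentheses; writing it `(ent->mode & AA_DBUS_EAVESDROP) &&` matches the sibling condition two lines above. new_dbus_entry starts before this hunk and continues past `out:`.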
@@ -42,10 +42,11 @@
 #define AA_DBUS_SEND AA_MAY_WRITE
 #define AA_DBUS_RECEIVE AA_MAY_READ
+#define AA_DBUS_EAVESDROP (1 << 5)
 #define AA_DBUS_BIND (1 << 6)
 #define AA_VALID_DBUS_PERMS (AA_DBUS_SEND | AA_DBUS_RECEIVE | \
- AA_DBUS_BIND)
+ AA_DBUS_BIND | AA_DBUS_EAVESDROP)
 #define AA_BASE_PERMS (AA_MAY_EXEC | AA_MAY_WRITE | \
 AA_MAY_READ | AA_MAY_APPEND | \
diff --git a/parser/parser_lex.l b/parser/parser_lex.l
index b8878009e..ad2f0f748 100644
--- a/parser/parser_lex.l
+++ b/parser/parser_lex.l
@@ -468,6 +468,7 @@ LT_EQUAL <=
 bind { RETURN_TOKEN(TOK_BIND); }
 read { RETURN_TOKEN(TOK_READ); }
 write { RETURN_TOKEN(TOK_WRITE); }
+ eavesdrop { RETURN_TOKEN(TOK_EAVESDROP); }
 {OPEN_PAREN} {
 yy_push_state(LIST_VAL_MODE);
 RETURN_TOKEN(TOK_OPENPAREN);
diff --git a/parser/parser_misc.c b/parser/parser_misc.c
index 36149aff8..36285e802 100644
--- a/parser/parser_misc.c
+++ b/parser/parser_misc.c
@@ -146,6 +146,7 @@ static struct keyword_table keyword_table[] = {
 {"bind", TOK_BIND},
 {"read", TOK_READ},
 {"write", TOK_WRITE},
+ {"eavesdrop", TOK_EAVESDROP},
 {"peer", TOK_PEER},
 /* terminate */
diff --git a/parser/parser_regex.c b/parser/parser_regex.c
index 920a3d88a..20413b716 100644
--- a/parser/parser_regex.c
+++ b/parser/parser_regex.c
@@ -1139,6 +1139,13 @@ static int process_dbus_entry(aare_ruleset_t *dfarules, struct dbus_entry *entry
 6, vec, dfaflags))
 goto fail;
 }
+ if (entry->mode & AA_DBUS_EAVESDROP) {
+ if (!aare_add_rule_vec(dfarules, entry->deny,
+ entry->mode & AA_DBUS_EAVESDROP,
+ entry->audit & AA_DBUS_EAVESDROP,
+ 1, vec, dfaflags))
+ goto fail;
+ }
 return TRUE;
 fail:
diff --git a/parser/parser_yacc.y b/parser/parser_yacc.y
index aa21ec9b5..166798e2e 100644
--- a/parser/parser_yacc.y
+++ b/parser/parser_yacc.y
@@ -132,6 +132,7 @@ void add_local_entry(Profile *prof);
 %token TOK_BIND
 %token TOK_READ
 %token TOK_WRITE
+%token TOK_EAVESDROP
 %token TOK_PEER
 /* rlimits */
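Review bot: The new aare_add_rule_vec call in process_dbus_entry encodes the eavesdrop rule with a vector length of `1` while the call just above it passes `6`, and nothing in the hunk says which element of `vec` that single entry is or why the remaining five are dropped; the reason, that new_dbus_entry rejects eavesdrop with anything but a bus conditional, lives in dbus.c and is easy to lose when either file changes. A comment before the new `if`, `/* eavesdrop rules carry only the bus conditional, so only vec[0] is encoded */`, would keep the two files in step. Whether vec[0] is populated for a rule that names no bus, and what such an entry then matches, cannot be seen from this hunk and is worth confirming. process_dbus_entry starts before this hunk.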
@@ -1165,6 +1166,8 @@ dbus_perm: TOK_VALUE
 $$ = AA_DBUS_SEND;
 else if (strcmp($1, "receive") == 0 || strcmp($1, "read") == 0)
 $$ = AA_DBUS_RECEIVE;
+ else if (strcmp($1, "eavesdrop") == 0)
+ $$ = AA_DBUS_EAVESDROP;
 else if ($1) {
 parse_dbus_mode($1, &$$, 1);
 } else
@@ -1178,6 +1181,7 @@ dbus_perm: TOK_VALUE
 | TOK_RECEIVE { $$ = AA_DBUS_RECEIVE; }
 | TOK_READ { $$ = AA_DBUS_RECEIVE; }
 | TOK_WRITE { $$ = AA_DBUS_SEND; }
+ | TOK_EAVESDROP { $$ = AA_DBUS_EAVESDROP; }
 | TOK_MODE {
 parse_dbus_mode($1, &$$, 1);