From 1580ba5ac1b38f135f8b5f9751aece0c1c54e743 Mon Sep 17 00:00:00 2001
From: Tyler Hicks
Date: Fri, 6 Dec 2013 11:17:43 -0800
Subject: [PATCH] parser: Add dbus eavesdrop permission support to apparmor_parser

Allows for the policy writer to grant permission to eavesdrop on the specified bus. Some example rules for granting the eavesdrop permission are:

# Grant send, receive, bind, and eavesdrop
dbus,

# Grant send, receive, bind, and eavesdrop on the session bus
dbus bus=session,

# Grant send and eavesdrop on the system bus
dbus (send eavesdrop) bus=system,

# Grant eavesdrop on any bus
dbus eavesdrop,

Eavesdropping rules can contain the bus conditional. Any other conditionals are not compatible with eavesdropping rules and the parser will return an error.

Signed-off-by: Tyler Hicks
Acked-by: Seth Arnold
---
 libraries/libapparmor/src/apparmor.h | 1 +
 parser/dbus.c | 14 +++++++++++---
 parser/immunix.h | 3 ++-
 parser/parser_lex.l | 1 +
 parser/parser_misc.c | 1 +
 parser/parser_regex.c | 7 +++++++
 parser/parser_yacc.y | 4 ++++
 7 files changed, 27 insertions(+), 4 deletions(-)

diff --git a/libraries/libapparmor/src/apparmor.h b/libraries/libapparmor/src/apparmor.h
index 21c9e20c5..7648eae09 100644
--- a/libraries/libapparmor/src/apparmor.h
+++ b/libraries/libapparmor/src/apparmor.h
@@ -50,6 +50,7 @@ __BEGIN_DECLS
 #define AA_DBUS_SEND AA_MAY_WRITE
 #define AA_DBUS_RECEIVE AA_MAY_READ
+#define AA_DBUS_EAVESDROP (1 << 5)
 #define AA_DBUS_BIND AA_MAY_BIND
diff --git a/parser/dbus.c b/parser/dbus.c
index 7996aa068..d408478c6 100644
--- a/parser/dbus.c
+++ b/parser/dbus.c
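Review bot: `AA_DBUS_EAVESDROP` is introduced here as a bare `(1 << 5)` while its neighbours `AA_DBUS_SEND`, `AA_DBUS_RECEIVE` and `AA_DBUS_BIND` are spelled in terms of `AA_MAY_*` names, and the same literal is defined a second time in `parser/immunix.h` elsewhere in this patch with nothing tying the two copies together. Both presumably have to agree with the bit the kernel decodes, so a one-line comment on the new define would make the coupling explicit, e.g. `/* no AA_MAY_* alias; must match AA_DBUS_EAVESDROP in parser/immunix.h and the kernel's dbus perm bit */`. This is a public libapparmor header, so once released the value is ABI and should not be renumbered later.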
@@ -129,12 +129,18 @@ struct dbus_entry *new_dbus_entry(int mode, struct cond_entry *conds,
 yyerror("dbus \"bind\" access cannot be used with message rule conditionals\n");
 else if (service_rule && (ent->mode & (AA_DBUS_SEND | AA_DBUS_RECEIVE)))
 yyerror("dbus \"send\" and/or \"receive\" accesses cannot be used with service rule conditionals\n");
+ else if (ent->mode & AA_DBUS_EAVESDROP &&
+ (ent->path || ent->interface || ent->member ||
+ ent->peer_label || ent->name)) {
+ yyerror("dbus \"eavesdrop\" access can only contain a bus conditional\n");
+ }
 } else {
- ent->mode = AA_VALID_DBUS_PERMS;
 if (message_rule)
- ent->mode &= ~AA_DBUS_BIND;
+ ent->mode = (AA_DBUS_SEND | AA_DBUS_RECEIVE);
 else if (service_rule)
- ent->mode &= ~(AA_DBUS_SEND | AA_DBUS_RECEIVE);
+ ent->mode = (AA_DBUS_BIND);
+ else
+ ent->mode = AA_VALID_DBUS_PERMS;
 }
 out:
@@ -184,6 +190,8 @@ void print_dbus_entry(struct dbus_entry *ent)
 fprintf(stderr, "receive ");
 if (ent->mode & AA_DBUS_BIND)
 fprintf(stderr, "bind ");
+ if (ent->mode & AA_DBUS_EAVESDROP)
+ fprintf(stderr, "eavesdrop ");
 fprintf(stderr, ")");
 if (ent->bus)
diff --git a/parser/immunix.h b/parser/immunix.h
index f5064e841..c53d18f68 100644
--- a/parser/immunix.h
+++ b/parser/immunix.h
@@ -42,10 +42,11 @@
 #define AA_DBUS_SEND AA_MAY_WRITE
 #define AA_DBUS_RECEIVE AA_MAY_READ
+#define AA_DBUS_EAVESDROP (1 << 5)
 #define AA_DBUS_BIND (1 << 6)
 #define AA_VALID_DBUS_PERMS (AA_DBUS_SEND | AA_DBUS_RECEIVE | \
- AA_DBUS_BIND)
+ AA_DBUS_BIND | AA_DBUS_EAVESDROP)
 #define AA_BASE_PERMS (AA_MAY_EXEC | AA_MAY_WRITE | \
 AA_MAY_READ | AA_MAY_APPEND | \
diff --git a/parser/parser_lex.l b/parser/parser_lex.l
index b8878009e..ad2f0f748 100644
--- a/parser/parser_lex.l
+++ b/parser/parser_lex.l
@@ -468,6 +468,7 @@ LT_EQUAL <=
 bind { RETURN_TOKEN(TOK_BIND); }
 read { RETURN_TOKEN(TOK_READ); }
 write { RETURN_TOKEN(TOK_WRITE); }
+ eavesdrop { RETURN_TOKEN(TOK_EAVESDROP); }
 {OPEN_PAREN} {
 yy_push_state(LIST_VAL_MODE);
 RETURN_TOKEN(TOK_OPENPAREN);
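Review bot: The final `else` now assigns `AA_VALID_DBUS_PERMS`, which this patch widens to include `AA_DBUS_EAVESDROP`, so a rule with no access list and no message/service conditional (`dbus,` or `dbus bus=session,`) now grants eavesdrop; the commit message documents this, but it means every existing profile carrying a bare `dbus,` rule silently gains the ability to observe all traffic on the bus when recompiled, which is a privilege expansion rather than a no-op. Consider keeping the implicit default at `AA_DBUS_SEND | AA_DBUS_RECEIVE | AA_DBUS_BIND` with eavesdrop opt-in, and in any case mark the intent at the assignment, e.g. `/* no access list and no conditionals: grant everything, eavesdrop included */`. The new check also relies on `&` binding tighter than `&&`; `(ent->mode & AA_DBUS_EAVESDROP) &&` reads more safely and matches the parenthesised `service_rule` test above it. The start of new_dbus_entry, including the `if` this `else` belongs to, lies outside the hunk.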
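Review bot: `AA_DBUS_EAVESDROP (1 << 5)` and `AA_DBUS_BIND (1 << 6)` are raw bit numbers sitting between the `AA_MAY_*`-based dbus aliases and `AA_BASE_PERMS`, with nothing stating which bits the dbus permission space owns or that it is separate from the file-permission bits this header also defines; if bit 5 is also used by an `AA_MAY_*` file permission (not visible in the hunk), the overlap is harmless only because the two masks are never combined, and that should be written down. Add a comment above the dbus block such as `/* dbus permission bits: send/receive alias AA_MAY_WRITE/AA_MAY_READ, eavesdrop = bit 5, bind = bit 6; keep in sync with libraries/libapparmor/src/apparmor.h */`. The libapparmor header in this same patch defines the value independently, so a sync note is the only thing keeping the two aligned.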
diff --git a/parser/parser_misc.c b/parser/parser_misc.c
index 36149aff8..36285e802 100644
--- a/parser/parser_misc.c
+++ b/parser/parser_misc.c
@@ -146,6 +146,7 @@ static struct keyword_table keyword_table[] = {
 {"bind", TOK_BIND},
 {"read", TOK_READ},
 {"write", TOK_WRITE},
+ {"eavesdrop", TOK_EAVESDROP},
 {"peer", TOK_PEER},
 /* terminate */
diff --git a/parser/parser_regex.c b/parser/parser_regex.c
index 920a3d88a..20413b716 100644
--- a/parser/parser_regex.c
+++ b/parser/parser_regex.c
@@ -1139,6 +1139,13 @@ static int process_dbus_entry(aare_ruleset_t *dfarules, struct dbus_entry *entry
 6, vec, dfaflags))
 goto fail;
 }
+ if (entry->mode & AA_DBUS_EAVESDROP) {
+ if (!aare_add_rule_vec(dfarules, entry->deny,
+ entry->mode & AA_DBUS_EAVESDROP,
+ entry->audit & AA_DBUS_EAVESDROP,
+ 1, vec, dfaflags))
+ goto fail;
+ }
 return TRUE;
 fail:
diff --git a/parser/parser_yacc.y b/parser/parser_yacc.y
index aa21ec9b5..166798e2e 100644
--- a/parser/parser_yacc.y
+++ b/parser/parser_yacc.y
@@ -132,6 +132,7 @@ void add_local_entry(Profile *prof);
 %token TOK_BIND
 %token TOK_READ
 %token TOK_WRITE
+%token TOK_EAVESDROP
 %token TOK_PEER
 /* rlimits */
@@ -1165,6 +1166,8 @@ dbus_perm: TOK_VALUE
 $$ = AA_DBUS_SEND;
 else if (strcmp($1, "receive") == 0 || strcmp($1, "read") == 0)
 $$ = AA_DBUS_RECEIVE;
+ else if (strcmp($1, "eavesdrop") == 0)
+ $$ = AA_DBUS_EAVESDROP;
 else if ($1) {
 parse_dbus_mode($1, &$$, 1);
 } else
@@ -1178,6 +1181,7 @@ dbus_perm: TOK_VALUE
 | TOK_RECEIVE { $$ = AA_DBUS_RECEIVE; }
 | TOK_READ { $$ = AA_DBUS_RECEIVE; }
 | TOK_WRITE { $$ = AA_DBUS_SEND; }
+ | TOK_EAVESDROP { $$ = AA_DBUS_EAVESDROP; }
 | TOK_MODE
 {
 parse_dbus_mode($1, &$$, 1);
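Review bot: The new eavesdrop rule is added with a vector length of 1, i.e. it is keyed on `vec[0]` alone, but the hunk shows neither how `vec` was filled nor that `vec[0]` is the bus pattern, and the earlier message/service `aare_add_rule_vec` calls sit outside the hunk; if any of them passes `entry->mode` unmasked rather than its own `AA_DBUS_SEND | AA_DBUS_RECEIVE` or `AA_DBUS_BIND` subset, the eavesdrop bit will also be encoded on the 6-element message path and be granted under a wider match than this block intends. Confirm those calls mask their mode and audit arguments the way this one does, and document the layout next to the new block, e.g. `/* eavesdrop is matched on the bus only (vec[0]); never fold it into the message/bind vectors */`. A `dbus eavesdrop,` rule with no bus conditional still reaches this path, so `vec[0]` presumably holds a wildcard in that case — worth confirming. process_dbus_entry begins before the hunk.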
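Review bot: The keyword-to-permission mapping for `eavesdrop` now lives in four places in this patch — the lexer rule, `keyword_table`, the `strcmp` chain in the `TOK_VALUE` alternative, and the `TOK_EAVESDROP` alternative — so the next permission has to be added to all four or the quoted (`"eavesdrop"`) and bare forms will accept different sets. A short comment at the head of the `strcmp` chain, `/* quoted form of the keywords the lexer turns into TOK_* below; keep both lists in step */`, at least makes the duplication visible; driving the quoted case from `keyword_table` would remove it. `parse_dbus_mode` remains the fallback for any other string, so a misspelling such as `eavesdorp` is handled by whatever that function does, which the hunk does not show.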