parser: Add dbus eavesdrop permission support to apparmor_parser

Allows for the policy writer to grant permission to eavesdrop on the specified bus. Some example rules for granting the eavesdrop permission are: # Grant send, receive, bind, and eavesdrop dbus, # Grant send, receive, bind, and eavesdrop on the session bus dbus bus=session, # Grant send and eavesdrop on the system bus dbus (send eavesdrop) bus=system, # Grant eavesdrop on any bus dbus eavesdrop, Eavesdropping rules can contain the bus conditional. Any other conditionals are not compatible with eavesdropping rules and the parser will return an error. Signed-off-by: Tyler Hicks <tyhicks@canonical.com> Acked-by: Seth Arnold <seth.arnold@canonical.com>
2025-08-22 10:07:12 +00:00 · 2013-12-06 11:17:43 -08:00 · 2013-12-06 11:17:43 -08:00 · 1580ba5ac1
commit 1580ba5ac1
parent b7e9efdc98
7 changed files with 27 additions and 4 deletions
--- a/libraries/libapparmor/src/apparmor.h
+++ b/libraries/libapparmor/src/apparmor.h
@ -50,6 +50,7 @@ __BEGIN_DECLS

 #define AA_DBUS_SEND		AA_MAY_WRITE
 #define AA_DBUS_RECEIVE		AA_MAY_READ
+#define AA_DBUS_EAVESDROP	(1 << 5)
 #define AA_DBUS_BIND		AA_MAY_BIND


--- a/parser/dbus.c
+++ b/parser/dbus.c
@ -129,12 +129,18 @@ struct dbus_entry *new_dbus_entry(int mode, struct cond_entry *conds,
 			yyerror("dbus \"bind\" access cannot be used with message rule conditionals\n");
 		else if (service_rule && (ent->mode & (AA_DBUS_SEND | AA_DBUS_RECEIVE)))
 			yyerror("dbus \"send\" and/or \"receive\" accesses cannot be used with service rule conditionals\n");
+		else if (ent->mode & AA_DBUS_EAVESDROP &&
+			 (ent->path || ent->interface || ent->member ||
+			  ent->peer_label || ent->name)) {
+			yyerror("dbus \"eavesdrop\" access can only contain a bus conditional\n");
+		}
 	} else {
-		ent->mode = AA_VALID_DBUS_PERMS;
 		if (message_rule)
-			ent->mode &= ~AA_DBUS_BIND;
+			ent->mode = (AA_DBUS_SEND | AA_DBUS_RECEIVE);
 		else if (service_rule)
-			ent->mode &= ~(AA_DBUS_SEND | AA_DBUS_RECEIVE);
+			ent->mode = (AA_DBUS_BIND);
+		else
+			ent->mode = AA_VALID_DBUS_PERMS;
 	}

 out:
@ -184,6 +190,8 @@ void print_dbus_entry(struct dbus_entry *ent)
 		fprintf(stderr, "receive ");
 	if (ent->mode & AA_DBUS_BIND)
 		fprintf(stderr, "bind ");
+	if (ent->mode & AA_DBUS_EAVESDROP)
+		fprintf(stderr, "eavesdrop ");
 	fprintf(stderr, ")");

 	if (ent->bus)
--- a/parser/immunix.h
+++ b/parser/immunix.h
@ -42,10 +42,11 @@

 #define AA_DBUS_SEND			AA_MAY_WRITE
 #define AA_DBUS_RECEIVE			AA_MAY_READ
+#define AA_DBUS_EAVESDROP		(1 << 5)
 #define AA_DBUS_BIND			(1 << 6)

 #define AA_VALID_DBUS_PERMS		(AA_DBUS_SEND | AA_DBUS_RECEIVE | \
-					 AA_DBUS_BIND)
+					 AA_DBUS_BIND | AA_DBUS_EAVESDROP)

 #define AA_BASE_PERMS			(AA_MAY_EXEC | AA_MAY_WRITE | \
 					 AA_MAY_READ | AA_MAY_APPEND | \
--- a/parser/parser_lex.l
+++ b/parser/parser_lex.l
@ -468,6 +468,7 @@ LT_EQUAL	<=
 	bind		{ RETURN_TOKEN(TOK_BIND); }
 	read		{ RETURN_TOKEN(TOK_READ); }
 	write		{ RETURN_TOKEN(TOK_WRITE); }
+	eavesdrop	{ RETURN_TOKEN(TOK_EAVESDROP); }
 	{OPEN_PAREN}	{
 			yy_push_state(LIST_VAL_MODE);
 			RETURN_TOKEN(TOK_OPENPAREN);
--- a/parser/parser_misc.c
+++ b/parser/parser_misc.c
@ -146,6 +146,7 @@ static struct keyword_table keyword_table[] = {
 	{"bind",                TOK_BIND},
 	{"read",                TOK_READ},
 	{"write",               TOK_WRITE},
+	{"eavesdrop",		TOK_EAVESDROP},
 	{"peer",		TOK_PEER},

 	/* terminate */
--- a/parser/parser_regex.c
+++ b/parser/parser_regex.c
@ -1139,6 +1139,13 @@ static int process_dbus_entry(aare_ruleset_t *dfarules, struct dbus_entry *entry
 				6, vec, dfaflags))
 			goto fail;
 	}
+	if (entry->mode & AA_DBUS_EAVESDROP) {
+		if (!aare_add_rule_vec(dfarules, entry->deny,
+				entry->mode & AA_DBUS_EAVESDROP,
+				entry->audit & AA_DBUS_EAVESDROP,
+				1, vec, dfaflags))
+			goto fail;
+	}
 	return TRUE;

 fail:
--- a/parser/parser_yacc.y
+++ b/parser/parser_yacc.y
@ -132,6 +132,7 @@ void add_local_entry(Profile *prof);
 %token TOK_BIND
 %token TOK_READ
 %token TOK_WRITE
+%token TOK_EAVESDROP
 %token TOK_PEER

 /* rlimits */
@ -1165,6 +1166,8 @@ dbus_perm: TOK_VALUE
 			$$ = AA_DBUS_SEND;
 		else if (strcmp($1, "receive") == 0 || strcmp($1, "read") == 0)
 			$$ = AA_DBUS_RECEIVE;
+		else if (strcmp($1, "eavesdrop") == 0)
+			$$ = AA_DBUS_EAVESDROP;
 		else if ($1) {
 			parse_dbus_mode($1, &$$, 1);
 		} else
@ -1178,6 +1181,7 @@ dbus_perm: TOK_VALUE
 	| TOK_RECEIVE { $$ = AA_DBUS_RECEIVE; }
 	| TOK_READ { $$ = AA_DBUS_RECEIVE; }
 	| TOK_WRITE { $$ = AA_DBUS_SEND; }
+	| TOK_EAVESDROP { $$ = AA_DBUS_EAVESDROP; }
 	| TOK_MODE
 	{
 		parse_dbus_mode($1, &$$, 1);