diff --git a/parser/mqueue.cc b/parser/mqueue.cc
index 7eba630ba..b7d0098b1 100644
--- a/parser/mqueue.cc
+++ b/parser/mqueue.cc
@@ -238,6 +238,19 @@ int mqueue_rule::gen_policy_re(Profile &prof)
 audit == AUDIT_FORCE ? map_mqueue_perms(perms) : 0, 1,
 vec, parseopts, false))
 goto fail;
+
+ /* create should be allowed when label is present since the
+ * queue needs to be created to have a label associated to it
+ */
+ if (perms & AA_MQUEUE_CREATE &&
+ !prof.policy.rules->add_rule_vec(
+ priority,
+ rule_mode,
+ map_mqueue_perms(perms & AA_MQUEUE_CREATE_PERMS),
+ audit == AUDIT_FORCE ? map_mqueue_perms(perms & AA_MQUEUE_CREATE_PERMS) : 0, 1,
+ vec, parseopts, false))
+ goto fail;
+
 /* also provide label match with perm */
 if (!prof.policy.rules->add_rule_vec(priority,
 rule_mode,
@@ -282,6 +295,19 @@ int mqueue_rule::gen_policy_re(Profile &prof)
 audit == AUDIT_FORCE ? map_mqueue_perms(perms) : 0, 1,
 vec, parseopts, false))
 goto fail;
+
+ /* create should be allowed when label is present since the
+ * queue needs to be created to have a label associated to it
+ */
+ if (perms & AA_MQUEUE_CREATE &&
+ !prof.policy.rules->add_rule_vec(
+ priority,
+ rule_mode,
+ map_mqueue_perms(perms & AA_MQUEUE_CREATE_PERMS),
+ audit == AUDIT_FORCE ? map_mqueue_perms(perms & AA_MQUEUE_CREATE_PERMS) : 0, 1,
+ vec, parseopts, false))
+ goto fail;
+
 /* also provide label match with perm */
 if (!prof.policy.rules->add_rule_vec(priority,
 rule_mode,
diff --git a/parser/mqueue.h b/parser/mqueue.h
index ebfa5636e..2827180cb 100644
--- a/parser/mqueue.h
+++ b/parser/mqueue.h
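Review bot: The new create rule is registered with the same 1-element vec as the rule just above it, so — if that element count means a name-only match, as the placement next to the existing name-match rule suggests — it grants every bit of create/read/write that the rule carries without any label check, and not only at creation time: a later open of an already existing queue of that name under a different label would be matched by the same entry for read/write. If that widening is intended because O_CREAT and O_RDWR arrive together, the comment should state it; e.g. `/* name-only match: create, plus any read/write this rule grants, is permitted without a label check, since a label only exists after the queue is created */`. The identical 13-line block is added again in the second hunk at line 295; a small static helper that both call sites use would keep the two from drifting apart. `if (perms & AA_MQUEUE_CREATE &&` relies on `&` binding tighter than `&&`, which is correct but easy to misread; `if ((perms & AA_MQUEUE_CREATE) &&` makes the intent explicit. gen_policy_re starts and ends outside both hunks.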
@@ -69,6 +69,12 @@
 #define AA_VALID_MQUEUE_PERMS (AA_VALID_POSIX_MQ_PERMS | \
 AA_VALID_SYSV_MQ_PERMS)
+/* read and write needed with create because mq_open can be called
+ * with O_CREAT | O_RDWR, which all show up in the requested perms at
+ * the same time during creation
+ */
+#define AA_MQUEUE_CREATE_PERMS (AA_MQUEUE_CREATE | AA_MQUEUE_READ | \
+ AA_MQUEUE_WRITE) // warning getting into overlap area
 /* Type of mqueue - can be explicit or implied by rule id/path */
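Review bot: The trailing `// warning getting into overlap area` on the new AA_MQUEUE_CREATE_PERMS definition does not say what overlaps with what, or what a later editor must avoid, so it cannot guide anyone adjusting these bits. Replace it with a comment that names the concern, e.g. `/* NOTE: this is a mask applied to a rule's own perms (see mqueue.cc); the read/write bits it keeps are the same ones the ordinary label-checked grants use, so a rule masked with it still grants r/w, not only create */` — adjusting the wording if the overlap meant is something else. Stating that it is a mask and never adds read/write the rule did not request is worth keeping at the definition, since that is what bounds its effect.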