parser: enable create perm when label is defined

Due to how labeling is implemented, during the creation it is not yet defined, so we need to grant create permissions without attaching the label yet. Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
2025-08-31 06:16:03 +00:00 · 2025-04-10 13:11:50 -03:00
parent ccf1b25d3d
commit 306b656ba2
2 changed files with 32 additions and 0 deletions
--- a/parser/mqueue.cc
+++ b/parser/mqueue.cc
@@ -238,6 +238,19 @@ int mqueue_rule::gen_policy_re(Profile &prof)
 						audit == AUDIT_FORCE ? map_mqueue_perms(perms) : 0, 1,
 						vec, parseopts, false))
 				goto fail;
+
+			/* create should be allowed when label is present since the
+			 * queue needs to be created to have a label associated to it
+			 */
+			if (perms & AA_MQUEUE_CREATE &&
+			    !prof.policy.rules->add_rule_vec(
+						priority,
+						rule_mode,
+						map_mqueue_perms(perms & AA_MQUEUE_CREATE_PERMS),
+						audit == AUDIT_FORCE ? map_mqueue_perms(perms & AA_MQUEUE_CREATE_PERMS) : 0, 1,
+						vec, parseopts, false))
+				goto fail;
+
 			/* also provide label match with perm */
 			if (!prof.policy.rules->add_rule_vec(priority,
 						rule_mode,
@@ -282,6 +295,19 @@ int mqueue_rule::gen_policy_re(Profile &prof)
 						audit == AUDIT_FORCE ? map_mqueue_perms(perms) : 0, 1,
 						vec, parseopts, false))
 				goto fail;
+
+			/* create should be allowed when label is present since the
+			 * queue needs to be created to have a label associated to it
+			 */
+			if (perms & AA_MQUEUE_CREATE &&
+			    !prof.policy.rules->add_rule_vec(
+						priority,
+						rule_mode,
+						map_mqueue_perms(perms & AA_MQUEUE_CREATE_PERMS),
+						audit == AUDIT_FORCE ? map_mqueue_perms(perms & AA_MQUEUE_CREATE_PERMS) : 0, 1,
+						vec, parseopts, false))
+				goto fail;
+
 			/* also provide label match with perm */
 			if (!prof.policy.rules->add_rule_vec(priority,
 						rule_mode,