mir/apparmor
2
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor synced 2025-08-22 10:07:12 +00:00
Code Issues Releases Wiki Activity

parser: enable create perm when label is defined

Browse Source 
Due to how labeling is implemented, during the creation it is not yet
defined, so we need to grant create permissions without attaching the
label yet.

Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
This commit is contained in:
Georgia Garcia 2025-04-10 13:11:50 -03:00
parent ccf1b25d3d
commit 306b656ba2
2 changed files with 32 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
parser/mqueue.cc
View File

@ -238,6 +238,19 @@ int mqueue_rule::gen_policy_re(Profile &prof)
audit == AUDIT_FORCE ? map_mqueue_perms(perms) : 0, 1, audit == AUDIT_FORCE ? map_mqueue_perms(perms) : 0, 1,
vec, parseopts, false)) vec, parseopts, false))
goto fail; goto fail;
/* create should be allowed when label is present since the
* queue needs to be created to have a label associated to it
*/
if (perms & AA_MQUEUE_CREATE &&
!prof.policy.rules->add_rule_vec(
priority,
rule_mode,
map_mqueue_perms(perms & AA_MQUEUE_CREATE_PERMS),
audit == AUDIT_FORCE ? map_mqueue_perms(perms & AA_MQUEUE_CREATE_PERMS) : 0, 1,
vec, parseopts, false))
goto fail;
/* also provide label match with perm */ /* also provide label match with perm */
if (!prof.policy.rules->add_rule_vec(priority, if (!prof.policy.rules->add_rule_vec(priority,
rule_mode, rule_mode,
@ -282,6 +295,19 @@ int mqueue_rule::gen_policy_re(Profile &prof)
audit == AUDIT_FORCE ? map_mqueue_perms(perms) : 0, 1, audit == AUDIT_FORCE ? map_mqueue_perms(perms) : 0, 1,
vec, parseopts, false)) vec, parseopts, false))
goto fail; goto fail;
/* create should be allowed when label is present since the
* queue needs to be created to have a label associated to it
*/
if (perms & AA_MQUEUE_CREATE &&
!prof.policy.rules->add_rule_vec(
priority,
rule_mode,
map_mqueue_perms(perms & AA_MQUEUE_CREATE_PERMS),
audit == AUDIT_FORCE ? map_mqueue_perms(perms & AA_MQUEUE_CREATE_PERMS) : 0, 1,
vec, parseopts, false))
goto fail;
/* also provide label match with perm */ /* also provide label match with perm */
if (!prof.policy.rules->add_rule_vec(priority, if (!prof.policy.rules->add_rule_vec(priority,
rule_mode, rule_mode,

6
parser/mqueue.h
View File

@ -69,6 +69,12 @@
#define AA_VALID_MQUEUE_PERMS (AA_VALID_POSIX_MQ_PERMS | \ #define AA_VALID_MQUEUE_PERMS (AA_VALID_POSIX_MQ_PERMS | \
AA_VALID_SYSV_MQ_PERMS) AA_VALID_SYSV_MQ_PERMS)
/* read and write needed with create because mq_open can be called
* with O_CREAT | O_RDWR, which all show up in the requested perms at
* the same time during creation
*/
#define AA_MQUEUE_CREATE_PERMS (AA_MQUEUE_CREATE | AA_MQUEUE_READ | \
AA_MQUEUE_WRITE)
// warning getting into overlap area // warning getting into overlap area
/* Type of mqueue - can be explicit or implied by rule id/path */ /* Type of mqueue - can be explicit or implied by rule id/path */