Merge parser: fix encoding of unix permissions for setopt and getopt

The permissions for AA_NET_OPT need to be bounded by mask so we can make sure it matches when a policy specified only setopt or only getopt. This was causing failures on the regression tests unix_socket_pathname, unix_socket_abstract, unix_socket_unnamed and unix_socket_autobind Fixes: 44f3be091 ("parser: convert the stored audit from a bit mask to a bool") Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com> MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1079 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>
2025-08-31 06:16:03 +00:00 · 2023-08-02 11:13:40 +00:00
parent 93dff6a806 64c1eb9cda
commit 313366fbbc
2 changed files with 8 additions and 3 deletions
--- a/parser/af_unix.cc
+++ b/parser/af_unix.cc
@@ -413,7 +413,7 @@ int unix_rule::gen_policy_re(Profile &prof)
 			tmp << "..";
 			buf = tmp.str();
 			if (!prof.policy.rules->add_rule(buf.c_str(), rule_mode == RULE_DENY,
-							 map_perms(AA_NET_OPT),
+							 map_perms(mask & AA_NET_OPT),
 							 map_perms(audit == AUDIT_FORCE ? AA_NET_OPT : 0),
 							 parseopts))
 				goto fail;
--- a/tests/regression/apparmor/prologue.inc
+++ b/tests/regression/apparmor/prologue.inc
@@ -70,9 +70,14 @@ kernel_features()
 			# check if feature is in file
 			feature=$(basename "$features_dir/$f")
 			file=$(dirname "$features_dir/$f")
-			if [ -f $file ] && ! grep -q $feature $file; then
+			if [ -f $file ]; then
+				if ! grep -q $feature $file; then
+					echo "Required feature '$f' not available."
+					return 2;
+				fi
+			else
 				echo "Required feature '$f' not available."
-				return 2;
+				return 3;
 			fi
 		fi
 	done