mir/apparmor
2
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor synced 2025-08-31 06:16:03 +00:00
Code Issues Releases Wiki Activity

parser: enable create perm when label is defined

Browse Source 
Due to how labeling is implemented, during the creation it is not yet
defined, so we need to grant create permissions without attaching the
label yet.

Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
(cherry picked from commit 306b656ba2)
Signed-off-by: John Johansen <john.johansen@canonical.com>
This commit is contained in:
Georgia Garcia
2025-04-10 13:11:50 -03:00
committed by John Johansen
parent 99680f3086
commit 5a82779c4c
2 changed files with 32 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
parser/mqueue.cc
View File

@@ -238,6 +238,19 @@ int mqueue_rule::gen_policy_re(Profile &prof)
audit == AUDIT_FORCE ? map_mqueue_perms(perms) : 0, 1,
vec, parseopts, false))
goto fail;
/* create should be allowed when label is present since the
* queue needs to be created to have a label associated to it
*/
if (perms & AA_MQUEUE_CREATE &&
!prof.policy.rules->add_rule_vec(
priority,
rule_mode,
map_mqueue_perms(perms & AA_MQUEUE_CREATE_PERMS),
audit == AUDIT_FORCE ? map_mqueue_perms(perms & AA_MQUEUE_CREATE_PERMS) : 0, 1,
vec, parseopts, false))
goto fail;
/* also provide label match with perm */
if (!prof.policy.rules->add_rule_vec(priority,
rule_mode,
@@ -282,6 +295,19 @@ int mqueue_rule::gen_policy_re(Profile &prof)
audit == AUDIT_FORCE ? map_mqueue_perms(perms) : 0, 1,
vec, parseopts, false))
goto fail;
/* create should be allowed when label is present since the
* queue needs to be created to have a label associated to it
*/
if (perms & AA_MQUEUE_CREATE &&
!prof.policy.rules->add_rule_vec(
priority,
rule_mode,
map_mqueue_perms(perms & AA_MQUEUE_CREATE_PERMS),
audit == AUDIT_FORCE ? map_mqueue_perms(perms & AA_MQUEUE_CREATE_PERMS) : 0, 1,
vec, parseopts, false))
goto fail;
/* also provide label match with perm */
if (!prof.policy.rules->add_rule_vec(priority,
rule_mode,

6
parser/mqueue.h
View File

@@ -69,6 +69,12 @@
#define AA_VALID_MQUEUE_PERMS (AA_VALID_POSIX_MQ_PERMS | \
AA_VALID_SYSV_MQ_PERMS)
/* read and write needed with create because mq_open can be called
* with O_CREAT | O_RDWR, which all show up in the requested perms at
* the same time during creation
*/
#define AA_MQUEUE_CREATE_PERMS (AA_MQUEUE_CREATE | AA_MQUEUE_READ | \
AA_MQUEUE_WRITE)
// warning getting into overlap area
/* Type of mqueue - can be explicit or implied by rule id/path */