diff --git a/parser/af_unix.cc b/parser/af_unix.cc
index 5fac6c7e8..55549c7f3 100644
--- a/parser/af_unix.cc
+++ b/parser/af_unix.cc
@@ -115,12 +115,8 @@ unix_rule::unix_rule(int mode_p, struct cond_entry *conds,
 mode = mode_p;
 if (mode & ~AA_VALID_NET_PERMS)
 yyerror("mode contains invalid permissions for unix socket rules\n");
- else if ((mode & AA_NET_BIND) && has_peer_conds())
- /* Do we want to loosen this? */
- yyerror("unix socket 'bind' access cannot be used with message rule conditionals\n");
- else if ((mode & AA_NET_LISTEN) && has_peer_conds())
- /* Do we want to loosen this? */
- yyerror("unix socket 'listen' access cannot be used with message rule conditionals\n");
+ else if ((mode & ~AA_PEER_NET_PERMS) && has_peer_conds())
+ yyerror("unix socket 'create', 'shutdown', 'setattr', 'getattr', 'bind', 'listen', 'setopt', and/or 'getopt' accesses cannot be used with peer socket conditionals\n");
 } else {
 mode = AA_VALID_NET_PERMS;
 }
diff --git a/parser/apparmor.d.pod b/parser/apparmor.d.pod
index 7e5295dd0..1ac8afa14 100644
--- a/parser/apparmor.d.pod
+++ b/parser/apparmor.d.pod
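Review bot: The new `else if` derives the rejected set from `~AA_PEER_NET_PERMS`, but the yyerror text hard-codes the eight access names, so the message and the mask will drift silently the next time the mask is edited; a comment above the branch such as `/* keep the accesses named in the message in sync with the bits outside AA_PEER_NET_PERMS */` would at least flag the coupling. Also worth confirming: the `else` branch at the bottom of the hunk still assigns `mode = AA_VALID_NET_PERMS` for a rule with no access list even when has_peer_conds() is true, whereas the apparmor.d.pod hunk in this same commit states that such rules imply only the peer socket permissions — if the narrowing happens later (outside this hunk) a one-line comment pointing to it would help, and if it does not, the implied mode is wider than the documentation says, which for a policy compiler means a peer rule silently carrying local-socket permissions like bind and listen. The unix_rule constructor starts and ends outside the hunk.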
@@ -886,15 +886,14 @@ state an access list. By default if a rule does not have an access list all
 permissions that are compatible with the specified set of local and peer conditionals are implied.
 
-The create, bind, listen, shutdown, getattr, setattr permissions are
-applied to the local socket. The accept, connect, send, receive permissions
-apply to the combination of a local and peer. Currently it is required that
-create, bind, listen, shutdown, getattr, and settr permission are only
-specified in rules that do not have a peer component.
+The create, bind, listen, shutdown, getattr, setattr, getopt, and setopt
+permissions are local socket permissions. They are only applied to the local
+socket and can't be specified in rules that have a peer component. The accept
+permission applies to the combination of a local and peer socket. The connect,
+send, and receive permissions are peer socket permissions.
 
-If a rule is specified with a peer component it will only imply accept
-(stream), connect (stream), listen, receive and send. It will not imply the
-create, bind, listen, shutdown, getattr, or setattr permissions.
+Only the peer socket permissions will be applied to rules that don't specify
+permissions and contain a peer component.
 
 =head3 Example Unix domain socket rules:
 
@@ -914,7 +913,7 @@ create, bind, listen, shutdown, getattr, or setattr permissions.
 unix (receive) peer=(label=unconfined),
 
 # Allow getattr and shutdown on anonymous sockets
- unix (getattr, shutdown) peer=(addr=none),
+ unix (getattr, shutdown) addr=none,
 
 # Allow SOCK_STREAM connect, receive and send on an abstract socket @bar
 # with peer running under profile '/foo'