mir/apparmor
2
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor synced 2025-09-01 23:05:11 +00:00
Code Issues Releases Wiki Activity

parser: Sync parser and man page regarding local and peer perms

Browse Source 
This patch updates the parser code to reject rules that contain local
socket permissions and peer conditional elements. The error message for
that condition is also corrected to resolve a copy and paste mistake
from the D-Bus rule parsing code.

The patch also updates the man page to correctly describe the two sets
of socket permissions and fixes an example rule that resulted in a
parser error after the change described above.

Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
This commit is contained in:
Tyler Hicks
2014-09-22 11:34:32 -05:00
parent ffa2f682ea
commit a154d14f5a
2 changed files with 10 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
parser/af_unix.cc
View File

@@ -115,12 +115,8 @@ unix_rule::unix_rule(int mode_p, struct cond_entry *conds,
mode = mode_p;
if (mode & ~AA_VALID_NET_PERMS)
yyerror("mode contains invalid permissions for unix socket rules\n");
else if ((mode & AA_NET_BIND) && has_peer_conds())
/* Do we want to loosen this? */
yyerror("unix socket 'bind' access cannot be used with message rule conditionals\n");
else if ((mode & AA_NET_LISTEN) && has_peer_conds())
/* Do we want to loosen this? */
yyerror("unix socket 'listen' access cannot be used with message rule conditionals\n");
else if ((mode & ~AA_PEER_NET_PERMS) && has_peer_conds())
yyerror("unix socket 'create', 'shutdown', 'setattr', 'getattr', 'bind', 'listen', 'setopt', and/or 'getopt' accesses cannot be used with peer socket conditionals\n");
} else {
mode = AA_VALID_NET_PERMS;
}