mir/apparmor
2
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor synced 2025-08-22 18:17:09 +00:00
Code Issues Releases Wiki Activity

parser: Sync parser and man page regarding local and peer perms

Browse Source 
This patch updates the parser code to reject rules that contain local
socket permissions and peer conditional elements. The error message for
that condition is also corrected to resolve a copy and paste mistake
from the D-Bus rule parsing code.

The patch also updates the man page to correctly describe the two sets
of socket permissions and fixes an example rule that resulted in a
parser error after the change described above.

Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
This commit is contained in:
Tyler Hicks 2014-09-22 11:34:32 -05:00
parent ffa2f682ea
commit a154d14f5a
2 changed files with 10 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
parser/af_unix.cc
View File

@ -115,12 +115,8 @@ unix_rule::unix_rule(int mode_p, struct cond_entry *conds,
mode = mode_p; mode = mode_p;
if (mode & ~AA_VALID_NET_PERMS) if (mode & ~AA_VALID_NET_PERMS)
yyerror("mode contains invalid permissions for unix socket rules\n"); yyerror("mode contains invalid permissions for unix socket rules\n");
else if ((mode & AA_NET_BIND) && has_peer_conds()) else if ((mode & ~AA_PEER_NET_PERMS) && has_peer_conds())
/* Do we want to loosen this? */ yyerror("unix socket 'create', 'shutdown', 'setattr', 'getattr', 'bind', 'listen', 'setopt', and/or 'getopt' accesses cannot be used with peer socket conditionals\n");
yyerror("unix socket 'bind' access cannot be used with message rule conditionals\n");
else if ((mode & AA_NET_LISTEN) && has_peer_conds())
/* Do we want to loosen this? */
yyerror("unix socket 'listen' access cannot be used with message rule conditionals\n");
} else { } else {
mode = AA_VALID_NET_PERMS; mode = AA_VALID_NET_PERMS;
} }

17
parser/apparmor.d.pod
View File

@ -886,15 +886,14 @@ state an access list. By default if a rule does not have an access list
all permissions that are compatible with the specified set of local all permissions that are compatible with the specified set of local
and peer conditionals are implied. and peer conditionals are implied.
The create, bind, listen, shutdown, getattr, setattr permissions are The create, bind, listen, shutdown, getattr, setattr, getopt, and setopt
applied to the local socket. The accept, connect, send, receive permissions permissions are local socket permissions. They are only applied to the local
apply to the combination of a local and peer. Currently it is required that socket and can't be specified in rules that have a peer component. The accept
create, bind, listen, shutdown, getattr, and settr permission are only permission applies to the combination of a local and peer socket. The connect,
specified in rules that do not have a peer component. send, and receive permissions are peer socket permissions.
If a rule is specified with a peer component it will only imply accept Only the peer socket permissions will be applied to rules that don't specify
(stream), connect (stream), listen, receive and send. It will not imply the permissions and contain a peer component.
create, bind, listen, shutdown, getattr, or setattr permissions.
=head3 Example Unix domain socket rules: =head3 Example Unix domain socket rules:
@ -914,7 +913,7 @@ create, bind, listen, shutdown, getattr, or setattr permissions.
unix (receive) peer=(label=unconfined), unix (receive) peer=(label=unconfined),
# Allow getattr and shutdown on anonymous sockets # Allow getattr and shutdown on anonymous sockets
unix (getattr, shutdown) peer=(addr=none), unix (getattr, shutdown) addr=none,
# Allow SOCK_STREAM connect, receive and send on an abstract socket @bar # Allow SOCK_STREAM connect, receive and send on an abstract socket @bar
# with peer running under profile '/foo' # with peer running under profile '/foo'