parser: Allow AF_UNSPEC family in network rules

https://launchpad.net/bugs/1546455

Don't filter out AF_UNSPEC from the list of valid protocol families so
that the parser will accept rules such as 'network unspec,'.

There are certain syscalls, such as socket(2), where the LSM hooks are
called before the protocol family is validated. In these cases, AppArmor
was emitting denials even though socket(2) will eventually fail. There
may be cases where AF_UNSPEC sockets are accepted and we need to make
sure that we're mediating those appropriately.

Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Suggested-by: Steve Beattie <steve@nxnw.org>
Acked-by: John Johansen <john.johansen@canonical.com>

common/Make.rules

@@ -198,7 +198,7 @@ list_capabilities: /usr/include/linux/capability.h
 # to mediate. We use PF_ here since that is what is required in
 # bits/socket.h, but we will rewrite these as AF_.
 
-FILTER_FAMILIES=PF_UNSPEC PF_UNIX
+FILTER_FAMILIES=PF_UNIX
 
 __FILTER=$(shell echo $(strip $(FILTER_FAMILIES)) | sed -e 's/ /\\\|/g')
 

parser/tst/simple_tests/network/network_ok_2.sd

@@ -3,6 +3,7 @@
 #=EXRESULT PASS
 #
 /usr/bin/foo {
+  network unspec,
   network inet,
   network ax25,
   network ipx,

parser/tst/simple_tests/network/network_ok_7.sd

@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION basic unspec network tests
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+  network unspec stream,
+  network unspec dgram,
+  network unspec raw,
+}

tests/regression/apparmor/tcp.sh

@@ -52,6 +52,10 @@ runchecktest "TCP (accept, connect) low numbered port/bind cap" pass 23
 genprofile network:inet 
 runchecktest "TCP (accept, connect) low numbered port/no bind cap" fail 23
 
+# FAIL TEST - make sure that unspec doesn't match
+genprofile network:unspec
+runchecktest "TCP (accept, connect) wrong socket family" fail 23
+
 exit 0
 
 # PASS TEST - accept via interface