mirror of https://gitlab.com/apparmor/apparmor synced 2025-08-31 14:25:52 +00:00

Add tag indicating file policy is mediated.

Tag start of entries in the policydb as being mediated. This makes
the start state for any class being mediated be non 0. The kernel
can detect this to determine whether the parser expected mediation
for the class.

This is just a way of encoding what features expect mediation within
the policydb itself so that a separate table isn't needed.

This is also used to indicate the new unix semantics for mediation of
unix domain sockets on connect should be applied.

Note: this does cause a fail-open situation on Ubuntu Saucy, which
did not properly indicate support. That is, if a kernel using this patch
is installed on an Ubuntu Saucy system, unix domain socket mediation
on connect won't happen; instead the older behavior will be applied.
This won't cause policy failures as it is less strict than what
Ubuntu Saucy applies.

This is necessary so that AppArmor can properly function on older
userspaces without a compile time configuration on the kernel to determine
behavior. A kernel expecting this behavior will function correctly
with all old userspaces except it will not enforce connect time mediation
on Ubuntu Saucy. However, Ubuntu does not support Trusty (or newer)
kernels as backports to Saucy, so this does not break them.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
John Johansen
2014-04-23 10:59:07 -07:00
parent f7e12a9bc5
commit b9b99508e8
5 changed files with 14 additions and 2 deletions


@@ -672,6 +672,7 @@ int post_process_policydb_ents(Profile *prof)
#define MAKE_STR(X) #X
#define CLASS_STR(X) "\\d" MAKE_STR(X)
static const char *mediates_file = CLASS_STR(AA_CLASS_FILE);
static const char *mediates_mount = CLASS_STR(AA_CLASS_MOUNT);
static const char *mediates_dbus = CLASS_STR(AA_CLASS_DBUS);
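Review bot: The `mediates_file` definition depends on `CLASS_STR(AA_CLASS_FILE)` producing a decimal class number after `"\\d"`, which only holds if `AA_CLASS_FILE` is a preprocessor macro expanding to a plain integer literal; `MAKE_STR(X)` is `#X`, so an enum constant or a parenthesised expression would be stringified as written. A one-line comment above `CLASS_STR` stating that requirement would keep these tag strings from silently changing if the class definitions are ever refactored.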
@@ -690,6 +691,10 @@ int process_profile_policydb(Profile *prof)
* to be supported
*/
/* note: this activates unix domain sockets mediation on connect */
if (kernel_policy_version > 5 &&
!prof->policy.rules->add_rule(mediates_file, 0, AA_MAY_READ, 0, dfaflags))
goto out;
if (kernel_supports_mount &&
!prof->policy.rules->add_rule(mediates_mount, 0, AA_MAY_READ, 0, dfaflags))
goto out;
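Review bot: The `kernel_policy_version > 5` guard on the `mediates_file` rule is a bare version number, while the mount check right below it uses a named capability (`kernel_supports_mount`), and the one-line comment does not say why 5 is the cut-off. Suggest a named constant or a feature flag in the same style, and extending the comment to record the fail-open case the commit message describes for Ubuntu Saucy, since this tag is what switches on unix domain socket mediation on connect and a reader of the code alone will not see that consequence.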