[apparmor] [PATCH 1/5] parser: Add dbus eavesdrop permission support to apparmor_parser

Tyler Hicks tyhicks at canonical.com
Wed Nov 20 02:16:21 UTC 2013


Allows the policy writer to grant permission to eavesdrop on the
specified bus. Some example rules for granting the eavesdrop permission
are:

  # Grant send, receive, bind, and eavesdrop
  dbus,

  # Grant send, receive, bind, and eavesdrop on the session bus
  dbus bus=session,

  # Grant send and eavesdrop on the system bus
  dbus (send eavesdrop) bus=system,

  # Grant eavesdrop on any bus
  dbus eavesdrop,

Eavesdropping rules can contain the bus conditional. Any other
conditionals are not compatible with eavesdropping rules and the parser
will return an error.

Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
---
 libraries/libapparmor/src/apparmor.h |  1 +
 parser/dbus.c                        | 14 +++++++++++---
 parser/immunix.h                     |  3 ++-
 parser/parser_lex.l                  |  1 +
 parser/parser_misc.c                 |  1 +
 parser/parser_regex.c                |  7 +++++++
 parser/parser_yacc.y                 |  4 ++++
 7 files changed, 27 insertions(+), 4 deletions(-)

diff --git a/libraries/libapparmor/src/apparmor.h b/libraries/libapparmor/src/apparmor.h
index 21c9e20..7648eae 100644
--- a/libraries/libapparmor/src/apparmor.h
+++ b/libraries/libapparmor/src/apparmor.h
@@ -50,6 +50,7 @@ __BEGIN_DECLS
 
 #define AA_DBUS_SEND		AA_MAY_WRITE
 #define AA_DBUS_RECEIVE		AA_MAY_READ
+#define AA_DBUS_EAVESDROP	(1 << 5)
 #define AA_DBUS_BIND		AA_MAY_BIND
 
 
diff --git a/parser/dbus.c b/parser/dbus.c
index 7996aa0..d408478 100644
--- a/parser/dbus.c
+++ b/parser/dbus.c
@@ -129,12 +129,18 @@ struct dbus_entry *new_dbus_entry(int mode, struct cond_entry *conds,
 			yyerror("dbus \"bind\" access cannot be used with message rule conditionals\n");
 		else if (service_rule && (ent->mode & (AA_DBUS_SEND | AA_DBUS_RECEIVE)))
 			yyerror("dbus \"send\" and/or \"receive\" accesses cannot be used with service rule conditionals\n");
+		else if (ent->mode & AA_DBUS_EAVESDROP &&
+			 (ent->path || ent->interface || ent->member ||
+			  ent->peer_label || ent->name)) {
+			yyerror("dbus \"eavesdrop\" access can only contain a bus conditional\n");
+		}
 	} else {
-		ent->mode = AA_VALID_DBUS_PERMS;
 		if (message_rule)
-			ent->mode &= ~AA_DBUS_BIND;
+			ent->mode = (AA_DBUS_SEND | AA_DBUS_RECEIVE);
 		else if (service_rule)
-			ent->mode &= ~(AA_DBUS_SEND | AA_DBUS_RECEIVE);
+			ent->mode = (AA_DBUS_BIND);
+		else
+			ent->mode = AA_VALID_DBUS_PERMS;
 	}
 
 out:
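Review bot: The condition on the new `else if` mixes `&` and `&&` without parentheses, `ent->mode & AA_DBUS_EAVESDROP && (...)`; the precedence is correct, but the sibling branches above test the mask in a parenthesized sub-expression, so `(ent->mode & AA_DBUS_EAVESDROP) &&` would read consistently, and the braces around the single yyerror() call differ from the two branches it follows. Separately, the rewritten default branch assigns AA_VALID_DBUS_PERMS, which this patch's immunix.h change extends with AA_DBUS_EAVESDROP, so an existing bare `dbus,` or `dbus bus=session,` rule silently gains eavesdrop when the profile is recompiled; that is what the description states, but a comment at the assignment, `/* no explicit perms: grant every dbus perm, including eavesdrop */`, would keep the widening visible to the next reader. new_dbus_entry begins before this hunk.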
@@ -184,6 +190,8 @@ void print_dbus_entry(struct dbus_entry *ent)
 		fprintf(stderr, "receive ");
 	if (ent->mode & AA_DBUS_BIND)
 		fprintf(stderr, "bind ");
+	if (ent->mode & AA_DBUS_EAVESDROP)
+		fprintf(stderr, "eavesdrop ");
 	fprintf(stderr, ")");
 
 	if (ent->bus)
diff --git a/parser/immunix.h b/parser/immunix.h
index f5064e8..c53d18f 100644
--- a/parser/immunix.h
+++ b/parser/immunix.h
@@ -42,10 +42,11 @@
 
 #define AA_DBUS_SEND			AA_MAY_WRITE
 #define AA_DBUS_RECEIVE			AA_MAY_READ
+#define AA_DBUS_EAVESDROP		(1 << 5)
 #define AA_DBUS_BIND			(1 << 6)
 
 #define AA_VALID_DBUS_PERMS		(AA_DBUS_SEND | AA_DBUS_RECEIVE | \
-					 AA_DBUS_BIND)
+					 AA_DBUS_BIND | AA_DBUS_EAVESDROP)
 
 #define AA_BASE_PERMS			(AA_MAY_EXEC | AA_MAY_WRITE | \
 					 AA_MAY_READ | AA_MAY_APPEND | \
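Review bot: AA_DBUS_EAVESDROP is defined here as `(1 << 5)` and again, independently, in libraries/libapparmor/src/apparmor.h in the same patch, with nothing tying the two values together; a new bit is exactly where the two headers can drift. A comment on each definition, `/* must match libraries/libapparmor/src/apparmor.h */` and the reverse in that file, or a single shared definition, would keep them in sync. It is also worth confirming that bit 5 is not used by any other flag that can appear in the mode word of a dbus entry; the hunk does not show the surrounding AA_MAY_* values, so I cannot tell from here.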
diff --git a/parser/parser_lex.l b/parser/parser_lex.l
index b887800..ad2f0f7 100644
--- a/parser/parser_lex.l
+++ b/parser/parser_lex.l
@@ -468,6 +468,7 @@ LT_EQUAL	<=
 	bind		{ RETURN_TOKEN(TOK_BIND); }
 	read		{ RETURN_TOKEN(TOK_READ); }
 	write		{ RETURN_TOKEN(TOK_WRITE); }
+	eavesdrop	{ RETURN_TOKEN(TOK_EAVESDROP); }
 	{OPEN_PAREN}	{
 			yy_push_state(LIST_VAL_MODE);
 			RETURN_TOKEN(TOK_OPENPAREN);
diff --git a/parser/parser_misc.c b/parser/parser_misc.c
index 36149af..36285e8 100644
--- a/parser/parser_misc.c
+++ b/parser/parser_misc.c
@@ -146,6 +146,7 @@ static struct keyword_table keyword_table[] = {
 	{"bind",                TOK_BIND},
 	{"read",                TOK_READ},
 	{"write",               TOK_WRITE},
+	{"eavesdrop",		TOK_EAVESDROP},
 	{"peer",		TOK_PEER},
 
 	/* terminate */
diff --git a/parser/parser_regex.c b/parser/parser_regex.c
index 469ba8b..6dee472 100644
--- a/parser/parser_regex.c
+++ b/parser/parser_regex.c
@@ -1127,6 +1127,13 @@ static int process_dbus_entry(aare_ruleset_t *dfarules, struct dbus_entry *entry
 				6, vec, dfaflags))
 			goto fail;
 	}
+	if (entry->mode & AA_DBUS_EAVESDROP) {
+		if (!aare_add_rule_vec(dfarules, entry->deny,
+				entry->mode & AA_DBUS_EAVESDROP,
+				entry->audit & AA_DBUS_EAVESDROP,
+				1, vec, dfaflags))
+			goto fail;
+	}
 	return TRUE;
 
 fail:
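Review bot: The new eavesdrop rule is added with a vector length of 1 where the branch above uses 6, and nothing in the hunk says why; presumably the eavesdrop match string is the bus name alone, but that contract with the kernel is not visible here. A comment such as `/* eavesdrop rules carry only the bus name, so match on vec[0] alone */` would record it, and it is worth confirming that vec[0] is always populated by this point, since vec is assembled before the hunk and may depend on the rule type. process_dbus_entry starts outside the hunk.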
diff --git a/parser/parser_yacc.y b/parser/parser_yacc.y
index aa21ec9..166798e 100644
--- a/parser/parser_yacc.y
+++ b/parser/parser_yacc.y
@@ -132,6 +132,7 @@ void add_local_entry(Profile *prof);
 %token TOK_BIND
 %token TOK_READ
 %token TOK_WRITE
+%token TOK_EAVESDROP
 %token TOK_PEER
 
  /* rlimits */
@@ -1165,6 +1166,8 @@ dbus_perm: TOK_VALUE
 			$$ = AA_DBUS_SEND;
 		else if (strcmp($1, "receive") == 0 || strcmp($1, "read") == 0)
 			$$ = AA_DBUS_RECEIVE;
+		else if (strcmp($1, "eavesdrop") == 0)
+			$$ = AA_DBUS_EAVESDROP;
 		else if ($1) {
 			parse_dbus_mode($1, &$$, 1);
 		} else
@@ -1178,6 +1181,7 @@ dbus_perm: TOK_VALUE
 	| TOK_RECEIVE { $$ = AA_DBUS_RECEIVE; }
 	| TOK_READ { $$ = AA_DBUS_RECEIVE; }
 	| TOK_WRITE { $$ = AA_DBUS_SEND; }
+	| TOK_EAVESDROP { $$ = AA_DBUS_EAVESDROP; }
 	| TOK_MODE
 	{
 		parse_dbus_mode($1, &$$, 1);
-- 
1.8.3.2



