[apparmor] [PATCH 1/5] parser: Add dbus eavesdrop permission support to apparmor_parser
Tyler Hicks
tyhicks at canonical.com
Wed Nov 20 02:25:06 UTC 2013
On 2013-11-19 18:16:21, Tyler Hicks wrote:
> diff --git a/parser/dbus.c b/parser/dbus.c
> index 7996aa0..d408478 100644
> --- a/parser/dbus.c
> +++ b/parser/dbus.c
> @@ -129,12 +129,18 @@ struct dbus_entry *new_dbus_entry(int mode, struct cond_entry *conds,
> yyerror("dbus \"bind\" access cannot be used with message rule conditionals\n");
> else if (service_rule && (ent->mode & (AA_DBUS_SEND | AA_DBUS_RECEIVE)))
> yyerror("dbus \"send\" and/or \"receive\" accesses cannot be used with service rule conditionals\n");
> + else if (ent->mode & AA_DBUS_EAVESDROP &&
> + (ent->path || ent->interface || ent->member ||
> + ent->peer_label || ent->name)) {
> + yyerror("dbus \"eavesdrop\" access can only contain a bus conditional\n");
> + }
> } else {
> - ent->mode = AA_VALID_DBUS_PERMS;
> if (message_rule)
> - ent->mode &= ~AA_DBUS_BIND;
> + ent->mode = (AA_DBUS_SEND | AA_DBUS_RECEIVE);
> else if (service_rule)
> - ent->mode &= ~(AA_DBUS_SEND | AA_DBUS_RECEIVE);
> + ent->mode = (AA_DBUS_BIND);
> + else
> + ent->mode = AA_VALID_DBUS_PERMS;
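
Review bot: The final else of the implied-permissions branch assigns AA_VALID_DBUS_PERMS without a comment saying that a rule with neither message nor service conditionals now implicitly carries eavesdrop along with send, receive and bind. A one-line comment above "ent->mode = AA_VALID_DBUS_PERMS;" stating that this is intentional would make the behaviour visible to anyone auditing how a bare dbus rule is expanded. Style points in the first half of the hunk: the new test "ent->mode & AA_DBUS_EAVESDROP &&" relies on & binding tighter than &&, so wrapping the mask test in its own parentheses, as the service_rule line just above it does, would be more consistent; the braces around the single yyerror call and the parentheses in "(AA_DBUS_BIND)" also differ from the neighbouring branches.
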
It is worth mentioning that this is the block of code that assigns
permissions when the rule is written using implied permissions.

It was written to grant all D-Bus permissions and then subtract out
certain permissions depending on the type of D-Bus rule that is being
parsed.

Now it is written to only grant certain permissions depending on the
D-Bus rule type. If there is no D-Bus rule type, meaning that it is a
generic D-Bus rule that applies to all D-Bus permissions (send, receive,
bind, and eavesdrop), then all of the D-Bus permissions are granted.

The new logic is a little more future-proof when adding new D-Bus
permissions.

Tyler