[apparmor] [PATCH 1/5] parser: Add dbus eavesdrop permission support to apparmor_parser
Seth Arnold
seth.arnold at canonical.com
Wed Nov 20 02:49:28 UTC 2013
On Tue, Nov 19, 2013 at 06:16:21PM -0800, Tyler Hicks wrote:
> Allows for the policy writer to grant permission to eavesdrop on the
> specified bus. Some example rules for granting the eavesdrop permission
> are:
>
> # Grant send, receive, bind, and eavesdrop
> dbus,
>
> # Grant send, receive, bind, and eavesdrop on the session bus
> dbus bus=session,
>
> # Grant send and eavesdrop on the system bus
> dbus (send eavesdrop) bus=system,
>
> # Grant eavesdrop on any bus
> dbus eavesdrop,
>
> Eavesdropping rules can contain the bus conditional. Any other
> conditionals are not compatible with eavesdropping rules and the parser
> will return an error.
>
> Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
Acked-by: Seth Arnold <seth.arnold at canonical.com>
Small notes inline.
> ---
> libraries/libapparmor/src/apparmor.h | 1 +
> parser/dbus.c | 14 +++++++++++---
> parser/immunix.h | 3 ++-
> parser/parser_lex.l | 1 +
> parser/parser_misc.c | 1 +
> parser/parser_regex.c | 7 +++++++
> parser/parser_yacc.y | 4 ++++
> 7 files changed, 27 insertions(+), 4 deletions(-)
>
> diff --git a/libraries/libapparmor/src/apparmor.h b/libraries/libapparmor/src/apparmor.h
> index 21c9e20..7648eae 100644
> --- a/libraries/libapparmor/src/apparmor.h
> +++ b/libraries/libapparmor/src/apparmor.h
> @@ -50,6 +50,7 @@ __BEGIN_DECLS
>
> #define AA_DBUS_SEND AA_MAY_WRITE
> #define AA_DBUS_RECEIVE AA_MAY_READ
> +#define AA_DBUS_EAVESDROP (1 << 5)
> #define AA_DBUS_BIND AA_MAY_BIND
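Review bot: The new `AA_DBUS_EAVESDROP` value is introduced here as a bare literal in libapparmor's public header and again, independently, in parser/immunix.h (the second hunk of this series), with nothing tying the two definitions together, so a later edit to one header can silently desynchronize the library from the parser. Since this header sits under `__BEGIN_DECLS` and is consumed by library users, the bit also deserves a one-line meaning, e.g. `/* permission to eavesdrop on a bus; keep in sync with parser/immunix.h */`. Whether the kernel side already reserves bit 5 for this purpose is not visible from the patch.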
I'd rather this use AA_MAY_LOCK; if it is going to shadow the value, I
think it should be done explicitly, as the other three are.
> out:
> @@ -184,6 +190,8 @@ void print_dbus_entry(struct dbus_entry *ent)
> fprintf(stderr, "receive ");
> if (ent->mode & AA_DBUS_BIND)
> fprintf(stderr, "bind ");
> + if (ent->mode & AA_DBUS_EAVESDROP)
> + fprintf(stderr, "eavesdrop ");
> fprintf(stderr, ")");
>
> if (ent->bus)
> diff --git a/parser/immunix.h b/parser/immunix.h
> index f5064e8..c53d18f 100644
> --- a/parser/immunix.h
> +++ b/parser/immunix.h
> @@ -42,10 +42,11 @@
>
> #define AA_DBUS_SEND AA_MAY_WRITE
> #define AA_DBUS_RECEIVE AA_MAY_READ
> +#define AA_DBUS_EAVESDROP (1 << 5)
> #define AA_DBUS_BIND (1 << 6)
Much the same here, but also AA_DBUS_BIND could be AA_EXEC_MMAP.
> #define AA_VALID_DBUS_PERMS (AA_DBUS_SEND | AA_DBUS_RECEIVE | \
> - AA_DBUS_BIND)
> + AA_DBUS_BIND | AA_DBUS_EAVESDROP)
>
> #define AA_BASE_PERMS (AA_MAY_EXEC | AA_MAY_WRITE | \
> AA_MAY_READ | AA_MAY_APPEND | \
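Review bot: Widening `AA_VALID_DBUS_PERMS` to include `AA_DBUS_EAVESDROP` is the line that most likely gives existing bare `dbus,` and `dbus bus=session,` rules the new permission (the commit message says those forms now grant eavesdrop), which means profiles that were written before this change gain a broader capability on reload without being edited. If that is the intended semantics, it should be stated explicitly in the commit message and the policy documentation so that profile authors know an unqualified dbus rule now includes eavesdropping; if it is not intended, the default expansion of a bare rule should stay at `AA_DBUS_SEND | AA_DBUS_RECEIVE | AA_DBUS_BIND` and eavesdrop should be opt-in only. Where the bare-rule expansion actually happens is not visible in the quoted hunks.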
> diff --git a/parser/parser_lex.l b/parser/parser_lex.l
> index b887800..ad2f0f7 100644
> --- a/parser/parser_lex.l
> +++ b/parser/parser_lex.l
> @@ -468,6 +468,7 @@ LT_EQUAL <=
> bind { RETURN_TOKEN(TOK_BIND); }
> read { RETURN_TOKEN(TOK_READ); }
> write { RETURN_TOKEN(TOK_WRITE); }
> + eavesdrop { RETURN_TOKEN(TOK_EAVESDROP); }
> {OPEN_PAREN} {
> yy_push_state(LIST_VAL_MODE);
> RETURN_TOKEN(TOK_OPENPAREN);
> diff --git a/parser/parser_misc.c b/parser/parser_misc.c
> index 36149af..36285e8 100644
> --- a/parser/parser_misc.c
> +++ b/parser/parser_misc.c
> @@ -146,6 +146,7 @@ static struct keyword_table keyword_table[] = {
> {"bind", TOK_BIND},
> {"read", TOK_READ},
> {"write", TOK_WRITE},
> + {"eavesdrop", TOK_EAVESDROP},
> {"peer", TOK_PEER},
>
> /* terminate */
> diff --git a/parser/parser_regex.c b/parser/parser_regex.c
> index 469ba8b..6dee472 100644
> --- a/parser/parser_regex.c
> +++ b/parser/parser_regex.c
> @@ -1127,6 +1127,13 @@ static int process_dbus_entry(aare_ruleset_t *dfarules, struct dbus_entry *entry
> 6, vec, dfaflags))
> goto fail;
> }
> + if (entry->mode & AA_DBUS_EAVESDROP) {
> + if (!aare_add_rule_vec(dfarules, entry->deny,
> + entry->mode & AA_DBUS_EAVESDROP,
> + entry->audit & AA_DBUS_EAVESDROP,
> + 1, vec, dfaflags))
> + goto fail;
> + }
> return TRUE;
>
> fail:
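Review bot: The eavesdrop rule is emitted with a vector length of 1, i.e. it encodes only the bus element of `vec`, so any name, path, interface, member or peer conditionals present on the same `dbus_entry` are simply dropped at this point rather than rejected. The commit message promises that non-bus conditionals on an eavesdrop rule are a parse error; that check must therefore live upstream, presumably in the dbus.c hunk that was trimmed from this reply, and this block should say so, e.g. `/* eavesdrop matches on the bus only; other conditionals are rejected in dbus.c */`, so the 1-element vector is not mistaken for an oversight. `process_dbus_entry` begins and ends outside this hunk.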
> diff --git a/parser/parser_yacc.y b/parser/parser_yacc.y
> index aa21ec9..166798e 100644
> --- a/parser/parser_yacc.y
> +++ b/parser/parser_yacc.y
> @@ -132,6 +132,7 @@ void add_local_entry(Profile *prof);
> %token TOK_BIND
> %token TOK_READ
> %token TOK_WRITE
> +%token TOK_EAVESDROP
> %token TOK_PEER
>
> /* rlimits */
> @@ -1165,6 +1166,8 @@ dbus_perm: TOK_VALUE
> $$ = AA_DBUS_SEND;
> else if (strcmp($1, "receive") == 0 || strcmp($1, "read") == 0)
> $$ = AA_DBUS_RECEIVE;
> + else if (strcmp($1, "eavesdrop") == 0)
> + $$ = AA_DBUS_EAVESDROP;
> else if ($1) {
> parse_dbus_mode($1, &$$, 1);
> } else
> @@ -1178,6 +1181,7 @@ dbus_perm: TOK_VALUE
> | TOK_RECEIVE { $$ = AA_DBUS_RECEIVE; }
> | TOK_READ { $$ = AA_DBUS_RECEIVE; }
> | TOK_WRITE { $$ = AA_DBUS_SEND; }
> + | TOK_EAVESDROP { $$ = AA_DBUS_EAVESDROP; }
> | TOK_MODE
> {
> parse_dbus_mode($1, &$$, 1);
> --
> 1.8.3.2
Thanks