[apparmor] [PATCH] parser: Check for kernel support prior to processing dbus entries
John Johansen
john.johansen at canonical.com
Tue Oct 29 22:07:54 UTC 2013
On 10/25/2013 07:19 PM, Tyler Hicks wrote:
> When a parser that is aware of dbus rules is running under a kernel
> that is unaware of dbus rules, the parser should ignore the dbus rules
> instead of attempting to load them into the kernel. Otherwise, the
> kernel will reject the entire profile, leaving the application
> unconfined.
>
> Similar to what is done for mount rules, the features listed in
> apparmorfs should be checked to see if dbus is supported under the
> current kernel.
>
> https://launchpad.net/bugs/1231778
>
> Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
Acked-by: John Johansen <john.johansen at canonical.com>
> ---
> parser/parser.h | 1 +
> parser/parser_common.c | 1 +
> parser/parser_main.c | 2 ++
> parser/parser_regex.c | 16 ++++++++++------
> 4 files changed, 14 insertions(+), 6 deletions(-)
>
> diff --git a/parser/parser.h b/parser/parser.h
> index dacf337..4b77ee5 100644
> --- a/parser/parser.h
> +++ b/parser/parser.h
> @@ -224,6 +224,7 @@ extern int net_af_max_override;
> extern int kernel_load;
> extern int kernel_supports_network;
> extern int kernel_supports_mount;
> +extern int kernel_supports_dbus;
> extern int conf_verbose;
> extern int conf_quiet;
> extern int names_only;
> diff --git a/parser/parser_common.c b/parser/parser_common.c
> index c0fa107..53a3e70 100644
> --- a/parser/parser_common.c
> +++ b/parser/parser_common.c
> @@ -27,6 +27,7 @@ int net_af_max_override = -1; /* use kernel to determine af_max */
> int kernel_load = 1;
> int kernel_supports_network = 1; /* kernel supports network rules */
> int kernel_supports_mount = 0; /* kernel supports mount rules */
> +int kernel_supports_dbus = 0; /* kernel supports dbus rules */
> int conf_verbose = 0;
> int conf_quiet = 0;
> int names_only = 0;
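Review bot: the default of 0 for kernel_supports_dbus is the right direction, and it deserves a comment because it differs from kernel_supports_network = 1 two lines above: if the apparmorfs features string is never read, dbus rules are dropped with a warning instead of being sent to a kernel that would reject the whole profile, which is exactly the failure the commit message is trying to avoid. Something like `/* kernel supports dbus rules; set by get_match_string() */` would make clear that the asymmetry with the network default is deliberate rather than an oversight.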
> diff --git a/parser/parser_main.c b/parser/parser_main.c
> index 263c7dc..d3a0234 100644
> --- a/parser/parser_main.c
> +++ b/parser/parser_main.c
> @@ -757,6 +757,8 @@ static void get_match_string(void) {
> kernel_supports_network = 0;
> if (strstr(flags_string, "mount"))
> kernel_supports_mount = 1;
> + if (strstr(flags_string, "dbus"))
> + kernel_supports_dbus = 1;
> return;
> }
>
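Review bot: `strstr(flags_string, "dbus")` is a substring match, so any future feature name that merely contains "dbus" would flip kernel_supports_dbus to 1 on a kernel that does not actually accept dbus rules, and the profile would then be rejected as before. The existing `strstr(flags_string, "mount")` check has the same weakness, so this is consistent with it, but matching whole tokens of the features string would be more robust for both and is worth a follow-up.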
> diff --git a/parser/parser_regex.c b/parser/parser_regex.c
> index aa52ad5..f61af37 100644
> --- a/parser/parser_regex.c
> +++ b/parser/parser_regex.c
> @@ -1157,14 +1157,18 @@ static int post_process_mnt_ents(Profile *prof)
> static int post_process_dbus_ents(Profile *prof)
> {
> int ret = TRUE;
> - struct dbus_entry *entry;
> int count = 0;
>
> - list_for_each(prof->dbus_ents, entry) {
> - if (!process_dbus_entry(prof->policy.rules, entry))
> - ret = FALSE;
> - count++;
> - }
> + if (prof->dbus_ents && kernel_supports_dbus) {
> + struct dbus_entry *entry;
> +
> + list_for_each(prof->dbus_ents, entry) {
> + if (!process_dbus_entry(prof->policy.rules, entry))
> + ret = FALSE;
> + count++;
> + }
> + } else if (prof->dbus_ents && !kernel_supports_dbus)
> + pwarn("profile %s dbus rules not enforced\n", prof->name);
>
> prof->policy.count += count;
> return ret;
>
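Review bot: the `!kernel_supports_dbus` test in the `else if` at the end of the hunk is redundant, since that branch is only reached when the first condition was false and `prof->dbus_ents` is already re-checked there; `} else if (prof->dbus_ents) {` says the same thing, and giving the branch braces matches the brace style of the `if` above it. Also, pwarn() is now the only indication that a profile was loaded with weaker policy than its text declares; that is the trade-off the commit message asks for, but the message would be more useful to an admin reading logs if it named the cause, e.g. "profile %s dbus rules not enforced: kernel lacks dbus support\n".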