[apparmor] [patch 07/26] Add tag indicating file policy is mediated.

Seth Arnold seth.arnold at canonical.com
Wed Apr 16 23:34:06 UTC 2014


On Tue, Apr 15, 2014 at 10:22:14AM -0700, john.johansen at canonical.com wrote:
> Tag start of entries in the policydb as being mediated. This makes
> the start state for any class being mediated be non-zero. The kernel
> can detect this to determine whether the parser expected mediation
> for the class.
> 
> This is just a way of encoding what features expect mediation within
> the policydb itself so that a separate table isn't needed.
> 
> This is also used to indicate the new unix semantics for mediation of
> unix domain sockets on connect should be applied.
> 
> Note: this does cause a fail open situation on Ubuntu Saucy, which
> did not properly indicate support. That is, if a kernel using this patch
> is installed on an Ubuntu Saucy system, unix domain socket mediation
> on connect won't happen; instead the older behavior will be applied.
> This won't cause policy failures as it is less strict than what
> Ubuntu Saucy applies.

Unfortunate, but we can't really change what has already happened. At
least saucy hits EOL in July, so this won't be hanging over our heads for
an eternity either.

> This is necessary so that AppArmor can properly function on older
> userspaces without a compile time configuration on the kernel to determine
> behavior. A kernel expecting this behavior will function correctly
> with all old userspaces, except that it will not enforce connect time mediation
> on Ubuntu Saucy. However, Ubuntu does not support Trusty (or newer)
> kernels as backports to Saucy, so this does not break them.
> 
> Signed-off-by: John Johansen <john.johansen at canonical.com>

Acked-by: Seth Arnold <seth.arnold at canonical.com>

Thanks

> ---
>  parser/parser.h           |    2 ++
>  parser/parser_common.c    |    2 ++
>  parser/parser_interface.c |    3 +--
>  parser/parser_main.c      |    4 ++++
>  parser/parser_regex.c     |    5 +++++
>  5 files changed, 14 insertions(+), 2 deletions(-)
> 
> --- 2.9-test.orig/parser/parser.h
> +++ 2.9-test/parser/parser.h
> @@ -257,7 +257,9 @@
>  extern int perms_create;
>  extern int net_af_max_override;
>  extern int kernel_load;
> +extern int kernel_policy_version;
>  extern int kernel_supports_network;
> +extern int kernel_supports_policydb;
>  extern int kernel_supports_mount;
>  extern int kernel_supports_dbus;
>  extern int conf_verbose;
> --- 2.9-test.orig/parser/parser_common.c
> +++ 2.9-test/parser/parser_common.c
> @@ -25,7 +25,9 @@
>  int perms_create = 0;                   /* perms contain create flag */
>  int net_af_max_override = -1;           /* use kernel to determine af_max */
>  int kernel_load = 1;
> +int kernel_policy_version = 5;		/* default to base version */
>  int kernel_supports_network = 0;        /* kernel supports network rules */
> +int kernel_supports_policydb = 0;	/* kernel supports new policydb */
>  int kernel_supports_mount = 0;	        /* kernel supports mount rules */
>  int kernel_supports_dbus = 0;		/* kernel supports dbus rules */
>  int conf_verbose = 0;
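Review bot: the two added lines are aligned with tabs while the neighbouring `kernel_supports_network` line is aligned with spaces, so the comment column only lines up at one tab width; match the surrounding style. The comment `/* default to base version */` would also be more useful if it said what versions 5 and 6 correspond to, since `kernel_policy_version` is the value later written into the serialized profile header.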
> --- 2.9-test.orig/parser/parser_interface.c
> +++ 2.9-test/parser/parser_interface.c
> @@ -61,7 +61,6 @@
>  #define SD_CODE_SIZE (sizeof(u8))
>  #define SD_STR_LEN (sizeof(u16))
>  
> -#define SUBDOMAIN_INTERFACE_DFA_VERSION 5
>  
>  int __sd_serialize_profile(int option, Profile *prof);
>  
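Review bot: removing `#define SUBDOMAIN_INTERFACE_DFA_VERSION 5` leaves two consecutive blank lines ahead of the `__sd_serialize_profile` prototype; drop one. This hunk removes only the definition and the next hunk replaces a single use, so check the tree for any other reference to the macro before merging.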
> @@ -683,7 +682,7 @@
>  {
>  	int version;
>  
> -	version = SUBDOMAIN_INTERFACE_DFA_VERSION;
> +	version = kernel_policy_version;
>  
>  	if (!sd_write_name(p, "version"))
>  		return 0;
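Review bot: `version = kernel_policy_version;` emits whatever the global holds at call time, and its default of 5 (set in parser_common.c) is written silently if the features_string inspection in parser_main.c is never reached. Since this same patch adds a rule that is only emitted for version > 5, consider making the serializer fail or warn when the version has not actually been determined, rather than wrapping a profile in a v5 header by default.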
> --- 2.9-test.orig/parser/parser_main.c
> +++ 2.9-test/parser/parser_main.c
> @@ -838,6 +838,10 @@
>  	perms_create = 1;
>  
>  	/* TODO: make this real parsing and config setting */
> +	if (strstr(features_string, "file {"))	/* pre policydb is file= */
> +		kernel_supports_policydb = 1;
> +	if (strstr(features_string, "v6"))
> +		kernel_policy_version = 6;
>  	if (strstr(features_string, "network"))
>  		kernel_supports_network = 1;
>  	if (strstr(features_string, "mount"))
> --- 2.9-test.orig/parser/parser_regex.c
> +++ 2.9-test/parser/parser_regex.c
> @@ -672,6 +672,7 @@
>  #define MAKE_STR(X) #X
>  #define CLASS_STR(X) "\\d" MAKE_STR(X)
>  
> +static const char *mediates_file = CLASS_STR(AA_CLASS_FILE);
>  static const char *mediates_mount = CLASS_STR(AA_CLASS_MOUNT);
>  static const char *mediates_dbus =  CLASS_STR(AA_CLASS_DBUS);
>  
> @@ -690,6 +691,10 @@
>  	 * to be supported
>  	 */
>  
> +	/* note: this activates unix domain sockets mediation on connect */
> +	if (kernel_policy_version > 5 &&
> +	    !prof->policy.rules->add_rule(mediates_file, 0, AA_MAY_READ, 0, dfaflags))
> +		goto out;
>  	if (kernel_supports_mount &&
>  	    !prof->policy.rules->add_rule(mediates_mount, 0, AA_MAY_READ, 0, dfaflags))
>  			goto out;
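Review bot: the new rule is gated on `kernel_policy_version > 5` only, while `kernel_supports_policydb`, which this patch introduces and sets in parser_main.c, is not consulted anywhere in the diff; either the flag is dead in this patch or the gate should be `kernel_supports_policydb && kernel_policy_version > 5`, which is what "file policy is mediated" in the subject suggests. The `goto out;` in the added block is also indented one tab shallower than the existing mount branch directly below it. Finally, the comment `/* note: this activates unix domain sockets mediation on connect */` describes a side effect; it would read better if it first said that adding the `mediates_file` start rule is what makes the AA_CLASS_FILE start state non-zero, which the kernel interprets as "mediated" per the commit message.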