[apparmor] [patch 06/12] parser: Add support for unix domain socket rules.
Seth Arnold
seth.arnold at canonical.com
Sat Aug 16 01:45:42 UTC 2014
On Fri, Aug 15, 2014 at 12:20:41PM -0700, john.johansen at canonical.com wrote:
> This patch implements parsing of fine grained mediation for unix domain
> sockets, that have abstract and anonymous paths. Sockets with file
> system paths are handled by regular file access rules.
Sorry, no feedback yet on the questions raised in the POD. I'm leaning
towards just documenting what you've got and changing things if people
raise complaints in deployment testing.
Small comments inline.
Thanks
> + rule.h common_optarg.h signal.h ptrace.h network.h af_rule.h af_unix.h
> TOOLS = apparmor_parser
>
> OBJECTS = $(SRCS:.c=.o)
> @@ -233,7 +234,7 @@
> parser_common.o: parser_common.c parser.h
> $(CXX) $(EXTRA_CFLAGS) -c -o $@ $<
>
> -mount.o: mount.c mount.h parser.h immunix.h rule.h
> +mount.o: mount.cc mount.h parser.h immunix.h rule.h
> $(CXX) $(EXTRA_CFLAGS) -c -o $@ $<
>
> common_optarg.o: common_optarg.c common_optarg.h parser.h libapparmor_re/apparmor_re.h
> @@ -242,22 +243,28 @@
> lib.o: lib.c lib.h parser.h
> $(CXX) $(EXTRA_CFLAGS) -c -o $@ $<
>
> -dbus.o: dbus.c dbus.h parser.h immunix.h parser_yacc.h rule.h $(APPARMOR_H)
> +dbus.o: dbus.cc dbus.h parser.h immunix.h parser_yacc.h rule.h $(APPARMOR_H)
> $(CXX) $(EXTRA_CFLAGS) -c -o $@ $<
>
> -signal.o: signal.c signal.h parser.h immunix.h parser_yacc.h rule.h $(APPARMOR_H)
> +signal.o: signal.cc signal.h parser.h immunix.h parser_yacc.h rule.h $(APPARMOR_H)
> $(CXX) $(EXTRA_CFLAGS) -c -o $@ $<
>
> -ptrace.o: ptrace.c ptrace.h parser.h immunix.h parser_yacc.h rule.h $(APPARMOR_H)
> +ptrace.o: ptrace.cc ptrace.h parser.h immunix.h parser_yacc.h rule.h $(APPARMOR_H)
> $(CXX) $(EXTRA_CFLAGS) -c -o $@ $<
>
There are several changes in the Makefile that aren't reflected in this
patch -- e.g., changing dbus.c to dbus.cc -- that should probably be
moved to the patch that renames those specific files.
> +{
> + struct supported_cond *i;
> + for (i = conds; i->name; i++) {
> + if (strcmp(ent->name, i->name) != 0)
> + continue;
> + if (!i->supported)
> + yyerror("%s rule: '%s' conditional is not currently supported\n", rname, ent->name);
> + if (!peer && (i->side == peer_cond))
> + yyerror("%s rule: '%s' conditional is only valid in the peer expression\n", rname, ent->name);
> + if (peer && (i->side == local_cond))
> + yyerror("%s rule: '%s' conditional is not allowed in the peer expression\n", rname, ent->name);
> + if (!ent->eq && !i->in)
> + yyerror("%s rule: keyword 'in' is not allowed in '%s' socket conditional\n", rname, ent->name);
> + if (list_len(ent->vals) > 1 && !i->multivalue)
> + yyerror("%s rule: conditional '%s' only supports a single value\n", rname, ent->name);
> + return true;
> + }
> +
> + /* not in support table */
> + return false;
> +}
> +
> +/* generic af supported conds.
> + * returns: true if processed, else false
> + */
> +int af_rule::move_base_cond(struct cond_entry *ent, bool peer)
> +{
> + if (!cond_check(supported_conds, ent, peer, "unknown"))
> + return false;
> +
> + if (strcmp(ent->name, "type") == 0) {
> + move_conditional_value("socket rule", &sock_type, ent);
> + sock_type_n = net_find_type_val(sock_type);
> + if (sock_type_n == -1)
> + yyerror("socket rule: invalid socket type '%s'", sock_type);
> + } else if (strcmp(ent->name, "protocol") == 0) {
> + yyerror("socket rule: 'protocol' conditional is not currently supported\n");
> + } else if (strcmp(ent->name, "label") == 0) {
> + if (peer)
> + move_conditional_value("unix", &label, ent);
> + else
> + move_conditional_value("unix", &peer_label, ent);
> + } else
> + return false;
> +
> + return true;
> +}
> +
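Review bot: the `label` branch in move_base_cond looks inverted: when `peer` is true the value is moved into `label`, and when `peer` is false it goes into `peer_label`, while cond_check just above uses `peer` to mean "this conditional appears in the peer expression". Unless the naming is deliberate, the two calls should be swapped so the peer expression's label ends up in `peer_label`. Separately, the cond_check call passes "unknown" as rname, so a rejected conditional is reported as "unknown rule: ..." rather than naming the rule; using the same "socket rule" string as the other yyerror messages in this function would keep the diagnostics consistent.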
af_rule::cond_check and af_rule::move_base_cond only ever return bools but
are typed to return int; perhaps their prototypes could be tightened.
> +bool Profile::alloc_net_table()
> +{
> + if (net.allow)
> + return true;
> + net.allow = (unsigned int *) calloc(get_af_max(), sizeof(unsigned int));
> + net.audit = (unsigned int *)calloc(get_af_max(), sizeof(unsigned int));
> + net.deny = (unsigned int *)calloc(get_af_max(), sizeof(unsigned int));
> + net.quiet = (unsigned int *)calloc(get_af_max(), sizeof(unsigned int));
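Review bot: none of the four calloc results in alloc_net_table is checked for NULL, and the early-return test only looks at net.allow, so if the audit, deny or quiet allocation fails the function still returns true and a later call sees net.allow set and treats the table as fully built. Check each allocation before returning (freeing the ones that succeeded, or failing the way the parser's other allocation paths do).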
Some inconsistent spacing here.