[apparmor] [patch 14/XX] (v2) convert af_unix rules to support addr= rather than path=

Steve Beattie steve at nxnw.org
Fri Aug 22 23:24:46 UTC 2014


On Fri, Aug 22, 2014 at 04:05:12PM -0500, Jamie Strandboge wrote:
> Since we are actually talking about abstract sockets and both the unix(7) man
> page and the sun_path contains what the man page refers to as the socket address
> *and* this address does not live in the filesystem (it just happens to look like
> a filesystem path) *and* future consistency would be better served by making
> these look like network, I think I most prefer 'addr' over 'name' or 'path'. We
> therefore have:
> 
> unix addr="@/path",           # local abstract, log uses: addr="@/path"
> unix peer=(addr="@/path"),    # peer abstract, log uses: peer_addr="@/path"
> unix addr=none,               # local anonymous, log uses: addr=none
> unix peer=(addr=none),        # peer anonymous, log uses: peer_addr=none
> 
> A future network syntax could therefore be:
> network addr=192.168.0.1,     # local address, log uses: laddr=192.168.0.1
> network peer=(addr=10.0.0.1), # foreign address, log uses: faddr=10.0.0.1

This is probably the least bad option. Patch updated to do this:

This patch converts the path= modifier to the af_unix rules to use
addr= instead.

Signed-off-by: Steve Beattie <steve at nxnw.org>
---
 parser/af_unix.cc                            |    2 
 parser/apparmor.d.pod                        |   64 +++++++++++++--------------
 parser/tst/simple_tests/unix/bad_bind_1.sd   |    2 
 parser/tst/simple_tests/unix/bad_bind_2.sd   |    2 
 parser/tst/simple_tests/unix/bad_peer_1.sd   |    4 -
 parser/tst/simple_tests/unix/bad_regex_01.sd |    4 -
 parser/tst/simple_tests/unix/bad_regex_02.sd |    2 
 parser/tst/simple_tests/unix/bad_regex_04.sd |    4 -
 parser/tst/simple_tests/unix/ok_bind_1.sd    |    2 
 parser/tst/simple_tests/unix/ok_msg_7.sd     |    2 
 parser/tst/simple_tests/unix/ok_msg_8.sd     |    2 
 parser/tst/simple_tests/unix/ok_msg_9.sd     |    2 
 12 files changed, 47 insertions(+), 45 deletions(-)

Index: b/parser/af_unix.cc
===================================================================
--- a/parser/af_unix.cc
+++ b/parser/af_unix.cc
@@ -37,7 +37,7 @@ int parse_unix_mode(const char *str_mode
 
 
 static struct supported_cond supported_conds[] = {
-	{ "path", true, false, false, either_cond },
+	{ "addr", true, false, false, either_cond },
 	{ NULL, false, false, false, local_cond },	/* sentinal */
 };
 
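Review bot: replacing the "path" entry with "addr" in supported_conds drops the old keyword outright, so any profile still written with path= now fails to parse rather than being accepted with a deprecation warning; that is acceptable while the af_unix syntax is unreleased, but the commit message should say so explicitly. The untouched sentinel comment on the following line reads "sentinal"; since this table is being edited anyway, fix the spelling to "sentinel".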
Index: b/parser/apparmor.d.pod
===================================================================
--- a/parser/apparmor.d.pod
+++ b/parser/apparmor.d.pod
@@ -175,13 +175,13 @@ B<TYPE COND> = 'type' '='  ( <AARE> | '(
 
 B<PROTO COND> = 'protocol' '='  ( <AARE> | '(' ( '"' <AARE> '"' | <AARE> )+ ')' )
 
-B<UNIX LOCAL EXPR> = ( I<UNIX PATH COND> | I<UNIX LABEL COND> | I<UNIX ATTR COND> | I<UNIX OPT COND> )*
+B<UNIX LOCAL EXPR> = ( I<UNIX ADDRESS COND> | I<UNIX LABEL COND> | I<UNIX ATTR COND> | I<UNIX OPT COND> )*
  each cond can appear at most once
 
-B<UNIX PEER EXPR> = 'peer' '=' ( I<UNIX PATH COND> | I<UNIX LABEL COND> )+
+B<UNIX PEER EXPR> = 'peer' '=' ( I<UNIX ADDRESS COND> | I<UNIX LABEL COND> )+
  each cond can appear at most once
 
-B<UNIX PATH COND> 'path' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')' )
+B<UNIX ADDRESS COND> 'addr' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')' )
 
 B<UNIX LABEL COND> 'label' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')' )
 
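Review bot: the rewritten B<UNIX ADDRESS COND> production (and the B<UNIX LABEL COND> one after it) lacks the '=' that every other production in this grammar uses, compare `B<PROTO COND> = 'protocol' '=' ...` a few lines above, and its parenthesised alternative `'(' '"' <AARE> '"' | <AARE> ')'` omits the grouping that B<PROTO COND> spells out as `'(' ( '"' <AARE> '"' | <AARE> )+ ')'`. Suggest `B<UNIX ADDRESS COND> = 'addr' '=' ( <AARE> | '(' ( '"' <AARE> '"' | <AARE> )+ ')' )` if addr= accepts a list like protocol= does, or the same form without the '+' if it does not.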
@@ -897,26 +897,28 @@ domain sockets, see man 7 unix for more
 
 =head3 Unix socket paths
 
-The path component of a unix domain socket is specified by the
-  path=
-conditional. If a path conditional is not specified as part of a rule
-then the rule matches both abstract and anonymous sockets.
-
-In apparmor the path of an abstract unix domain socket begins with the
-I<@> character, similar to how they are reported by netstat -x. The name
-then follows and may contain pattern matching and any characters including
-the null character. In apparmor null characters must be specified by using
-an escape sequence I<\000> or I<\x00>. The pattern matching is the same
-as is used by path matching so * will not match I</> even though it
-has no special meaning with in an abstract socket name. Eg.
-  unix path=@*,
-
-Anonymous unix domain sockets have no path associated with them, however
-it can be specified with the special I<none> keyword to indicate the
-rule only applies to anonymous unix domain sockets. Eg.
-  unix path=none,
+The path address component of a unix domain socket is specified by the
+  addr=
 
-If the path component of a rule is not specified then the rule applies
+conditional. If an address conditional is not specified as part of
+a rule then the rule matches both abstract and anonymous sockets.
+
+In apparmor the address of an abstract unix domain socket begins with
+the I<@> character, similar to how they are reported (as paths) by
+netstat -x. The address then follows and may contain pattern matching
+and any characters including the null character. In apparmor null
+characters must be specified by using an escape sequence I<\000> or
+I<\x00>. The pattern matching is the same as is used by path matching
+so * will not match I</> even though it has no special meaning with
+in an abstract socket name. Eg.
+  unix addr=@*,
+
+Anonymous unix domain sockets have no address associated with
+them, however it can be specified with the special I<none> keyword
+to indicate the rule only applies to anonymous unix domain sockets. Eg.
+  unix addr=none,
+
+If the address component of a rule is not specified then the rule applies
 to both abstract and anonymous sockets.
 
 =head3 Unix socket permissions
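Review bot: "The path address component" on the first added line still carries the old word; it should read "The address component". The blank context line that now sits between "  addr=" and "conditional. If an address conditional ..." splits one sentence across two POD paragraphs, so the second half renders as a paragraph beginning with "conditional."; keep the three lines together as the original did, or move the blank line after "conditional.". Also "with in" (wrapped as "with" / "in" on the added lines) should be "within", and note that "  unix addr=@*," and "  unix addr=none," follow "Eg." with no blank line, so POD treats them as part of the ordinary paragraph and reflows them instead of rendering them verbatim.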
@@ -925,7 +927,7 @@ socket permissions are the union of all
 
 Unix domain socket rules are broad and general and become more restrictive     
 as further information is specified. Policy may be specified down to           
-the path and label level. The content of the communication is not              
+the address and label level. The content of the communication is not
 examined.                                                                      
 
 Unix socket rule permissions are implied when a rule does not explicitly       
@@ -961,20 +963,20 @@ create, bind, listen, shutdown, getattr,
 
   unix type=dgram,
 
-  unix path=none
+  unix addr=none
 
-  unix path=@foo,
+  unix addr=@foo,
 
-  unix type=stream path=@foo,
+  unix type=stream addr=@foo,
 
-  unix server path=@foo,
+  unix server addr=@foo,
 
-  unix accept path=@foo peer=(label=/bar),
+  unix accept addr=@foo peer=(label=/bar),
 
-  unix receive path=@foo peer=(label=/bar),
+  unix receive addr=@foo peer=(label=/bar),
 
 
-  unix path=none
+  unix addr=none
 
 
 =head3 Abstract unix domain sockets autobind
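Review bot: both "unix addr=none" examples lack the trailing comma that every other example in this list carries, and the second one (after the two blank lines) is a duplicate of the first; add the comma and either drop the duplicate or replace it with a distinct rule.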
@@ -1000,7 +1002,7 @@ Eg.
 Fine grained mediation rules however can not be lossly converted back
 to the coarse grained network rule. Eg
 
-   unix bind path=@example,
+   unix bind addr=@example,
 
 Has no exact match under coarse grained network rules, the closest match is
 the much wider permission rule of.
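Review bot: the unchanged context line "can not be lossly converted back" should read "cannot be losslessly converted back"; worth fixing while this paragraph is being touched.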
Index: b/parser/tst/simple_tests/unix/bad_bind_1.sd
===================================================================
--- a/parser/tst/simple_tests/unix/bad_bind_1.sd
+++ b/parser/tst/simple_tests/unix/bad_bind_1.sd
@@ -4,5 +4,5 @@
 #
 
 profile foo {
-  unix bind peer=(path=@foo ),
+  unix bind peer=(addr=@foo ),
 }
Index: b/parser/tst/simple_tests/unix/bad_bind_2.sd
===================================================================
--- a/parser/tst/simple_tests/unix/bad_bind_2.sd
+++ b/parser/tst/simple_tests/unix/bad_bind_2.sd
@@ -4,5 +4,5 @@
 #
 
 profile foo {
-  unix bind label=foo path=@bar,
+  unix bind label=foo addr=@bar,
 }
Index: b/parser/tst/simple_tests/unix/bad_peer_1.sd
===================================================================
--- a/parser/tst/simple_tests/unix/bad_peer_1.sd
+++ b/parser/tst/simple_tests/unix/bad_peer_1.sd
@@ -3,7 +3,7 @@
 #=EXRESULT FAIL
 #
 
-# path must be none for anonymous or start with @ for abstract
+# path address must be none for anonymous or start with @ for abstract
 profile foo {
-  unix send peer(path=wat),
+  unix send peer(addr=wat),
 }
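Review bot: the comment still reads "path address must be none ..."; drop the leftover "path". More importantly, "unix send peer(addr=wat)," is missing the '=' after peer, so this FAIL test has two independent reasons to be rejected (malformed peer syntax and an address that is neither none nor @-prefixed) and would keep passing even if the address check regressed. Use peer=(addr=wat) so the test exercises only the condition the comment documents.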
Index: b/parser/tst/simple_tests/unix/bad_regex_01.sd
===================================================================
--- a/parser/tst/simple_tests/unix/bad_regex_01.sd
+++ b/parser/tst/simple_tests/unix/bad_regex_01.sd
@@ -1,8 +1,8 @@
 #
-#=DESCRIPTION unix rule with a bad path regex expansion
+#=DESCRIPTION unix rule with a bad addr regex expansion
 #=EXRESULT FAIL
 #
 
 profile foo {
-  unix send path=@foo{one,two peer=(label=splat),
+  unix send addr=@foo{one,two peer=(label=splat),
 }
Index: b/parser/tst/simple_tests/unix/bad_regex_02.sd
===================================================================
--- a/parser/tst/simple_tests/unix/bad_regex_02.sd
+++ b/parser/tst/simple_tests/unix/bad_regex_02.sd
@@ -4,5 +4,5 @@
 #
 
 profile foo {
-  unix bind path=abcd]efg,
+  unix bind addr=abcd]efg,
 }
Index: b/parser/tst/simple_tests/unix/bad_regex_04.sd
===================================================================
--- a/parser/tst/simple_tests/unix/bad_regex_04.sd
+++ b/parser/tst/simple_tests/unix/bad_regex_04.sd
@@ -1,8 +1,8 @@
 #
-#=DESCRIPTION unix rule with a bad path regex expansion
+#=DESCRIPTION unix rule with a bad path address regex expansion
 #=EXRESULT FAIL
 #
 
 profile foo {
-  unix send path=/some/random/{path peer=(label=splat),
+  unix send addr=/some/random/{path peer=(label=splat),
 }
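Review bot: the #=DESCRIPTION line reads "bad path address regex expansion"; the stray "path" looks like a search-and-replace leftover, since bad_regex_01 in this same patch was changed to "bad addr regex expansion". Use the same wording here.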
Index: b/parser/tst/simple_tests/unix/ok_bind_1.sd
===================================================================
--- a/parser/tst/simple_tests/unix/ok_bind_1.sd
+++ b/parser/tst/simple_tests/unix/ok_bind_1.sd
@@ -3,5 +3,5 @@
 #=EXRESULT PASS
 
 profile a_profile {
-  unix path=@SomeService,
+  unix addr=@SomeService,
 }
Index: b/parser/tst/simple_tests/unix/ok_msg_7.sd
===================================================================
--- a/parser/tst/simple_tests/unix/ok_msg_7.sd
+++ b/parser/tst/simple_tests/unix/ok_msg_7.sd
@@ -3,5 +3,5 @@
 #=EXRESULT PASS
 
 profile a_profile {
-  unix (send) path=none,
+  unix (send) addr=none,
 }
Index: b/parser/tst/simple_tests/unix/ok_msg_8.sd
===================================================================
--- a/parser/tst/simple_tests/unix/ok_msg_8.sd
+++ b/parser/tst/simple_tests/unix/ok_msg_8.sd
@@ -3,5 +3,5 @@
 #=EXRESULT PASS
 
 profile a_profile {
-  unix (send) path=@foo,
+  unix (send) addr=@foo,
 }
Index: b/parser/tst/simple_tests/unix/ok_msg_9.sd
===================================================================
--- a/parser/tst/simple_tests/unix/ok_msg_9.sd
+++ b/parser/tst/simple_tests/unix/ok_msg_9.sd
@@ -3,5 +3,5 @@
 #=EXRESULT PASS
 
 profile a_profile {
-  unix (send) peer=(path=@foo),
+  unix (send) peer=(addr=@foo),
 }

-- 
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/