[apparmor] [patch 02/12] parser: Add support for unix domain socket rules.

Jamie Strandboge jamie at canonical.com
Wed Aug 27 21:03:55 UTC 2014


On 08/27/2014 02:56 PM, Steve Beattie wrote:
> On Mon, Aug 25, 2014 at 05:06:07PM -0700, john.johansen at canonical.com wrote:
>> This patch implements parsing of fine grained mediation for unix domain
>> sockets, that have abstract and anonymous paths. Sockets with file
>> system paths are handled by regular file access rules.
>>
>> the unix network rules follow the general fine grained network
>> rule pattern of
>>
>>   [<qualifiers>] af_name [<access expr>] [<rule conds>] [<local expr>] [<peer expr>]
>>
>> specifically for af_unix this is
>>
>>   [<qualifiers>] 'unix' [<access expr>] [<rule conds>] [<local expr>] [<peer expr>]
>>
>>   <qualifiers> = [ 'audit' ] [ 'allow' | 'deny' ]
>>
>>   <access expr> = ( <access> | <access list> )
>>
>>   <access> = ( 'server' | 'create' | 'bind' | 'listen' | 'accept' |
>>                'connect' | 'shutdown' | 'getattr' | 'setattr' |
>> 	       'getopt' | 'setopt' |
>>                'send' | 'receive' | 'r' | 'w' | 'rw' )
>>   (some access modes are incompatible with some rules or require additional
>>    parameters)
>>
>>   <access list> = '(' <access> ( [','] <WS> <access> )* ')' 
> 
> So I'm testing a bit with this patch and it seems that the patch doesn't
> implement this exactly. Currently, the parser does not accept the following:
> 
>   unix send,
>   unix receive,
>   unix server,
>   unix (server),
> 
> Implementing the latter two requires a bit of complexity that I wasn't
> prepared to tackle at this moment. The following patch adds support
> for the first two, as well as adding a bunch more simple acceptance
> tests for the various access keywords.
> 
> Signed-off-by: Steve Beattie <steve at nxnw.org>

Note, 'server' isn't documented in the man page either. Perhaps we can add
'server' later?

> ---
>  parser/parser_lex.l                           |    2 +-
>  parser/tst/simple_tests/unix/ok_accept_1.sd   |    7 +++++++
>  parser/tst/simple_tests/unix/ok_accept_2.sd   |    7 +++++++
>  parser/tst/simple_tests/unix/ok_attr_1.sd     |    7 +++++++
>  parser/tst/simple_tests/unix/ok_attr_2.sd     |    7 +++++++
>  parser/tst/simple_tests/unix/ok_attr_3.sd     |    7 +++++++
>  parser/tst/simple_tests/unix/ok_attr_4.sd     |    7 +++++++
>  parser/tst/simple_tests/unix/ok_bind_2.sd     |    7 +++++++
>  parser/tst/simple_tests/unix/ok_bind_3.sd     |    7 +++++++
>  parser/tst/simple_tests/unix/ok_connect_1.sd  |    7 +++++++
>  parser/tst/simple_tests/unix/ok_connect_2.sd  |    7 +++++++
>  parser/tst/simple_tests/unix/ok_create_1.sd   |    7 +++++++
>  parser/tst/simple_tests/unix/ok_create_2.sd   |    7 +++++++
>  parser/tst/simple_tests/unix/ok_listen_1.sd   |    7 +++++++
>  parser/tst/simple_tests/unix/ok_listen_2.sd   |    7 +++++++
>  parser/tst/simple_tests/unix/ok_msg_11.sd     |    7 +++++++
>  parser/tst/simple_tests/unix/ok_msg_12.sd     |    7 +++++++
>  parser/tst/simple_tests/unix/ok_msg_13.sd     |    7 +++++++
>  parser/tst/simple_tests/unix/ok_msg_14.sd     |    7 +++++++
>  parser/tst/simple_tests/unix/ok_msg_15.sd     |    7 +++++++
>  parser/tst/simple_tests/unix/ok_msg_16.sd     |    7 +++++++
>  parser/tst/simple_tests/unix/ok_msg_17.sd     |    7 +++++++
>  parser/tst/simple_tests/unix/ok_msg_18.sd     |    7 +++++++
>  parser/tst/simple_tests/unix/ok_msg_19.sd     |    7 +++++++
>  parser/tst/simple_tests/unix/ok_opt_1.sd      |    7 +++++++
>  parser/tst/simple_tests/unix/ok_opt_2.sd      |    7 +++++++
>  parser/tst/simple_tests/unix/ok_opt_3.sd      |    7 +++++++
>  parser/tst/simple_tests/unix/ok_opt_4.sd      |    7 +++++++
>  parser/tst/simple_tests/unix/ok_shutdown_1.sd |    7 +++++++
>  parser/tst/simple_tests/unix/ok_shutdown_2.sd |    7 +++++++
>  30 files changed, 204 insertions(+), 1 deletion(-)
> 
> Index: b/parser/parser_lex.l
> ===================================================================
> --- a/parser/parser_lex.l
> +++ b/parser/parser_lex.l
> @@ -489,7 +489,7 @@ LT_EQUAL	<=
>  	eavesdrop	{ RETURN_TOKEN(TOK_EAVESDROP); }
>  }
>  
> -<DBUS_MODE,SIGNAL_MODE>{
> +<DBUS_MODE,SIGNAL_MODE,UNIX_MODE>{
>  	send		{ RETURN_TOKEN(TOK_SEND); }
>  	receive		{ RETURN_TOKEN(TOK_RECEIVE); }
>  }
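Review bot: adding UNIX_MODE to this start-condition list is all that is needed for the lexer to hand TOK_SEND and TOK_RECEIVE to unix rules, which covers `unix send,` and `unix receive,`, but nothing in the patch records that `unix server,` and `unix (server),` still fail to parse even though `server` appears in the quoted grammar; an expected-failure simple test for `unix server,` next to these PASS tests would keep that known gap visible until the grammar side is implemented.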
> Index: b/parser/tst/simple_tests/unix/ok_msg_11.sd
> ===================================================================
> --- /dev/null
> +++ b/parser/tst/simple_tests/unix/ok_msg_11.sd
> @@ -0,0 +1,7 @@
> +#
> +#=DESCRIPTION simple unix rule
> +#=EXRESULT PASS
> +
> +profile a_profile {
> +  unix,
> +}
> Index: b/parser/tst/simple_tests/unix/ok_msg_12.sd
> ===================================================================
> --- /dev/null
> +++ b/parser/tst/simple_tests/unix/ok_msg_12.sd
> @@ -0,0 +1,7 @@
> +#
> +#=DESCRIPTION simple unix send test
> +#=EXRESULT PASS
> +
> +profile a_profile {
> +  unix send,
> +}
> Index: b/parser/tst/simple_tests/unix/ok_msg_13.sd
> ===================================================================
> --- /dev/null
> +++ b/parser/tst/simple_tests/unix/ok_msg_13.sd
> @@ -0,0 +1,7 @@
> +#
> +#=DESCRIPTION simple unix msg test
> +#=EXRESULT PASS
> +
> +profile a_profile {
> +  unix receive,
> +}
> Index: b/parser/tst/simple_tests/unix/ok_create_1.sd
> ===================================================================
> --- /dev/null
> +++ b/parser/tst/simple_tests/unix/ok_create_1.sd
> @@ -0,0 +1,7 @@
> +#
> +#=DESCRIPTION simple unix create acceptance test
> +#=EXRESULT PASS
> +
> +profile a_profile {
> +  unix create,
> +}
> Index: b/parser/tst/simple_tests/unix/ok_create_2.sd
> ===================================================================
> --- /dev/null
> +++ b/parser/tst/simple_tests/unix/ok_create_2.sd
> @@ -0,0 +1,7 @@
> +#
> +#=DESCRIPTION simple unix create acceptance test
> +#=EXRESULT PASS
> +
> +profile a_profile {
> +  unix (create),
> +}
> Index: b/parser/tst/simple_tests/unix/ok_accept_1.sd
> ===================================================================
> --- /dev/null
> +++ b/parser/tst/simple_tests/unix/ok_accept_1.sd
> @@ -0,0 +1,7 @@
> +#
> +#=DESCRIPTION simple unix accept acceptance test
> +#=EXRESULT PASS
> +
> +profile a_profile {
> +  unix accept,
> +}
> Index: b/parser/tst/simple_tests/unix/ok_accept_2.sd
> ===================================================================
> --- /dev/null
> +++ b/parser/tst/simple_tests/unix/ok_accept_2.sd
> @@ -0,0 +1,7 @@
> +#
> +#=DESCRIPTION simple unix accept acceptance test
> +#=EXRESULT PASS
> +
> +profile a_profile {
> +  unix (accept),
> +}
> Index: b/parser/tst/simple_tests/unix/ok_bind_2.sd
> ===================================================================
> --- /dev/null
> +++ b/parser/tst/simple_tests/unix/ok_bind_2.sd
> @@ -0,0 +1,7 @@
> +#
> +#=DESCRIPTION simple unix bind acceptance test
> +#=EXRESULT PASS
> +
> +profile a_profile {
> +  unix bind,
> +}
> Index: b/parser/tst/simple_tests/unix/ok_bind_3.sd
> ===================================================================
> --- /dev/null
> +++ b/parser/tst/simple_tests/unix/ok_bind_3.sd
> @@ -0,0 +1,7 @@
> +#
> +#=DESCRIPTION simple unix bind acceptance test
> +#=EXRESULT PASS
> +
> +profile a_profile {
> +  unix (bind),
> +}
> Index: b/parser/tst/simple_tests/unix/ok_listen_1.sd
> ===================================================================
> --- /dev/null
> +++ b/parser/tst/simple_tests/unix/ok_listen_1.sd
> @@ -0,0 +1,7 @@
> +#
> +#=DESCRIPTION simple unix listen acceptance test
> +#=EXRESULT PASS
> +
> +profile a_profile {
> +  unix listen,
> +}
> Index: b/parser/tst/simple_tests/unix/ok_listen_2.sd
> ===================================================================
> --- /dev/null
> +++ b/parser/tst/simple_tests/unix/ok_listen_2.sd
> @@ -0,0 +1,7 @@
> +#
> +#=DESCRIPTION simple unix listen acceptance test
> +#=EXRESULT PASS
> +
> +profile a_profile {
> +  unix (listen),
> +}
> Index: b/parser/tst/simple_tests/unix/ok_attr_1.sd
> ===================================================================
> --- /dev/null
> +++ b/parser/tst/simple_tests/unix/ok_attr_1.sd
> @@ -0,0 +1,7 @@
> +#
> +#=DESCRIPTION simple unix getattr acceptance test
> +#=EXRESULT PASS
> +
> +profile a_profile {
> +  unix getattr,
> +}
> Index: b/parser/tst/simple_tests/unix/ok_attr_2.sd
> ===================================================================
> --- /dev/null
> +++ b/parser/tst/simple_tests/unix/ok_attr_2.sd
> @@ -0,0 +1,7 @@
> +#
> +#=DESCRIPTION simple unix getattr acceptance test
> +#=EXRESULT PASS
> +
> +profile a_profile {
> +  unix (getattr),
> +}
> Index: b/parser/tst/simple_tests/unix/ok_attr_3.sd
> ===================================================================
> --- /dev/null
> +++ b/parser/tst/simple_tests/unix/ok_attr_3.sd
> @@ -0,0 +1,7 @@
> +#
> +#=DESCRIPTION simple unix setattr acceptance test
> +#=EXRESULT PASS
> +
> +profile a_profile {
> +  unix setattr,
> +}
> Index: b/parser/tst/simple_tests/unix/ok_attr_4.sd
> ===================================================================
> --- /dev/null
> +++ b/parser/tst/simple_tests/unix/ok_attr_4.sd
> @@ -0,0 +1,7 @@
> +#
> +#=DESCRIPTION simple unix setattr acceptance test
> +#=EXRESULT PASS
> +
> +profile a_profile {
> +  unix (setattr),
> +}
> Index: b/parser/tst/simple_tests/unix/ok_connect_1.sd
> ===================================================================
> --- /dev/null
> +++ b/parser/tst/simple_tests/unix/ok_connect_1.sd
> @@ -0,0 +1,7 @@
> +#
> +#=DESCRIPTION simple unix connect acceptance test
> +#=EXRESULT PASS
> +
> +profile a_profile {
> +  unix connect,
> +}
> Index: b/parser/tst/simple_tests/unix/ok_connect_2.sd
> ===================================================================
> --- /dev/null
> +++ b/parser/tst/simple_tests/unix/ok_connect_2.sd
> @@ -0,0 +1,7 @@
> +#
> +#=DESCRIPTION simple unix connect acceptance test
> +#=EXRESULT PASS
> +
> +profile a_profile {
> +  unix (connect),
> +}
> Index: b/parser/tst/simple_tests/unix/ok_opt_1.sd
> ===================================================================
> --- /dev/null
> +++ b/parser/tst/simple_tests/unix/ok_opt_1.sd
> @@ -0,0 +1,7 @@
> +#
> +#=DESCRIPTION simple unix getopt acceptance test
> +#=EXRESULT PASS
> +
> +profile a_profile {
> +  unix getopt,
> +}
> Index: b/parser/tst/simple_tests/unix/ok_opt_2.sd
> ===================================================================
> --- /dev/null
> +++ b/parser/tst/simple_tests/unix/ok_opt_2.sd
> @@ -0,0 +1,7 @@
> +#
> +#=DESCRIPTION simple unix getopt acceptance test
> +#=EXRESULT PASS
> +
> +profile a_profile {
> +  unix (getopt),
> +}
> Index: b/parser/tst/simple_tests/unix/ok_opt_3.sd
> ===================================================================
> --- /dev/null
> +++ b/parser/tst/simple_tests/unix/ok_opt_3.sd
> @@ -0,0 +1,7 @@
> +#
> +#=DESCRIPTION simple unix setopt acceptance test
> +#=EXRESULT PASS
> +
> +profile a_profile {
> +  unix setopt,
> +}
> Index: b/parser/tst/simple_tests/unix/ok_opt_4.sd
> ===================================================================
> --- /dev/null
> +++ b/parser/tst/simple_tests/unix/ok_opt_4.sd
> @@ -0,0 +1,7 @@
> +#
> +#=DESCRIPTION simple unix setopt acceptance test
> +#=EXRESULT PASS
> +
> +profile a_profile {
> +  unix (setopt),
> +}
> Index: b/parser/tst/simple_tests/unix/ok_msg_14.sd
> ===================================================================
> --- /dev/null
> +++ b/parser/tst/simple_tests/unix/ok_msg_14.sd
> @@ -0,0 +1,7 @@
> +#
> +#=DESCRIPTION simple unix msg test
> +#=EXRESULT PASS
> +
> +profile a_profile {
> +  unix r,
> +}
> Index: b/parser/tst/simple_tests/unix/ok_msg_15.sd
> ===================================================================
> --- /dev/null
> +++ b/parser/tst/simple_tests/unix/ok_msg_15.sd
> @@ -0,0 +1,7 @@
> +#
> +#=DESCRIPTION simple unix msg test
> +#=EXRESULT PASS
> +
> +profile a_profile {
> +  unix (r),
> +}
> Index: b/parser/tst/simple_tests/unix/ok_msg_16.sd
> ===================================================================
> --- /dev/null
> +++ b/parser/tst/simple_tests/unix/ok_msg_16.sd
> @@ -0,0 +1,7 @@
> +#
> +#=DESCRIPTION simple unix msg test
> +#=EXRESULT PASS
> +
> +profile a_profile {
> +  unix w,
> +}
> Index: b/parser/tst/simple_tests/unix/ok_msg_17.sd
> ===================================================================
> --- /dev/null
> +++ b/parser/tst/simple_tests/unix/ok_msg_17.sd
> @@ -0,0 +1,7 @@
> +#
> +#=DESCRIPTION simple unix msg test
> +#=EXRESULT PASS
> +
> +profile a_profile {
> +  unix (w),
> +}
> Index: b/parser/tst/simple_tests/unix/ok_msg_18.sd
> ===================================================================
> --- /dev/null
> +++ b/parser/tst/simple_tests/unix/ok_msg_18.sd
> @@ -0,0 +1,7 @@
> +#
> +#=DESCRIPTION simple unix msg test
> +#=EXRESULT PASS
> +
> +profile a_profile {
> +  unix rw,
> +}
> Index: b/parser/tst/simple_tests/unix/ok_msg_19.sd
> ===================================================================
> --- /dev/null
> +++ b/parser/tst/simple_tests/unix/ok_msg_19.sd
> @@ -0,0 +1,7 @@
> +#
> +#=DESCRIPTION simple unix msg test
> +#=EXRESULT PASS
> +
> +profile a_profile {
> +  unix (rw),
> +}
> Index: b/parser/tst/simple_tests/unix/ok_shutdown_1.sd
> ===================================================================
> --- /dev/null
> +++ b/parser/tst/simple_tests/unix/ok_shutdown_1.sd
> @@ -0,0 +1,7 @@
> +#
> +#=DESCRIPTION simple unix shutdown acceptance test
> +#=EXRESULT PASS
> +
> +profile a_profile {
> +  unix shutdown,
> +}
> Index: b/parser/tst/simple_tests/unix/ok_shutdown_2.sd
> ===================================================================
> --- /dev/null
> +++ b/parser/tst/simple_tests/unix/ok_shutdown_2.sd
> @@ -0,0 +1,7 @@
> +#
> +#=DESCRIPTION simple unix shutdown acceptance test
> +#=EXRESULT PASS
> +
> +profile a_profile {
> +  unix (shutdown),
> +}


-- 
Jamie Strandboge                 http://www.ubuntu.com/
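As an added illustration of the af_unix access-expression grammar quoted in this thread (this is not code from the AppArmor parser or from anyone on the list), a small Python recogniser for the `[<qualifiers>] unix [<access expr>] ,` forms. It follows the quoted grammar rather than the parser's state at the time, so it accepts `unix server,`, which the thread says was left unimplemented; it assumes the rule carries no rule conds, local expr or peer expr, and the function names are assumptions of the example.

```python
import re

# Access keywords from the af_unix grammar quoted in this thread.
ACCESS = {"server", "create", "bind", "listen", "accept", "connect", "shutdown",
          "getattr", "setattr", "getopt", "setopt", "send", "receive", "r", "w", "rw"}

def tokenize(text):
    # Tokens are '(' ')' ',' and keywords; any other non-space character is an error.
    toks = re.findall(r"\(|\)|,|[A-Za-z_]+|\S", text)
    bad = [t for t in toks if t not in ("(", ")", ",") and not t.isidentifier()]
    if bad:
        raise ValueError(f"unexpected input: {bad[0]!r}")
    return toks

def parse_unix_rule(rule):
    """Parse '[audit] [allow|deny] unix [<access expr>] ,' into a dict, where
    <access expr> = <access> | '(' <access> ( [','] <WS> <access> )* ')'.
    Assumption: rule conds, local expr and peer expr are absent from the input."""
    toks, i = tokenize(rule), 0
    audit = toks[:1] == ["audit"]
    i += audit
    mode = "allow"
    if toks[i:i + 1] in (["allow"], ["deny"]):
        mode, i = toks[i], i + 1
    if toks[i:i + 1] != ["unix"]:
        raise ValueError("expected the 'unix' keyword")
    i, accesses = i + 1, []
    if toks[i:i + 1] == ["("]:
        i += 1
        while True:  # one or more accesses, optionally comma separated
            if i >= len(toks) or toks[i] not in ACCESS:
                raise ValueError(f"expected an access keyword, got {toks[i:i + 1]}")
            accesses.append(toks[i])
            i += 1
            if toks[i:i + 1] == [")"]:
                i += 1
                break
            if toks[i:i + 1] == [","]:
                i += 1  # separator: another access must follow
    elif i < len(toks) and toks[i] in ACCESS:
        accesses.append(toks[i])
        i += 1
    # No access expr at all is valid too (ok_msg_11 tests the bare 'unix,' rule).
    if toks[i:] != [","]:
        raise ValueError("rule must end with ',' and carry nothing after it")
    return {"audit": audit, "mode": mode, "accesses": accesses}

def accepted_by_patched_parser(rule):
    # Everything the grammar allows except 'server', which the thread leaves for later.
    return "server" not in parse_unix_rule(rule)["accesses"]
```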
