[apparmor] [patch 02/12] parser: Add support for unix domain socket rules.

Steve Beattie steve at nxnw.org
Wed Aug 27 21:22:00 UTC 2014


On Wed, Aug 27, 2014 at 04:03:55PM -0500, Jamie Strandboge wrote:
> On 08/27/2014 02:56 PM, Steve Beattie wrote:
> > On Mon, Aug 25, 2014 at 05:06:07PM -0700, john.johansen at canonical.com wrote:
> >> This patch implements parsing of fine grained mediation for unix domain
> >> sockets, that have abstract and anonymous paths. Sockets with file
> >> system paths are handled by regular file access rules.
> >>
> >> the unix network rules follow the general fine grained network
> >> rule pattern of
> >>
> >>   [<qualifiers>] af_name [<access expr>] [<rule conds>] [<local expr>] [<peer expr>]
> >>
> >> specifically for af_unix this is
> >>
> >>   [<qualifiers>] 'unix' [<access expr>] [<rule conds>] [<local expr>] [<peer expr>]
> >>
> >>   <qualifiers> = [ 'audit' ] [ 'allow' | 'deny' ]
> >>
> >>   <access expr> = ( <access> | <access list> )
> >>
> >>   <access> = ( 'server' | 'create' | 'bind' | 'listen' | 'accept' |
> >>                'connect' | 'shutdown' | 'getattr' | 'setattr' |
> >>                'getopt' | 'setopt' |
> >>                'send' | 'receive' | 'r' | 'w' | 'rw' )
> >>   (some access modes are incompatible with some rules or require additional
> >>    parameters)
> >>
> >>   <access list> = '(' <access> ( [','] <WS> <access> )* ')' 
> > 
> > So I'm testing a bit with this patch and it seems that the patch doesn't
> > implement this exactly. Currently, the parser does not accept the following:
> > 
> >   unix send,
> >   unix receive,
> >   unix server,
> >   unix (server),
> > 
> > Implementing the latter two requires a bit of complexity that I wasn't
> > prepared to tackle at this moment. The following patch adds support
> > for the first two, as well as adding a bunch more simple acceptance
> > tests for the various access keywords.
> > 
> > Signed-off-by: Steve Beattie <steve at nxnw.org>
> 
> Note, 'server' isn't documented in the man page either. Perhaps we can add
> 'server' later?

Yes. At least on my priority list, it's pretty low. A nice-to-have
feature, but not critical.

-- 
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/
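Added example (not part of the thread and not the AppArmor parser itself): a small Python checker for the af_unix rule grammar quoted above. It models only the `<qualifiers>`, the `unix` keyword and the `<access expr>` (bare `<access>` or parenthesised `<access list>` with optional commas); the `<rule conds>`, `<local expr>` and `<peer expr>` parts are not defined in the quoted text, so anything between the access expression and the closing `,` is returned unparsed. `NOT_YET_IMPLEMENTED` encodes the state Steve describes after his follow-up patch: `send` and `receive` are accepted, `server` (bare or in a list) still is not. The function names and the four sample rules are this example's own choices; the sample rules are the ones listed in the quoted message.

```python
"""Added example: checker for the af_unix rule syntax quoted in the thread.

Not the AppArmor parser.  Models only the qualifier, 'unix' keyword and
access-expression parts of the grammar; everything after them up to the
closing ',' is returned unparsed as rule conditions.
"""
import re

# <access> alternatives, copied from the grammar quoted in the thread.
ACCESS_KEYWORDS = frozenset({
    "server", "create", "bind", "listen", "accept", "connect", "shutdown",
    "getattr", "setattr", "getopt", "setopt", "send", "receive",
    "r", "w", "rw",
})

# Per the thread: after the follow-up patch, 'send' and 'receive' parse,
# but 'server' (bare or in an access list) is still not accepted.
NOT_YET_IMPLEMENTED = frozenset({"server"})

_TOKEN_RE = re.compile(r"\(|\)|,|[^\s(),]+")


def tokenize(rule):
    """Split a rule into words, parentheses and commas."""
    return _TOKEN_RE.findall(rule)


def _expect_access(toks, pos):
    """Return the access keyword at toks[pos], or raise if absent/unknown."""
    if pos >= len(toks):
        raise ValueError("unterminated access list")
    tok = toks[pos]
    if tok not in ACCESS_KEYWORDS:
        raise ValueError(f"unknown access keyword {tok!r}")
    return tok


def parse_unix_rule(rule):
    """Parse '[<qualifiers>] unix [<access expr>] ... ,' per the quoted grammar.

    Returns a dict with 'audit', 'mode', 'accesses' and 'rest' (tokens left
    before the trailing ',', i.e. rule conds / local / peer expressions, which
    this example does not model).  Raises ValueError on malformed input.
    """
    toks = tokenize(rule)
    if not toks or toks[-1] != ",":
        raise ValueError("rule must end with ','")
    pos = 0
    audit = False
    mode = "allow"  # default when neither 'allow' nor 'deny' is given
    if toks[pos] == "audit":
        audit = True
        pos += 1
    if pos < len(toks) and toks[pos] in ("allow", "deny"):
        mode = toks[pos]
        pos += 1
    if pos >= len(toks) or toks[pos] != "unix":
        raise ValueError("expected 'unix' keyword")
    pos += 1

    accesses = []
    if pos < len(toks) and toks[pos] == "(":
        # <access list> = '(' <access> ( [','] <WS> <access> )* ')'
        pos += 1
        accesses.append(_expect_access(toks, pos))
        pos += 1
        while pos < len(toks) and toks[pos] != ")":
            if toks[pos] == ",":  # optional separator, must precede an access
                pos += 1
            accesses.append(_expect_access(toks, pos))
            pos += 1
        if pos >= len(toks):
            raise ValueError("unterminated access list")
        pos += 1  # consume ')'
    elif pos < len(toks) and toks[pos] in ACCESS_KEYWORDS:
        # single bare <access>, e.g. 'unix send,'
        accesses.append(toks[pos])
        pos += 1

    return {"audit": audit, "mode": mode, "accesses": accesses,
            "rest": toks[pos:-1]}


def check_rule(rule):
    """Return (parsed rule, grammar-valid accesses the parser did not yet take)."""
    parsed = parse_unix_rule(rule)
    pending = [a for a in parsed["accesses"] if a in NOT_YET_IMPLEMENTED]
    return parsed, pending


if __name__ == "__main__":
    # The four forms the quoted message lists as rejected by the original patch.
    for rule in ("unix send,", "unix receive,", "unix server,", "unix (server),"):
        parsed, pending = check_rule(rule)
        status = "still unimplemented: " + ", ".join(pending) if pending else "ok"
        print(f"{rule:18} accesses={parsed['accesses']} -> {status}")
```

Running the script lists the four rules from the thread: the first two check out, the two `server` forms parse against the grammar but are flagged as not yet implemented. Because the grammar's `<access list>` makes the comma optional, `unix (bind listen accept),` and `unix (bind, listen, accept),` are both accepted, while a trailing or leading comma inside the parentheses is rejected.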