[apparmor] [patch 14/12] v3 unix socket rules
John Johansen
john.johansen at canonical.com
Sat Aug 30 05:45:59 UTC 2014
On 08/29/2014 12:40 PM, John Johansen wrote:
> This changes/fixes the encoding for unix socket rules.
>
> The changes look larger than they are because it refactors the code, instead
> of duplicating.
>
> The major changes are:
> - it changes where the accept perm is stored
> - it moves anyone_match_pattern to default_match_pattern
> - it fixes the layout of the local addr only being written when local perms
> are present
Fix to allow specifying the unix perm with peer perms. This is allowed now
and even supported, since for unix sockets the peer accept is mediated in
the unix_stream_connect hook (something that is not possible in the
lsm accept hook).
---
=== modified file 'parser/af_unix.cc'
--- parser/af_unix.cc 2014-08-30 05:32:14 +0000
+++ parser/af_unix.cc 2014-08-30 05:34:21 +0000
@@ -123,10 +123,6 @@
((mode & AA_PEER_NET_PERMS) || has_peer_conds()))
/* Do we want to loosen this? */
yyerror("unix socket 'listen' access cannot be used with message rule conditionals\n");
- else if ((mode & AA_NET_ACCEPT) &&
- ((mode & AA_PEER_NET_PERMS) || has_peer_conds()))
- /* Do we want to loosen this? */
- yyerror("unix socket 'accept' access cannot be used with message rule conditionals\n");
} else {
mode = AA_VALID_NET_PERMS;
}
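Review bot: Dropping the 'accept' rejection is consistent with the explanation that peer accept is mediated in unix_stream_connect, but the hunk does not touch the parser test suite, so nothing locks in that an accept rule combined with peer perms or peer conditionals now parses; a small positive test case alongside the existing af_unix parser tests would cover that. The 'listen' branch left in place directly above still carries the same "Do we want to loosen this?" comment, so the message should say why listen remains rejected with message rule conditionals while accept is loosened, or that comment should be updated to reflect the decision.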