[apparmor] [patch 14/12] v3 unix socket rules

Seth Arnold seth.arnold at canonical.com
Sat Aug 30 05:59:54 UTC 2014


On Fri, Aug 29, 2014 at 10:45:59PM -0700, John Johansen wrote:
> On 08/29/2014 12:40 PM, John Johansen wrote:
> > This changes/fixes the encoding for unix socket rules.
> > 
> > The changes look larger than they are because it refactors the code, instead
> > of duplicating.
> > 
> > The major changes are:
> > - it changes where the accept perm is stored
> > - it moves anyone_match_pattern to default_match_pattern
> > - it fixes the layout of the local addr only being written when local perms
> >   are present
> 
> Fix to allow specifying the unix perm with peer perms. This is allowed now
> and even supported, since for unix sockets the peer accept is mediated in
> the unix_stream_connect hook (something that is not possible in the
> lsm accept hook).

Acked-by: Seth Arnold <seth.arnold at canonical.com>

Heh, "yes", "yes we do want to loosen this" :)

Thanks

> 
> ---
> 
> === modified file 'parser/af_unix.cc'
> --- parser/af_unix.cc	2014-08-30 05:32:14 +0000
> +++ parser/af_unix.cc	2014-08-30 05:34:21 +0000
> @@ -123,10 +123,6 @@
>  			 ((mode & AA_PEER_NET_PERMS) || has_peer_conds()))
>  			/* Do we want to loosen this? */
>  			yyerror("unix socket 'listen' access cannot be used with message rule conditionals\n");
> -		else if ((mode & AA_NET_ACCEPT) &&
> -			 ((mode & AA_PEER_NET_PERMS) || has_peer_conds()))
> -			/* Do we want to loosen this? */
> -			yyerror("unix socket 'accept' access cannot be used with message rule conditionals\n");
>  	} else {
>  		mode = AA_VALID_NET_PERMS;
>  	}
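Review bot: with the 'accept' check deleted, the identical "Do we want to loosen this?" comment left on the 'listen' branch just above (the first three context lines of the hunk) is now stale; it should either be resolved the same way or be replaced by a comment explaining why 'listen' must still reject peer perms and peer conditionals while 'accept' no longer does (the cover text says accept is mediated in unix_stream_connect, which is the reasoning worth recording next to the remaining yyerror). Nothing in the hunk updates the parser tests or the documented rule grammar for the newly permitted 'accept' plus peer-conditional combination, so a simple test case that previously failed with the removed yyerror message and now parses would be worth adding alongside this change.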
> 
> 
> -- 
> AppArmor mailing list
> AppArmor at lists.ubuntu.com
> Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
> 