[apparmor] [patch 16/12] v3 unix socket rules

John Johansen john.johansen at canonical.com
Sun Aug 31 17:20:29 UTC 2014


 Fix: rejecting of unix rules with listen or bind permissions

Only reject rules with explicit listen or bind permissions if a peer
conditional is specified.

Signed-off-by: John Johansen <john.johansen at canonical.com>

---

=== modified file 'parser/af_unix.cc'
--- parser/af_unix.cc	2014-08-31 02:13:35 +0000
+++ parser/af_unix.cc	2014-08-31 17:15:54 +0000
@@ -115,12 +115,10 @@
 		mode = mode_p;
 		if (mode & ~AA_VALID_NET_PERMS)
 			yyerror("mode contains invalid permissions for unix socket rules\n");
-		else if ((mode & AA_NET_BIND) &&
-			 ((mode & AA_PEER_NET_PERMS) || has_peer_conds()))
+		else if ((mode & AA_NET_BIND) && has_peer_conds())
 			/* Do we want to loosen this? */
 			yyerror("unix socket 'bind' access cannot be used with message rule conditionals\n");
-		else if ((mode & AA_NET_LISTEN) &&
-			 ((mode & AA_PEER_NET_PERMS) || has_peer_conds()))
+		else if ((mode & AA_NET_LISTEN) && has_peer_conds())
 			/* Do we want to loosen this? */
 			yyerror("unix socket 'listen' access cannot be used with message rule conditionals\n");
 	} else {
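Review bot: the `/* Do we want to loosen this? */` comments on both branches are stale after this change, since dropping the `AA_PEER_NET_PERMS` half of each condition is exactly that loosening; either remove them or restate what is still rejected (bind/listen combined with peer conditionals). The two branches are now identical apart from the permission bit, so they could be folded into one test on `mode & (AA_NET_BIND | AA_NET_LISTEN)` with the message naming whichever bit is set, which keeps the two messages from drifting. Since a rule carrying bind or listen together with a peer permission but no peer conditional flips from rejected to accepted here, a parser test covering that combination would pin the new behaviour down.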
