[apparmor] [patch 15/12] v3 unix socket rules

Jamie Strandboge jamie at canonical.com
Sun Aug 31 21:06:29 UTC 2014


On 08/30/2014 09:19 PM, John Johansen wrote:
> fix output of listen and setopts commands
> 
> The listen and setopts commands have broken encodings because the
> tmp stream they use to handle diverging from the other commands
> does not set its write position to the end of the copied data.
> Instead the write head is set to the beginning so that when the
> new data for the command is written it overwrites the beginning of
> the command instead of appending to it.
> 
So, before this patch, I was seeing denials like this:
  apparmor="DENIED" operation="setsockopt" profile="/usr/sbin/cupsd" pid=4283
  comm="cupsd" family="unix" sock_type="stream" protocol=0
  requested_mask="setopt" denied_mask="setopt" peer_name=none

Yet none of this policy would make the denial go away:
  unix (setopt) type=stream peer=(addr=none),
  unix (setopt) type=stream,
  unix (setopt),

Does this patch fix that?

Also, I had a similar problem with getopt. E.g., I saw denials like this:
  apparmor="DENIED" operation="getsockopt"
  profile="/usr/lib/thunderbird/thunderbird{,*[^s][^h]}" pid=3798
  comm="threaded-ml" family="unix" sock_type="stream" protocol=0
  requested_mask="getopt" denied_mask="getopt" peer_name=none

Yet this policy didn't make it go away:
  unix (getopt) type=stream peer=(addr=none),

(I even tried 'unix (getopt) type=stream addr=none,' for giggles even though it
shouldn't have worked, and it correctly didn't :).

I'm guessing that the getopt issue I saw is not addressed in this patch?

Thanks for working on this! :)


> Signed-off-by: John Johansen <john.johansen at canonical.com>
> 
> ---
> 
> === modified file 'parser/af_unix.cc'
> --- parser/af_unix.cc	2014-08-30 05:32:14 +0000
> +++ parser/af_unix.cc	2014-08-31 02:09:00 +0000
> @@ -316,7 +312,7 @@
>   */
>  int unix_rule::gen_policy_re(Profile &prof)
>  {
> -	std::ostringstream buffer, tmp;
> +	std::ostringstream buffer;
>  	std::string buf;
>  
>  	int mask = mode;
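Review bot: dropping `tmp` from the function-scope declaration is the right fix, since reseeding a reused stream with `tmp.str(buffer.str())` leaves its put position at offset 0, but the commit message should state that in one sentence so the reason for block-scoping is recorded. The hunk header (`-316,7 +312,7`) also shows this diff was generated on top of earlier changes to `parser/af_unix.cc` from the series, so please say which patches it depends on.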
> @@ -371,7 +367,8 @@
>  		}
>  
>  		if (mask & AA_NET_LISTEN) {
> -			tmp.str(buffer.str());
> +			std::ostringstream tmp(buffer.str());
> +			tmp.seekp(0, ios_base::end);
>  			tmp << "\\x" << std::setfill('0') << std::setw(2) << std::hex << CMD_LISTEN;
>  			/* TODO: backlog conditional: for now match anything*/
>  			tmp << "..";
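Review bot: `ios_base::end` is unqualified while the stream type on the line above is spelled `std::ostringstream`; unless a `using namespace std` is in scope this will not compile, and either way `std::ios_base::end` keeps the two lines consistent. The constructor-plus-seek pair can also collapse to a single line, `std::ostringstream tmp(buffer.str(), std::ios_base::out | std::ios_base::ate);`, which opens the stream with its put position already at the end of the seeded prefix.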
> @@ -383,7 +380,8 @@
>  				goto fail;
>  		}
>  		if (mask & AA_NET_OPT) {
> -			tmp.str(buffer.str());
> +			std::ostringstream tmp(buffer.str());
> +			tmp.seekp(0, ios_base::end);
>  			tmp << "\\x" << std::setfill('0') << std::setw(2) << std::hex << CMD_OPT;
>  			/* TODO: sockopt conditional: for now match anything */
>  			tmp << "..";
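Review bot: this is the same seed-and-seek idiom as the listen branch; with `tmp` now block-scoped in both branches, confirm the `fail:` label sits outside both blocks, since the `goto fail` in the context above leaves a scope holding a live `std::ostringstream` (fine) but a jump into such a scope past its initialization would be ill-formed. A small helper that returns the seeded stream would let both branches share one line and avoid repeating the qualification fix in two places.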
> 
> 
> 


-- 
Jamie Strandboge                 http://www.ubuntu.com/
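The put-position behaviour John's commit message describes, shown as an added example that is not part of the thread or of the apparmor parser: the pre-patch idiom of reseeding one `std::ostringstream` with `str()` and writing into it, beside the patch's constructor-plus-`seekp` form and the equivalent `std::ios_base::ate` open mode. The prefix string, the `CMD_EXAMPLE` value and the `append_cmd` helper are constructed for the example and are not the parser's own names.

```cpp
#include <iomanip>
#include <ios>
#include <iostream>
#include <sstream>
#include <string>

// Hypothetical command value standing in for CMD_LISTEN / CMD_OPT.
static const int CMD_EXAMPLE = 0x0a;

// Append one command byte in the same "\\xNN" escape form the patch emits,
// followed by the ".." wildcard used while the conditional is unimplemented.
static void append_cmd(std::ostringstream &tmp, int cmd)
{
    tmp << "\\x" << std::setfill('0') << std::setw(2) << std::hex << cmd;
    tmp << "..";
}

// Pre-patch idiom: reuse one stream and reseed it with str(). For an output
// stringstream without the ate flag, str() resets the put position to 0, so
// the command bytes overwrite the start of the copied prefix.
std::string encode_reused(const std::string &prefix)
{
    std::ostringstream tmp;
    tmp.str(prefix);
    append_cmd(tmp, CMD_EXAMPLE);
    return tmp.str();
}

// The patch's form: a fresh stream seeded through the constructor, then the
// put head moved explicitly to the end before appending.
std::string encode_seekp(const std::string &prefix)
{
    std::ostringstream tmp(prefix);
    tmp.seekp(0, std::ios_base::end);
    append_cmd(tmp, CMD_EXAMPLE);
    return tmp.str();
}

// Equivalent one-liner: the ate ("at end") open mode positions the put head
// after the seeded content at construction time, so no seekp is needed.
std::string encode_ate(const std::string &prefix)
{
    std::ostringstream tmp(prefix, std::ios_base::out | std::ios_base::ate);
    append_cmd(tmp, CMD_EXAMPLE);
    return tmp.str();
}

int main()
{
    const std::string prefix = "PREFIX--";  // constructed stand-in for buffer.str()
    std::cout << "reused : " << encode_reused(prefix) << "\n"
              << "seekp  : " << encode_seekp(prefix) << "\n"
              << "ate    : " << encode_ate(prefix) << "\n";
    return 0;
}
```

With the reused stream the output begins with the command escape and only the tail of the prefix survives, which is the broken encoding the commit message refers to; the other two forms yield the prefix followed by the command bytes.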
