[apparmor] [patch 19/21] Add the ability to mediate signals.
Seth Arnold
seth.arnold at canonical.com
Sat Mar 22 00:48:54 UTC 2014
On Mon, Mar 17, 2014 at 04:29:29PM -0700, john.johansen at canonical.com wrote:
> Add signal rules and make sure the parser encodes support for them
> if the supported feature set reports supporting them.
>
> The current format of the signal rule is
>
> [audit] [deny] signal [<signal_perms>] [<signal_set>] <target_profile>,
>
> signal_perm := 'send'|'receive'|'r'|'w'|'rw'
> signal_perms := <signal_perm> | '(' <signal_perm> ([,]<signal_perm>)* ')'
> signal := ("hup"|"int"|"quit"|"ill"|"trap"|"abrt"|"bus"|"fpe"|"kill"|
> "usr1"|"segv"|"usr2"|"pipe"|"alrm"|"term"|"tkflt"|"chld"|
Note that the signal you've got in here as "tkflt" should actually be
"stkflt" here and throughout the code.
> "cont"|"stop"|"stp"|"ttin"|"ttou"|"urg"|"xcpu"|"xfsz"|"vtalrm"|
> "prof"|"winch"|"io"|"pwr"|"sys"|"emt"|"exists")
> signal_set := set=<signal> | '(' <signal> ([,]<signal>)* ')'
>
>
> it does not currently follow the peer=() format, and there is some question
> as to whether it should or not. Input welcome.
The peer=() stuff would feel so useless on these rules. I won't whine if
we don't do it, there's no "local" interfaces that could logically have
the same names, unlike dbus or networking.
> +rules: rules opt_prefix signal_rule
> + {
> + if ($2.owner)
> + yyerror(_("owner prefix not allowed on signal rules"));
> + if ($2.deny && $2.audit) {
> + $3->deny = 1;
> + } else if ($2.deny) {
> + $3->deny = 1;
> + $3->audit = $3->mode;
> + } else if ($2.audit) {
> + $3->audit = $3->mode;
> + }
> + $1->rule_ents.push_back($3);
> + $$ = $1;
> + }
Why not support 'owner'? Granted it'd only make sense for root processes
and it is almost redundant with capability kill, but it seems like it
could be useful for someone.
> +void signal_rule::move_conditionals(struct cond_entry *conds)
> +{
> + struct cond_entry *cond_ent;
> +
> + list_for_each(conds, cond_ent) {
> + /* for now disallow keyword 'in' (list) */
> + if (!cond_ent->eq)
> + yyerror("keyword \"in\" is not allowed in signal rules\n");
> + /* use alternation instead????
> + * set=(kill,usr1) vs. set={kill,usr1}
Hrm. Dunno. Sorry.
> +int signal_rule::gen_policy_re(Profile &prof)
> +{
> + std::ostringstream buffer;
> + std::string buf;
> +
> + pattern_t ptype;
> + int pos;
> +
> + /* Currently do not generate the rules if the kernel doesn't support
> + * it. We may want to switch this so that a compile could be
> + * used for full support on kernels that don't support the feature
> + */
> + if (!kernel_supports_signal) {
> + warn_once(prof.name);
> + return RULE_NOT_SUPPORTED;
> + }
> +
> + if (signals.size() == 0) {
> + /* not conditional on signal set, so will generate a label
> + * rule as well
> + */
> + buffer << "(" << "\\x" << std::setfill('0') << std::setw(2) << std::hex << AA_CLASS_LABEL << "\\x" << AA_CLASS_SIGNAL << "|";
> + }
Why the AA_CLASS_LABEL here?
Thanks
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 490 bytes
Desc: Digital signature
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20140321/66ed2016/attachment.pgp>
More information about the AppArmor
mailing list