[apparmor] [patch 16/12] v3 unix socket rules

Seth Arnold seth.arnold at canonical.com
Tue Sep 2 23:18:40 UTC 2014


On Sun, Aug 31, 2014 at 10:20:29AM -0700, John Johansen wrote:
>  Fix: rejecting of unix rules with listen or bind permissions
> 
> Only reject rules with explicit listen or bind permissions if a peer
> conditional is specified.

With this change, do we want to put AA_NET_ACCEPT back in this check?

> 
> Signed-off-by: John Johansen <john.johansen at canonical.com>

Acked-by: Seth Arnold <seth.arnold at canonical.com>

Thanks

> 
> ---
> 
> === modified file 'parser/af_unix.cc'
> --- parser/af_unix.cc	2014-08-31 02:13:35 +0000
> +++ parser/af_unix.cc	2014-08-31 17:15:54 +0000
> @@ -115,12 +115,10 @@
>  		mode = mode_p;
>  		if (mode & ~AA_VALID_NET_PERMS)
>  			yyerror("mode contains invalid permissions for unix socket rules\n");
> -		else if ((mode & AA_NET_BIND) &&
> -			 ((mode & AA_PEER_NET_PERMS) || has_peer_conds()))
> +		else if ((mode & AA_NET_BIND) && has_peer_conds())
>  			/* Do we want to loosen this? */
>  			yyerror("unix socket 'bind' access cannot be used with message rule conditionals\n");
> -		else if ((mode & AA_NET_LISTEN) &&
> -			 ((mode & AA_PEER_NET_PERMS) || has_peer_conds()))
> +		else if ((mode & AA_NET_LISTEN) && has_peer_conds())
>  			/* Do we want to loosen this? */
>  			yyerror("unix socket 'listen' access cannot be used with message rule conditionals\n");
>  	} else {
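Review bot: The two `/* Do we want to loosen this? */` comments above the `yyerror` calls are now stale, since this hunk is the loosening: the `(mode & AA_PEER_NET_PERMS)` half of each condition is dropped, so only `has_peer_conds()` still triggers the rejection. Either remove both comments or reword them to state what remains intentionally rejected (bind/listen combined with peer conditionals). Also, the bind and listen branches are now structurally identical apart from the permission bit and the message; if a separate message per permission is not required, `(mode & (AA_NET_BIND | AA_NET_LISTEN)) && has_peer_conds()` with one message would keep the check in a single place, which also makes it easier to answer the AA_NET_ACCEPT question raised above consistently for all three.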