[apparmor] [PATCH] parser: Sync parser and man page regarding local and peer perms

Tyler Hicks tyhicks at canonical.com
Mon Sep 15 19:55:39 UTC 2014


This patch updates the parser code to reject rules that contain local
socket permissions and peer conditional elements. The error message for
that condition is also corrected to resolve a copy and paste mistake
from the D-Bus rule parsing code.

The patch also updates the man page to correctly describe the two sets
of socket permissions and fixes an example rule that resulted in a
parser error after the change described above.

Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
---
 parser/af_unix.cc     |  8 ++------
 parser/apparmor.d.pod | 17 +++++++++--------
 2 files changed, 11 insertions(+), 14 deletions(-)

diff --git a/parser/af_unix.cc b/parser/af_unix.cc
index 5fac6c7..55549c7 100644
--- a/parser/af_unix.cc
+++ b/parser/af_unix.cc
@@ -115,12 +115,8 @@ unix_rule::unix_rule(int mode_p, struct cond_entry *conds,
 		mode = mode_p;
 		if (mode & ~AA_VALID_NET_PERMS)
 			yyerror("mode contains invalid permissions for unix socket rules\n");
-		else if ((mode & AA_NET_BIND) && has_peer_conds())
-			/* Do we want to loosen this? */
-			yyerror("unix socket 'bind' access cannot be used with message rule conditionals\n");
-		else if ((mode & AA_NET_LISTEN) && has_peer_conds())
-			/* Do we want to loosen this? */
-			yyerror("unix socket 'listen' access cannot be used with message rule conditionals\n");
+		else if ((mode & ~AA_PEER_NET_PERMS) && has_peer_conds())
+			yyerror("unix socket 'create', 'shutdown', 'setattr', 'getattr', 'bind', 'listen', 'setopt', and/or 'getopt' accesses cannot be used with peer socket conditionals\n");
 	} else {
 		mode = AA_VALID_NET_PERMS;
 	}
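Review bot: the new error string hard-codes the eight access names that `~AA_PEER_NET_PERMS` is expected to exclude, so the message will silently drift if that mask is ever changed; either add a comment beside the `AA_PEER_NET_PERMS` definition saying this string must be kept in sync, or shorten it to something like `unix socket local accesses cannot be used with peer socket conditionals`. Also, the two removed `/* Do we want to loosen this? */` comments are dropped without recording an answer; a one-line comment above the new `else if` stating that local-only permissions are rejected together with peer conditionals by design would keep that decision visible.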
diff --git a/parser/apparmor.d.pod b/parser/apparmor.d.pod
index 9cf136d..1590892 100644
--- a/parser/apparmor.d.pod
+++ b/parser/apparmor.d.pod
@@ -935,15 +935,16 @@ state an access list. By default if a rule does not have an access list
 all permissions that are compatible with the specified set of local
 and peer conditionals are implied.
 
-The create, bind, listen, shutdown, getattr, setattr permissions are
-applied to the local socket. The accept, connect, send, receive permissions
-apply to the combination of a local and peer. Currently it is required that
-create, bind, listen, shutdown, getattr, and settr permission are only
-specified in rules that do not have a peer component.
+The create, bind, listen, shutdown, getattr, setattr, getopt, and setopt
+permissions are applied to the local socket. The accept permission
+applies to the combination of a local and peer socket. It is required
+that create, bind, listen, shutdown, getattr, setattr, getopt, and
+setopt permissions are only specified in rules that do not have a peer
+component.
 
 If a rule is specified with a peer component it will only imply accept
-(stream), connect (stream), listen, receive and send. It will not imply the
-create, bind, listen, shutdown, getattr, or setattr permissions.
+(stream), connect (stream), receive and send. It will not imply the create,
+bind, listen, shutdown, getattr, setattr, getopt, or setopt permissions.
 
 =head3 Example Unix domain socket rules:
 
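Review bot: the rewritten first paragraph now says only `accept` applies to the combination of a local and peer socket, but the paragraph right after it still states that a rule with a peer component implies accept, connect, receive and send, and the text being replaced also listed connect, send and receive as local-plus-peer permissions. Unless connect, send and receive have deliberately been reclassified, restore them so the two paragraphs agree: `The accept, connect, send, and receive permissions apply to the combination of a local and peer socket.`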
@@ -963,7 +964,7 @@ create, bind, listen, shutdown, getattr, or setattr permissions.
   unix (receive) peer=(label=unconfined),
 
   # Allow getattr and shutdown on anonymous sockets
-  unix (getattr, shutdown) peer=(addr=none),
+  unix (getattr, shutdown) addr=none,
 
   # Allow SOCK_STREAM connect, receive and send on an abstract socket @bar
   # with peer running under profile '/foo'
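Review bot: with the conditional moved from `peer=(addr=none)` to `addr=none`, this rule now constrains the local socket rather than the peer, so the comment should say so, e.g. `# Allow getattr and shutdown on anonymous local sockets`; as written, a reader could still take `addr=none` for a peer restriction, which is exactly the combination the parser change in this series rejects.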
-- 
2.1.0
