[apparmor] [PATCH v2] parser: Sync parser and man page regarding local and peer perms

Tyler Hicks tyhicks at canonical.com
Thu Sep 18 15:15:26 UTC 2014


This patch updates the parser code to reject rules that contain local
socket permissions and peer conditional elements. The error message for
that condition is also corrected to resolve a copy and paste mistake
from the D-Bus rule parsing code.

The patch also updates the man page to correctly describe the two sets
of socket permissions and fixes an example rule that resulted in a
parser error after the change described above.

Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
---

* Changes from v1
  - Rewrote the blurb in apparmor.d.pod
    + Define the 3 sets of permissions (local, peer, and combination) to start
      so that they can be referred to by the set name instead of repeatedly
      listing the permissions
    + Attempt to make two paragraphs more concise

 parser/af_unix.cc     |  8 ++------
 parser/apparmor.d.pod | 17 ++++++++---------
 2 files changed, 10 insertions(+), 15 deletions(-)

diff --git a/parser/af_unix.cc b/parser/af_unix.cc
index 5fac6c7..55549c7 100644
--- a/parser/af_unix.cc
+++ b/parser/af_unix.cc
@@ -115,12 +115,8 @@ unix_rule::unix_rule(int mode_p, struct cond_entry *conds,
 		mode = mode_p;
 		if (mode & ~AA_VALID_NET_PERMS)
 			yyerror("mode contains invalid permissions for unix socket rules\n");
-		else if ((mode & AA_NET_BIND) && has_peer_conds())
-			/* Do we want to loosen this? */
-			yyerror("unix socket 'bind' access cannot be used with message rule conditionals\n");
-		else if ((mode & AA_NET_LISTEN) && has_peer_conds())
-			/* Do we want to loosen this? */
-			yyerror("unix socket 'listen' access cannot be used with message rule conditionals\n");
+		else if ((mode & ~AA_PEER_NET_PERMS) && has_peer_conds())
+			yyerror("unix socket 'create', 'shutdown', 'setattr', 'getattr', 'bind', 'listen', 'setopt', and/or 'getopt' accesses cannot be used with peer socket conditionals\n");
 	} else {
 		mode = AA_VALID_NET_PERMS;
 	}
diff --git a/parser/apparmor.d.pod b/parser/apparmor.d.pod
index 9cf136d..d960f68 100644
--- a/parser/apparmor.d.pod
+++ b/parser/apparmor.d.pod
@@ -935,15 +935,14 @@ state an access list. By default if a rule does not have an access list
 all permissions that are compatible with the specified set of local
 and peer conditionals are implied.
 
-The create, bind, listen, shutdown, getattr, setattr permissions are
-applied to the local socket. The accept, connect, send, receive permissions
-apply to the combination of a local and peer. Currently it is required that
-create, bind, listen, shutdown, getattr, and settr permission are only
-specified in rules that do not have a peer component.
+The create, bind, listen, shutdown, getattr, setattr, getopt, and setopt
+permissions are local socket permissions. They are only applied to the local
+socket and can't be specified in rules that have a peer component. The accept
+permission applies to the combination of a local and peer socket. The connect,
+send, and receive permissions are peer socket permissions.
 
-If a rule is specified with a peer component it will only imply accept
-(stream), connect (stream), listen, receive and send. It will not imply the
-create, bind, listen, shutdown, getattr, or setattr permissions.
+Only the peer socket permissions will be applied to rules that don't specify
+permissions and contain a peer component.
 
 =head3 Example Unix domain socket rules:
 
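Review bot: the rewritten paragraphs leave the status of accept ambiguous. The first new paragraph makes accept its own category ("applies to the combination of a local and peer socket"), neither local nor peer, yet the sentence that replaces "it will only imply accept (stream), connect (stream), listen, receive and send" now reads "Only the peer socket permissions will be applied", which by the definitions just given excludes accept, whereas the removed text explicitly implied it. Please state both whether accept may be combined with peer conditionals (the parser hunk's error list omits it, so presumably yes) and whether an access-list-free rule with a peer component implies it, for example by adding to the accept sentence: "It may be specified in rules with a peer component and is implied together with the peer socket permissions." if that is the intended behaviour.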
@@ -963,7 +962,7 @@ create, bind, listen, shutdown, getattr, or setattr permissions.
   unix (receive) peer=(label=unconfined),
 
   # Allow getattr and shutdown on anonymous sockets
-  unix (getattr, shutdown) peer=(addr=none),
+  unix (getattr, shutdown) addr=none,
 
   # Allow SOCK_STREAM connect, receive and send on an abstract socket @bar
   # with peer running under profile '/foo'
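Review bot: the comment above the changed example still reads "Allow getattr and shutdown on anonymous sockets" and does not say that addr=none now describes the local socket rather than a peer; since this example sits between peer=() rules, make the distinction explicit, e.g. "# Allow getattr and shutdown on the local (anonymous, addr=none) socket; local permissions cannot take a peer component", so the example also illustrates the restriction the preceding paragraph introduces.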
-- 
2.1.0
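As an added illustration (not code from this patch or from the AppArmor project), the Python below models the rule check the patch describes: it sorts unix socket permissions into the local, combination and peer sets named in the apparmor.d.pod hunk, rejects unknown permissions, rejects local permissions combined with a peer=() conditional, and implies only the peer permissions for an access-list-free rule that has a peer component. The grammar it accepts is a simplified, hypothetical subset of the real rule syntax (a `unix` keyword, an optional parenthesised or single-word access list, then conditionals, then a comma), the function names `parse_unix_rule` and `check_unix_rule` are this example's own, the sample rules in the `__main__` block are constructed from the examples in the patch, and the treatment of accept (allowed with a peer component, not implied) is an assumption the page itself does not settle.

```python
import re

# Permission sets as the updated apparmor.d.pod text of this patch groups them.
LOCAL_PERMS = frozenset({"create", "bind", "listen", "shutdown",
                         "getattr", "setattr", "getopt", "setopt"})
COMBO_PERMS = frozenset({"accept"})            # "combination of a local and peer socket"
PEER_PERMS = frozenset({"connect", "send", "receive"})
VALID_PERMS = LOCAL_PERMS | COMBO_PERMS | PEER_PERMS


class RuleError(ValueError):
    """Raised where the real parser would call yyerror()."""


# Hypothetical, simplified grammar:  unix [ '(' perm, ... ')' | perm ] conds ','
# A bare word is only taken as a permission when it is not followed by '='
# or more word characters, so conditionals such as addr=none stay in conds.
_RULE_RE = re.compile(
    r"^\s*unix\b\s*"
    r"(?:\(\s*(?P<plist>[^)]*)\)|(?P<pword>[a-z]+)(?![=\w]))?"
    r"\s*(?P<conds>.*?)\s*,\s*$"
)
_PEER_RE = re.compile(r"\bpeer\s*=\s*\(")


def parse_unix_rule(rule):
    """Parse one rule; return {'perms', 'has_peer', 'explicit'} or raise RuleError."""
    m = _RULE_RE.match(rule)
    if not m:
        raise RuleError("not a unix socket rule: %r" % rule)

    if m.group("plist") is not None:
        perms = frozenset(p for p in re.split(r"[,\s]+", m.group("plist").strip()) if p)
        explicit = True
    elif m.group("pword") is not None:
        perms = frozenset([m.group("pword")])
        explicit = True
    else:
        perms = None
        explicit = False

    has_peer = _PEER_RE.search(m.group("conds")) is not None

    if not explicit:
        # No access list: imply what is compatible with the conditionals.
        # With a peer component only the peer socket permissions are implied
        # (assumption: accept is not implied; the page does not say).
        perms = PEER_PERMS if has_peer else VALID_PERMS
    else:
        bad = perms - VALID_PERMS
        if bad:
            raise RuleError("mode contains invalid permissions for unix socket rules: "
                            + ", ".join(sorted(bad)))
        local = perms & LOCAL_PERMS
        if local and has_peer:
            # The real parser emits a fixed message listing all eight names;
            # here the offending permissions are named instead.
            raise RuleError("unix socket %s access cannot be used with peer socket conditionals"
                            % ", ".join("'%s'" % p for p in sorted(local)))

    return {"perms": perms, "has_peer": has_peer, "explicit": explicit}


def check_unix_rule(rule):
    """Return None if the rule is accepted, else the parser-style error text."""
    try:
        parse_unix_rule(rule)
    except RuleError as e:
        return str(e)
    return None


if __name__ == "__main__":
    # Constructed sample rules, built from the examples in the patch.
    samples = [
        "unix (receive) peer=(label=unconfined),",
        "unix (getattr, shutdown) peer=(addr=none),",   # the example the patch fixes
        "unix (getattr, shutdown) addr=none,",          # its corrected form
        "unix peer=(label=/foo),",                      # implies peer perms only
        "unix,",                                        # implies everything
        "unix (accept) peer=(label=/foo),",
    ]
    for r in samples:
        err = check_unix_rule(r)
        print("%-45s %s" % (r, "OK " + str(sorted(parse_unix_rule(r)["perms"])) if err is None else "ERROR: " + err))
```

The two-regex split (rule shape first, then a search for `peer=(` inside the conditionals) keeps the check independent of which peer conditionals are used, which is what the C++ hunk's `has_peer_conds()` expresses; extending the model to a new local-only permission means adding it to `LOCAL_PERMS` only, rather than to an error string as well.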