[apparmor] [PATCH v2] parser: Sync parser and man page regarding local and peer perms

Seth Arnold seth.arnold at canonical.com
Thu Sep 18 22:46:21 UTC 2014


On Thu, Sep 18, 2014 at 10:15:26AM -0500, Tyler Hicks wrote:
> This patch updates the parser code to reject rules that contain local
> socket permissions and peer conditional elements. The error message for
> that condition is also corrected to resolve a copy and paste mistake
> from the D-Bus rule parsing code.
> 
> The patch also updates the man page to correctly describe the two sets
> of socket permissions and fixes an example rule that resulted in a
> parser error after the change described above.
> 
> Signed-off-by: Tyler Hicks <tyhicks at canonical.com>

Acked-by: Seth Arnold <seth.arnold at canonical.com>

The last paragraph could use an elucidating example but this is an
improvement.

Thanks

> ---
> 
> * Changes from v1
>   - Rewrote the blurb in apparmor.d.pod
>     + Define the 3 sets of permissions (local, peer, and combination) to start
>       so that they can be referred to by the set name instead of repeatedly
>       listing the permissions
>     + Attempt to make two paragraphs more concise
> 
>  parser/af_unix.cc     |  8 ++------
>  parser/apparmor.d.pod | 17 ++++++++---------
>  2 files changed, 10 insertions(+), 15 deletions(-)
> 
> diff --git a/parser/af_unix.cc b/parser/af_unix.cc
> index 5fac6c7..55549c7 100644
> --- a/parser/af_unix.cc
> +++ b/parser/af_unix.cc
> @@ -115,12 +115,8 @@ unix_rule::unix_rule(int mode_p, struct cond_entry *conds,
>  		mode = mode_p;
>  		if (mode & ~AA_VALID_NET_PERMS)
>  			yyerror("mode contains invalid permissions for unix socket rules\n");
> -		else if ((mode & AA_NET_BIND) && has_peer_conds())
> -			/* Do we want to loosen this? */
> -			yyerror("unix socket 'bind' access cannot be used with message rule conditionals\n");
> -		else if ((mode & AA_NET_LISTEN) && has_peer_conds())
> -			/* Do we want to loosen this? */
> -			yyerror("unix socket 'listen' access cannot be used with message rule conditionals\n");
> +		else if ((mode & ~AA_PEER_NET_PERMS) && has_peer_conds())
> +			yyerror("unix socket 'create', 'shutdown', 'setattr', 'getattr', 'bind', 'listen', 'setopt', and/or 'getopt' accesses cannot be used with peer socket conditionals\n");
>  	} else {
>  		mode = AA_VALID_NET_PERMS;
>  	}
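Review bot: the new condition `(mode & ~AA_PEER_NET_PERMS) && has_peer_conds()` and the error string on the next line encode the same set of permissions twice, once as a bitmask and once as a hand-written list of eight names, so a later change to AA_PEER_NET_PERMS (in a header not shown in this hunk) would silently leave the message stale; either build the message from the mask or add a comment at the mask definition that the yyerror text must be kept in sync. It is also worth confirming that AA_PEER_NET_PERMS includes the accept bit: the man page hunk below describes accept as applying to the combination of local and peer socket, so if accept is outside the mask, a rule such as `unix (accept) peer=(...)` would now be rejected with a message that does not even mention accept. Dropping the two "Do we want to loosen this?" comments is fine since the replacement check is deliberately stricter (it covers create, shutdown, setattr, getattr, setopt and getopt as well as bind and listen), which is the point of the sync.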
> diff --git a/parser/apparmor.d.pod b/parser/apparmor.d.pod
> index 9cf136d..d960f68 100644
> --- a/parser/apparmor.d.pod
> +++ b/parser/apparmor.d.pod
> @@ -935,15 +935,14 @@ state an access list. By default if a rule does not have an access list
>  all permissions that are compatible with the specified set of local
>  and peer conditionals are implied.
>  
> -The create, bind, listen, shutdown, getattr, setattr permissions are
> -applied to the local socket. The accept, connect, send, receive permissions
> -apply to the combination of a local and peer. Currently it is required that
> -create, bind, listen, shutdown, getattr, and settr permission are only
> -specified in rules that do not have a peer component.
> +The create, bind, listen, shutdown, getattr, setattr, getopt, and setopt
> +permissions are local socket permissions. They are only applied to the local
> +socket and can't be specified in rules that have a peer component. The accept
> +permission applies to the combination of a local and peer socket. The connect,
> +send, and receive permissions are peer socket permissions.
>  
> -If a rule is specified with a peer component it will only imply accept
> -(stream), connect (stream), listen, receive and send. It will not imply the
> -create, bind, listen, shutdown, getattr, or setattr permissions.
> +Only the peer socket permissions will be applied to rules that don't specify
> +permissions and contain a peer component.
>  
>  =head3 Example Unix domain socket rules:
>  
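Review bot: the rewritten second paragraph ("Only the peer socket permissions will be applied to rules that don't specify permissions and contain a peer component") leaves accept in limbo: the new first paragraph defines accept as a combination permission, not a peer permission, while the removed text explicitly said a permission-less rule with a peer component implies accept (stream). State outright whether such a rule implies accept, and consider adding a one-line example (e.g. a bare `unix peer=(label=...)` rule followed by the permissions it implies), which also answers the request for an elucidating example above. The removal of the old text's self-contradictory "listen" entry from the implied-by-peer list, and the "settr" typo, is good.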
> @@ -963,7 +962,7 @@ create, bind, listen, shutdown, getattr, or setattr permissions.
>    unix (receive) peer=(label=unconfined),
>  
>    # Allow getattr and shutdown on anonymous sockets
> -  unix (getattr, shutdown) peer=(addr=none),
> +  unix (getattr, shutdown) addr=none,
>  
>    # Allow SOCK_STREAM connect, receive and send on an abstract socket @bar
>    # with peer running under profile '/foo'
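Review bot: changing the example to `unix (getattr, shutdown) addr=none,` is the right fix now that getattr and shutdown are local permissions rejected alongside a peer component; a short note in the comment that addr=none is a local conditional here (the socket itself is anonymous, not its peer) would make it clearer to readers why the earlier `peer=(addr=none)` form was wrong rather than merely disallowed.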
> -- 
> 2.1.0
> 
> 