[apparmor] [PATCH] parser: Allow AF_UNSPEC family in network rules

Tyler Hicks tyhicks at canonical.com
Thu Feb 18 04:51:01 UTC 2016


https://launchpad.net/bugs/1546455

Don't filter out AF_UNSPEC from the list of valid protocol families so
that the parser will accept rules such as 'network unspec,'.

There are certain syscalls, such as socket(2), where the LSM hooks are
called before the protocol family is validated. In these cases, AppArmor
was emitting denials even though socket(2) will eventually fail. There
may be cases where AF_UNSPEC sockets are accepted and we need to make
sure that we're mediating those appropriately.

Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
Suggested-by: Steve Beattie <steve at nxnw.org>
---
 common/Make.rules                               | 2 +-
 parser/tst/simple_tests/network/network_ok_2.sd | 1 +
 parser/tst/simple_tests/network/network_ok_7.sd | 9 +++++++++
 tests/regression/apparmor/tcp.sh                | 4 ++++
 4 files changed, 15 insertions(+), 1 deletion(-)
 create mode 100644 parser/tst/simple_tests/network/network_ok_7.sd

diff --git a/common/Make.rules b/common/Make.rules
index 34ecb62..7d1afa2 100644
--- a/common/Make.rules
+++ b/common/Make.rules
@@ -98,7 +98,7 @@ list_capabilities: /usr/include/linux/capability.h
 # to mediate. We use PF_ here since that is what is required in
 # bits/socket.h, but we will rewrite these as AF_.
 
-FILTER_FAMILIES=PF_UNSPEC PF_UNIX
+FILTER_FAMILIES=PF_UNIX
 
 __FILTER=$(shell echo $(strip $(FILTER_FAMILIES)) | sed -e 's/ /\\\|/g')
 
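Review bot: The comment above FILTER_FAMILIES still only explains the PF_ prefix; now that PF_UNSPEC is removed from the filter, add a line there recording why it is kept in the generated list (socket(2) runs the LSM hooks before the family is validated, so AppArmor must be able to mediate AF_UNSPEC, as the commit message says) and why PF_UNIX alone remains filtered, so that a later cleanup does not re-add PF_UNSPEC as an apparently dead family.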
diff --git a/parser/tst/simple_tests/network/network_ok_2.sd b/parser/tst/simple_tests/network/network_ok_2.sd
index bb16a23..2ad66af 100644
--- a/parser/tst/simple_tests/network/network_ok_2.sd
+++ b/parser/tst/simple_tests/network/network_ok_2.sd
@@ -3,6 +3,7 @@
 #=EXRESULT PASS
 #
 /usr/bin/foo {
+  network unspec,
   network inet,
   network ax25,
   network ipx,
diff --git a/parser/tst/simple_tests/network/network_ok_7.sd b/parser/tst/simple_tests/network/network_ok_7.sd
new file mode 100644
index 0000000..2a8ccf8
--- /dev/null
+++ b/parser/tst/simple_tests/network/network_ok_7.sd
@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION basic unspec network tests
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+  network unspec stream,
+  network unspec dgram,
+  network unspec raw,
+}
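Review bot: The new test file only exercises stream, dgram and raw with the unspec family; add the remaining socket types the parser accepts for a family (at least seqpacket and rdm) to the same file, and pair it with a network_bad_* case (for example an invalid type after unspec) so the suite shows the parser accepts exactly the unspec forms intended rather than anything following the keyword.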
diff --git a/tests/regression/apparmor/tcp.sh b/tests/regression/apparmor/tcp.sh
index 076ca00..703f1c5 100755
--- a/tests/regression/apparmor/tcp.sh
+++ b/tests/regression/apparmor/tcp.sh
@@ -52,6 +52,10 @@ runchecktest "TCP (accept, connect) low numbered port/bind cap" pass 23
 genprofile network:inet 
 runchecktest "TCP (accept, connect) low numbered port/no bind cap" fail 23
 
+# FAIL TEST - make sure that unspec doesn't match
+genprofile network:unspec
+runchecktest "TCP (accept, connect) wrong socket family" fail 23
+
 exit 0
 
 # PASS TEST - accept via interface
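Review bot: This only checks that 'network unspec' does not grant inet access; nothing in tcp.sh exercises the case the commit message describes, a confined task calling socket(2) with AF_UNSPEC with and without 'network unspec,' in its profile. Add a positive test with a small helper that calls socket(AF_UNSPEC, type, 0) and expects EAFNOSUPPORT (and no denial) when the rule is present, so the parser change is shown to matter at runtime. Also confirm that genprofile's network: handling accepts the unspec keyword, since a test expecting fail can be satisfied by a profile that never loaded.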
-- 
2.7.0
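The commit message says socket(2) runs the LSM socket_create hook before it validates the protocol family, so a confined task asking for AF_UNSPEC triggers an AppArmor denial even though the call fails anyway. The probe below, added here as an example and not part of the patch or the AppArmor tree, makes that observable: it tries the three types covered by network_ok_7.sd and reports the errno each call fails with. The function names probe_unspec and type_name are my own; the expected EAFNOSUPPORT result is the kernel's behaviour for a family with no registered protocol.

```c
/*
 * Probe socket(AF_UNSPEC, type, 0) for the socket types named in the
 * patch's network_ok_7.sd test. Unconfined, or confined by a profile that
 * carries "network unspec,", each call fails with EAFNOSUPPORT because no
 * protocol family is registered for AF_UNSPEC. Confined by a profile
 * without that rule, the LSM hook runs first and AppArmor rejects the
 * call with EACCES and logs a denial, which is the noise the patch lets
 * profile authors silence. Added example; not AppArmor project code.
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Return the errno socket(2) failed with for AF_UNSPEC and the given
 * type, or 0 if the kernel unexpectedly returned a usable descriptor. */
int probe_unspec(int type)
{
    int fd = socket(AF_UNSPEC, type, 0);
    if (fd >= 0) {
        close(fd);
        return 0;
    }
    return errno;
}

/* Map the socket type back to the keyword used in AppArmor network rules. */
const char *type_name(int type)
{
    switch (type) {
    case SOCK_STREAM:
        return "stream";
    case SOCK_DGRAM:
        return "dgram";
    case SOCK_RAW:
        return "raw";
    default:
        return "other";
    }
}

int main(void)
{
    /* The three types exercised by the patch's network_ok_7.sd. */
    const int types[] = { SOCK_STREAM, SOCK_DGRAM, SOCK_RAW };
    size_t i;

    for (i = 0; i < sizeof(types) / sizeof(types[0]); i++) {
        int err = probe_unspec(types[i]);
        printf("socket(AF_UNSPEC, %s, 0): %s\n", type_name(types[i]),
               err ? strerror(err) : "succeeded (unexpected)");
    }
    return 0;
}
```

Run it once unconfined to see EAFNOSUPPORT for every type, then under a test profile with and without the 'network unspec,' rule and compare both the errno and the audit log: the errno changes from EACCES to EAFNOSUPPORT and the denial disappears only when the rule is present.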



