[apparmor] [PATCH] parser: Allow AF_UNSPEC family in network rules
John Johansen
john.johansen at canonical.com
Thu Feb 18 06:29:23 UTC 2016
On 02/17/2016 08:51 PM, Tyler Hicks wrote:
> https://launchpad.net/bugs/1546455
>
> Don't filter out AF_UNSPEC from the list of valid protocol families so
> that the parser will accept rules such as 'network unspec,'.
>
> There are certain syscalls, such as socket(2), where the LSM hooks are
> called before the protocol family is validated. In these cases, AppArmor
> was emitting denials even though socket(2) will eventually fail. There
> may be cases where AF_UNSPEC sockets are accepted and we need to make
> sure that we're mediating those appropriately.
>
> Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
> Suggested-by: Steve Beattie <steve at nxnw.org>
Acked-by: John Johansen <john.johansen at canonical.com>
> ---
> common/Make.rules | 2 +-
> parser/tst/simple_tests/network/network_ok_2.sd | 1 +
> parser/tst/simple_tests/network/network_ok_7.sd | 9 +++++++++
> tests/regression/apparmor/tcp.sh | 4 ++++
> 4 files changed, 15 insertions(+), 1 deletion(-)
> create mode 100644 parser/tst/simple_tests/network/network_ok_7.sd
>
> diff --git a/common/Make.rules b/common/Make.rules
> index 34ecb62..7d1afa2 100644
> --- a/common/Make.rules
> +++ b/common/Make.rules
> @@ -98,7 +98,7 @@ list_capabilities: /usr/include/linux/capability.h
> # to mediate. We use PF_ here since that is what is required in
> # bits/socket.h, but we will rewrite these as AF_.
>
> -FILTER_FAMILIES=PF_UNSPEC PF_UNIX
> +FILTER_FAMILIES=PF_UNIX
>
> __FILTER=$(shell echo $(strip $(FILTER_FAMILIES)) | sed -e 's/ /\\\|/g')
>
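Review bot: the comment above FILTER_FAMILIES (its visible tail reads "# to mediate. We use PF_ here since that is what is required in bits/socket.h") should now record why PF_UNSPEC is deliberately left out of the filter, i.e. the reason given in the commit message that the LSM socket hooks run before socket(2) validates the family, otherwise the next person tidying this list will put PF_UNSPEC back. Note also that dropping it leaves FILTER_FAMILIES with a single entry, so the `sed -e 's/ /\\\|/g'` on the following line produces a bare `PF_UNIX` with no alternation; that is harmless for the grep it feeds, but worth a glance if more families are ever filtered here.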
> diff --git a/parser/tst/simple_tests/network/network_ok_2.sd b/parser/tst/simple_tests/network/network_ok_2.sd
> index bb16a23..2ad66af 100644
> --- a/parser/tst/simple_tests/network/network_ok_2.sd
> +++ b/parser/tst/simple_tests/network/network_ok_2.sd
> @@ -3,6 +3,7 @@
> #=EXRESULT PASS
> #
> /usr/bin/foo {
> + network unspec,
> network inet,
> network ax25,
> network ipx,
> diff --git a/parser/tst/simple_tests/network/network_ok_7.sd b/parser/tst/simple_tests/network/network_ok_7.sd
> new file mode 100644
> index 0000000..2a8ccf8
> --- /dev/null
> +++ b/parser/tst/simple_tests/network/network_ok_7.sd
> @@ -0,0 +1,9 @@
> +#
> +#=DESCRIPTION basic unspec network tests
> +#=EXRESULT PASS
> +#
> +/usr/bin/foo {
> + network unspec stream,
> + network unspec dgram,
> + network unspec raw,
> +}
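Review bot: the `#=DESCRIPTION basic unspec network tests` line oversells this file slightly, since it only covers the type-qualified forms (`network unspec stream,`, `dgram`, `raw`) while the bare `network unspec,` rule is exercised over in network_ok_2.sd. Either add `network unspec,` here so the unspec coverage is self-contained in one test, or narrow the description to something like "unspec network rules with socket types".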
> diff --git a/tests/regression/apparmor/tcp.sh b/tests/regression/apparmor/tcp.sh
> index 076ca00..703f1c5 100755
> --- a/tests/regression/apparmor/tcp.sh
> +++ b/tests/regression/apparmor/tcp.sh
> @@ -52,6 +52,10 @@ runchecktest "TCP (accept, connect) low numbered port/bind cap" pass 23
> genprofile network:inet
> runchecktest "TCP (accept, connect) low numbered port/no bind cap" fail 23
>
> +# FAIL TEST - make sure that unspec doesn't match
> +genprofile network:unspec
> +runchecktest "TCP (accept, connect) wrong socket family" fail 23
> +
> exit 0
>
> # PASS TEST - accept via interface
>
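Review bot: the new FAIL test only pins down the negative direction (a profile with `network unspec` must not let TCP through), but the motivating case in the commit message is the positive one: a confined task calling socket(2) with AF_UNSPEC should stop producing a denial once `network unspec,` is in the profile. If the regression harness can issue such a call, a matching PASS check next to this one would lock that behaviour in; as written, nothing in tests/regression actually exercises an AF_UNSPEC socket. Placing the check ahead of `exit 0` is correct, since whatever follows that line (the `# PASS TEST - accept via interface` comment and anything after it) is never run.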
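As an added example to go with the discussion above (this is not code from Tyler's patch or from the AppArmor tree), the following C program probes what socket(2) does when handed AF_UNSPEC for the three socket types the new network_ok_7.sd test lists. It assumes a stock Linux kernel, where no protocol family ever registers for PF_UNSPEC, so every call fails with EAFNOSUPPORT; the point of the commit message is that the LSM socket_create hook has already run by the time that failure is returned, which is why a confined task without a `network unspec,` rule was logged as denied for a socket that never existed.

```c
/* Added example, not part of the AppArmor patch above: probe how the
 * kernel treats socket(2) for AF_UNSPEC. On stock Linux no protocol
 * family registers for PF_UNSPEC, so the call fails with EAFNOSUPPORT,
 * but the LSM socket_create hook has already fired by then. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Try to create an AF_UNSPEC socket of the given type.
 * Returns 0 if the kernel unexpectedly handed back a descriptor
 * (which is closed again), otherwise the errno that socket(2) set. */
int unspec_socket_errno(int type)
{
    int fd = socket(AF_UNSPEC, type, 0);
    if (fd >= 0) {
        close(fd);
        return 0;
    }
    return errno;
}

/* Name the socket type for the report; only the three types that the
 * network_ok_7.sd parser test covers are spelled out. */
static const char *type_name(int type)
{
    switch (type) {
    case SOCK_STREAM: return "stream";
    case SOCK_DGRAM:  return "dgram";
    case SOCK_RAW:    return "raw";
    default:          return "other";
    }
}

int main(void)
{
    const int types[] = { SOCK_STREAM, SOCK_DGRAM, SOCK_RAW };

    for (size_t i = 0; i < sizeof types / sizeof types[0]; i++) {
        int err = unspec_socket_errno(types[i]);
        if (err == 0)
            printf("socket(AF_UNSPEC, %s): succeeded\n",
                   type_name(types[i]));
        else
            printf("socket(AF_UNSPEC, %s): %s (errno %d)\n",
                   type_name(types[i]), strerror(err), err);
    }
    return 0;
}
```

To reproduce the behaviour the commit message describes, run the binary confined by a profile that grants only `network inet,` and watch the audit log or dmesg: the process gets EAFNOSUPPORT back from every call, yet AppArmor still records a denial for the unspec family. Adding `network unspec,` to the profile, which is only possible once the parser accepts that family as in this patch, silences the denial without changing what socket(2) returns.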