[apparmor] [PATCH] parser: Allow AF_UNSPEC family in network rules
Tyler Hicks
tyhicks at canonical.com
Thu Feb 18 16:22:43 UTC 2016
On 2016-02-17 22:29:23, John Johansen wrote:
> On 02/17/2016 08:51 PM, Tyler Hicks wrote:
> > https://launchpad.net/bugs/1546455
> >
> > Don't filter out AF_UNSPEC from the list of valid protocol families so
> > that the parser will accept rules such as 'network unspec,'.
> >
> > There are certain syscalls, such as socket(2), where the LSM hooks are
> > called before the protocol family is validated. In these cases, AppArmor
> > was emitting denials even though socket(2) will eventually fail. There
> > may be cases where AF_UNSPEC sockets are accepted and we need to make
> > sure that we're mediating those appropriately.
> >
> > Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
> > Suggested-by: Steve Beattie <steve at nxnw.org>
>
> Acked-by: John Johansen <john.johansen at canonical.com>
Thanks! Do you have an opinion on whether this patch is 2.10 and 2.9
branch worthy? I think it is probably a harmless change to apply to
those branches so let me know if you ack it for 2.10/2.9, as well.
Tyler
>
> > ---
> > common/Make.rules | 2 +-
> > parser/tst/simple_tests/network/network_ok_2.sd | 1 +
> > parser/tst/simple_tests/network/network_ok_7.sd | 9 +++++++++
> > tests/regression/apparmor/tcp.sh | 4 ++++
> > 4 files changed, 15 insertions(+), 1 deletion(-)
> > create mode 100644 parser/tst/simple_tests/network/network_ok_7.sd
> >
> > diff --git a/common/Make.rules b/common/Make.rules
> > index 34ecb62..7d1afa2 100644
> > --- a/common/Make.rules
> > +++ b/common/Make.rules
> > @@ -98,7 +98,7 @@ list_capabilities: /usr/include/linux/capability.h
> > # to mediate. We use PF_ here since that is what is required in
> > # bits/socket.h, but we will rewrite these as AF_.
> >
> > -FILTER_FAMILIES=PF_UNSPEC PF_UNIX
> > +FILTER_FAMILIES=PF_UNIX
> >
> > __FILTER=$(shell echo $(strip $(FILTER_FAMILIES)) | sed -e 's/ /\\\|/g')
> >
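Review bot: the comment block just above FILTER_FAMILIES (the "# to mediate. We use PF_ here ..." lines) should record why PF_UNSPEC is no longer filtered, namely that LSM hooks such as the socket(2) hook run before the family is validated, so unspec rules must be accepted to avoid spurious denials; without that note a later cleanup could reasonably re-add PF_UNSPEC to the list. The __FILTER sed expression itself is unaffected by the list shrinking to one entry, since it only rewrites the spaces between names.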
> > diff --git a/parser/tst/simple_tests/network/network_ok_2.sd b/parser/tst/simple_tests/network/network_ok_2.sd
> > index bb16a23..2ad66af 100644
> > --- a/parser/tst/simple_tests/network/network_ok_2.sd
> > +++ b/parser/tst/simple_tests/network/network_ok_2.sd
> > @@ -3,6 +3,7 @@
> > #=EXRESULT PASS
> > #
> > /usr/bin/foo {
> > + network unspec,
> > network inet,
> > network ax25,
> > network ipx,
> > diff --git a/parser/tst/simple_tests/network/network_ok_7.sd b/parser/tst/simple_tests/network/network_ok_7.sd
> > new file mode 100644
> > index 0000000..2a8ccf8
> > --- /dev/null
> > +++ b/parser/tst/simple_tests/network/network_ok_7.sd
> > @@ -0,0 +1,9 @@
> > +#
> > +#=DESCRIPTION basic unspec network tests
> > +#=EXRESULT PASS
> > +#
> > +/usr/bin/foo {
> > + network unspec stream,
> > + network unspec dgram,
> > + network unspec raw,
> > +}
> > diff --git a/tests/regression/apparmor/tcp.sh b/tests/regression/apparmor/tcp.sh
> > index 076ca00..703f1c5 100755
> > --- a/tests/regression/apparmor/tcp.sh
> > +++ b/tests/regression/apparmor/tcp.sh
> > @@ -52,6 +52,10 @@ runchecktest "TCP (accept, connect) low numbered port/bind cap" pass 23
> > genprofile network:inet
> > runchecktest "TCP (accept, connect) low numbered port/no bind cap" fail 23
> >
> > +# FAIL TEST - make sure that unspec doesn't match
> > +genprofile network:unspec
> > +runchecktest "TCP (accept, connect) wrong socket family" fail 23
> > +
> > exit 0
> >
> > # PASS TEST - accept via interface
> >
>
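Review bot: this hunk only adds the negative case (a profile with `network unspec` must not grant inet access), but the bug being fixed is the opposite direction: a profile that declares `network unspec` should no longer log a denial when a program calls socket(2) with AF_UNSPEC. A pass-side check for that, or at least a note on why it cannot be exercised here, would make the regression coverage match the commit message. The comment "make sure that unspec doesn't match" would also read more precisely as "make sure that unspec does not grant inet".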