[apparmor] [PATCH] parser: Allow AF_UNSPEC family in network rules

Christian Boltz apparmor at cboltz.de
Thu Feb 18 17:19:39 UTC 2016


On Wednesday, 17 February 2016, 22:51:01 CET, Tyler Hicks wrote:
> https://launchpad.net/bugs/1546455
> Don't filter out AF_UNSPEC from the list of valid protocol families so
> that the parser will accept rules such as 'network unspec,'.
> There are certain syscalls, such as socket(2), where the LSM hooks are
> called before the protocol family is validated. In these cases,
> AppArmor was emitting denials even though socket(2) will eventually
> fail. There may be cases where AF_UNSPEC sockets are accepted and we
> need to make sure that we're mediating those appropriately.

Whenever you change something in the parser simple_tests or libapparmor 
test_multi testsuite, please also run the utils testsuite which also 
runs against those testcases.

Long story short: Your addition of the 'unspec' keyword breaks the 
utils testsuite.

To un-break it, we need...

[patch] Add 'unspec' to NetworkRule keyword list

I propose this patch for trunk and 2.10 (assuming the parser patch for
AF_UNSPEC gets applied to both).

[ 71-network-unspec.diff ]

--- utils/apparmor/rule/network.py      2016-02-12 22:11:21.078578660 +0100
+++ utils/apparmor/rule/network.py      2016-02-18 18:09:26.482597013 +0100
@@ -27,7 +27,7 @@
 network_domain_keywords   = [ 'unix', 'inet', 'ax25', 'ipx', 'appletalk', 'netrom', 'bridge', 'atmpvc', 'x25', 'inet6',
                               'rose', 'netbeui', 'security', 'key', 'netlink', 'packet', 'ash', 'econet', 'atmsvc', 'rds', 'sna',
                               'irda', 'pppox', 'wanpipe', 'llc', 'can', 'tipc', 'bluetooth', 'iucv', 'rxrpc', 'isdn', 'phonet',
-                              'ieee802154', 'caif', 'alg', 'nfc', 'vsock', 'mpls', 'ib' ]
+                              'ieee802154', 'caif', 'alg', 'nfc', 'vsock', 'mpls', 'ib', 'unspec' ]
 network_type_keywords     = ['stream', 'dgram', 'seqpacket', 'rdm', 'raw', 'packet']
 network_protocol_keywords = ['tcp', 'udp', 'icmp']
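Review bot: nothing in this hunk verifies that the new 'unspec' keyword is spelled the same way the parser patch accepts it; since the utils testsuite runs against the parser's simple_tests files, a 'network unspec,' testcase should land there together with the parser change so that both the parser and this keyword list are exercised by the same input. Minor style point: this list roughly tracks the kernel's AF_* numbering (unix, inet, ax25, ...), and AF_UNSPEC is family 0, so if that ordering is intentional 'unspec' belongs at the head of the list rather than appended after 'ib'.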

Feel free to commit this together with your parser patch ;-)


Christian Boltz
> With Mutt or Gnus, everyone ends up there sooner or later anyway,
> so you might as well take the shortcut and start with them right away. ;)
No, that statement is simply wrong. Because in a
small village in the northwest of Gaul...
[> Andreas Kneib and Thomas Hertweck in suse-linux]