[apparmor] [PATCH] parser: Allow AF_UNSPEC family in network rules
Tyler Hicks
tyhicks at canonical.com
Thu Feb 18 18:30:52 UTC 2016
On 2016-02-18 18:19:39, Christian Boltz wrote:
> Hello,
>
> Am Mittwoch, 17. Februar 2016, 22:51:01 CET schrieb Tyler Hicks:
> > https://launchpad.net/bugs/1546455
> >
> > Don't filter out AF_UNSPEC from the list of valid protocol families so
> > that the parser will accept rules such as 'network unspec,'.
> >
> > There are certain syscalls, such as socket(2), where the LSM hooks are
> > called before the protocol family is validated. In these cases,
> > AppArmor was emitting denials even though socket(2) will eventually
> > fail. There may be cases where AF_UNSPEC sockets are accepted and we
> > need to make sure that we're mediating those appropriately.
>
> Whenever you change something in the parser simple_tests or libapparmor
> test_multi testsuite, please also run the utils testsuite which also
> runs against those testcases.
>
> Long story short: Your addition of the 'unspec' keyword breaks the
> utils testsuite.
>
> To un-break it, we need...
>
>
> [patch] Add 'unspec' to NetworkRule keyword list
>
> I propose this patch for trunk and 2.10 (assuming the parser patch for
> AF_UNSPEC gets applied to both)
>
>
> [ 71-network-unspec.diff ]
>
> --- utils/apparmor/rule/network.py 2016-02-12 22:11:21.078578660 +0100
> +++ utils/apparmor/rule/network.py 2016-02-18 18:09:26.482597013 +0100
> @@ -27,7 +27,7 @@
> network_domain_keywords = [ 'unix', 'inet', 'ax25', 'ipx', 'appletalk', 'netrom', 'bridge', 'atmpvc', 'x25', 'inet6',
> 'rose', 'netbeui', 'security', 'key', 'netlink', 'packet', 'ash', 'econet', 'atmsvc', 'rds', 'sna',
> 'irda', 'pppox', 'wanpipe', 'llc', 'can', 'tipc', 'bluetooth', 'iucv', 'rxrpc', 'isdn', 'phonet',
> - 'ieee802154', 'caif', 'alg', 'nfc', 'vsock', 'mpls', 'ib' ]
> + 'ieee802154', 'caif', 'alg', 'nfc', 'vsock', 'mpls', 'ib', 'unspec' ]
>
> network_type_keywords = ['stream', 'dgram', 'seqpacket', 'rdm', 'raw', 'packet']
> network_protocol_keywords = ['tcp', 'udp', 'icmp']
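Review bot: 'unspec' is appended to the tail of network_domain_keywords, but the rest of that list follows the protocol-family numbering from <sys/socket.h> (unix=1, inet=2, ax25=3, ...) and PF_UNSPEC is 0, so it should go at the head of the list instead: `network_domain_keywords = [ 'unspec', 'unix', 'inet', 'ax25', ...`. Keeping the socket.h order is what the reply below does when committing, and it makes the keyword list easy to compare against the parser's family table when the next family is added.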
>
>
> Feel free to commit this together with your parser patch ;-)
Thanks! I added it to the front of the list to match the ordering of the
definitions in <sys/socket.h>:
/* Protocol families. */
#define PF_UNSPEC 0 /* Unspecified. */
#define PF_LOCAL 1 /* Local to host (pipes and
file-domain). */
#define PF_UNIX PF_LOCAL /* POSIX name for PF_LOCAL. */
#define PF_FILE PF_LOCAL /* Another non-standard name for
PF_LOCAL. */
#define PF_INET 2 /* IP protocol family. */
#define PF_AX25 3 /* Amateur Radio AX.25. */
#define PF_IPX 4 /* Novell Internet Protocol. */
...
Tyler
>
>
> Regards,
>
> Christian Boltz
> --
> > Everyone ends up on Mutt or Gnus sooner or later anyway,
> > so you might as well take the shortcut and start with them right away. ;)
> No, that statement is simply wrong. Because in a small
> village in the north-west of Gaul...
> [> Andreas Kneib and Thomas Hertweck in suse-linux]
> --
> AppArmor mailing list
> AppArmor at lists.ubuntu.com
> Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
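The commit message above says socket(2) runs the LSM hook before the protocol family is validated, so a profile without 'network unspec,' logs a denial for an AF_UNSPEC socket even though the call fails regardless. The program below is an added example, not code from the mail or from AppArmor: it probes socket(2) with a registered family, with AF_UNSPEC, and with a constructed out-of-range family number (4096, an assumption chosen to be above the kernel's family table), and reports the errno the caller sees. Under Linux the first two reach security_socket_create() in __sock_create() before the family lookup, while the out-of-range value is rejected by the range check ahead of the hook; the caller gets EAFNOSUPPORT for both failing cases, and only the audit log (if a profile confines the process) tells them apart.

```c
/*
 * Added example (not part of the original mail or the AppArmor project).
 * Probe socket(2) with several protocol families and report what the
 * caller observes.  On Linux, __sock_create() calls the LSM
 * socket_create hook before it looks up the family in the registered
 * table, so AF_UNSPEC reaches AppArmor and may be logged as a denial,
 * yet still fails with EAFNOSUPPORT because no family 0 is registered.
 * A family number beyond the table (FAMILY_OUT_OF_RANGE, a constructed
 * value assumed to exceed the kernel's NPROTO) fails with the same errno
 * but is rejected by the range check before the hook runs.
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Constructed value: well above any protocol family the kernel knows. */
#define FAMILY_OUT_OF_RANGE 4096

/* Try to create a socket of the given family and type.
 * Returns 0 on success (the descriptor is closed again), otherwise the
 * errno that socket(2) reported. */
int try_family(int family, int type)
{
    int fd = socket(family, type, 0);
    if (fd < 0)
        return errno;
    close(fd);
    return 0;
}

struct probe {
    const char *name;
    int family;
};

int main(void)
{
    /* Constructed probe list: one registered family, AF_UNSPEC (0), and
     * a family number outside the kernel's table. */
    const struct probe probes[] = {
        { "AF_UNIX",            AF_UNIX },
        { "AF_UNSPEC",          AF_UNSPEC },
        { "FAMILY_OUT_OF_RANGE", FAMILY_OUT_OF_RANGE },
    };
    size_t i;

    for (i = 0; i < sizeof(probes) / sizeof(probes[0]); i++) {
        int err = try_family(probes[i].family, SOCK_STREAM);
        if (err == 0)
            printf("%-19s (%4d): socket() succeeded\n",
                   probes[i].name, probes[i].family);
        else
            printf("%-19s (%4d): socket() failed: %s (errno %d)\n",
                   probes[i].name, probes[i].family, strerror(err), err);
    }
    return 0;
}
```

Run it under a profile that has no 'network unspec,' rule and compare the audit log with the printed errno: the AF_UNSPEC line fails with EAFNOSUPPORT exactly like the out-of-range family, but only the AF_UNSPEC attempt shows up as a denial, which is the behaviour the parser change lets a profile author express a rule for.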