[apparmor] [PATCH] parser: Allow AF_UNSPEC family in network rules

Tyler Hicks tyhicks at canonical.com
Thu Feb 18 18:30:52 UTC 2016 

On 2016-02-18 18:19:39, Christian Boltz wrote:
> Hello,
> 
> Am Mittwoch, 17. Februar 2016, 22:51:01 CET schrieb Tyler Hicks:
> > https://launchpad.net/bugs/1546455
> > 
> > Don't filter out AF_UNSPEC from the list of valid protocol families so
> > that the parser will accept rules such as 'network unspec,'.
> > 
> > There are certain syscalls, such as socket(2), where the LSM hooks are
> > called before the protocol family is validated. In these cases,
> > AppArmor was emitting denials even though socket(2) will eventually
> > fail. There may be cases where AF_UNSPEC sockets are accepted and we
> > need to make sure that we're mediating those appropriately.
> 
> Whenever you change something in the parser simple_tests or libapparmor 
> test_multi testsuite, please also run the utils testsuite which also 
> runs against those testcases.
> 
> Long story short: Your addition of the 'unspec' keyword breaks the 
> utils testsuite.
> 
> To un-break it, we need...
> 
> 
> [patch] Add 'unspec' to NetworkRule keyword list
> 
> I propose this patch for trunk and 2.10 (assuming the parser patch for
> AF_UNSPEC gets applied to both)
> 
> 
> [ 71-network-unspec.diff ]
> 
> --- utils/apparmor/rule/network.py      2016-02-12 22:11:21.078578660 +0100
> +++ utils/apparmor/rule/network.py      2016-02-18 18:09:26.482597013 +0100
> @@ -27,7 +27,7 @@
>  network_domain_keywords   = [ 'unix', 'inet', 'ax25', 'ipx', 'appletalk', 'netrom', 'bridge', 'atmpvc', 'x25', 'inet6',
>                                'rose', 'netbeui', 'security', 'key', 'netlink', 'packet', 'ash', 'econet', 'atmsvc', 'rds', 'sna',
>                                'irda', 'pppox', 'wanpipe', 'llc', 'can', 'tipc', 'bluetooth', 'iucv', 'rxrpc', 'isdn', 'phonet',
> -                              'ieee802154', 'caif', 'alg', 'nfc', 'vsock', 'mpls', 'ib' ]
> +                              'ieee802154', 'caif', 'alg', 'nfc', 'vsock', 'mpls', 'ib', 'unspec' ]
>  
>  network_type_keywords     = ['stream', 'dgram', 'seqpacket', 'rdm', 'raw', 'packet']
>  network_protocol_keywords = ['tcp', 'udp', 'icmp']
> 
> 
> Feel free to commit this together with your parser patch ;-)

Thanks! I added it to the front of the list to match the ordering of the
definitions in <sys/socket.h>:

/* Protocol families.  */
#define PF_UNSPEC       0       /* Unspecified.  */
#define PF_LOCAL        1       /* Local to host (pipes and
file-domain).  */
#define PF_UNIX         PF_LOCAL /* POSIX name for PF_LOCAL.  */
#define PF_FILE         PF_LOCAL /* Another non-standard name for
PF_LOCAL.  */
#define PF_INET         2       /* IP protocol family.  */
#define PF_AX25         3       /* Amateur Radio AX.25.  */
#define PF_IPX          4       /* Novell Internet Protocol.  */
...

Tyler

> 
> 
> Regards,
> 
> Christian Boltz
> -- 
> > Bei Mutt oder Gnus landet ohnehin jeder früher oder später,
> > Du kannst also abkürzen gleich damit anfangen. ;)
> Nein, diese Aussage ist schlicht falsch. Denn in einem
> kleinen Dorf im Nordwesten Galliens...
> [> Andreas Kneib und Thomas Hertweck in suse-linux]



> -- 
> AppArmor mailing list
> AppArmor at lists.ubuntu.com
> Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20160218/841a00db/attachment.pgp>

More information about the AppArmor mailing list