[apparmor] [PATCH] parser: Allow AF_UNSPEC family in network rules
John Johansen
john.johansen at canonical.com
Thu Feb 18 22:19:32 UTC 2016
On 02/18/2016 08:22 AM, Tyler Hicks wrote:
> On 2016-02-17 22:29:23, John Johansen wrote:
>> On 02/17/2016 08:51 PM, Tyler Hicks wrote:
>>> https://launchpad.net/bugs/1546455
>>>
>>> Don't filter out AF_UNSPEC from the list of valid protocol families so
>>> that the parser will accept rules such as 'network unspec,'.
>>>
>>> There are certain syscalls, such as socket(2), where the LSM hooks are
>>> called before the protocol family is validated. In these cases, AppArmor
>>> was emitting denials even though socket(2) will eventually fail. There
>>> may be cases where AF_UNSPEC sockets are accepted and we need to make
>>> sure that we're mediating those appropriately.
>>>
>>> Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
>>> Suggested-by: Steve Beattie <steve at nxnw.org>
>>
>> Acked-by: John Johansen <john.johansen at canonical.com>
>
> Thanks! Do you have an opinion on whether this patch is 2.10 and 2.9
> branch worthy? I think it is probably a harmless change to apply to
> those branches so let me know if you ack it for 2.10/2.9, as well.
>
Yes, acked for 2.10/2.9.
> Tyler
>
>>
>>> ---
>>> common/Make.rules | 2 +-
>>> parser/tst/simple_tests/network/network_ok_2.sd | 1 +
>>> parser/tst/simple_tests/network/network_ok_7.sd | 9 +++++++++
>>> tests/regression/apparmor/tcp.sh | 4 ++++
>>> 4 files changed, 15 insertions(+), 1 deletion(-)
>>> create mode 100644 parser/tst/simple_tests/network/network_ok_7.sd
>>>
>>> diff --git a/common/Make.rules b/common/Make.rules
>>> index 34ecb62..7d1afa2 100644
>>> --- a/common/Make.rules
>>> +++ b/common/Make.rules
>>> @@ -98,7 +98,7 @@ list_capabilities: /usr/include/linux/capability.h
>>> # to mediate. We use PF_ here since that is what is required in
>>> # bits/socket.h, but we will rewrite these as AF_.
>>>
>>> -FILTER_FAMILIES=PF_UNSPEC PF_UNIX
>>> +FILTER_FAMILIES=PF_UNIX
>>>
>>> __FILTER=$(shell echo $(strip $(FILTER_FAMILIES)) | sed -e 's/ /\\\|/g')
>>>
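Review bot: the comment just above FILTER_FAMILIES still only explains the PF_/AF_ naming and says nothing about why PF_UNIX stays filtered while PF_UNSPEC is now let through; add a sentence there carrying the reasoning from the commit message (the LSM hooks for socket(2) run before the family is validated, so 'unspec' must be expressible in policy), otherwise the next cleanup is likely to put PF_UNSPEC back. The __FILTER sed expression needs no change for a one-element list: with no space left to replace it simply yields `PF_UNIX`.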
>>> diff --git a/parser/tst/simple_tests/network/network_ok_2.sd b/parser/tst/simple_tests/network/network_ok_2.sd
>>> index bb16a23..2ad66af 100644
>>> --- a/parser/tst/simple_tests/network/network_ok_2.sd
>>> +++ b/parser/tst/simple_tests/network/network_ok_2.sd
>>> @@ -3,6 +3,7 @@
>>> #=EXRESULT PASS
>>> #
>>> /usr/bin/foo {
>>> + network unspec,
>>> network inet,
>>> network ax25,
>>> network ipx,
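Review bot: this hunk only adds the bare `network unspec,` form to a PASS test; check whether any existing file under parser/tst/simple_tests/network expects `network unspec,` to be rejected (it was a parse failure while PF_UNSPEC was filtered), because the diffstat shows no EXRESULT being flipped and such a test would now fail.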
>>> diff --git a/parser/tst/simple_tests/network/network_ok_7.sd b/parser/tst/simple_tests/network/network_ok_7.sd
>>> new file mode 100644
>>> index 0000000..2a8ccf8
>>> --- /dev/null
>>> +++ b/parser/tst/simple_tests/network/network_ok_7.sd
>>> @@ -0,0 +1,9 @@
>>> +#
>>> +#=DESCRIPTION basic unspec network tests
>>> +#=EXRESULT PASS
>>> +#
>>> +/usr/bin/foo {
>>> + network unspec stream,
>>> + network unspec dgram,
>>> + network unspec raw,
>>> +}
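Review bot: `#=EXRESULT PASS` only proves the three typed unspec rules parse; nothing in the patch checks that the generated policy actually mediates an AF_UNSPEC socket(2) call. The tcp.sh hunk covers the negative direction at runtime, but the positive case the commit message motivates (a profile with `network unspec,` no longer producing a denial when socket(2) is called with AF_UNSPEC) has no regression test; adding one alongside this file would close that gap.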
>>> diff --git a/tests/regression/apparmor/tcp.sh b/tests/regression/apparmor/tcp.sh
>>> index 076ca00..703f1c5 100755
>>> --- a/tests/regression/apparmor/tcp.sh
>>> +++ b/tests/regression/apparmor/tcp.sh
>>> @@ -52,6 +52,10 @@ runchecktest "TCP (accept, connect) low numbered port/bind cap" pass 23
>>> genprofile network:inet
>>> runchecktest "TCP (accept, connect) low numbered port/no bind cap" fail 23
>>>
>>> +# FAIL TEST - make sure that unspec doesn't match
>>> +genprofile network:unspec
>>> +runchecktest "TCP (accept, connect) wrong socket family" fail 23
>>> +
>>> exit 0
>>>
>>> # PASS TEST - accept via interface
>>>
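Review bot: the new FAIL test is correctly placed before `exit 0` (the "accept via interface" PASS test after it is already unreachable, a pre-existing issue this patch rightly leaves alone). The comment "make sure that unspec doesn't match" and the test name "wrong socket family" describe the same expectation in two different ways; use one phrasing in both and spell out that the profile grants only `network unspec` while the test's sockets are AF_INET, so the expected outcome is a denial.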
>>
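An added example, written here to illustrate the thread and not taken from the patch or from the AppArmor project, showing from user space the behaviour the commit message relies on: socket(2) with AF_UNSPEC is rejected by the kernel for each socket type the new network_ok_7.sd test lists, so an 'unspec' entry in AppArmor's audit log comes from the LSM hook that runs before that rejection, not from a socket that was ever created. It assumes a Linux host (where the kernel reports EAFNOSUPPORT); the helper names are mine.

```c
/* Added example (not part of the AppArmor patch or project): probe how the
 * kernel answers socket(2) for AF_UNSPEC versus a real family. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Create a socket in the given family/type and return the errno the kernel
 * produced, or 0 on success (the descriptor is closed again immediately). */
int probe_socket_family(int family, int type)
{
    int fd = socket(family, type, 0);
    if (fd < 0)
        return errno;
    close(fd);
    return 0;
}

/* Returns 1 if every AF_UNSPEC variant covered by network_ok_7.sd
 * (stream, dgram, raw) is refused by the kernel, 0 if any one succeeds.
 * The LSM socket_create hook has already run by the time the family is
 * rejected, which is why AppArmor could log a denial for a call that
 * never produces a socket. */
int unspec_always_rejected(void)
{
    const int types[] = { SOCK_STREAM, SOCK_DGRAM, SOCK_RAW };
    for (size_t i = 0; i < sizeof types / sizeof types[0]; i++)
        if (probe_socket_family(AF_UNSPEC, types[i]) == 0)
            return 0;
    return 1;
}

int main(void)
{
    const struct { const char *name; int type; } types[] = {
        { "stream", SOCK_STREAM },
        { "dgram",  SOCK_DGRAM  },
        { "raw",    SOCK_RAW    },
    };

    for (size_t i = 0; i < sizeof types / sizeof types[0]; i++) {
        int err = probe_socket_family(AF_UNSPEC, types[i].type);
        printf("socket(AF_UNSPEC, %s): %s\n", types[i].name,
               err ? strerror(err) : "succeeded");
    }

    /* Contrast with the family the tcp.sh regression test actually uses. */
    int err = probe_socket_family(AF_INET, SOCK_STREAM);
    printf("socket(AF_INET, stream): %s\n", err ? strerror(err) : "succeeded");

    return unspec_always_rejected() ? 0 : 1;
}
```

Run under a profile that lacks `network unspec,` and (on a pre-patch parser) the AF_UNSPEC probes still fail with the same kernel error, yet each call leaves a denial in the audit log; with the rule present the denial goes away and the kernel error is unchanged.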