[apparmor] [PATCH][PARSER]: fix downgraded unix rule output
John Johansen
john.johansen at canonical.com
Sat Aug 19 00:02:15 UTC 2017
With unix rules we output a downgraded rule compatible with network rules, so that policy will work on kernels that support network socket controls but not the extended af_unix rules.
However, this is currently broken if the socket type is left unspecified (initialized to -1), resulting in denials for kernels that don't support the extended af_unix rules.
---
=== modified file 'parser/af_unix.cc'
--- parser/af_unix.cc 2015-02-12 18:19:16 +0000
+++ parser/af_unix.cc 2017-08-18 11:25:26 +0000
@@ -196,16 +196,20 @@
#define CMD_OPT 4
void unix_rule::downgrade_rule(Profile &prof) {
+ unsigned int mask = (unsigned int) -1;
+
if (!prof.net.allow && !prof.alloc_net_table())
yyerror(_("Memory allocation error."));
+ if (sock_type_n != -1)
+ mask = 1 << sock_type_n;
if (deny) {
- prof.net.deny[AF_UNIX] |= 1 << sock_type_n;
+ prof.net.deny[AF_UNIX] |= mask;
if (!audit)
- prof.net.quiet[AF_UNIX] |= 1 << sock_type_n;
+ prof.net.quiet[AF_UNIX] |= mask;
} else {
- prof.net.allow[AF_UNIX] |= 1 << sock_type_n;
+ prof.net.allow[AF_UNIX] |= mask;
if (audit)
- prof.net.audit[AF_UNIX] |= 1 << sock_type_n;
+ prof.net.audit[AF_UNIX] |= mask;
}
}
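Review bot: The all-ones default `unsigned int mask = (unsigned int) -1;` deserves a one-line comment stating that it means "all socket types" when `sock_type_n` is unspecified, since that is the semantic the downgrade now relies on; `~0U` or `UINT_MAX` would also read more clearly than the cast. It is worth noting in the commit message that the old `1 << sock_type_n` with `sock_type_n == -1` was a shift by a negative count, i.e. undefined behaviour, not merely a wrong bit, so the change fixes that as well. Finally, `mask = 1 << sock_type_n;` still assumes `sock_type_n` is below the width of `mask`; if that bound is not enforced where `sock_type_n` is parsed, add a check before the shift.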