[apparmor] [PATCH][PARSER]: fix downgraded unix rule output
Seth Arnold
seth.arnold at canonical.com
Sat Aug 19 00:19:06 UTC 2017
On Fri, Aug 18, 2017 at 05:02:15PM -0700, John Johansen wrote:
> With unix rules we output a downgraded rule compatible with network rules so that policy will work on kernels that support network socket controls but not the extended af_unix rules.
>
> However, this is currently broken if the socket type is left unspecified (initialized to -1), resulting in denials for kernels that don't support the extended af_unix rules.
>
> ---
Acked-by: Seth Arnold <seth.arnold at canonical.com>
Thanks
> === modified file 'parser/af_unix.cc'
> --- parser/af_unix.cc 2015-02-12 18:19:16 +0000
> +++ parser/af_unix.cc 2017-08-18 11:25:26 +0000
> @@ -196,16 +196,20 @@
> #define CMD_OPT 4
>
> void unix_rule::downgrade_rule(Profile &prof) {
> + unsigned int mask = (unsigned int) -1;
> +
> if (!prof.net.allow && !prof.alloc_net_table())
> yyerror(_("Memory allocation error."));
> + if (sock_type_n != -1)
> + mask = 1 << sock_type_n;
> if (deny) {
> - prof.net.deny[AF_UNIX] |= 1 << sock_type_n;
> + prof.net.deny[AF_UNIX] |= mask;
> if (!audit)
> - prof.net.quiet[AF_UNIX] |= 1 << sock_type_n;
> + prof.net.quiet[AF_UNIX] |= mask;
> } else {
> - prof.net.allow[AF_UNIX] |= 1 << sock_type_n;
> + prof.net.allow[AF_UNIX] |= mask;
> if (audit)
> - prof.net.audit[AF_UNIX] |= 1 << sock_type_n;
> + prof.net.audit[AF_UNIX] |= mask;
> }
> }
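Review bot: the all-ones default for `mask` deserves a one-line comment in this hunk, since a reader has to infer that an unspecified socket type (`sock_type_n == -1`) is meant to cover every socket type in the downgraded network rule; something like `/* no socket type given: downgrade applies to all socket types */` above `unsigned int mask = (unsigned int) -1;` would make the intent explicit. As a style point, `~0U` expresses the same all-bits-set value without the cast. The behaviour itself looks right for both branches: a typeless deny rule now marks every AF_UNIX type as denied (and quiet when not audited), and a typeless allow rule permits every type, which matches the semantics of the un-downgraded unix rule rather than the previous shift by -1.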