[apparmor] [patch 02/12] parser: Add support for unix domain socket rules.
Steve Beattie
steve at nxnw.org
Tue Aug 26 05:40:04 UTC 2014
On Mon, Aug 25, 2014 at 05:06:07PM -0700, john.johansen at canonical.com wrote:
> This patch implements parsing of fine grained mediation for unix domain
> sockets, that have abstract and anonymous paths. Sockets with file
> system paths are handled by regular file access rules.
>
> the unix network rules follow the general fine grained network
> rule pattern of
>
> [<qualifiers>] af_name [<access expr>] [<rule conds>] [<local expr>] [<peer expr>]
>
> specifically for af_unix this is
>
> [<qualifiers>] 'unix' [<access expr>] [<rule conds>] [<local expr>] [<peer expr>]
>
> <qualifiers> = [ 'audit' ] [ 'allow' | 'deny' ]
>
> <access expr> = ( <access> | <access list> )
>
> <access> = ( 'server' | 'create' | 'bind' | 'listen' | 'accept' |
> 'connect' | 'shutdown' | 'getattr' | 'setattr' |
> 'getopt' | 'setopt' |
> 'send' | 'receive' | 'r' | 'w' | 'rw' )
> (some access modes are incompatible with some rules or require additional
> parameters)
>
> <access list> = '(' <access> ( [','] <WS> <access> )* ')'
>
> <WS> = white space
>
> <rule conds> = ( <type cond> | <protocol cond> )*
> each cond can appear at most once
>
> <type cond> = 'type' '=' ( <AARE> | '(' ( '"' <AARE> '"' | <AARE> )+ ')' )
>
> <protocol cond> = 'protocol' '=' ( <AARE> | '(' ( '"' <AARE> '"' | <AARE> )+ ')' )
> ???? hrmmm not an in list so should be an alternation for multiple
>
>
> <local expr> = ( <path cond> | <attr cond> | <opt cond> )*
> each cond can appear at most once
>
> <peer expr> = 'peer' '=' ( <path cond> | <label cond> )+
> each cond can appear at most once
>
> <path cond> = 'path' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')' )
>
> <label cond> = 'label' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')' )
>
> <attr cond> = 'attr' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')' )
>
> <opt cond> = 'opt' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')' )
>
> <AARE> = ?*[]{}^ ( see man page )
>
> unix domain socket rules are accumulated so that the granted unix
> socket permissions are the union of all the listed unix rule permissions.
>
> unix domain socket rules are broad and general and become more restrictive
> as further information is specified. Policy may be specified down to
> the path and label level. The content of the communication is not
> examined.
>
> Some permissions are not compatible with all unix rules.
>
> unix socket rule permissions are implied when a rule does not explicitly
> state an access list. By default if a rule does not have an access list
> all permissions that are compatible with the specified set of local
> and peer conditionals are implied.
>
> The 'server', 'r', 'w' and 'rw' permissions are aliases for other permissions.
> server = (create, bind, listen, accept)
> r = (receive, getattr, getopt)
> w = (create, connect, send, setattr, setopt)
>
>
> In addition it supports the v7 kernel abi semantics around generic
> network rules. The v7 abi removes the unix and netlink address
> families from the generic masking and uses fine grained mediation
> for an address type when it is supplied.
>
> This means that the rules
>
> network unix,
> network netlink,
>
> are now enforced instead of ignored. The parser previously could accept
> these but the kernel would ignore anything written to them. If a network
> rule is supplied it takes precedence over the finer grained mediation
> rule. If permission is not granted via a broad network access rule
> fine grained mediation is applied.
>
> ??? should we do this as if fine grained is present use it and then
> fallback to broader rules ????
>
> probably.
In case people are curious, this is how this version of the patch
differs from the previous version (with the makefile hackage stripped
out). The changes to AA_NET_ACCEPT and AA_NET_LISTEN are possibly
notable.
diff -u 2.9-test/parser/af_rule.cc 2.9-test/parser/af_rule.cc
--- 2.9-test/parser/af_rule.cc
+++ 2.9-test/parser/af_rule.cc
@@ -40,8 +40,8 @@
{ NULL, false, false, false, local_cond }, /* eol sentinal */
};
-int af_rule::cond_check(struct supported_cond *conds, struct cond_entry *ent,
- bool peer, const char *rname)
+bool af_rule::cond_check(struct supported_cond *conds, struct cond_entry *ent,
+ bool peer, const char *rname)
{
struct supported_cond *i;
for (i = conds; i->name; i++) {
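Review bot: Changing cond_check's return type from int to bool changes the meaning of every existing `return` in its body and every comparison at its call sites, and neither is visible in this hunk; the function body continues past the hunk, and the same signature change appears in the af_rule.h hunk. If the old contract was 0 for success and -1 for failure, a leftover `return -1` now reads as true and `return 0` as false, and a caller written as `if (cond_check(...) < 0)` can never fire because a bool is never negative, so the remaining return statements and callers need to be audited against the new meaning. The new prototype also carries no comment saying which outcome true denotes; a one-line comment above the definition stating what a true result means, and whether a diagnostic is emitted on the false path, would make the new contract explicit for callers.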
diff -u 2.9-test/parser/af_rule.h 2.9-test/parser/af_rule.h
--- 2.9-test/parser/af_rule.h
+++ 2.9-test/parser/af_rule.h
@@ -61,8 +61,8 @@
free(peer_label);
};
- int cond_check(struct supported_cond *cond, struct cond_entry *ent,
- bool peer, const char *rname);
+ bool cond_check(struct supported_cond *cond, struct cond_entry *ent,
+ bool peer, const char *rname);
int move_base_cond(struct cond_entry *conds, bool peer);
virtual bool has_peer_conds(void) { return peer_label ? true : false; }
diff -u 2.9-test/parser/network.h 2.9-test/parser/network.h
--- 2.9-test/parser/network.h
+++ 2.9-test/parser/network.h
@@ -34,6 +34,7 @@
#include "parser.h"
#include "rule.h"
+
#define AA_NET_WRITE 0x0002
#define AA_NET_SEND AA_NET_WRITE
#define AA_NET_READ 0x0004
@@ -51,9 +52,9 @@
//#define AA_NET_CHGRP 0x4000 /* pair */
//#define AA_NET_LOCK 0x8000 /* LINK_SUBSET overlaid */
+#define AA_NET_ACCEPT 0x00100000
#define AA_NET_BIND 0x00200000
-#define AA_NET_ACCEPT 0x00400000
-#define AA_NET_LISTEN 0x00800000
+#define AA_NET_LISTEN 0x00400000
#define AA_NET_SETOPT 0x01000000
#define AA_NET_GETOPT 0x02000000
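Review bot: AA_NET_ACCEPT and AA_NET_LISTEN are permission bits that the compiled policy hands to the kernel, so the new values 0x00100000 and 0x00400000 are only correct if they match the v7 kernel abi, and nothing in the hunk records where they were taken from or checks it. A comment on the block such as `/* bit values are kernel ABI: keep in sync with <KERNEL_HEADER> for the abi version in use */` would at least tie the constants to their source. Note that the old AA_NET_ACCEPT value 0x00400000 now means AA_NET_LISTEN and 0x00800000 is no longer defined, so anything produced with the previous definitions would presumably be reinterpreted rather than rejected; a parser test pinning these values against the kernel header would catch future drift.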
diff -u 2.9-test/parser/profile.cc 2.9-test/parser/profile.cc
--- 2.9-test/parser/profile.cc
+++ 2.9-test/parser/profile.cc
@@ -64,9 +64,9 @@
if (net.allow)
return true;
net.allow = (unsigned int *) calloc(get_af_max(), sizeof(unsigned int));
- net.audit = (unsigned int *)calloc(get_af_max(), sizeof(unsigned int));
- net.deny = (unsigned int *)calloc(get_af_max(), sizeof(unsigned int));
- net.quiet = (unsigned int *)calloc(get_af_max(), sizeof(unsigned int));
+ net.audit = (unsigned int *) calloc(get_af_max(), sizeof(unsigned int));
+ net.deny = (unsigned int *) calloc(get_af_max(), sizeof(unsigned int));
+ net.quiet = (unsigned int *) calloc(get_af_max(), sizeof(unsigned int));
if (!net.allow || !net.audit || !net.deny || !net.quiet)
return false;
--
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/