[apparmor] [patch] parser: initialize perms in unix_rule constructor
Seth Arnold
seth.arnold at canonical.com
Tue Aug 26 21:22:47 UTC 2014
On Tue, Aug 26, 2014 at 01:17:56PM -0700, Steve Beattie wrote:
> On Mon, Aug 25, 2014 at 05:06:07PM -0700, john.johansen at canonical.com wrote:
> > +unix_rule::unix_rule(unsigned int type_p, bool audit_p, bool denied):
> > + af_rule("unix"), path(NULL), peer_path(NULL)
> > +{
> > + if (type_p != 0xffffffff) {
> > + sock_type_n = type_p;
> > + sock_type = strdup(net_find_type_name(type_p));
> > + if (!sock_type)
> > + yyerror("socket rule: invalid socket type '%d'", type_p);
> > + }
> > + mode = AA_VALID_NET_PERMS;
> > + audit = audit_p ? AA_VALID_NET_PERMS : 0;
> > + deny = denied;
> > +}
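Review bot: in this constructor strdup() is applied to the result of net_find_type_name(type_p) before anything checks that result; if the lookup returns NULL for an unknown type, strdup(NULL) is undefined behaviour and the following `if (!sock_type)` test reports the wrong thing (or is never reached). Check the lookup first, e.g. `const char *name = net_find_type_name(type_p); if (!name) yyerror("socket rule: invalid socket type '%d'", type_p); sock_type = strdup(name);`, and treat a NULL from strdup() itself as an allocation failure rather than an invalid type.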
>
> This unix_rule constructor sets audit and deny (so they do
> not need to be initialized); yet
>
> > +unix_rule::unix_rule(int mode_p, struct cond_entry *conds,
> > + struct cond_entry *peer_conds):
> > + af_rule("unix"), path(NULL), peer_path(NULL)
> > +{
> > + move_conditionals(conds);
> > + move_peer_conditionals(peer_conds);
> > +
> > + if (mode_p) {
> > + mode = mode_p;
> > + if (mode & ~AA_VALID_NET_PERMS)
> > + yyerror("mode contains invalid permissions for unix socket rules\n");
> > + else if ((mode & AA_NET_BIND) &&
> > + ((mode & AA_PEER_NET_PERMS) || has_peer_conds()))
> > + /* Do we want to loosen this? */
> > + yyerror("unix socket 'bind' access cannot be used with message rule conditionals\n");
> > + else if ((mode & AA_NET_LISTEN) &&
> > + ((mode & AA_PEER_NET_PERMS) || has_peer_conds()))
> > + /* Do we want to loosen this? */
> > + yyerror("unix socket 'listen' access cannot be used with message rule conditionals\n");
> > + else if ((mode & AA_NET_ACCEPT) &&
> > + ((mode & AA_PEER_NET_PERMS) || has_peer_conds()))
> > + /* Do we want to loosen this? */
> > + yyerror("unix socket 'accept' access cannot be used with message rule conditionals\n");
> > + } else {
> > + mode = AA_VALID_NET_PERMS;
> > + }
> > +
> > + free_cond_list(conds);
> > + free_cond_list(peer_conds);
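Review bot: the bind/listen/accept branches repeat the same `(mode & AA_PEER_NET_PERMS) || has_peer_conds()` test three times with only the access name differing; one check against a mask of the three bits, with the name looked up for the message, would be shorter and harder to let drift apart. Separately, the checks only run when mode_p is non-zero: the else branch sets `mode = AA_VALID_NET_PERMS` without consulting has_peer_conds(), so if AA_VALID_NET_PERMS includes the bind/listen/accept bits, a rule that gives no explicit mode but carries peer conditionals is accepted where the explicit spelling of the same thing is rejected. Worth confirming that asymmetry is intended, or applying the same check in the else branch.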
>
> this unix_rule constructor does not. The following patch fixes the issue.
>
> Signed-off-by: Steve Beattie <steve at nxnw.org>
Acked-by: Seth Arnold <seth.arnold at canonical.com>
Thanks
> ---
> parser/af_unix.cc | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> Index: b/parser/af_unix.cc
> ===================================================================
> --- a/parser/af_unix.cc
> +++ b/parser/af_unix.cc
> @@ -105,7 +105,8 @@ unix_rule::unix_rule(unsigned int type_p
>
> unix_rule::unix_rule(int mode_p, struct cond_entry *conds,
> struct cond_entry *peer_conds):
> - af_rule("unix"), addr(NULL), peer_addr(NULL)
> + af_rule("unix"), addr(NULL), peer_addr(NULL),
> + audit(0), deny(0)
> {
> move_conditionals(conds);
> move_peer_conditionals(peer_conds);
>
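Review bot: the fix is correct for this constructor, but initializing audit and deny here alone leaves the same gap for any unix_rule constructor added later; since the other constructor also assigns both, a single default in the af_rule base constructor (or an in-class initializer) would guarantee no rule is ever compiled with indeterminate audit or deny flags, where the rule's allow/deny outcome would depend on whatever the allocator left behind. Two smaller points: the initializer list should follow the members' declaration order in the class or -Wreorder will warn, and the context lines here read addr/peer_addr while the constructor quoted above names them path/peer_path, so the patch is against a later tree than the one quoted; confirm it applies cleanly to the branch it is meant for.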
> --
> Steve Beattie
> <sbeattie at ubuntu.com>
> http://NxNW.org/~steve/