[apparmor] [patch 16/12] v3 unix socket rules
John Johansen
john.johansen at canonical.com
Wed Sep 3 19:44:53 UTC 2014
On 09/02/2014 04:18 PM, Seth Arnold wrote:
> On Sun, Aug 31, 2014 at 10:20:29AM -0700, John Johansen wrote:
>> Fix: rejecting of unix rules with listen or bind permissions
>>
>> Only reject rules with explicit listen or bind permissions if a peer
>> conditional is specified.
>
> With this change, do we want to put AA_NET_ACCEPT back in this check?
>
No, NET_ACCEPT shows up in both local and peer perms, and we don't
want to limit it to cases where only peer_conds are specified.
i.e. we want
unix accept, #accept everything
unix accept peer=(addr=@foo), #accept connections from @foo
unix accept addr=@blah, #accept any peer on @blah
unix accept addr=@blah peer=(addr=@foo),
...
>>
>> Signed-off-by: John Johansen <john.johansen at canonical.com>
>
> Acked-by: Seth Arnold <seth.arnold at canonical.com>
>
> Thanks
>
>>
>> ---
>>
>> === modified file 'parser/af_unix.cc'
>> --- parser/af_unix.cc 2014-08-31 02:13:35 +0000
>> +++ parser/af_unix.cc 2014-08-31 17:15:54 +0000
>> @@ -115,12 +115,10 @@
>> mode = mode_p;
>> if (mode & ~AA_VALID_NET_PERMS)
>> yyerror("mode contains invalid permissions for unix socket rules\n");
>> - else if ((mode & AA_NET_BIND) &&
>> - ((mode & AA_PEER_NET_PERMS) || has_peer_conds()))
>> + else if ((mode & AA_NET_BIND) && has_peer_conds())
>> /* Do we want to loosen this? */
>> yyerror("unix socket 'bind' access cannot be used with message rule conditionals\n");
>> - else if ((mode & AA_NET_LISTEN) &&
>> - ((mode & AA_PEER_NET_PERMS) || has_peer_conds()))
>> + else if ((mode & AA_NET_LISTEN) && has_peer_conds())
>> /* Do we want to loosen this? */
>> yyerror("unix socket 'listen' access cannot be used with message rule conditionals\n");
>> } else {
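Review bot: the two `/* Do we want to loosen this? */` comments are now stale, because this hunk is the loosening (the `(mode & AA_PEER_NET_PERMS)` test is dropped and only `has_peer_conds()` remains), so either drop them or reword them to state why bind/listen combined with a peer conditional is still rejected. The messages "unix socket 'bind' access cannot be used with message rule conditionals" and the matching 'listen' one also read broader than the check now is, which fires only on peer conditionals; "cannot be used with peer conditionals" would match the code. Finally, the two branches now differ only in the permission bit and one word of the message, so a single `else if ((mode & (AA_NET_BIND | AA_NET_LISTEN)) && has_peer_conds())` with one error string would avoid the duplication.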
>>
>>
>>
>> --
>> AppArmor mailing list
>> AppArmor at lists.ubuntu.com
>> Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor