When a parser that is aware of dbus rules is running under a kernel
that is unaware of dbus rules, the parser should ignore the dbus rules
instead of attempting to load them into the kernel. Otherwise, the
kernel will reject the entire profile, leaving the application
unconfined.

Similar to what is done for mount rules, the features listed in
apparmorfs should be checked to see if dbus is supported under the
current kernel.

https://launchpad.net/bugs/1231778

Signed-off-by: Tyler Hicks <tyhi...@canonical.com>
---
 parser/parser.h        |  1 +
 parser/parser_common.c |  1 +
 parser/parser_main.c   |  2 ++
 parser/parser_regex.c  | 16 ++++++++++------
 4 files changed, 14 insertions(+), 6 deletions(-)

diff --git a/parser/parser.h b/parser/parser.h
index dacf337..4b77ee5 100644
--- a/parser/parser.h
+++ b/parser/parser.h
@@ -224,6 +224,7 @@ extern int net_af_max_override;
 extern int kernel_load;
 extern int kernel_supports_network;
 extern int kernel_supports_mount;
+extern int kernel_supports_dbus;
 extern int conf_verbose;
 extern int conf_quiet;
 extern int names_only;
diff --git a/parser/parser_common.c b/parser/parser_common.c
index c0fa107..53a3e70 100644
--- a/parser/parser_common.c
+++ b/parser/parser_common.c
@@ -27,6 +27,7 @@ int net_af_max_override = -1;           /* use kernel to 
determine af_max */
 int kernel_load = 1;
 int kernel_supports_network = 1;        /* kernel supports network rules */
 int kernel_supports_mount = 0;         /* kernel supports mount rules */
+int kernel_supports_dbus = 0;          /* kernel supports dbus rules */
 int conf_verbose = 0;
 int conf_quiet = 0;
 int names_only = 0;
diff --git a/parser/parser_main.c b/parser/parser_main.c
index 263c7dc..d3a0234 100644
--- a/parser/parser_main.c
+++ b/parser/parser_main.c
@@ -757,6 +757,8 @@ static void get_match_string(void) {
                        kernel_supports_network = 0;
                if (strstr(flags_string, "mount"))
                        kernel_supports_mount = 1;
+               if (strstr(flags_string, "dbus"))
+                       kernel_supports_dbus = 1;
                return;
        }
 
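Review bot: The new `strstr(flags_string, "dbus")` check on the added line is a substring match, so any other feature token that happens to contain "dbus" would set `kernel_supports_dbus` on a kernel that cannot actually load dbus rules, which reproduces the whole-profile rejection this patch is meant to avoid. This mirrors the existing `mount` check, so the risk is inherited rather than new, but it is worth recording the assumption next to both checks: `/* substring match: assumes no other feature name contains "dbus" */`. If the apparmorfs features format is line- or space-delimited, a small token-aware helper used by both checks would be the more robust fix; I cannot confirm the format from this hunk. get_match_string starts before the hunk.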
diff --git a/parser/parser_regex.c b/parser/parser_regex.c
index aa52ad5..f61af37 100644
--- a/parser/parser_regex.c
+++ b/parser/parser_regex.c
@@ -1157,14 +1157,18 @@ static int post_process_mnt_ents(Profile *prof)
 static int post_process_dbus_ents(Profile *prof)
 {
        int ret = TRUE;
-       struct dbus_entry *entry;
        int count = 0;
 
-       list_for_each(prof->dbus_ents, entry) {
-               if (!process_dbus_entry(prof->policy.rules, entry))
-                       ret = FALSE;
-               count++;
-       }
+       if (prof->dbus_ents && kernel_supports_dbus) {
+               struct dbus_entry *entry;
+
+               list_for_each(prof->dbus_ents, entry) {
+                       if (!process_dbus_entry(prof->policy.rules, entry))
+                               ret = FALSE;
+                       count++;
+               }
+       } else if (prof->dbus_ents && !kernel_supports_dbus)
+               pwarn("profile %s dbus rules not enforced\n", prof->name);
 
        prof->policy.count += count;
        return ret;
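Review bot: The `else if (prof->dbus_ents && !kernel_supports_dbus)` condition is redundant: the preceding `if` already handled `prof->dbus_ents && kernel_supports_dbus`, so reaching the else branch with `prof->dbus_ents` set implies `!kernel_supports_dbus`, and the condition can be reduced to `} else if (prof->dbus_ents) {`, with braces around the `pwarn` call to match the braced `if` branch above it. Since this branch deliberately loads the profile with its dbus rules dropped, that `pwarn` is the only indication an administrator gets that the enforced policy is weaker than the profile source; a comment such as `/* dbus rules are silently skipped on this kernel; warn so the gap is visible */` would make that intent explicit, and it is worth confirming that pwarn is not suppressed in the parser's default output mode. The closing brace of post_process_dbus_ents lies outside the hunk.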
-- 
1.8.3.2

