On Mon, Aug 25, 2014 at 05:06:07PM -0700, john.johan...@canonical.com wrote:
> This patch implements parsing of fine grained mediation for unix domain
> sockets, that have abstract and anonymous paths. Sockets with file
> system paths are handled by regular file access rules.
>
> the unix network rules follow the general fine grained network
> rule pattern of
>
> [<qualifiers>] af_name [<access expr>] [<rule conds>] [<local expr>] [<peer
> expr>]
>
> specifically for af_unix this is
>
> [<qualifiers>] 'unix' [<access expr>] [<rule conds>] [<local expr>] [<peer
> expr>]
>
> <qualifiers> = [ 'audit' ] [ 'allow' | 'deny' ]
>
> <access expr> = ( <access> | <access list> )
>
> <access> = ( 'server' | 'create' | 'bind' | 'listen' | 'accept' |
> 'connect' | 'shutdown' | 'getattr' | 'setattr' |
> 'getopt' | 'setopt' |
> 'send' | 'receive' | 'r' | 'w' | 'rw' )
> (some access modes are incompatible with some rules or require additional
> parameters)
>
> <access list> = '(' <access> ( [','] <WS> <access> )* ')'
>
> <WS> = white space
>
> <rule conds> = ( <type cond> | <protocol cond> )*
> each cond can appear at most once
>
> <type cond> = 'type' '=' ( <AARE> | '(' ( '"' <AARE> '"' | <AARE> )+ ')' )
>
> <protocol cond> = 'protocol' '=' ( <AARE> | '(' ( '"' <AARE> '"' | <AARE>
> )+ ')' )
> ???? hrmmm not an in list so should be an alternation for multiple
>
>
> <local expr> = ( <path cond> | <attr cond> | <opt cond> )*
> each cond can appear at most once
>
> <peer expr> = 'peer' '=' ( <path cond> | <label cond> )+
> each cond can appear at most once
>
> <path cond> = 'path' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')' )
>
> <label cond> = 'label' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')' )
>
> <attr cond> = 'attr' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')' )
>
> <opt cond> = 'opt' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')' )
>
> <AARE> = ?*[]{}^ ( see man page )
>
> unix domain socket rules are accumulated so that the granted unix
> socket permissions are the union of all the listed unix rule permissions.
>
> unix domain socket rules are broad and general and become more restrictive
> as further information is specified. Policy may be specified down to
> the path and label level. The content of the communication is not
> examined.
>
> Some permissions are not compatible with all unix rules.
>
> unix socket rule permissions are implied when a rule does not explicitly
> state an access list. By default if a rule does not have an access list
> all permissions that are compatible with the specified set of local
> and peer conditionals are implied.
>
> The 'server', 'r', 'w' and 'rw' permissions are aliases for other
> permissions.
> server = (create, bind, listen, accept)
> r = (receive, getattr, getopt)
> w = (create, connect, send, setattr, setopt)
>
>
> In addition it supports the v7 kernel abi semantics around generic
> network rules. The v7 abi removes the masking unix and netlink
> address families from the generic masking and uses fine grained
> mediation for an address type if supplied.
>
> This means that the rules
>
> network unix,
> network netlink,
>
> are now enforced instead of ignored. The parser previously could accept
> these but the kernel would ignore anything written to them. If a network
> rule is supplied it takes precedence over the finer grained mediation
> rule. If permission is not granted via a broad network access rule
> fine grained mediation is applied.
>
> ??? should we do this as if fine grained is present use it and then
> fallback to broader rules ????
>
> probably.
In case people are curious, this is how this version of the patch
differs from the previous version (with the makefile hackage stripped
out). The changes to AA_NET_ACCEPT and AA_NET_LISTEN are possibly
notable.
diff -u 2.9-test/parser/af_rule.cc 2.9-test/parser/af_rule.cc
--- 2.9-test/parser/af_rule.cc
+++ 2.9-test/parser/af_rule.cc
@@ -40,8 +40,8 @@
{ NULL, false, false, false, local_cond }, /* eol sentinal */
};
-int af_rule::cond_check(struct supported_cond *conds, struct cond_entry *ent,
- bool peer, const char *rname)
+bool af_rule::cond_check(struct supported_cond *conds, struct cond_entry *ent,
+ bool peer, const char *rname)
{
struct supported_cond *i;
for (i = conds; i->name; i++) {
diff -u 2.9-test/parser/af_rule.h 2.9-test/parser/af_rule.h
--- 2.9-test/parser/af_rule.h
+++ 2.9-test/parser/af_rule.h
@@ -61,8 +61,8 @@
free(peer_label);
};
- int cond_check(struct supported_cond *cond, struct cond_entry *ent,
- bool peer, const char *rname);
+ bool cond_check(struct supported_cond *cond, struct cond_entry *ent,
+ bool peer, const char *rname);
int move_base_cond(struct cond_entry *conds, bool peer);
virtual bool has_peer_conds(void) { return peer_label ? true : false; }
diff -u 2.9-test/parser/network.h 2.9-test/parser/network.h
--- 2.9-test/parser/network.h
+++ 2.9-test/parser/network.h
@@ -34,6 +34,7 @@
#include "parser.h"
#include "rule.h"
+
#define AA_NET_WRITE 0x0002
#define AA_NET_SEND AA_NET_WRITE
#define AA_NET_READ 0x0004
@@ -51,9 +52,9 @@
//#define AA_NET_CHGRP 0x4000 /* pair */
//#define AA_NET_LOCK 0x8000 /* LINK_SUBSET overlaid */
+#define AA_NET_ACCEPT 0x00100000
#define AA_NET_BIND 0x00200000
-#define AA_NET_ACCEPT 0x00400000
-#define AA_NET_LISTEN 0x00800000
+#define AA_NET_LISTEN 0x00400000
#define AA_NET_SETOPT 0x01000000
#define AA_NET_GETOPT 0x02000000
diff -u 2.9-test/parser/profile.cc 2.9-test/parser/profile.cc
--- 2.9-test/parser/profile.cc
+++ 2.9-test/parser/profile.cc
@@ -64,9 +64,9 @@
if (net.allow)
return true;
net.allow = (unsigned int *) calloc(get_af_max(), sizeof(unsigned int));
- net.audit = (unsigned int *)calloc(get_af_max(), sizeof(unsigned int));
- net.deny = (unsigned int *)calloc(get_af_max(), sizeof(unsigned int));
- net.quiet = (unsigned int *)calloc(get_af_max(), sizeof(unsigned int));
+ net.audit = (unsigned int *) calloc(get_af_max(), sizeof(unsigned int));
+ net.deny = (unsigned int *) calloc(get_af_max(), sizeof(unsigned int));
+ net.quiet = (unsigned int *) calloc(get_af_max(), sizeof(unsigned int));
if (!net.allow || !net.audit || !net.deny || !net.quiet)
return false;
--
Steve Beattie
<sbeat...@ubuntu.com>
http://NxNW.org/~steve/
signature.asc
Description: Digital signature
-- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
