On Mon, Aug 25, 2014 at 05:06:07PM -0700, john.johan...@canonical.com wrote:
> +unix_rule::unix_rule(unsigned int type_p, bool audit_p, bool denied):
> + af_rule("unix"), path(NULL), peer_path(NULL)
> +{
> + if (type_p != 0xffffffff) {
> + sock_type_n = type_p;
> + sock_type = strdup(net_find_type_name(type_p));
> + if (!sock_type)
> + yyerror("socket rule: invalid socket type '%d'", > type_p);
> + }
> + mode = AA_VALID_NET_PERMS;
> + audit = audit_p ? AA_VALID_NET_PERMS : 0;
> + deny = denied;
> +}
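Review bot: `sock_type = strdup(net_find_type_name(type_p));` passes the lookup result to strdup() before the `if (!sock_type)` check; if `net_find_type_name()` returns NULL for an unknown type, as the "invalid socket type" diagnostic that follows suggests, `strdup(NULL)` is undefined behaviour (a crash on common libcs) and the diagnostic is never reached, while a genuine strdup() allocation failure is misreported as an invalid type. Check the name first: `const char *name = net_find_type_name(type_p); if (!name) yyerror("socket rule: invalid socket type '%u'", type_p); sock_type = strdup(name);`. That also fixes the `'%d'` conversion, which does not match the `unsigned int type_p` argument. Whether `net_find_type_name()` can return NULL is not visible in this quote and should be confirmed against its definition.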
This unix_rule constructor sets audit and deny (so they do not to be initialized); yet
> +unix_rule::unix_rule(int mode_p, struct cond_entry *conds,
> + struct cond_entry *peer_conds):
> + af_rule("unix"), path(NULL), peer_path(NULL)
> +{
> + move_conditionals(conds);
> + move_peer_conditionals(peer_conds);
> +
> + if (mode_p) {
> + mode = mode_p;
> + if (mode & ~AA_VALID_NET_PERMS)
> + yyerror("mode contains invalid permissions for unix > socket rules\n");
> + else if ((mode & AA_NET_BIND) &&
> + ((mode & AA_PEER_NET_PERMS) || has_peer_conds()))
> + /* Do we want to loosen this? */
> + yyerror("unix socket 'bind' access cannot be used with > message rule conditionals\n");
> + else if ((mode & AA_NET_LISTEN) &&
> + ((mode & AA_PEER_NET_PERMS) || has_peer_conds()))
> + /* Do we want to loosen this? */
> + yyerror("unix socket 'listen' access cannot be used > with message rule conditionals\n");
> + else if ((mode & AA_NET_ACCEPT) &&
> + ((mode & AA_PEER_NET_PERMS) || has_peer_conds()))
> + /* Do we want to loosen this? */
> + yyerror("unix socket 'accept' access cannot be used > with message rule conditionals\n");
> + } else {
> + mode = AA_VALID_NET_PERMS;
> + }
> +
> + free_cond_list(conds);
> + free_cond_list(peer_conds);
this unix_rule constructor does not. The following patch fixes the issue.
Signed-off-by: Steve Beattie <st...@nxnw.org>
---
 parser/af_unix.cc | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
Index: b/parser/af_unix.cc
===================================================================
--- a/parser/af_unix.cc
+++ b/parser/af_unix.cc
@@ -105,7 +105,8 @@ unix_rule::unix_rule(unsigned int type_p
 unix_rule::unix_rule(int mode_p, struct cond_entry *conds,
 struct cond_entry *peer_conds):
- af_rule("unix"), addr(NULL), peer_addr(NULL)
+ af_rule("unix"), addr(NULL), peer_addr(NULL),
+ audit(0), deny(0)
 {
 move_conditionals(conds);
 move_peer_conditionals(peer_conds);
--
Steve Beattie <sbeat...@ubuntu.com>
http://NxNW.org/~steve/
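Review bot: `deny(0)` initializes what the sibling constructor treats as a `bool` (`deny = denied;` with `bool denied`), so `deny(false)` states the intent more clearly, while `audit(0)` matches the `audit = audit_p ? AA_VALID_NET_PERMS : 0;` integer usage and is fine. The hunk does not show where `audit` and `deny` are declared; if they are members of the `af_rule` base rather than of `unix_rule`, a derived-class mem-initializer cannot name them and this will not compile, and the initialization would then belong in the `af_rule` constructor, where it would also cover any other subclass constructor that forgets it. Since `deny` decides whether a parsed rule denies or allows access, an indeterminate value makes the generated policy depend on leftover memory contents, which is worth recording at the initializer: `/* audit/deny must always be initialized: an indeterminate deny flips the rule's meaning */`. The constructor body continues past the end of the hunk.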