On Mon, Aug 25, 2014 at 05:06:07PM -0700, john.johan...@canonical.com wrote:
> +unix_rule::unix_rule(unsigned int type_p, bool audit_p, bool denied):
> +     af_rule("unix"), path(NULL), peer_path(NULL)
> +{
> +     if (type_p != 0xffffffff) {
> +             sock_type_n = type_p;
> +             sock_type = strdup(net_find_type_name(type_p));
> +             if (!sock_type)
> +                     yyerror("socket rule: invalid socket type '%d'", 
> type_p);
> +     }
> +     mode = AA_VALID_NET_PERMS;
> +     audit = audit_p ? AA_VALID_NET_PERMS : 0;
> +     deny = denied;
> +}
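Review bot: The NULL check after `sock_type = strdup(net_find_type_name(type_p));` comes one call too late: if net_find_type_name() signals an unknown type by returning NULL (its definition is not visible here), strdup() dereferences that NULL before `if (!sock_type)` runs, so the test as written only catches allocation failure. Look the name up first and duplicate it afterwards: `const char *name = net_find_type_name(type_p);` / `if (!name) yyerror("socket rule: invalid socket type '%u'", type_p);` / `sock_type = strdup(name);`. The format string also prints an unsigned int with `%d`; `%u` matches the argument.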

This unix_rule constructor sets audit and deny (so they do
not need to be initialized); yet

> +unix_rule::unix_rule(int mode_p, struct cond_entry *conds,
> +                  struct cond_entry *peer_conds):
> +     af_rule("unix"), path(NULL), peer_path(NULL)
> +{
> +     move_conditionals(conds);
> +     move_peer_conditionals(peer_conds);
> +
> +     if (mode_p) {
> +             mode = mode_p;
> +             if (mode & ~AA_VALID_NET_PERMS)
> +                     yyerror("mode contains invalid permissions for unix 
> socket rules\n");
> +             else if ((mode & AA_NET_BIND) &&
> +                      ((mode & AA_PEER_NET_PERMS) || has_peer_conds()))
> +                     /* Do we want to loosen this? */
> +                     yyerror("unix socket 'bind' access cannot be used with 
> message rule conditionals\n");
> +             else if ((mode & AA_NET_LISTEN) &&
> +                      ((mode & AA_PEER_NET_PERMS) || has_peer_conds()))
> +                     /* Do we want to loosen this? */
> +                     yyerror("unix socket 'listen' access cannot be used 
> with message rule conditionals\n");
> +             else if ((mode & AA_NET_ACCEPT) &&
> +                      ((mode & AA_PEER_NET_PERMS) || has_peer_conds()))
> +                     /* Do we want to loosen this? */
> +                     yyerror("unix socket 'accept' access cannot be used 
> with message rule conditionals\n");
> +     } else {
> +             mode = AA_VALID_NET_PERMS;
> +     }
> +
> +     free_cond_list(conds);
> +     free_cond_list(peer_conds);

this unix_rule constructor does not. The following patch fixes the issue.

Signed-off-by: Steve Beattie <st...@nxnw.org>
---
 parser/af_unix.cc |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

Index: b/parser/af_unix.cc
===================================================================
--- a/parser/af_unix.cc
+++ b/parser/af_unix.cc
@@ -105,7 +105,8 @@ unix_rule::unix_rule(unsigned int type_p
 
 unix_rule::unix_rule(int mode_p, struct cond_entry *conds,
                     struct cond_entry *peer_conds):
-       af_rule("unix"), addr(NULL), peer_addr(NULL)
+       af_rule("unix"), addr(NULL), peer_addr(NULL),
+       audit(0), deny(0)
 {
        move_conditionals(conds);
        move_peer_conditionals(peer_conds);
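Review bot: The added `audit(0), deny(0)` mem-initializers leave the two unix_rule constructors inconsistent: the other one assigns both members in its body (`audit = audit_p ? AA_VALID_NET_PERMS : 0; deny = denied;`), so any further constructor has to remember the pair again, and forgetting it reintroduces an indeterminate deny flag on a rule. If these are unix_rule's own members rather than inherited ones and the build accepts C++11, in-class default initializers in the declaration (`int audit = 0; bool deny = false;`, assuming those are the declared types) would cover every constructor at once; otherwise keep the new initializers in the order the members are declared, since the header is not visible here and -Wreorder would flag a mismatch. Given that deny receives a bool in the other constructor, `deny(false)` states the intent more clearly than `deny(0)`. The constructor body continues outside the hunk.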

-- 
Steve Beattie
<sbeat...@ubuntu.com>
http://NxNW.org/~steve/

