On Mon, Aug 25, 2014 at 05:06:07PM -0700, john.johan...@canonical.com wrote:
> This patch implements parsing of fine grained mediation for unix domain
> sockets, that have abstract and anonymous paths. Sockets with file
> system paths are handled by regular file access rules.
>
> the unix network rules follow the general fine grained network
> rule pattern of
>
> [<qualifiers>] af_name [<access expr>] [<rule conds>] [<local expr>] [<peer expr>]
>
> specifically for af_unix this is
>
> [<qualifiers>] 'unix' [<access expr>] [<rule conds>] [<local expr>] [<peer expr>]
>
> <qualifiers> = [ 'audit' ] [ 'allow' | 'deny' ]
>
> <access expr> = ( <access> | <access list> )
>
> <access> = ( 'server' | 'create' | 'bind' | 'listen' | 'accept' |
>              'connect' | 'shutdown' | 'getattr' | 'setattr' |
>              'getopt' | 'setopt' |
>              'send' | 'receive' | 'r' | 'w' | 'rw' )
> (some access modes are incompatible with some rules or require additional
> parameters)
>
> <access list> = '(' <access> ( [','] <WS> <access> )* ')'
So I'm testing a bit with this patch and it seems that the patch doesn't
implement this exactly. Currently, the parser does not accept the following:

  unix send,
  unix receive,
  unix server,
  unix (server),

Implementing the latter two requires a bit of complexity that I wasn't
prepared to tackle at this moment. The following patch adds support for
the first two, as well as adding a bunch more simple acceptance tests for
the various access keywords.
Signed-off-by: Steve Beattie <st...@nxnw.org> --- parser/parser_lex.l | 2 +- parser/tst/simple_tests/unix/ok_accept_1.sd | 7 +++++++ parser/tst/simple_tests/unix/ok_accept_2.sd | 7 +++++++ parser/tst/simple_tests/unix/ok_attr_1.sd | 7 +++++++ parser/tst/simple_tests/unix/ok_attr_2.sd | 7 +++++++ parser/tst/simple_tests/unix/ok_attr_3.sd | 7 +++++++ parser/tst/simple_tests/unix/ok_attr_4.sd | 7 +++++++ parser/tst/simple_tests/unix/ok_bind_2.sd | 7 +++++++ parser/tst/simple_tests/unix/ok_bind_3.sd | 7 +++++++ parser/tst/simple_tests/unix/ok_connect_1.sd | 7 +++++++ parser/tst/simple_tests/unix/ok_connect_2.sd | 7 +++++++ parser/tst/simple_tests/unix/ok_create_1.sd | 7 +++++++ parser/tst/simple_tests/unix/ok_create_2.sd | 7 +++++++ parser/tst/simple_tests/unix/ok_listen_1.sd | 7 +++++++ parser/tst/simple_tests/unix/ok_listen_2.sd | 7 +++++++ parser/tst/simple_tests/unix/ok_msg_11.sd | 7 +++++++ parser/tst/simple_tests/unix/ok_msg_12.sd | 7 +++++++ parser/tst/simple_tests/unix/ok_msg_13.sd | 7 +++++++ parser/tst/simple_tests/unix/ok_msg_14.sd | 7 +++++++ parser/tst/simple_tests/unix/ok_msg_15.sd | 7 +++++++ parser/tst/simple_tests/unix/ok_msg_16.sd | 7 +++++++ parser/tst/simple_tests/unix/ok_msg_17.sd | 7 +++++++ parser/tst/simple_tests/unix/ok_msg_18.sd | 7 +++++++ parser/tst/simple_tests/unix/ok_msg_19.sd | 7 +++++++ parser/tst/simple_tests/unix/ok_opt_1.sd | 7 +++++++ parser/tst/simple_tests/unix/ok_opt_2.sd | 7 +++++++ parser/tst/simple_tests/unix/ok_opt_3.sd | 7 +++++++ parser/tst/simple_tests/unix/ok_opt_4.sd | 7 +++++++ parser/tst/simple_tests/unix/ok_shutdown_1.sd | 7 +++++++ parser/tst/simple_tests/unix/ok_shutdown_2.sd | 7 +++++++ 30 files changed, 204 insertions(+), 1 deletion(-) Index: b/parser/parser_lex.l =================================================================== --- a/parser/parser_lex.l +++ b/parser/parser_lex.l 
@@ -489,7 +489,7 @@ LT_EQUAL <= eavesdrop { RETURN_TOKEN(TOK_EAVESDROP); } } -<DBUS_MODE,SIGNAL_MODE>{ +<DBUS_MODE,SIGNAL_MODE,UNIX_MODE>{ send { RETURN_TOKEN(TOK_SEND); } receive { RETURN_TOKEN(TOK_RECEIVE); } } Index: b/parser/tst/simple_tests/unix/ok_msg_11.sd =================================================================== --- /dev/null +++ b/parser/tst/simple_tests/unix/ok_msg_11.sd @@ -0,0 +1,7 @@ +# +#=DESCRIPTION simple unix rule +#=EXRESULT PASS + +profile a_profile { + unix, +} Index: b/parser/tst/simple_tests/unix/ok_msg_12.sd =================================================================== --- /dev/null +++ b/parser/tst/simple_tests/unix/ok_msg_12.sd @@ -0,0 +1,7 @@ +# +#=DESCRIPTION simple unix send test +#=EXRESULT PASS + +profile a_profile { + unix send, +} Index: b/parser/tst/simple_tests/unix/ok_msg_13.sd =================================================================== --- /dev/null +++ b/parser/tst/simple_tests/unix/ok_msg_13.sd @@ -0,0 +1,7 @@ +# +#=DESCRIPTION simple unix msg test +#=EXRESULT PASS + +profile a_profile { + unix receive, +} Index: b/parser/tst/simple_tests/unix/ok_create_1.sd =================================================================== --- /dev/null +++ b/parser/tst/simple_tests/unix/ok_create_1.sd @@ -0,0 +1,7 @@ +# +#=DESCRIPTION simple unix create acceptance test +#=EXRESULT PASS + +profile a_profile { + unix create, +} Index: b/parser/tst/simple_tests/unix/ok_create_2.sd =================================================================== --- /dev/null +++ b/parser/tst/simple_tests/unix/ok_create_2.sd @@ -0,0 +1,7 @@ +# +#=DESCRIPTION simple unix create acceptance test +#=EXRESULT PASS + +profile a_profile { + unix (create), +} Index: b/parser/tst/simple_tests/unix/ok_accept_1.sd =================================================================== --- /dev/null +++ b/parser/tst/simple_tests/unix/ok_accept_1.sd 
@@ -0,0 +1,7 @@ +# +#=DESCRIPTION simple unix accept acceptance test +#=EXRESULT PASS + +profile a_profile { + unix accept, +} Index: b/parser/tst/simple_tests/unix/ok_accept_2.sd =================================================================== --- /dev/null +++ b/parser/tst/simple_tests/unix/ok_accept_2.sd @@ -0,0 +1,7 @@ +# +#=DESCRIPTION simple unix accept acceptance test +#=EXRESULT PASS + +profile a_profile { + unix (accept), +} Index: b/parser/tst/simple_tests/unix/ok_bind_2.sd =================================================================== --- /dev/null +++ b/parser/tst/simple_tests/unix/ok_bind_2.sd @@ -0,0 +1,7 @@ +# +#=DESCRIPTION simple unix bind acceptance test +#=EXRESULT PASS + +profile a_profile { + unix bind, +} Index: b/parser/tst/simple_tests/unix/ok_bind_3.sd =================================================================== --- /dev/null +++ b/parser/tst/simple_tests/unix/ok_bind_3.sd @@ -0,0 +1,7 @@ +# +#=DESCRIPTION simple unix bind acceptance test +#=EXRESULT PASS + +profile a_profile { + unix (bind), +} Index: b/parser/tst/simple_tests/unix/ok_listen_1.sd =================================================================== --- /dev/null +++ b/parser/tst/simple_tests/unix/ok_listen_1.sd @@ -0,0 +1,7 @@ +# +#=DESCRIPTION simple unix listen acceptance test +#=EXRESULT PASS + +profile a_profile { + unix listen, +} Index: b/parser/tst/simple_tests/unix/ok_listen_2.sd =================================================================== --- /dev/null +++ b/parser/tst/simple_tests/unix/ok_listen_2.sd @@ -0,0 +1,7 @@ +# +#=DESCRIPTION simple unix listen acceptance test +#=EXRESULT PASS + +profile a_profile { + unix (listen), +} Index: b/parser/tst/simple_tests/unix/ok_attr_1.sd =================================================================== --- /dev/null +++ b/parser/tst/simple_tests/unix/ok_attr_1.sd 
@@ -0,0 +1,7 @@ +# +#=DESCRIPTION simple unix getattr acceptance test +#=EXRESULT PASS + +profile a_profile { + unix getattr, +} Index: b/parser/tst/simple_tests/unix/ok_attr_2.sd =================================================================== --- /dev/null +++ b/parser/tst/simple_tests/unix/ok_attr_2.sd @@ -0,0 +1,7 @@ +# +#=DESCRIPTION simple unix getattr acceptance test +#=EXRESULT PASS + +profile a_profile { + unix (getattr), +} Index: b/parser/tst/simple_tests/unix/ok_attr_3.sd =================================================================== --- /dev/null +++ b/parser/tst/simple_tests/unix/ok_attr_3.sd @@ -0,0 +1,7 @@ +# +#=DESCRIPTION simple unix setattr acceptance test +#=EXRESULT PASS + +profile a_profile { + unix setattr, +} Index: b/parser/tst/simple_tests/unix/ok_attr_4.sd =================================================================== --- /dev/null +++ b/parser/tst/simple_tests/unix/ok_attr_4.sd @@ -0,0 +1,7 @@ +# +#=DESCRIPTION simple unix setattr acceptance test +#=EXRESULT PASS + +profile a_profile { + unix (setattr), +} Index: b/parser/tst/simple_tests/unix/ok_connect_1.sd =================================================================== --- /dev/null +++ b/parser/tst/simple_tests/unix/ok_connect_1.sd @@ -0,0 +1,7 @@ +# +#=DESCRIPTION simple unix connect acceptance test +#=EXRESULT PASS + +profile a_profile { + unix connect, +} Index: b/parser/tst/simple_tests/unix/ok_connect_2.sd =================================================================== --- /dev/null +++ b/parser/tst/simple_tests/unix/ok_connect_2.sd @@ -0,0 +1,7 @@ +# +#=DESCRIPTION simple unix connect acceptance test +#=EXRESULT PASS + +profile a_profile { + unix (connect), +} Index: b/parser/tst/simple_tests/unix/ok_opt_1.sd =================================================================== --- /dev/null +++ b/parser/tst/simple_tests/unix/ok_opt_1.sd 
@@ -0,0 +1,7 @@ +# +#=DESCRIPTION simple unix getopt acceptance test +#=EXRESULT PASS + +profile a_profile { + unix getopt, +} Index: b/parser/tst/simple_tests/unix/ok_opt_2.sd =================================================================== --- /dev/null +++ b/parser/tst/simple_tests/unix/ok_opt_2.sd @@ -0,0 +1,7 @@ +# +#=DESCRIPTION simple unix getopt acceptance test +#=EXRESULT PASS + +profile a_profile { + unix (getopt), +} Index: b/parser/tst/simple_tests/unix/ok_opt_3.sd =================================================================== --- /dev/null +++ b/parser/tst/simple_tests/unix/ok_opt_3.sd @@ -0,0 +1,7 @@ +# +#=DESCRIPTION simple unix setopt acceptance test +#=EXRESULT PASS + +profile a_profile { + unix setopt, +} Index: b/parser/tst/simple_tests/unix/ok_opt_4.sd =================================================================== --- /dev/null +++ b/parser/tst/simple_tests/unix/ok_opt_4.sd @@ -0,0 +1,7 @@ +# +#=DESCRIPTION simple unix setopt acceptance test +#=EXRESULT PASS + +profile a_profile { + unix (setopt), +} Index: b/parser/tst/simple_tests/unix/ok_msg_14.sd =================================================================== --- /dev/null +++ b/parser/tst/simple_tests/unix/ok_msg_14.sd @@ -0,0 +1,7 @@ +# +#=DESCRIPTION simple unix msg test +#=EXRESULT PASS + +profile a_profile { + unix r, +} Index: b/parser/tst/simple_tests/unix/ok_msg_15.sd =================================================================== --- /dev/null +++ b/parser/tst/simple_tests/unix/ok_msg_15.sd @@ -0,0 +1,7 @@ +# +#=DESCRIPTION simple unix msg test +#=EXRESULT PASS + +profile a_profile { + unix (r), +} Index: b/parser/tst/simple_tests/unix/ok_msg_16.sd =================================================================== --- /dev/null +++ b/parser/tst/simple_tests/unix/ok_msg_16.sd 
@@ -0,0 +1,7 @@ +# +#=DESCRIPTION simple unix msg test +#=EXRESULT PASS + +profile a_profile { + unix w, +} Index: b/parser/tst/simple_tests/unix/ok_msg_17.sd =================================================================== --- /dev/null +++ b/parser/tst/simple_tests/unix/ok_msg_17.sd @@ -0,0 +1,7 @@ +# +#=DESCRIPTION simple unix msg test +#=EXRESULT PASS + +profile a_profile { + unix (w), +} Index: b/parser/tst/simple_tests/unix/ok_msg_18.sd =================================================================== --- /dev/null +++ b/parser/tst/simple_tests/unix/ok_msg_18.sd @@ -0,0 +1,7 @@ +# +#=DESCRIPTION simple unix msg test +#=EXRESULT PASS + +profile a_profile { + unix rw, +} Index: b/parser/tst/simple_tests/unix/ok_msg_19.sd =================================================================== --- /dev/null +++ b/parser/tst/simple_tests/unix/ok_msg_19.sd @@ -0,0 +1,7 @@ +# +#=DESCRIPTION simple unix msg test +#=EXRESULT PASS + +profile a_profile { + unix (rw), +} Index: b/parser/tst/simple_tests/unix/ok_shutdown_1.sd =================================================================== --- /dev/null +++ b/parser/tst/simple_tests/unix/ok_shutdown_1.sd @@ -0,0 +1,7 @@ +# +#=DESCRIPTION simple unix shutdown acceptance test +#=EXRESULT PASS + +profile a_profile { + unix shutdown, +} Index: b/parser/tst/simple_tests/unix/ok_shutdown_2.sd =================================================================== --- /dev/null +++ b/parser/tst/simple_tests/unix/ok_shutdown_2.sd @@ -0,0 +1,7 @@ +# +#=DESCRIPTION simple unix shutdown acceptance test +#=EXRESULT PASS + +profile a_profile { + unix (shutdown), +} -- Steve Beattie <sbeat...@ubuntu.com> http://NxNW.org/~steve/
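Review bot: in the parser_lex.l hunk, adding UNIX_MODE to the `<DBUS_MODE,SIGNAL_MODE>` start-condition list makes `send` and `receive` lexable inside a unix rule, but nothing else in the patch changes, so the fix depends on the grammar's unix access production already accepting TOK_SEND and TOK_RECEIVE; that dependency should be stated in the commit message, since the only evidence for it is that ok_msg_12.sd and ok_msg_13.sd now pass. The unchanged `eavesdrop` rule just above the hunk sits in a different start-condition block, so a negative test that `unix eavesdrop,` is still rejected would pin down that only the two intended tokens became visible in UNIX_MODE.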
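Review bot: the `#=DESCRIPTION` lines in the new ok_msg_*.sd files are inconsistent with the rest of the set: ok_msg_11.sd says `simple unix rule`, ok_msg_12.sd says `simple unix send test`, and ok_msg_13.sd through ok_msg_19.sd all say `simple unix msg test` although each exercises a different keyword (receive, r, w, rw), while every other new file names the keyword under test (`simple unix create acceptance test`, `simple unix shutdown acceptance test`, ...). Naming the keyword in each description, e.g. `simple unix receive acceptance test` for ok_msg_13.sd, makes a failure in the test log identifiable without opening the file.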
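Review bot: each of the 29 new test files exercises at most one access, either bare (`unix bind,`) or as a one-element list (`unix (bind),`), so the `( [','] <WS> <access> )*` part of the quoted access-list grammar, with and without the optional comma, is never parsed, and neither the `audit` nor the `deny` qualifier appears in any of them. A few files such as `unix (send, receive),`, `unix (create bind listen),` and `audit deny unix (rw),` would cover those productions; the gap for `unix server,` / `unix (server),` that the mail describes is also recorded only in the mail, so a placeholder test or a TODO note in parser/tst/simple_tests/unix would keep that omission from getting lost.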
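To make the quoted grammar concrete, here is an added example in Python; it is not code from the AppArmor project or from either poster. It implements the qualifier and access-expression part of the `unix` rule syntax exactly as quoted from the patch description and applies the simple_tests `#=EXRESULT` contract to a test file, so the documented grammar can be compared with what a given apparmor_parser build accepts. The function names (`parse_unix_rule`, `check_test_file`), the embedded test file text and the negative case are the example's own; rule conditions, local/peer expressions and the "incompatible with some rules" constraints are not modelled and are treated as errors.

```python
"""Checker for the '[<qualifiers>] unix [<access expr>] ,' prefix of the
AppArmor unix rule grammar (added example, not AppArmor project code).

    <qualifiers>  = [ 'audit' ] [ 'allow' | 'deny' ]
    <access expr> = ( <access> | <access list> )
    <access list> = '(' <access> ( [','] <WS> <access> )* ')'

Assumption: rule conds and local/peer expressions are not modelled; any
token after the access expression other than the terminating ',' is an error.
"""
import re

# Access keywords exactly as listed in the quoted grammar.
ACCESS_KEYWORDS = frozenset([
    "server", "create", "bind", "listen", "accept", "connect", "shutdown",
    "getattr", "setattr", "getopt", "setopt", "send", "receive", "r", "w", "rw",
])

# Whitespace separates tokens; '(' ')' ',' are tokens of their own; any other
# non-word character is captured in group 2 and reported, never skipped.
_TOKEN_RE = re.compile(r"\s*(?:([A-Za-z_]+|[(),])|(\S))")


class RuleSyntaxError(ValueError):
    """The rule text does not match the documented grammar."""


def _tokenize(rule):
    toks, pos = [], 0
    while True:
        m = _TOKEN_RE.match(rule, pos)
        if m is None:                  # only trailing whitespace left
            return toks
        if m.group(2):
            raise RuleSyntaxError("unexpected character %r" % m.group(2))
        toks.append(m.group(1))
        pos = m.end()


def _access(tok):
    if tok not in ACCESS_KEYWORDS:
        raise RuleSyntaxError("unknown access keyword %r (rule conds and "
                              "local/peer exprs are not modelled)" % tok)
    return tok


def parse_unix_rule(rule):
    """Parse one rule line into {'audit', 'mode', 'access'} or raise."""
    toks = _tokenize(rule)
    i, out = 0, {"audit": False, "mode": "allow", "access": []}

    # <qualifiers>: 'audit' must precede 'allow'/'deny'; both are optional.
    if i < len(toks) and toks[i] == "audit":
        out["audit"], i = True, i + 1
    if i < len(toks) and toks[i] in ("allow", "deny"):
        out["mode"], i = toks[i], i + 1
    if i >= len(toks) or toks[i] != "unix":
        raise RuleSyntaxError("expected 'unix' after the qualifiers")
    i += 1

    if i < len(toks) and toks[i] == "(":
        # <access list>: one or more accesses, commas optional *between* them.
        i += 1
        while True:
            if i >= len(toks):
                raise RuleSyntaxError("unterminated access list")
            tok = toks[i]
            if tok == ")":
                if not out["access"]:
                    raise RuleSyntaxError("empty access list")
                i += 1
                break
            if tok == ",":
                if not out["access"] or i + 1 >= len(toks) or toks[i + 1] in (",", ")"):
                    raise RuleSyntaxError("stray ',' in access list")
                i += 1
                continue
            out["access"].append(_access(tok))
            i += 1
    elif i < len(toks) and toks[i] != ",":
        out["access"].append(_access(toks[i]))      # single bare <access>
        i += 1

    # Every AppArmor rule ends with ',' and nothing may follow it here.
    if i >= len(toks) or toks[i] != ",":
        raise RuleSyntaxError("rule must end with ','")
    if i + 1 != len(toks):
        raise RuleSyntaxError("unexpected tokens after ',': %r" % toks[i + 1:])
    return out


def check_test_file(text):
    """simple_tests contract: True when the grammar's PASS/FAIL verdict for
    the rules inside the profile equals the file's '#=EXRESULT' line."""
    expected = re.search(r"^#=EXRESULT\s+(PASS|FAIL)", text, re.M).group(1)
    body = re.search(r"\{(.*)\}", text, re.S).group(1)
    try:
        for line in body.splitlines():
            if line.strip():
                parse_unix_rule(line)
        verdict = "PASS"
    except RuleSyntaxError:
        verdict = "FAIL"
    return verdict == expected


# Same shape as parser/tst/simple_tests/unix/ok_msg_12.sd from the patch.
OK_MSG_12_SD = "#\n#=DESCRIPTION simple unix send test\n#=EXRESULT PASS\n\n" \
               "profile a_profile {\n  unix send,\n}\n"

# Constructed negative case (not in the patch): a dbus-only keyword.
BAD_KEYWORD_SD = "#\n#=DESCRIPTION constructed: unknown access keyword\n" \
                 "#=EXRESULT FAIL\n\nprofile a_profile {\n  unix eavesdrop,\n}\n"

if __name__ == "__main__":
    for rule in ("unix,", "unix send,", "unix (rw),",
                 "audit deny unix (send, receive),", "unix (server),"):
        print("%-36s -> %s" % (rule, parse_unix_rule(rule)["access"]))
    print("ok_msg_12:", check_test_file(OK_MSG_12_SD))
    print("bad keyword:", check_test_file(BAD_KEYWORD_SD))
```

By this grammar `unix server,` and `unix (server),` parse cleanly, which is exactly the divergence the mail reports for the real parser; feeding each .sd file from the patch through both `check_test_file` and `apparmor_parser` is a quick way to list the remaining differences.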
-- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor