This patch updates the parser code to reject rules that contain local
socket permissions and peer conditional elements. The error message for
that condition is also corrected to resolve a copy and paste mistake
from the D-Bus rule parsing code.

The patch also updates the man page to correctly describe the two sets
of socket permissions and fixes an example rule that resulted in a
parser error after the change described above.

Signed-off-by: Tyler Hicks <tyhi...@canonical.com>
---

* Changes from v1
  - Rewrote the blurb in apparmor.d.pod
    + Define the 3 sets of permissions (local, peer, and combination) to start
      so that they can be referred to by the set name instead of repeatedly
      listing the permissions
    + Attempt to make two paragraphs more concise

 parser/af_unix.cc     |  8 ++------
 parser/apparmor.d.pod | 17 ++++++++---------
 2 files changed, 10 insertions(+), 15 deletions(-)

diff --git a/parser/af_unix.cc b/parser/af_unix.cc
index 5fac6c7..55549c7 100644
--- a/parser/af_unix.cc
+++ b/parser/af_unix.cc
@@ -115,12 +115,8 @@ unix_rule::unix_rule(int mode_p, struct cond_entry *conds,
                mode = mode_p;
                if (mode & ~AA_VALID_NET_PERMS)
                        yyerror("mode contains invalid permissions for unix 
socket rules\n");
-               else if ((mode & AA_NET_BIND) && has_peer_conds())
-                       /* Do we want to loosen this? */
-                       yyerror("unix socket 'bind' access cannot be used with 
message rule conditionals\n");
-               else if ((mode & AA_NET_LISTEN) && has_peer_conds())
-                       /* Do we want to loosen this? */
-                       yyerror("unix socket 'listen' access cannot be used 
with message rule conditionals\n");
+               else if ((mode & ~AA_PEER_NET_PERMS) && has_peer_conds())
+                       yyerror("unix socket 'create', 'shutdown', 'setattr', 
'getattr', 'bind', 'listen', 'setopt', and/or 'getopt' accesses cannot be used 
with peer socket conditionals\n");
        } else {
                mode = AA_VALID_NET_PERMS;
        }
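Review bot: the new check `(mode & ~AA_PEER_NET_PERMS) && has_peer_conds()` rejects every non-peer permission, but the accompanying error message hardcodes an eight-item list ('create', 'shutdown', 'setattr', 'getattr', 'bind', 'listen', 'setopt', 'getopt') that must be kept in sync with the mask by hand. In particular, the apparmor.d.pod hunk below describes accept as applying to "the combination of a local and peer socket" rather than as a peer permission; if accept is likewise outside AA_PEER_NET_PERMS, a rule such as `unix (accept) peer=(label=foo)` would now be rejected with a message that never mentions accept. Please confirm the mask contents match the message, or derive the message from the mask. The two removed "/* Do we want to loosen this? */" comments also recorded an open question; if it has been decided, a one-line comment stating the rationale for the blanket rejection would be worth keeping.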
diff --git a/parser/apparmor.d.pod b/parser/apparmor.d.pod
index 9cf136d..d960f68 100644
--- a/parser/apparmor.d.pod
+++ b/parser/apparmor.d.pod
@@ -935,15 +935,14 @@ state an access list. By default if a rule does not have 
an access list
 all permissions that are compatible with the specified set of local
 and peer conditionals are implied.
 
-The create, bind, listen, shutdown, getattr, setattr permissions are
-applied to the local socket. The accept, connect, send, receive permissions
-apply to the combination of a local and peer. Currently it is required that
-create, bind, listen, shutdown, getattr, and settr permission are only
-specified in rules that do not have a peer component.
+The create, bind, listen, shutdown, getattr, setattr, getopt, and setopt
+permissions are local socket permissions. They are only applied to the local
+socket and can't be specified in rules that have a peer component. The accept
+permission applies to the combination of a local and peer socket. The connect,
+send, and receive permissions are peer socket permissions.
 
-If a rule is specified with a peer component it will only imply accept
-(stream), connect (stream), listen, receive and send. It will not imply the
-create, bind, listen, shutdown, getattr, or setattr permissions.
+Only the peer socket permissions will be applied to rules that don't specify
+permissions and contain a peer component.
 
 =head3 Example Unix domain socket rules:
 
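Review bot: the rewritten paragraph leaves the accept permission's classification ambiguous. It is described as applying to "the combination of a local and peer socket" while the three named sets are local permissions (create, bind, listen, shutdown, getattr, setattr, getopt, setopt) and peer permissions (connect, send, receive), and the following paragraph says only "the peer socket permissions" are implied for rules with a peer component. The removed text explicitly listed accept (stream) among the implied permissions; the new text does not say whether a rule like `unix peer=(label=foo),` with no access list still implies accept, nor whether accept may be combined with a peer component at all. Suggest stating both points explicitly, e.g. "The accept permission ... may be specified with a peer component and is implied by rules that have one." Also note the removed paragraph listed "listen" as implied for peer rules, which contradicted the preceding sentence; the new text fixes that, which is good.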
@@ -963,7 +962,7 @@ create, bind, listen, shutdown, getattr, or setattr 
permissions.
   unix (receive) peer=(label=unconfined),
 
   # Allow getattr and shutdown on anonymous sockets
-  unix (getattr, shutdown) peer=(addr=none),
+  unix (getattr, shutdown) addr=none,
 
   # Allow SOCK_STREAM connect, receive and send on an abstract socket @bar
   # with peer running under profile '/foo'
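Review bot: the corrected example changes `peer=(addr=none)` to the local `addr=none`, which is what the new parser check requires for getattr and shutdown, but the preceding comment "Allow getattr and shutdown on anonymous sockets" does not explain the distinction. Since this exact construction now produces a parser error, a brief comment noting that local permissions take local conditionals (addr=) rather than peer=(...) would help readers who copied the old example.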
-- 
2.1.0
