This patch updates the parser code to reject rules that contain local socket permissions and peer conditional elements. The error message for that condition is also corrected to resolve a copy-and-paste mistake from the D-Bus rule parsing code.
The patch also updates the man page to correctly describe the two sets of socket permissions and fixes an example rule that resulted in a parser error after the change described above. Signed-off-by: Tyler Hicks <tyhi...@canonical.com> --- * Changes from v1 - Rewrote the blurb in apparmor.d.pod + Define the 3 sets of permissions (local, peer, and combination) to start so that they can be referred to by the set name instead of repeatedly listing the permissions + Attempt to make two paragraphs more concise parser/af_unix.cc | 8 ++------ parser/apparmor.d.pod | 17 ++++++++--------- 2 files changed, 10 insertions(+), 15 deletions(-) diff --git a/parser/af_unix.cc b/parser/af_unix.cc index 5fac6c7..55549c7 100644 --- a/parser/af_unix.cc +++ b/parser/af_unix.cc @@ -115,12 +115,8 @@ unix_rule::unix_rule(int mode_p, struct cond_entry *conds, mode = mode_p; if (mode & ~AA_VALID_NET_PERMS) yyerror("mode contains invalid permissions for unix socket rules\n"); - else if ((mode & AA_NET_BIND) && has_peer_conds()) - /* Do we want to loosen this? */ - yyerror("unix socket 'bind' access cannot be used with message rule conditionals\n"); - else if ((mode & AA_NET_LISTEN) && has_peer_conds()) - /* Do we want to loosen this? */ - yyerror("unix socket 'listen' access cannot be used with message rule conditionals\n"); + else if ((mode & ~AA_PEER_NET_PERMS) && has_peer_conds()) + yyerror("unix socket 'create', 'shutdown', 'setattr', 'getattr', 'bind', 'listen', 'setopt', and/or 'getopt' accesses cannot be used with peer socket conditionals\n"); } else { mode = AA_VALID_NET_PERMS; } diff --git a/parser/apparmor.d.pod b/parser/apparmor.d.pod index 9cf136d..d960f68 100644 --- a/parser/apparmor.d.pod +++ b/parser/apparmor.d.pod 
@@ -935,15 +935,14 @@ state an access list. By default if a rule does not have an access list all permissions that are compatible with the specified set of local and peer conditionals are implied. -The create, bind, listen, shutdown, getattr, setattr permissions are -applied to the local socket. The accept, connect, send, receive permissions -apply to the combination of a local and peer. Currently it is required that -create, bind, listen, shutdown, getattr, and settr permission are only -specified in rules that do not have a peer component. +The create, bind, listen, shutdown, getattr, setattr, getopt, and setopt +permissions are local socket permissions. They are only applied to the local +socket and can't be specified in rules that have a peer component. The accept +permission applies to the combination of a local and peer socket. The connect, +send, and receive permissions are peer socket permissions. -If a rule is specified with a peer component it will only imply accept -(stream), connect (stream), listen, receive and send. It will not imply the -create, bind, listen, shutdown, getattr, or setattr permissions. +Only the peer socket permissions will be applied to rules that don't specify +permissions and contain a peer component. =head3 Example Unix domain socket rules: @@ -963,7 +962,7 @@ create, bind, listen, shutdown, getattr, or setattr permissions. unix (receive) peer=(label=unconfined), # Allow getattr and shutdown on anonymous sockets - unix (getattr, shutdown) peer=(addr=none), + unix (getattr, shutdown) addr=none, # Allow SOCK_STREAM connect, receive and send on an abstract socket @bar # with peer running under profile '/foo' -- 2.1.0 -- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
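Review bot: in the parser/af_unix.cc hunk, the new yyerror message hardcodes the list of local permissions ('create', 'shutdown', 'setattr', 'getattr', 'bind', 'listen', 'setopt', and/or 'getopt') while the check itself is expressed as `(mode & ~AA_PEER_NET_PERMS) && has_peer_conds()`, so the message will silently go stale if AA_PEER_NET_PERMS is ever widened or narrowed; either build the list from the offending bits of `mode & ~AA_PEER_NET_PERMS`, or leave a comment beside the define that ties the two together. The two `/* Do we want to loosen this? */` comments also disappear with the old bind/listen branches; if that question is still open for the broader check, keep it on the new branch rather than dropping it.

Review bot: the replacement paragraph in the apparmor.d.pod hunk at line 935 leaves the status of accept unclear. It classes accept as applying to "the combination of a local and peer socket" and then says "Only the peer socket permissions" (connect, send, receive) are applied to a rule with a peer component and no access list, whereas the removed text explicitly listed accept (stream) among the implied permissions. If accept is still implied, say so ("the peer socket permissions and accept"); if it is not, that is a behaviour change that belongs in the commit message. Also, "can't be specified in rules that have a peer component" would be more useful if it stated the consequence the reader will hit, i.e. that such a rule is rejected by the parser at load time rather than silently narrowed.

Review bot: the example fix at line 965 (`unix (getattr, shutdown) addr=none,`) matches the new parser check, but since that check now rejects every local permission combined with peer=, not just bind and listen, the remaining examples in this section (outside the visible hunk) should be checked for the same pattern, e.g. any rule pairing create, setattr, setopt or getopt with a peer=(...) conditional; otherwise the man page will ship examples that fail the very yyerror this patch introduces.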