On 02/17/2016 08:51 PM, Tyler Hicks wrote: > https://launchpad.net/bugs/1546455 > > Don't filter out AF_UNSPEC from the list of valid protocol families so > that the parser will accept rules such as 'network unspec,'. > > There are certain syscalls, such as socket(2), where the LSM hooks are > called before the protocol family is validated. In these cases, AppArmor > was emitting denials even though socket(2) will eventually fail. There > may be cases where AF_UNSPEC sockets are accepted and we need to make > sure that we're mediating those appropriately. > > Signed-off-by: Tyler Hicks <tyhi...@canonical.com> > Suggested-by: Steve Beattie <st...@nxnw.org>
Acked-by: John Johansen <john.johan...@canonical.com> > --- > common/Make.rules | 2 +- > parser/tst/simple_tests/network/network_ok_2.sd | 1 + > parser/tst/simple_tests/network/network_ok_7.sd | 9 +++++++++ > tests/regression/apparmor/tcp.sh | 4 ++++ > 4 files changed, 15 insertions(+), 1 deletion(-) > create mode 100644 parser/tst/simple_tests/network/network_ok_7.sd > > diff --git a/common/Make.rules b/common/Make.rules > index 34ecb62..7d1afa2 100644 > --- a/common/Make.rules > +++ b/common/Make.rules > @@ -98,7 +98,7 @@ list_capabilities: /usr/include/linux/capability.h > # to mediate. We use PF_ here since that is what is required in > # bits/socket.h, but we will rewrite these as AF_. > > -FILTER_FAMILIES=PF_UNSPEC PF_UNIX > +FILTER_FAMILIES=PF_UNIX > > __FILTER=$(shell echo $(strip $(FILTER_FAMILIES)) | sed -e 's/ /\\\|/g') > > diff --git a/parser/tst/simple_tests/network/network_ok_2.sd > b/parser/tst/simple_tests/network/network_ok_2.sd > index bb16a23..2ad66af 100644 > --- a/parser/tst/simple_tests/network/network_ok_2.sd > +++ b/parser/tst/simple_tests/network/network_ok_2.sd > @@ -3,6 +3,7 @@ > #=EXRESULT PASS > # > /usr/bin/foo { > + network unspec, > network inet, > network ax25, > network ipx, > diff --git a/parser/tst/simple_tests/network/network_ok_7.sd > b/parser/tst/simple_tests/network/network_ok_7.sd > new file mode 100644 > index 0000000..2a8ccf8 > --- /dev/null > +++ b/parser/tst/simple_tests/network/network_ok_7.sd > @@ -0,0 +1,9 @@ > +# > +#=DESCRIPTION basic unspec network tests > +#=EXRESULT PASS > +# > +/usr/bin/foo { > + network unspec stream, > + network unspec dgram, > + network unspec raw, > +} > diff --git a/tests/regression/apparmor/tcp.sh > b/tests/regression/apparmor/tcp.sh > index 076ca00..703f1c5 100755 > --- a/tests/regression/apparmor/tcp.sh > +++ b/tests/regression/apparmor/tcp.sh 
> @@ -52,6 +52,10 @@ runchecktest "TCP (accept, connect) low numbered port/bind > cap" pass 23 > genprofile network:inet > runchecktest "TCP (accept, connect) low numbered port/no bind cap" fail 23 > > +# FAIL TEST - make sure that unspec doesn't match > +genprofile network:unspec > +runchecktest "TCP (accept, connect) wrong socket family" fail 23 > + > exit 0 > > # PASS TEST - accept via interface > -- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
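Review bot: in the common/Make.rules hunk, dropping PF_UNSPEC from FILTER_FAMILIES means AF_UNSPEC, whose numeric value is 0, now lands in the generated family table; it is worth confirming that nothing consuming that table, or the parser's network rule handling, treats a zero family number as an unset or invalid sentinel, since that would quietly turn `network unspec,` into a no-op rather than a mediated rule. The comment above the variable (the "... to mediate" text in the hunk context) should also be re-read so its explanation of why families are filtered still holds now that only PF_UNIX is excluded.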
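Review bot: the new parser/tst/simple_tests/network/network_ok_7.sd only exercises the positive path (stream, dgram and raw under unspec, all EXRESULT PASS), and network_ok_2.sd adds just the bare `network unspec,` form; a companion EXRESULT FAIL test with a family name that is not in the generated table would make it clear that relaxing FILTER_FAMILIES accepts unspec specifically, not arbitrary unknown families.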
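Review bot: the FAIL TEST added to tests/regression/apparmor/tcp.sh checks the right thing, that `network:unspec` does not grant AF_INET, and it is placed before `exit 0` so it actually runs (the `# PASS TEST - accept via interface` block in the trailing context sits after `exit 0` and is already unreachable, which this hunk leaves untouched). A one-line comment explaining why only this direction is tested, namely that an AF_UNSPEC socket(2) call under `network inet` cannot be exercised here because, as the commit message says, socket(2) rejects AF_UNSPEC regardless of the profile, would save the next reader from looking for the missing mirror case.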