Hello,

On Wednesday, 17 February 2016, 22:51:01 CET, Tyler Hicks wrote:
> https://launchpad.net/bugs/1546455
> 
> Don't filter out AF_UNSPEC from the list of valid protocol families so
> that the parser will accept rules such as 'network unspec,'.
> 
> There are certain syscalls, such as socket(2), where the LSM hooks are
> called before the protocol family is validated. In these cases,
> AppArmor was emitting denials even though socket(2) will eventually
> fail. There may be cases where AF_UNSPEC sockets are accepted and we
> need to make sure that we're mediating those appropriately.

Whenever you change something in the parser simple_tests or the libapparmor 
test_multi testsuite, please also run the utils testsuite, which also 
runs against those testcases.

Long story short: Your addition of the 'unspec' keyword breaks the 
utils testsuite.

To un-break it, we need...


[patch] Add 'unspec' to NetworkRule keyword list

I propose this patch for trunk and 2.10 (assuming the parser patch for
AF_UNSPEC gets applied to both)


[ 71-network-unspec.diff ]

--- utils/apparmor/rule/network.py      2016-02-12 22:11:21.078578660 +0100
+++ utils/apparmor/rule/network.py      2016-02-18 18:09:26.482597013 +0100
@@ -27,7 +27,7 @@
 network_domain_keywords   = [ 'unix', 'inet', 'ax25', 'ipx', 'appletalk', 
'netrom', 'bridge', 'atmpvc', 'x25', 'inet6',
                               'rose', 'netbeui', 'security', 'key', 'netlink', 
'packet', 'ash', 'econet', 'atmsvc', 'rds', 'sna',
                               'irda', 'pppox', 'wanpipe', 'llc', 'can', 
'tipc', 'bluetooth', 'iucv', 'rxrpc', 'isdn', 'phonet',
-                              'ieee802154', 'caif', 'alg', 'nfc', 'vsock', 
'mpls', 'ib' ]
+                              'ieee802154', 'caif', 'alg', 'nfc', 'vsock', 
'mpls', 'ib', 'unspec' ]
 
 network_type_keywords     = ['stream', 'dgram', 'seqpacket', 'rdm', 'raw', 
'packet']
 network_protocol_keywords = ['tcp', 'udp', 'icmp']
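Review bot: no utils-side test accompanies the new keyword; the only thing that exercises 'unspec' in this hunk is whatever 'network unspec,' case the parser simple_tests gain from the companion parser patch, so a NetworkRule test that parses 'network unspec,' and a combined form such as 'network unspec dgram,' would make the utils testsuite self-checking even if that parser test is later reshuffled. If the list is meant to track kernel AF_* numbering (it begins unix, inet, ax25, ipx, matching AF_UNIX through AF_IPX), AF_UNSPEC is family 0 and would belong at the front rather than appended after 'ib'; if the order is irrelevant to the regex built from it, appending is fine and a one-line comment saying so would stop the next reader from wondering.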


Feel free to commit this together with your parser patch ;-)


Regards,

Christian Boltz
-- 
> Everyone ends up with Mutt or Gnus sooner or later anyway,
> so you might as well take the shortcut and start with them right away. ;)
No, that statement is simply wrong. Because in a small
village in the northwest of Gaul...
[> Andreas Kneib and Thomas Hertweck in suse-linux]


-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor
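To show why a keyword the C parser accepts but the utils keyword list lacks breaks the utils testsuite, here is an added example (not AppArmor's own code and not part of this thread) that models the utils-side check in Python. It keeps the keyword lists from the hunk above and adds a small parser for the 'network [domain] [type|protocol],' rule shape; the regex, the function names, the RuleError class, the assumption that the first keyword after 'network' is always the domain, and the sample rule lines are all constructed for illustration. The real utils/apparmor/rule/network.py is structured differently.

```python
"""Model of how the utils NetworkRule keyword lists gate rule parsing.

Added example, not AppArmor project code. The keyword lists are copied
from the patch context; everything else is a constructed illustration.
"""
import re

# Keyword lists as they stand before the patch (pre-patch context lines).
NETWORK_DOMAIN_KEYWORDS_OLD = [
    'unix', 'inet', 'ax25', 'ipx', 'appletalk', 'netrom', 'bridge', 'atmpvc',
    'x25', 'inet6', 'rose', 'netbeui', 'security', 'key', 'netlink', 'packet',
    'ash', 'econet', 'atmsvc', 'rds', 'sna', 'irda', 'pppox', 'wanpipe', 'llc',
    'can', 'tipc', 'bluetooth', 'iucv', 'rxrpc', 'isdn', 'phonet',
    'ieee802154', 'caif', 'alg', 'nfc', 'vsock', 'mpls', 'ib',
]
# The list after the patch: 'unspec' (AF_UNSPEC) is now a valid domain.
NETWORK_DOMAIN_KEYWORDS_NEW = NETWORK_DOMAIN_KEYWORDS_OLD + ['unspec']
NETWORK_TYPE_KEYWORDS = ['stream', 'dgram', 'seqpacket', 'rdm', 'raw', 'packet']
NETWORK_PROTOCOL_KEYWORDS = ['tcp', 'udp', 'icmp']

# Constructed regex for '[audit] [deny] network [domain] [type|protocol],'.
# Keywords are captured as bare tokens and validated against the lists
# afterwards, so an unknown keyword yields a specific error message.
RULE_RE = re.compile(
    r'^\s*(audit\s+)?(deny\s+)?network'
    r'(?:\s+([^\s,]+))?(?:\s+([^\s,]+))?\s*,\s*(?:#.*)?$'
)


class RuleError(ValueError):
    """Raised for a line the keyword lists do not cover (hypothetical name)."""


def parse_network_rule(line, domain_keywords):
    """Parse one network rule against the given domain keyword list.

    Returns a dict with the audit/deny flags, the domain and the
    type-or-protocol keyword (None when omitted). Assumption of this
    model: the first keyword after 'network' is always the domain.
    """
    m = RULE_RE.match(line)
    if not m:
        raise RuleError('not a network rule: %r' % line)
    audit, deny, domain, type_or_protocol = m.group(1, 2, 3, 4)
    if domain is not None and domain not in domain_keywords:
        raise RuleError('unknown network domain %r in %r' % (domain, line))
    if (type_or_protocol is not None
            and type_or_protocol not in NETWORK_TYPE_KEYWORDS + NETWORK_PROTOCOL_KEYWORDS):
        raise RuleError('unknown network type/protocol %r in %r' % (type_or_protocol, line))
    return {
        'audit': bool(audit),
        'deny': bool(deny),
        'domain': domain,
        'type_or_protocol': type_or_protocol,
    }


def failing_rules(lines, domain_keywords):
    """Return the rule lines that the keyword list rejects.

    This mirrors what the utils testsuite does when it walks the parser
    testcases: every line the C parser accepts must also parse here.
    """
    failures = []
    for line in lines:
        try:
            parse_network_rule(line, domain_keywords)
        except RuleError:
            failures.append(line)
    return failures


# Constructed sample rules, modelled on the shape of parser simple_tests;
# the two 'unspec' lines stand in for the testcase the parser patch adds.
SAMPLE_RULES = [
    'network,',
    'network inet stream,',
    'network inet6 tcp,',
    'network unspec,',
    'deny network unspec dgram,',
]

if __name__ == '__main__':
    print('rejected before patch:', failing_rules(SAMPLE_RULES, NETWORK_DOMAIN_KEYWORDS_OLD))
    print('rejected after patch: ', failing_rules(SAMPLE_RULES, NETWORK_DOMAIN_KEYWORDS_NEW))
    print(parse_network_rule('audit deny network unspec,', NETWORK_DOMAIN_KEYWORDS_NEW))
```

Run against the pre-patch list the two 'unspec' rules are rejected, which is the testsuite breakage described above; with 'unspec' appended every sample line parses. Validating tokens after a permissive match, rather than baking the keyword list into the regex, is what makes the failure name the offending keyword instead of reporting a generic parse error.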
