On 2016-02-18 18:19:39, Christian Boltz wrote:
> Hello,
>
> On Wednesday, 17 February 2016, 22:51:01 CET, Tyler Hicks wrote:
> > https://launchpad.net/bugs/1546455
> >
> > Don't filter out AF_UNSPEC from the list of valid protocol families so
> > that the parser will accept rules such as 'network unspec,'.
> >
> > There are certain syscalls, such as socket(2), where the LSM hooks are
> > called before the protocol family is validated. In these cases,
> > AppArmor was emitting denials even though socket(2) will eventually
> > fail. There may be cases where AF_UNSPEC sockets are accepted and we
> > need to make sure that we're mediating those appropriately.
>
> Whenever you change something in the parser simple_tests or libapparmor
> test_multi testsuite, please also run the utils testsuite, which also
> runs against those testcases.
>
> Long story short: your addition of the 'unspec' keyword breaks the
> utils testsuite.
>
> To un-break it, we need...
>
> [patch] Add 'unspec' to NetworkRule keyword list
>
> I propose this patch for trunk and 2.10 (assuming the parser patch for
> AF_UNSPEC gets applied to both).
>
> [ 71-network-unspec.diff ]
>
> --- utils/apparmor/rule/network.py 2016-02-12 22:11:21.078578660 +0100
> +++ utils/apparmor/rule/network.py 2016-02-18 18:09:26.482597013 +0100
> @@ -27,7 +27,7 @@ > network_domain_keywords = [ 'unix', 'inet', 'ax25', 'ipx', 'appletalk', > 'netrom', 'bridge', 'atmpvc', 'x25', 'inet6', > 'rose', 'netbeui', 'security', 'key', > 'netlink', 'packet', 'ash', 'econet', 'atmsvc', 'rds', 'sna', > 'irda', 'pppox', 'wanpipe', 'llc', 'can', > 'tipc', 'bluetooth', 'iucv', 'rxrpc', 'isdn', 'phonet', > - 'ieee802154', 'caif', 'alg', 'nfc', 'vsock', > 'mpls', 'ib' ] > + 'ieee802154', 'caif', 'alg', 'nfc', 'vsock', > 'mpls', 'ib', 'unspec' ] > > network_type_keywords = ['stream', 'dgram', 'seqpacket', 'rdm', 'raw', > 'packet'] > network_protocol_keywords = ['tcp', 'udp', 'icmp'] > > > Feel free to commit this together with your parser patch ;-)
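Review bot: appending 'unspec' after 'ib' at the tail of network_domain_keywords loses the list's correspondence with the PF_* numbering in <sys/socket.h>, where PF_UNSPEC is 0 and PF_UNIX/PF_LOCAL is 1; put it first, before 'unix', so the keyword order still follows the family numbers and can be checked against the parser's family table by eye. Since this keyword only matters once the parser accepts 'network unspec,', the utils testsuite run mentioned above should be repeated against the parser simple_tests and libapparmor test_multi cases after both patches are applied together.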
Thanks! I added it to the front of the list to match the ordering of the
definitions in <sys/socket.h>:

/* Protocol families.  */
#define PF_UNSPEC  0        /* Unspecified.  */
#define PF_LOCAL   1        /* Local to host (pipes and file-domain).  */
#define PF_UNIX    PF_LOCAL /* POSIX name for PF_LOCAL.  */
#define PF_FILE    PF_LOCAL /* Another non-standard name for PF_LOCAL.  */
#define PF_INET    2        /* IP protocol family.  */
#define PF_AX25    3        /* Amateur Radio AX.25.  */
#define PF_IPX     4        /* Novell Internet Protocol.  */
...

Tyler

>
> Regards,
>
> Christian Boltz
> --
> Everyone ends up with Mutt or Gnus sooner or later anyway,
> so you can take the shortcut and start with them right away. ;)
> No, that statement is simply wrong. For in a small
> village in the north-west of Gaul...
> [> Andreas Kneib and Thomas Hertweck on suse-linux]
> --
> AppArmor mailing list
> AppArmor@lists.ubuntu.com
> Modify settings or unsubscribe at:
> https://lists.ubuntu.com/mailman/listinfo/apparmor
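A small C probe, added here as an example and not part of this thread or of the AppArmor code base, that shows the kernel behaviour the commit message above relies on: socket(2) rejects AF_UNSPEC with EAFNOSUPPORT, and it does so only after the LSM socket_create hook has already been consulted, which is why a confined program without a matching 'network unspec,' rule produced an audit denial for a call that was going to fail anyway. It also confirms that AF_UNSPEC is family 0, the reason 'unspec' belongs at the front of the keyword list. The function names probe_family and unspec_is_family_zero are my own.

```c
/* Added example (not from the mailing-list thread or the AppArmor
 * project): probe socket(2) with AF_UNSPEC and report the errno it
 * sets. On Linux __sock_create() calls security_socket_create()
 * before looking the family up in net_families[], so an LSM sees the
 * request even though the lookup then fails with -EAFNOSUPPORT. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Try to create a socket of the given family and type.
 * Returns 0 when the socket was created (and closes it), otherwise
 * the errno value that socket(2) set. */
int probe_family(int family, int type)
{
    int fd = socket(family, type, 0);
    if (fd < 0)
        return errno;
    close(fd);
    return 0;
}

/* AF_UNSPEC is family 0 in <sys/socket.h>, ahead of AF_UNIX (1);
 * keeping 'unspec' first in the keyword list mirrors that order. */
int unspec_is_family_zero(void)
{
    return AF_UNSPEC == 0;
}

int main(void)
{
    int err = probe_family(AF_UNSPEC, SOCK_STREAM);

    printf("socket(AF_UNSPEC, SOCK_STREAM, 0): %s\n",
           err ? strerror(err) : "succeeded (unexpected)");
    printf("AF_UNSPEC == 0: %s\n", unspec_is_family_zero() ? "yes" : "no");

    /* Under an AppArmor profile lacking 'network unspec,', the audit
     * log would record a denial for the call above even though the
     * kernel rejects it regardless of the policy decision. */
    return err == EAFNOSUPPORT ? 0 : 1;
}
```

Run it unconfined and the only visible effect is the EAFNOSUPPORT error; run it under a profile with network rules and compare the audit log with and without 'network unspec,' to see the denial the commit message describes.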