
List:       apparmor-dev
Subject:    Re: [apparmor] [patch 02/12] parser: Add support for unix domain socket rules.
From:       Tyler Hicks <tyhicks () canonical ! com>
Date:       2014-08-27 22:01:44
Message-ID: 1409176906-28088-1-git-send-email-tyhicks () canonical ! com


On 2014-08-26 04:57:45, John Johansen wrote:
> On 08/26/2014 02:44 AM, Tyler Hicks wrote:
> >  2) It doesn't allow the policy author to only specify a permission. For
> >     example you can't create a blanket rule for all AF_UNIX create
> >     permissions ("unix create,"). The create operation is denied unless
> >     you specify the type ("unix create type=stream,"). This can be
> >     manually demonstrated using a simple profile to confine dbus-send
> >     ("profile test { file, dbus, unix create, }") but I also hope to
> >     have regression tests ready within the next day or two to test these
> >     types of things.
> > 
> shoot, thanks for catching.

I've been trying to chase down this bug and other related things that I've
bumped into. In the process, I've found two issues that need to be fixed before we
can start generating rules with any conditionals. Currently, af_unix policy
generation is not honoring conditionals because of some simple bugs. For
example:

$ echo "/t { unix w type=stream, }" | apparmor_parser -qQS | md5sum
a2532b107021cb645acc545d2f37a1b1  -
$ echo "/t { unix w type=stream addr=@foo peer=(label=/bar), }" | apparmor_parser -qQS | md5sum
a2532b107021cb645acc545d2f37a1b1  -

The following two patches get to where we're generating the entire binary rule
but there are still conditions where I can't allow certain actions. That'll
have to be fixed in future patches.

Tyler

-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
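The md5sum comparison in the message above generalises into a small regression check: compile a base rule and a set of variants that each add a conditional, and flag any variant whose compiled policy hashes identically to the base, since that means the parser silently dropped the conditional. The script below is an added example, not code from the original message or from the AppArmor project. It assumes an apparmor_parser that reads a profile on stdin and writes the compiled policy to stdout (the -qQS invocation used in the message); the PARSER variable, the throwaway /t profile name and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original message or the AppArmor tree.
# Compile a base rule and variants that add conditionals; a variant whose
# compiled output is byte-identical to the base had its conditional ignored.
#
# PARSER is assumed to read a profile on stdin and write the binary policy on
# stdout. The default matches the message: -q quiet, -Q do not load into the
# kernel, -S write the compiled policy to stdout. Override it to point the
# check at a different parser build.
PARSER="${PARSER:-apparmor_parser -qQS}"

# Wrap one rule body in a throwaway profile, compile it, print the md5 of the output.
compile_hash() {
    printf '/t { %s }\n' "$1" | $PARSER | md5sum | cut -d' ' -f1
}

# Usage: check_variants BASE_RULE VARIANT_RULE...
# Prints one line per variant: SAME if it compiled to the same bytes as the
# base (conditional ignored), DIFF if the conditional changed the policy.
check_variants() {
    base_hash=$(compile_hash "$1")
    shift
    for v in "$@"; do
        if [ "$(compile_hash "$v")" = "$base_hash" ]; then
            echo "SAME  $v"
        else
            echo "DIFF  $v"
        fi
    done
}

# Same arguments as check_variants; prints only how many variants were
# ignored, so a regression test can require 0. awk rather than grep -c, so
# a count of zero does not produce a non-zero exit status.
count_ignored() {
    check_variants "$@" | awk '/^SAME/ { n++ } END { print n + 0 }'
}

# Example run against the parser state described in the message (conditionals
# dropped), which should print SAME for every variant:
#   check_variants 'unix w,' \
#       'unix w type=stream,' \
#       'unix w type=stream addr=@foo peer=(label=/bar),'
```

Run `count_ignored` with the base rule first and every conditional you expect the parser to encode after it; a non-zero result means at least one conditional is not reaching the binary rule. The same harness works for other rule classes by changing only the rule strings, since it compares compiled output rather than parsing it.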