List: apparmor-dev
Subject: Re: [apparmor] [patch 14/12] v3 unix socket rules
From: Seth Arnold <seth.arnold () canonical ! com>
Date: 2014-08-30 5:59:54
Message-ID: 20140830055954.GA20487 () hunt
On Fri, Aug 29, 2014 at 10:45:59PM -0700, John Johansen wrote:
> On 08/29/2014 12:40 PM, John Johansen wrote:
> > This changes/fixes the encoding for unix socket rules.
> >
> > the changes look larger than they are because it refactors the code, instead
> > of duplicating.
> >
> > The major changes are:
> > - it changes where the accept perm is stored
> > - it moves anyone_match_pattern to default_match_pattern
> > - it fixes the layout of the local addr only being written when local perms
> > are present
>
> Fix to allow specifying the unix perm with peer perms. This is allowed now
> and even supported, since for unix sockets the peer accept is mediated in
> the unix_stream_connect hook (something that is not possible in the
> lsm accept hook).
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Heh, "yes", "yes we do want to loosen this" :)
Thanks
>
> ---
>
> === modified file 'parser/af_unix.cc'
> --- parser/af_unix.cc 2014-08-30 05:32:14 +0000
> +++ parser/af_unix.cc 2014-08-30 05:34:21 +0000
> @@ -123,10 +123,6 @@
> ((mode & AA_PEER_NET_PERMS) || has_peer_conds()))
> /* Do we want to loosen this? */
> yyerror("unix socket 'listen' access cannot be used with message rule conditionals\n");
> - else if ((mode & AA_NET_ACCEPT) &&
> - ((mode & AA_PEER_NET_PERMS) || has_peer_conds()))
> - /* Do we want to loosen this? */
> - yyerror("unix socket 'accept' access cannot be used with message rule conditionals\n");
> } else {
> mode = AA_VALID_NET_PERMS;
> }
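Review bot: the removed `else if` on AA_NET_ACCEPT comes with no test in this patch, so nothing pins the newly permitted combination of 'accept' with peer permissions or peer conditionals. A parser test for a rule of that shape that must now compile, next to one confirming that the 'listen' case still reaches yyerror, would guard both sides of the change. The surviving 'listen' branch also keeps its "Do we want to loosen this?" comment; since the rationale given for accept is that the peer accept is mediated in the unix_stream_connect hook, a short comment stating why listen stays restricted would document the asymmetry.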
>
>
> --
> AppArmor mailing list
> AppArmor@lists.ubuntu.com
> Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
>