2619
|
|
|
Tyler Hicks |
9 years ago
|
|
|
2618
|
|
|
Tyler Hicks |
9 years ago
|
|
|
2617
|
|
parser: initialize perms in unix_rule constructor
On Mon, Aug 25, 2014 at 05:06:07PM -0700, john.johansen@canonical.com wrote: > +unix_rule::unix_rule(unsigned int type_p, bool audit_p, bool denied): > + af_rule("unix"), path(NULL), peer_path(NULL) > +{ > + if (type_p != 0xffffffff) { > + sock_type_n = type_p; > + sock_type = strdup(net_find_type_name(type_p)); > + if (!sock_type) > + yyerror("socket rule: invalid socket type '%d'", type_p); > + } > + mode = AA_VALID_NET_PERMS; > + audit = audit_p ? AA_VALID_NET_PERMS : 0; > + deny = denied; > +}
This unix_rule constructor sets audit and deny (so they do not to be initialized); yet
> +unix_rule::unix_rule(int mode_p, struct cond_entry *conds, > + struct cond_entry *peer_conds): > + af_rule("unix"), path(NULL), peer_path(NULL) > +{ > + move_conditionals(conds); > + move_peer_conditionals(peer_conds); > + > + if (mode_p) { > + mode = mode_p; > + if (mode & ~AA_VALID_NET_PERMS) > + yyerror("mode contains invalid permissions for unix socket rules\n"); > + else if ((mode & AA_NET_BIND) && > + ((mode & AA_PEER_NET_PERMS) || has_peer_conds())) > + /* Do we want to loosen this? */ > + yyerror("unix socket 'bind' access cannot be used with message rule conditionals\n"); > + else if ((mode & AA_NET_LISTEN) && > + ((mode & AA_PEER_NET_PERMS) || has_peer_conds())) > + /* Do we want to loosen this? */ > + yyerror("unix socket 'listen' access cannot be used with message rule conditionals\n"); > + else if ((mode & AA_NET_ACCEPT) && > + ((mode & AA_PEER_NET_PERMS) || has_peer_conds())) > + /* Do we want to loosen this? */ > + yyerror("unix socket 'accept' access cannot be used with message rule conditionals\n"); > + } else { > + mode = AA_VALID_NET_PERMS; > + } > + > + free_cond_list(conds); > + free_cond_list(peer_conds);
this unix_rule constructor does not. The following patch fixes the issue.
Signed-off-by: Steve Beattie <steve@nxnw.org>
|
Steve Beattie |
9 years ago
|
|
|
2616
|
|
|
Tyler Hicks |
9 years ago
|
|
|
2615
|
|
|
john.johansen@canoni... |
9 years ago
|
|
|
2614
|
|
|
john.johansen@canoni... |
9 years ago
|
|
|
2613
|
|
|
john.johansen@canoni... |
9 years ago
|
|
|
2612
|
|
|
john.johansen@canoni... |
9 years ago
|
|
|
2611
|
|
|
john.johansen@canoni... |
9 years ago
|
|
|
2610
|
|
|
john.johansen@canoni... |
9 years ago
|
|
|
2609
|
|
|
john.johansen@canoni... |
9 years ago
|
|
|
2608
|
|
|
john.johansen@canoni... |
9 years ago
|
|
|
2607
|
|
|
Steve Beattie |
9 years ago
|
|
|
2606
|
|
|
john.johansen@canoni... |
9 years ago
|
|
|
2605
|
|
parser: Add support for unix domain socket rules.
This patch implements parsing of fine grained mediation for unix domain sockets, that have abstract and anonymous paths. Sockets with file system paths are handled by regular file access rules.
the unix network rules follow the general fine grained network rule pattern of
[<qualifiers>] af_name [<access expr>] [<rule conds>] [<local expr>] [<peer expr>]
specifically for af_unix this is
[<qualifiers>] 'unix' [<access expr>] [<rule conds>] [<local expr>] [<peer expr>]
<qualifiers> = [ 'audit' ] [ 'allow' | 'deny' ]
<access expr> = ( <access> | <access list> )
<access> = ( 'server' | 'create' | 'bind' | 'listen' | 'accept' | 'connect' | 'shutdown' | 'getattr' | 'setattr' | 'getopt' | 'setopt' | 'send' | 'receive' | 'r' | 'w' | 'rw' ) (some access modes are incompatible with some rules or require additional parameters)
<access list> = '(' <access> ( [','] <WS> <access> )* ')'
<WS> = white space
<rule conds> = ( <type cond> | <protocol cond> )* each cond can appear at most once
<type cond> = 'type' '=' ( <AARE> | '(' ( '"' <AARE> '"' | <AARE> )+ ')' )
<protocol cond> = 'protocol' '=' ( <AARE> | '(' ( '"' <AARE> '"' | <AARE> )+ ')' ) ???? hrmmm not an in list so should be an alternation for multiple
<local expr> = ( <path cond> | <attr cond> | <opt cond> )* each cond can appear at most once
<peer expr> = 'peer' '=' ( <path cond> | <label cond> )+ each cond can appear at most once
<path cond> = 'path' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')' )
<label cond> = 'label' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')' )
<attr cond> = 'attr' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')' )
<opt cond> = 'opt' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')' )
<AARE> = ?*[]{}^ ( see man page )
unix domain socket rules are accumulated so that the granted unix socket permissions are the union of all the listed unix rule permissions.
unix domain socket rules are broad and general and become more restrictive as further information is specified. Policy may be specified down to the path and label level. The content of the communication is not examined.
Some permissions are not compatible with all unix rules.
unix socket rule permissions are implied when a rule does not explicitly state an access list. By default if a rule does not have an access list all permissions that are compatible with the specified set of local and peer conditionals are implied.
The 'server', 'r', 'w' and 'rw' permissions are aliases for other permissions. server = (create, bind, listen, accept) r = (receive, getattr, getopt) w = (create, connect, send, setattr, setopt)
In addition it supports the v7 kernel abi semantics around generic network rules. The v7 abi removes the masking unix and netlink address families from the generic masking and uses fine grained mediation for an address type if supplied.
This means that the rules
network unix, network netlink,
are now enforced instead of ignored. The parser previously could accept these but the kernel would ignore anything written to them. If a network rule is supplied it takes precedence over the finer grained mediation rule. If permission is not granted via a broad network access rule fine grained mediation is applied.
??? should we do this as if fine grained is present use it and then fallback to broader rules ????
probably.
|
john.johansen@canoni... |
9 years ago
|
|
|
2604
|
|
|
john.johansen@canoni... |
9 years ago
|
|
|
2603
|
|
|
John Johansen |
9 years ago
|
|
|
2602
|
|
|
Kshitij Gupta |
9 years ago
|
|
|
2601
|
|
|
Christian Boltz |
9 years ago
|
|
|
2600
|
|
|
Christian Boltz |
9 years ago
|
|
|