
parser: fix rule downgrade for unix rules

Rule downgrades are used to provide some confinement when a feature is only partially supported by the kernel.

E.g. on a kernel that doesn't support fine-grained af_unix mediation but does support network mediation,

    unix (connect, receive, send)
          type=stream
          peer=(addr="@/tmp/.ICE-unix/[0-9]*"),

  will be downgraded to

    network unix type=stream,

This, while more permissive, still provides some mediation while allowing the application to function. However, making the rule a deny rule results in tightening the profile.

E.g.

    deny unix (connect, receive, send) type=stream peer=(addr="@/tmp/.ICE-unix/[0-9]*"),

  will be downgraded to

    deny network unix type=stream,

and that deny rule will take priority over any allow rule. This means that if the profile also has unix allow rules, they will get blocked by the downgraded deny rule, because deny rules have a higher priority, and the application will break. Even worse, there is no way to add the functionality back to the profile without deleting the offending deny rule.

To fix this we drop deny rules that can't be downgraded in a way that won't break the application.

Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1180766
Signed-off-by: John Johansen john.johansen@canonical.com
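A toy model of the downgrade described in the commit message, added here as an illustration and not taken from the apparmor parser itself. It assumes a simplified rule representation (permission set, socket type, optional peer-address glob), a "deny wins" evaluator, and a constructed profile with a hypothetical dbus peer beside the ICE deny rule from the message; it shows the old downgrade blocking the allowed peer and the fixed downgrade (drop the unsafe deny) keeping the application working.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional

ALL_PERMS = frozenset({"connect", "receive", "send"})


@dataclass(frozen=True)
class UnixRule:
    deny: bool
    perms: frozenset
    sock_type: str
    peer_addr: Optional[str]  # glob on the peer address; None matches any peer


def downgrade(rule, fixed):
    """Model the parser downgrade on a kernel without fine-grained af_unix
    mediation: a peer-qualified unix rule becomes 'network unix type=<t>'
    (any peer, all perms). With the fix, a deny rule that cannot be
    downgraded without broadening it is dropped instead."""
    if rule.peer_addr is None:
        return rule  # nothing is lost, the rule stays as written
    if rule.deny and fixed:
        return None
    return UnixRule(rule.deny, ALL_PERMS, rule.sock_type, None)


def downgrade_profile(rules, fixed):
    return [d for d in (downgrade(r, fixed) for r in rules) if d is not None]


def allowed(rules, perm, sock_type, peer):
    matched = [r for r in rules
               if perm in r.perms and r.sock_type == sock_type
               and (r.peer_addr is None or fnmatchcase(peer, r.peer_addr))]
    if any(r.deny for r in matched):  # deny always has priority over allow
        return False
    return any(not r.deny for r in matched)


# Constructed profile: allow a hypothetical dbus peer, deny the ICE peer.
PROFILE = [
    UnixRule(False, ALL_PERMS, "stream", "@/tmp/dbus-[0-9]*"),
    UnixRule(True, ALL_PERMS, "stream", "@/tmp/.ICE-unix/[0-9]*"),
]


def check(fixed):
    """Return (dbus_ok, ice_ok) under the downgraded profile."""
    rules = downgrade_profile(PROFILE, fixed)
    return (allowed(rules, "connect", "stream", "@/tmp/dbus-42"),
            allowed(rules, "connect", "stream", "@/tmp/.ICE-unix/7"))
```

On a kernel with full af_unix mediation `PROFILE` allows dbus and denies ICE; the old downgrade gives `check(False) == (False, False)` (everything blocked, application broken), while the fixed one gives `check(True) == (True, True)` (more permissive, but the application keeps working).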
