i/prompting/constraints: map get-attr and set-attr to read and write (c…

…anonical#14142)

* i/prompting/constraints: map get-attr and set-attr to read and write for home interface

Signed-off-by: Oliver Calder <[email protected]>

* s/apparmor/notify: fix comments for AA_MAY_SETATTR and AA_MAY_GETATTR

The `AA_MAY_SETATTR` and `AA_MAY_GETATTR` permissions are checked by the
kernel, and are mapped to by `w` and `r` respectively. These permissions
are not exposed to the user in policy, but they can be included in
notifications from the kernel.

Signed-off-by: Oliver Calder <[email protected]>

---------

Signed-off-by: Oliver Calder <[email protected]>

interfaces/prompting/constraints.go

@@ -137,8 +137,8 @@ var (
 	// and if it does not, it should be interpreted as AA_MAY_READ.
 	interfaceFilePermissionsMaps = map[string]map[string]notify.FilePermission{
 		"home": {
-			"read":    notify.AA_MAY_READ,
-			"write":   notify.AA_MAY_WRITE | notify.AA_MAY_APPEND | notify.AA_MAY_CREATE | notify.AA_MAY_DELETE | notify.AA_MAY_RENAME | notify.AA_MAY_CHMOD | notify.AA_MAY_LOCK | notify.AA_MAY_LINK,
+			"read":    notify.AA_MAY_READ | notify.AA_MAY_GETATTR,
+			"write":   notify.AA_MAY_WRITE | notify.AA_MAY_APPEND | notify.AA_MAY_CREATE | notify.AA_MAY_DELETE | notify.AA_MAY_RENAME | notify.AA_MAY_SETATTR | notify.AA_MAY_CHMOD | notify.AA_MAY_LOCK | notify.AA_MAY_LINK,
 			"execute": notify.AA_MAY_EXEC | notify.AA_EXEC_MMAP,
 		},
 	}

interfaces/prompting/constraints_test.go

@@ -465,7 +465,7 @@ func (s *constraintsSuite) TestAbstractPermissionsFromAppArmorPermissionsUnhappy
 		},
 		{
 			"home",
-			notify.AA_MAY_GETATTR | notify.AA_MAY_READ,
+			notify.AA_MAY_GETCRED | notify.AA_MAY_READ,
 			"cannot map AppArmor permission to abstract permission for the home interface.*",
 		},
 	}
@@ -485,12 +485,12 @@ func (s *constraintsSuite) TestAbstractPermissionsToAppArmorPermissionsHappy(c *
 		{
 			"home",
 			[]string{"read"},
-			notify.AA_MAY_OPEN | notify.AA_MAY_READ,
+			notify.AA_MAY_OPEN | notify.AA_MAY_READ | notify.AA_MAY_GETATTR,
 		},
 		{
 			"home",
 			[]string{"write"},
-			notify.AA_MAY_OPEN | notify.AA_MAY_WRITE | notify.AA_MAY_APPEND | notify.AA_MAY_CREATE | notify.AA_MAY_DELETE | notify.AA_MAY_RENAME | notify.AA_MAY_CHMOD | notify.AA_MAY_LOCK | notify.AA_MAY_LINK,
+			notify.AA_MAY_OPEN | notify.AA_MAY_WRITE | notify.AA_MAY_APPEND | notify.AA_MAY_CREATE | notify.AA_MAY_DELETE | notify.AA_MAY_RENAME | notify.AA_MAY_SETATTR | notify.AA_MAY_CHMOD | notify.AA_MAY_LOCK | notify.AA_MAY_LINK,
 		},
 		{
 			"home",
@@ -500,12 +500,12 @@ func (s *constraintsSuite) TestAbstractPermissionsToAppArmorPermissionsHappy(c *
 		{
 			"home",
 			[]string{"read", "execute"},
-			notify.AA_MAY_OPEN | notify.AA_MAY_READ | notify.AA_MAY_EXEC | notify.AA_EXEC_MMAP,
+			notify.AA_MAY_OPEN | notify.AA_MAY_READ | notify.AA_MAY_GETATTR | notify.AA_MAY_EXEC | notify.AA_EXEC_MMAP,
 		},
 		{
 			"home",
 			[]string{"execute", "write", "read"},
-			notify.AA_MAY_OPEN | notify.AA_MAY_READ | notify.AA_MAY_EXEC | notify.AA_EXEC_MMAP | notify.AA_MAY_WRITE | notify.AA_MAY_APPEND | notify.AA_MAY_CREATE | notify.AA_MAY_DELETE | notify.AA_MAY_RENAME | notify.AA_MAY_CHMOD | notify.AA_MAY_LOCK | notify.AA_MAY_LINK,
+			notify.AA_MAY_OPEN | notify.AA_MAY_READ | notify.AA_MAY_GETATTR | notify.AA_MAY_EXEC | notify.AA_EXEC_MMAP | notify.AA_MAY_WRITE | notify.AA_MAY_APPEND | notify.AA_MAY_CREATE | notify.AA_MAY_DELETE | notify.AA_MAY_RENAME | notify.AA_MAY_SETATTR | notify.AA_MAY_CHMOD | notify.AA_MAY_LOCK | notify.AA_MAY_LINK,
 		},
 	}
 	for _, testCase := range cases {

sandbox/apparmor/notify/permission.go

@@ -32,9 +32,9 @@ const (
 	AA_MAY_OPEN
 	// AA_MAY_RENAME implies that a process may rename a file.
 	AA_MAY_RENAME
-	// AA_MAY_SETATTR is not checked by the kernel.
+	// AA_MAY_SETATTR implies that a process may modify file attributes.
 	AA_MAY_SETATTR
-	// AA_MAY_GETATTR is not checked by the kernel.
+	// AA_MAY_GETATTR implies that a process may read file attributes.
 	AA_MAY_GETATTR
 	// AA_MAY_SETCRED is not used in the kernel.
 	AA_MAY_SETCRED