From 255716b90ac7fb45c92e06e7f377e25890a93f9c Mon Sep 17 00:00:00 2001
From: Christian Boltz <apparmor@cboltz.de>
Date: Sun, 24 Oct 2021 14:19:10 +0200
Subject: [PATCH] Add support for reading s390x and aarch64 wtmp file

Both aarch64 and s390x have a bigger wtmp record size (16 bytes more
than x86_64, 400 bytes total).

The byte position of the timestamp is also different on each
architecture. To make things even more interesting, s390x is big endian.

Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1181155
---
 utils/apparmor/notify.py                      |  46 ++++++++++++++++--
 utils/test/test-notify.py                     |   5 ++
 utils/test/wtmp-examples/wtmp-aarch64         | Bin 0 -> 800 bytes
 .../wtmp-aarch64-expected-output              |   5 ++
 utils/test/wtmp-examples/wtmp-s390x           | Bin 0 -> 15200 bytes
 .../wtmp-examples/wtmp-s390x-expected-output  |  13 +++++
 6 files changed, 66 insertions(+), 3 deletions(-)
 create mode 100644 utils/test/wtmp-examples/wtmp-aarch64
 create mode 100644 utils/test/wtmp-examples/wtmp-aarch64-expected-output
 create mode 100644 utils/test/wtmp-examples/wtmp-s390x
 create mode 100644 utils/test/wtmp-examples/wtmp-s390x-expected-output

diff --git a/utils/apparmor/notify.py b/utils/apparmor/notify.py
index 81d702972..1101a2934 100644
--- a/utils/apparmor/notify.py
+++ b/utils/apparmor/notify.py
@@ -22,6 +22,16 @@ from apparmor.common import AppArmorBug, DebugLogger
 debug_logger = DebugLogger('apparmor.notify')
 
 
+def sane_timestamp(timestamp):
+    ''' Check if the given timestamp is in a date range that makes sense for a wtmp file '''
+
+    if timestamp < 946681200:  # 2000-01-01
+        return False
+    elif timestamp > 2524604400:  # 2050-01-01
+        return False
+
+    return True
+
 def get_last_login_timestamp(username, filename='/var/log/wtmp'):
     '''Directly read wtmp and get last login for user as epoch timestamp'''
     timestamp = 0
@@ -33,11 +43,37 @@ def get_last_login_timestamp(username, filename='/var/log/wtmp'):
         offset = 0
         wtmp_filesize = os.path.getsize(filename)
         debug_logger.debug('WTMP filesize: {}'.format(wtmp_filesize))
+
+        if wtmp_filesize < 356:
+            return 0  # (nearly) empty wtmp file, no entries
+
+        # detect architecture based on utmp format differences
+        wtmp_file.seek(340)  # first possible timestamp position
+        timestamp_x86_64    = struct.unpack("<L", wtmp_file.read(4))[0]
+        timestamp_aarch64   = struct.unpack("<L", wtmp_file.read(4))[0]
+        timestamp_s390x     = struct.unpack(">L", wtmp_file.read(4))[0]
+        debug_logger.debug('WTMP timestamps: x86_64 %s, aarch64 %s, s390x %s' % (timestamp_x86_64, timestamp_aarch64, timestamp_s390x))
+
+        if sane_timestamp(timestamp_x86_64):
+            endianness = '<'  # little endian
+            extra_offset_before = 0
+            extra_offset_after = 0
+        elif sane_timestamp(timestamp_aarch64):
+            endianness = '<'  # little endian
+            extra_offset_before = 4
+            extra_offset_after = 12
+        elif sane_timestamp(timestamp_s390x):
+            endianness = '>'  # big endian
+            extra_offset_before = 8
+            extra_offset_after = 8
+        else:
+            raise AppArmorBug('Your /var/log/wtmp is broken or has an unknown format. Please open a bugreport with /var/log/wtmp and the output of "last" attached!')
+
         while offset < wtmp_filesize:
             wtmp_file.seek(offset)
-            offset += 384  # Increment for next entry
+            offset += 384 + extra_offset_before + extra_offset_after  # Increment for next entry
 
-            type = struct.unpack("<H", wtmp_file.read(2))[0]
+            type = struct.unpack('%sH' % endianness, wtmp_file.read(2))[0]
             debug_logger.debug('WTMP entry type: {}'.format(type))
             wtmp_file.read(2)  # skip padding
 
@@ -52,7 +88,11 @@ def get_last_login_timestamp(username, filename='/var/log/wtmp'):
                 term = struct.unpack("<H", wtmp_file.read(2))[0]
                 exit = struct.unpack("<H", wtmp_file.read(2))[0]
                 session = struct.unpack("<L", wtmp_file.read(4))[0]
-                timestamp = struct.unpack("<L", wtmp_file.read(4))[0]
+                if extra_offset_before:
+                    wtmp_file.read(extra_offset_before)
+                timestamp = struct.unpack('%sL' % endianness, wtmp_file.read(4))[0]
+                if extra_offset_after:
+                    wtmp_file.read(extra_offset_after)
                 usec = struct.unpack("<L", wtmp_file.read(4))[0]
                 entry = (pid, line, id, user, host, term, exit, session, timestamp, usec)
                 debug_logger.debug('WTMP entry: {}'.format(entry))
diff --git a/utils/test/test-notify.py b/utils/test/test-notify.py
index 6bbafa107..2a910eada 100644
--- a/utils/test/test-notify.py
+++ b/utils/test/test-notify.py
@@ -18,6 +18,11 @@ class TestGet_last_login_timestamp(AATest):
     tests = [
         (['wtmp-x86_64',        'root'      ], 1635070346),  # Sun Oct 24 12:12:26 CEST 2021
         (['wtmp-x86_64',        'whoever'   ], 0),
+        (['wtmp-s390x',         'root'      ], 1626368763),  # Thu Jul 15 19:06:03 CEST 2021
+        (['wtmp-s390x',         'linux1'    ], 1626368772),  # Thu Jul 15 19:06:12 CEST 2021
+        (['wtmp-s390x',         'whoever'   ], 0),
+        (['wtmp-aarch64',       'guillaume' ], 1611562789),  # Mon Jan 25 09:19:49 CET 2021
+        (['wtmp-aarch64',       'whoever'   ], 0),
     ]
 
     def _run_test(self, params, expected):
diff --git a/utils/test/wtmp-examples/wtmp-aarch64 b/utils/test/wtmp-examples/wtmp-aarch64
new file mode 100644
index 0000000000000000000000000000000000000000..3703b5fc4f7dd11479e4918ac160904fa9d5e193
GIT binary patch
literal 800
zcmZQ)U|`s&%)n4kQmk(bWa9!L$@J39oSekc+*BNj3@wfH49zU`4D^g}s2DlIs`Y#c
sAm1L=-~oI3zzPN?FoOWW0hA{uJ_r~yDvcHb))OJ|(V)VPCWD^~0GxLa&;S4c

literal 0
HcmV?d00001

diff --git a/utils/test/wtmp-examples/wtmp-aarch64-expected-output b/utils/test/wtmp-examples/wtmp-aarch64-expected-output
new file mode 100644
index 000000000..d3caeecf2
--- /dev/null
+++ b/utils/test/wtmp-examples/wtmp-aarch64-expected-output
@@ -0,0 +1,5 @@
+guillaum pts/3        192.168.0.2      Mon Jan 25 08:19 - 09:36  (01:17)
+
+Example and expected output taken from https://bugzilla.opensuse.org/show_bug.cgi?id=1181155
+
+On openSUSE, aarch64 is little endian.
diff --git a/utils/test/wtmp-examples/wtmp-s390x b/utils/test/wtmp-examples/wtmp-s390x
new file mode 100644
index 0000000000000000000000000000000000000000..9e218ea596aae9f1012a0090138778e245fa1b56
GIT binary patch
literal 15200
zcmeI3O-K}B7{^CjozdE)s4hZ;kR8IwS@*+;DC`hHU*s(!#*dA)78TvK%=D=E(W$x>
zL?McFi!M>!gN{L`DCm-hjqMUa2)!S>j^i@#`yWRSI<KJXywCGKGtd9G&%Cqmqgu7b
zz9#sK=g$e^FqG~d7|40LXbH2;wAx!@aWffj=}q72%4Y@M-f?z{#V(BAV7Wv(-oiOm
zG0z0VBj2A*kEF9+u@w)uGK2?zKSsMc+!n!64YlcWx!mY*Pj;}?%Tr|YniJk}eU9c%
zc;uM|k<3$A3(jMf@UTR4WOmWq@Y(cPn)4bSk6{fsj~SwOr)P1HU=lNYx^Ot^Gc?aN
zJYK?i*HTX%s*j6T&R@6;2M)7ifcoG(p!GxXK;L5l)(_4Dx?d?CFprJjulV{gof+v7
zEgzc9j$Uav{Pby>=j!@VbD$B<o7V@#L)8bWY5*QOJx9~jU~c$?s6ePO+t;7JCwMBh
zTFs;xi<wqZ6ba2~`}^62`+r#$d%KU<*B*KfWn@q<IS(k7a&jqP7skG`0prs<mqB#E
z>ZA9ost=J!8?zA}1vWGK=%K&*kn`Bs6@_~i;qjX(u<OkftOUDX>Cp2o95bwr)mj5j
zz5MyS%;N*TpmHA2=ku`24Cn3eDD7XBctozghGTFZ(DN=FGpvpdkJ9IlGLLJ|U`aR+
zXukxG8CFM!M`^#k%%gK0mW21CG^8IjoXO{U2k!QJ#a8_&w=%2idGz`#w?%NYHT~L@
z>etf!k_Y_VUjO2kfPmYyHT_z}gQ!e+M48xo5~tmw3y#=+qOqv@Q38#8n~X&|#o^J8
z?<aB|3$p!Nncep#@8}7}!a5#b;B+~Ud0Bs4W{1xg3P)pp9gm-I+HAiayI-mOc2v~>
z_bbi=st?5j<`J|$p!GxXfO!O6KbFY)p#B~Xm0Rj(EKwKd`RdHFbV}KQ->)DZsy@o1
z$zB8SVEw3lA5}j}rm=rJsgEOUR^4KYzkZaQhySZlGYF3+rb6{f9jpeckEY4ZsE?Cz
z(`qB%R?4*Ecn1c))a~YI7n^^uYi_7Hdvh|+_I#x|u>E#94{03bP@#ZbJa&o?elG3W
zR=89Su=+UqelzMLl`><N8B4U8v3RobOraaGi+$f%(pBfiE*)I?0|~(DL(T(=rJP&}
z*u~qNfxdj$We^>(`e@#d)W?wUztuEN)rVVX!s8zs**%{1S0BxWjEDP7>IhN5F5cnY
jrK(0*`_&1@>%)}sK>l7-)rTW1{f+R5@R27`v_Ad=&1z#R

literal 0
HcmV?d00001

diff --git a/utils/test/wtmp-examples/wtmp-s390x-expected-output b/utils/test/wtmp-examples/wtmp-s390x-expected-output
new file mode 100644
index 000000000..de4d5fff6
--- /dev/null
+++ b/utils/test/wtmp-examples/wtmp-s390x-expected-output
@@ -0,0 +1,13 @@
+linux1@opensuse03:~>  last
+linux1   pts/0        77.21.253.246    Thu Jul 15 13:06   still logged in
+root     pts/0        77.21.253.246    Thu Jul 15 13:06 - 13:06  (00:00)
+linux1   pts/0        77.21.253.246    Thu Jul 15 13:01 - 13:05  (00:04)
+linux1   pts/0        94.134.117.140   Thu Jul 15 08:15 - 08:16  (00:01)
+linux1   pts/0        10.6.22.160      Tue Jul 13 07:42 - 07:42  (00:00)
+reboot   system boot  5.3.18-24.67-def Tue Jul 13 07:41   still running
+linux1   pts/0        10.6.22.160      Tue Jul 13 07:41 - 07:41  (00:00)
+linux1   pts/0        10.6.22.160      Tue Jul 13 07:37 - 07:41  (00:03)
+reboot   system boot  5.3.18-24.64-def Tue Jul 13 07:30 - 07:41  (00:11)
+
+wtmp beginnt Tue Jul 13 07:30:36 2021
+linux1@opensuse03:~>