diff --git a/libraries/libapparmor/src/grammar.y b/libraries/libapparmor/src/grammar.y
index 266f728a3..ee55242e0 100644
--- a/libraries/libapparmor/src/grammar.y
+++ b/libraries/libapparmor/src/grammar.y
@@ -1,6 +1,7 @@
 /*
  * Copyright (c) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007
  * NOVELL (All rights reserved)
+ * Copyright (c) 2010, Canonical, Ltd.
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of version 2 of the GNU General Public
@@ -96,6 +97,13 @@ aa_record_event_type lookup_aa_event(unsigned int type)
 %token TOK_TYPE_HINT
 %token TOK_TYPE_STATUS
 %token TOK_TYPE_ERROR
+%token TOK_TYPE_AA_REJECT
+%token TOK_TYPE_AA_AUDIT
+%token TOK_TYPE_AA_COMPLAIN
+%token TOK_TYPE_AA_HINT
+%token TOK_TYPE_AA_STATUS
+%token TOK_TYPE_AA_ERROR
+%token TOK_TYPE_LSM_AVC
 %token TOK_OLD_TYPE_APPARMOR
 %token TOK_OLD_APPARMOR_REJECT
 %token TOK_OLD_APPARMOR_PERMIT
@@ -123,6 +131,7 @@ aa_record_event_type lookup_aa_event(unsigned int type)
 %token TOK_OLD_FORK
 %token TOK_OLD_CHILD
+%token TOK_KEY_APPARMOR
 %token TOK_KEY_TYPE
 %token TOK_KEY_MSG
 %token TOK_KEY_OPERATION
@@ -146,6 +155,7 @@ aa_record_event_type lookup_aa_event(unsigned int type)
 %token TOK_KEY_ERROR
 %token TOK_KEY_FSUID
 %token TOK_KEY_OUID
+%token TOK_KEY_COMM
 %token TOK_SYSLOG_KERNEL
@@ -168,13 +178,14 @@ old_syntax: TOK_OLD_TYPE_APPARMOR audit_msg old_msg
 ;
 new_syntax:
- TOK_TYPE_REJECT audit_msg key_list { ret_record->event = AA_RECORD_DENIED; }
- | TOK_TYPE_AUDIT audit_msg key_list { ret_record->event = AA_RECORD_AUDIT; }
- | TOK_TYPE_COMPLAIN audit_msg key_list { ret_record->event = AA_RECORD_ALLOWED; }
- | TOK_TYPE_HINT audit_msg key_list { ret_record->event = AA_RECORD_HINT; }
- | TOK_TYPE_STATUS audit_msg key_list { ret_record->event = AA_RECORD_STATUS; }
- | TOK_TYPE_ERROR audit_msg key_list { ret_record->event = AA_RECORD_ERROR; }
+ TOK_TYPE_AA_REJECT audit_msg key_list { ret_record->event = AA_RECORD_DENIED; }
+ | TOK_TYPE_AA_AUDIT audit_msg key_list { ret_record->event = AA_RECORD_AUDIT; }
+ | TOK_TYPE_AA_COMPLAIN audit_msg key_list { ret_record->event = AA_RECORD_ALLOWED; }
+ | TOK_TYPE_AA_HINT audit_msg key_list { ret_record->event = AA_RECORD_HINT; }
+ | TOK_TYPE_AA_STATUS audit_msg key_list { ret_record->event = AA_RECORD_STATUS; }
+ | TOK_TYPE_AA_ERROR audit_msg key_list { ret_record->event = AA_RECORD_ERROR; }
 | TOK_TYPE_UNKNOWN audit_msg key_list { ret_record->event = lookup_aa_event($1); }
+ | TOK_TYPE_LSM_AVC audit_msg key_list
 ;
 other_audit: TOK_TYPE_OTHER audit_msg TOK_MSG_REST
@@ -420,6 +431,17 @@ key: TOK_KEY_OPERATION TOK_EQUALS TOK_QUOTED_STRING { ret_record->fsuid = $3;}
 | TOK_KEY_OUID TOK_EQUALS TOK_DIGITS { ret_record->ouid = $3;}
+ | TOK_KEY_COMM TOK_EQUALS TOK_QUOTED_STRING
+ | TOK_KEY_APPARMOR TOK_EQUALS apparmor_event
+ ;
+
+apparmor_event:
+ TOK_TYPE_REJECT { ret_record->event = AA_RECORD_DENIED; }
+ | TOK_TYPE_AUDIT { ret_record->event = AA_RECORD_AUDIT; }
+ | TOK_TYPE_COMPLAIN { ret_record->event = AA_RECORD_ALLOWED; }
+ | TOK_TYPE_HINT { ret_record->event = AA_RECORD_HINT; }
+ | TOK_TYPE_STATUS { ret_record->event = AA_RECORD_STATUS; }
+ | TOK_TYPE_ERROR { ret_record->event = AA_RECORD_ERROR; }
 ;
 key_pid: TOK_KEY_PID TOK_EQUALS TOK_DIGITS { ret_record->pid = $3; }
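Review bot: The new `TOK_KEY_COMM TOK_EQUALS TOK_QUOTED_STRING` alternative in `key` has no action, so `$3` is neither stored nor released; the scanner hands string tokens over as heap copies (`yylval->t_str = strdup(yytext)` in the `syslog_month` rule of the scanner hunk), and if `TOK_QUOTED_STRING` is produced the same way, the `comm=` value leaks on every record that carries it. Either keep it (`{ ret_record->comm = $3; }` with a matching field in the record struct, which is an API addition) or release it: `| TOK_KEY_COMM TOK_EQUALS TOK_QUOTED_STRING { free($3); }`. Separately, the `TOK_TYPE_LSM_AVC audit_msg key_list` alternative in `new_syntax` sets no event itself, and `AVC` is the audit type shared by other LSMs, so a `type=AVC` record without an `apparmor=` key is accepted with `ret_record->event` left at its initial value; a comment on that line such as `/* event is set by apparmor_event via the apparmor= key; unset if absent */` would document the dependency, or the action could assign an explicit default. The `key` rule begins before the second hunk.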
diff --git a/libraries/libapparmor/src/scanner.l b/libraries/libapparmor/src/scanner.l
index b217f69a5..2515b23e8 100644
--- a/libraries/libapparmor/src/scanner.l
+++ b/libraries/libapparmor/src/scanner.l
@@ -1,6 +1,7 @@
 /*
  * Copyright (c) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007
  * NOVELL (All rights reserved)
+ * Copyright (c) 2010, Canonical, Ltd.
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of version 2 of the GNU General Public
@@ -84,12 +85,19 @@ mode_chars ([RrWwaLlMmkXx])|([Pp][Xx])|([Uu][Xx])|([Ii][Xx])|([Pp][Ii][Xx])
 modes ({mode_chars}+)|({mode_chars}+::{mode_chars}*)|(::{mode_chars}*)
 /* New message types */
-reject_type "APPARMOR_DENIED"
-audit_type "APPARMOR_AUDIT"
-complain_type "APPARMOR_ALLOWED"
-hint_type "APPARMOR_HINT"
-status_type "APPARMOR_STATUS"
-error_type "APPARMOR_ERROR"
+aa_reject_type "APPARMOR_DENIED"
+aa_audit_type "APPARMOR_AUDIT"
+aa_complain_type "APPARMOR_ALLOWED"
+aa_hint_type "APPARMOR_HINT"
+aa_status_type "APPARMOR_STATUS"
+aa_error_type "APPARMOR_ERROR"
+reject_type "\"DENIED\""
+audit_type "\"AUDIT\""
+complain_type "\"ALLOWED\""
+hint_type "\"HINT\""
+status_type "\"STATUS\""
+error_type "\"ERROR\""
+lsm_avc_type "AVC"
 unknown_type UNKNOWN\[{digits}+\]
 other_audit_type [[:alnum:]\[\]_-]+
@@ -125,6 +133,7 @@ null_complain "null-complain-profile"
 /* Key tokens */
+key_apparmor "apparmor"
 key_type "type"
 key_msg "msg"
 key_operation "operation"
@@ -147,6 +156,7 @@ key_protocol "protocol"
 key_error "error"
 key_fsuid "fsuid"
 key_ouid "ouid"
+key_comm "comm"
 audit "audit"
 /* syslog tokens */
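Review bot: Reusing `reject_type` … `error_type` for the quoted `"DENIED"` … `"ERROR"` values while moving their former `APPARMOR_*` meaning to `aa_reject_type` … `aa_error_type` leaves the unprefixed names meaning something different from what they meant before this commit, which is easy to misread in the rules section where both sets are used side by side. A distinct name for the new set, or at least a comment above it such as `/* values of the apparmor= key; the surrounding quotes are part of the token */`, would make the split explicit. The same naming pairing applies to `TOK_TYPE_*` versus `TOK_TYPE_AA_*` in grammar.y.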
@@ -240,6 +250,13 @@ yy_flex_debug = 0;
 {hint_type} { BEGIN(INITIAL); return(TOK_TYPE_HINT); }
 {status_type} { BEGIN(INITIAL); return(TOK_TYPE_STATUS); }
 {error_type} { BEGIN(INITIAL); return(TOK_TYPE_ERROR); }
+ {aa_reject_type} { BEGIN(INITIAL); return(TOK_TYPE_AA_REJECT); }
+ {aa_audit_type} { BEGIN(INITIAL); return(TOK_TYPE_AA_AUDIT); }
+ {aa_complain_type} { BEGIN(INITIAL); return(TOK_TYPE_AA_COMPLAIN); }
+ {aa_hint_type} { BEGIN(INITIAL); return(TOK_TYPE_AA_HINT); }
+ {aa_status_type} { BEGIN(INITIAL); return(TOK_TYPE_AA_STATUS); }
+ {aa_error_type} { BEGIN(INITIAL); return(TOK_TYPE_AA_ERROR); }
+ {lsm_avc_type} { BEGIN(INITIAL); return(TOK_TYPE_LSM_AVC); }
 {unknown_type} { char *yptr = yytext; while (*yptr && *yptr != '[') yptr++;
@@ -300,6 +317,7 @@ yy_flex_debug = 0;
 {key_attribute} { BEGIN(sub_id); return(TOK_KEY_ATTRIBUTE); }
 }
+{key_apparmor} { BEGIN(audit_types); return(TOK_KEY_APPARMOR); }
 {key_type} { BEGIN(audit_types); return(TOK_KEY_TYPE); }
 {key_msg} { return(TOK_KEY_MSG); }
 {key_operation} { return(TOK_KEY_OPERATION); }
@@ -321,6 +339,7 @@ yy_flex_debug = 0;
 {key_error} { return(TOK_KEY_ERROR); }
 {key_fsuid} { return(TOK_KEY_FSUID); }
 {key_ouid} { return(TOK_KEY_OUID); }
+{key_comm} { return(TOK_KEY_COMM); }
 {syslog_kernel} { BEGIN(dmesg_timestamp); return(TOK_SYSLOG_KERNEL); }
 {syslog_month} { yylval->t_str = strdup(yytext); return(TOK_DATE_MONTH); }
diff --git a/libraries/libapparmor/testsuite/test_multi/avc_audit_01.in b/libraries/libapparmor/testsuite/test_multi/avc_audit_01.in
new file mode 100644
index 000000000..44c24a743
--- /dev/null
+++ b/libraries/libapparmor/testsuite/test_multi/avc_audit_01.in
@@ -0,0 +1 @@
+type=AVC msg=audit(1279948288.415:39): apparmor="DENIED" operation="open" parent=12332 profile="/usr/sbin/cupsd" name="/home/user/.ssh/" pid=12333 comm="ls" requested_mask="r" denied_mask="r" fsuid=0 ouid=1000
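Review bot: After `{key_apparmor}` switches to `audit_types`, only the six quoted values and the `{aa_*_type}`/`{lsm_avc_type}`/`{unknown_type}`/`{other_audit_type}` patterns are available there, and none of the latter admit the opening `"`, so an `apparmor=` value outside the known set (constructed example: `apparmor="NOTATYPE"`) falls through to flex's default rule unless a catch-all rule for that start condition, outside this hunk, handles it; the scanner would then stay in `audit_types` rather than returning to `INITIAL`. A fallback rule in `audit_types` along the lines of `\"[^\"]*\" { BEGIN(INITIAL); return(TOK_TYPE_UNKNOWN); }` (with `yylval` set as the existing `{unknown_type}` rule does) would keep one unexpected record from derailing the rest of the log. None of the fixtures added in this commit exercise an unknown value, so a negative test beside avc_audit_01.in would pin the intended behaviour.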
diff --git a/libraries/libapparmor/testsuite/test_multi/avc_audit_01.out b/libraries/libapparmor/testsuite/test_multi/avc_audit_01.out
new file mode 100644
index 000000000..1a1869d45
--- /dev/null
+++ b/libraries/libapparmor/testsuite/test_multi/avc_audit_01.out
@@ -0,0 +1,15 @@
+START
+File: test_multi/avc_audit_01.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1279948288.415:39
+Operation: open
+Mask: r
+Denied Mask: r
+fsuid: 0
+ouid: 1000
+Profile: /usr/sbin/cupsd
+Name: /home/user/.ssh/
+Parent: 12332
+PID: 12333
+Epoch: 1279948288
+Audit subid: 39
diff --git a/libraries/libapparmor/testsuite/test_multi/avc_audit_02.in b/libraries/libapparmor/testsuite/test_multi/avc_audit_02.in
new file mode 100644
index 000000000..eae049de5
--- /dev/null
+++ b/libraries/libapparmor/testsuite/test_multi/avc_audit_02.in
@@ -0,0 +1 @@
+type=AVC msg=audit(1279948227.175:27): apparmor="STATUS" operation="profile_replace" name="/sbin/dhclient3" pid=12291 comm="apparmor_parser"
diff --git a/libraries/libapparmor/testsuite/test_multi/avc_audit_02.out b/libraries/libapparmor/testsuite/test_multi/avc_audit_02.out
new file mode 100644
index 000000000..f5bea2a8f
--- /dev/null
+++ b/libraries/libapparmor/testsuite/test_multi/avc_audit_02.out
@@ -0,0 +1,9 @@
+START
+File: test_multi/avc_audit_02.in
+Event type: AA_RECORD_STATUS
+Audit ID: 1279948227.175:27
+Operation: profile_replace
+Name: /sbin/dhclient3
+PID: 12291
+Epoch: 1279948227
+Audit subid: 27
diff --git a/libraries/libapparmor/testsuite/test_multi/avc_audit_03.in b/libraries/libapparmor/testsuite/test_multi/avc_audit_03.in
new file mode 100644
index 000000000..b60e3a2e4
--- /dev/null
+++ b/libraries/libapparmor/testsuite/test_multi/avc_audit_03.in
@@ -0,0 +1 @@
+type=AVC msg=audit(1279968846.035:77): apparmor="ALLOWED" operation="open" parent=7014 profile="/tmp/cat" name="/etc/passwd" pid=21645 comm="cat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
diff --git a/libraries/libapparmor/testsuite/test_multi/avc_audit_03.out b/libraries/libapparmor/testsuite/test_multi/avc_audit_03.out
new file mode 100644
index 000000000..ff144783a
--- /dev/null
+++ b/libraries/libapparmor/testsuite/test_multi/avc_audit_03.out
@@ -0,0 +1,15 @@
+START
+File: test_multi/avc_audit_03.in
+Event type: AA_RECORD_ALLOWED
+Audit ID: 1279968846.035:77
+Operation: open
+Mask: r
+Denied Mask: r
+fsuid: 1000
+ouid: 0
+Profile: /tmp/cat
+Name: /etc/passwd
+Parent: 7014
+PID: 21645
+Epoch: 1279968846
+Audit subid: 77
diff --git a/libraries/libapparmor/testsuite/test_multi/avc_syslog_01.in b/libraries/libapparmor/testsuite/test_multi/avc_syslog_01.in
new file mode 100644
index 000000000..c102b3cc1
--- /dev/null
+++ b/libraries/libapparmor/testsuite/test_multi/avc_syslog_01.in
@@ -0,0 +1 @@
+Jul 24 12:25:33 spriggan kernel: [42416.178567] type=1400 audit(1279967133.365:54): apparmor="DENIED" operation="open" parent=19650 profile="/usr/sbin/cupsd" name="/boot/" pid=19651 comm="ls" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
diff --git a/libraries/libapparmor/testsuite/test_multi/avc_syslog_01.out b/libraries/libapparmor/testsuite/test_multi/avc_syslog_01.out
new file mode 100644
index 000000000..90dc30f75
--- /dev/null
+++ b/libraries/libapparmor/testsuite/test_multi/avc_syslog_01.out
@@ -0,0 +1,15 @@
+START
+File: test_multi/avc_syslog_01.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1279967133.365:54
+Operation: open
+Mask: r
+Denied Mask: r
+fsuid: 0
+ouid: 0
+Profile: /usr/sbin/cupsd
+Name: /boot/
+Parent: 19650
+PID: 19651
+Epoch: 1279967133
+Audit subid: 54
diff --git a/libraries/libapparmor/testsuite/test_multi/avc_syslog_02.in b/libraries/libapparmor/testsuite/test_multi/avc_syslog_02.in
new file mode 100644
index 000000000..29c9771fb
--- /dev/null
+++ b/libraries/libapparmor/testsuite/test_multi/avc_syslog_02.in
@@ -0,0 +1 @@
+Jul 24 12:24:41 spriggan kernel: [42364.269117] type=1400 audit(1279967081.455:42): apparmor="STATUS" operation="profile_replace" name="/sbin/dhclient3" pid=19610 comm="apparmor_parser"
diff --git a/libraries/libapparmor/testsuite/test_multi/avc_syslog_02.out b/libraries/libapparmor/testsuite/test_multi/avc_syslog_02.out
new file mode 100644
index 000000000..b59174893
--- /dev/null
+++ b/libraries/libapparmor/testsuite/test_multi/avc_syslog_02.out
@@ -0,0 +1,9 @@
+START
+File: test_multi/avc_syslog_02.in
+Event type: AA_RECORD_STATUS
+Audit ID: 1279967081.455:42
+Operation: profile_replace
+Name: /sbin/dhclient3
+PID: 19610
+Epoch: 1279967081
+Audit subid: 42
diff --git a/libraries/libapparmor/testsuite/test_multi/avc_syslog_03.in b/libraries/libapparmor/testsuite/test_multi/avc_syslog_03.in
new file mode 100644
index 000000000..83907e9b5
--- /dev/null
+++ b/libraries/libapparmor/testsuite/test_multi/avc_syslog_03.in
@@ -0,0 +1 @@
+Jul 24 12:54:06 spriggan kernel: [44128.842691] type=1400 audit(1279968846.035:77): apparmor="ALLOWED" operation="open" parent=7014 profile="/tmp/cat" name="/etc/passwd" pid=21645 comm="cat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
diff --git a/libraries/libapparmor/testsuite/test_multi/avc_syslog_03.out b/libraries/libapparmor/testsuite/test_multi/avc_syslog_03.out
new file mode 100644
index 000000000..61031d2a9
--- /dev/null
+++ b/libraries/libapparmor/testsuite/test_multi/avc_syslog_03.out
@@ -0,0 +1,15 @@
+START
+File: test_multi/avc_syslog_03.in
+Event type: AA_RECORD_ALLOWED
+Audit ID: 1279968846.035:77
+Operation: open
+Mask: r
+Denied Mask: r
+fsuid: 1000
+ouid: 0
+Profile: /tmp/cat
+Name: /etc/passwd
+Parent: 7014
+PID: 21645
+Epoch: 1279968846
+Audit subid: 77
diff --git a/utils/SubDomain.pm b/utils/SubDomain.pm
index 9af392609..05fc507eb 100755
--- a/utils/SubDomain.pm
+++ b/utils/SubDomain.pm
@@ -2,6 +2,7 @@
 #
 # ----------------------------------------------------------------------
 # Copyright (c) 2006 Novell, Inc. All Rights Reserved.
+# Copyright (c) 2010 Canonical, Ltd.
 #
 # This program is free software; you can redistribute it and/or
 # modify it under the terms of version 2 of the GNU General Public
@@ -2413,10 +2414,13 @@ our $logmark;
 our $seenmark;
 my $RE_LOG_v2_0_syslog = qr/SubDomain/;
 my $RE_LOG_v2_1_syslog = qr/kernel:\s+(\[[\d\.\s]+\]\s+)?(audit\([\d\.\:]+\):\s+)?type=150[1-6]/;
+my $RE_LOG_v2_6_syslog = qr/kernel:\s+(\[[\d\.\s]+\]\s+)?type=\d+\s+audit\([\d\.\:]+\):\s+apparmor=/;
 my $RE_LOG_v2_0_audit = qr/type=(APPARMOR|UNKNOWN\[1500\]) msg=audit\([\d\.\:]+\):/;
 my $RE_LOG_v2_1_audit = qr/type=(UNKNOWN\[150[1-6]\]|APPARMOR_(AUDIT|ALLOWED|DENIED|HINT|STATUS|ERROR))/;
+my $RE_LOG_v2_6_audit =
+ qr/type=AVC\s+audit\([\d\.\:]+\):\s+apparmor=/;
 sub prefetch_next_log_entry {
 # if we already have an existing cache entry, something's broken
@@ -2434,6 +2438,8 @@ sub prefetch_next_log_entry {
 $RE_LOG_v2_0_audit |
 $RE_LOG_v2_1_audit |
 $RE_LOG_v2_1_syslog |
+ $RE_LOG_v2_6_syslog |
+ $RE_LOG_v2_6_audit |
 $logmark
 }x);
 }
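Review bot: `$RE_LOG_v2_6_audit` requires `type=AVC\s+audit\(`, but the auditd records this same commit adds as fixtures carry `msg=` between the type and the timestamp (avc_audit_01.in: `type=AVC msg=audit(1279948288.415:39): apparmor="DENIED" …`), so the pattern never matches them and prefetch_next_log_entry will pass over every such line; the existing `$RE_LOG_v2_0_audit` spells `msg=audit\(` for exactly this reason, and only the syslog form (`type=1400 audit(…)`) lacks `msg=`. Change the definition to `qr/type=AVC\s+msg=audit\([\d\.\:]+\):\s+apparmor=/;`, or use `(?:msg=)?audit\(` if a form without `msg=` is also expected. As a minor point of style, the groups in `$RE_LOG_v2_6_syslog` are never read, so `(?:…)` would state that. The second hunk (-2434) only adds the two names to the alternation and needs no change once the pattern is fixed.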