Add testcases for new LSM-audit log messages.

Update log parser grammar to handle new LSM-audit log messages.

libraries/libapparmor/src/grammar.y

@@ -1,6 +1,7 @@
 /*
  *   Copyright (c) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007
  *   NOVELL (All rights reserved)
+ *   Copyright (c) 2010, Canonical, Ltd.
  *
  *   This program is free software; you can redistribute it and/or
  *   modify it under the terms of version 2 of the GNU General Public
@@ -96,6 +97,13 @@ aa_record_event_type lookup_aa_event(unsigned int type)
 %token TOK_TYPE_HINT
 %token TOK_TYPE_STATUS
 %token TOK_TYPE_ERROR
+%token TOK_TYPE_AA_REJECT
+%token TOK_TYPE_AA_AUDIT
+%token TOK_TYPE_AA_COMPLAIN
+%token TOK_TYPE_AA_HINT
+%token TOK_TYPE_AA_STATUS
+%token TOK_TYPE_AA_ERROR
+%token TOK_TYPE_LSM_AVC
 %token TOK_OLD_TYPE_APPARMOR
 %token TOK_OLD_APPARMOR_REJECT
 %token TOK_OLD_APPARMOR_PERMIT
@@ -123,6 +131,7 @@ aa_record_event_type lookup_aa_event(unsigned int type)
 %token TOK_OLD_FORK
 %token TOK_OLD_CHILD
 
+%token TOK_KEY_APPARMOR
 %token TOK_KEY_TYPE
 %token TOK_KEY_MSG
 %token TOK_KEY_OPERATION
@@ -146,6 +155,7 @@ aa_record_event_type lookup_aa_event(unsigned int type)
 %token TOK_KEY_ERROR
 %token TOK_KEY_FSUID
 %token TOK_KEY_OUID
+%token TOK_KEY_COMM
 
 %token TOK_SYSLOG_KERNEL
 
@@ -168,13 +178,14 @@ old_syntax: TOK_OLD_TYPE_APPARMOR audit_msg old_msg
 	;
 
 new_syntax:
-	  TOK_TYPE_REJECT audit_msg key_list { ret_record->event = AA_RECORD_DENIED; }
-	| TOK_TYPE_AUDIT audit_msg key_list { ret_record->event = AA_RECORD_AUDIT; }
-	| TOK_TYPE_COMPLAIN audit_msg key_list { ret_record->event = AA_RECORD_ALLOWED; }
-	| TOK_TYPE_HINT audit_msg key_list { ret_record->event = AA_RECORD_HINT; }
-	| TOK_TYPE_STATUS audit_msg key_list { ret_record->event = AA_RECORD_STATUS; }
-	| TOK_TYPE_ERROR audit_msg key_list { ret_record->event = AA_RECORD_ERROR; }
+	  TOK_TYPE_AA_REJECT audit_msg key_list { ret_record->event = AA_RECORD_DENIED; }
+	| TOK_TYPE_AA_AUDIT audit_msg key_list { ret_record->event = AA_RECORD_AUDIT; }
+	| TOK_TYPE_AA_COMPLAIN audit_msg key_list { ret_record->event = AA_RECORD_ALLOWED; }
+	| TOK_TYPE_AA_HINT audit_msg key_list { ret_record->event = AA_RECORD_HINT; }
+	| TOK_TYPE_AA_STATUS audit_msg key_list { ret_record->event = AA_RECORD_STATUS; }
+	| TOK_TYPE_AA_ERROR audit_msg key_list { ret_record->event = AA_RECORD_ERROR; }
 	| TOK_TYPE_UNKNOWN audit_msg key_list { ret_record->event = lookup_aa_event($1); }
+	| TOK_TYPE_LSM_AVC audit_msg key_list
 	;
 
 other_audit: TOK_TYPE_OTHER audit_msg TOK_MSG_REST
@@ -420,6 +431,17 @@ key: TOK_KEY_OPERATION TOK_EQUALS TOK_QUOTED_STRING
 	{ ret_record->fsuid = $3;}
 	| TOK_KEY_OUID TOK_EQUALS TOK_DIGITS
 	{ ret_record->ouid = $3;}
+	| TOK_KEY_COMM TOK_EQUALS TOK_QUOTED_STRING
+	| TOK_KEY_APPARMOR TOK_EQUALS apparmor_event
+	;
+
+apparmor_event:
+	  TOK_TYPE_REJECT	{ ret_record->event = AA_RECORD_DENIED; }
+	| TOK_TYPE_AUDIT	{ ret_record->event = AA_RECORD_AUDIT; }
+	| TOK_TYPE_COMPLAIN	{ ret_record->event = AA_RECORD_ALLOWED; }
+	| TOK_TYPE_HINT		{ ret_record->event = AA_RECORD_HINT; }
+	| TOK_TYPE_STATUS	{ ret_record->event = AA_RECORD_STATUS; }
+	| TOK_TYPE_ERROR	{ ret_record->event = AA_RECORD_ERROR; }
 	;
 
 key_pid: TOK_KEY_PID TOK_EQUALS TOK_DIGITS { ret_record->pid = $3; }

libraries/libapparmor/src/scanner.l

@@ -1,6 +1,7 @@
 /*
  *   Copyright (c) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007
  *   NOVELL (All rights reserved)
+ *   Copyright (c) 2010, Canonical, Ltd.
  *
  *   This program is free software; you can redistribute it and/or
  *   modify it under the terms of version 2 of the GNU General Public
@@ -84,12 +85,19 @@ mode_chars      ([RrWwaLlMmkXx])|([Pp][Xx])|([Uu][Xx])|([Ii][Xx])|([Pp][Ii][Xx])
 modes		({mode_chars}+)|({mode_chars}+::{mode_chars}*)|(::{mode_chars}*)
 /* New message types */
 
-reject_type		"APPARMOR_DENIED"
-audit_type		"APPARMOR_AUDIT"
-complain_type		"APPARMOR_ALLOWED"
-hint_type		"APPARMOR_HINT"
-status_type		"APPARMOR_STATUS"
-error_type		"APPARMOR_ERROR"
+aa_reject_type		"APPARMOR_DENIED"
+aa_audit_type		"APPARMOR_AUDIT"
+aa_complain_type	"APPARMOR_ALLOWED"
+aa_hint_type		"APPARMOR_HINT"
+aa_status_type		"APPARMOR_STATUS"
+aa_error_type		"APPARMOR_ERROR"
+reject_type		"\"DENIED\""
+audit_type		"\"AUDIT\""
+complain_type		"\"ALLOWED\""
+hint_type		"\"HINT\""
+status_type		"\"STATUS\""
+error_type		"\"ERROR\""
+lsm_avc_type		"AVC"
 unknown_type		UNKNOWN\[{digits}+\]
 other_audit_type	[[:alnum:]\[\]_-]+
 
@@ -125,6 +133,7 @@ null_complain		"null-complain-profile"
 
 /* Key tokens */
 
+key_apparmor		"apparmor"
 key_type		"type"
 key_msg			"msg"
 key_operation		"operation"
@@ -147,6 +156,7 @@ key_protocol		"protocol"
 key_error		"error"
 key_fsuid		"fsuid"
 key_ouid		"ouid"
+key_comm		"comm"
 audit			"audit"
 
 /* syslog tokens */
@@ -240,6 +250,13 @@ yy_flex_debug = 0;
 	{hint_type}	{ BEGIN(INITIAL); return(TOK_TYPE_HINT); }
 	{status_type}	{ BEGIN(INITIAL); return(TOK_TYPE_STATUS); }
 	{error_type}	{ BEGIN(INITIAL); return(TOK_TYPE_ERROR); }
+	{aa_reject_type}	{ BEGIN(INITIAL); return(TOK_TYPE_AA_REJECT); }
+	{aa_audit_type}	{ BEGIN(INITIAL); return(TOK_TYPE_AA_AUDIT); }
+	{aa_complain_type}	{ BEGIN(INITIAL); return(TOK_TYPE_AA_COMPLAIN); }
+	{aa_hint_type}	{ BEGIN(INITIAL); return(TOK_TYPE_AA_HINT); }
+	{aa_status_type}	{ BEGIN(INITIAL); return(TOK_TYPE_AA_STATUS); }
+	{aa_error_type}	{ BEGIN(INITIAL); return(TOK_TYPE_AA_ERROR); }
+	{lsm_avc_type}	{ BEGIN(INITIAL); return(TOK_TYPE_LSM_AVC); }
 	{unknown_type}	{ char *yptr = yytext;
 			  while (*yptr && *yptr != '[')
 			  	yptr++;
@@ -300,6 +317,7 @@ yy_flex_debug = 0;
 	{key_attribute}	{ BEGIN(sub_id); return(TOK_KEY_ATTRIBUTE); }
 }
 
+{key_apparmor}		{ BEGIN(audit_types); return(TOK_KEY_APPARMOR); }
 {key_type}		{ BEGIN(audit_types); return(TOK_KEY_TYPE); }
 {key_msg}		{ return(TOK_KEY_MSG); }
 {key_operation}		{ return(TOK_KEY_OPERATION); }
@@ -321,6 +339,7 @@ yy_flex_debug = 0;
 {key_error}		{ return(TOK_KEY_ERROR); }
 {key_fsuid}		{ return(TOK_KEY_FSUID); }
 {key_ouid}		{ return(TOK_KEY_OUID); }
+{key_comm}		{ return(TOK_KEY_COMM); }
 
 {syslog_kernel}		{ BEGIN(dmesg_timestamp); return(TOK_SYSLOG_KERNEL); }
 {syslog_month}		{ yylval->t_str = strdup(yytext); return(TOK_DATE_MONTH); }

libraries/libapparmor/testsuite/test_multi/avc_audit_01.in

@@ -0,0 +1 @@
+type=AVC msg=audit(1279948288.415:39): apparmor="DENIED" operation="open" parent=12332 profile="/usr/sbin/cupsd" name="/home/user/.ssh/" pid=12333 comm="ls" requested_mask="r" denied_mask="r" fsuid=0 ouid=1000

libraries/libapparmor/testsuite/test_multi/avc_audit_01.out

@@ -0,0 +1,15 @@
+START
+File: test_multi/avc_audit_01.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1279948288.415:39
+Operation: open
+Mask: r
+Denied Mask: r
+fsuid: 0
+ouid: 1000
+Profile: /usr/sbin/cupsd
+Name: /home/user/.ssh/
+Parent: 12332
+PID: 12333
+Epoch: 1279948288
+Audit subid: 39

libraries/libapparmor/testsuite/test_multi/avc_audit_02.in

@@ -0,0 +1 @@
+type=AVC msg=audit(1279948227.175:27): apparmor="STATUS" operation="profile_replace" name="/sbin/dhclient3" pid=12291 comm="apparmor_parser"

libraries/libapparmor/testsuite/test_multi/avc_audit_02.out

@@ -0,0 +1,9 @@
+START
+File: test_multi/avc_audit_02.in
+Event type: AA_RECORD_STATUS
+Audit ID: 1279948227.175:27
+Operation: profile_replace
+Name: /sbin/dhclient3
+PID: 12291
+Epoch: 1279948227
+Audit subid: 27

libraries/libapparmor/testsuite/test_multi/avc_audit_03.in

@@ -0,0 +1 @@
+type=AVC msg=audit(1279968846.035:77): apparmor="ALLOWED" operation="open" parent=7014 profile="/tmp/cat" name="/etc/passwd" pid=21645 comm="cat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

libraries/libapparmor/testsuite/test_multi/avc_audit_03.out

@@ -0,0 +1,15 @@
+START
+File: test_multi/avc_audit_03.in
+Event type: AA_RECORD_ALLOWED
+Audit ID: 1279968846.035:77
+Operation: open
+Mask: r
+Denied Mask: r
+fsuid: 1000
+ouid: 0
+Profile: /tmp/cat
+Name: /etc/passwd
+Parent: 7014
+PID: 21645
+Epoch: 1279968846
+Audit subid: 77

libraries/libapparmor/testsuite/test_multi/avc_syslog_01.in

@@ -0,0 +1 @@
+Jul 24 12:25:33 spriggan kernel: [42416.178567] type=1400 audit(1279967133.365:54): apparmor="DENIED" operation="open" parent=19650 profile="/usr/sbin/cupsd" name="/boot/" pid=19651 comm="ls" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

libraries/libapparmor/testsuite/test_multi/avc_syslog_01.out

@@ -0,0 +1,15 @@
+START
+File: test_multi/avc_syslog_01.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1279967133.365:54
+Operation: open
+Mask: r
+Denied Mask: r
+fsuid: 0
+ouid: 0
+Profile: /usr/sbin/cupsd
+Name: /boot/
+Parent: 19650
+PID: 19651
+Epoch: 1279967133
+Audit subid: 54

libraries/libapparmor/testsuite/test_multi/avc_syslog_02.in

@@ -0,0 +1 @@
+Jul 24 12:24:41 spriggan kernel: [42364.269117] type=1400 audit(1279967081.455:42): apparmor="STATUS" operation="profile_replace" name="/sbin/dhclient3" pid=19610 comm="apparmor_parser"

libraries/libapparmor/testsuite/test_multi/avc_syslog_02.out

@@ -0,0 +1,9 @@
+START
+File: test_multi/avc_syslog_02.in
+Event type: AA_RECORD_STATUS
+Audit ID: 1279967081.455:42
+Operation: profile_replace
+Name: /sbin/dhclient3
+PID: 19610
+Epoch: 1279967081
+Audit subid: 42

libraries/libapparmor/testsuite/test_multi/avc_syslog_03.in

@@ -0,0 +1 @@
+Jul 24 12:54:06 spriggan kernel: [44128.842691] type=1400 audit(1279968846.035:77): apparmor="ALLOWED" operation="open" parent=7014 profile="/tmp/cat" name="/etc/passwd" pid=21645 comm="cat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

libraries/libapparmor/testsuite/test_multi/avc_syslog_03.out

@@ -0,0 +1,15 @@
+START
+File: test_multi/avc_syslog_03.in
+Event type: AA_RECORD_ALLOWED
+Audit ID: 1279968846.035:77
+Operation: open
+Mask: r
+Denied Mask: r
+fsuid: 1000
+ouid: 0
+Profile: /tmp/cat
+Name: /etc/passwd
+Parent: 7014
+PID: 21645
+Epoch: 1279968846
+Audit subid: 77

utils/SubDomain.pm

@@ -2,6 +2,7 @@
 #
 # ----------------------------------------------------------------------
 #    Copyright (c) 2006 Novell, Inc. All Rights Reserved.
+#    Copyright (c) 2010 Canonical, Ltd.
 #
 #    This program is free software; you can redistribute it and/or
 #    modify it under the terms of version 2 of the GNU General Public
@@ -2413,10 +2414,13 @@ our $logmark;
 our $seenmark;
 my $RE_LOG_v2_0_syslog = qr/SubDomain/;
 my $RE_LOG_v2_1_syslog = qr/kernel:\s+(\[[\d\.\s]+\]\s+)?(audit\([\d\.\:]+\):\s+)?type=150[1-6]/;
+my $RE_LOG_v2_6_syslog = qr/kernel:\s+(\[[\d\.\s]+\]\s+)?type=\d+\s+audit\([\d\.\:]+\):\s+apparmor=/;
 my $RE_LOG_v2_0_audit  =
     qr/type=(APPARMOR|UNKNOWN\[1500\]) msg=audit\([\d\.\:]+\):/;
 my $RE_LOG_v2_1_audit  =
     qr/type=(UNKNOWN\[150[1-6]\]|APPARMOR_(AUDIT|ALLOWED|DENIED|HINT|STATUS|ERROR))/;
+my $RE_LOG_v2_6_audit =
+    qr/type=AVC\s+audit\([\d\.\:]+\):\s+apparmor=/;
 
 sub prefetch_next_log_entry {
     # if we already have an existing cache entry, something's broken
@@ -2434,6 +2438,8 @@ sub prefetch_next_log_entry {
         $RE_LOG_v2_0_audit  |
         $RE_LOG_v2_1_audit  |
         $RE_LOG_v2_1_syslog |
+        $RE_LOG_v2_6_syslog |
+        $RE_LOG_v2_6_audit  |
         $logmark
     }x);
 }