- Added the timestamp from the audit ID ('epoch')

to aa_log_record.
- Added the integer that follows the colon in the 
  audit ID ('audit_sub_id') to aa_log_record.
- Modified the testsuite to deal with the two new
  numbers.

changehat/libapparmor/src/aalogparse.h

@@ -118,9 +118,11 @@ typedef struct
 	long pid;			/* PID of the program logging the message */
 	long task;
 	long magic_token;
+	long epoch;			/* example: 12345679 */
+	unsigned int audit_sub_id;		/* example: 12 */
 
 	int bitmask;			/* Bitmask containing "r" "w" "x" etc */
-	char *audit_id;
+	char *audit_id;			/* example: 12345679.1234:12 */
 	char *operation;		/* "Exec" "Ptrace", etc. */
 	char *denied_mask;		/* "r", "w", etc. */
 	char *requested_mask;

changehat/libapparmor/src/grammar.y

@@ -311,6 +311,8 @@ old_profile:
 audit_msg: TOK_KEY_MSG TOK_EQUALS TOK_AUDIT TOK_OPEN_PAREN TOK_AUDIT_DIGITS TOK_PERIOD TOK_AUDIT_DIGITS TOK_COLON TOK_AUDIT_DIGITS TOK_CLOSE_PAREN TOK_COLON
 	{
 		asprintf(&ret_record->audit_id, "%s.%s:%s", $5, $7, $9);
+		ret_record->epoch = atol($5);
+		ret_record->audit_sub_id = atoi($9);
 		free($5);
 		free($7);
 		free($9);

changehat/libapparmor/src/libaalogparse.c

@@ -94,6 +94,8 @@ _init_log_record(aa_log_record *record)
 	record->bitmask = 0;
 	record->task = 0;
 	record->magic_token = 0;
+	record->epoch = 0;
+	record->audit_sub_id = 0;
 
 	record->audit_id = NULL;
 	record->operation = NULL;

changehat/libapparmor/testsuite/test_multi.c

@@ -165,5 +165,7 @@ int print_results(aa_log_record *record)
 		{
 			printf("Protocol: %s\n", record->net_protocol);
 		}
+		printf("Epoch: %lu\n", record->epoch);
+		printf("Audit subid: %u\n", record->audit_sub_id);
 	return(0);
 }

changehat/libapparmor/testsuite/test_multi/testcase1.out

@@ -16,3 +16,5 @@ PID: 31938
 Network family: family
 Socket type: unknown(1234)
 Protocol: tcp
+Epoch: 1181057184
+Audit subid: 7

changehat/libapparmor/testsuite/test_multi/testcase10.out

@@ -7,3 +7,5 @@ Profile: /home/matt/projects/change_hat_test/test_hat
 Task: 38229
 PID: 27764
 Active hat: /home/matt/projects/change_hat_test/test_hat
+Epoch: 1168661976
+Audit subid: 55

changehat/libapparmor/testsuite/test_multi/testcase11.out

@@ -5,3 +5,5 @@ Audit ID: 1168661976.062:55
 Operation: clone
 Task: 38229
 PID: 27764
+Epoch: 1168661976
+Audit subid: 55

changehat/libapparmor/testsuite/test_multi/testcase2.out

@@ -9,3 +9,5 @@ Name: /home/matt/projects/change_hat_test/test
 Info: test_hat
 PID: 27871
 Active hat: null-complain-profile
+Epoch: 1168662182
+Audit subid: 58

changehat/libapparmor/testsuite/test_multi/testcase3.out

@@ -8,3 +8,5 @@ Name: TESTHAT
 Info: unknown_hat
 PID: 27764
 Active hat: /home/matt/projects/change_hat_test/test_hat
+Epoch: 1168661976
+Audit subid: 55

changehat/libapparmor/testsuite/test_multi/testcase4.out

@@ -9,3 +9,5 @@ Name: /bin/freak-aa-out
 Info: bash
 PID: 23415
 Active hat: /bin/freak-aa-out
+Epoch: 1167188680
+Audit subid: 54

changehat/libapparmor/testsuite/test_multi/testcase5.out

@@ -8,3 +8,5 @@ Name: /path/to/something
 Info: bash
 PID: 23415
 Active hat: /bin/freak-aa-out
+Epoch: 1167188680
+Audit subid: 54

changehat/libapparmor/testsuite/test_multi/testcase6.out

@@ -8,3 +8,5 @@ Name: /path/to/something
 Info: bash
 PID: 23415
 Active hat: /bin/freak-aa-out
+Epoch: 1167188680
+Audit subid: 54

changehat/libapparmor/testsuite/test_multi/testcase7.out

@@ -9,3 +9,5 @@ Attribute: set
 Info: bash
 PID: 23415
 Active hat: /bin/freak-aa-out
+Epoch: 1167188680
+Audit subid: 54

changehat/libapparmor/testsuite/test_multi/testcase8.out

@@ -9,3 +9,5 @@ Attribute: something
 Info: bash
 PID: 23415
 Active hat: /bin/freak-aa-out
+Epoch: 1167188680
+Audit subid: 54

changehat/libapparmor/testsuite/test_multi/testcase9.out

@@ -8,3 +8,5 @@ Name: cap
 Info: bash
 PID: 23415
 Active hat: /bin/freak-aa-out
+Epoch: 1167188680
+Audit subid: 54