utils: add logparser support for mqueue

Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>

libraries/libapparmor/testsuite/test_multi/testcase_mqueue_01.in

@@ -0,0 +1 @@
+Apr 05 19:36:19 ubuntu kernel: audit: type=1400 audit(1649187379.660:255): apparmor="DENIED" operation="create" profile="/root/apparmor/tests/regression/apparmor/posix_mq_rcv" name="/queuename" pid=791 comm="posix_mq_rcv" requested="create" denied="create" class="posix_mqueue" fsuid=0 ouid=0

libraries/libapparmor/testsuite/test_multi/testcase_mqueue_01.out

@@ -0,0 +1,16 @@
+START
+File: testcase_mqueue_01.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1649187379.660:255
+Operation: create
+Mask: create
+Denied Mask: create
+fsuid: 0
+ouid: 0
+Profile: /root/apparmor/tests/regression/apparmor/posix_mq_rcv
+Name: /queuename
+Command: posix_mq_rcv
+PID: 791
+Class: posix_mqueue
+Epoch: 1649187379
+Audit subid: 255

libraries/libapparmor/testsuite/test_multi/testcase_mqueue_01.profile

@@ -0,0 +1,4 @@
+/root/apparmor/tests/regression/apparmor/posix_mq_rcv {
+  mqueue create type=posix /queuename,
+
+}

libraries/libapparmor/testsuite/test_multi/testcase_mqueue_02.in

@@ -0,0 +1,2 @@
+Apr 05 19:36:29 ubuntu kernel: audit: type=1400 audit(1649187389.828:262): apparmor="DENIED" operation="open" profile="/root/apparmor/tests/regression/apparmor/posix_mq_rcv" name="/queuename" pid=848 comm="posix_mq_rcv" requested="read create" denied="read" class="posix_mqueue" fsuid=0 ouid=0
+

libraries/libapparmor/testsuite/test_multi/testcase_mqueue_02.out

@@ -0,0 +1,16 @@
+START
+File: testcase_mqueue_02.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1649187389.828:262
+Operation: open
+Mask: read create
+Denied Mask: read
+fsuid: 0
+ouid: 0
+Profile: /root/apparmor/tests/regression/apparmor/posix_mq_rcv
+Name: /queuename
+Command: posix_mq_rcv
+PID: 848
+Class: posix_mqueue
+Epoch: 1649187389
+Audit subid: 262

libraries/libapparmor/testsuite/test_multi/testcase_mqueue_02.profile

@@ -0,0 +1,4 @@
+/root/apparmor/tests/regression/apparmor/posix_mq_rcv {
+  mqueue read type=posix /queuename,
+
+}

libraries/libapparmor/testsuite/test_multi/testcase_mqueue_03.in

@@ -0,0 +1 @@
+Apr 05 19:36:39 ubuntu kernel: audit: type=1400 audit(1649187399.973:265): apparmor="DENIED" operation="unlink" profile="/root/apparmor/tests/regression/apparmor/posix_mq_rcv" name="/queuename" pid=897 comm="posix_mq_rcv" requested="delete" denied="delete" class="posix_mqueue" fsuid=0 ouid=0

libraries/libapparmor/testsuite/test_multi/testcase_mqueue_03.out

@@ -0,0 +1,16 @@
+START
+File: testcase_mqueue_03.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1649187399.973:265
+Operation: unlink
+Mask: delete
+Denied Mask: delete
+fsuid: 0
+ouid: 0
+Profile: /root/apparmor/tests/regression/apparmor/posix_mq_rcv
+Name: /queuename
+Command: posix_mq_rcv
+PID: 897
+Class: posix_mqueue
+Epoch: 1649187399
+Audit subid: 265

libraries/libapparmor/testsuite/test_multi/testcase_mqueue_03.profile

@@ -0,0 +1,4 @@
+/root/apparmor/tests/regression/apparmor/posix_mq_rcv {
+  mqueue delete type=posix /queuename,
+
+}

libraries/libapparmor/testsuite/test_multi/testcase_mqueue_04.in

@@ -0,0 +1 @@
+Jun 02 16:58:20 ubuntu kernel: audit: type=1400 audit(1654189100.680:1011): apparmor="DENIED" operation="sysv_mqueue" profile="/root/apparmor/tests/regression/apparmor/sysv_mq_rcv" name="123" pid=13574 comm="sysv_mq_rcv" requested="create" denied="create" class="sysv_mqueue" fsuid=0 ouid=0

libraries/libapparmor/testsuite/test_multi/testcase_mqueue_04.out

@@ -0,0 +1,16 @@
+START
+File: testcase_mqueue_04.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1654189100.680:1011
+Operation: sysv_mqueue
+Mask: create
+Denied Mask: create
+fsuid: 0
+ouid: 0
+Profile: /root/apparmor/tests/regression/apparmor/sysv_mq_rcv
+Name: 123
+Command: sysv_mq_rcv
+PID: 13574
+Class: sysv_mqueue
+Epoch: 1654189100
+Audit subid: 1011

libraries/libapparmor/testsuite/test_multi/testcase_mqueue_04.profile

@@ -0,0 +1,4 @@
+/root/apparmor/tests/regression/apparmor/sysv_mq_rcv {
+  mqueue create type=sysv 123,
+
+}

libraries/libapparmor/testsuite/test_multi/testcase_mqueue_05.in

@@ -0,0 +1 @@
+Jun 02 17:15:45 ubuntu kernel: audit: type=1400 audit(1654190145.439:1135): apparmor="DENIED" operation="sysv_mqueue" profile="/root/apparmor/tests/regression/apparmor/sysv_mq_snd" name="123" pid=15849 comm="sysv_mq_snd" requested="open" denied="open" class="sysv_mqueue"

libraries/libapparmor/testsuite/test_multi/testcase_mqueue_05.out

@@ -0,0 +1,14 @@
+START
+File: testcase_mqueue_05.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1654190145.439:1135
+Operation: sysv_mqueue
+Mask: open
+Denied Mask: open
+Profile: /root/apparmor/tests/regression/apparmor/sysv_mq_snd
+Name: 123
+Command: sysv_mq_snd
+PID: 15849
+Class: sysv_mqueue
+Epoch: 1654190145
+Audit subid: 1135

libraries/libapparmor/testsuite/test_multi/testcase_mqueue_05.profile

@@ -0,0 +1,4 @@
+/root/apparmor/tests/regression/apparmor/sysv_mq_snd {
+  mqueue open type=sysv 123,
+
+}

libraries/libapparmor/testsuite/test_multi/testcase_mqueue_06.in

@@ -0,0 +1 @@
+Jun 02 17:15:37 ubuntu kernel: audit: type=1400 audit(1654190137.559:1122): apparmor="DENIED" operation="sysv_mqueue" profile="/root/apparmor/tests/regression/apparmor/sysv_mq_rcv" name="123" pid=15632 comm="sysv_mq_rcv" requested="read" denied="read" class="sysv_mqueue" fsuid=0 ouid=0

libraries/libapparmor/testsuite/test_multi/testcase_mqueue_06.out

@@ -0,0 +1,16 @@
+START
+File: testcase_mqueue_06.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1654190137.559:1122
+Operation: sysv_mqueue
+Mask: read
+Denied Mask: read
+fsuid: 0
+ouid: 0
+Profile: /root/apparmor/tests/regression/apparmor/sysv_mq_rcv
+Name: 123
+Command: sysv_mq_rcv
+PID: 15632
+Class: sysv_mqueue
+Epoch: 1654190137
+Audit subid: 1122

libraries/libapparmor/testsuite/test_multi/testcase_mqueue_06.profile

@@ -0,0 +1,4 @@
+/root/apparmor/tests/regression/apparmor/sysv_mq_rcv {
+  mqueue read type=sysv 123,
+
+}

libraries/libapparmor/testsuite/test_multi/testcase_mqueue_07.in

@@ -0,0 +1 @@
+Jun 02 17:15:51 ubuntu kernel: audit: type=1400 audit(1654190151.003:1145): apparmor="DENIED" operation="sysv_mqueue" profile="/root/apparmor/tests/regression/apparmor/sysv_mq_rcv" name="123" pid=15973 comm="sysv_mq_rcv" requested="delete" denied="delete" class="sysv_mqueue" fsuid=1001 ouid=1001

libraries/libapparmor/testsuite/test_multi/testcase_mqueue_07.out

@@ -0,0 +1,16 @@
+START
+File: testcase_mqueue_07.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1654190151.003:1145
+Operation: sysv_mqueue
+Mask: delete
+Denied Mask: delete
+fsuid: 1001
+ouid: 1001
+Profile: /root/apparmor/tests/regression/apparmor/sysv_mq_rcv
+Name: 123
+Command: sysv_mq_rcv
+PID: 15973
+Class: sysv_mqueue
+Epoch: 1654190151
+Audit subid: 1145

libraries/libapparmor/testsuite/test_multi/testcase_mqueue_07.profile

@@ -0,0 +1,4 @@
+/root/apparmor/tests/regression/apparmor/sysv_mq_rcv {
+  mqueue delete type=sysv 123,
+
+}

libraries/libapparmor/testsuite/test_multi/testcase_mqueue_08.in

@@ -0,0 +1 @@
+Jun 02 17:15:55 ubuntu kernel: audit: type=1400 audit(1654190155.699:1155): apparmor="DENIED" operation="sysv_mqueue" profile="/root/apparmor/tests/regression/apparmor/sysv_mq_snd" name="123" pid=16148 comm="sysv_mq_snd" requested="write" denied="write" class="sysv_mqueue" fsuid=1001 ouid=1001

libraries/libapparmor/testsuite/test_multi/testcase_mqueue_08.out

@@ -0,0 +1,16 @@
+START
+File: testcase_mqueue_08.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1654190155.699:1155
+Operation: sysv_mqueue
+Mask: write
+Denied Mask: write
+fsuid: 1001
+ouid: 1001
+Profile: /root/apparmor/tests/regression/apparmor/sysv_mq_snd
+Name: 123
+Command: sysv_mq_snd
+PID: 16148
+Class: sysv_mqueue
+Epoch: 1654190155
+Audit subid: 1155

libraries/libapparmor/testsuite/test_multi/testcase_mqueue_08.profile

@@ -0,0 +1,4 @@
+/root/apparmor/tests/regression/apparmor/sysv_mq_snd {
+  mqueue write type=sysv 123,
+
+}

utils/apparmor/aa.py

@@ -51,6 +51,7 @@ from apparmor.rule.network import NetworkRule
 from apparmor.rule.ptrace import PtraceRule
 from apparmor.rule.signal import SignalRule
 from apparmor.rule.userns import UserNamespaceRule
+from apparmor.rule.mqueue import MessageQueueRule
 from apparmor.translations import init_translation
 
 _ = init_translation()
@@ -1728,6 +1729,14 @@ def collapse_log(hashlog, ignore_null_profiles=True):
                 if not hat_exists or not is_known_rule(aa[profile][hat], 'userns', userns_event):
                     log_dict[aamode][full_profile]['userns'].add(userns_event)
 
+            mqueue = hashlog[aamode][full_profile]['mqueue']
+            for access in mqueue.keys():
+                for mqueue_type in mqueue[access]:
+                    for mqueue_name in mqueue[access][mqueue_type]:
+                        mqueue_event = MessageQueueRule(access, mqueue_type, MessageQueueRule.ALL, mqueue_name, log_event=True)
+                        if not hat_exists or not is_known_rule(aa[profile][hat], 'mqueue', mqueue_event):
+                            log_dict[aamode][full_profile]['mqueue'].add(mqueue_event)
+
     return log_dict
 
 

utils/apparmor/logparser.py

@@ -58,6 +58,7 @@ class ReadLog:
             'ptrace':       hasher(),
             'signal':       hasher(),
             'userns':       hasher(),
+            'mqueue':       hasher(),
         }
 
     def prefetch_next_log_entry(self):
@@ -188,7 +189,12 @@ class ReadLog:
         elif e['class'] and e['class'] == 'namespace':
             if e['denied_mask'].startswith('userns'):
                 self.hashlog[aamode][full_profile]['userns'][e['denied_mask'].removeprefix('userns_')] = True
-            return None
+            return
+
+        elif e['class'] and e['class'].endswith('mqueue'):
+            mqueue_type = e['class'].partition('_')[0]
+            self.hashlog[aamode][full_profile]['mqueue'][e['denied_mask']][mqueue_type][e['name']] = True
+            return
 
         elif self.op_type(e) == 'file':
             # Map c (create) and d (delete) to w (logging is more detailed than the profile language)