mir/apparmor
2
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor synced 2025-08-31 22:35:35 +00:00
Code Issues Releases Wiki Activity

Merge libapparmor: fix debug build of log parsing

Browse Source 
Fix log parsing for void Linux default log format.


Fixes: https://gitlab.com/apparmor/apparmor/-/issues/196
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/799
Georgia Garcia <georgia.garcia@canonical.com>
This commit is contained in:
John Johansen
2021-09-13 22:58:28 +00:00
parent d11f2d5923 b32b898a9a
commit 92d5bec86e
6 changed files with 46 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

41
libraries/libapparmor/src/grammar.y
View File

@@ -38,7 +38,7 @@
#if (YYDEBUG != 0)
#define debug_unused_ /* nothing */
#else
#define no_debug_unused_ unused_
#define debug_unused_ unused_
#endif
aa_log_record *ret_record;
@@ -46,7 +46,7 @@ aa_log_record *ret_record;
/* Since we're a library, on any errors we don't want to print out any
* error messages. We should probably add a debug interface that does
* emit messages when asked for. */
void aalogparse_error(unused_ void *scanner, no_debug_unused_ char const *s)
void aalogparse_error(unused_ void *scanner, debug_unused_ char const *s)
{
#if (YYDEBUG != 0)
printf("ERROR: %s\n", s);
@@ -186,6 +186,7 @@ aa_record_event_type lookup_aa_event(unsigned int type)
%token TOK_KEY_FLAGS
%token TOK_KEY_SRCNAME
%token TOK_SOCKLOGD_KERNEL
%token TOK_SYSLOG_KERNEL
%token TOK_SYSLOG_USER
@@ -232,24 +233,28 @@ dmesg_type: TOK_DMESG_STAMP TOK_AUDIT TOK_COLON key_type audit_id key_list
{ ret_record->version = AA_RECORD_SYNTAX_V2; free($1); }
;
syslog_id: TOK_ID TOK_SYSLOG_KERNEL { free($1); }
| TOK_SOCKLOGD_KERNEL { }
;
syslog_type:
syslog_date TOK_ID TOK_SYSLOG_KERNEL audit_id key_list
{ ret_record->version = AA_RECORD_SYNTAX_V2; free($2); }
| syslog_date TOK_ID TOK_SYSLOG_KERNEL key_type audit_id key_list
{ ret_record->version = AA_RECORD_SYNTAX_V2; free($2); }
| syslog_date TOK_ID TOK_SYSLOG_KERNEL TOK_DMESG_STAMP audit_id key_list
{ ret_record->version = AA_RECORD_SYNTAX_V2; free($2); free($4); }
| syslog_date TOK_ID TOK_SYSLOG_KERNEL TOK_DMESG_STAMP key_type audit_id key_list
{ ret_record->version = AA_RECORD_SYNTAX_V2; free($2); free($4); }
syslog_date syslog_id audit_id key_list
{ ret_record->version = AA_RECORD_SYNTAX_V2; }
| syslog_date syslog_id key_type audit_id key_list
{ ret_record->version = AA_RECORD_SYNTAX_V2; }
| syslog_date syslog_id TOK_DMESG_STAMP audit_id key_list
{ ret_record->version = AA_RECORD_SYNTAX_V2; free($3); }
| syslog_date syslog_id TOK_DMESG_STAMP key_type audit_id key_list
{ ret_record->version = AA_RECORD_SYNTAX_V2; free($3); }
/* needs update: hard newline in handling mutiline log messages */
| syslog_date TOK_ID TOK_SYSLOG_KERNEL TOK_DMESG_STAMP TOK_AUDIT TOK_COLON key_type audit_id audit_user_msg_partial_tail
{ ret_record->version = AA_RECORD_SYNTAX_V2; free($2); }
| syslog_date TOK_ID TOK_SYSLOG_KERNEL TOK_DMESG_STAMP TOK_AUDIT TOK_COLON key_type audit_id audit_user_msg_tail
{ ret_record->version = AA_RECORD_SYNTAX_V2; free($2); }
| syslog_date TOK_ID TOK_SYSLOG_KERNEL TOK_DMESG_STAMP TOK_AUDIT TOK_COLON key_type audit_id key_list
{ ret_record->version = AA_RECORD_SYNTAX_V2; free($2); free($4); }
| syslog_date TOK_ID TOK_SYSLOG_KERNEL TOK_AUDIT TOK_COLON key_type audit_id key_list
{ ret_record->version = AA_RECORD_SYNTAX_V2; free($2); }
| syslog_date syslog_id TOK_DMESG_STAMP TOK_AUDIT TOK_COLON key_type audit_id audit_user_msg_partial_tail
{ ret_record->version = AA_RECORD_SYNTAX_V2; free($3); }
| syslog_date syslog_id TOK_DMESG_STAMP TOK_AUDIT TOK_COLON key_type audit_id audit_user_msg_tail
{ ret_record->version = AA_RECORD_SYNTAX_V2; free($3); }
| syslog_date syslog_id TOK_DMESG_STAMP TOK_AUDIT TOK_COLON key_type audit_id key_list
{ ret_record->version = AA_RECORD_SYNTAX_V2; free($3); }
| syslog_date syslog_id TOK_AUDIT TOK_COLON key_type audit_id key_list
{ ret_record->version = AA_RECORD_SYNTAX_V2; }
| syslog_date TOK_ID TOK_SYSLOG_USER key_list
{ ret_record->version = AA_RECORD_SYNTAX_V2; free($2); }
;

3
libraries/libapparmor/src/scanner.l
View File

@@ -172,6 +172,7 @@ audit "audit"
ip_addr [a-f[:digit:].:]{3,}
/* syslog tokens */
socklogd_kernel kern.notice{colon}
syslog_kernel kernel{colon}
syslog_user [[:alnum:]_-]+\[[[:digit:]]+\]{colon}
syslog_yyyymmdd {digit}{4}{minus}{digit}{2}{minus}{digit}{2}
@@ -351,6 +352,7 @@ yy_flex_debug = 0;
{key_flags} { BEGIN(safe_string); return(TOK_KEY_FLAGS); }
{key_srcname} { BEGIN(safe_string); return(TOK_KEY_SRCNAME); }
{socklogd_kernel} { BEGIN(dmesg_timestamp); return(TOK_SOCKLOGD_KERNEL); }
{syslog_kernel} { BEGIN(dmesg_timestamp); return(TOK_SYSLOG_KERNEL); }
{syslog_user} { return(TOK_SYSLOG_USER); }
{syslog_month} { yylval->t_str = strdup(yytext); return(TOK_DATE_MONTH); }
@@ -365,6 +367,7 @@ yy_flex_debug = 0;
<hostname>{
{ws}+ { /* eat whitespace */ }
{socklogd_kernel} { BEGIN(dmesg_timestamp); return(TOK_SOCKLOGD_KERNEL); }
{syslog_hostname} { yylval->t_str = strdup(yytext); BEGIN(INITIAL); return(TOK_ID); }
}

0
libraries/libapparmor/testsuite/test_multi/testcase_socklogd_mkdir.err Normal file
View File

1
libraries/libapparmor/testsuite/test_multi/testcase_socklogd_mkdir.in Normal file
View File

@@ -0,0 +1 @@
2021-09-11T20:57:41.91645 kern.notice: [ 469.180605] audit: type=1400 audit(1631392703.952:3): apparmor="ALLOWED" operation="mkdir" profile="/usr/sbin/sshd" name="/run/user/1000/kakoune/" pid=2545 comm="sshd" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000

15
libraries/libapparmor/testsuite/test_multi/testcase_socklogd_mkdir.out Normal file
View File

@@ -0,0 +1,15 @@
START
File: testcase_socklogd_mkdir.in
Event type: AA_RECORD_ALLOWED
Audit ID: 1631392703.952:3
Operation: mkdir
Mask: c
Denied Mask: c
fsuid: 1000
ouid: 1000
Profile: /usr/sbin/sshd
Name: /run/user/1000/kakoune/
Command: sshd
PID: 2545
Epoch: 1631392703
Audit subid: 3

4
libraries/libapparmor/testsuite/test_multi/testcase_socklogd_mkdir.profile Normal file
View File

@@ -0,0 +1,4 @@
/usr/sbin/sshd {
owner /run/user/1000/kakoune/ w,
}