diff --git a/changehat/libapparmor/doc/Makefile.am b/changehat/libapparmor/doc/Makefile.am
index 6c775c426..74c8366d4 100644
--- a/changehat/libapparmor/doc/Makefile.am
+++ b/changehat/libapparmor/doc/Makefile.am
@@ -1,3 +1,5 @@
+## Process this file with automake to produce Makefile.in
+
 POD2MAN = pod2man
 man_MANS = aa_change_hat.2
diff --git a/changehat/libapparmor/src/grammar.y b/changehat/libapparmor/src/grammar.y
index a3dfc0a87..c2ae84b06 100644
--- a/changehat/libapparmor/src/grammar.y
+++ b/changehat/libapparmor/src/grammar.y
@@ -30,6 +30,32 @@ void aalogparse_error(void *scanner, char const *s)
 {
 printf("Error: %s\n", s);
 }
+
+struct aa_type_table {
+ unsigned int audit_type;
+ aa_record_event_type event;
+};
+
+static struct aa_type_table aa_type_table[] = {
+ {AUDIT_APPARMOR_AUDIT, AA_RECORD_AUDIT},
+ {AUDIT_APPARMOR_ALLOWED, AA_RECORD_ALLOWED},
+ {AUDIT_APPARMOR_DENIED, AA_RECORD_DENIED},
+ {AUDIT_APPARMOR_HINT, AA_RECORD_HINT},
+ {AUDIT_APPARMOR_STATUS, AA_RECORD_STATUS},
+ {AUDIT_APPARMOR_ERROR, AA_RECORD_ERROR},
+ {0, AA_RECORD_INVALID},
+};
+
+aa_record_event_type lookup_aa_event(unsigned int type)
+{
+ int i;
+
+ for (i = 0; aa_type_table[i].audit_type != 0; i++)
+ if (type == aa_type_table[i].audit_type)
+ break;
+
+ return aa_type_table[i].event;
+}
 %}
 %defines
@@ -44,7 +70,7 @@ void aalogparse_error(void *scanner, char const *s)
 }
 %type old_profile;
-%token TOK_DIGITS
+%token TOK_DIGITS TOK_TYPE_UNKNOWN
 %token TOK_QUOTED_STRING TOK_PATH TOK_ID TOK_NULL_COMPLAIN TOK_MODE TOK_SINGLE_QUOTED_STRING TOK_AUDIT_DIGITS
 %token TOK_EQUALS
@@ -59,6 +85,7 @@ void aalogparse_error(void *scanner, char const *s)
 %token TOK_TYPE_HINT
 %token TOK_TYPE_STATUS
 %token TOK_TYPE_ERROR
+%token TOK_TYPE_UNKNOWN
 %token TOK_OLD_TYPE_APPARMOR
 %token TOK_OLD_APPARMOR_REJECT
 %token TOK_OLD_APPARMOR_PERMIT
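Review bot: `lookup_aa_event` in the -30,6 hunk is given external linkage with no prototype anywhere in the patch, while the table it walks is `static`; unless a header outside this diff declares it, make it `static aa_record_event_type lookup_aa_event(unsigned int type)` so the symbol does not become part of the library's exported surface and `-Wmissing-prototypes` stays quiet. Both grammar actions that call it pass a scanner-filled `t_long` (the scanner stores the result of `atol`), so the `unsigned int` parameter silently narrows any value outside that range before the comparison; a narrowed value that happens to equal one of the 150x ids would then be reported as a real event, so either take `long` or document the narrowing. A one-line comment on the table, e.g. `/* terminated by an audit_type of 0; ids not in the table fall through to AA_RECORD_INVALID */`, would make the sentinel contract the function relies on explicit.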
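Review bot: `TOK_TYPE_UNKNOWN` is declared twice: once appended to the `TOK_DIGITS` line in the -44,7 hunk and again as a bare `%token TOK_TYPE_UNKNOWN` in the -59,6 hunk. The rendered text has lost any `<...>` semantic-value tags, so I cannot see which declaration carries the type, but the new_syntax action uses `$1`, so the typed one on the `TOK_DIGITS` line is the one that matters; the second, untyped declaration is redundant at best and a redeclaration warning at worst. Drop the `+%token TOK_TYPE_UNKNOWN` line from the -59,6 hunk.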
@@ -118,6 +145,7 @@ new_syntax:
 | TOK_TYPE_HINT audit_msg key { ret_record->event = AA_RECORD_HINT; }
 | TOK_TYPE_STATUS audit_msg key { ret_record->event = AA_RECORD_STATUS; }
 | TOK_TYPE_ERROR audit_msg key { ret_record->event = AA_RECORD_ERROR; }
+ | TOK_TYPE_UNKNOWN audit_msg key { ret_record->event = lookup_aa_event($1); }
 ;
 old_msg:
@@ -353,6 +381,8 @@ key_list: TOK_KEY_OPERATION TOK_EQUALS TOK_QUOTED_STRING
 { ret_record->net_sock_type = strdup($3); free($3); }
 | TOK_KEY_PROTOCOL TOK_EQUALS TOK_QUOTED_STRING
 { ret_record->net_protocol = strdup($3); free($3);}
+ | TOK_KEY_TYPE TOK_EQUALS TOK_DIGITS
+ { ret_record->event = lookup_aa_event($3);}
 ;
 %%
diff --git a/changehat/libapparmor/src/parser.h b/changehat/libapparmor/src/parser.h
index ae01f956f..eee920a28 100644
--- a/changehat/libapparmor/src/parser.h
+++ b/changehat/libapparmor/src/parser.h
@@ -22,5 +22,14 @@ extern void _init_log_record(aa_log_record *record);
 extern aa_log_record *_parse_yacc(char *str);
+/* FIXME: this ought to be pulled from but there's no
+ * guarantee these will exist there. */
+#define AUDIT_APPARMOR_AUDIT 1501 /* AppArmor audited grants */
+#define AUDIT_APPARMOR_ALLOWED 1502 /* Allowed Access for learning */
+#define AUDIT_APPARMOR_DENIED 1503
+#define AUDIT_APPARMOR_HINT 1504 /* Process Tracking information */
+#define AUDIT_APPARMOR_STATUS 1505 /* Changes in config */
+#define AUDIT_APPARMOR_ERROR 1506 /* Internal AppArmor Errors */
+
 #endif
diff --git a/changehat/libapparmor/src/scanner.l b/changehat/libapparmor/src/scanner.l
index 199235c92..f945bc0da 100644
--- a/changehat/libapparmor/src/scanner.l
+++ b/changehat/libapparmor/src/scanner.l
@@ -25,6 +25,8 @@
 %{
 #include "grammar.h"
+#include "aalogparse.h"
+#include "parser.h"
 %}
 ws [ \t\r\n]
@@ -46,6 +48,7 @@ complain_type "APPARMOR_ALLOWED"
 hint_type "APPARMOR_HINT"
 status_type "APPARMOR_STATUS"
 error_type "APPARMOR_ERROR"
+unknown_type UNKNOWN\[{digits}+\]
 /* Old message tokens */
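Review bot: The event assigned by the new `type=` key in key_list (the -353,6 hunk) is overwritten by the enclosing new_syntax actions, because bison runs the `TOK_TYPE_UNKNOWN audit_msg key` action only after `key` has been reduced; for testcase12 that means `type=1503` contributes nothing and `AA_RECORD_DENIED` comes from the `APPARMOR_DENIED` header, and for a line whose header and `type=` key disagree the header silently wins. If that precedence is intended, say so where the lookup happens, e.g. `/* the header type wins over an in-message type= key: this runs after key_list */`; if the in-message key was meant to refine an `UNKNOWN[...]` header, the new_syntax action must not unconditionally assign. The `$1` here also presumes `TOK_TYPE_UNKNOWN` shares the semantic-value type of `TOK_DIGITS`, which the rendered text does not show.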
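Review bot: The FIXME above the new `AUDIT_APPARMOR_*` defines in parser.h has lost its header name (`pulled from but there's no`), so a reader cannot tell which system header these values are meant to track; presumably the kernel audit header, and the comment should name it. Since the values are hard-coded here, a later include of that header would redefine the macros, so wrap the block in `#ifndef AUDIT_APPARMOR_AUDIT` / `#endif` and note that grammar.y's `aa_type_table` must be extended whenever a value is added here. `AUDIT_APPARMOR_DENIED` is also the only entry without a trailing comment, unlike its siblings.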
@@ -186,6 +189,12 @@ char *string_buf_ptr = string_buf; /* assignment to quiet gcc warning */
 {hint_type} { return(TOK_TYPE_HINT); }
 {status_type} { return(TOK_TYPE_STATUS); }
 {error_type} { return(TOK_TYPE_ERROR); }
+{unknown_type} { char *yptr = yytext;
+ while (*yptr && *yptr != '[')
+ yptr++;
+ yylval->t_long = atol(yptr + 1); /* skip '[' */
+ return(TOK_TYPE_UNKNOWN);
+ }
 {period} { return(TOK_PERIOD); }
 {old_apparmor_type} { return(TOK_OLD_TYPE_APPARMOR); }
diff --git a/changehat/libapparmor/testsuite/Makefile.am b/changehat/libapparmor/testsuite/Makefile.am
index cec81541c..d6476fbfd 100644
--- a/changehat/libapparmor/testsuite/Makefile.am
+++ b/changehat/libapparmor/testsuite/Makefile.am
@@ -11,7 +11,8 @@ noinst_PROGRAMS = test_multi.multi
 test_multi_multi_SOURCES = test_multi.c
 test_multi_multi_CFLAGS = $(CFLAGS) -Wall
-test_multi_multi_LDFLAGS = $(LDFLAGS) ../src/.libs/libapparmor.a
+test_multi_multi_LDFLAGS = $(LDFLAGS)
+test_multi_multi_LDADD = ../src/.libs/libapparmor.a
 clean-local:
 rm -f tmp.err.* tmp.out.* site.exp site.bak
diff --git a/changehat/libapparmor/testsuite/test_multi/testcase12.err b/changehat/libapparmor/testsuite/test_multi/testcase12.err
new file mode 100644
index 000000000..e69de29bb
diff --git a/changehat/libapparmor/testsuite/test_multi/testcase12.in b/changehat/libapparmor/testsuite/test_multi/testcase12.in
new file mode 100644
index 000000000..443a5dffe
--- /dev/null
+++ b/changehat/libapparmor/testsuite/test_multi/testcase12.in
@@ -0,0 +1 @@
+type=APPARMOR_DENIED msg=audit(1181057184.959:7): type=1503 operation="exec" denied_mask="x" name="/bin/ping" pid=31938 profile="/bin/ping" name2="ping2" requested_mask="rwx" attribute="attr" task="something" parent="something" magic_token=29493 info="Information" protocol="tcp" family="family" sock_type="unknown(1234)"
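Review bot: `atol(yptr + 1)` in the new `{unknown_type}` action has undefined behaviour when the digit run inside `UNKNOWN[...]` does not fit in a `long`, and the `{digits}+` pattern puts no bound on that run; audit lines are external input to this library, so the conversion should be `strtol` with an `ERANGE` check rather than `atol`. Mapping an unrepresentable id to 0 is a safe fallback because `lookup_aa_event` in grammar.y stops at its `{0, AA_RECORD_INVALID}` sentinel for that value. `<errno.h>` must be included in the scanner prologue if it is not already; I cannot see the prologue's include list beyond the two headers this patch adds. The rewritten rule is below.
```lex
{unknown_type}	{ char *yptr = yytext;
		  while (*yptr && *yptr != '[')
			yptr++;
		  errno = 0;
		  yylval->t_long = strtol(yptr + 1, NULL, 10); /* skip '[' */
		  if (errno == ERANGE)
			yylval->t_long = 0; /* unrepresentable id: lookup_aa_event() maps 0 to AA_RECORD_INVALID */
		  return(TOK_TYPE_UNKNOWN);
		}
```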
diff --git a/changehat/libapparmor/testsuite/test_multi/testcase12.out b/changehat/libapparmor/testsuite/test_multi/testcase12.out
new file mode 100644
index 000000000..ed4363bad
--- /dev/null
+++ b/changehat/libapparmor/testsuite/test_multi/testcase12.out
@@ -0,0 +1,20 @@
+START
+File: test_multi/testcase12.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1181057184.959:7
+Operation: exec
+Mask: rwx
+Denied Mask: x
+Profile: /bin/ping
+Name: /bin/ping
+Name2: ping2
+Attribute: attr
+Parent: something
+Token: 29493
+Info: Information
+PID: 31938
+Network family: family
+Socket type: unknown(1234)
+Protocol: tcp
+Epoch: 1181057184
+Audit subid: 7
diff --git a/changehat/libapparmor/testsuite/test_multi/testcase13.err b/changehat/libapparmor/testsuite/test_multi/testcase13.err
new file mode 100644
index 000000000..e69de29bb
diff --git a/changehat/libapparmor/testsuite/test_multi/testcase13.in b/changehat/libapparmor/testsuite/test_multi/testcase13.in
new file mode 100644
index 000000000..089453045
--- /dev/null
+++ b/changehat/libapparmor/testsuite/test_multi/testcase13.in
@@ -0,0 +1 @@
+type=UNKNOWN[1503] msg=audit(1181057184.959:7): operation="exec" denied_mask="x" name="/bin/ping" pid=31938 profile="/bin/ping" name2="ping2" requested_mask="rwx" attribute="attr" task="something" parent="something" magic_token=29493 info="Information" protocol="tcp" family="family" sock_type="unknown(1234)"
diff --git a/changehat/libapparmor/testsuite/test_multi/testcase13.out b/changehat/libapparmor/testsuite/test_multi/testcase13.out
new file mode 100644
index 000000000..879aa50df
--- /dev/null
+++ b/changehat/libapparmor/testsuite/test_multi/testcase13.out
@@ -0,0 +1,20 @@
+START
+File: test_multi/testcase13.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1181057184.959:7
+Operation: exec
+Mask: rwx
+Denied Mask: x
+Profile: /bin/ping
+Name: /bin/ping
+Name2: ping2
+Attribute: attr
+Parent: something
+Token: 29493
+Info: Information
+PID: 31938
+Network family: family
+Socket type: unknown(1234)
+Protocol: tcp
+Epoch: 1181057184
+Audit subid: 7