From a6a88a4dd7ec9fd59b01c27f8cd40f653386107b Mon Sep 17 00:00:00 2001
From: Steve Beattie
Date: Fri, 14 Sep 2007 14:00:48 +0000
Subject: [PATCH] This patch adds support to the logparsing library for the type=15xx flags when events come through the audit subsystem. It also fixes the case where the audit daemon has not been configured with apparmor support and the events are reported as type=UNKNOWN[15xx]. It also fixes the testsuite dependencies so that they will get relinked when the library changes.
---
 changehat/libapparmor/doc/Makefile.am | 2 ++
 changehat/libapparmor/src/grammar.y | 32 ++++++++++++++++++-
 changehat/libapparmor/src/parser.h | 9 ++++++
 changehat/libapparmor/src/scanner.l | 9 ++++++
 changehat/libapparmor/testsuite/Makefile.am | 3 +-
 .../testsuite/test_multi/testcase12.err | 0
 .../testsuite/test_multi/testcase12.in | 1 +
 .../testsuite/test_multi/testcase12.out | 20 ++++++++++++
 .../testsuite/test_multi/testcase13.err | 0
 .../testsuite/test_multi/testcase13.in | 1 +
 .../testsuite/test_multi/testcase13.out | 20 ++++++++++++
 11 files changed, 95 insertions(+), 2 deletions(-)
 create mode 100644 changehat/libapparmor/testsuite/test_multi/testcase12.err
 create mode 100644 changehat/libapparmor/testsuite/test_multi/testcase12.in
 create mode 100644 changehat/libapparmor/testsuite/test_multi/testcase12.out
 create mode 100644 changehat/libapparmor/testsuite/test_multi/testcase13.err
 create mode 100644 changehat/libapparmor/testsuite/test_multi/testcase13.in
 create mode 100644 changehat/libapparmor/testsuite/test_multi/testcase13.out
diff --git a/changehat/libapparmor/doc/Makefile.am b/changehat/libapparmor/doc/Makefile.am
index 6c775c426..74c8366d4 100644
--- a/changehat/libapparmor/doc/Makefile.am
+++ b/changehat/libapparmor/doc/Makefile.am
@@ -1,3 +1,5 @@
+## Process this file with automake to produce Makefile.in
+
 POD2MAN = pod2man
 man_MANS = aa_change_hat.2
diff --git a/changehat/libapparmor/src/grammar.y b/changehat/libapparmor/src/grammar.y
index a3dfc0a87..c2ae84b06 100644
--- a/changehat/libapparmor/src/grammar.y
+++ b/changehat/libapparmor/src/grammar.y
@@ -30,6 +30,32 @@ void aalogparse_error(void *scanner, char const *s)
 {
 printf("Error: %s\n", s);
 }
+
+struct aa_type_table {
+ unsigned int audit_type;
+ aa_record_event_type event;
+};
+
+static struct aa_type_table aa_type_table[] = {
+ {AUDIT_APPARMOR_AUDIT, AA_RECORD_AUDIT},
+ {AUDIT_APPARMOR_ALLOWED, AA_RECORD_ALLOWED},
+ {AUDIT_APPARMOR_DENIED, AA_RECORD_DENIED},
+ {AUDIT_APPARMOR_HINT, AA_RECORD_HINT},
+ {AUDIT_APPARMOR_STATUS, AA_RECORD_STATUS},
+ {AUDIT_APPARMOR_ERROR, AA_RECORD_ERROR},
+ {0, AA_RECORD_INVALID},
+};
+
+aa_record_event_type lookup_aa_event(unsigned int type)
+{
+ int i;
+
+ for (i = 0; aa_type_table[i].audit_type != 0; i++)
+ if (type == aa_type_table[i].audit_type)
+ break;
+
+ return aa_type_table[i].event;
+}
 %}
 %defines
@@ -44,7 +70,7 @@ void aalogparse_error(void *scanner, char const *s)
 }
 %type old_profile;
-%token TOK_DIGITS
+%token TOK_DIGITS TOK_TYPE_UNKNOWN
 %token TOK_QUOTED_STRING TOK_PATH TOK_ID TOK_NULL_COMPLAIN TOK_MODE TOK_SINGLE_QUOTED_STRING TOK_AUDIT_DIGITS
 %token TOK_EQUALS
@@ -59,6 +85,7 @@ void aalogparse_error(void *scanner, char const *s)
 %token TOK_TYPE_HINT
 %token TOK_TYPE_STATUS
 %token TOK_TYPE_ERROR
+%token TOK_TYPE_UNKNOWN
 %token TOK_OLD_TYPE_APPARMOR
 %token TOK_OLD_APPARMOR_REJECT
 %token TOK_OLD_APPARMOR_PERMIT
@@ -118,6 +145,7 @@ new_syntax:
 | TOK_TYPE_HINT audit_msg key { ret_record->event = AA_RECORD_HINT; }
 | TOK_TYPE_STATUS audit_msg key { ret_record->event = AA_RECORD_STATUS; }
 | TOK_TYPE_ERROR audit_msg key { ret_record->event = AA_RECORD_ERROR; }
+ | TOK_TYPE_UNKNOWN audit_msg key { ret_record->event = lookup_aa_event($1); }
 ;
 old_msg:
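Review bot: `lookup_aa_event` is defined with external linkage while the table it walks is `static`, and the parser.h hunk in this patch adds only the AUDIT_APPARMOR_* macros and no prototype, so any other translation unit could reach it only through an implicit declaration and -Wmissing-prototypes will warn on grammar.c; either make it `static aa_record_event_type lookup_aa_event(unsigned int type)` to match the table or add the prototype to parser.h. Both call sites in this patch (`$1` in new_syntax and `$3` in key_list) presumably hand it a `long`, since the scanner stores the bracketed number in `yylval->t_long`, so values above UINT_MAX are truncated before the comparison; that is harmless here because every non-table value falls through to the `{0, AA_RECORD_INVALID}` sentinel, but it means an unrecognised 15xx number parses successfully yet is indistinguishable from a malformed record. A header comment should state that contract, e.g. `/* Map a numeric audit record type (AUDIT_APPARMOR_*) to the library's event enum; anything not in the table yields AA_RECORD_INVALID. */`.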
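Review bot: The bare `%token TOK_TYPE_UNKNOWN` added in the hunk at @@ -59 duplicates the declaration already added to the `%token ... TOK_DIGITS TOK_TYPE_UNKNOWN` line in the hunk at @@ -44; bison tolerates the redeclaration as long as the types agree, but it is the typed declaration that the `$1` use in new_syntax depends on, and a second untyped one invites a later edit to diverge. Drop the line in the per-type list and keep the token on the typed `%token` line (the angle-bracket type tags have not survived this rendering of the patch, as `%type old_profile;` shows, so confirm the tag is present in the file).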
@@ -353,6 +381,8 @@ key_list: TOK_KEY_OPERATION TOK_EQUALS TOK_QUOTED_STRING
 { ret_record->net_sock_type = strdup($3); free($3); }
 | TOK_KEY_PROTOCOL TOK_EQUALS TOK_QUOTED_STRING
 { ret_record->net_protocol = strdup($3); free($3);}
+ | TOK_KEY_TYPE TOK_EQUALS TOK_DIGITS
+ { ret_record->event = lookup_aa_event($3);}
 ;
 %%
diff --git a/changehat/libapparmor/src/parser.h b/changehat/libapparmor/src/parser.h
index ae01f956f..eee920a28 100644
--- a/changehat/libapparmor/src/parser.h
+++ b/changehat/libapparmor/src/parser.h
@@ -22,5 +22,14 @@ extern void _init_log_record(aa_log_record *record);
 extern aa_log_record *_parse_yacc(char *str);
+/* FIXME: this ought to be pulled from but there's no
+ * guarantee these will exist there. */
+#define AUDIT_APPARMOR_AUDIT 1501 /* AppArmor audited grants */
+#define AUDIT_APPARMOR_ALLOWED 1502 /* Allowed Access for learning */
+#define AUDIT_APPARMOR_DENIED 1503
+#define AUDIT_APPARMOR_HINT 1504 /* Process Tracking information */
+#define AUDIT_APPARMOR_STATUS 1505 /* Changes in config */
+#define AUDIT_APPARMOR_ERROR 1506 /* Internal AppArmor Errors */
+
 #endif
diff --git a/changehat/libapparmor/src/scanner.l b/changehat/libapparmor/src/scanner.l
index 199235c92..f945bc0da 100644
--- a/changehat/libapparmor/src/scanner.l
+++ b/changehat/libapparmor/src/scanner.l
@@ -25,6 +25,8 @@
 %{
 #include "grammar.h"
+#include "aalogparse.h"
+#include "parser.h"
 %}
 ws [ \t\r\n]
@@ -46,6 +48,7 @@ complain_type "APPARMOR_ALLOWED"
 hint_type "APPARMOR_HINT"
 status_type "APPARMOR_STATUS"
 error_type "APPARMOR_ERROR"
+unknown_type UNKNOWN\[{digits}+\]
 /* Old message tokens */
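Review bot: The new `TOK_KEY_TYPE TOK_EQUALS TOK_DIGITS` alternative overwrites `ret_record->event` unconditionally, so in a record like testcase12 (`type=APPARMOR_DENIED ... type=1503`) the inner numeric field silently takes precedence over the leading type token, and an inner number outside the 1501–1506 table downgrades an otherwise valid record to AA_RECORD_INVALID with no error reported. Prefer to keep the event already established when the lookup fails, `{ aa_record_event_type e = lookup_aa_event($3);` / `if (e != AA_RECORD_INVALID) ret_record->event = e; }`, and add a test case in which the two fields disagree so the intended precedence is pinned rather than accidental. The key_list rule begins outside this hunk.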
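Review bot: The six `AUDIT_APPARMOR_*` macros are defined unconditionally, so a translation unit that also includes the system audit header the FIXME refers to (its name has been lost in this rendering of the patch) will see redefinition warnings, or errors if the values ever differ, once that header carries the same names; wrapping the block in `#ifndef AUDIT_APPARMOR_AUDIT` … `#endif` keeps the local fallback while deferring to the system definition when present. `AUDIT_APPARMOR_DENIED` is also the only entry without a trailing comment; add one such as `/* Denied access */` so the table reads uniformly.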
@@ -186,6 +189,12 @@ char *string_buf_ptr = string_buf; /* assignment to quiet gcc warning */
 {hint_type} { return(TOK_TYPE_HINT); }
 {status_type} { return(TOK_TYPE_STATUS); }
 {error_type} { return(TOK_TYPE_ERROR); }
+{unknown_type} { char *yptr = yytext;
+ while (*yptr && *yptr != '[')
+ yptr++;
+ yylval->t_long = atol(yptr + 1); /* skip '[' */
+ return(TOK_TYPE_UNKNOWN);
+ }
 {period} { return(TOK_PERIOD); }
 {old_apparmor_type} { return(TOK_OLD_TYPE_APPARMOR); }
diff --git a/changehat/libapparmor/testsuite/Makefile.am b/changehat/libapparmor/testsuite/Makefile.am
index cec81541c..d6476fbfd 100644
--- a/changehat/libapparmor/testsuite/Makefile.am
+++ b/changehat/libapparmor/testsuite/Makefile.am
@@ -11,7 +11,8 @@ noinst_PROGRAMS = test_multi.multi
 test_multi_multi_SOURCES = test_multi.c
 test_multi_multi_CFLAGS = $(CFLAGS) -Wall
-test_multi_multi_LDFLAGS = $(LDFLAGS) ../src/.libs/libapparmor.a
+test_multi_multi_LDFLAGS = $(LDFLAGS)
+test_multi_multi_LDADD = ../src/.libs/libapparmor.a
 clean-local:
 rm -f tmp.err.* tmp.out.* site.exp site.bak
diff --git a/changehat/libapparmor/testsuite/test_multi/testcase12.err b/changehat/libapparmor/testsuite/test_multi/testcase12.err
new file mode 100644
index 000000000..e69de29bb
diff --git a/changehat/libapparmor/testsuite/test_multi/testcase12.in b/changehat/libapparmor/testsuite/test_multi/testcase12.in
new file mode 100644
index 000000000..443a5dffe
--- /dev/null
+++ b/changehat/libapparmor/testsuite/test_multi/testcase12.in
@@ -0,0 +1 @@
+type=APPARMOR_DENIED msg=audit(1181057184.959:7): type=1503 operation="exec" denied_mask="x" name="/bin/ping" pid=31938 profile="/bin/ping" name2="ping2" requested_mask="rwx" attribute="attr" task="something" parent="something" magic_token=29493 info="Information" protocol="tcp" family="family" sock_type="unknown(1234)"
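Review bot: `atol(yptr + 1)` in the `{unknown_type}` action has undefined behaviour when the digit run does not fit in a `long`, and the pattern `UNKNOWN\[{digits}+\]` places no bound on that run, so a malformed log line is enough to reach it; `strtol` saturates to LONG_MAX/LONG_MIN and sets ERANGE instead, after which the lookup harmlessly yields AA_RECORD_INVALID. The hand-rolled scan for `'['` can become a library call at the same time, `yylval->t_long = strtol(strchr(yytext, '[') + 1, NULL, 10); /* skip '[' */`, where strchr cannot return NULL because the pattern requires the bracket. The prologue hunk at @@ -25 shows only project headers, so confirm `<string.h>` is in scope for strchr (atol and strtol share `<stdlib.h>`).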
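Review bot: `test_multi_multi_LDFLAGS = $(LDFLAGS)` is redundant if I read automake's per-target rules correctly: the link command already appends `$(LDFLAGS)` after the per-target `_LDFLAGS`, so the user's flags are passed twice (the `$(CFLAGS)` in the `_CFLAGS` context line has the same problem). The relink dependency the commit message wants comes from `test_multi_multi_LDADD = ../src/.libs/libapparmor.a` alone, so the `_LDFLAGS` line can be dropped; pointing LDADD at the libtool archive `../src/libapparmor.la` rather than the `.libs/` internal would also let automake track the dependency without reaching into libtool's private directory.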
diff --git a/changehat/libapparmor/testsuite/test_multi/testcase12.out b/changehat/libapparmor/testsuite/test_multi/testcase12.out
new file mode 100644
index 000000000..ed4363bad
--- /dev/null
+++ b/changehat/libapparmor/testsuite/test_multi/testcase12.out
@@ -0,0 +1,20 @@
+START
+File: test_multi/testcase12.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1181057184.959:7
+Operation: exec
+Mask: rwx
+Denied Mask: x
+Profile: /bin/ping
+Name: /bin/ping
+Name2: ping2
+Attribute: attr
+Parent: something
+Token: 29493
+Info: Information
+PID: 31938
+Network family: family
+Socket type: unknown(1234)
+Protocol: tcp
+Epoch: 1181057184
+Audit subid: 7
diff --git a/changehat/libapparmor/testsuite/test_multi/testcase13.err b/changehat/libapparmor/testsuite/test_multi/testcase13.err
new file mode 100644
index 000000000..e69de29bb
diff --git a/changehat/libapparmor/testsuite/test_multi/testcase13.in b/changehat/libapparmor/testsuite/test_multi/testcase13.in
new file mode 100644
index 000000000..089453045
--- /dev/null
+++ b/changehat/libapparmor/testsuite/test_multi/testcase13.in
@@ -0,0 +1 @@
+type=UNKNOWN[1503] msg=audit(1181057184.959:7): operation="exec" denied_mask="x" name="/bin/ping" pid=31938 profile="/bin/ping" name2="ping2" requested_mask="rwx" attribute="attr" task="something" parent="something" magic_token=29493 info="Information" protocol="tcp" family="family" sock_type="unknown(1234)"
diff --git a/changehat/libapparmor/testsuite/test_multi/testcase13.out b/changehat/libapparmor/testsuite/test_multi/testcase13.out
new file mode 100644
index 000000000..879aa50df
--- /dev/null
+++ b/changehat/libapparmor/testsuite/test_multi/testcase13.out
@@ -0,0 +1,20 @@
+START
+File: test_multi/testcase13.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1181057184.959:7
+Operation: exec
+Mask: rwx
+Denied Mask: x
+Profile: /bin/ping
+Name: /bin/ping
+Name2: ping2
+Attribute: attr
+Parent: something
+Token: 29493
+Info: Information
+PID: 31938
+Network family: family
+Socket type: unknown(1234)
+Protocol: tcp
+Epoch: 1181057184
+Audit subid: 7