This patch adds support to the logparsing library for the type=15xx

flags when events come through the audit subsystem. It also fixes the case where the audit daemon has not been configured with apparmor support and the events are reported as type=UNKNOWN[15xx]. It also fixes the testsuite dependencies so that they will get relinked when the library changes.
2025-08-30 13:58:22 +00:00 · 2007-09-14 14:00:48 +00:00
parent 16758ebdaa
commit a6a88a4dd7
11 changed files with 95 additions and 2 deletions
--- a/changehat/libapparmor/doc/Makefile.am
+++ b/changehat/libapparmor/doc/Makefile.am
@@ -1,3 +1,5 @@
+## Process this file with automake to produce Makefile.in
+
 POD2MAN = pod2man

 man_MANS = aa_change_hat.2
--- a/changehat/libapparmor/src/grammar.y
+++ b/changehat/libapparmor/src/grammar.y
@@ -30,6 +30,32 @@ void aalogparse_error(void *scanner, char const *s)
 {
 	printf("Error: %s\n", s);
 }
+
+struct aa_type_table {
+	unsigned int audit_type;
+	aa_record_event_type event;
+};
+
+static struct aa_type_table aa_type_table[] = {
+	{AUDIT_APPARMOR_AUDIT,   AA_RECORD_AUDIT},
+	{AUDIT_APPARMOR_ALLOWED, AA_RECORD_ALLOWED},
+	{AUDIT_APPARMOR_DENIED,  AA_RECORD_DENIED},
+	{AUDIT_APPARMOR_HINT,    AA_RECORD_HINT},
+	{AUDIT_APPARMOR_STATUS,  AA_RECORD_STATUS},
+	{AUDIT_APPARMOR_ERROR,   AA_RECORD_ERROR},
+	{0,                      AA_RECORD_INVALID},
+};
+
+aa_record_event_type lookup_aa_event(unsigned int type)
+{
+	int i;
+
+	for (i = 0; aa_type_table[i].audit_type != 0; i++)
+		if (type == aa_type_table[i].audit_type)
+			break;
+
+	return aa_type_table[i].event;
+}
 %}

 %defines
@@ -44,7 +70,7 @@ void aalogparse_error(void *scanner, char const *s)
 }

 %type <t_str> old_profile;
-%token <t_long> TOK_DIGITS
+%token <t_long> TOK_DIGITS TOK_TYPE_UNKNOWN
 %token <t_str> TOK_QUOTED_STRING TOK_PATH TOK_ID TOK_NULL_COMPLAIN TOK_MODE TOK_SINGLE_QUOTED_STRING TOK_AUDIT_DIGITS

 %token TOK_EQUALS
@@ -59,6 +85,7 @@ void aalogparse_error(void *scanner, char const *s)
 %token TOK_TYPE_HINT
 %token TOK_TYPE_STATUS
 %token TOK_TYPE_ERROR
+%token TOK_TYPE_UNKNOWN
 %token TOK_OLD_TYPE_APPARMOR
 %token TOK_OLD_APPARMOR_REJECT
 %token TOK_OLD_APPARMOR_PERMIT
@@ -118,6 +145,7 @@ new_syntax:
 	| TOK_TYPE_HINT audit_msg key { ret_record->event = AA_RECORD_HINT; }
 	| TOK_TYPE_STATUS audit_msg key { ret_record->event = AA_RECORD_STATUS; }
 	| TOK_TYPE_ERROR audit_msg key { ret_record->event = AA_RECORD_ERROR; }
+	| TOK_TYPE_UNKNOWN audit_msg key { ret_record->event = lookup_aa_event($1); }
 	;

 old_msg:
@@ -353,6 +381,8 @@ key_list: TOK_KEY_OPERATION TOK_EQUALS TOK_QUOTED_STRING
 	{ ret_record->net_sock_type = strdup($3); free($3); }
 	| TOK_KEY_PROTOCOL TOK_EQUALS TOK_QUOTED_STRING
 	{ ret_record->net_protocol = strdup($3); free($3);}
+	| TOK_KEY_TYPE TOK_EQUALS TOK_DIGITS
+	{ ret_record->event = lookup_aa_event($3);}
 	;

 %%
--- a/changehat/libapparmor/src/parser.h
+++ b/changehat/libapparmor/src/parser.h
@@ -22,5 +22,14 @@
 extern void _init_log_record(aa_log_record *record);
 extern aa_log_record *_parse_yacc(char *str);

+/* FIXME: this ought to be pulled from <linux/audit.h> but there's no
+ * guarantee these will exist there. */
+#define AUDIT_APPARMOR_AUDIT    1501    /* AppArmor audited grants */
+#define AUDIT_APPARMOR_ALLOWED  1502    /* Allowed Access for learning */
+#define AUDIT_APPARMOR_DENIED   1503
+#define AUDIT_APPARMOR_HINT     1504    /* Process Tracking information */
+#define AUDIT_APPARMOR_STATUS   1505    /* Changes in config */
+#define AUDIT_APPARMOR_ERROR    1506    /* Internal AppArmor Errors */
+
 #endif

--- a/changehat/libapparmor/src/scanner.l
+++ b/changehat/libapparmor/src/scanner.l
@@ -25,6 +25,8 @@
 %{

 #include "grammar.h"
+#include "aalogparse.h"
+#include "parser.h"
 %}

 ws		[ \t\r\n]
@@ -46,6 +48,7 @@ complain_type		"APPARMOR_ALLOWED"
 hint_type		"APPARMOR_HINT"
 status_type		"APPARMOR_STATUS"
 error_type		"APPARMOR_ERROR"
+unknown_type		UNKNOWN\[{digits}+\]

 /* Old message tokens */

@@ -186,6 +189,12 @@ char *string_buf_ptr = string_buf; /* assignment to quiet gcc warning */
 {hint_type}		{ return(TOK_TYPE_HINT); }
 {status_type}		{ return(TOK_TYPE_STATUS); }
 {error_type}		{ return(TOK_TYPE_ERROR); }
+{unknown_type}		{ char *yptr = yytext;
+			  while (*yptr && *yptr != '[')
+			  	yptr++;
+			  yylval->t_long = atol(yptr + 1); /* skip '[' */
+			  return(TOK_TYPE_UNKNOWN);
+			}
 {period}		{ return(TOK_PERIOD); }

 {old_apparmor_type}	{ return(TOK_OLD_TYPE_APPARMOR); }
--- a/changehat/libapparmor/testsuite/Makefile.am
+++ b/changehat/libapparmor/testsuite/Makefile.am
@@ -11,7 +11,8 @@ noinst_PROGRAMS = test_multi.multi

 test_multi_multi_SOURCES	= test_multi.c
 test_multi_multi_CFLAGS		= $(CFLAGS) -Wall
-test_multi_multi_LDFLAGS	= $(LDFLAGS) ../src/.libs/libapparmor.a
+test_multi_multi_LDFLAGS	= $(LDFLAGS)
+test_multi_multi_LDADD		= ../src/.libs/libapparmor.a

 clean-local:
 	rm -f tmp.err.* tmp.out.* site.exp site.bak
--- a/changehat/libapparmor/testsuite/test_multi/testcase12.err
+++ b/changehat/libapparmor/testsuite/test_multi/testcase12.err
--- a/changehat/libapparmor/testsuite/test_multi/testcase12.in
+++ b/changehat/libapparmor/testsuite/test_multi/testcase12.in
@@ -0,0 +1 @@
+type=APPARMOR_DENIED msg=audit(1181057184.959:7): type=1503 operation="exec" denied_mask="x" name="/bin/ping" pid=31938 profile="/bin/ping" name2="ping2" requested_mask="rwx" attribute="attr" task="something" parent="something" magic_token=29493 info="Information" protocol="tcp" family="family" sock_type="unknown(1234)"
--- a/changehat/libapparmor/testsuite/test_multi/testcase12.out
+++ b/changehat/libapparmor/testsuite/test_multi/testcase12.out
@@ -0,0 +1,20 @@
+START
+File: test_multi/testcase12.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1181057184.959:7
+Operation: exec
+Mask: rwx
+Denied Mask: x
+Profile: /bin/ping
+Name: /bin/ping
+Name2: ping2
+Attribute: attr
+Parent: something
+Token: 29493
+Info: Information
+PID: 31938
+Network family: family
+Socket type: unknown(1234)
+Protocol: tcp
+Epoch: 1181057184
+Audit subid: 7
--- a/changehat/libapparmor/testsuite/test_multi/testcase13.err
+++ b/changehat/libapparmor/testsuite/test_multi/testcase13.err
--- a/changehat/libapparmor/testsuite/test_multi/testcase13.in
+++ b/changehat/libapparmor/testsuite/test_multi/testcase13.in
@@ -0,0 +1 @@
+type=UNKNOWN[1503] msg=audit(1181057184.959:7): operation="exec" denied_mask="x" name="/bin/ping" pid=31938 profile="/bin/ping" name2="ping2" requested_mask="rwx" attribute="attr" task="something" parent="something" magic_token=29493 info="Information" protocol="tcp" family="family" sock_type="unknown(1234)"
--- a/changehat/libapparmor/testsuite/test_multi/testcase13.out
+++ b/changehat/libapparmor/testsuite/test_multi/testcase13.out
@@ -0,0 +1,20 @@
+START
+File: test_multi/testcase13.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1181057184.959:7
+Operation: exec
+Mask: rwx
+Denied Mask: x
+Profile: /bin/ping
+Name: /bin/ping
+Name2: ping2
+Attribute: attr
+Parent: something
+Token: 29493
+Info: Information
+PID: 31938
+Network family: family
+Socket type: unknown(1234)
+Protocol: tcp
+Epoch: 1181057184
+Audit subid: 7
				`@@ -0,0 +1 @@`
				`type=APPARMOR_DENIED msg=audit(1181057184.959:7): type=1503 operation="exec" denied_mask="x" name="/bin/ping" pid=31938 profile="/bin/ping" name2="ping2" requested_mask="rwx" attribute="attr" task="something" parent="something" magic_token=29493 info="Information" protocol="tcp" family="family" sock_type="unknown(1234)"`
				`@@ -0,0 +1 @@`
				`type=UNKNOWN[1503] msg=audit(1181057184.959:7): operation="exec" denied_mask="x" name="/bin/ping" pid=31938 profile="/bin/ping" name2="ping2" requested_mask="rwx" attribute="attr" task="something" parent="something" magic_token=29493 info="Information" protocol="tcp" family="family" sock_type="unknown(1234)"`