From b32b898a9a86b54eb4f45f8ea91a8feeb1f9db1d Mon Sep 17 00:00:00 2001
From: John Johansen
Date: Sun, 12 Sep 2021 23:02:26 -0700
Subject: [PATCH] libapparmor: fix log parsing for socklogd

The default log format for void linux is not handled by current log parsing. The following example message results in an invalid record error.
2021-09-11T20:57:41.91645 kern.notice: [ 469.180605] audit: type=1400 audit(1631392703.952:3): apparmor="ALLOWED" operation="mkdir" profile="/usr/bin/kak" name="/run/user/1000/kakoune/" pid=2545 comm="kak" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
This log message fails on parsing kern.notice: which differs from the expect syslog format of host_name kernel:
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/196
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/799
Signed-off-by: John Johansen
---
 libraries/libapparmor/src/grammar.y | 37 +++++++++++--------
 libraries/libapparmor/src/scanner.l | 3 ++
 .../test_multi/testcase_socklogd_mkdir.err | 0
 .../test_multi/testcase_socklogd_mkdir.in | 1 +
 .../test_multi/testcase_socklogd_mkdir.out | 15 ++++++++
 .../testcase_socklogd_mkdir.profile | 4 ++
 6 files changed, 44 insertions(+), 16 deletions(-)
 create mode 100644 libraries/libapparmor/testsuite/test_multi/testcase_socklogd_mkdir.err
 create mode 100644 libraries/libapparmor/testsuite/test_multi/testcase_socklogd_mkdir.in
 create mode 100644 libraries/libapparmor/testsuite/test_multi/testcase_socklogd_mkdir.out
 create mode 100644 libraries/libapparmor/testsuite/test_multi/testcase_socklogd_mkdir.profile

diff --git a/libraries/libapparmor/src/grammar.y b/libraries/libapparmor/src/grammar.y
index fd723d458..687a93db5 100644
--- a/libraries/libapparmor/src/grammar.y
+++ b/libraries/libapparmor/src/grammar.y
@@ -186,6 +186,7 @@ aa_record_event_type lookup_aa_event(unsigned int type)
 %token TOK_KEY_FLAGS
 %token TOK_KEY_SRCNAME
+%token TOK_SOCKLOGD_KERNEL
 %token TOK_SYSLOG_KERNEL
 %token TOK_SYSLOG_USER
@@ -232,24 +233,28 @@ dmesg_type:
 TOK_DMESG_STAMP TOK_AUDIT TOK_COLON key_type audit_id key_list
 { ret_record->version = AA_RECORD_SYNTAX_V2; free($1); }
 ;
+syslog_id: TOK_ID TOK_SYSLOG_KERNEL { free($1); }
+ | TOK_SOCKLOGD_KERNEL { }
+ ;
+
 syslog_type:
- syslog_date TOK_ID TOK_SYSLOG_KERNEL audit_id key_list
- { ret_record->version = AA_RECORD_SYNTAX_V2; free($2); }
- | syslog_date TOK_ID TOK_SYSLOG_KERNEL key_type audit_id key_list
- { ret_record->version = AA_RECORD_SYNTAX_V2; free($2); }
- | syslog_date TOK_ID TOK_SYSLOG_KERNEL TOK_DMESG_STAMP audit_id key_list
- { ret_record->version = AA_RECORD_SYNTAX_V2; free($2); free($4); }
- | syslog_date TOK_ID TOK_SYSLOG_KERNEL TOK_DMESG_STAMP key_type audit_id key_list
- { ret_record->version = AA_RECORD_SYNTAX_V2; free($2); free($4); }
+ syslog_date syslog_id audit_id key_list
+ { ret_record->version = AA_RECORD_SYNTAX_V2; }
+ | syslog_date syslog_id key_type audit_id key_list
+ { ret_record->version = AA_RECORD_SYNTAX_V2; }
+ | syslog_date syslog_id TOK_DMESG_STAMP audit_id key_list
+ { ret_record->version = AA_RECORD_SYNTAX_V2; free($3); }
+ | syslog_date syslog_id TOK_DMESG_STAMP key_type audit_id key_list
+ { ret_record->version = AA_RECORD_SYNTAX_V2; free($3); }
 /* needs update: hard newline in handling mutiline log messages */
- | syslog_date TOK_ID TOK_SYSLOG_KERNEL TOK_DMESG_STAMP TOK_AUDIT TOK_COLON key_type audit_id audit_user_msg_partial_tail
- { ret_record->version = AA_RECORD_SYNTAX_V2; free($2); free($4); }
- | syslog_date TOK_ID TOK_SYSLOG_KERNEL TOK_DMESG_STAMP TOK_AUDIT TOK_COLON key_type audit_id audit_user_msg_tail
- { ret_record->version = AA_RECORD_SYNTAX_V2; free($2); free($4); }
- | syslog_date TOK_ID TOK_SYSLOG_KERNEL TOK_DMESG_STAMP TOK_AUDIT TOK_COLON key_type audit_id key_list
- { ret_record->version = AA_RECORD_SYNTAX_V2; free($2); free($4); }
- | syslog_date TOK_ID TOK_SYSLOG_KERNEL TOK_AUDIT TOK_COLON key_type audit_id key_list
- { ret_record->version = AA_RECORD_SYNTAX_V2; free($2); }
+ | syslog_date syslog_id TOK_DMESG_STAMP TOK_AUDIT TOK_COLON key_type audit_id audit_user_msg_partial_tail
+ { ret_record->version = AA_RECORD_SYNTAX_V2; free($3); }
+ | syslog_date syslog_id TOK_DMESG_STAMP TOK_AUDIT TOK_COLON key_type audit_id audit_user_msg_tail
+ { ret_record->version = AA_RECORD_SYNTAX_V2; free($3); }
+ | syslog_date syslog_id TOK_DMESG_STAMP TOK_AUDIT TOK_COLON key_type audit_id key_list
+ { ret_record->version = AA_RECORD_SYNTAX_V2; free($3); }
+ | syslog_date syslog_id TOK_AUDIT TOK_COLON key_type audit_id key_list
+ { ret_record->version = AA_RECORD_SYNTAX_V2; }
 | syslog_date TOK_ID TOK_SYSLOG_USER key_list
 { ret_record->version = AA_RECORD_SYNTAX_V2; free($2); }
 ;
diff --git a/libraries/libapparmor/src/scanner.l b/libraries/libapparmor/src/scanner.l
index 6405ef5ce..1dfb15c2f 100644
--- a/libraries/libapparmor/src/scanner.l
+++ b/libraries/libapparmor/src/scanner.l
@@ -172,6 +172,7 @@ audit "audit"
 ip_addr [a-f[:digit:].:]{3,}
 /* syslog tokens */
+socklogd_kernel kern.notice{colon}
 syslog_kernel kernel{colon}
 syslog_user [[:alnum:]_-]+\[[[:digit:]]+\]{colon}
 syslog_yyyymmdd {digit}{4}{minus}{digit}{2}{minus}{digit}{2}
@@ -351,6 +352,7 @@ yy_flex_debug = 0;
 {key_flags} { BEGIN(safe_string); return(TOK_KEY_FLAGS); }
 {key_srcname} { BEGIN(safe_string); return(TOK_KEY_SRCNAME); }
+{socklogd_kernel} { BEGIN(dmesg_timestamp); return(TOK_SOCKLOGD_KERNEL); }
 {syslog_kernel} { BEGIN(dmesg_timestamp); return(TOK_SYSLOG_KERNEL); }
 {syslog_user} { return(TOK_SYSLOG_USER); }
 {syslog_month} { yylval->t_str = strdup(yytext); return(TOK_DATE_MONTH); }
@@ -365,6 +367,7 @@ yy_flex_debug = 0;
 {
 {ws}+ { /* eat whitespace */ }
+ {socklogd_kernel} { BEGIN(dmesg_timestamp); return(TOK_SOCKLOGD_KERNEL); }
 {syslog_hostname} { yylval->t_str = strdup(yytext); BEGIN(INITIAL); return(TOK_ID); }
 }
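Review bot: The new `syslog_id` nonterminal carries no comment, yet its two alternatives differ in whether a hostname token is consumed and freed, which is exactly what the next person adding a log format needs to know. Above `syslog_id:` I would add `/* source marker of a kernel line in the syslog prefix: "host kernel:" from a traditional syslogd (hostname freed here), or the hostless "kern.notice:" emitted by socklogd */`. The renumbering to `free($3)` in the `TOK_DMESG_STAMP` alternatives looks correct now that `syslog_date` and `syslog_id` occupy `$1` and `$2`, and the two alternatives without a stamp correctly free nothing. The rule still duplicates every alternative with and without `TOK_DMESG_STAMP`; an optional-stamp nonterminal could fold those, but I have not checked whether its empty alternative would introduce conflicts in this grammar.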
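Review bot: The new `socklogd_kernel` definition `kern.notice{colon}` leaves the `.` unescaped, and in a flex pattern `.` matches any character, so a prefix such as `kernXnotice:` would also be accepted as the socklogd kernel marker; it should read `socklogd_kernel kern\.notice{colon}` to match only the literal text. The pattern also accepts only the `notice` priority; if socklogd can forward kernel audit lines under another priority (I have not verified that), a pattern like `kern\.[[:alnum:]]+{colon}` would cover them, and otherwise such lines keep failing with the invalid-record error the commit message describes.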
diff --git a/libraries/libapparmor/testsuite/test_multi/testcase_socklogd_mkdir.err b/libraries/libapparmor/testsuite/test_multi/testcase_socklogd_mkdir.err
new file mode 100644
index 000000000..e69de29bb
diff --git a/libraries/libapparmor/testsuite/test_multi/testcase_socklogd_mkdir.in b/libraries/libapparmor/testsuite/test_multi/testcase_socklogd_mkdir.in
new file mode 100644
index 000000000..05ff28ac2
--- /dev/null
+++ b/libraries/libapparmor/testsuite/test_multi/testcase_socklogd_mkdir.in
@@ -0,0 +1 @@
+2021-09-11T20:57:41.91645 kern.notice: [ 469.180605] audit: type=1400 audit(1631392703.952:3): apparmor="ALLOWED" operation="mkdir" profile="/usr/sbin/sshd" name="/run/user/1000/kakoune/" pid=2545 comm="sshd" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
diff --git a/libraries/libapparmor/testsuite/test_multi/testcase_socklogd_mkdir.out b/libraries/libapparmor/testsuite/test_multi/testcase_socklogd_mkdir.out
new file mode 100644
index 000000000..7f70604b8
--- /dev/null
+++ b/libraries/libapparmor/testsuite/test_multi/testcase_socklogd_mkdir.out
@@ -0,0 +1,15 @@
+START
+File: testcase_socklogd_mkdir.in
+Event type: AA_RECORD_ALLOWED
+Audit ID: 1631392703.952:3
+Operation: mkdir
+Mask: c
+Denied Mask: c
+fsuid: 1000
+ouid: 1000
+Profile: /usr/sbin/sshd
+Name: /run/user/1000/kakoune/
+Command: sshd
+PID: 2545
+Epoch: 1631392703
+Audit subid: 3
diff --git a/libraries/libapparmor/testsuite/test_multi/testcase_socklogd_mkdir.profile b/libraries/libapparmor/testsuite/test_multi/testcase_socklogd_mkdir.profile
new file mode 100644
index 000000000..6a4b637cc
--- /dev/null
+++ b/libraries/libapparmor/testsuite/test_multi/testcase_socklogd_mkdir.profile
@@ -0,0 +1,4 @@
+/usr/sbin/sshd {
+ owner /run/user/1000/kakoune/ w,
+
+}
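Review bot: The single fixture line only exercises the socklogd alternative that has both the dmesg stamp `[ 469.180605]` and the `audit:` prefix, so the other `syslog_id` alternatives the grammar change introduces for this format, such as `syslog_date syslog_id TOK_AUDIT TOK_COLON key_type audit_id key_list` without the stamp, are not covered by any test. If socklogd output can omit the printk timestamp (I have not verified that), a second `.in`/`.out` pair made from this line with the `[ 469.180605] ` portion removed would pin that path down as well. The expected `.out` also does not record the ISO timestamp, so a fixture with a different fractional-second field would confirm that only the date syntax, not its value, matters to the parser.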