libapparmor: fix log parsing for socklogd

The default log format for void linux is not handled by current log
parsing. The following example message results in an invalid record
error.

2021-09-11T20:57:41.91645 kern.notice: [  469.180605] audit: type=1400 audit(1631392703.952:3): apparmor="ALLOWED" operation="mkdir" profile="/usr/bin/kak" name="/run/user/1000/kakoune/" pid=2545 comm="kak" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000

This log message fails on parsing

  kern.notice:

which differs from the expect syslog format of
  host_name kernel:

Fixes: https://gitlab.com/apparmor/apparmor/-/issues/196
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/799
Signed-off-by: John Johansen <john.johansen@canonical.com>

libraries/libapparmor/src/grammar.y

@@ -186,6 +186,7 @@ aa_record_event_type lookup_aa_event(unsigned int type)
 %token TOK_KEY_FLAGS
 %token TOK_KEY_SRCNAME
 
+%token TOK_SOCKLOGD_KERNEL
 %token TOK_SYSLOG_KERNEL
 %token TOK_SYSLOG_USER
 
@@ -232,24 +233,28 @@ dmesg_type: TOK_DMESG_STAMP TOK_AUDIT TOK_COLON key_type audit_id key_list
 	{ ret_record->version = AA_RECORD_SYNTAX_V2; free($1); }
 	;
 
+syslog_id: TOK_ID TOK_SYSLOG_KERNEL { free($1); }
+	| TOK_SOCKLOGD_KERNEL { }
+	;
+
 syslog_type:
-	  syslog_date TOK_ID TOK_SYSLOG_KERNEL audit_id key_list
+	  syslog_date syslog_id audit_id key_list
-	  { ret_record->version = AA_RECORD_SYNTAX_V2; free($2); }
+	  { ret_record->version = AA_RECORD_SYNTAX_V2; }
-	| syslog_date TOK_ID TOK_SYSLOG_KERNEL key_type audit_id key_list
+	| syslog_date syslog_id key_type audit_id key_list
-	  { ret_record->version = AA_RECORD_SYNTAX_V2; free($2); }
+	  { ret_record->version = AA_RECORD_SYNTAX_V2; }
-	| syslog_date TOK_ID TOK_SYSLOG_KERNEL TOK_DMESG_STAMP audit_id key_list
+	| syslog_date syslog_id TOK_DMESG_STAMP audit_id key_list
-	  { ret_record->version = AA_RECORD_SYNTAX_V2; free($2); free($4); }
+	  { ret_record->version = AA_RECORD_SYNTAX_V2; free($3); }
-	| syslog_date TOK_ID TOK_SYSLOG_KERNEL TOK_DMESG_STAMP key_type audit_id key_list
+	| syslog_date syslog_id TOK_DMESG_STAMP key_type audit_id key_list
-	  { ret_record->version = AA_RECORD_SYNTAX_V2; free($2); free($4); }
+	  { ret_record->version = AA_RECORD_SYNTAX_V2; free($3); }
 	/* needs update: hard newline in handling mutiline log messages */
-	| syslog_date TOK_ID TOK_SYSLOG_KERNEL TOK_DMESG_STAMP TOK_AUDIT TOK_COLON key_type audit_id audit_user_msg_partial_tail
+	| syslog_date syslog_id TOK_DMESG_STAMP TOK_AUDIT TOK_COLON key_type audit_id audit_user_msg_partial_tail
-	  { ret_record->version = AA_RECORD_SYNTAX_V2; free($2); free($4); }
+	  { ret_record->version = AA_RECORD_SYNTAX_V2; free($3); }
-	| syslog_date TOK_ID TOK_SYSLOG_KERNEL TOK_DMESG_STAMP TOK_AUDIT TOK_COLON key_type audit_id audit_user_msg_tail
+	| syslog_date syslog_id TOK_DMESG_STAMP TOK_AUDIT TOK_COLON key_type audit_id audit_user_msg_tail
-	  { ret_record->version = AA_RECORD_SYNTAX_V2; free($2); free($4); }
+	  { ret_record->version = AA_RECORD_SYNTAX_V2; free($3); }
-	| syslog_date TOK_ID TOK_SYSLOG_KERNEL TOK_DMESG_STAMP TOK_AUDIT TOK_COLON key_type audit_id key_list
+	| syslog_date syslog_id TOK_DMESG_STAMP TOK_AUDIT TOK_COLON key_type audit_id key_list
-	  { ret_record->version = AA_RECORD_SYNTAX_V2; free($2); free($4); }
+	  { ret_record->version = AA_RECORD_SYNTAX_V2; free($3); }
-	| syslog_date TOK_ID TOK_SYSLOG_KERNEL TOK_AUDIT TOK_COLON key_type audit_id key_list
+	| syslog_date syslog_id TOK_AUDIT TOK_COLON key_type audit_id key_list
-	  { ret_record->version = AA_RECORD_SYNTAX_V2; free($2); }
+	  { ret_record->version = AA_RECORD_SYNTAX_V2; }
 	| syslog_date TOK_ID TOK_SYSLOG_USER key_list
 	  { ret_record->version = AA_RECORD_SYNTAX_V2; free($2); }
 	;

libraries/libapparmor/src/scanner.l

@@ -172,6 +172,7 @@ audit			"audit"
 ip_addr			[a-f[:digit:].:]{3,}
 
 /* syslog tokens */
+socklogd_kernel		kern.notice{colon}
 syslog_kernel		kernel{colon}
 syslog_user		[[:alnum:]_-]+\[[[:digit:]]+\]{colon}
 syslog_yyyymmdd		{digit}{4}{minus}{digit}{2}{minus}{digit}{2}
@@ -351,6 +352,7 @@ yy_flex_debug = 0;
 {key_flags}		{ BEGIN(safe_string); return(TOK_KEY_FLAGS); }
 {key_srcname}		{ BEGIN(safe_string); return(TOK_KEY_SRCNAME); }
 
+{socklogd_kernel}	{ BEGIN(dmesg_timestamp); return(TOK_SOCKLOGD_KERNEL); }
 {syslog_kernel}		{ BEGIN(dmesg_timestamp); return(TOK_SYSLOG_KERNEL); }
 {syslog_user}		{ return(TOK_SYSLOG_USER); }
 {syslog_month}		{ yylval->t_str = strdup(yytext); return(TOK_DATE_MONTH); }
@@ -365,6 +367,7 @@ yy_flex_debug = 0;
 
 <hostname>{
 	{ws}+		{ /* eat whitespace */ }
+	{socklogd_kernel} { BEGIN(dmesg_timestamp); return(TOK_SOCKLOGD_KERNEL); }
 	{syslog_hostname} { yylval->t_str = strdup(yytext); BEGIN(INITIAL); return(TOK_ID); }
 }
 

libraries/libapparmor/testsuite/test_multi/testcase_socklogd_mkdir.in

@@ -0,0 +1 @@
+2021-09-11T20:57:41.91645 kern.notice: [  469.180605] audit: type=1400 audit(1631392703.952:3): apparmor="ALLOWED" operation="mkdir" profile="/usr/sbin/sshd" name="/run/user/1000/kakoune/" pid=2545 comm="sshd" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000

libraries/libapparmor/testsuite/test_multi/testcase_socklogd_mkdir.out

@@ -0,0 +1,15 @@
+START
+File: testcase_socklogd_mkdir.in
+Event type: AA_RECORD_ALLOWED
+Audit ID: 1631392703.952:3
+Operation: mkdir
+Mask: c
+Denied Mask: c
+fsuid: 1000
+ouid: 1000
+Profile: /usr/sbin/sshd
+Name: /run/user/1000/kakoune/
+Command: sshd
+PID: 2545
+Epoch: 1631392703
+Audit subid: 3

libraries/libapparmor/testsuite/test_multi/testcase_socklogd_mkdir.profile

@@ -0,0 +1,4 @@
+/usr/sbin/sshd {
+  owner /run/user/1000/kakoune/ w,
+
+}