
utils/SubDomain.pm:

- Update matching regex for reordered kernel audit messages (when they
  come through syslog). Ideally, rather than use a regex, the utils would
  just use the log parsing library to determine whether it's a log event
  of interest.
- fix debugging code to write a logfile in /var/log/apparmor and not a
  predictable location in /tmp; File::Temp would be the right solution
  except that the log file is created in a BEGIN clause, and
  File::Temp.new() ends up returning an unopened filehandle in that
  situation, so logging fails. Someone with more perl-fu may know how to
  fix that.
This commit is contained in:
Steve Beattie
2009-03-19 15:32:02 +00:00
parent b1fab26057
commit be5ddfa59b


@@ -265,7 +265,7 @@ BEGIN {
# set things up to log extra info if they want...
if ($ENV{LOGPROF_DEBUG}) {
$DEBUGGING = 1;
open(DEBUG, ">/tmp/logprof_debug_$$.log");
open(DEBUG, ">/var/log/apparmor/logprof_debug_$$.log");
my $oldfd = select(DEBUG);
$| = 1;
select($oldfd);
@@ -2410,7 +2410,7 @@ our $next_log_entry;
our $logmark;
our $seenmark;
my $RE_LOG_v2_0_syslog = qr/SubDomain/;
my $RE_LOG_v2_1_syslog = qr/kernel:\s+(\[[\d\.\s]+\]\s+)?audit\([\d\.\:]+\):\s+type=150[1-6]/;
my $RE_LOG_v2_1_syslog = qr/kernel:\s+(\[[\d\.\s]+\]\s+)?(audit\([\d\.\:]+\):\s+)?type=150[1-6]/;
my $RE_LOG_v2_0_audit =
qr/type=(APPARMOR|UNKNOWN\[1500\]) msg=audit\([\d\.\:]+\):/;
my $RE_LOG_v2_1_audit =
@@ -2426,6 +2426,7 @@ sub prefetch_next_log_entry {
# AA event message format we recognize
do {
$next_log_entry = <$LOG>;
$DEBUGGING && debug "prefetch_next_log_entry: next_log_entry = $next_log_entry";
} until (!$next_log_entry || $next_log_entry =~ m{
$RE_LOG_v2_0_syslog |
$RE_LOG_v2_0_audit |
@@ -2894,8 +2895,11 @@ sub read_log {
while ($_ = get_next_log_entry()) {
chomp;
$DEBUGGING && debug "read_log: $_";
$seenmark = 1 if /$logmark/;
$DEBUGGING && debug "read_log: seenmark = $seenmark";
next unless $seenmark;
my $last_match = ""; # v_2_0 syslog record parsing requires
@@ -6522,6 +6526,8 @@ sub parse_event($) {
my $event = LibAppArmor::parse_record($msg);
my ($rmask, $dmask);
$DEBUGGING && debug("parse_event: $msg");
$ev{'resource'} = LibAppArmor::aa_log_record::swig_info_get($event);
$ev{'active_hat'} = LibAppArmor::aa_log_record::swig_active_hat_get($event);
$ev{'sdmode'} = LibAppArmor::aa_log_record::swig_event_get($event);