Fix aa logparsing library to parse messages where the strings in the

name, name2, or profile fields have been safely (hex) encoded.
2025-08-31 06:16:03 +00:00 · 2007-09-17 05:22:40 +00:00
parent 27c13607be
commit cd498230c7
10 changed files with 113 additions and 10 deletions
--- a/changehat/libapparmor/libapparmor1.spec
+++ b/changehat/libapparmor/libapparmor1.spec
@@ -6,7 +6,7 @@

 Name:		libapparmor1
 Version:	2.2
-Release:	2.20070914
+Release:	3.20070916
 License:	LGPL
 Group:		Development/Libraries/C and C++
 BuildRoot:	%{_tmppath}/%{name}-%{version}-build
@@ -102,11 +102,12 @@ rm -rf "$RPM_BUILD_ROOT"
 %{perl_vendorarch}/LibAppArmor.pm

 %changelog
-* Fri Sep 14 2007 - sbeattie@suse.de
+* Sun Sep 16 2007 - sbeattie@suse.de
 - aalogparse: add support for type=15xx audit field
 - aalogparse: add support for audit messages thru syslog
 - aalogparse: reduce noise to stdout on syntax errors
 - aalogparse: add support for more missing message types
+- aalogparse: parse messages w/safe (hex) string encodings
 * Fri Aug 17 2007 - sbeattie@suse.de
 - Fix broken symlink for old change_hat(2) manpage
 * Wed Aug 15 2007 - sbeattie@suse.de
--- a/changehat/libapparmor/src/Makefile.am
+++ b/changehat/libapparmor/src/Makefile.am
@@ -25,4 +25,9 @@ libapparmor_la_LDFLAGS = -version-info 1:2:0 -XCClinker -dynamic \
 libimmunix_la_SOURCES = change_hat.c libimmunix_warning.c
 libimmunix_la_LDFLAGS = -version-info 1:2:0 -Wl,--version-script=libapparmor.map -Wl,-soname=libimmunix.so.1

+tst_aalogmisc_SOURCES = tst_aalogmisc.c
+tst_aalogmisc_LDADD = .libs/libapparmor.a
+check_PROGRAMS = tst_aalogmisc
+TESTS = $(check_PROGRAMS)
+
 EXTRA_DIST = grammar.y scanner.l libapparmor.map
--- a/changehat/libapparmor/src/grammar.y
+++ b/changehat/libapparmor/src/grammar.y
@@ -74,10 +74,11 @@ aa_record_event_type lookup_aa_event(unsigned int type)
 	long	t_long;
 }

-%type <t_str> old_profile;
+%type <t_str> old_profile, safe_string;
 %token <t_long> TOK_DIGITS TOK_TYPE_UNKNOWN
 %token <t_str> TOK_QUOTED_STRING TOK_PATH TOK_ID TOK_NULL_COMPLAIN TOK_MODE TOK_DMESG_STAMP
 %token <t_str> TOK_SINGLE_QUOTED_STRING TOK_AUDIT_DIGITS TOK_DATE_MONTH TOK_DATE_TIME
+%token <t_str> TOK_HEXSTRING

 %token TOK_EQUALS
 %token TOK_COLON
@@ -373,9 +374,9 @@ key_list: key

 key: TOK_KEY_OPERATION TOK_EQUALS TOK_QUOTED_STRING
 	{ ret_record->operation = strdup($3); free($3); }
-	| TOK_KEY_NAME TOK_EQUALS TOK_QUOTED_STRING
+	| TOK_KEY_NAME TOK_EQUALS safe_string
 	{ ret_record->name = strdup($3); free($3); }
-	| TOK_KEY_NAME2 TOK_EQUALS TOK_QUOTED_STRING
+	| TOK_KEY_NAME2 TOK_EQUALS safe_string
 	{ ret_record->name2 = strdup($3); free($3); }
 	| TOK_KEY_DENIED_MASK TOK_EQUALS TOK_QUOTED_STRING
 	{ ret_record->denied_mask = strdup($3); free($3);}
@@ -392,7 +393,7 @@ key: TOK_KEY_OPERATION TOK_EQUALS TOK_QUOTED_STRING
 	| TOK_KEY_INFO TOK_EQUALS TOK_QUOTED_STRING
 	{ ret_record->info = strdup($3); free($3);}
 	| key_pid
-	| TOK_KEY_PROFILE TOK_EQUALS TOK_QUOTED_STRING
+	| TOK_KEY_PROFILE TOK_EQUALS safe_string
 	{ ret_record->profile = strdup($3); free($3);}
 	| TOK_KEY_FAMILY TOK_EQUALS TOK_QUOTED_STRING
 	{ ret_record->net_family = strdup($3); free($3);}
@@ -406,6 +407,11 @@ key: TOK_KEY_OPERATION TOK_EQUALS TOK_QUOTED_STRING

 key_pid: TOK_KEY_PID TOK_EQUALS TOK_DIGITS { ret_record->pid = $3; }
 	;
+
+safe_string: TOK_QUOTED_STRING
+	| TOK_HEXSTRING
+	;
+
 %%

 aa_log_record *
--- a/changehat/libapparmor/src/libaalogparse.c
+++ b/changehat/libapparmor/src/libaalogparse.c
@@ -29,6 +29,8 @@


 #include <stdlib.h>
+#include <string.h>
+#include <stdio.h>
 #include "aalogparse.h"
 #include "parser.h"

@@ -113,3 +115,31 @@ _init_log_record(aa_log_record *record)
 	record->net_sock_type = NULL;
 	return;
 }
+
+/* convert a hex-encoded string to its char* version */
+char *
+hex_to_string(char *hexstring)
+{
+	char *ret = NULL;
+	char buf[3], *endptr;
+	size_t len;
+	int i;
+
+	if (!hexstring)
+		goto out;
+
+	len = strlen(hexstring) / 2;
+	ret = malloc(len + 1);
+	if (!ret)
+		goto out;
+
+	for (i = 0; i < len; i++) {
+		sprintf(buf, "%.2s", hexstring);
+		hexstring += 2;
+		ret[i] = (unsigned char) strtoul(buf, &endptr, 16);
+	}
+	ret[len] = '\0';
+
+out:
+	return ret;
+}
--- a/changehat/libapparmor/src/parser.h
+++ b/changehat/libapparmor/src/parser.h
@@ -21,6 +21,7 @@

 extern void _init_log_record(aa_log_record *record);
 extern aa_log_record *_parse_yacc(char *str);
+extern char *hex_to_string(char *str);

 /* FIXME: this ought to be pulled from <linux/audit.h> but there's no
 * guarantee these will exist there. */
--- a/changehat/libapparmor/src/scanner.l
+++ b/changehat/libapparmor/src/scanner.l
@@ -33,11 +33,13 @@ ws		[ \t\r\n]

 equals		"="
 digits		[0-9]+
+hex		[A-F0-9]
 colon		":"
 open_paren	"("
 close_paren	")"
 ID		[^ \t\n\(\)="'!]
 path		"/"{ID}*
+hexstring	({hex}{hex})+
 period		"\."
 modes           [RrWwXxIiLlUuPpMm]

@@ -112,6 +114,7 @@ dmesg_timestamp		\[[[:digit:] ]{5,}\.[[:digit:]]{6,}\]
 %x single_quoted_string
 %x hostname
 %x dmesg_timestamp
+%x safe_string

 %%
 %{
@@ -184,6 +187,15 @@ char *string_buf_ptr = string_buf; /* assignment to quiet gcc warning */
 					*string_buf_ptr++ = *yptr++;
 				}
 			}
+
+<safe_string>{
+	"'"		{ string_buf_ptr = string_buf; BEGIN(single_quoted_string); }
+	\"		{ string_buf_ptr = string_buf; BEGIN(quoted_string); }
+	{hexstring}	{ yylval->t_str = hex_to_string(yytext); BEGIN(INITIAL); return(TOK_HEXSTRING);}
+	{equals}	{ return(TOK_EQUALS); }
+	.		{ /* eek, error! try another state */ BEGIN(INITIAL); yyless(0); }
+	}
+
 {equals}		{ return(TOK_EQUALS); }
 {digits}		{ yylval->t_long = atol(yytext); return(TOK_DIGITS); }
 {colon}			{ return(TOK_COLON); }
@@ -234,8 +246,8 @@ char *string_buf_ptr = string_buf; /* assignment to quiet gcc warning */
 {key_type}		{ return(TOK_KEY_TYPE); }
 {key_msg}		{ return(TOK_KEY_MSG); }
 {key_operation}		{ return(TOK_KEY_OPERATION); }
-{key_name}		{ return(TOK_KEY_NAME); }
-{key_name2}		{ return(TOK_KEY_NAME2); }
+{key_name}		{ BEGIN(safe_string); return(TOK_KEY_NAME); }
+{key_name2}		{ BEGIN(safe_string); return(TOK_KEY_NAME2); }
 {key_denied_mask}	{ return(TOK_KEY_DENIED_MASK); }
 {key_requested_mask}	{ return(TOK_KEY_REQUESTED_MASK); }
 {key_attribute}		{ BEGIN(sub_id); return(TOK_KEY_ATTRIBUTE); }
@@ -244,7 +256,7 @@ char *string_buf_ptr = string_buf; /* assignment to quiet gcc warning */
 {key_magic_token}	{ return(TOK_KEY_MAGIC_TOKEN); }
 {key_info}		{ return(TOK_KEY_INFO); }
 {key_pid}		{ return(TOK_KEY_PID); }
-{key_profile}		{ return(TOK_KEY_PROFILE); }
+{key_profile}		{ BEGIN(safe_string); return(TOK_KEY_PROFILE); }
 {key_family}		{ return(TOK_KEY_FAMILY); }
 {key_sock_type}		{ return(TOK_KEY_SOCK_TYPE); }
 {key_protocol}		{ return(TOK_KEY_PROTOCOL); }
@@ -261,7 +273,7 @@ char *string_buf_ptr = string_buf; /* assignment to quiet gcc warning */
 <dmesg_timestamp>{
 	{ws}+		{ /* eat whitespace */ }
 	{dmesg_timestamp} { yylval->t_str = strdup(yytext); BEGIN(INITIAL); return(TOK_DMESG_STAMP); }
-	.		{ BEGIN(INITIAL); yyless(0); }
+	.		{ /* no timestamp in this message */ BEGIN(INITIAL); yyless(0); }
 }

 {audit}			{ BEGIN(audit_id); return(TOK_AUDIT); }
--- a/changehat/libapparmor/src/tst_aalogmisc.c
+++ b/changehat/libapparmor/src/tst_aalogmisc.c
@@ -0,0 +1,35 @@
+#include <stdlib.h>
+#include <string.h>
+#include <stdio.h>
+#include "aalogparse.h"
+#include "parser.h"
+
+
+#define MY_TEST(statement, error)               \
+	if (!(statement)) {                     \
+		fprintf(stderr, "FAIL: %s\n", error); \
+		rc = 1; \
+	}
+
+int main(void)
+{
+	int rc = 0;
+	char *retstr = NULL;
+
+	retstr = hex_to_string(NULL);
+	MY_TEST(!retstr, "basic NULL test");
+
+	retstr = hex_to_string("2F746D702F646F6573206E6F74206578697374");
+	MY_TEST(retstr, "basic allocation");
+	MY_TEST(strcmp(retstr, "/tmp/does not exist") == 0, "basic dehex 1");
+
+	retstr = hex_to_string("61");
+	MY_TEST(strcmp(retstr, "a") == 0, "basic dehex 2");
+
+	retstr = hex_to_string("");
+	MY_TEST(strcmp(retstr, "") == 0, "empty string");
+
+	return rc;
+}
+
+
--- a/changehat/libapparmor/testsuite/test_multi/testcase22.err
+++ b/changehat/libapparmor/testsuite/test_multi/testcase22.err
--- a/changehat/libapparmor/testsuite/test_multi/testcase22.in
+++ b/changehat/libapparmor/testsuite/test_multi/testcase22.in
@@ -0,0 +1 @@
+type=APPARMOR_DENIED msg=audit(1190305421.066:14665):  type=1503 operation="inode_permission" requested_mask="w" denied_mask="w" name=2F746D702F646F6573206E6F74206578697374 pid=31401 profile="/home/steve/tmp/sh"
--- a/changehat/libapparmor/testsuite/test_multi/testcase22.out
+++ b/changehat/libapparmor/testsuite/test_multi/testcase22.out
@@ -0,0 +1,12 @@
+START
+File: test_multi/testcase22.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1190305421.066:14665
+Operation: inode_permission
+Mask: w
+Denied Mask: w
+Profile: /home/steve/tmp/sh
+Name: /tmp/does not exist
+PID: 31401
+Epoch: 1190305421
+Audit subid: 14665
				`@@ -0,0 +1 @@`
				`type=APPARMOR_DENIED msg=audit(1190305421.066:14665): type=1503 operation="inode_permission" requested_mask="w" denied_mask="w" name=2F746D702F646F6573206E6F74206578697374 pid=31401 profile="/home/steve/tmp/sh"`