
Fix aa logparsing library to parse messages where the strings in the name, name2, or profile fields have been safely (hex) encoded.
Steve Beattie
2007-09-17 05:22:40 +00:00
parent 27c13607be
commit cd498230c7
10 changed files with 113 additions and 10 deletions


@@ -6,7 +6,7 @@
Name: libapparmor1
Version: 2.2
Release: 2.20070914
Release: 3.20070916
License: LGPL
Group: Development/Libraries/C and C++
BuildRoot: %{_tmppath}/%{name}-%{version}-build
@@ -102,11 +102,12 @@ rm -rf "$RPM_BUILD_ROOT"
%{perl_vendorarch}/LibAppArmor.pm
%changelog
* Fri Sep 14 2007 - sbeattie@suse.de
* Sun Sep 16 2007 - sbeattie@suse.de
- aalogparse: add support for type=15xx audit field
- aalogparse: add support for audit messages thru syslog
- aalogparse: reduce noise to stdout on syntax errors
- aalogparse: add support for more missing message types
- aalogparse: parse messages w/safe (hex) string encodings
* Fri Aug 17 2007 - sbeattie@suse.de
- Fix broken symlink for old change_hat(2) manpage
* Wed Aug 15 2007 - sbeattie@suse.de


@@ -25,4 +25,9 @@ libapparmor_la_LDFLAGS = -version-info 1:2:0 -XCClinker -dynamic \
libimmunix_la_SOURCES = change_hat.c libimmunix_warning.c
libimmunix_la_LDFLAGS = -version-info 1:2:0 -Wl,--version-script=libapparmor.map -Wl,-soname=libimmunix.so.1
tst_aalogmisc_SOURCES = tst_aalogmisc.c
tst_aalogmisc_LDADD = .libs/libapparmor.a
check_PROGRAMS = tst_aalogmisc
TESTS = $(check_PROGRAMS)
EXTRA_DIST = grammar.y scanner.l libapparmor.map
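Review bot: `tst_aalogmisc_LDADD = .libs/libapparmor.a` (L45) links the test against a libtool-internal artifact rather than the `libapparmor.la` target automake expects, so the test's dependency on the library is invisible to automake and the rule breaks if libtool's output directory ever changes. Presumably this is deliberate: the sibling library on L43 is built with `-Wl,--version-script=libapparmor.map`, the truncated `libapparmor_la_LDFLAGS` line at L41 likely carries the same script, and `hex_to_string` is probably not on that export list, so only the static archive exposes it to the test. If that is the reason, a one-line comment above L45 such as `# link the static archive directly: hex_to_string is internal and not exported via libapparmor.map` would keep the next maintainer from "fixing" it back to `libapparmor.la`.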


@@ -74,10 +74,11 @@ aa_record_event_type lookup_aa_event(unsigned int type)
long t_long;
}
%type <t_str> old_profile;
%type <t_str> old_profile, safe_string;
%token <t_long> TOK_DIGITS TOK_TYPE_UNKNOWN
%token <t_str> TOK_QUOTED_STRING TOK_PATH TOK_ID TOK_NULL_COMPLAIN TOK_MODE TOK_DMESG_STAMP
%token <t_str> TOK_SINGLE_QUOTED_STRING TOK_AUDIT_DIGITS TOK_DATE_MONTH TOK_DATE_TIME
%token <t_str> TOK_HEXSTRING
%token TOK_EQUALS
%token TOK_COLON
@@ -373,9 +374,9 @@ key_list: key
key: TOK_KEY_OPERATION TOK_EQUALS TOK_QUOTED_STRING
{ ret_record->operation = strdup($3); free($3); }
| TOK_KEY_NAME TOK_EQUALS TOK_QUOTED_STRING
| TOK_KEY_NAME TOK_EQUALS safe_string
{ ret_record->name = strdup($3); free($3); }
| TOK_KEY_NAME2 TOK_EQUALS TOK_QUOTED_STRING
| TOK_KEY_NAME2 TOK_EQUALS safe_string
{ ret_record->name2 = strdup($3); free($3); }
| TOK_KEY_DENIED_MASK TOK_EQUALS TOK_QUOTED_STRING
{ ret_record->denied_mask = strdup($3); free($3);}
@@ -392,7 +393,7 @@ key: TOK_KEY_OPERATION TOK_EQUALS TOK_QUOTED_STRING
| TOK_KEY_INFO TOK_EQUALS TOK_QUOTED_STRING
{ ret_record->info = strdup($3); free($3);}
| key_pid
| TOK_KEY_PROFILE TOK_EQUALS TOK_QUOTED_STRING
| TOK_KEY_PROFILE TOK_EQUALS safe_string
{ ret_record->profile = strdup($3); free($3);}
| TOK_KEY_FAMILY TOK_EQUALS TOK_QUOTED_STRING
{ ret_record->net_family = strdup($3); free($3);}
@@ -406,6 +407,11 @@ key: TOK_KEY_OPERATION TOK_EQUALS TOK_QUOTED_STRING
key_pid: TOK_KEY_PID TOK_EQUALS TOK_DIGITS { ret_record->pid = $3; }
;
safe_string: TOK_QUOTED_STRING
| TOK_HEXSTRING
;
%%
aa_log_record *
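Review bot: `safe_string` (L86-L88) can hand the actions a NULL `$3`: its `TOK_HEXSTRING` alternative gets `t_str` from the scanner's `{hexstring}` rule (scanner.l hunk at L165), which stores `hex_to_string(yytext)` unchecked, and `hex_to_string` returns NULL when `malloc` fails, so `strdup($3)` at L68, L71 and L80 would then dereference NULL. In the hunks shown that rule is the only producer of the token, so one guard there, `if (!yylval->t_str) yyterminate();` before the `return`, covers all three actions. Independently, each action copies a string the scanner already allocated and then frees the original; `{ ret_record->name = $3; }` (likewise for `name2` at L71 and `profile` at L80) transfers ownership without the extra `strdup`/`free` pair and turns a NULL into an unset field rather than a crash.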


@@ -29,6 +29,8 @@
#include <stdlib.h>
#include <string.h>
#include <stdio.h>
#include "aalogparse.h"
#include "parser.h"
@@ -113,3 +115,31 @@ _init_log_record(aa_log_record *record)
record->net_sock_type = NULL;
return;
}
/* convert a hex-encoded string to its char* version */
char *
hex_to_string(char *hexstring)
{
char *ret = NULL;
char buf[3], *endptr;
size_t len;
int i;
if (!hexstring)
goto out;
len = strlen(hexstring) / 2;
ret = malloc(len + 1);
if (!ret)
goto out;
for (i = 0; i < len; i++) {
sprintf(buf, "%.2s", hexstring);
hexstring += 2;
ret[i] = (unsigned char) strtoul(buf, &endptr, 16);
}
ret[len] = '\0';
out:
return ret;
}
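Review bot: `hex_to_string` (L106-L126) never validates what it decodes: an odd-length input silently loses its final nibble because `len = strlen(hexstring) / 2` truncates, and `endptr` from `strtoul` is never examined, so a pair that is not two hex digits (`strtoul` also tolerates leading whitespace and a sign) decodes to a wrong byte without any error. The lexer only feeds it `({hex}{hex})+` text, but the function is exported through parser.h, so it should stand on its own; the loop counter is also an `int` compared against a `size_t`, which `-Wsign-compare` flags. The rewrite below decodes each pair directly with a nibble helper, rejects malformed input by returning NULL (the value the function already returns for a NULL argument or a failed `malloc`, so callers' NULL handling is unchanged) and drops the `sprintf`/`strtoul` round trip. One caveat worth a comment on the function: an encoded `00` pair yields an embedded NUL, which every strlen-based consumer, including the grammar's `strdup`, treats as the end of the string; whether a producer ever emits one is not shown here.
```c
/* value of a single hex digit, or -1 when c is not one */
static int hex_nibble(unsigned char c)
{
	if (c >= '0' && c <= '9')
		return c - '0';
	if (c >= 'A' && c <= 'F')
		return c - 'A' + 10;
	if (c >= 'a' && c <= 'f')
		return c - 'a' + 10;
	return -1;
}

/* convert a hex-encoded string to its char* version; the result is
 * malloc'd and owned by the caller.  Returns NULL for a NULL argument,
 * an odd-length or non-hex input, or a failed allocation. */
char *
hex_to_string(char *hexstring)
{
	char *ret = NULL;
	size_t len, i;

	if (!hexstring)
		goto out;

	len = strlen(hexstring);
	if (len % 2)		/* every byte needs exactly two digits */
		goto out;
	len /= 2;

	ret = malloc(len + 1);
	if (!ret)
		goto out;

	for (i = 0; i < len; i++) {
		int hi = hex_nibble((unsigned char) hexstring[2 * i]);
		int lo = hex_nibble((unsigned char) hexstring[2 * i + 1]);

		if (hi < 0 || lo < 0) {	/* not a valid hex pair */
			free(ret);
			ret = NULL;
			goto out;
		}
		ret[i] = (char) ((hi << 4) | lo);
	}
	ret[len] = '\0';
out:
	return ret;
}
```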


@@ -21,6 +21,7 @@
extern void _init_log_record(aa_log_record *record);
extern aa_log_record *_parse_yacc(char *str);
extern char *hex_to_string(char *str);
/* FIXME: this ought to be pulled from <linux/audit.h> but there's no
* guarantee these will exist there. */
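Review bot: The new prototype `extern char *hex_to_string(char *str);` (L133) carries no contract, and this header is where callers look: the buffer it returns is `malloc`'d by the callee and owned by the caller, and it returns NULL both for a NULL argument and when allocation fails (libaalogparse.c hunk, L112-L117). Suggest `/* decode an even-length hex string into a freshly malloc'd, NUL-terminated string the caller must free(); NULL on NULL input or allocation failure */` above the declaration. The parameter can also be `const char *str`, since the implementation only reads through it (it advances its own copy of the pointer at L120).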


@@ -33,11 +33,13 @@ ws [ \t\r\n]
equals "="
digits [0-9]+
hex [A-F0-9]
colon ":"
open_paren "("
close_paren ")"
ID [^ \t\n\(\)="'!]
path "/"{ID}*
hexstring ({hex}{hex})+
period "\."
modes [RrWwXxIiLlUuPpMm]
@@ -112,6 +114,7 @@ dmesg_timestamp \[[[:digit:] ]{5,}\.[[:digit:]]{6,}\]
%x single_quoted_string
%x hostname
%x dmesg_timestamp
%x safe_string
%%
%{
@@ -184,6 +187,15 @@ char *string_buf_ptr = string_buf; /* assignment to quiet gcc warning */
*string_buf_ptr++ = *yptr++;
}
}
<safe_string>{
"'" { string_buf_ptr = string_buf; BEGIN(single_quoted_string); }
\" { string_buf_ptr = string_buf; BEGIN(quoted_string); }
{hexstring} { yylval->t_str = hex_to_string(yytext); BEGIN(INITIAL); return(TOK_HEXSTRING);}
{equals} { return(TOK_EQUALS); }
. { /* eek, error! try another state */ BEGIN(INITIAL); yyless(0); }
}
{equals} { return(TOK_EQUALS); }
{digits} { yylval->t_long = atol(yytext); return(TOK_DIGITS); }
{colon} { return(TOK_COLON); }
@@ -234,8 +246,8 @@ char *string_buf_ptr = string_buf; /* assignment to quiet gcc warning */
{key_type} { return(TOK_KEY_TYPE); }
{key_msg} { return(TOK_KEY_MSG); }
{key_operation} { return(TOK_KEY_OPERATION); }
{key_name} { return(TOK_KEY_NAME); }
{key_name2} { return(TOK_KEY_NAME2); }
{key_name} { BEGIN(safe_string); return(TOK_KEY_NAME); }
{key_name2} { BEGIN(safe_string); return(TOK_KEY_NAME2); }
{key_denied_mask} { return(TOK_KEY_DENIED_MASK); }
{key_requested_mask} { return(TOK_KEY_REQUESTED_MASK); }
{key_attribute} { BEGIN(sub_id); return(TOK_KEY_ATTRIBUTE); }
@@ -244,7 +256,7 @@ char *string_buf_ptr = string_buf; /* assignment to quiet gcc warning */
{key_magic_token} { return(TOK_KEY_MAGIC_TOKEN); }
{key_info} { return(TOK_KEY_INFO); }
{key_pid} { return(TOK_KEY_PID); }
{key_profile} { return(TOK_KEY_PROFILE); }
{key_profile} { BEGIN(safe_string); return(TOK_KEY_PROFILE); }
{key_family} { return(TOK_KEY_FAMILY); }
{key_sock_type} { return(TOK_KEY_SOCK_TYPE); }
{key_protocol} { return(TOK_KEY_PROTOCOL); }
@@ -261,7 +273,7 @@ char *string_buf_ptr = string_buf; /* assignment to quiet gcc warning */
<dmesg_timestamp>{
{ws}+ { /* eat whitespace */ }
{dmesg_timestamp} { yylval->t_str = strdup(yytext); BEGIN(INITIAL); return(TOK_DMESG_STAMP); }
. { BEGIN(INITIAL); yyless(0); }
. { /* no timestamp in this message */ BEGIN(INITIAL); yyless(0); }
}
{audit} { BEGIN(audit_id); return(TOK_AUDIT); }
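Review bot: The `<safe_string>` block (L162-L168) has no comment saying why it exists; nothing near it records that `{key_name}`, `{key_name2}` and `{key_profile}` (L178-L179, L188) enter it or what shape of value it expects. Suggest a leading comment such as `/* value of name=, name2= or profile=: a quoted string, or a bare hex encoding of the raw bytes that hex_to_string() decodes; anything else is pushed back and lexed in INITIAL */`. Worth recording in the same comment that `hex` (L142) matches only upper-case digits, so a lower-case encoding, should any producer emit one, falls to the `.` rule at L167 instead of being decoded. Also note for consumers that a decoded value can contain bytes the quoted forms cannot carry, as the new test case's `/tmp/does not exist` (L233, L246) shows, so code reading `name`/`profile` must not assume the field is a single printable word.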


@@ -0,0 +1,35 @@
#include <stdlib.h>
#include <string.h>
#include <stdio.h>
#include "aalogparse.h"
#include "parser.h"
#define MY_TEST(statement, error) \
if (!(statement)) { \
fprintf(stderr, "FAIL: %s\n", error); \
rc = 1; \
}
int main(void)
{
int rc = 0;
char *retstr = NULL;
retstr = hex_to_string(NULL);
MY_TEST(!retstr, "basic NULL test");
retstr = hex_to_string("2F746D702F646F6573206E6F74206578697374");
MY_TEST(retstr, "basic allocation");
MY_TEST(strcmp(retstr, "/tmp/does not exist") == 0, "basic dehex 1");
retstr = hex_to_string("61");
MY_TEST(strcmp(retstr, "a") == 0, "basic dehex 2");
retstr = hex_to_string("");
MY_TEST(strcmp(retstr, "") == 0, "empty string");
return rc;
}
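Review bot: Every `hex_to_string` result in `main` (L218-L226) is leaked — `retstr` is overwritten at L223 and L225 without a `free`, and nothing frees the last one — and the `strcmp` checks at L222, L224 and L226 dereference `retstr` even when the preceding allocation check has failed, so an allocation failure turns a reported FAIL into a crash. Add `free(retstr);` after each check and guard the comparisons, e.g. `MY_TEST(retstr && strcmp(retstr, "a") == 0, "basic dehex 2");`. `MY_TEST` itself (L209-L213) expands to a bare `if`, which silently binds a following `else` and misbehaves under an unbraced `if`; the usual `do { … } while (0)` wrapper below fixes that. A case with odd-length or non-hex input would also pin down what the function does with malformed text, which none of the current cases exercise.
```c
#define MY_TEST(statement, error) \
	do { \
		if (!(statement)) { \
			fprintf(stderr, "FAIL: %s\n", error); \
			rc = 1; \
		} \
	} while (0)
```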


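--- /dev/null
+++ b/test_multi/testcase22.in
@@ -0,0 +1 @@
+type=APPARMOR_DENIED msg=audit(1190305421.066:14665): type=1503 operation="inode_permission" requested_mask="w" denied_mask="w" name=2F746D702F646F6573206E6F74206578697374 pid=31401 profile="/home/steve/tmp/sh"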


@@ -0,0 +1,12 @@
START
File: test_multi/testcase22.in
Event type: AA_RECORD_DENIED
Audit ID: 1190305421.066:14665
Operation: inode_permission
Mask: w
Denied Mask: w
Profile: /home/steve/tmp/sh
Name: /tmp/does not exist
PID: 31401
Epoch: 1190305421
Audit subid: 14665