- Added "protocol", "family" and "sock_type" to the parser to

support the initial network support.

changehat/libapparmor/src/aalogparse.h

@@ -131,6 +131,9 @@ typedef struct
 	char *parent;	
 	char *info;
 	char *active_hat;
+	char *net_family;
+	char *net_protocol;
+	char *net_sock_type;
 } aa_log_record;
 
 /**

changehat/libapparmor/src/grammar.y

@@ -97,6 +97,9 @@ void aalogparse_error(void *scanner, char const *s)
 %token TOK_KEY_PROFILE
 %token TOK_AUDIT
 %token TOK_KEY_IMAGE
+%token TOK_KEY_FAMILY
+%token TOK_KEY_SOCK_TYPE
+%token TOK_KEY_PROTOCOL
 
 %%
 
@@ -342,6 +345,12 @@ key_list: TOK_KEY_OPERATION TOK_EQUALS TOK_QUOTED_STRING
 	{ ret_record->pid = $3;}
 	| TOK_KEY_PROFILE TOK_EQUALS TOK_QUOTED_STRING
 	{ ret_record->profile = strdup($3); free($3);}
+	| TOK_KEY_FAMILY TOK_EQUALS TOK_QUOTED_STRING
+	{ ret_record->net_family = strdup($3); free($3);}
+	| TOK_KEY_SOCK_TYPE TOK_EQUALS TOK_QUOTED_STRING
+	{ ret_record->net_sock_type = strdup($3); free($3); }
+	| TOK_KEY_PROTOCOL TOK_EQUALS TOK_QUOTED_STRING
+	{ ret_record->net_protocol = strdup($3); free($3);}
 	;
 
 %%

changehat/libapparmor/src/libaalogparse.c

@@ -69,6 +69,13 @@ free_record(aa_log_record *record)
 			free(record->active_hat);
 		if (record->audit_id != NULL)
 			free(record->audit_id);
+		if (record->net_family != NULL)
+			free(record->net_family);
+		if (record->net_protocol != NULL)
+			free(record->net_protocol);
+		if (record->net_sock_type != NULL)
+			free(record->net_sock_type);
+
 		free(record);
 	}
 	return;
@@ -99,5 +106,8 @@ _init_log_record(aa_log_record *record)
 	record->parent = NULL;
 	record->info = NULL;
 	record->active_hat = NULL;
+	record->net_family = NULL;
+	record->net_protocol = NULL;
+	record->net_sock_type = NULL;
 	return;
 }

changehat/libapparmor/src/scanner.l

@@ -89,6 +89,9 @@ key_info		"info"
 key_pid			"pid"
 key_profile		"profile"
 key_image		"image"
+key_family		"family"
+key_sock_type		"sock_type"
+key_protocol		"protocol"
 audit			"audit"
 
 %x quoted_string
@@ -221,6 +224,10 @@ char *string_buf_ptr;
 {key_info}		{ return(TOK_KEY_INFO); }
 {key_pid}		{ return(TOK_KEY_PID); }
 {key_profile}		{ return(TOK_KEY_PROFILE); }
+{key_family}		{ return(TOK_KEY_FAMILY); }
+{key_sock_type}		{ return(TOK_KEY_SOCK_TYPE); }
+{key_protocol}		{ return(TOK_KEY_PROTOCOL); }
+
 {audit}			{ BEGIN(audit_id); return(TOK_AUDIT); }
 {null_complain}		{ return(TOK_NULL_COMPLAIN); }
 {key_image}		{  BEGIN(sub_id); return(TOK_KEY_IMAGE); }

changehat/libapparmor/testsuite/test_multi.c

@@ -153,5 +153,17 @@ int print_results(aa_log_record *record)
 		{
 			printf("Active hat: %s\n", record->active_hat);
 		}
+		if (record->net_family != NULL)
+		{
+			printf("Network family: %s\n", record->net_family);
+		}
+		if (record->net_sock_type != NULL)
+		{
+			printf("Socket type: %s\n", record->net_sock_type);
+		}
+		if (record->net_protocol != NULL)
+		{
+			printf("Protocol: %s\n", record->net_protocol);
+		}
 	return(0);
 }

changehat/libapparmor/testsuite/test_multi/testcase1.in

@@ -1 +1 @@
-type=APPARMOR_DENIED msg=audit(1181057184.959:7): operation="exec" denied_mask="x" name="/bin/ping" pid=31938 profile="/bin/ping" name2="ping2" requested_mask="rwx" attribute="attr" task="something" parent="something" magic_token=29493 info="Information"
+type=APPARMOR_DENIED msg=audit(1181057184.959:7): operation="exec" denied_mask="x" name="/bin/ping" pid=31938 profile="/bin/ping" name2="ping2" requested_mask="rwx" attribute="attr" task="something" parent="something" magic_token=29493 info="Information" protocol="tcp" family="family" sock_type="unknown(1234)"

changehat/libapparmor/testsuite/test_multi/testcase1.out

@@ -13,3 +13,6 @@ Parent: something
 Token: 29493
 Info: Information
 PID: 31938
+Network family: family
+Socket type: unknown(1234)
+Protocol: tcp