diff --git a/utils/Makefile b/utils/Makefile index fc6ac6528..fefe06c24 100644 --- a/utils/Makefile +++ b/utils/Makefile @@ -27,10 +27,10 @@ common/Make.rules: $(COMMONDIR)/Make.rules endif TOOLS = genprof logprof autodep audit complain enforce \ - unconfined aa-eventd apparmor_status + unconfined aa-eventd apparmor_status aa-decode AA_MANPAGES = autodep.8 complain.8 enforce.8 logprof.8 genprof.8 unconfined.8 audit.8 -MANPAGES = ${AA_MANPAGES} logprof.conf.5 apparmor_status.8 +MANPAGES = ${AA_MANPAGES} logprof.conf.5 apparmor_status.8 aa-decode.8 all: ${MANPAGES} ${HTMLMANPAGES} make -C po all diff --git a/utils/aa-decode b/utils/aa-decode new file mode 100755 index 000000000..e6e911368 --- /dev/null +++ b/utils/aa-decode 
@@ -0,0 +1,75 @@
+#!/bin/sh
+#
+# Copyright (C) 2009-2010 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, contact Canonical, Ltd.
+#
+
+set -e
+
+help() {
+ cat <
+Decode a hex-encoded string to ASCII. It will also take an audit log on
+standard input and convert any hex-encoded AppArmor log entries and display
+them on standard output.
+
+OPTIONS:
+ --help display this help
+
+EXAMPLES:
+$ aa-decode 2F746D702F666F6F20626172
+Decoded: /tmp/foo bar
+$ cat /var/log/kern.log | aa-decode
+... denied_mask="r::" fsuid=1000 ouid=1000 name=/tmp/foo bar
+EOM
+}
+
+decode() {
+ decoded=`perl -le "\\$s = '$1' ; print pack 'H*', \\$s"`
+ echo "$decoded"
+}
+
+if [ "$1" = "-h" ] || [ "$1" = "--help" ]; then
+ help
+ exit
+fi
+
+# if have an argument, then use it, otherwise process stdin
+if [ -n "$1" ]; then
+ e=`echo "$1" | tr -s '[:lower:]' '[:upper:]'`
+ if ! echo "$e" | egrep -q "^[0-9A-F]+$" ; then
+ echo "String should only contain hex characters (0-9, a-f, A-F)"
+ return
+ fi
+
+ d=`decode $e`
+ if [ -z "$d" ]; then
+ echo "Could not decode string"
+ exit 1
+ fi
+
+ echo "Decoded: $d"
+ exit 0
+fi
+
+# For now just look at 'name=...' which is usually the last in the log entry,
+# so validate input against this and output based on it.
+# TODO: better handle other cases too
+egrep ' name=2[fF][0-9a-fA-F]*$' | while read line ; do
+ e=`echo "$line" | sed 's/.* name=\(.*\)/\\1/g' | tr -s '[:lower:]' '[:upper:]'`
+ d=`decode $e`
+ echo -n "$line" | sed "s/\(.*\) name=.*/\1 name=/g"
+ echo "'$d'"
+done
+
diff --git a/utils/aa-decode.pod b/utils/aa-decode.pod
new file mode 100644
index 000000000..ce2079909
--- /dev/null
+++ b/utils/aa-decode.pod
@@ -0,0 +1,47 @@
+# $Id$
+
+=pod
+
+=head1 NAME
+
+aa-decode - decode hex-encoded in AppArmor log files
+
+=head1 SYNOPSIS
+
+B [option]
+
+=head1 DESCRIPTION
+
+B will decode hex-encoded strings as seen in AppArmor log
+output. It will also take an audit log on standard input and convert
+any hex-encoded AppArmor log entries and display them on standard
+output.
+
+=head1 OPTIONS
+
+=over 4
+
+=item --help
+
+displays a short usage statement.
+
+=back
+
+=head1 EXAMPLES
+
+ $ aa-decode 2F746D702F666F6F20626172
+ Decoded: /tmp/foo bar
+
+ $ cat /var/log/kern.log | aa-decode
+ ... denied_mask="r::" fsuid=1000 ouid=1000 name=/tmp/foo bar
+
+=head1 BUGS
+
+None. Please report any you find to Launchpad at
+L.
+
+=head1 SEE ALSO
+
+apparmor(7)
+
+=cut
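Review bot: In `decode()` of utils/aa-decode the hex string is spliced into the Perl program text (`'$1'` inside the `-le` script), so the function is only safe because both callers happen to restrict the value to hex digits first. Passing it as an argument removes that coupling, which matters once the TODO about handling other log fields loosens the input filter: `decoded=$(perl -le 'print pack "H*", shift' -- "$1")`. In the argument path, the invalid-input branch uses `return` outside any function, whose behaviour at script top level depends on the shell; `exit 1` gives a defined non-zero status. The decoded name is also written out verbatim in both paths, and since these names are presumably hex-encoded because they contain spaces, quotes or control bytes, a crafted file name can place newlines or terminal escape sequences in the output. A filter for non-printable bytes, or at least a caveat in the help text and man page, would be worth adding.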