merge -r 1158 - fix fatal errors so that they have an exit with an exit code

of 127

.bzrignore

@@ -1,165 +0,0 @@
-parser/po/*.mo
-parser/af_names.h
-parser/cap_names.h
-parser/tst_misc
-parser/tst_regex
-parser/tst_symtab
-parser/tst_variable
-parser/parser_lex.c
-parser/parser_version.h
-parser/parser_yacc.c
-parser/parser_yacc.h
-parser/pod2htm*.tmp
-parser/*.7
-parser/*.5
-parser/*.8
-parser/*.7.html
-parser/*.5.html
-parser/*.8.html
-parser/common
-parser/apparmor_parser
-parser/libapparmor_re/regexp.cc
-parser/techdoc.aux
-parser/techdoc.log
-parser/techdoc.pdf
-parser/techdoc.toc
-libraries/libapparmor/Makefile
-libraries/libapparmor/Makefile.in
-libraries/libapparmor/aclocal.m4
-libraries/libapparmor/audit.log
-libraries/libapparmor/autom4te.cache
-libraries/libapparmor/compile
-libraries/libapparmor/config.guess
-libraries/libapparmor/config.log
-libraries/libapparmor/config.status
-libraries/libapparmor/config.sub
-libraries/libapparmor/configure
-libraries/libapparmor/depcomp
-libraries/libapparmor/install-sh
-libraries/libapparmor/libtool
-libraries/libapparmor/ltmain.sh
-libraries/libapparmor/missing
-libraries/libapparmor/ylwrap
-libraries/libapparmor/doc/Makefile
-libraries/libapparmor/doc/Makefile.in
-libraries/libapparmor/doc/*.2
-libraries/libapparmor/src/.deps
-libraries/libapparmor/src/.libs
-libraries/libapparmor/src/Makefile
-libraries/libapparmor/src/Makefile.in
-libraries/libapparmor/src/af_protos.h
-libraries/libapparmor/src/change_hat.lo
-libraries/libapparmor/src/grammar.lo
-libraries/libapparmor/src/libaalogparse.lo
-libraries/libapparmor/src/libimmunix_warning.lo
-libraries/libapparmor/src/scanner.lo
-libraries/libapparmor/src/libapparmor.la
-libraries/libapparmor/src/libimmunix.la
-libraries/libapparmor/src/grammar.c
-libraries/libapparmor/src/grammar.h
-libraries/libapparmor/src/scanner.c
-libraries/libapparmor/src/scanner.h
-libraries/libapparmor/src/tst_aalogmisc
-libraries/libapparmor/swig/Makefile
-libraries/libapparmor/swig/Makefile.in
-libraries/libapparmor/swig/perl/LibAppArmor.bs
-libraries/libapparmor/swig/perl/LibAppArmor.pm
-libraries/libapparmor/swig/perl/Makefile
-libraries/libapparmor/swig/perl/Makefile.PL
-libraries/libapparmor/swig/perl/Makefile.in
-libraries/libapparmor/swig/perl/Makefile.perl
-libraries/libapparmor/swig/perl/blib
-libraries/libapparmor/swig/perl/libapparmor_wrap.c
-libraries/libapparmor/swig/perl/pm_to_blib
-libraries/libapparmor/swig/python/Makefile
-libraries/libapparmor/swig/python/Makefile.in
-libraries/libapparmor/swig/python/setup.py
-libraries/libapparmor/swig/ruby/Makefile
-libraries/libapparmor/swig/ruby/Makefile.in
-libraries/libapparmor/testsuite/.deps
-libraries/libapparmor/testsuite/.libs
-libraries/libapparmor/testsuite/Makefile
-libraries/libapparmor/testsuite/Makefile.in
-libraries/libapparmor/testsuite/libaalogparse.log
-libraries/libapparmor/testsuite/libaalogparse.sum
-libraries/libapparmor/testsuite/site.exp
-libraries/libapparmor/testsuite/test_multi.multi
-libraries/libapparmor/testsuite/config/Makefile
-libraries/libapparmor/testsuite/config/Makefile.in
-libraries/libapparmor/testsuite/lib/Makefile
-libraries/libapparmor/testsuite/lib/Makefile.in
-libraries/libapparmor/testsuite/libaalogparse.test/Makefile
-libraries/libapparmor/testsuite/libaalogparse.test/Makefile.in
-libraries/libapparmor/testsuite/test_multi/out
-changehat/mod_apparmor/.libs
-changehat/mod_apparmor/common
-changehat/pam_apparmor/common
-changehat/tomcat_apparmor/common
-utils/common
-utils/*.8
-utils/*.8.html
-utils/*.5
-utils/*.5.html
-utils/*.tmp
-utils/po/*.mo
-tests/regression/apparmor/access
-tests/regression/apparmor/changehat
-tests/regression/apparmor/changehat_fail
-tests/regression/apparmor/changehat_fork
-tests/regression/apparmor/changehat_misc
-tests/regression/apparmor/changehat_misc2
-tests/regression/apparmor/changehat_pthread
-tests/regression/apparmor/changehat_twice
-tests/regression/apparmor/changehat_wrapper
-tests/regression/apparmor/changeprofile
-tests/regression/apparmor/chdir
-tests/regression/apparmor/chgrp
-tests/regression/apparmor/chmod
-tests/regression/apparmor/chown
-tests/regression/apparmor/clone
-tests/regression/apparmor/deleted
-tests/regression/apparmor/env_check
-tests/regression/apparmor/environ
-tests/regression/apparmor/exec
-tests/regression/apparmor/exec_qual
-tests/regression/apparmor/exec_qual2
-tests/regression/apparmor/fchdir
-tests/regression/apparmor/fchgrp
-tests/regression/apparmor/fchmod
-tests/regression/apparmor/fchown
-tests/regression/apparmor/fork
-tests/regression/apparmor/link
-tests/regression/apparmor/link_subset
-tests/regression/apparmor/mkdir
-tests/regression/apparmor/mmap
-tests/regression/apparmor/mount
-tests/regression/apparmor/named_pipe
-tests/regression/apparmor/net_raw
-tests/regression/apparmor/open
-tests/regression/apparmor/openat
-tests/regression/apparmor/pipe
-tests/regression/apparmor/ptrace
-tests/regression/apparmor/ptrace_helper
-tests/regression/apparmor/pwrite
-tests/regression/apparmor/readdir
-tests/regression/apparmor/rename
-tests/regression/apparmor/rw
-tests/regression/apparmor/swap
-tests/regression/apparmor/symlink
-tests/regression/apparmor/syscall_chroot
-tests/regression/apparmor/syscall_mknod
-tests/regression/apparmor/syscall_mlockall
-tests/regression/apparmor/syscall_ptrace
-tests/regression/apparmor/syscall_reboot
-tests/regression/apparmor/syscall_setdomainname
-tests/regression/apparmor/syscall_sethostname
-tests/regression/apparmor/syscall_setpriority
-tests/regression/apparmor/syscall_setscheduler
-tests/regression/apparmor/syscall_sysctl
-tests/regression/apparmor/sysctl_proc
-tests/regression/apparmor/tcp
-tests/regression/apparmor/unix_fd_client
-tests/regression/apparmor/unix_fd_server
-tests/regression/apparmor/unlink
-tests/regression/apparmor/xattrs
-tests/regression/apparmor/coredump

Makefile

@@ -1,4 +1,5 @@
 #
+# $Id$
 #
 OVERRIDE_TARBALL=yes
 
@@ -16,44 +17,22 @@ DIRS=parser \
      common \
      tests
 
-REPO_URL?=lp:apparmor/2.6
-# alternate possibilities to export from
-#REPO_URL=.
-#REPO_URL="bzr+ssh://bazaar.launchpad.net/~sbeattie/+junk/apparmor-dev/"
-
-RELEASE_DIR=apparmor-${VERSION}
-__SETUP_DIR?=.
+RELEASE_DIR=apparmor-${VERSION}-${REPO_VERSION}
 
 .PHONY: tarball
-tarball: clean
-	REPO_VERSION=`$(value REPO_VERSION_CMD)` ; \
-	make export_dir __EXPORT_DIR=${RELEASE_DIR} __REPO_VERSION=$${REPO_VERSION} ; \
-	make setup __SETUP_DIR=${RELEASE_DIR} ; \
+tarball: _dist
 	tar cvzf ${RELEASE_DIR}.tar.gz ${RELEASE_DIR}
 
-.PHONY: snapshot
-snapshot: clean
-	REPO_VERSION=`$(value REPO_VERSION_CMD)` ; \
-	SNAPSHOT_DIR=apparmor-${VERSION}~$${REPO_VERSION} ;\
-	make export_dir __EXPORT_DIR=$${SNAPSHOT_DIR} __REPO_VERSION=$${REPO_VERSION} ; \
-	make setup __SETUP_DIR=$${SNAPSHOT_DIR} ; \
-	tar cvzf $${SNAPSHOT_DIR}.tar.gz $${SNAPSHOT_DIR} ;
+${RELEASE_DIR}:
+	mkdir ${RELEASE_DIR}
 
+.PHONY: _dist
+.PHONY: ${DIRS}
 
-.PHONY: export_dir
-export_dir:
-	mkdir $(__EXPORT_DIR)
-	/usr/bin/bzr export --per-file-timestamps -r $(__REPO_VERSION) $(__EXPORT_DIR) $(REPO_URL)
-	echo "$(REPO_URL) $(__REPO_VERSION)" > $(__EXPORT_DIR)/common/.stamp_rev
+_dist: clean ${DIRS}
+	
+${DIRS}: ${RELEASE_DIR}
+	svn export -r $(REPO_VERSION) $(REPO_URL)/$@ $(RELEASE_DIR)/$@ ; \
 
-.PHONY: clean
 clean:
-	-rm -rf ${RELEASE_DIR} ./apparmor-${VERSION}~*
-
-.PHONY: setup
-setup:
-	cd $(__SETUP_DIR)/libraries/libapparmor && ./autogen.sh
-
-.PHONY: tag
-tag:
-	bzr tag apparmor_${VERSION}
+	-rm -rf ${RELEASE_DIR}

README

@@ -1,181 +0,0 @@
-------------
-Introduction
-------------
-AppArmor protects systems from insecure or untrusted processes by
-running them in restricted confinement, while still allowing processes
-to share files, exercise privilege and communicate with other processes.
-AppArmor is a Mandatory Access Control (MAC) mechanism which uses the
-Linux Security Module (LSM) framework. The confinement's restrictions
-are mandatory and are not bound to identity, group membership, or object
-ownership. The protections provided are in addition to the kernel's
-regular access control mechanisms (including DAC) and can be used to
-restrict the superuser.
-
-The AppArmor kernel module and accompanying user-space tools are
-available under the GPL license (the exception is the libapparmor
-library, available under the LGPL license, which allows change_hat(2)
-and change_profile(2) to be used by non-GPL binaries).
-
-For more information, you can read the techdoc.pdf (available after
-building the parser) and by visiting the http://apparmor.net/ web
-site.
-
-
--------------
-Source Layout
--------------
-
-AppArmor consists of several different parts:
-
-changehat/	source for using changehat with Apache, PAM and Tomcat
-common/		common makefile rules
-desktop/	empty
-kernel-patches/	compatibility patches for various kernel versions
-libraries/	libapparmor source and language bindings
-parser/		source for parser/loader and corresponding documentation
-profiles/	configuration files, reference profiles and abstractions
-tests/		regression and stress testsuites
-utils/		high-level utilities for working with AppArmor
-
---------------------------------------
-Important note on AppArmor kernel code
---------------------------------------
-
-While most of the kernel AppArmor code has been accepted in the
-upstream Linux kernel, a few important pieces were not included. These
-missing pieces unfortunately are important bits for AppArmor userspace
-and kernel interaction; therefore we have included compatibility
-patches in the kernel-patches/ subdirectory, versioned by upstream
-kernel (2.6.37 patches should apply cleanly to 2.6.38 source).
-
-Without these patches applied to the kernel, the AppArmor userspace
-will not function correctly.
-
-------------------------------------------
-Building and Installing AppArmor Userspace
-------------------------------------------
-
-To build and install AppArmor userspace on your system, build and install in
-the following order.
-
-
-libapparmor:
-$ cd ./libraries/libapparmor
-$ sh ./autogen.sh
-$ sh ./configure --prefix=/usr --with-perl	# see below
-$ make
-$ make check
-
-[optional arguments to libapparmor's configure include --with-python
- and --with-ruby, to generate python and ruby bindings to libapparmor,
- respectively.]
-
-
-Utilities:
-$ cd utils
-$ make
-$ make install
-
-
-parser:
-$ cd parser
-$ make
-$ make tests	# not strictly necessary as they are run during the
-		# build by default
-$ make install
-
-
-Apache mod_apparmor:
-$ cd changehat/mod_apparmor
-$ make		# depends on libapparmor having been built first
-$ make install
-
-
-PAM AppArmor:
-$ cd changehat/pam_apparmor
-$ make		# depends on libapparmor having been built first
-$ make install
-
-
-Profiles:
-$ cd profiles
-$ make
-$ make check	# depends on the parser having been built first
-$ make install
-
-
--------------------
-AppArmor Testsuites
--------------------
-
-A number of testsuites are in the AppArmor sources. Most have documentation on
-usage and how to update and add tests. Below is a quick overview of their
-location and how to run them.
-
-
-Regression tests
-----------------
-For details on structure and adding tests, see
-tests/regression/apparmor/README.
-
-To run:
-$ cd tests/regression/apparmor (requires root)
-$ make
-$ sudo make tests
-$ sudo bash open.sh -r	 # runs and saves the last testcase from open.sh
-
-
-Parser tests
-------------
-For details on structure and adding tests, see parser/tst/README.
-
-To run:
-$ cd parser/tst
-$ make
-$ make tests
-
-
-Libapparmor
------------
-For details on structure and adding tests, see libraries/libapparmor/README.
-$ cd libraries/libapparmor
-$ make check
-
-Profile checks
---------------
-A basic consistency check to ensure that the parser and aa-logprof parse
-successfully the current set of shipped profiles. The system or other
-parser and logprof can be passed in by overriding the PARSER and LOGPROF
-variables.
-$ cd profiles
-$ make && make check
-
-Stress Tests
-------------
-To run AppArmor stress tests:
-$ make all
-
-Use these:
-$ ./change_hat
-$ ./child
-$ ./kill.sh
-$ ./open
-$ ./s.sh
-
-Or run all at once:
-$ ./stress.sh
-
-Please note that the above will stress the system so much it may end up
-invoking the OOM killer.
-
-To run parser stress tests (requires /usr/bin/ruby):
-$ ./stress.sh
-
-(see stress.sh -h for options)
-
------------------------------------------------
-Building and Installing AppArmor Kernel Patches
------------------------------------------------
-
-TODO
-

changehat/libapparmor/AUTHORS

@@ -1,2 +1,2 @@
-Steve Beattie <sbeattie@ubuntu.com>
+Steve Beattie <sbeattie@suse.de>
 Matt Barringer <mbarringer@suse.de>

changehat/libapparmor/configure.in

@@ -1,19 +1,12 @@
-m4_define([__apparmor_version], m4_sinclude(common/Version))
-m4_ifdef(__apparmor_version, , m4_define([__apparmor_version], m4_sinclude(../../common/Version)))
-m4_define([__aalen], decr(len(__apparmor_version)))
-m4_define([apparmor_version], m4_substr(__apparmor_version, 0, __aalen))
-
 AC_INIT(configure.in)
 
-AM_INIT_AUTOMAKE(libapparmor1, apparmor_version)
+AM_INIT_AUTOMAKE(libapparmor1, 2.2)
 
 AM_PROG_LEX
 AC_PROG_YACC
-AC_PROG_SED
 
 AC_PATH_PROG([SWIG], [swig])
 
-sinclude(m4/ac_pod2man.m4)
 PROG_POD2MAN
 
 AC_MSG_CHECKING(Checking for Python)
@@ -75,9 +68,7 @@ doc/Makefile
 src/Makefile
 swig/Makefile
 swig/perl/Makefile
-swig/perl/Makefile.PL
 swig/python/Makefile
-swig/python/setup.py
 swig/ruby/Makefile
 testsuite/Makefile
 testsuite/config/Makefile

changehat/libapparmor/doc/Makefile.am

@@ -2,7 +2,7 @@
 
 POD2MAN = pod2man
 
-man_MANS = aa_change_hat.2 aa_change_profile.2
+man_MANS = aa_change_hat.2
 
 PODS = $(subst .2,.pod,$(man_MANS))
 

changehat/libapparmor/doc/aa_change_hat.pod

@@ -1,21 +1,23 @@
-# This publication is intellectual property of Novell Inc. and Canonical
-# Ltd. Its contents can be duplicated, either in part or in whole, provided
-# that a copyright label is visibly located on each copy.
-#
+# $Id: change_hat.pod 534 2007-04-03 20:08:50Z steve-beattie $
+# This publication is intellectual property of Novell Inc. Its contents
+# can be duplicated, either in part or in whole, provided that a copyright
+# label is visibly located on each copy.
+# 
 # All information found in this book has been compiled with utmost
 # attention to detail. However, this does not guarantee complete accuracy.
-# Neither SUSE LINUX GmbH, Canonical Ltd, the authors, nor the translators
-# shall be held liable for possible errors or the consequences thereof.
-#
+# Neither SUSE LINUX GmbH, the authors, nor the translators shall be held
+# liable for possible errors or the consequences thereof.
+# 
 # Many of the software and hardware descriptions cited in this book
 # are registered trademarks. All trade names are subject to copyright
 # restrictions and may be registered trade marks. SUSE LINUX GmbH
-# and Canonical Ltd. essentially adhere to the manufacturer's spelling.
-#
+# essentially adheres to the manufacturer's spelling.
+# 
 # Names of products and trademarks appearing in this book (with or without
 # specific notation) are likewise subject to trademark and trade protection
 # laws and may thus fall under copyright restrictions.
-#
+# 
+# Please direct suggestions and comments to apparmor-general@forge.novell.com.
 
 
 =pod
@@ -29,8 +31,6 @@ aa_change_hat  - change to or from a "hat" within a AppArmor profile
 B<#include E<lt>sys/apparmor.hE<gt>>
 
 B<int aa_change_hat (char *subprofile, unsigned long magic_token);>
-B<int aa_change_hatv (char *subprofiles[], unsigned long magic_token);>
-B<int aa_change_hat_vargs (unsigned long magic_token, ...);>
 
 Link with B<-lapparmor> when compiling.
 
@@ -39,30 +39,11 @@ Link with B<-lapparmor> when compiling.
 An AppArmor profile applies to an executable program; if a portion of
 the program needs different access permissions than other portions,
 the program can "change hats" to a different role, also known as a
-subprofile.
-
-To change into a new hat, it calls one of the family of change_hat
-functions to do so. It passes in a pointer to the I<subprofile> which it
+subprofile. To change into a new hat, it calls the aa_change_hat()
+function to do so. It passes in a pointer to the I<subprofile> which it
 wants to change into, and a 64bit I<magic_token>.  The I<magic_token>
 is used to return out of the subprofile at a later time.
 
-The aa_change_hat() function allows specifying the name of a single
-I<subprofile> that the application wants to change into.  A pointer to the
-name of the I<subprofile> is passed along with the I<magic_token>.  If the
-profile is not present the call will fail with the appropriate error.
-
-The aa_change_hatv() function allows passing a I<NULL> terminated vector
-of pointers to I<subprofile> names which will be tried in order.  The
-first I<subprofile> in the vector that exists will be transitioned to
-and if none of the I<subprofiles> exist the call will fail with the
-appropriate error.
-
-The aa_change_hat_vargs() function is a convenience wrapper for the
-aa_change_hatv() function.  After the I<magic_token> it takes an arbitrary
-number of pointers to I<subprofile> names.  Similar to execl(3),
-aa_change_hat_vargs() assembles the list of I<subprofile> names into a
-vector and calls aa_change_hatv().
-
 If a program wants to return out of the current subprofile to the
 original profile, it calls aa_change_hat() with a pointer to NULL as
 the I<subprofile>, and the original I<magic_token> value. If the
@@ -72,6 +53,9 @@ original profile will not happen, and the current task will be killed.
 If the I<magic_token> matches the original token, then the process will
 change back to the original profile.
 
+If the program wants to change to a subprofile that it can never
+change back out of, the application should call aa_change_hat() with a
+I<magic_token> of I<0>.
 
 As both read(2) and write(2) are mediated, a file must be listed in a
 subprofile definition if the file is to be accessed while the process
@@ -236,15 +220,14 @@ The output when run:
 
 =head1 BUGS
 
-None known. If you find any, please report them at
-L<http://https://bugs.launchpad.net/apparmor/+filebug>. Note that
-aa_change_hat(2) provides no memory barriers between different areas of a
-program; if address space separation is required, then separate processes
-should be used.
+None known. If you find any, please report them to bugzilla at
+L<http://bugzilla.novell.com>. Note that aa_change_hat(2) provides no
+memory barriers between different areas of a program; if address space
+separation is required, then separate processes should be used.
 
 =head1 SEE ALSO
 
-apparmor(7), apparmor.d(5), apparmor_parser(8), aa_change_profile(2) and
-L<http://wiki.apparmor.net>.
+apparmor(7), apparmor.d(5), apparmor_parser(8), and
+L<http://forge.novell.com/modules/xfmod/project/?apparmor>.
 
 =cut

changehat/libapparmor/libapparmor1.spec

@@ -5,7 +5,7 @@
 %define _unpackaged_files_terminate_build 0
 
 Name:		libapparmor1
-Version:	2.5
+Version:	2.2
 Release:	3.20070916
 License:	LGPL
 Group:		Development/Libraries/C and C++

changehat/libapparmor/m4/ac_pod2man.m4

@@ -1,4 +1,4 @@
-AC_DEFUN([PROG_POD2MAN],[
+AC_DEFUN(PROG_POD2MAN,[
    AC_CHECK_PROG(POD2MAN,pod2man,pod2man,no)
    if test "$POD2MAN" = "no"; then
       AC_MSG_ERROR([

changehat/libapparmor/src/Makefile.am

@@ -1,6 +1,6 @@
 INCLUDES = $(all_includes)
 
-BUILT_SOURCES = grammar.h scanner.h af_protos.h
+BUILT_SOURCES = grammar.h scanner.h
 AM_LFLAGS = -v
 AM_YFLAGS = -d -p aalogparse_
 AM_CFLAGS = @CFLAGS@ -D_GNU_SOURCE -Wall
@@ -9,9 +9,6 @@ scanner.h: scanner.l
 
 scanner.c: scanner.l
 
-af_protos.h: /usr/include/netinet/in.h
-	 LC_ALL=C  sed  -n -e "/IPPROTO_MAX/d"  -e "s/^\#define[ \\t]\\+IPPROTO_\\([A-Z0-9_]\\+\\)\\(.*\\)$$/AA_GEN_PROTO_ENT(\\UIPPROTO_\\1, \"\\L\\1\")/p" $< > $@
-
 changehatdir = $(includedir)/sys
 changehat_HEADERS = apparmor.h
 
@@ -19,14 +16,14 @@ aalogparsedir = $(includedir)/aalogparse
 aalogparse_HEADERS = aalogparse.h
 
 lib_LTLIBRARIES = libapparmor.la libimmunix.la
-noinst_HEADERS = grammar.h parser.h scanner.h af_protos.h
+noinst_HEADERS = grammar.h parser.h scanner.h
 
-libapparmor_la_SOURCES = grammar.y libaalogparse.c kernel_interface.c scanner.c
+libapparmor_la_SOURCES = grammar.y libaalogparse.c change_hat.c scanner.c
 libapparmor_la_LDFLAGS = -version-info 1:2:0 -XCClinker -dynamic \
-	-Wl,--version-script=$(top_srcdir)/src/libapparmor.map -Wl,-soname=libapparmor.so.1
+	-Wl,--version-script=libapparmor.map -Wl,-soname=libapparmor.so.1
 
-libimmunix_la_SOURCES = kernel_interface.c libimmunix_warning.c
-libimmunix_la_LDFLAGS = -version-info 1:2:0 -Wl,--version-script=$(top_srcdir)/src/libapparmor.map -Wl,-soname=libimmunix.so.1
+libimmunix_la_SOURCES = change_hat.c libimmunix_warning.c
+libimmunix_la_LDFLAGS = -version-info 1:2:0 -Wl,--version-script=libapparmor.map -Wl,-soname=libimmunix.so.1
 
 tst_aalogmisc_SOURCES = tst_aalogmisc.c
 tst_aalogmisc_LDADD = .libs/libapparmor.a

changehat/libapparmor/src/aalogparse.h

@@ -1,18 +1,18 @@
 /*
- * Copyright (c) 1999-2008 NOVELL (All rights reserved)
- * Copyright 2009-2010 Canonical Ltd.
+ *   Copyright (c) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007
+ *   NOVELL (All rights reserved)
  *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of version 2.1 of the GNU Lesser General
- * Public License published by the Free Software Foundation.
+ *   This program is free software; you can redistribute it and/or
+ *   modify it under the terms of version 2 of the GNU General Public
+ *   License published by the Free Software Foundation.
  *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU Lesser General Public License for more details.
+ *   This program is distributed in the hope that it will be useful,
+ *   but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *   GNU General Public License for more details.
  *
- * You should have received a copy of the GNU Lesser General Public License
- * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *   You should have received a copy of the GNU General Public License
+ *   along with this program; if not, contact Novell, Inc.
  */
 
 
@@ -115,28 +115,23 @@ typedef struct
 {
 	aa_record_syntax_version version;
 	aa_record_event_type event;	/* Event type */
-	unsigned long pid;		/* PID of the program logging the message */
+	unsigned long pid;			/* PID of the program logging the message */
 	unsigned long task;
 	unsigned long magic_token;
 	long epoch;			/* example: 12345679 */
-	unsigned int audit_sub_id;	/* example: 12 */
+	unsigned int audit_sub_id;		/* example: 12 */
 
 	int bitmask;			/* Bitmask containing "r" "w" "x" etc */
 	char *audit_id;			/* example: 12345679.1234:12 */
 	char *operation;		/* "Exec" "Ptrace", etc. */
 	char *denied_mask;		/* "r", "w", etc. */
 	char *requested_mask;
-	unsigned long fsuid;		/* fsuid of task - if logged */
-	unsigned long ouid;		/* ouid of task - if logged */
 	char *profile;			/* The name of the profile */
-	char *comm;			/* Command that triggered msg */
 	char *name;
 	char *name2;
-	char *namespace;
 	char *attribute;
 	unsigned long parent;	
 	char *info;
-	int error_code;			/* error_code returned if logged */
 	char *active_hat;
 	char *net_family;
 	char *net_protocol;

changehat/libapparmor/src/apparmor.h

@@ -0,0 +1,27 @@
+/*   $Id: apparmor.h 132 2006-09-28 07:45:55Z steve-beattie $
+
+     Copyright (c) 2003-2007 Novell, Inc. (All rights reserved)
+
+     The libapparmor library is licensed under the terms of the GNU
+     Lesser General Public License, version 2.1. Please see the file
+     COPYING.LGPL.
+*/
+
+#ifndef _SYS_APPARMOR_H_
+#define _SYS_APPARMOR_H	1
+
+__BEGIN_DECLS
+
+/* Prototype for change_hat as defined by the AppArmor project
+   <http://forge.novell.com/modules/xfmod/project/?apparmor>
+   Please see the change_hat(2) manpage for information. */
+
+extern int (change_hat)(const char *subprofile, unsigned int magic_token);
+extern int aa_change_hat(const char *subprofile, unsigned long magic_token);
+extern int aa_change_profile(const char *profile);
+
+#define change_hat(X, Y) aa_change_hat((X), (Y))
+
+__END_DECLS
+
+#endif	/* sys/apparmor.h */

changehat/libapparmor/src/change_hat.c

@@ -0,0 +1,134 @@
+/*   $Id: change_hat.c 13 2006-04-12 21:43:34Z steve-beattie $
+
+     Copyright (c) 2003-2007 Novell, Inc. (All rights reserved)
+
+     The libapparmor library is licensed under the terms of the GNU
+     Lesser General Public License, version 2.1. Please see the file
+     COPYING.LGPL.
+
+*/
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/syscall.h>
+#include <fcntl.h>
+#include <errno.h>
+#include <limits.h>
+
+#define symbol_version(real, name, version) \
+		__asm__ (".symver " #real "," #name "@" #version)
+#define default_symbol_version(real, name, version) \
+		__asm__ (".symver " #real "," #name "@@" #version)
+
+static int setprocattr(const char *buf, int len)
+{
+	int rc = -1;
+	int fd, ret, ctlerr = 0;
+	char *ctl = NULL;
+	pid_t tid = syscall(SYS_gettid);
+
+	if (!buf) {
+		errno = EINVAL;
+		goto out;
+	}
+
+	ctlerr = asprintf(&ctl, "/proc/%d/attr/current", tid);
+	if (ctlerr < 0) {
+		goto out;
+	}
+
+	fd = open(ctl, O_WRONLY);
+	if (fd == -1) {
+		goto out;
+	}
+
+	ret = write(fd, buf, len);
+	if (ret != len) {
+		int saved;
+		if (ret != -1) {
+			errno = EPROTO;
+		}
+		saved = errno;
+		(void)close(fd);
+		errno = saved;
+		goto out;
+	}
+
+	rc = 0;
+	(void)close(fd);
+
+out:
+	if (ctl) {
+		free(ctl);
+	}
+	return rc;
+}
+
+int aa_change_hat(const char *subprofile, unsigned long token)
+{
+	int rc = -1;
+	int len = 0;
+	char *buf = NULL;
+	const char *fmt = "changehat %016x^%s";
+
+	/* both may not be null */
+	if (!(token || subprofile)) {
+		errno = EINVAL;
+		goto out;
+	}
+
+	if (subprofile && strnlen(subprofile, PATH_MAX + 1) > PATH_MAX) {
+		errno = EPROTO;
+		goto out;
+	}
+
+	len = asprintf(&buf, fmt, token, subprofile ? subprofile : "");
+	if (len < 0) {
+		goto out;
+	}
+
+	rc = setprocattr(buf, len);
+out:
+	if (buf) {
+		/* clear local copy of magic token before freeing */
+		memset(buf, '\0', len);
+		free(buf);
+	}
+	return rc;
+}
+
+/* original change_hat interface */
+int __change_hat(char *subprofile, unsigned int token)
+{
+	return aa_change_hat(subprofile, (unsigned long) token);
+}
+
+int aa_change_profile(const char *profile)
+{
+	char *buf = NULL;
+	int len;
+	int rc;
+
+	if (!profile) {
+		errno = EINVAL;
+		return -1;
+	}
+
+	len = asprintf(&buf, "changeprofile %s", profile);
+	if (len < 0)
+		return -1;
+
+	rc = setprocattr(buf, len);
+
+	free(buf);
+	return rc;
+}
+
+/* create an alias for the old change_hat@IMMUNIX_1.0 symbol */
+extern typeof((__change_hat)) __old_change_hat __attribute__((alias ("__change_hat")));
+symbol_version(__old_change_hat, change_hat, IMMUNIX_1.0);
+default_symbol_version(__change_hat, change_hat, APPARMOR_1.0);

changehat/libapparmor/src/grammar.y

@@ -0,0 +1,438 @@
+/*
+ *   Copyright (c) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007
+ *   NOVELL (All rights reserved)
+ *
+ *   This program is free software; you can redistribute it and/or
+ *   modify it under the terms of version 2 of the GNU General Public
+ *   License published by the Free Software Foundation.
+ *
+ *   This program is distributed in the hope that it will be useful,
+ *   but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *   GNU General Public License for more details.
+ *
+ *   You should have received a copy of the GNU General Public License
+ *   along with this program; if not, contact Novell, Inc.
+ */
+
+
+%{
+
+#define YYDEBUG 0
+#include <string.h>
+#include "aalogparse.h"
+#include "parser.h"
+#include "grammar.h"
+#include "scanner.h"
+
+aa_log_record *ret_record;
+
+/* Since we're a library, on any errors we don't want to print out any
+ * error messages. We should probably add a debug interface that does
+ * emit messages when asked for. */
+void aalogparse_error(void *scanner, char const *s)
+{
+	/* printf("Error: %s\n", s); */
+	ret_record->event = AA_RECORD_INVALID;
+}
+
+struct aa_type_table {
+	unsigned int audit_type;
+	aa_record_event_type event;
+};
+
+static struct aa_type_table aa_type_table[] = {
+	{AUDIT_APPARMOR_AUDIT,   AA_RECORD_AUDIT},
+	{AUDIT_APPARMOR_ALLOWED, AA_RECORD_ALLOWED},
+	{AUDIT_APPARMOR_DENIED,  AA_RECORD_DENIED},
+	{AUDIT_APPARMOR_HINT,    AA_RECORD_HINT},
+	{AUDIT_APPARMOR_STATUS,  AA_RECORD_STATUS},
+	{AUDIT_APPARMOR_ERROR,   AA_RECORD_ERROR},
+	{0,                      AA_RECORD_INVALID},
+};
+
+aa_record_event_type lookup_aa_event(unsigned int type)
+{
+	int i;
+
+	for (i = 0; aa_type_table[i].audit_type != 0; i++)
+		if (type == aa_type_table[i].audit_type)
+			break;
+
+	return aa_type_table[i].event;
+}
+%}
+
+%defines
+%pure_parser
+%lex-param{void *scanner}
+%parse-param{void *scanner}
+
+%union
+{
+	char	*t_str;
+	long	t_long;
+}
+
+%type <t_str> old_profile safe_string protocol
+%token <t_long> TOK_DIGITS TOK_TYPE_UNKNOWN
+%token <t_str> TOK_QUOTED_STRING TOK_PATH TOK_ID TOK_NULL_COMPLAIN TOK_MODE TOK_DMESG_STAMP
+%token <t_str> TOK_SINGLE_QUOTED_STRING TOK_AUDIT_DIGITS TOK_DATE_MONTH TOK_DATE_TIME
+%token <t_str> TOK_HEXSTRING TOK_TYPE_OTHER TOK_MSG_REST
+
+%token TOK_EQUALS
+%token TOK_COLON
+%token TOK_OPEN_PAREN
+%token TOK_CLOSE_PAREN
+%token TOK_PERIOD
+
+%token TOK_TYPE_REJECT
+%token TOK_TYPE_AUDIT
+%token TOK_TYPE_COMPLAIN
+%token TOK_TYPE_HINT
+%token TOK_TYPE_STATUS
+%token TOK_TYPE_ERROR
+%token TOK_OLD_TYPE_APPARMOR
+%token TOK_OLD_APPARMOR_REJECT
+%token TOK_OLD_APPARMOR_PERMIT
+%token TOK_OLD_APPARMOR_AUDIT
+%token TOK_OLD_APPARMOR_LOGPROF_HINT
+%token TOK_OLD_UNKNOWN_HAT
+%token TOK_OLD_ACTIVE
+%token TOK_OLD_UNKNOWN_PROFILE
+%token TOK_OLD_MISSING_PROFILE
+%token TOK_OLD_CHANGING_PROFILE
+%token TOK_OLD_ACCESS
+%token TOK_OLD_TO
+%token TOK_OLD_FROM
+%token TOK_OLD_PIPE
+%token TOK_OLD_EXTENDED
+%token TOK_OLD_ATTRIBUTE
+%token TOK_OLD_ON
+%token TOK_OLD_MKDIR
+%token TOK_OLD_RMDIR
+%token TOK_OLD_XATTR
+%token TOK_OLD_CHANGE
+%token TOK_OLD_CAPABILITY
+%token TOK_OLD_SYSCALL
+%token TOK_OLD_LINK
+%token TOK_OLD_FORK
+%token TOK_OLD_CHILD
+
+%token TOK_KEY_TYPE
+%token TOK_KEY_MSG
+%token TOK_KEY_OPERATION
+%token TOK_KEY_NAME
+%token TOK_KEY_NAME2
+%token TOK_KEY_DENIED_MASK
+%token TOK_KEY_REQUESTED_MASK
+%token TOK_KEY_ATTRIBUTE
+%token TOK_KEY_TASK
+%token TOK_KEY_PARENT
+%token TOK_KEY_MAGIC_TOKEN
+%token TOK_KEY_INFO
+%token TOK_KEY_PID
+%token TOK_KEY_PROFILE
+%token TOK_AUDIT
+%token TOK_KEY_IMAGE
+%token TOK_KEY_FAMILY
+%token TOK_KEY_SOCK_TYPE
+%token TOK_KEY_PROTOCOL
+
+%token TOK_SYSLOG_KERNEL
+
+%%
+
+log_message: audit_type
+	| syslog_type
+	;
+
+audit_type: TOK_KEY_TYPE TOK_EQUALS type_syntax ;
+
+type_syntax: old_syntax { ret_record->version = AA_RECORD_SYNTAX_V1; }
+	| new_syntax { ret_record->version = AA_RECORD_SYNTAX_V2; }
+	| other_audit
+	;
+
+old_syntax: TOK_OLD_TYPE_APPARMOR audit_msg old_msg
+	| TOK_TYPE_UNKNOWN audit_msg old_msg
+	;
+
+new_syntax:
+	  TOK_TYPE_REJECT audit_msg key_list { ret_record->event = AA_RECORD_DENIED; }
+	| TOK_TYPE_AUDIT audit_msg key_list { ret_record->event = AA_RECORD_AUDIT; }
+	| TOK_TYPE_COMPLAIN audit_msg key_list { ret_record->event = AA_RECORD_ALLOWED; }
+	| TOK_TYPE_HINT audit_msg key_list { ret_record->event = AA_RECORD_HINT; }
+	| TOK_TYPE_STATUS audit_msg key_list { ret_record->event = AA_RECORD_STATUS; }
+	| TOK_TYPE_ERROR audit_msg key_list { ret_record->event = AA_RECORD_ERROR; }
+	| TOK_TYPE_UNKNOWN audit_msg key_list { ret_record->event = lookup_aa_event($1); }
+	;
+
+other_audit: TOK_TYPE_OTHER audit_msg TOK_MSG_REST
+	{
+		ret_record->operation = $1;
+		ret_record->event = AA_RECORD_INVALID;
+		ret_record->info = $3;
+	}
+	;
+
+syslog_type:
+	  syslog_date TOK_ID TOK_SYSLOG_KERNEL audit_id old_msg
+	  { ret_record->version = AA_RECORD_SYNTAX_V1; }
+	| syslog_date TOK_ID TOK_SYSLOG_KERNEL audit_id key_list
+	  { ret_record->version = AA_RECORD_SYNTAX_V2; }
+	| syslog_date TOK_ID TOK_SYSLOG_KERNEL TOK_DMESG_STAMP audit_id key_list
+	  { ret_record->version = AA_RECORD_SYNTAX_V2; }
+	;
+
+old_msg:
+	  old_permit_reject_type old_permit_reject_syntax
+	| TOK_OLD_APPARMOR_LOGPROF_HINT old_logprof_syntax { ret_record->event = AA_RECORD_HINT; }
+	;
+
+old_permit_reject_type:
+	  TOK_OLD_APPARMOR_REJECT { ret_record->event = AA_RECORD_DENIED; }
+	| TOK_OLD_APPARMOR_PERMIT { ret_record->event = AA_RECORD_ALLOWED; }
+	| TOK_OLD_APPARMOR_AUDIT  { ret_record->event = AA_RECORD_AUDIT; }
+	;
+
+old_permit_reject_syntax:
+	  TOK_MODE TOK_OLD_ACCESS old_permit_reject_path_pipe_extended
+		TOK_OPEN_PAREN old_process_state TOK_CLOSE_PAREN
+	{
+		ret_record->requested_mask = $1;
+		ret_record->operation = strdup("access");
+	}
+	| dir_action TOK_OLD_ON TOK_PATH
+		TOK_OPEN_PAREN old_process_state TOK_CLOSE_PAREN
+	{
+		ret_record->name = $3;
+	}
+	| TOK_OLD_XATTR TOK_ID TOK_OLD_ON TOK_PATH
+		TOK_OPEN_PAREN old_process_state TOK_CLOSE_PAREN
+	{
+		ret_record->operation = strdup("xattr");
+		ret_record->attribute = $2;
+		ret_record->name = $4;
+	}
+	| TOK_KEY_ATTRIBUTE TOK_OPEN_PAREN TOK_ID TOK_CLOSE_PAREN
+		TOK_OLD_CHANGE TOK_OLD_TO TOK_PATH
+		TOK_OPEN_PAREN old_process_state TOK_CLOSE_PAREN
+	{
+		ret_record->operation = strdup("setattr");
+		ret_record->attribute = $3;
+		ret_record->name = $7;
+	}
+	| TOK_OLD_ACCESS TOK_OLD_TO TOK_OLD_CAPABILITY TOK_SINGLE_QUOTED_STRING
+		TOK_OPEN_PAREN old_process_state TOK_CLOSE_PAREN
+	{
+		ret_record->operation = strdup("capability");
+		ret_record->name = $4;
+	}
+	| TOK_OLD_ACCESS TOK_OLD_TO TOK_OLD_SYSCALL TOK_SINGLE_QUOTED_STRING
+		TOK_OPEN_PAREN old_process_state TOK_CLOSE_PAREN
+	{
+		ret_record->operation = strdup("syscall");
+		ret_record->name = $4;
+	}
+	| TOK_OLD_LINK TOK_OLD_ACCESS TOK_OLD_FROM TOK_PATH TOK_OLD_TO TOK_PATH
+		TOK_OPEN_PAREN old_process_state TOK_CLOSE_PAREN
+	{
+		ret_record->requested_mask = strdup("l");
+		ret_record->name = $4;
+		ret_record->name2 = $6;
+	}
+	;
+
+dir_action:
+	  TOK_OLD_MKDIR { ret_record->operation = strdup("mkdir"); }
+	| TOK_OLD_RMDIR { ret_record->operation = strdup("rmdir"); }
+	;
+
+old_process_state:
+	  TOK_ID TOK_OPEN_PAREN TOK_ID TOK_CLOSE_PAREN old_profile_names
+	{
+		ret_record->info = $1;
+		ret_record->pid = atol($3);
+		free($3);
+	}
+	;
+
+old_profile_names:
+	  TOK_KEY_PROFILE old_profile TOK_OLD_ACTIVE old_profile
+	{	ret_record->profile = $2;
+		ret_record->active_hat = $4;
+	}
+	;
+
+old_permit_reject_path_pipe_extended:
+	  TOK_OLD_TO TOK_PATH
+		{
+			ret_record->name = $2;
+		}
+	| TOK_OLD_TO TOK_OLD_PIPE /* Frankly, I don't think this is used */
+		{
+			ret_record->info = strdup("pipe");
+		}
+	| TOK_OLD_EXTENDED TOK_KEY_ATTRIBUTE /* Nor this */
+		{
+			ret_record->info = strdup("extended attribute");
+		}
+	;
+old_logprof_syntax:
+	  old_logprof_syntax2 key_pid
+		TOK_KEY_PROFILE TOK_EQUALS old_profile TOK_OLD_ACTIVE TOK_EQUALS old_profile
+		{
+			ret_record->profile = strdup($5);
+			free($5);
+			ret_record->active_hat = strdup($8);
+			free($8);
+		}
+	| old_logprof_fork_syntax
+	| TOK_OLD_CHANGING_PROFILE key_pid
+	  { ret_record->profile = strdup("null-complain-profile"); }
+	;
+
+old_logprof_syntax2:
+	  TOK_OLD_UNKNOWN_PROFILE TOK_KEY_IMAGE TOK_EQUALS TOK_ID
+		{
+			ret_record->operation = strdup("profile_set");
+			ret_record->info = strdup("unknown profile");
+			ret_record->name = strdup($4);
+			free($4);
+		}
+	| TOK_OLD_MISSING_PROFILE TOK_KEY_IMAGE TOK_EQUALS TOK_ID
+		{
+			ret_record->operation = strdup("exec");
+			ret_record->info = strdup("mandatory profile missing");
+			ret_record->name = strdup($4);
+			free($4);
+		}
+	| TOK_OLD_UNKNOWN_HAT TOK_ID
+		{
+			ret_record->operation = strdup("change_hat");
+			ret_record->name = strdup($2);
+			free($2);
+			ret_record->info = strdup("unknown_hat");
+		}
+	;
+
+/* TODO: Clean this up */
+old_logprof_fork_syntax:
+	  TOK_OLD_FORK key_pid
+		TOK_OLD_CHILD TOK_EQUALS TOK_DIGITS old_logprof_fork_addition
+	{
+		ret_record->operation = strdup("clone");
+		ret_record->task = $5;
+	}
+	;
+
+old_logprof_fork_addition:
+	/* Nothin */
+	| TOK_KEY_PROFILE TOK_EQUALS old_profile TOK_OLD_ACTIVE TOK_EQUALS old_profile
+	{
+		ret_record->profile = $3;
+		ret_record->active_hat = $6;
+	}
+	;
+
+old_profile:
+	  TOK_PATH { $$ = $1; }
+	| TOK_ID   { $$ = $1; }
+	| TOK_NULL_COMPLAIN { $$ = strdup("null-complain-profile"); }
+	;
+
+audit_msg: TOK_KEY_MSG TOK_EQUALS audit_id
+	;
+
+audit_id: TOK_AUDIT TOK_OPEN_PAREN TOK_AUDIT_DIGITS TOK_PERIOD TOK_AUDIT_DIGITS TOK_COLON TOK_AUDIT_DIGITS TOK_CLOSE_PAREN TOK_COLON
+	{
+		asprintf(&ret_record->audit_id, "%s.%s:%s", $3, $5, $7);
+		ret_record->epoch = atol($3);
+		ret_record->audit_sub_id = atoi($7);
+		free($3);
+		free($5);
+		free($7);
+	} ;
+
+syslog_date: TOK_DATE_MONTH TOK_DIGITS TOK_DATE_TIME { /* do nothing? */ }
+	;
+
+key_list: key
+	| key_list key
+	;
+
+key: TOK_KEY_OPERATION TOK_EQUALS TOK_QUOTED_STRING
+	{ ret_record->operation = $3;}
+	| TOK_KEY_NAME TOK_EQUALS safe_string
+	{ ret_record->name = $3;}
+	| TOK_KEY_NAME2 TOK_EQUALS safe_string
+	{ ret_record->name2 = $3;}
+	| TOK_KEY_DENIED_MASK TOK_EQUALS TOK_QUOTED_STRING
+	{ ret_record->denied_mask = $3;}
+	| TOK_KEY_REQUESTED_MASK TOK_EQUALS TOK_QUOTED_STRING
+	{ ret_record->requested_mask = $3;}
+	| TOK_KEY_ATTRIBUTE TOK_EQUALS TOK_QUOTED_STRING 
+	{ ret_record->attribute = $3;}
+	| TOK_KEY_TASK TOK_EQUALS TOK_DIGITS
+	{ ret_record->task = $3;}
+	| TOK_KEY_PARENT TOK_EQUALS TOK_DIGITS
+	{ ret_record->parent = $3;}
+	| TOK_KEY_MAGIC_TOKEN TOK_EQUALS TOK_DIGITS
+	{ ret_record->magic_token = $3;}
+	| TOK_KEY_INFO TOK_EQUALS TOK_QUOTED_STRING
+	{ ret_record->info = $3;}
+	| key_pid
+	| TOK_KEY_PROFILE TOK_EQUALS safe_string
+	{ ret_record->profile = $3;}
+	| TOK_KEY_FAMILY TOK_EQUALS TOK_QUOTED_STRING
+	{ ret_record->net_family = $3;}
+	| TOK_KEY_SOCK_TYPE TOK_EQUALS TOK_QUOTED_STRING
+	{ ret_record->net_sock_type = $3;}
+	| TOK_KEY_PROTOCOL TOK_EQUALS protocol
+	{ ret_record->net_protocol = $3;}
+	| TOK_KEY_TYPE TOK_EQUALS TOK_DIGITS
+	{ ret_record->event = lookup_aa_event($3);}
+	;
+
+key_pid: TOK_KEY_PID TOK_EQUALS TOK_DIGITS { ret_record->pid = $3; }
+	;
+
+safe_string: TOK_QUOTED_STRING
+	| TOK_HEXSTRING
+	;
+
+protocol: TOK_QUOTED_STRING
+	| TOK_DIGITS
+	{ /* FIXME: this should probably convert back to a string proto name */
+	  char *ret = NULL;
+	  if (asprintf(&ret, "%ld", $1) < 0)
+	  	yyerror(NULL, "Unable to allocate protocol string");
+	  $$ = ret;
+	}
+	;
+%%
+
+aa_log_record *
+_parse_yacc(char *str)
+{
+	/* yydebug = 1;  */
+	YY_BUFFER_STATE lex_buf;
+	yyscan_t scanner;
+	int parser_return;
+
+	ret_record = NULL;
+	ret_record = (aa_log_record *) malloc(sizeof(aa_log_record));
+
+	_init_log_record(ret_record);
+
+	if (ret_record == NULL)
+		return NULL;
+
+	aalogparse_lex_init(&scanner);
+	lex_buf = aalogparse__scan_string(str, scanner);
+	parser_return = aalogparse_parse(scanner);
+	aalogparse__delete_buffer(lex_buf, scanner);
+	aalogparse_lex_destroy(scanner);
+	return ret_record;
+}

changehat/libapparmor/src/libaalogparse.c

@@ -1,18 +1,19 @@
 /*
- * Copyright (c) 1999-2008 NOVELL (All rights reserved)
- * Copyright 2009-2010 Canonical Ltd.
+ *   Copyright (c) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007
+ *   NOVELL (All rights reserved)
  *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of version 2.1 of the GNU Lesser General
- * Public License published by the Free Software Foundation.
+ *   This program is free software; you can redistribute it and/or
+ *   modify it under the terms of version 2 of the GNU General Public
+ *   License published by the Free Software Foundation.
  *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU Lesser General Public License for more details.
+ *   This program is distributed in the hope that it will be useful,
+ *   but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *   GNU General Public License for more details.
+ *
+ *   You should have received a copy of the GNU General Public License
+ *   along with this program; if not, contact Novell, Inc.
  *
- * You should have received a copy of the GNU Lesser General Public License
- * along with this program.  If not, see <http://www.gnu.org/licenses/>.
  */
 
 /*
@@ -30,7 +31,6 @@
 #include <stdlib.h>
 #include <string.h>
 #include <stdio.h>
-#include <netinet/in.h>
 #include "aalogparse.h"
 #include "parser.h"
 
@@ -55,14 +55,10 @@ void free_record(aa_log_record *record)
 			free(record->denied_mask);
 		if (record->profile != NULL)
 			free(record->profile);
-		if (record->comm != NULL)
-			free(record->comm);
 		if (record->name != NULL)
 			free(record->name);
 		if (record->name2 != NULL)
 			free(record->name2);
-		if (record->namespace != NULL)
-			free(record->namespace);
 		if (record->attribute != NULL)
 			free(record->attribute);
 		if (record->info != NULL)
@@ -89,13 +85,29 @@ void _init_log_record(aa_log_record *record)
 	if (record == NULL)
 		return;
 
-	memset(record, 0, sizeof(aa_log_record));
-
 	record->version = AA_RECORD_SYNTAX_UNKNOWN;
 	record->event = AA_RECORD_INVALID;
-	record->fsuid = (unsigned long) -1;
-	record->ouid = (unsigned long) -1;
+	record->pid = 0;
+	record->bitmask = 0;
+	record->task = 0;
+	record->magic_token = 0;
+	record->epoch = 0;
+	record->audit_sub_id = 0;
 
+	record->audit_id = NULL;
+	record->operation = NULL;
+	record->denied_mask = NULL;
+	record->requested_mask = NULL;
+	record->profile = NULL;
+	record->name = NULL;
+	record->name2 = NULL;
+	record->attribute = NULL;
+	record->parent = 0;
+	record->info = NULL;
+	record->active_hat = NULL;
+	record->net_family = NULL;
+	record->net_protocol = NULL;
+	record->net_sock_type = NULL;
 	return;
 }
 
@@ -125,37 +137,3 @@ char *hex_to_string(char *hexstring)
 out:
 	return ret;
 }
-
-struct ipproto_pairs {
-	unsigned int protocol;
-	char *protocol_name;
-};
-
-#define AA_GEN_PROTO_ENT(name, IP) {name, IP},
-
-static struct ipproto_pairs ipproto_mappings[] = {
-#include "af_protos.h"
-	/* terminate */
-	{0, NULL}
-};
-
-/* convert an ip protocol number to a string */
-char *ipproto_to_string(unsigned int proto)
-{
-	char *ret = NULL;
-	struct ipproto_pairs *current = ipproto_mappings;
-
-	while (current->protocol != proto && current->protocol_name != NULL) {
-		current++;
-	}
-
-	if (current->protocol_name) {
-		ret = strdup(current->protocol_name);
-	} else {
-		if (!asprintf(&ret, "unknown(%u)", proto))
-			ret = NULL;
-	}
-
-	return ret;
-}
-

changehat/libapparmor/src/libapparmor.map

@@ -17,10 +17,7 @@ APPARMOR_1.0 {
 APPARMOR_1.1 {
   global:
         aa_change_hat;
-        aa_change_hatv;
-        aa_change_hat_vargs;
         aa_change_profile;
-        aa_change_onexec;
         parse_record;
         free_record;
   local:

changehat/libapparmor/src/libimmunix_warning.c

@@ -0,0 +1,23 @@
+/*   $Id: libimmunix_warning.c 13 2006-04-12 21:43:34Z steve-beattie $
+
+     Copyright (c) 2006 Novell, Inc. (All rights reserved)
+     The libimmunix library is licensed under the terms of the GNU
+     Lesser General Public License, version 2.1. Please see the file
+     COPYING.LGPL.
+
+*/
+
+#include <syslog.h>
+
+void __libimmunix_warning(void) __attribute__ ((constructor));
+void __libimmunix_warning(void)
+{
+	extern const char *__progname; /* global from linux crt0 */
+	openlog (__progname, LOG_PID|LOG_PERROR, LOG_USER);
+	syslog(LOG_NOTICE,
+			"%s links against libimmunix.so, which is deprecated. "
+			"Please link against libapparmor instead\n",
+			__progname);
+	closelog();
+
+}

changehat/libapparmor/src/parser.h

@@ -0,0 +1,36 @@
+/*
+ *   Copyright (c) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007
+ *   NOVELL (All rights reserved)
+ *
+ *   This program is free software; you can redistribute it and/or
+ *   modify it under the terms of version 2 of the GNU General Public
+ *   License published by the Free Software Foundation.
+ *
+ *   This program is distributed in the hope that it will be useful,
+ *   but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *   GNU General Public License for more details.
+ *
+ *   You should have received a copy of the GNU General Public License
+ *   along with this program; if not, contact Novell, Inc.
+ */
+
+
+#ifndef __AA_LOG_PARSER_H__
+#define __AA_LOG_PARSER_H__
+
+extern void _init_log_record(aa_log_record *record);
+extern aa_log_record *_parse_yacc(char *str);
+extern char *hex_to_string(char *str);
+
+/* FIXME: this ought to be pulled from <linux/audit.h> but there's no
+ * guarantee these will exist there. */
+#define AUDIT_APPARMOR_AUDIT    1501    /* AppArmor audited grants */
+#define AUDIT_APPARMOR_ALLOWED  1502    /* Allowed Access for learning */
+#define AUDIT_APPARMOR_DENIED   1503
+#define AUDIT_APPARMOR_HINT     1504    /* Process Tracking information */
+#define AUDIT_APPARMOR_STATUS   1505    /* Changes in config */
+#define AUDIT_APPARMOR_ERROR    1506    /* Internal AppArmor Errors */
+
+#endif
+

changehat/libapparmor/src/scanner.l

@@ -1,75 +1,32 @@
 /*
- * Copyright (c) 1999-2008 NOVELL (All rights reserved)
- * Copyright (c) 2010, Canonical, Ltd.
+ *   Copyright (c) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007
+ *   NOVELL (All rights reserved)
  *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of version 2 of the GNU General Public
- * License published by the Free Software Foundation.
+ *   This program is free software; you can redistribute it and/or
+ *   modify it under the terms of version 2 of the GNU General Public
+ *   License published by the Free Software Foundation.
  *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
+ *   This program is distributed in the hope that it will be useful,
+ *   but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *   GNU General Public License for more details.
  *
- * You should have received a copy of the GNU Lesser General Public License
- * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *   You should have received a copy of the GNU General Public License
+ *   along with this program; if not, contact Novell, Inc.
  */
 
 %option noyywrap
-%option nounput
-%option noyy_top_state
 %option reentrant
 %option prefix="aalogparse_"
 %option bison-bridge
 %option header-file="scanner.h"
-%option outfile="scanner.c"
+%option outfile="scanner.c" 
 %option stack
 %{
 
 #include "grammar.h"
 #include "aalogparse.h"
 #include "parser.h"
-
-#include <assert.h>
-
-#define YY_NO_INPUT
-
-unsigned int string_buf_alloc = 0;
-unsigned int string_buf_len = 0;
-char *string_buf = NULL;
-
-void string_buf_reset()
-{
-	/* rewind buffer to zero, possibly doing initial allocation too */
-	string_buf_len = 0;
- 	if (string_buf == NULL) {
-		string_buf_alloc = 128;
-		string_buf = malloc(string_buf_alloc);
-		assert(string_buf != NULL);
-	}
-	/* always start with a valid but empty string */
-	string_buf[0] = '\0';
-}
-
-void string_buf_append(unsigned int length, char *text)
-{
-	unsigned int current_length = string_buf_len;
-
-	/* handle calling ..._append before ..._reset */
-	if (string_buf == NULL) string_buf_reset();
-
-	string_buf_len += length;
-	/* expand allocation if this append would exceed the allocation */
-	while (string_buf_len >= string_buf_alloc) {
-		string_buf_alloc *= 2;
-		string_buf = realloc(string_buf, string_buf_alloc);
-		assert(string_buf != NULL);
-	}
-	/* copy and unconditionally terminate */
-	memcpy(string_buf+current_length, text, length);
-	string_buf[string_buf_len] = '\0';
-}
-
 %}
 
 ws		[ \t\r\n]
@@ -78,41 +35,63 @@ equals		"="
 digits		[0-9]+
 hex		[A-F0-9]
 colon		":"
-minus		"-"
 open_paren	"("
 close_paren	")"
 ID		[^ \t\n\(\)="'!]
+path		"/"{ID}*
 hexstring	({hex}{hex})+
 period		"\."
-mode_chars      ([RrWwaLlMmkXx])|([Pp][Xx])|([Uu][Xx])|([Ii][Xx])|([Pp][Ii][Xx])
-modes		({mode_chars}+)|({mode_chars}+::{mode_chars}*)|(::{mode_chars}*)
+mode_chars      ([RrWwLalMmkXx])|([Pp][Xx])|([Uu][Xx])|([Ii][Xx])
+modes		{mode_chars}+
+
 /* New message types */
 
-aa_reject_type		"APPARMOR_DENIED"
-aa_audit_type		"APPARMOR_AUDIT"
-aa_complain_type	"APPARMOR_ALLOWED"
-aa_hint_type		"APPARMOR_HINT"
-aa_status_type		"APPARMOR_STATUS"
-aa_error_type		"APPARMOR_ERROR"
-reject_type		"\"DENIED\""
-audit_type		"\"AUDIT\""
-complain_type		"\"ALLOWED\""
-hint_type		"\"HINT\""
-status_type		"\"STATUS\""
-error_type		"\"ERROR\""
-lsm_avc_type		"AVC"
+reject_type		"APPARMOR_DENIED"
+audit_type		"APPARMOR_AUDIT"
+complain_type		"APPARMOR_ALLOWED"
+hint_type		"APPARMOR_HINT"
+status_type		"APPARMOR_STATUS"
+error_type		"APPARMOR_ERROR"
 unknown_type		UNKNOWN\[{digits}+\]
 other_audit_type	[[:alnum:]\[\]_-]+
 
+/* Old message tokens */
+
+old_apparmor_type	"APPARMOR"
+old_apparmor_reject	"REJECTING"
+old_apparmor_permit	"PERMITTING"
+old_apparmor_audit	"AUDITING"
+old_apparmor_logprof	"LOGPROF-HINT"
+old_unknown_hat		"unknown_hat"
+old_unknown_profile	"unknown_profile"
+old_missing_profile	"missing_mandatory_profile"
+old_changing_profile	"changing_profile"
+old_active		"active"
+old_access		"access"
+old_from		"from"
+old_to			"to"
+old_pipe		"pipe"
+old_extended		"extended"
+old_rmdir		"rmdir"
+old_mkdir		"mkdir"
+old_on			"on"
+old_xattr		"xattr"
+old_change		"change"
+old_capability		"capability"
+old_syscall		"syscall"
+old_link		"link"
+old_fork		"fork"
+old_child		"child"
+
+null_complain		"null-complain-profile"
+
 /* Key tokens */
 
-key_apparmor		"apparmor"
 key_type		"type"
 key_msg			"msg"
 key_operation		"operation"
 key_name		"name"
 key_name2		"name2"
-key_namespace		"namespace"
 key_denied_mask		"denied_mask"
 key_requested_mask	"requested_mask"
 key_attribute		"attribute"
@@ -122,17 +101,10 @@ key_magic_token		"magic_token"
 key_info		"info"
 key_pid			"pid"
 key_profile		"profile"
+key_image		"image"
 key_family		"family"
 key_sock_type		"sock_type"
 key_protocol		"protocol"
-key_error		"error"
-key_fsuid		"fsuid"
-key_ouid		"ouid"
-key_comm		"comm"
-key_capability		"capability"
-key_capname		"capname"
-key_offset		"offset"
-key_target		"target"
 audit			"audit"
 
 /* syslog tokens */
@@ -145,6 +117,7 @@ dmesg_timestamp		\[[[:digit:] ]{5,}\.[[:digit:]]{6,}\]
 %x quoted_string
 %x sub_id
 %x audit_id
+%x single_quoted_string
 %x hostname
 %x dmesg_timestamp
 %x safe_string
@@ -154,9 +127,11 @@ dmesg_timestamp		\[[[:digit:] ]{5,}\.[[:digit:]]{6,}\]
 
 %%
 %{
-yy_flex_debug = 0;
-%}
+char string_buf[512];
+char *string_buf_ptr = string_buf; /* assignment to quiet gcc warning */
 
+/* yy_flex_debug = 1;  */
+%}
 
 {ws}+			{ /* Skip whitespace */ }
 
@@ -166,14 +141,14 @@ yy_flex_debug = 0;
 	{period}		{ return(TOK_PERIOD); }
 	{open_paren}		{ return(TOK_OPEN_PAREN); }
 	{close_paren}		{ yy_pop_state(yyscanner); return(TOK_CLOSE_PAREN); }
-	.			{ BEGIN(unknown_message); yyless(0); /* dump the rest */ }
 }
 
 <sub_id>{
 	{open_paren}		{ return(TOK_OPEN_PAREN); }
 	{close_paren}		{ BEGIN(INITIAL); return(TOK_CLOSE_PAREN); }
+	"'"			{ string_buf_ptr = string_buf; BEGIN(single_quoted_string); }
 	{ws}		{ }
-	\"			{ string_buf_reset(); BEGIN(quoted_string); }
+	\"			{ string_buf_ptr = string_buf; BEGIN(quoted_string); }
 	{ID}+	{
 			yylval->t_str = strdup(yytext);
 			BEGIN(INITIAL);
@@ -182,20 +157,49 @@ yy_flex_debug = 0;
 	{equals}		{ return(TOK_EQUALS); }
 	}
 
-\"			{ string_buf_reset(); BEGIN(quoted_string); }
+
+"'"			{ string_buf_ptr = string_buf; BEGIN(single_quoted_string); }
+<single_quoted_string>"'" { /* End of the quoted string */
+				BEGIN(INITIAL);
+				*string_buf_ptr = '\0';
+				yylval->t_str = strdup(string_buf);
+				return(TOK_SINGLE_QUOTED_STRING);
+			}
+
+
+<single_quoted_string>\\(.|\n) { *string_buf_ptr++ = yytext[1]; }
+
+<single_quoted_string>[^\\\n\'\"]+ {
+				char *yptr = yytext;
+				while (*yptr)
+				{
+					*string_buf_ptr++ = *yptr++;
+				}
+
+			}
+
+\"			{ string_buf_ptr = string_buf; BEGIN(quoted_string); }
 <quoted_string>\"	{ /* End of the quoted string */
 				BEGIN(INITIAL);
+				*string_buf_ptr = '\0';
 				yylval->t_str = strdup(string_buf);
 				return(TOK_QUOTED_STRING);
 			}
 
 
-<quoted_string>\\(.|\n) { string_buf_append(1, &yytext[1]); }
+<quoted_string>\\(.|\n) { *string_buf_ptr++ = yytext[1]; }
 
-<quoted_string>[^\\\n\"]+ { string_buf_append(yyleng, yytext); }
+<quoted_string>[^\\\n\"]+ {
+			char *yptr = yytext;
+				while (*yptr)
+				{
+					*string_buf_ptr++ = *yptr++;
+				}
+			}
 
 <safe_string>{
-	\"		{ string_buf_reset(); BEGIN(quoted_string); }
+	"'"		{ string_buf_ptr = string_buf; BEGIN(single_quoted_string); }
+	\"		{ string_buf_ptr = string_buf; BEGIN(quoted_string); }
 	{hexstring}	{ yylval->t_str = hex_to_string(yytext); BEGIN(INITIAL); return(TOK_HEXSTRING);}
 	{equals}	{ return(TOK_EQUALS); }
 	.		{ /* eek, error! try another state */ BEGIN(INITIAL); yyless(0); }
@@ -210,13 +214,6 @@ yy_flex_debug = 0;
 	{hint_type}	{ BEGIN(INITIAL); return(TOK_TYPE_HINT); }
 	{status_type}	{ BEGIN(INITIAL); return(TOK_TYPE_STATUS); }
 	{error_type}	{ BEGIN(INITIAL); return(TOK_TYPE_ERROR); }
-	{aa_reject_type}	{ BEGIN(INITIAL); return(TOK_TYPE_AA_REJECT); }
-	{aa_audit_type}	{ BEGIN(INITIAL); return(TOK_TYPE_AA_AUDIT); }
-	{aa_complain_type}	{ BEGIN(INITIAL); return(TOK_TYPE_AA_COMPLAIN); }
-	{aa_hint_type}	{ BEGIN(INITIAL); return(TOK_TYPE_AA_HINT); }
-	{aa_status_type}	{ BEGIN(INITIAL); return(TOK_TYPE_AA_STATUS); }
-	{aa_error_type}	{ BEGIN(INITIAL); return(TOK_TYPE_AA_ERROR); }
-	{lsm_avc_type}	{ BEGIN(INITIAL); return(TOK_TYPE_LSM_AVC); }
 	{unknown_type}	{ char *yptr = yytext;
 			  while (*yptr && *yptr != '[')
 			  	yptr++;
@@ -225,31 +222,55 @@ yy_flex_debug = 0;
 			  BEGIN(INITIAL);
 			  return(TOK_TYPE_UNKNOWN);
 			}
+	{old_apparmor_type} { BEGIN(INITIAL); return(TOK_OLD_TYPE_APPARMOR); }
 	{other_audit_type}  { yylval->t_str = strdup(yytext);
 			      BEGIN(other_audit);
 			      return(TOK_TYPE_OTHER);
 			}
-	.		{ BEGIN(unknown_message); yyless(0); /* dump the rest */ }
 	}
 
 {equals}		{ return(TOK_EQUALS); }
 {digits}		{ yylval->t_long = atol(yytext); return(TOK_DIGITS); }
 {colon}			{ return(TOK_COLON); }
-{minus}			{ return(TOK_MINUS); }
 {open_paren}		{
 			BEGIN(sub_id);
-			return(TOK_OPEN_PAREN);
+			return(TOK_OPEN_PAREN); 
 			}
 {close_paren}		{ return(TOK_CLOSE_PAREN); }
+{path}			{ yylval->t_str = strdup(yytext); return(TOK_PATH); }
 {period}		{ return(TOK_PERIOD); }
 
-{key_apparmor}		{ BEGIN(audit_types); return(TOK_KEY_APPARMOR); }
+{old_apparmor_reject}	{ return(TOK_OLD_APPARMOR_REJECT); }
+{old_apparmor_permit}	{ return(TOK_OLD_APPARMOR_PERMIT); }
+{old_apparmor_audit}	{ return(TOK_OLD_APPARMOR_AUDIT); }
+{old_apparmor_logprof}	{ return(TOK_OLD_APPARMOR_LOGPROF_HINT); }
+{old_unknown_hat}	{ BEGIN(sub_id); return(TOK_OLD_UNKNOWN_HAT); }
+{old_unknown_profile}	{ return(TOK_OLD_UNKNOWN_PROFILE); }
+{old_missing_profile}	{ return(TOK_OLD_MISSING_PROFILE); }
+{old_changing_profile}	{ return(TOK_OLD_CHANGING_PROFILE); }
+{old_active}		{ BEGIN(sub_id); return(TOK_OLD_ACTIVE); }
+{old_access}		{ return(TOK_OLD_ACCESS); }
+{old_to}		{ return(TOK_OLD_TO); }
+{old_from}		{ return(TOK_OLD_FROM); }
+{old_pipe}		{ return(TOK_OLD_PIPE); }
+{old_extended}		{ return(TOK_OLD_EXTENDED); }
+{old_mkdir}		{ return(TOK_OLD_MKDIR); }
+{old_rmdir}		{ return(TOK_OLD_RMDIR); }
+{old_on}		{ return(TOK_OLD_ON); }
+{old_xattr}		{ BEGIN(sub_id); return(TOK_OLD_XATTR); }
+{old_change}		{ return(TOK_OLD_CHANGE); }
+{old_capability}	{ BEGIN(sub_id); return(TOK_OLD_CAPABILITY); }
+{old_syscall}		{ return(TOK_OLD_SYSCALL); }
+{old_link}		{ return(TOK_OLD_LINK); }
+{old_fork}		{ return(TOK_OLD_FORK); }
+{old_child}		{ return(TOK_OLD_CHILD); }
+{modes}			{ yylval->t_str = strdup(yytext); return(TOK_MODE); }
+
 {key_type}		{ BEGIN(audit_types); return(TOK_KEY_TYPE); }
 {key_msg}		{ return(TOK_KEY_MSG); }
 {key_operation}		{ return(TOK_KEY_OPERATION); }
 {key_name}		{ BEGIN(safe_string); return(TOK_KEY_NAME); }
 {key_name2}		{ BEGIN(safe_string); return(TOK_KEY_NAME2); }
-{key_namespace}		{ BEGIN(safe_string); return(TOK_KEY_NAMESPACE); }
 {key_denied_mask}	{ return(TOK_KEY_DENIED_MASK); }
 {key_requested_mask}	{ return(TOK_KEY_REQUESTED_MASK); }
 {key_attribute}		{ BEGIN(sub_id); return(TOK_KEY_ATTRIBUTE); }
@@ -262,22 +283,14 @@ yy_flex_debug = 0;
 {key_family}		{ return(TOK_KEY_FAMILY); }
 {key_sock_type}		{ return(TOK_KEY_SOCK_TYPE); }
 {key_protocol}		{ return(TOK_KEY_PROTOCOL); }
-{key_error}		{ return(TOK_KEY_ERROR); }
-{key_fsuid}		{ return(TOK_KEY_FSUID); }
-{key_ouid}		{ return(TOK_KEY_OUID); }
-{key_comm}		{ return(TOK_KEY_COMM); }
-{key_capability}	{ return(TOK_KEY_CAPABILITY); }
-{key_capname}		{ return(TOK_KEY_CAPNAME); }
-{key_offset}		{ return(TOK_KEY_OFFSET); }
-{key_target}		{ return(TOK_KEY_TARGET); }
 
 {syslog_kernel}		{ BEGIN(dmesg_timestamp); return(TOK_SYSLOG_KERNEL); }
 {syslog_month}		{ yylval->t_str = strdup(yytext); return(TOK_DATE_MONTH); }
 {syslog_time}		{ yylval->t_str = strdup(yytext); BEGIN(hostname); return(TOK_DATE_TIME); }
 
 {audit}			{ yy_push_state(audit_id, yyscanner); return(TOK_AUDIT); }
-
-.			{ /* ignore any non-matched input */ BEGIN(unknown_message); yyless(0); }
+{null_complain}		{ return(TOK_NULL_COMPLAIN); }
+{key_image}		{ BEGIN(sub_id); return(TOK_KEY_IMAGE); }
 
 <hostname>{
 	{ws}+		{ /* eat whitespace */ }
@@ -304,5 +317,4 @@ yy_flex_debug = 0;
 	\n		{ /* not sure why needed here and not elsewhere */ }
 	}
 
-
 %%

changehat/libapparmor/src/tst_aalogmisc.c

@@ -0,0 +1,35 @@
+#include <stdlib.h>
+#include <string.h>
+#include <stdio.h>
+#include "aalogparse.h"
+#include "parser.h"
+
+
+#define MY_TEST(statement, error)               \
+	if (!(statement)) {                     \
+		fprintf(stderr, "FAIL: %s\n", error); \
+		rc = 1; \
+	}
+
+int main(void)
+{
+	int rc = 0;
+	char *retstr = NULL;
+
+	retstr = hex_to_string(NULL);
+	MY_TEST(!retstr, "basic NULL test");
+
+	retstr = hex_to_string("2F746D702F646F6573206E6F74206578697374");
+	MY_TEST(retstr, "basic allocation");
+	MY_TEST(strcmp(retstr, "/tmp/does not exist") == 0, "basic dehex 1");
+
+	retstr = hex_to_string("61");
+	MY_TEST(strcmp(retstr, "a") == 0, "basic dehex 2");
+
+	retstr = hex_to_string("");
+	MY_TEST(strcmp(retstr, "") == 0, "empty string");
+
+	return rc;
+}
+
+

changehat/libapparmor/swig/SWIG/libapparmor.i

@@ -0,0 +1,14 @@
+%module LibAppArmor
+
+%{
+#include "aalogparse.h"
+extern int aa_change_hat(const char *subprofile, unsigned long magic_token);
+extern int aa_change_profile(const char *profile, unsigned long magic_token);
+
+%}
+
+%include "typemaps.i"
+%include "aalogparse.h"
+extern int aa_change_hat(const char *subprofile, unsigned long magic_token);
+extern int aa_change_profile(const char *profile, unsigned long magic_token);
+

changehat/libapparmor/swig/perl/Makefile.PL

@@ -0,0 +1,9 @@
+use ExtUtils::MakeMaker;
+
+use vars qw($CCFLAGS $OBJECT $VERSION $OPTIMIZE);
+
+WriteMakefile(
+	'NAME'			=>	'LibAppArmor',
+	'MAKEFILE'		=>	'Makefile.perl',
+	'FIRST_MAKEFILE'	=>	'Makefile.perl',
+	);

changehat/libapparmor/swig/perl/Makefile.am

@@ -0,0 +1,34 @@
+if HAVE_PERL
+
+PERL_MAKEFILE = Makefile.perl
+
+WRAPPER_SOURCES = libapparmor_wrap.c LibAppArmor.pm
+
+all-local: .build-stamp
+
+.build-stamp: $(WRAPPER_SOURCES) $(PERL_MAKEFILE)
+	make -f $(PERL_MAKEFILE)
+	touch .build-stamp
+
+check-local: .build-stamp
+	make -f $(PERL_MAKEFILE) test
+
+install-exec-local: .build-stamp
+	make -f $(PERL_MAKEFILE) install_vendor
+
+clean-local: $(PERL_MAKEFILE)
+	make -f $(PERL_MAKEFILE) clean
+	rm -f $(PERL_MAKEFILE).old
+	rm -rf build
+
+$(PERL_MAKEFILE): Makefile.PL
+	$(PERL) Makefile.PL VERSION="0.1" OBJECT="../../src/.libs/libapparmor.so libapparmor_wrap.o" CCFLAGS="-I../../src -D_REENTRANT -D_GNU_SOURCE -DTHREADS_HAVE_PIDS -fno-strict-aliasing -pipe -Wdeclaration-after-statement" OPTIMIZE="$(CFLAGS) -shared -I$(includedir) -D_REENTRANT -D_GNU_SOURCE -DTHREADS_HAVE_PIDS -fno-strict-aliasing -pipe -Wdeclaration-after-statement"
+
+
+$(WRAPPER_SOURCES): ../SWIG/*.i
+	$(SWIG) -perl -I../../src -I../SWIG -o libapparmor_wrap.c libapparmor.i
+
+endif
+
+EXTRA_DIST = Makefile.PL $(WRAPPER_SOURCES) examples/*.pl
+

changehat/libapparmor/swig/perl/examples/example.pl

@@ -0,0 +1,15 @@
+require LibAppArmor;
+
+$msg = "type=APPARMOR msg=audit(1168662182.495:58): PERMITTING r access to /home/matt/projects/change_hat_test/test (test_hat(27871) profile /home/matt/projects/change_hat_test/test_hat active null-complain-profile)";
+
+my($test) = AppArmorLogRecordParser::parse_record($msg);
+
+if (AppArmorLogRecordParser::aa_log_record::swig_event_get($test) == $AppArmorLogRecordParser::AA_RECORD_ALLOWED )
+{
+	print "AA_RECORD_ALLOWED\n";
+}
+
+print "Audit ID: " . AppArmorLogRecordParser::aa_log_record::swig_audit_id_get($test) . "\n";
+print "PID: " . AppArmorLogRecordParser::aa_log_record::swig_pid_get($test) . "\n";
+
+AppArmorLogRecordParser::free_record($test);

changehat/libapparmor/swig/python/Makefile.am

@@ -0,0 +1,17 @@
+if HAVE_PYTHON
+BUILT_SOURCES = libapparmor_wrap.c
+
+SWIG_SOURCES = ../SWIG/libapparmor.i
+
+
+pkgpython_PYTHON = LibAppArmor.py
+pkgpyexec_LTLIBRARIES = _libapparmor.la
+_libapparmor_la_SOURCES = libapparmor_wrap.c $(SWIG_SOURCES)
+_libapparmor_la_CPPFLAGS = $(SWIG_PYTHON_CFLAGS) -I$(top_srcdir)/src -I/usr/include/python
+_libapparmor_la_LDFLAGS = -module
+_libapparmor_la_LIBADD = ../../src/.libs/libapparmor.so
+
+libapparmor_wrap.c: $(SWIG_SOURCES)
+	$(SWIG) -python -I$(top_srcdir)/src -o $@ $<
+
+endif 

changehat/libapparmor/swig/ruby/Makefile.am

@@ -0,0 +1,24 @@
+if HAVE_RUBY
+
+RUBY_MAKEFILE = Makefile.ruby
+
+WRAPPER_FILES = LibAppArmor_wrap.* LibAppArmor.so extension.mak .build-stamp
+
+BUILT_SOURCES = LibAppArmor_wrap.c
+
+all-local: .build-stamp
+
+.build-stamp: LibAppArmor_wrap.c
+	CFLAGS="$(CFLAGS) -I../../src" $(RUBY) extconf.rb build
+	touch .build-stamp
+
+install-exec-local: .build-stamp
+	make -f $(RUBY_MAKEFILE) install
+
+LibAppArmor_wrap.c: ../SWIG/*.i
+	$(SWIG) -ruby -I../SWIG -I../../src -o ./LibAppArmor_wrap.c libapparmor.i
+
+endif 
+
+EXTRA_DIST = extconf.rb $(BUILT_SOURCES) examples/*.rb
+

changehat/libapparmor/swig/ruby/extconf.rb

@@ -0,0 +1,76 @@
+require 'mkmf'
+require 'ftools'
+
+$CFLAGS   += " " + (ENV['CFLAGS'] || "") + (ENV['CXXFLAGS'] || "")
+$LDFLAGS = "../../src/.libs/libapparmor.so"
+
+def usage
+	puts <<EOF
+Usage: ruby extconf.rb command
+	build				Build the extension
+	clean				Clean the source directory
+	install				Install the extention
+	test				Test the extension
+	wrap				Generate SWIG wrappers
+EOF
+	exit
+end
+
+cmd = ARGV.shift or usage()
+cmd = cmd.downcase
+
+usage() unless ['build', 'clean', 'install', 'test', 'wrap'].member? cmd
+usage() if ARGV.shift
+
+class Commands
+	def initialize(&block)
+		@block = block
+	end
+	
+	def execute
+		@block.call
+	end
+end
+
+Build = Commands.new {
+	# I don't think we can tell mkmf to generate a makefile with a different name
+	if File.exists?("Makefile")
+		File.rename("Makefile", "Makefile.old")
+	end
+	create_makefile('LibAppArmor')
+	File.rename("Makefile", "Makefile.ruby")
+	if File.exists?("Makefile.old")
+		File.rename("Makefile.old", "Makefile")
+	end
+	system("make -f Makefile.ruby")
+}
+Install = Commands.new {
+    Build.execute
+    if defined? Prefix
+        # strip old prefix and add the new one
+        oldPrefix = Config::CONFIG["prefix"]
+        if defined? Debian
+          archDir = Config::CONFIG["archdir"]
+          libDir = Config::CONFIG["rubylibdir"]
+        else
+          archDir = Config::CONFIG["sitearchdir"]
+          libDir = Config::CONFIG["sitelibdir"]
+        end
+        archDir    = Prefix + archDir.gsub(/^#{oldPrefix}/,"")
+        libDir     = Prefix + libDir.gsub(/^#{oldPrefix}/,"")
+    else
+        archDir    = Config::CONFIG["sitearchdir"]
+        libDir     = Config::CONFIG["sitelibdir"]
+    end
+    [archDir,libDir].each { |path| File.makedirs path }
+     	 binary = 'LibAppArmor.so'
+    File.install "./"+binary, archDir+"/"+binary, 0555, true
+    File.install "./LibAppArmor.so", libDir+"/LibAppArmor.so", 0555, true
+}
+
+availableCommands = {
+	"build"	=> Build,
+	"install" => Install
+}
+
+availableCommands[cmd].execute

changehat/libapparmor/testsuite/Makefile.am

@@ -12,9 +12,9 @@ noinst_PROGRAMS = test_multi.multi
 test_multi_multi_SOURCES	= test_multi.c
 test_multi_multi_CFLAGS		= $(CFLAGS) -Wall
 test_multi_multi_LDFLAGS	= $(LDFLAGS)
-test_multi_multi_LDADD		= -L../src/.libs -lapparmor
+test_multi_multi_LDADD		= ../src/.libs/libapparmor.a
 
 clean-local:
-	rm -rf tmp.err.* tmp.out.* site.exp site.bak test_multi/out
+	rm -f tmp.err.* tmp.out.* site.exp site.bak
 
 EXTRA_DIST = test_multi/*.in test_multi/*.out test_multi/*.err

changehat/libapparmor/testsuite/test_multi.c

@@ -113,14 +113,6 @@ int print_results(aa_log_record *record)
 		{
 			printf("Denied Mask: %s\n", record->denied_mask);
 		}
-		if (record->fsuid != (unsigned long) -1)
-		{
-			printf("fsuid: %ld\n", record->fsuid);
-		}
-		if (record->ouid != (unsigned long) -1)
-		{
-			printf("ouid: %ld\n", record->ouid);
-		}
 		if (record->profile != NULL)
 		{
 			printf("Profile: %s\n", record->profile);
@@ -129,18 +121,10 @@ int print_results(aa_log_record *record)
 		{
 			printf("Name: %s\n", record->name);
 		}
-		if (record->comm != NULL)
-		{
-			printf("Command: %s\n", record->comm);
-		}
 		if (record->name2 != NULL)
 		{
 			printf("Name2: %s\n", record->name2);
 		}
-		if (record->namespace != NULL)
-		{
-			printf("Namespace: %s\n", record->namespace);
-		}
 		if (record->attribute != NULL)
 		{
 			printf("Attribute: %s\n", record->attribute);
@@ -161,10 +145,6 @@ int print_results(aa_log_record *record)
 		{
 			printf("Info: %s\n", record->info);
 		}
-		if (record->error_code)
-		{
-			printf("ErrorCode: %d\n", record->error_code);
-		}
 		if (record->pid != 0)
 		{
 			printf("PID: %ld\n", record->pid);

changehat/libapparmor/testsuite/test_multi/testcase1.out

@@ -1,5 +1,5 @@
 START
-File: test_multi/testcase01.in
+File: test_multi/testcase1.in
 Event type: AA_RECORD_DENIED
 Audit ID: 1181057184.959:7
 Operation: exec

changehat/libapparmor/testsuite/test_multi/testcase10.out

@@ -0,0 +1,11 @@
+START
+File: test_multi/testcase10.in
+Event type: AA_RECORD_HINT
+Audit ID: 1168661976.062:55
+Operation: clone
+Profile: /home/matt/projects/change_hat_test/test_hat
+Task: 38229
+PID: 27764
+Active hat: /home/matt/projects/change_hat_test/test_hat
+Epoch: 1168661976
+Audit subid: 55

changehat/libapparmor/testsuite/test_multi/testcase11.out

@@ -0,0 +1,9 @@
+START
+File: test_multi/testcase11.in
+Event type: AA_RECORD_HINT
+Audit ID: 1168661976.062:55
+Operation: clone
+Task: 38229
+PID: 27764
+Epoch: 1168661976
+Audit subid: 55

changehat/libapparmor/testsuite/test_multi/testcase18.out

@@ -0,0 +1,13 @@
+START
+File: test_multi/testcase18.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1157215966.604:46
+Operation: access
+Mask: r
+Profile: /usr/sbin/httpd2-prefork
+Name: /bin/df
+Info: sh
+PID: 7902
+Active hat: SYSINFO
+Epoch: 1157215966
+Audit subid: 46

changehat/libapparmor/testsuite/test_multi/testcase19.out

@@ -0,0 +1,8 @@
+START
+File: test_multi/testcase19.in
+Event type: AA_RECORD_HINT
+Audit ID: 1164007073.953:518
+Profile: null-complain-profile
+PID: 29420
+Epoch: 1164007073
+Audit subid: 518

changehat/libapparmor/testsuite/test_multi/testcase2.out

@@ -0,0 +1,13 @@
+START
+File: test_multi/testcase2.in
+Event type: AA_RECORD_ALLOWED
+Audit ID: 1168662182.495:58
+Operation: access
+Mask: r
+Profile: /home/matt/projects/change_hat_test/test_hat
+Name: /home/matt/projects/change_hat_test/test
+Info: test_hat
+PID: 27871
+Active hat: null-complain-profile
+Epoch: 1168662182
+Audit subid: 58

changehat/libapparmor/testsuite/test_multi/testcase20.out

@@ -0,0 +1,13 @@
+START
+File: test_multi/testcase20.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1167188680.127:54
+Operation: access
+Mask: r
+Profile: /bin/freak-aa-out
+Name: /bin/freak-aa-out
+Info: bash
+PID: 23415
+Active hat: /bin/freak-aa-out
+Epoch: 1167188680
+Audit subid: 54

changehat/libapparmor/testsuite/test_multi/testcase23.in

@@ -0,0 +1 @@
+Sep 13 13:11:13 lizaveta kernel: AppArmor: REJECTING exec(2) of image '/usr/lib/mailman/mail/mailman'. Profile mandatory and not found (local(20700) profile /usr/lib/postfix/local active /usr/lib/postfix/local)

changehat/libapparmor/testsuite/test_multi/testcase24.out

@@ -7,6 +7,6 @@ Profile: /home/steve/aa-regression-tests/changehat_wrapper//net_raw
 PID: 16196
 Network family: packet
 Socket type: raw
-Protocol: unknown(768)
+Protocol: 768
 Epoch: 1190503205
 Audit subid: 27088