From 11ca694af79a9c9780a4e768818288889a8c1a57 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Tue, 10 Oct 2023 23:47:31 +0100
Subject: [PATCH] feat(aa-log): more log cleanup.

---
 pkg/logs/loggers.go | 1 +
 pkg/logs/loggers_test.go | 1 -
 pkg/logs/logs.go | 13 +++---------
 pkg/logs/logs_test.go | 5 +----
 pkg/util/tools.go | 20 ++++++++++++--------
 pkg/util/tools_test.go | 14 +++++++-------
 6 files changed, 24 insertions(+), 30 deletions(-)

diff --git a/pkg/logs/loggers.go b/pkg/logs/loggers.go
index 54abe43f..2958d177 100644
--- a/pkg/logs/loggers.go
+++ b/pkg/logs/loggers.go
@@ -50,6 +50,7 @@ func GetApparmorLogs(file io.Reader, profile string) []string {
 }
 
 // Clean & remove doublon in logs
+ res = util.DecodeHexInString(res)
 for _, aa := range regCleanLogs {
 res = aa.Regex.ReplaceAllLiteralString(res, aa.Repl)
 }
diff --git a/pkg/logs/loggers_test.go b/pkg/logs/loggers_test.go
index bf84fee3..8f5e4cc3 100644
--- a/pkg/logs/loggers_test.go
+++ b/pkg/logs/loggers_test.go
@@ -23,7 +23,6 @@ func TestGetJournalctlLogs(t *testing.T) {
 want: AppArmorLogs{
 {
 "apparmor": "ALLOWED",
- "profile": "",
 "label": "gsd-xsettings",
 "operation": "dbus_method_call",
 "name": ":*",
diff --git a/pkg/logs/logs.go b/pkg/logs/logs.go
index 06576e14..f6b50311 100644
--- a/pkg/logs/logs.go
+++ b/pkg/logs/logs.go
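Review bot: With `res = util.DecodeHexInString(res)` placed here, the audit hex-encoded `name=`/`comm=`/`profile=` values are decoded into the raw buffer before it is split into `key=value` pairs and before the `regCleanLogs` rewrites run, whereas the code this commit removes from NewApparmorLogs decoded each field only after parsing. As far as I know the kernel audit layer hex-encodes a string precisely because it contains a `"`, a control character or a newline that would break the `key="value"` framing, so a file name chosen by an unprivileged local user (say one containing `" profile="`) now lands unescaped in the line that is later parsed and can shadow or inject fields; the decoder therefore has to guarantee the framing (keep the hex form, or escape, when the decoded bytes contain `"` or a line break). The comment above this line should also mention the new step, e.g. `// Decode audit hex-encoded fields, then clean & remove doublon in logs`. GetApparmorLogs starts before this hunk.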
@@ -59,13 +59,14 @@ var (
 `@{PROC}/@{pid}/task/[0-9]*/`, `@{PROC}/@{pid}/task/@{tid}/`,
 `/sys/`, `@{sys}/`,
 `@{PROC}@{sys}/`, `@{PROC}/sys/`,
- `pci[0-9][0-9][0-9][0-9]:[0-9][0-9]`, `@{pci_bus}`,
- `@{pci_bus}/([0-9][0-9][0-9][0-9]:[0-9][0-9]:[0-9a-f][0-9a-f]\.[0-9]/)+`, `@{pci}/`,
+ `pci[0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]`, `@{pci_bus}`,
 
 // Some system glob
 `:1.[0-9]*`, `:*`, // dbus peer name
 `@{bin}/(|ba|da)sh`, `@{bin}/{,ba,da}sh`, // collect all shell
 `@{lib}/modules/[^/]+\/`, `@{lib}/modules/*/`, // strip kernel version numbers from kernel module accesses
+ `[0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][-_][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][-_][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][-_][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][-_][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F]`, `@{uuid}`,
+ `[0-9][0-9][0-9][0-9][0-9][0-9]+`, `@{int}`,
 
 // Remove basic rules from abstractions/base
 `(?m)^.*/etc/[^/]+so.*$`, ``,
@@ -114,14 +115,6 @@ func NewApparmorLogs(file io.Reader, profile string) AppArmorLogs {
 aa[kv[0]] = strings.Trim(kv[1], `"`)
 }
 }
- aa["profile"] = util.DecodeHex(aa["profile"])
- toDecode := []string{"name", "comm"}
- for _, name := range toDecode {
- if value, ok := aa[name]; ok {
- aa[name] = util.DecodeHex(value)
- }
- }
-
 aaLogs = append(aaLogs, aa)
 }
 
diff --git a/pkg/logs/logs_test.go b/pkg/logs/logs_test.go
index 79fc283c..360cc523 100644
--- a/pkg/logs/logs_test.go
+++ b/pkg/logs/logs_test.go
@@ -47,7 +47,6 @@ var (
 refPowerProfiles = AppArmorLogs{
 {
 "apparmor": "ALLOWED",
- "profile": "",
 "label": "power-profiles-daemon",
 "operation": "dbus_method_call",
 "name": "org.freedesktop.DBus",
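Review bot: The new `@{int}` rule, `[0-9][0-9][0-9][0-9][0-9][0-9]+` → `@{int}`, is not tied to a path component, and since `regCleanLogs` is applied to the whole log buffer before it is split into fields (see the loggers.go hunk), it will also rewrite any run of six or more digits elsewhere in the line — the audit timestamp and serial in `msg=audit(1424425690.883:716630)`, and any `pid=`, `fsuid=` or `ouid=` value that reaches six digits, which pids can on a 64-bit `pid_max`. If the intent is to generalise numeric path components only, anchor the rule on its separators and put them back in the literal replacement, e.g. `` `/[0-9]{6,}/`, `/@{int}/`, `` plus `` `/[0-9]{6,}"`, `/@{int}"`, `` for a trailing component. The counted form `{6,}` is also easier to audit than six repeated classes, and the same applies to the new `@{uuid}` and `pci` patterns in this hunk. The `var (` block being edited starts before the hunk.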
@@ -83,7 +82,7 @@ func TestAppArmorEvents(t *testing.T) {
 "apparmor": "ALLOWED",
 "profile": "@{bin}/httpd2-prefork//vhost_foo",
 "operation": "rename_dest",
- "name": "/home/www/foo.bar.in/httpdocs/apparmor/images/test/image 1.jpg",
+ "name": "@{HOME}/foo.bar.in/httpdocs/apparmor/images/test/image 1.jpg",
 "comm": "httpd2-prefork",
 "requested_mask": "wc",
 "denied_mask": "wc",
@@ -136,7 +135,6 @@ func TestAppArmorEvents(t *testing.T) {
 want: AppArmorLogs{
 {
 "apparmor": "ALLOWED",
- "profile": "",
 "label": "snapd",
 "operation": "dbus_method_call",
 "name": "org.freedesktop.PolicyKit1",
@@ -163,7 +161,6 @@ func TestAppArmorEvents(t *testing.T) {
 want: AppArmorLogs{
 {
 "apparmor": "ALLOWED",
- "profile": "",
 "label": "xdg-document-portal",
 "operation": "dbus_bind",
 "name": "org.freedesktop.portal.Documents",
diff --git a/pkg/util/tools.go b/pkg/util/tools.go
index 6b49647d..7aba0e7c 100644
--- a/pkg/util/tools.go
+++ b/pkg/util/tools.go
@@ -9,23 +9,27 @@ import (
 "regexp"
 )
 
-var isHexa = regexp.MustCompile("^[0-9A-Fa-f]+$")
-
 type RegexRepl struct {
 Regex *regexp.Regexp
 Repl string
 }
 
-// DecodeHex decode a string if it is hexa.
-func DecodeHex(str string) string {
- if isHexa.MatchString(str) {
- bs, _ := hex.DecodeString(str)
- return string(bs)
+// DecodeHexInString decode and replace all hex value in a given string constitued of "key=value".
+func DecodeHexInString(str string) string {
+ toDecode := []string{"name", "comm", "profile"}
+ for _, name := range toDecode {
+ exp := name + `=[0-9A-F]+`
+ re := regexp.MustCompile(exp)
+ str = re.ReplaceAllStringFunc(str, func(s string) string {
+ hexa := s[len(name)+1:]
+ bs, _ := hex.DecodeString(hexa)
+ return name + "=\"" + string(bs) + "\""
+ })
 }
 return str
 }
 
-// RemoveDuplicate filter out all duplicates from a slice. Also filter out empty string
+// RemoveDuplicate filter out all duplicates from a slice. Also filter out empty element.
 func RemoveDuplicate[T comparable](inlist []T) []T {
 var empty T
 list := []T{}
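Review bot: `DecodeHexInString` in the tools.go hunk re-emits the decoded bytes between two literal `"` on the `return name + "=\"" + string(bs) + "\""` line without checking what they contain, and the result is later split on exactly that framing; audit only hex-encodes a value because it holds a `"`, a control character or a newline, so a local user who can create a file with such a name can close the quoted value early and append fake `key="value"` pairs, or an extra line, to what NewApparmorLogs parses. Two smaller points on the same lines: `regexp.MustCompile(exp)` now runs for every key on every call (the removed `isHexa` was compiled once at package scope), and the `hex.DecodeString` error is discarded with `bs, _ :=`, so an odd-length or corrupted value yields a truncated decode instead of being left alone; the key pattern also has no leading boundary, so any other key ending in `name`, `comm` or `profile` would be rewritten as well, should one occur. A version that compiles once, keeps the hex form on decode error or when the value would break the framing, and anchors the key is sketched below; it needs `strings` imported if tools.go does not already import it.
```go
// One compiled matcher per audit field that may be hex-encoded; the leading
// \b keeps a longer key that merely ends in the same word from matching.
var hexEncodedFields = []struct {
	key string
	re  *regexp.Regexp
}{
	{"name", regexp.MustCompile(`\bname=[0-9A-F]+`)},
	{"comm", regexp.MustCompile(`\bcomm=[0-9A-F]+`)},
	{"profile", regexp.MustCompile(`\bprofile=[0-9A-F]+`)},
}

// DecodeHexInString decodes the audit hex-encoded name=, comm= and profile=
// values of a log buffer into quoted key="value" form. A value that does not
// decode cleanly, or whose decoded bytes would break the key="value" framing
// (a double quote or a line break), is left in its hex form.
func DecodeHexInString(str string) string {
	for _, f := range hexEncodedFields {
		str = f.re.ReplaceAllStringFunc(str, func(s string) string {
			bs, err := hex.DecodeString(s[len(f.key)+1:])
			if err != nil || strings.ContainsAny(string(bs), "\"\n\r") {
				return s // keep the audit encoding rather than emit a broken line
			}
			return f.key + `="` + string(bs) + `"`
		})
	}
	return str
}
```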
diff --git a/pkg/util/tools_test.go b/pkg/util/tools_test.go
index 92c677dd..086ec9c3 100644
--- a/pkg/util/tools_test.go
+++ b/pkg/util/tools_test.go
@@ -10,7 +10,7 @@ import (
 "testing"
 )
 
-func TestDecodeHex(t *testing.T) {
+func TestDecodeHexInString(t *testing.T) {
 tests := []struct {
 name string
 str string
@@ -18,19 +18,19 @@ func TestDecodeHex(t *testing.T) {
 }{
 {
 name: "Hexa",
- str: "666F6F20626172",
- want: "foo bar",
+ str: `apparmor="ALLOWED" operation="rename_dest" parent=6974 profile="/usr/sbin/httpd2-prefork//vhost_foo" name=2F686F6D652F7777772F666F6F2E6261722E696E2F68747470646F63732F61707061726D6F722F696D616765732F746573742F696D61676520312E6A7067 pid=20143 comm="httpd2-prefork" requested_mask="wc"`,
+ want: `apparmor="ALLOWED" operation="rename_dest" parent=6974 profile="/usr/sbin/httpd2-prefork//vhost_foo" name="/home/www/foo.bar.in/httpdocs/apparmor/images/test/image 1.jpg" pid=20143 comm="httpd2-prefork" requested_mask="wc"`,
 },
 {
 name: "Not Hexa",
- str: "ALLOWED",
- want: "ALLOWED",
+ str: `type=AVC msg=audit(1424425690.883:716630): apparmor="ALLOWED" operation="file_mmap" info="Failed name lookup - disconnected path" error=-13 profile="/sbin/klogd" name="var/run/nscd/passwd" pid=25333 comm="id" requested_mask="r" denied_mask="r" fsuid=1002 ouid=0`,
+ want: `type=AVC msg=audit(1424425690.883:716630): apparmor="ALLOWED" operation="file_mmap" info="Failed name lookup - disconnected path" error=-13 profile="/sbin/klogd" name="var/run/nscd/passwd" pid=25333 comm="id" requested_mask="r" denied_mask="r" fsuid=1002 ouid=0`,
 },
 }
 for _, tt := range tests {
 t.Run(tt.name, func(t *testing.T) {
- if got := DecodeHexInString(tt.str); got != tt.want {
- t.Errorf("DecodeHex() = %v, want %v", got, tt.want)
+ if got := DecodeHexInString(tt.str); got != tt.want {
+ t.Errorf("DecodeHexInString() = %v, want %v", got, tt.want)
 }
 })
 }
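Review bot: Both new cases in the `-18,19 +18,19` hunk exercise only the happy path — a well-formed, even-length, benign `name=` value — so the behaviour that matters for safety is untested: a decoded value that contains a `"` or a newline, and a malformed (odd-length) hex value, which `hex.DecodeString` reports as an error that the function currently discards. Add one case for each, e.g. `str: `name=22202F6574632F706173737764`` (decodes to `" /etc/passwd`) and an odd-length `name=2F686F6D65F`, and pin the intended output for both, so that the `key="value"` framing guarantee is checked rather than assumed. A case with a lowercase hex value would also document that only uppercase `[0-9A-F]` is decoded, which is a deliberate narrowing of the removed `isHexa`. TestDecodeHexInString ends on the last line of this hunk.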