2012-10-16 00:19:49 +02:00
|
|
|
#!/bin/bash
|
2010-01-12 07:19:20 -06:00
|
|
|
#
|
2012-10-16 00:19:49 +02:00
|
|
|
# Copyright (C) 2009-2010, 2012 Canonical Ltd.
|
|
|
|
|
# Copyright (C) 2012 Christian Boltz
|
2010-01-12 07:19:20 -06:00
|
|
|
#
|
|
|
|
|
# This program is free software; you can redistribute it and/or
|
|
|
|
|
# modify it under the terms of version 2 of the GNU General Public
|
|
|
|
|
# License as published by the Free Software Foundation.
|
|
|
|
|
#
|
|
|
|
|
# This program is distributed in the hope that it will be useful,
|
|
|
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
|
# GNU General Public License for more details.
|
|
|
|
|
#
|
|
|
|
|
# You should have received a copy of the GNU General Public License
|
|
|
|
|
# along with this program; if not, contact Canonical, Ltd.
|
|
|
|
|
#
|
|
|
|
|
|
|
|
|
|
set -e
|
|
|
|
|
|
|
|
|
|
help() {
|
|
|
|
|
cat <<EOM
|
|
|
|
|
USAGE: aa-decode [OPTIONS] <encoded string>
|
|
|
|
|
Decode a hex-encoded string to ASCII. It will also take an audit log on
|
|
|
|
|
standard input and convert any hex-encoded AppArmor log entries and display
|
|
|
|
|
them on standard output.
|
|
|
|
|
|
|
|
|
|
OPTIONS:
|
|
|
|
|
--help display this help
|
|
|
|
|
|
|
|
|
|
EXAMPLES:
|
|
|
|
|
$ aa-decode 2F746D702F666F6F20626172
|
|
|
|
|
Decoded: /tmp/foo bar
|
|
|
|
|
$ cat /var/log/kern.log | aa-decode
|
|
|
|
|
... denied_mask="r::" fsuid=1000 ouid=1000 name=/tmp/foo bar
|
|
|
|
|
EOM
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
decode() {
|
2019-02-03 21:41:03 +01:00
|
|
|
if echo "$1" | egrep -q "^[0-9A-Fa-f]+$" ; then
|
|
|
|
|
python3 -c "import binascii; print(bytes.decode(binascii.unhexlify('$1'), errors='strict'));"
|
|
|
|
|
else
|
|
|
|
|
echo ""
|
|
|
|
|
fi
|
|
|
|
|
|
2010-01-12 07:19:20 -06:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if [ "$1" = "-h" ] || [ "$1" = "--help" ]; then
|
|
|
|
|
help
|
|
|
|
|
exit
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
# if have an argument, then use it, otherwise process stdin
|
|
|
|
|
if [ -n "$1" ]; then
|
2012-10-16 00:19:49 +02:00
|
|
|
e="$1"
|
|
|
|
|
if ! echo "$e" | egrep -q "^[0-9A-Fa-f]+$" ; then
|
2010-01-12 07:19:20 -06:00
|
|
|
echo "String should only contain hex characters (0-9, a-f, A-F)"
|
2012-09-17 23:55:28 +02:00
|
|
|
exit 1
|
2010-01-12 07:19:20 -06:00
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
d=`decode $e`
|
|
|
|
|
if [ -z "$d" ]; then
|
|
|
|
|
echo "Could not decode string"
|
|
|
|
|
exit 1
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
echo "Decoded: $d"
|
|
|
|
|
exit 0
|
|
|
|
|
fi
|
|
|
|
|
|
2012-10-16 00:19:49 +02:00
|
|
|
# For now just look at 'name=...' and 'profile=...',
|
2010-01-12 07:19:20 -06:00
|
|
|
# so validate input against this and output based on it.
|
|
|
|
|
# TODO: better handle other cases too
|
2012-10-16 00:19:49 +02:00
|
|
|
while read line ; do
|
|
|
|
|
|
|
|
|
|
# check if line contains encoded name= or profile=
|
2017-12-24 00:22:24 -08:00
|
|
|
if [[ "$line" =~ \ (name|profile|proctitle)=[0-9a-fA-F] ]]; then
|
2012-10-16 00:19:49 +02:00
|
|
|
|
|
|
|
|
# cut the encoded filename/profile name out of the line and decode it
|
|
|
|
|
ne=`echo "$line" | sed 's/.* name=\([^ ]*\).*$/\\1/g'`
|
|
|
|
|
nd="$(decode ${ne/\'/\\\'})"
|
|
|
|
|
|
|
|
|
|
pe=`echo "$line" | sed 's/.* profile=\([^ ]*\).*$/\\1/g'`
|
|
|
|
|
pd="$(decode ${pe/\'/\\\'})"
|
|
|
|
|
|
2017-12-24 00:22:24 -08:00
|
|
|
pce=`echo "$line" | sed 's/.* proctitle=\([^ ]*\).*$/\\1/g'`
|
|
|
|
|
pcd="$(decode ${pce/\'/\\\'})"
|
|
|
|
|
|
2012-10-16 00:19:49 +02:00
|
|
|
# replace encoded name and profile with its decoded counterparts (only if it was encoded)
|
|
|
|
|
test -n "$nd" && line="${line/name=$ne/name=\"$nd\"}"
|
|
|
|
|
test -n "$pd" && line="${line/profile=$pe/profile=\"$pd\"}"
|
2017-12-24 00:22:24 -08:00
|
|
|
test -n "$pcd" && line="${line/proctitle=$pce/proctitle=\"$pcd\"}"
|
2012-10-16 00:19:49 +02:00
|
|
|
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
echo "$line"
|
|
|
|
|
|
2010-01-12 07:19:20 -06:00
|
|
|
done
|
