This patch removes all of the old log parsing code from libapparmor.
Rather than deleting the testcases for the old style log messages outright, their expected output has been modified so that they are now expected to return invalid results.
parent
93ae7808cb
commit
1c2591de1e
20 changed files with 65 additions and 421 deletions
|
@ -79,10 +79,10 @@ aa_record_event_type lookup_aa_event(unsigned int type)
|
|||
long t_long;
|
||||
}
|
||||
|
||||
%type <t_str> old_profile safe_string protocol
|
||||
%type <t_str> safe_string protocol
|
||||
%token <t_long> TOK_DIGITS TOK_TYPE_UNKNOWN
|
||||
%token <t_str> TOK_QUOTED_STRING TOK_PATH TOK_ID TOK_NULL_COMPLAIN TOK_MODE TOK_DMESG_STAMP
|
||||
%token <t_str> TOK_SINGLE_QUOTED_STRING TOK_AUDIT_DIGITS TOK_DATE_MONTH TOK_DATE_TIME
|
||||
%token <t_str> TOK_QUOTED_STRING TOK_ID TOK_MODE TOK_DMESG_STAMP
|
||||
%token <t_str> TOK_AUDIT_DIGITS TOK_DATE_MONTH TOK_DATE_TIME
|
||||
%token <t_str> TOK_HEXSTRING TOK_TYPE_OTHER TOK_MSG_REST
|
||||
|
||||
%token TOK_EQUALS
|
||||
|
@ -105,31 +105,6 @@ aa_record_event_type lookup_aa_event(unsigned int type)
|
|||
%token TOK_TYPE_AA_STATUS
|
||||
%token TOK_TYPE_AA_ERROR
|
||||
%token TOK_TYPE_LSM_AVC
|
||||
%token TOK_OLD_TYPE_APPARMOR
|
||||
%token TOK_OLD_APPARMOR_REJECT
|
||||
%token TOK_OLD_APPARMOR_PERMIT
|
||||
%token TOK_OLD_APPARMOR_AUDIT
|
||||
%token TOK_OLD_APPARMOR_LOGPROF_HINT
|
||||
%token TOK_OLD_UNKNOWN_HAT
|
||||
%token TOK_OLD_ACTIVE
|
||||
%token TOK_OLD_UNKNOWN_PROFILE
|
||||
%token TOK_OLD_MISSING_PROFILE
|
||||
%token TOK_OLD_CHANGING_PROFILE
|
||||
%token TOK_OLD_ACCESS
|
||||
%token TOK_OLD_TO
|
||||
%token TOK_OLD_FROM
|
||||
%token TOK_OLD_PIPE
|
||||
%token TOK_OLD_EXTENDED
|
||||
%token TOK_OLD_ATTRIBUTE
|
||||
%token TOK_OLD_ON
|
||||
%token TOK_OLD_MKDIR
|
||||
%token TOK_OLD_RMDIR
|
||||
%token TOK_OLD_XATTR
|
||||
%token TOK_OLD_CHANGE
|
||||
%token TOK_OLD_SYSCALL
|
||||
%token TOK_OLD_LINK
|
||||
%token TOK_OLD_FORK
|
||||
%token TOK_OLD_CHILD
|
||||
|
||||
%token TOK_KEY_APPARMOR
|
||||
%token TOK_KEY_TYPE
|
||||
|
@ -147,7 +122,6 @@ aa_record_event_type lookup_aa_event(unsigned int type)
|
|||
%token TOK_KEY_PID
|
||||
%token TOK_KEY_PROFILE
|
||||
%token TOK_AUDIT
|
||||
%token TOK_KEY_IMAGE
|
||||
%token TOK_KEY_FAMILY
|
||||
%token TOK_KEY_SOCK_TYPE
|
||||
%token TOK_KEY_PROTOCOL
|
||||
|
@ -172,15 +146,10 @@ log_message: audit_type
|
|||
|
||||
audit_type: TOK_KEY_TYPE TOK_EQUALS type_syntax ;
|
||||
|
||||
type_syntax: old_syntax { ret_record->version = AA_RECORD_SYNTAX_V1; }
|
||||
| new_syntax { ret_record->version = AA_RECORD_SYNTAX_V2; }
|
||||
type_syntax: new_syntax { ret_record->version = AA_RECORD_SYNTAX_V2; }
|
||||
| other_audit
|
||||
;
|
||||
|
||||
old_syntax: TOK_OLD_TYPE_APPARMOR audit_msg old_msg
|
||||
| TOK_TYPE_UNKNOWN audit_msg old_msg
|
||||
;
|
||||
|
||||
new_syntax:
|
||||
TOK_TYPE_AA_REJECT audit_msg key_list { ret_record->event = AA_RECORD_DENIED; }
|
||||
| TOK_TYPE_AA_AUDIT audit_msg key_list { ret_record->event = AA_RECORD_AUDIT; }
|
||||
|
@ -201,9 +170,7 @@ other_audit: TOK_TYPE_OTHER audit_msg TOK_MSG_REST
|
|||
;
|
||||
|
||||
syslog_type:
|
||||
syslog_date TOK_ID TOK_SYSLOG_KERNEL audit_id old_msg
|
||||
{ ret_record->version = AA_RECORD_SYNTAX_V1; }
|
||||
| syslog_date TOK_ID TOK_SYSLOG_KERNEL audit_id key_list
|
||||
syslog_date TOK_ID TOK_SYSLOG_KERNEL audit_id key_list
|
||||
{ ret_record->version = AA_RECORD_SYNTAX_V2; }
|
||||
| syslog_date TOK_ID TOK_SYSLOG_KERNEL key_type audit_id key_list
|
||||
{ ret_record->version = AA_RECORD_SYNTAX_V2; }
|
||||
|
@ -215,167 +182,9 @@ syslog_type:
|
|||
|
||||
/* when audit dispatches a message it doesn't prepend the audit type string */
|
||||
audit_dispatch:
|
||||
audit_msg old_msg { ret_record->version = AA_RECORD_SYNTAX_V1; }
|
||||
audit_msg key_list { ret_record->version = AA_RECORD_SYNTAX_V2; }
|
||||
;
|
||||
|
||||
old_msg:
|
||||
old_permit_reject_type old_permit_reject_syntax
|
||||
| TOK_OLD_APPARMOR_LOGPROF_HINT old_logprof_syntax { ret_record->event = AA_RECORD_HINT; }
|
||||
;
|
||||
|
||||
old_permit_reject_type:
|
||||
TOK_OLD_APPARMOR_REJECT { ret_record->event = AA_RECORD_DENIED; }
|
||||
| TOK_OLD_APPARMOR_PERMIT { ret_record->event = AA_RECORD_ALLOWED; }
|
||||
| TOK_OLD_APPARMOR_AUDIT { ret_record->event = AA_RECORD_AUDIT; }
|
||||
;
|
||||
|
||||
old_permit_reject_syntax:
|
||||
TOK_MODE TOK_OLD_ACCESS old_permit_reject_path_pipe_extended
|
||||
TOK_OPEN_PAREN old_process_state TOK_CLOSE_PAREN
|
||||
{
|
||||
ret_record->requested_mask = $1;
|
||||
ret_record->operation = strdup("access");
|
||||
}
|
||||
| dir_action TOK_OLD_ON TOK_PATH
|
||||
TOK_OPEN_PAREN old_process_state TOK_CLOSE_PAREN
|
||||
{
|
||||
ret_record->name = $3;
|
||||
}
|
||||
| TOK_OLD_XATTR TOK_ID TOK_OLD_ON TOK_PATH
|
||||
TOK_OPEN_PAREN old_process_state TOK_CLOSE_PAREN
|
||||
{
|
||||
ret_record->operation = strdup("xattr");
|
||||
ret_record->attribute = $2;
|
||||
ret_record->name = $4;
|
||||
}
|
||||
| TOK_KEY_ATTRIBUTE TOK_OPEN_PAREN TOK_ID TOK_CLOSE_PAREN
|
||||
TOK_OLD_CHANGE TOK_OLD_TO TOK_PATH
|
||||
TOK_OPEN_PAREN old_process_state TOK_CLOSE_PAREN
|
||||
{
|
||||
ret_record->operation = strdup("setattr");
|
||||
ret_record->attribute = $3;
|
||||
ret_record->name = $7;
|
||||
}
|
||||
| TOK_OLD_ACCESS TOK_OLD_TO TOK_KEY_CAPABILITY TOK_SINGLE_QUOTED_STRING
|
||||
TOK_OPEN_PAREN old_process_state TOK_CLOSE_PAREN
|
||||
{
|
||||
ret_record->operation = strdup("capability");
|
||||
ret_record->name = $4;
|
||||
}
|
||||
| TOK_OLD_ACCESS TOK_OLD_TO TOK_OLD_SYSCALL TOK_SINGLE_QUOTED_STRING
|
||||
TOK_OPEN_PAREN old_process_state TOK_CLOSE_PAREN
|
||||
{
|
||||
ret_record->operation = strdup("syscall");
|
||||
ret_record->name = $4;
|
||||
}
|
||||
| TOK_OLD_LINK TOK_OLD_ACCESS TOK_OLD_FROM TOK_PATH TOK_OLD_TO TOK_PATH
|
||||
TOK_OPEN_PAREN old_process_state TOK_CLOSE_PAREN
|
||||
{
|
||||
ret_record->requested_mask = strdup("l");
|
||||
ret_record->name = $4;
|
||||
ret_record->name2 = $6;
|
||||
}
|
||||
;
|
||||
|
||||
dir_action:
|
||||
TOK_OLD_MKDIR { ret_record->operation = strdup("mkdir"); }
|
||||
| TOK_OLD_RMDIR { ret_record->operation = strdup("rmdir"); }
|
||||
;
|
||||
|
||||
old_process_state:
|
||||
TOK_ID TOK_OPEN_PAREN TOK_ID TOK_CLOSE_PAREN old_profile_names
|
||||
{
|
||||
ret_record->info = $1;
|
||||
ret_record->pid = atol($3);
|
||||
free($3);
|
||||
}
|
||||
;
|
||||
|
||||
old_profile_names:
|
||||
TOK_KEY_PROFILE old_profile TOK_OLD_ACTIVE old_profile
|
||||
{ ret_record->profile = $2;
|
||||
ret_record->active_hat = $4;
|
||||
}
|
||||
;
|
||||
|
||||
old_permit_reject_path_pipe_extended:
|
||||
TOK_OLD_TO TOK_PATH
|
||||
{
|
||||
ret_record->name = $2;
|
||||
}
|
||||
| TOK_OLD_TO TOK_OLD_PIPE /* Frankly, I don't think this is used */
|
||||
{
|
||||
ret_record->info = strdup("pipe");
|
||||
}
|
||||
| TOK_OLD_EXTENDED TOK_KEY_ATTRIBUTE /* Nor this */
|
||||
{
|
||||
ret_record->info = strdup("extended attribute");
|
||||
}
|
||||
;
|
||||
old_logprof_syntax:
|
||||
old_logprof_syntax2 key_pid
|
||||
TOK_KEY_PROFILE TOK_EQUALS old_profile TOK_OLD_ACTIVE TOK_EQUALS old_profile
|
||||
{
|
||||
ret_record->profile = strdup($5);
|
||||
free($5);
|
||||
ret_record->active_hat = strdup($8);
|
||||
free($8);
|
||||
}
|
||||
| old_logprof_fork_syntax
|
||||
| TOK_OLD_CHANGING_PROFILE key_pid
|
||||
{ ret_record->profile = strdup("null-complain-profile"); }
|
||||
;
|
||||
|
||||
old_logprof_syntax2:
|
||||
TOK_OLD_UNKNOWN_PROFILE TOK_KEY_IMAGE TOK_EQUALS TOK_ID
|
||||
{
|
||||
ret_record->operation = strdup("profile_set");
|
||||
ret_record->info = strdup("unknown profile");
|
||||
ret_record->name = strdup($4);
|
||||
free($4);
|
||||
}
|
||||
| TOK_OLD_MISSING_PROFILE TOK_KEY_IMAGE TOK_EQUALS TOK_ID
|
||||
{
|
||||
ret_record->operation = strdup("exec");
|
||||
ret_record->info = strdup("mandatory profile missing");
|
||||
ret_record->name = strdup($4);
|
||||
free($4);
|
||||
}
|
||||
| TOK_OLD_UNKNOWN_HAT TOK_ID
|
||||
{
|
||||
ret_record->operation = strdup("change_hat");
|
||||
ret_record->name = strdup($2);
|
||||
free($2);
|
||||
ret_record->info = strdup("unknown_hat");
|
||||
}
|
||||
;
|
||||
|
||||
/* TODO: Clean this up */
|
||||
old_logprof_fork_syntax:
|
||||
TOK_OLD_FORK key_pid
|
||||
TOK_OLD_CHILD TOK_EQUALS TOK_DIGITS old_logprof_fork_addition
|
||||
{
|
||||
ret_record->operation = strdup("clone");
|
||||
ret_record->task = $5;
|
||||
}
|
||||
;
|
||||
|
||||
old_logprof_fork_addition:
|
||||
/* Nothin */
|
||||
| TOK_KEY_PROFILE TOK_EQUALS old_profile TOK_OLD_ACTIVE TOK_EQUALS old_profile
|
||||
{
|
||||
ret_record->profile = $3;
|
||||
ret_record->active_hat = $6;
|
||||
}
|
||||
;
|
||||
|
||||
old_profile:
|
||||
TOK_PATH { $$ = $1; }
|
||||
| TOK_ID { $$ = $1; }
|
||||
| TOK_NULL_COMPLAIN { $$ = strdup("null-complain-profile"); }
|
||||
;
|
||||
|
||||
audit_msg: TOK_KEY_MSG TOK_EQUALS audit_id
|
||||
;
|
||||
|
||||
|
@ -441,7 +250,7 @@ key: TOK_KEY_OPERATION TOK_EQUALS TOK_QUOTED_STRING
|
|||
| TOK_KEY_COMM TOK_EQUALS TOK_QUOTED_STRING
|
||||
{ ret_record->comm = $3;}
|
||||
| TOK_KEY_APPARMOR TOK_EQUALS apparmor_event
|
||||
| TOK_KEY_CAPABILITY TOK_EQUALS TOK_ID
|
||||
| TOK_KEY_CAPABILITY TOK_EQUALS TOK_DIGITS
|
||||
{ /* need to reverse map number to string, need to figure out
|
||||
* how to get auto generation of reverse mapping table into
|
||||
* autotools Makefile. For now just drop assumming capname is
|
||||
|
@ -460,6 +269,11 @@ key: TOK_KEY_OPERATION TOK_EQUALS TOK_QUOTED_STRING
|
|||
{ /* target was always name2 in the past */
|
||||
ret_record->name2 = $3;
|
||||
}
|
||||
| TOK_MSG_REST
|
||||
{
|
||||
ret_record->event = AA_RECORD_INVALID;
|
||||
ret_record->info = $1;
|
||||
}
|
||||
;
|
||||
|
||||
apparmor_event:
|
||||
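Review bot: The `TOK_MSG_REST` alternative added to `key` in the last hunk sets `ret_record->event = AA_RECORD_INVALID`, but the `new_syntax` alternatives shown earlier assign the event in an end-of-rule action that runs only after `key_list` has been reduced (`TOK_TYPE_AA_REJECT audit_msg key_list { ret_record->event = AA_RECORD_DENIED; }`). If the scanner can deliver `TOK_MSG_REST` inside a typed record, the unparsable tail would be accepted as a key and the record would apparently still be reported as DENIED or AUDIT with only the fields parsed so far, where a tail like that previously could not reduce as a `key` at all. Since log text is partly attacker-influenced, I would record the unparsable tail in a separate flag set by the `TOK_MSG_REST` action and have the typed actions skip their assignment when it is set; the record's initial event value is not visible here, so comparing against `AA_RECORD_INVALID` directly may not be safe. The same action stores `ret_record->info = $1` without releasing a string an earlier key may already have placed there, which looks like a leak on crafted input, though the rule that sets `info` is outside these hunks.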
|
|
|
@ -83,7 +83,6 @@ minus "-"
|
|||
open_paren "("
|
||||
close_paren ")"
|
||||
ID [^ \t\n\(\)="'!]
|
||||
path "/"{ID}*
|
||||
hexstring ({hex}{hex})+
|
||||
period "\."
|
||||
mode_chars ([RrWwaLlMmkXx])|([Pp][Xx])|([Uu][Xx])|([Ii][Xx])|([Pp][Ii][Xx])
|
||||
|
@ -106,35 +105,6 @@ lsm_avc_type "AVC"
|
|||
unknown_type UNKNOWN\[{digits}+\]
|
||||
other_audit_type [[:alnum:]\[\]_-]+
|
||||
|
||||
/* Old message tokens */
|
||||
|
||||
old_apparmor_type "APPARMOR"
|
||||
old_apparmor_reject "REJECTING"
|
||||
old_apparmor_permit "PERMITTING"
|
||||
old_apparmor_audit "AUDITING"
|
||||
old_apparmor_logprof "LOGPROF-HINT"
|
||||
old_unknown_hat "unknown_hat"
|
||||
old_unknown_profile "unknown_profile"
|
||||
old_missing_profile "missing_mandatory_profile"
|
||||
old_changing_profile "changing_profile"
|
||||
old_active "active"
|
||||
old_access "access"
|
||||
old_from "from"
|
||||
old_to "to"
|
||||
old_pipe "pipe"
|
||||
old_extended "extended"
|
||||
old_rmdir "rmdir"
|
||||
old_mkdir "mkdir"
|
||||
old_on "on"
|
||||
old_xattr "xattr"
|
||||
old_change "change"
|
||||
old_syscall "syscall"
|
||||
old_link "link"
|
||||
old_fork "fork"
|
||||
old_child "child"
|
||||
|
||||
null_complain "null-complain-profile"
|
||||
|
||||
/* Key tokens */
|
||||
|
||||
key_apparmor "apparmor"
|
||||
|
@ -153,7 +123,6 @@ key_magic_token "magic_token"
|
|||
key_info "info"
|
||||
key_pid "pid"
|
||||
key_profile "profile"
|
||||
key_image "image"
|
||||
key_family "family"
|
||||
key_sock_type "sock_type"
|
||||
key_protocol "protocol"
|
||||
|
@ -177,12 +146,10 @@ dmesg_timestamp \[[[:digit:] ]{5,}\.[[:digit:]]{6,}\]
|
|||
%x quoted_string
|
||||
%x sub_id
|
||||
%x audit_id
|
||||
%x single_quoted_string
|
||||
%x hostname
|
||||
%x dmesg_timestamp
|
||||
%x safe_string
|
||||
%x audit_types
|
||||
%x old_action
|
||||
%x other_audit
|
||||
%x unknown_message
|
||||
|
||||
|
@ -206,7 +173,6 @@ yy_flex_debug = 0;
|
|||
<sub_id>{
|
||||
{open_paren} { return(TOK_OPEN_PAREN); }
|
||||
{close_paren} { BEGIN(INITIAL); return(TOK_CLOSE_PAREN); }
|
||||
"'" { string_buf_reset(); BEGIN(single_quoted_string); }
|
||||
{ws} { }
|
||||
\" { string_buf_reset(); BEGIN(quoted_string); }
|
||||
{ID}+ {
|
||||
|
@ -217,19 +183,6 @@ yy_flex_debug = 0;
|
|||
{equals} { return(TOK_EQUALS); }
|
||||
}
|
||||
|
||||
|
||||
"'" { string_buf_reset(); BEGIN(single_quoted_string); }
|
||||
<single_quoted_string>"'" { /* End of the quoted string */
|
||||
BEGIN(INITIAL);
|
||||
yylval->t_str = strdup(string_buf);
|
||||
return(TOK_SINGLE_QUOTED_STRING);
|
||||
}
|
||||
|
||||
|
||||
<single_quoted_string>\\(.|\n) { string_buf_append(1, &yytext[1]); }
|
||||
|
||||
<single_quoted_string>[^\\\n\'\"]+ { string_buf_append(yyleng, yytext); }
|
||||
|
||||
\" { string_buf_reset(); BEGIN(quoted_string); }
|
||||
<quoted_string>\" { /* End of the quoted string */
|
||||
BEGIN(INITIAL);
|
||||
|
@ -243,7 +196,6 @@ yy_flex_debug = 0;
|
|||
<quoted_string>[^\\\n\"]+ { string_buf_append(yyleng, yytext); }
|
||||
|
||||
<safe_string>{
|
||||
"'" { string_buf_reset(); BEGIN(single_quoted_string); }
|
||||
\" { string_buf_reset(); BEGIN(quoted_string); }
|
||||
{hexstring} { yylval->t_str = hex_to_string(yytext); BEGIN(INITIAL); return(TOK_HEXSTRING);}
|
||||
{equals} { return(TOK_EQUALS); }
|
||||
|
@ -274,7 +226,6 @@ yy_flex_debug = 0;
|
|||
BEGIN(INITIAL);
|
||||
return(TOK_TYPE_UNKNOWN);
|
||||
}
|
||||
{old_apparmor_type} { BEGIN(INITIAL); return(TOK_OLD_TYPE_APPARMOR); }
|
||||
{other_audit_type} { yylval->t_str = strdup(yytext);
|
||||
BEGIN(other_audit);
|
||||
return(TOK_TYPE_OTHER);
|
||||
|
@ -291,42 +242,8 @@ yy_flex_debug = 0;
|
|||
return(TOK_OPEN_PAREN);
|
||||
}
|
||||
{close_paren} { return(TOK_CLOSE_PAREN); }
|
||||
{path} { yylval->t_str = strdup(yytext); return(TOK_PATH); }
|
||||
{period} { return(TOK_PERIOD); }
|
||||
|
||||
{old_apparmor_reject} { BEGIN(old_action); return(TOK_OLD_APPARMOR_REJECT); }
|
||||
{old_apparmor_permit} { BEGIN(old_action); return(TOK_OLD_APPARMOR_PERMIT); }
|
||||
{old_apparmor_audit} { BEGIN(old_action); return(TOK_OLD_APPARMOR_AUDIT); }
|
||||
{old_apparmor_logprof} { return(TOK_OLD_APPARMOR_LOGPROF_HINT); }
|
||||
{old_unknown_hat} { BEGIN(sub_id); return(TOK_OLD_UNKNOWN_HAT); }
|
||||
{old_unknown_profile} { return(TOK_OLD_UNKNOWN_PROFILE); }
|
||||
{old_missing_profile} { return(TOK_OLD_MISSING_PROFILE); }
|
||||
{old_changing_profile} { return(TOK_OLD_CHANGING_PROFILE); }
|
||||
{old_active} { BEGIN(sub_id); return(TOK_OLD_ACTIVE); }
|
||||
{old_access} { return(TOK_OLD_ACCESS); }
|
||||
{old_to} { return(TOK_OLD_TO); }
|
||||
{old_from} { return(TOK_OLD_FROM); }
|
||||
{old_pipe} { return(TOK_OLD_PIPE); }
|
||||
{old_extended} { return(TOK_OLD_EXTENDED); }
|
||||
{old_on} { return(TOK_OLD_ON); }
|
||||
{old_change} { return(TOK_OLD_CHANGE); }
|
||||
{key_capability} { BEGIN(sub_id); return(TOK_KEY_CAPABILITY); }
|
||||
{old_syscall} { return(TOK_OLD_SYSCALL); }
|
||||
{old_fork} { return(TOK_OLD_FORK); }
|
||||
{old_child} { return(TOK_OLD_CHILD); }
|
||||
|
||||
<old_action>{
|
||||
{ws}+ { /* eat whitespace */ }
|
||||
{modes} { /* modes must stay out of INITIAL because of false pos matches e.g. Mar */
|
||||
yylval->t_str = strdup(yytext); BEGIN(INITIAL); return(TOK_MODE); }
|
||||
{old_link} { BEGIN(INITIAL); return(TOK_OLD_LINK); }
|
||||
{old_access} { BEGIN(INITIAL); return(TOK_OLD_ACCESS); }
|
||||
{old_mkdir} { BEGIN(INITIAL); return(TOK_OLD_MKDIR); }
|
||||
{old_rmdir} { BEGIN(INITIAL); return(TOK_OLD_RMDIR); }
|
||||
{old_xattr} { BEGIN(sub_id); return(TOK_OLD_XATTR); }
|
||||
{key_attribute} { BEGIN(sub_id); return(TOK_KEY_ATTRIBUTE); }
|
||||
}
|
||||
|
||||
{key_apparmor} { BEGIN(audit_types); return(TOK_KEY_APPARMOR); }
|
||||
{key_type} { BEGIN(audit_types); return(TOK_KEY_TYPE); }
|
||||
{key_msg} { return(TOK_KEY_MSG); }
|
||||
|
@ -350,18 +267,7 @@ yy_flex_debug = 0;
|
|||
{key_fsuid} { return(TOK_KEY_FSUID); }
|
||||
{key_ouid} { return(TOK_KEY_OUID); }
|
||||
{key_comm} { return(TOK_KEY_COMM); }
|
||||
/* This key_capability entry is here to document, what should be.
|
||||
* currently the capability token is handled by the old set of rules above
|
||||
* it should be handled here, but there is no good way to combine them
|
||||
* that doesn't require more work than it is worth atm because of the
|
||||
* switch to sub_id in the old scanner rules.
|
||||
* The switch to sub_id causes the new rule set in the grammar to need to
|
||||
* accept a TOK_ID instead of TOK_DIGITS, which it should be.
|
||||
* once the old rules and old scanning is ripped out this scanner rule
|
||||
* should be activated and the corresponding rule in the grammar should
|
||||
* be updated to use TOK_DIGITS
|
||||
* {key_capability} { return(TOK_KEY_CAPABILITY); }
|
||||
*/
|
||||
{key_capability} { return(TOK_KEY_CAPABILITY); }
|
||||
{key_capname} { return(TOK_KEY_CAPNAME); }
|
||||
{key_offset} { return(TOK_KEY_OFFSET); }
|
||||
{key_target} { return(TOK_KEY_TARGET); }
|
||||
|
@ -371,8 +277,6 @@ yy_flex_debug = 0;
|
|||
{syslog_time} { yylval->t_str = strdup(yytext); BEGIN(hostname); return(TOK_DATE_TIME); }
|
||||
|
||||
{audit} { yy_push_state(audit_id, yyscanner); return(TOK_AUDIT); }
|
||||
{null_complain} { return(TOK_NULL_COMPLAIN); }
|
||||
{key_image} { BEGIN(sub_id); return(TOK_KEY_IMAGE); }
|
||||
|
||||
. { /* ignore any non-matched input */ BEGIN(unknown_message); yyless(0); }
|
||||
|
||||
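Review bot: With the `"'"` rules removed from the `<sub_id>` and `<safe_string>` blocks, a single quote arriving in either state has no matching rule among the lines shown, because `ID` excludes `'` and the `single_quoted_string` state is gone. Unless a catch-all exists in the parts of those blocks outside the hunks, flex's default action would echo the byte to the output stream and keep scanning instead of failing the record. Both states receive text that can originate from the logged process, so I would add an explicit fallthrough to each block that mirrors the INITIAL rule, `. { BEGIN(unknown_message); yyless(0); }`. That routes such input to the invalid-record path the updated test expectations rely on.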
|
|
|
@ -1,13 +1,8 @@
|
|||
START
|
||||
File: test_multi/old_style_log_01.in
|
||||
Event type: AA_RECORD_DENIED
|
||||
Event type: AA_RECORD_INVALID
|
||||
Audit ID: 1157215966.604:46
|
||||
Operation: access
|
||||
Mask: r
|
||||
Profile: /usr/sbin/httpd2-prefork
|
||||
Name: /bin/df
|
||||
Info: sh
|
||||
PID: 7902
|
||||
Active hat: SYSINFO
|
||||
Operation: APPARMOR
|
||||
Info: REJECTING r access to /bin/df (sh(7902) profile /usr/sbin/httpd2-prefork active SYSINFO)
|
||||
Epoch: 1157215966
|
||||
Audit subid: 46
|
||||
|
|
|
@ -1,13 +1,7 @@
|
|||
START
|
||||
File: test_multi/old_style_log_02.in
|
||||
Event type: AA_RECORD_DENIED
|
||||
Event type: AA_RECORD_INVALID
|
||||
Audit ID: 1167188680.127:54
|
||||
Operation: access
|
||||
Mask: r
|
||||
Profile: /bin/freak-aa-out
|
||||
Name: /bin/freak-aa-out
|
||||
Info: bash
|
||||
PID: 23415
|
||||
Active hat: /bin/freak-aa-out
|
||||
Info: REJECTING r access to /bin/freak-aa-out (bash(23415) profile /bin/freak-aa-out active /bin/freak-aa-out)
|
||||
Epoch: 1167188680
|
||||
Audit subid: 54
|
||||
|
|
|
@ -1,12 +1,8 @@
|
|||
START
|
||||
File: test_multi/old_style_log_03.in
|
||||
Event type: AA_RECORD_DENIED
|
||||
Event type: AA_RECORD_INVALID
|
||||
Audit ID: 1173790298.651:1662
|
||||
Operation: syscall
|
||||
Profile: /home/steve/svn/trunk-forge/tests/regression/subdomain/syscall_ptrace
|
||||
Name: ptrace
|
||||
Info: syscall_ptrace
|
||||
PID: 25210
|
||||
Active hat: /home/steve/svn/trunk-forge/tests/regression/subdomain/syscall_ptrace
|
||||
Operation: APPARMOR
|
||||
Info: REJECTING access to syscall 'ptrace' (syscall_ptrace(25210) profile /home/steve/svn/trunk-forge/tests/regression/subdomain/syscall_ptrace active /home/steve/svn/trunk-forge/tests/regression/subdomain/syscall_ptrace)
|
||||
Epoch: 1173790298
|
||||
Audit subid: 1662
|
||||
|
|
|
@ -1,13 +1,8 @@
|
|||
START
|
||||
File: test_multi/old_style_log_04.in
|
||||
Event type: AA_RECORD_DENIED
|
||||
Event type: AA_RECORD_INVALID
|
||||
Audit ID: 1177962395.525:1837
|
||||
Mask: l
|
||||
Profile: /home/steve/svn/apparmor-forge/tests/regression/subdomain/link
|
||||
Name: /tmp/sdtest.3676-13458-it3683/target
|
||||
Name2: /tmp/sdtest.3676-13458-it3683/src
|
||||
Info: link
|
||||
PID: 3823
|
||||
Active hat: /home/steve/svn/apparmor-forge/tests/regression/subdomain/link
|
||||
Operation: APPARMOR
|
||||
Info: REJECTING link access from /tmp/sdtest.3676-13458-it3683/target to /tmp/sdtest.3676-13458-it3683/src (link(3823) profile /home/steve/svn/apparmor-forge/tests/regression/subdomain/link active /home/steve/svn/apparmor-forge/tests/regression/subdomain/link)
|
||||
Epoch: 1177962395
|
||||
Audit subid: 1837
|
||||
|
|
|
@ -1,13 +1,8 @@
|
|||
START
|
||||
File: test_multi/old_style_log_05.in
|
||||
Event type: AA_RECORD_DENIED
|
||||
Event type: AA_RECORD_INVALID
|
||||
Audit ID: 1167188680.127:54
|
||||
Operation: access
|
||||
Mask: r
|
||||
Profile: /bin/freak-aa-out
|
||||
Name: /bin/freak-aa-out
|
||||
Info: bash
|
||||
PID: 23415
|
||||
Active hat: /bin/freak-aa-out
|
||||
Operation: APPARMOR
|
||||
Info: REJECTING r access to /bin/freak-aa-out (bash(23415) profile /bin/freak-aa-out active /bin/freak-aa-out)
|
||||
Epoch: 1167188680
|
||||
Audit subid: 54
|
||||
|
|
|
@ -1,12 +1,8 @@
|
|||
START
|
||||
File: test_multi/old_style_log_06.in
|
||||
Event type: AA_RECORD_DENIED
|
||||
Event type: AA_RECORD_INVALID
|
||||
Audit ID: 1167188680.127:54
|
||||
Operation: mkdir
|
||||
Profile: /bin/freak-aa-out
|
||||
Name: /path/to/something
|
||||
Info: bash
|
||||
PID: 23415
|
||||
Active hat: /bin/freak-aa-out
|
||||
Operation: APPARMOR
|
||||
Info: REJECTING mkdir on /path/to/something (bash(23415) profile /bin/freak-aa-out active /bin/freak-aa-out)
|
||||
Epoch: 1167188680
|
||||
Audit subid: 54
|
||||
|
|
|
@ -1,13 +1,8 @@
|
|||
START
|
||||
File: test_multi/old_style_log_07.in
|
||||
Event type: AA_RECORD_DENIED
|
||||
Event type: AA_RECORD_INVALID
|
||||
Audit ID: 1167188680.127:54
|
||||
Operation: xattr
|
||||
Profile: /bin/freak-aa-out
|
||||
Name: /path/to/something
|
||||
Attribute: set
|
||||
Info: bash
|
||||
PID: 23415
|
||||
Active hat: /bin/freak-aa-out
|
||||
Operation: APPARMOR
|
||||
Info: REJECTING xattr set on /path/to/something (bash(23415) profile /bin/freak-aa-out active /bin/freak-aa-out)
|
||||
Epoch: 1167188680
|
||||
Audit subid: 54
|
||||
|
|
|
@ -1,13 +1,8 @@
|
|||
START
|
||||
File: test_multi/old_style_log_08.in
|
||||
Event type: AA_RECORD_ALLOWED
|
||||
Event type: AA_RECORD_INVALID
|
||||
Audit ID: 1168662182.495:58
|
||||
Operation: access
|
||||
Mask: r
|
||||
Profile: /home/matt/projects/change_hat_test/test_hat
|
||||
Name: /home/matt/projects/change_hat_test/test
|
||||
Info: test_hat
|
||||
PID: 27871
|
||||
Active hat: null-complain-profile
|
||||
Operation: APPARMOR
|
||||
Info: PERMITTING r access to /home/matt/projects/change_hat_test/test (test_hat(27871) profile /home/matt/projects/change_hat_test/test_hat active null-complain-profile)
|
||||
Epoch: 1168662182
|
||||
Audit subid: 58
|
||||
|
|
|
@ -1,12 +1,8 @@
|
|||
START
|
||||
File: test_multi/old_style_log_09.in
|
||||
Event type: AA_RECORD_ALLOWED
|
||||
Event type: AA_RECORD_INVALID
|
||||
Audit ID: 1167188680.127:54
|
||||
Operation: rmdir
|
||||
Profile: /bin/freak-aa-out
|
||||
Name: /path/to/something
|
||||
Info: bash
|
||||
PID: 23415
|
||||
Active hat: /bin/freak-aa-out
|
||||
Operation: APPARMOR
|
||||
Info: PERMITTING rmdir on /path/to/something (bash(23415) profile /bin/freak-aa-out active /bin/freak-aa-out)
|
||||
Epoch: 1167188680
|
||||
Audit subid: 54
|
||||
|
|
|
@ -1,13 +1,8 @@
|
|||
START
|
||||
File: test_multi/old_style_log_10.in
|
||||
Event type: AA_RECORD_ALLOWED
|
||||
Event type: AA_RECORD_INVALID
|
||||
Audit ID: 1167188680.127:54
|
||||
Operation: setattr
|
||||
Profile: /bin/freak-aa-out
|
||||
Name: /else
|
||||
Attribute: something
|
||||
Info: bash
|
||||
PID: 23415
|
||||
Active hat: /bin/freak-aa-out
|
||||
Operation: APPARMOR
|
||||
Info: PERMITTING attribute (something) change to /else (bash(23415) profile /bin/freak-aa-out active /bin/freak-aa-out)
|
||||
Epoch: 1167188680
|
||||
Audit subid: 54
|
||||
|
|
|
@ -1,12 +1,8 @@
|
|||
START
|
||||
File: test_multi/old_style_log_11.in
|
||||
Event type: AA_RECORD_ALLOWED
|
||||
Event type: AA_RECORD_INVALID
|
||||
Audit ID: 1167188680.127:54
|
||||
Operation: capability
|
||||
Profile: /bin/freak-aa-out
|
||||
Name: cap
|
||||
Info: bash
|
||||
PID: 23415
|
||||
Active hat: /bin/freak-aa-out
|
||||
Operation: APPARMOR
|
||||
Info: PERMITTING access to capability 'cap' (bash(23415) profile /bin/freak-aa-out active /bin/freak-aa-out)
|
||||
Epoch: 1167188680
|
||||
Audit subid: 54
|
||||
|
|
|
@ -1,13 +1,8 @@
|
|||
START
|
||||
File: test_multi/old_style_log_12.in
|
||||
Event type: AA_RECORD_ALLOWED
|
||||
Event type: AA_RECORD_INVALID
|
||||
Audit ID: 1201615421.935:4837
|
||||
Mask: l
|
||||
Profile: null-complain-profile
|
||||
Name: /home/jj/.fonts.cache-2.LCK
|
||||
Name2: /home/jj/.fonts.cache-2.TMP-IyT7AP
|
||||
Info: firefox-bin
|
||||
PID: 16844
|
||||
Active hat: null-complain-profile
|
||||
Operation: APPARMOR
|
||||
Info: PERMITTING link access from /home/jj/.fonts.cache-2.LCK to /home/jj/.fonts.cache-2.TMP-IyT7AP (firefox-bin(16844) profile null-complain-profile active null-complain-profile)
|
||||
Epoch: 1201615421
|
||||
Audit subid: 4837
|
||||
|
|
|
@ -1,12 +1,8 @@
|
|||
START
|
||||
File: test_multi/old_style_log_13.in
|
||||
Event type: AA_RECORD_DENIED
|
||||
Event type: AA_RECORD_INVALID
|
||||
Audit ID: 1173790298.983:1669
|
||||
Operation: syscall
|
||||
Profile: /home/steve/svn/trunk-forge/tests/regression/subdomain/syscall_sysctl
|
||||
Name: sysctl (write)
|
||||
Info: syscall_sysctl
|
||||
PID: 25423
|
||||
Active hat: /home/steve/svn/trunk-forge/tests/regression/subdomain/syscall_sysctl
|
||||
Operation: APPARMOR
|
||||
Info: REJECTING access to syscall 'sysctl (write)' (syscall_sysctl(25423) profile /home/steve/svn/trunk-forge/tests/regression/subdomain/syscall_sysctl active /home/steve/svn/trunk-forge/tests/regression/subdomain/syscall_sysctl)
|
||||
Epoch: 1173790298
|
||||
Audit subid: 1669
|
||||
|
|
|
@ -1,13 +1,8 @@
|
|||
START
|
||||
File: test_multi/old_style_log_14.in
|
||||
Event type: AA_RECORD_AUDIT
|
||||
Event type: AA_RECORD_INVALID
|
||||
Audit ID: 1177962426.395:2107
|
||||
Operation: access
|
||||
Mask: mr
|
||||
Profile: /home/steve/svn/apparmor-forge/tests/regression/subdomain/changehat_wrapper
|
||||
Name: /lib/ld-2.4.so
|
||||
Info: open
|
||||
PID: 7139
|
||||
Active hat: open
|
||||
Operation: APPARMOR
|
||||
Info: AUDITING mr access to /lib/ld-2.4.so (open(7139) profile /home/steve/svn/apparmor-forge/tests/regression/subdomain/changehat_wrapper active open)
|
||||
Epoch: 1177962426
|
||||
Audit subid: 2107
|
||||
|
|
|
@ -1,11 +1,8 @@
|
|||
START
|
||||
File: test_multi/old_style_log_15.in
|
||||
Event type: AA_RECORD_HINT
|
||||
Event type: AA_RECORD_INVALID
|
||||
Audit ID: 1168661976.062:55
|
||||
Operation: clone
|
||||
Profile: /home/matt/projects/change_hat_test/test_hat
|
||||
Task: 38229
|
||||
PID: 27764
|
||||
Active hat: /home/matt/projects/change_hat_test/test_hat
|
||||
Operation: APPARMOR
|
||||
Info: LOGPROF-HINT fork pid=27764 child=38229 profile=/home/matt/projects/change_hat_test/test_hat active=/home/matt/projects/change_hat_test/test_hat
|
||||
Epoch: 1168661976
|
||||
Audit subid: 55
|
||||
|
|
|
@ -1,9 +1,8 @@
|
|||
START
|
||||
File: test_multi/old_style_log_16.in
|
||||
Event type: AA_RECORD_HINT
|
||||
Event type: AA_RECORD_INVALID
|
||||
Audit ID: 1168661976.062:55
|
||||
Operation: clone
|
||||
Task: 38229
|
||||
PID: 27764
|
||||
Operation: APPARMOR
|
||||
Info: LOGPROF-HINT fork pid=27764 child=38229
|
||||
Epoch: 1168661976
|
||||
Audit subid: 55
|
||||
|
|
|
@ -1,8 +1,8 @@
|
|||
START
|
||||
File: test_multi/old_style_log_17.in
|
||||
Event type: AA_RECORD_HINT
|
||||
Event type: AA_RECORD_INVALID
|
||||
Audit ID: 1164007073.953:518
|
||||
Profile: null-complain-profile
|
||||
PID: 29420
|
||||
Operation: APPARMOR
|
||||
Info: LOGPROF-HINT changing_profile pid=29420
|
||||
Epoch: 1164007073
|
||||
Audit subid: 518
|
||||
|
|
|
@ -1,12 +1,8 @@
|
|||
START
|
||||
File: test_multi/old_style_log_18.in
|
||||
Event type: AA_RECORD_HINT
|
||||
Event type: AA_RECORD_INVALID
|
||||
Audit ID: 1168661976.062:55
|
||||
Operation: change_hat
|
||||
Profile: /home/matt/projects/change_hat_test/test_hat
|
||||
Name: TESTHAT
|
||||
Info: unknown_hat
|
||||
PID: 27764
|
||||
Active hat: /home/matt/projects/change_hat_test/test_hat
|
||||
Operation: APPARMOR
|
||||
Info: LOGPROF-HINT unknown_hat TESTHAT pid=27764 profile=/home/matt/projects/change_hat_test/test_hat active=/home/matt/projects/change_hat_test/test_hat
|
||||
Epoch: 1168661976
|
||||
Audit subid: 55
|
||||
|
|