Adding support for execpath in libraries

`execpath` allows to reliably store the path of the binary that triggered a log. This is useful because comm was not sufficient to reliably identify a binary Signed-off-by: Maxime Bélair <maxime.belair@canonical.com>
2025-03-04 08:24:42 +01:00 · 2024-06-09 17:40:34 +02:00 · 2024-06-09 17:40:34 +02:00 · 3c825eb001
commit 3c825eb001
parent 0d9d548694
5 changed files with 12 additions and 0 deletions
--- a/libraries/libapparmor/include/aalogparse.h
+++ b/libraries/libapparmor/include/aalogparse.h
@ -148,6 +148,9 @@ typedef struct
 	unsigned long net_local_port;
 	char *net_foreign_addr;
 	unsigned long net_foreign_port;
+
+	char *execpath;
+
 	char *dbus_bus;
 	char *dbus_path;
 	char *dbus_interface;
--- a/libraries/libapparmor/src/grammar.y
+++ b/libraries/libapparmor/src/grammar.y
@ -189,6 +189,7 @@ aa_record_event_type lookup_aa_event(unsigned int type)
 %token TOK_KEY_FLAGS
 %token TOK_KEY_SRCNAME
 %token TOK_KEY_UNIX_PEER_ADDR
+%token TOK_KEY_EXECPATH
 %token TOK_KEY_CLASS

 %token TOK_SOCKLOGD_KERNEL
@ -431,6 +432,8 @@ key: TOK_KEY_OPERATION TOK_EQUALS TOK_QUOTED_STRING
 	{ ret_record->flags = $3; }
 	| TOK_KEY_SRCNAME TOK_EQUALS TOK_QUOTED_STRING
 	{ ret_record->src_name = $3; }
+	| TOK_KEY_EXECPATH TOK_EQUALS TOK_QUOTED_STRING
+	{ ret_record->execpath = $3; }
 	| TOK_MSG_REST
 	{
 		ret_record->event = AA_RECORD_INVALID;
--- a/libraries/libapparmor/src/libaalogparse.c
+++ b/libraries/libapparmor/src/libaalogparse.c
@ -107,6 +107,8 @@ void free_record(aa_log_record *record)
 			free(record->net_addr);
 		if (record->peer_addr != NULL)
 			free(record->peer_addr);
+		if (record->execpath != NULL)
+			free(record->execpath);

 		if (record->class != NULL)
 			free(record->class);
--- a/libraries/libapparmor/src/scanner.l
+++ b/libraries/libapparmor/src/scanner.l
@ -179,6 +179,7 @@ key_srcname		"srcname"
 key_class		"class"
 key_tcontext		"tcontext"
 key_unix_peer_addr	"peer_addr"
+key_execpath		"execpath"
 audit			"audit"

 /* network addrs */
@ -377,6 +378,7 @@ yy_flex_debug = 0;
 {key_flags}		{ BEGIN(safe_string); return(TOK_KEY_FLAGS); }
 {key_srcname}		{ BEGIN(safe_string); return(TOK_KEY_SRCNAME); }
 {key_unix_peer_addr}    { BEGIN(safe_string); return(TOK_KEY_UNIX_PEER_ADDR); }
+{key_execpath}		{ BEGIN(safe_string); return(TOK_KEY_EXECPATH); }
 {key_class}		{ BEGIN(safe_string); return(TOK_KEY_CLASS); }

 {socklogd_kernel}	{ BEGIN(dmesg_timestamp); return(TOK_SOCKLOGD_KERNEL); }
--- a/libraries/libapparmor/testsuite/test_multi.c
+++ b/libraries/libapparmor/testsuite/test_multi.c
@ -140,6 +140,8 @@ int print_results(aa_log_record *record)
 		print_string("Flags", record->flags);
 		print_string("Src name", record->src_name);

+		print_string("Execpath", record->execpath);
+
 		print_string("Class", record->class);

 		print_long("Epoch", record->epoch, 0);