From: Marc Deslauriers <marc.deslauriers@ubuntu.com>

Acked-By: Steve Beattie <steve@ubuntu.com> Ref: https://bugs.launchpad.net/bugs/431929 Parse log entries containing an ouid. (I added a testcase to Marc's fix.)
2025-03-04 08:24:42 +01:00 · 2009-09-18 21:13:04 +00:00 · 2009-09-18 21:13:04 +00:00 · 4265cecdfa
commit 4265cecdfa
parent 317a3a0ad2
8 changed files with 27 additions and 0 deletions
--- a/libraries/libapparmor/src/aalogparse.h
+++ b/libraries/libapparmor/src/aalogparse.h
@ -127,6 +127,7 @@ typedef struct
 	char *denied_mask;		/* "r", "w", etc. */
 	char *requested_mask;
 	unsigned long fsuid;		/* fsuid of task - if logged */
+	unsigned long ouid;		/* ouid of task - if logged */
 	char *profile;			/* The name of the profile */
 	char *name;
 	char *name2;
--- a/libraries/libapparmor/src/grammar.y
+++ b/libraries/libapparmor/src/grammar.y
@ -145,6 +145,7 @@ aa_record_event_type lookup_aa_event(unsigned int type)
 %token TOK_KEY_NAMESPACE
 %token TOK_KEY_ERROR
 %token TOK_KEY_FSUID
+%token TOK_KEY_OUID

 %token TOK_SYSLOG_KERNEL

@ -417,6 +418,8 @@ key: TOK_KEY_OPERATION TOK_EQUALS TOK_QUOTED_STRING
 	{ ret_record->error_code = $3;}
 	| TOK_KEY_FSUID TOK_EQUALS TOK_DIGITS
 	{ ret_record->fsuid = $3;}
+	| TOK_KEY_OUID TOK_EQUALS TOK_DIGITS
+	{ ret_record->ouid = $3;}
 	;

 key_pid: TOK_KEY_PID TOK_EQUALS TOK_DIGITS { ret_record->pid = $3; }
--- a/libraries/libapparmor/src/libaalogparse.c
+++ b/libraries/libapparmor/src/libaalogparse.c
@ -93,6 +93,7 @@ void _init_log_record(aa_log_record *record)
 	record->version = AA_RECORD_SYNTAX_UNKNOWN;
 	record->event = AA_RECORD_INVALID;
 	record->fsuid = (unsigned long) -1;
+	record->ouid = (unsigned long) -1;

 	return;
 }
--- a/libraries/libapparmor/src/scanner.l
+++ b/libraries/libapparmor/src/scanner.l
@ -107,6 +107,7 @@ key_sock_type		"sock_type"
 key_protocol		"protocol"
 key_error		"error"
 key_fsuid		"fsuid"
+key_ouid		"ouid"
 audit			"audit"

 /* syslog tokens */
@ -297,6 +298,7 @@ char *string_buf_ptr = string_buf; /* assignment to quiet gcc warning */
 {key_protocol}		{ return(TOK_KEY_PROTOCOL); }
 {key_error}		{ return(TOK_KEY_ERROR); }
 {key_fsuid}		{ return(TOK_KEY_FSUID); }
+{key_ouid}		{ return(TOK_KEY_OUID); }

 {syslog_kernel}		{ BEGIN(dmesg_timestamp); return(TOK_SYSLOG_KERNEL); }
 {syslog_month}		{ yylval->t_str = strdup(yytext); return(TOK_DATE_MONTH); }
--- a/libraries/libapparmor/testsuite/test_multi.c
+++ b/libraries/libapparmor/testsuite/test_multi.c
@ -117,6 +117,10 @@ int print_results(aa_log_record *record)
 		{
 			printf("fsuid: %ld\n", record->fsuid);
 		}
+		if (record->ouid != (unsigned long) -1)
+		{
+			printf("ouid: %ld\n", record->ouid);
+		}
 		if (record->profile != NULL)
 		{
 			printf("Profile: %s\n", record->profile);
--- a/libraries/libapparmor/testsuite/test_multi/testcase_ouid.err
+++ b/libraries/libapparmor/testsuite/test_multi/testcase_ouid.err
--- a/libraries/libapparmor/testsuite/test_multi/testcase_ouid.in
+++ b/libraries/libapparmor/testsuite/test_multi/testcase_ouid.in
@ -0,0 +1 @@
+type=APPARMOR_DENIED msg=audit(1253311255.027:200): operation="open" pid=25588 parent=25587 profile="/home/ubuntu/tmp/aashell" requested_mask="r::" denied_mask="r::" fsuid=1000 ouid=1000 name="/home/ubuntu/"
--- a/libraries/libapparmor/testsuite/test_multi/testcase_ouid.out
+++ b/libraries/libapparmor/testsuite/test_multi/testcase_ouid.out
@ -0,0 +1,15 @@
+START
+File: test_multi/testcase_ouid.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1253311255.027:200
+Operation: open
+Mask: r::
+Denied Mask: r::
+fsuid: 1000
+ouid: 1000
+Profile: /home/ubuntu/tmp/aashell
+Name: /home/ubuntu/
+Parent: 25587
+PID: 25588
+Epoch: 1253311255
+Audit subid: 200
				`@ -0,0 +1 @@`
				`type=APPARMOR_DENIED msg=audit(1253311255.027:200): operation="open" pid=25588 parent=25587 profile="/home/ubuntu/tmp/aashell" requested_mask="r::" denied_mask="r::" fsuid=1000 ouid=1000 name="/home/ubuntu/"`