From 6a8a099968715b820e8932e5147cb64c3dbdd9f1 Mon Sep 17 00:00:00 2001 From: Steve Beattie Date: Fri, 12 Dec 2014 17:07:42 -0800 Subject: [PATCH] libapparmor: fix parsing for yet another format Backport from trunk revision 2830 This patch fixes the libapparmor log parsing library to take into account yet another log format style, as well as incorporating a testcase for it. Bugs: https://bugs.launchpad.net/apparmor/+bug/1399027 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=771400 https://bugzilla.opensuse.org/show_bug.cgi?id=905368 Nominated-by: Steve Beattie Acked-by: John Johansen Bug: https://launchpad.net/bugs/1399027 --- libraries/libapparmor/src/grammar.y | 2 ++ .../testsuite/test_multi/syslog_audit_02.err | 0 .../testsuite/test_multi/syslog_audit_02.in | 1 + .../testsuite/test_multi/syslog_audit_02.out | 15 +++++++++++++++ 4 files changed, 18 insertions(+) create mode 100644 libraries/libapparmor/testsuite/test_multi/syslog_audit_02.err create mode 100644 libraries/libapparmor/testsuite/test_multi/syslog_audit_02.in create mode 100644 libraries/libapparmor/testsuite/test_multi/syslog_audit_02.out diff --git a/libraries/libapparmor/src/grammar.y b/libraries/libapparmor/src/grammar.y index 69625356f..5322aae01 100644 --- a/libraries/libapparmor/src/grammar.y +++ b/libraries/libapparmor/src/grammar.y @@ -184,6 +184,8 @@ syslog_type: { ret_record->version = AA_RECORD_SYNTAX_V2; free($2); free($4); } | syslog_date TOK_ID TOK_SYSLOG_KERNEL TOK_DMESG_STAMP TOK_AUDIT TOK_COLON key_type audit_id key_list { ret_record->version = AA_RECORD_SYNTAX_V2; free($2); free($4); } + | syslog_date TOK_ID TOK_SYSLOG_KERNEL TOK_AUDIT TOK_COLON key_type audit_id key_list + { ret_record->version = AA_RECORD_SYNTAX_V2; free($2); } ; /* when audit dispatches a message it doesn't prepend the audit type string */ 
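Review bot: The new alternative at the end of `syslog_type` has no comment saying which log shape it matches or why its action frees only `$2`, while the alternative directly above it frees both `$2` and `$4`. The positional references shift once TOK_DMESG_STAMP is absent: `$4` is TOK_AUDIT in the new alternative, so copying the sibling action unchanged would have passed TOK_AUDIT's value to `free()`, and a later edit could reintroduce that mistake. I would add a comment above the alternative such as `/* "kernel: audit: type=..." with no dmesg timestamp; $4 is TOK_AUDIT here, so only $2 (TOK_ID) is freed */`. Whether TOK_AUDIT or TOK_SYSLOG_KERNEL carry heap-allocated semantic values is not visible in this hunk and is worth confirming against the lexer; the `syslog_type` rule begins above the hunk.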
diff --git a/libraries/libapparmor/testsuite/test_multi/syslog_audit_02.err b/libraries/libapparmor/testsuite/test_multi/syslog_audit_02.err
new file mode 100644
index 000000000..e69de29bb
diff --git a/libraries/libapparmor/testsuite/test_multi/syslog_audit_02.in b/libraries/libapparmor/testsuite/test_multi/syslog_audit_02.in
new file mode 100644
index 000000000..26abf7e87
--- /dev/null
+++ b/libraries/libapparmor/testsuite/test_multi/syslog_audit_02.in
@@ -0,0 +1 @@
+Dec 7 13:18:59 rosa kernel: audit: type=1400 audit(1417954745.397:82): apparmor="ALLOWED" operation="open" profile="/home/simi/bin/aa-test" name="/usr/bin/" pid=3231 comm="ls" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
diff --git a/libraries/libapparmor/testsuite/test_multi/syslog_audit_02.out b/libraries/libapparmor/testsuite/test_multi/syslog_audit_02.out
new file mode 100644
index 000000000..a5492b66e
--- /dev/null
+++ b/libraries/libapparmor/testsuite/test_multi/syslog_audit_02.out
@@ -0,0 +1,15 @@
+START
+File: test_multi/syslog_audit_02.in
+Event type: AA_RECORD_ALLOWED
+Audit ID: 1417954745.397:82
+Operation: open
+Mask: r
+Denied Mask: r
+fsuid: 1000
+ouid: 0
+Profile: /home/simi/bin/aa-test
+Name: /usr/bin/
+Command: ls
+PID: 3231
+Epoch: 1417954745
+Audit subid: 82