Add support for old-style AUDIT messages.

2025-03-04 08:24:42 +01:00 · 2007-09-18 17:47:11 +00:00 · 2007-09-18 17:47:11 +00:00 · 8e909ad869
commit 8e909ad869
parent b9342d0963
5 changed files with 18 additions and 0 deletions
--- a/changehat/libapparmor/src/grammar.y
+++ b/changehat/libapparmor/src/grammar.y
@ -95,6 +95,7 @@ aa_record_event_type lookup_aa_event(unsigned int type)
 %token TOK_OLD_TYPE_APPARMOR
 %token TOK_OLD_APPARMOR_REJECT
 %token TOK_OLD_APPARMOR_PERMIT
+%token TOK_OLD_APPARMOR_AUDIT
 %token TOK_OLD_APPARMOR_LOGPROF_HINT
 %token TOK_OLD_UNKNOWN_HAT
 %token TOK_OLD_ACTIVE
@ -176,6 +177,7 @@ old_msg:
 old_permit_reject_syntax:
 	  TOK_OLD_APPARMOR_REJECT { ret_record->event = AA_RECORD_DENIED; }
 	| TOK_OLD_APPARMOR_PERMIT { ret_record->event = AA_RECORD_ALLOWED; }
+	| TOK_OLD_APPARMOR_AUDIT  { ret_record->event = AA_RECORD_AUDIT; }
 	;

 old_permit_reject_syntax2:
--- a/changehat/libapparmor/src/scanner.l
+++ b/changehat/libapparmor/src/scanner.l
@ -58,6 +58,7 @@ unknown_type		UNKNOWN\[{digits}+\]
 old_apparmor_type	"APPARMOR"
 old_apparmor_reject	"REJECTING"
 old_apparmor_permit	"PERMITTING"
+old_apparmor_audit	"AUDITING"
 old_apparmor_logprof	"LOGPROF-HINT"
 old_unknown_hat		"unknown_hat"
 old_unknown_profile	"unknown_profile"
@ -223,6 +224,7 @@ char *string_buf_ptr = string_buf; /* assignment to quiet gcc warning */
 {old_apparmor_type}	{ return(TOK_OLD_TYPE_APPARMOR); }
 {old_apparmor_reject}	{ return(TOK_OLD_APPARMOR_REJECT); }
 {old_apparmor_permit}	{ return(TOK_OLD_APPARMOR_PERMIT); }
+{old_apparmor_audit}	{ return(TOK_OLD_APPARMOR_AUDIT); }
 {old_apparmor_logprof}	{ return(TOK_OLD_APPARMOR_LOGPROF_HINT); }
 {old_unknown_hat}	{ BEGIN(sub_id); return(TOK_OLD_UNKNOWN_HAT); }
 {old_unknown_profile}	{ return(TOK_OLD_UNKNOWN_PROFILE); }
--- a/changehat/libapparmor/testsuite/test_multi/testcase27.err
+++ b/changehat/libapparmor/testsuite/test_multi/testcase27.err
--- a/changehat/libapparmor/testsuite/test_multi/testcase27.in
+++ b/changehat/libapparmor/testsuite/test_multi/testcase27.in
@ -0,0 +1 @@
+type=APPARMOR msg=audit(1177962426.395:2107): AUDITING mr access to /lib/ld-2.4.so (open(7139) profile /home/steve/svn/apparmor-forge/tests/regression/subdomain/changehat_wrapper active open)
--- a/changehat/libapparmor/testsuite/test_multi/testcase27.out
+++ b/changehat/libapparmor/testsuite/test_multi/testcase27.out
@ -0,0 +1,13 @@
+START
+File: test_multi/testcase27.in
+Event type: AA_RECORD_AUDIT
+Audit ID: 1177962426.395:2107
+Operation: access
+Mask: mr
+Profile: /home/steve/svn/apparmor-forge/tests/regression/subdomain/changehat_wrapper
+Name: /lib/ld-2.4.so
+Info: open
+PID: 7139
+Active hat: open
+Epoch: 1177962426
+Audit subid: 2107
				`@ -0,0 +1 @@`
				`type=APPARMOR msg=audit(1177962426.395:2107): AUDITING mr access to /lib/ld-2.4.so (open(7139) profile /home/steve/svn/apparmor-forge/tests/regression/subdomain/changehat_wrapper active open)`