mirrors/apparmor
1
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor.git synced 2025-03-04 08:24:42 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

Merge libapparmor: fix debug build of log parsing

Browse source 
Fix log parsing for void Linux default log format.


Fixes: https://gitlab.com/apparmor/apparmor/-/issues/196
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/799
Georgia Garcia <georgia.garcia@canonical.com>
This commit is contained in:
John Johansen 2021-09-13 22:58:28 +00:00
commit 92d5bec86e
6 changed files with 46 additions and 18 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

41
libraries/libapparmor/src/grammar.y
View file

@ -38,7 +38,7 @@
#if (YYDEBUG != 0) #if (YYDEBUG != 0)
#define debug_unused_ /* nothing */ #define debug_unused_ /* nothing */
#else #else
#define no_debug_unused_ unused_ #define debug_unused_ unused_
#endif #endif
aa_log_record *ret_record; aa_log_record *ret_record;
@ -46,7 +46,7 @@ aa_log_record *ret_record;
/* Since we're a library, on any errors we don't want to print out any /* Since we're a library, on any errors we don't want to print out any
* error messages. We should probably add a debug interface that does * error messages. We should probably add a debug interface that does
* emit messages when asked for. */ * emit messages when asked for. */
void aalogparse_error(unused_ void *scanner, no_debug_unused_ char const *s) void aalogparse_error(unused_ void *scanner, debug_unused_ char const *s)
{ {
#if (YYDEBUG != 0) #if (YYDEBUG != 0)
printf("ERROR: %s\n", s); printf("ERROR: %s\n", s);
@ -186,6 +186,7 @@ aa_record_event_type lookup_aa_event(unsigned int type)
%token TOK_KEY_FLAGS %token TOK_KEY_FLAGS
%token TOK_KEY_SRCNAME %token TOK_KEY_SRCNAME
%token TOK_SOCKLOGD_KERNEL
%token TOK_SYSLOG_KERNEL %token TOK_SYSLOG_KERNEL
%token TOK_SYSLOG_USER %token TOK_SYSLOG_USER
@ -232,24 +233,28 @@ dmesg_type: TOK_DMESG_STAMP TOK_AUDIT TOK_COLON key_type audit_id key_list
{ ret_record->version = AA_RECORD_SYNTAX_V2; free($1); } { ret_record->version = AA_RECORD_SYNTAX_V2; free($1); }
; ;
syslog_id: TOK_ID TOK_SYSLOG_KERNEL { free($1); }
| TOK_SOCKLOGD_KERNEL { }
;
syslog_type: syslog_type:
syslog_date TOK_ID TOK_SYSLOG_KERNEL audit_id key_list syslog_date syslog_id audit_id key_list
{ ret_record->version = AA_RECORD_SYNTAX_V2; free($2); } { ret_record->version = AA_RECORD_SYNTAX_V2; }
| syslog_date TOK_ID TOK_SYSLOG_KERNEL key_type audit_id key_list | syslog_date syslog_id key_type audit_id key_list
{ ret_record->version = AA_RECORD_SYNTAX_V2; free($2); } { ret_record->version = AA_RECORD_SYNTAX_V2; }
| syslog_date TOK_ID TOK_SYSLOG_KERNEL TOK_DMESG_STAMP audit_id key_list | syslog_date syslog_id TOK_DMESG_STAMP audit_id key_list
{ ret_record->version = AA_RECORD_SYNTAX_V2; free($2); free($4); } { ret_record->version = AA_RECORD_SYNTAX_V2; free($3); }
| syslog_date TOK_ID TOK_SYSLOG_KERNEL TOK_DMESG_STAMP key_type audit_id key_list | syslog_date syslog_id TOK_DMESG_STAMP key_type audit_id key_list
{ ret_record->version = AA_RECORD_SYNTAX_V2; free($2); free($4); } { ret_record->version = AA_RECORD_SYNTAX_V2; free($3); }
/* needs update: hard newline in handling mutiline log messages */ /* needs update: hard newline in handling mutiline log messages */
| syslog_date TOK_ID TOK_SYSLOG_KERNEL TOK_DMESG_STAMP TOK_AUDIT TOK_COLON key_type audit_id audit_user_msg_partial_tail | syslog_date syslog_id TOK_DMESG_STAMP TOK_AUDIT TOK_COLON key_type audit_id audit_user_msg_partial_tail
{ ret_record->version = AA_RECORD_SYNTAX_V2; free($2); } { ret_record->version = AA_RECORD_SYNTAX_V2; free($3); }
| syslog_date TOK_ID TOK_SYSLOG_KERNEL TOK_DMESG_STAMP TOK_AUDIT TOK_COLON key_type audit_id audit_user_msg_tail | syslog_date syslog_id TOK_DMESG_STAMP TOK_AUDIT TOK_COLON key_type audit_id audit_user_msg_tail
{ ret_record->version = AA_RECORD_SYNTAX_V2; free($2); } { ret_record->version = AA_RECORD_SYNTAX_V2; free($3); }
| syslog_date TOK_ID TOK_SYSLOG_KERNEL TOK_DMESG_STAMP TOK_AUDIT TOK_COLON key_type audit_id key_list | syslog_date syslog_id TOK_DMESG_STAMP TOK_AUDIT TOK_COLON key_type audit_id key_list
{ ret_record->version = AA_RECORD_SYNTAX_V2; free($2); free($4); } { ret_record->version = AA_RECORD_SYNTAX_V2; free($3); }
| syslog_date TOK_ID TOK_SYSLOG_KERNEL TOK_AUDIT TOK_COLON key_type audit_id key_list | syslog_date syslog_id TOK_AUDIT TOK_COLON key_type audit_id key_list
{ ret_record->version = AA_RECORD_SYNTAX_V2; free($2); } { ret_record->version = AA_RECORD_SYNTAX_V2; }
| syslog_date TOK_ID TOK_SYSLOG_USER key_list | syslog_date TOK_ID TOK_SYSLOG_USER key_list
{ ret_record->version = AA_RECORD_SYNTAX_V2; free($2); } { ret_record->version = AA_RECORD_SYNTAX_V2; free($2); }
; ;

3
libraries/libapparmor/src/scanner.l
View file

@ -172,6 +172,7 @@ audit "audit"
ip_addr [a-f[:digit:].:]{3,} ip_addr [a-f[:digit:].:]{3,}
/* syslog tokens */ /* syslog tokens */
socklogd_kernel kern.notice{colon}
syslog_kernel kernel{colon} syslog_kernel kernel{colon}
syslog_user [[:alnum:]_-]+\[[[:digit:]]+\]{colon} syslog_user [[:alnum:]_-]+\[[[:digit:]]+\]{colon}
syslog_yyyymmdd {digit}{4}{minus}{digit}{2}{minus}{digit}{2} syslog_yyyymmdd {digit}{4}{minus}{digit}{2}{minus}{digit}{2}
@ -351,6 +352,7 @@ yy_flex_debug = 0;
{key_flags} { BEGIN(safe_string); return(TOK_KEY_FLAGS); } {key_flags} { BEGIN(safe_string); return(TOK_KEY_FLAGS); }
{key_srcname} { BEGIN(safe_string); return(TOK_KEY_SRCNAME); } {key_srcname} { BEGIN(safe_string); return(TOK_KEY_SRCNAME); }
{socklogd_kernel} { BEGIN(dmesg_timestamp); return(TOK_SOCKLOGD_KERNEL); }
{syslog_kernel} { BEGIN(dmesg_timestamp); return(TOK_SYSLOG_KERNEL); } {syslog_kernel} { BEGIN(dmesg_timestamp); return(TOK_SYSLOG_KERNEL); }
{syslog_user} { return(TOK_SYSLOG_USER); } {syslog_user} { return(TOK_SYSLOG_USER); }
{syslog_month} { yylval->t_str = strdup(yytext); return(TOK_DATE_MONTH); } {syslog_month} { yylval->t_str = strdup(yytext); return(TOK_DATE_MONTH); }
@ -365,6 +367,7 @@ yy_flex_debug = 0;
<hostname>{ <hostname>{
{ws}+ { /* eat whitespace */ } {ws}+ { /* eat whitespace */ }
{socklogd_kernel} { BEGIN(dmesg_timestamp); return(TOK_SOCKLOGD_KERNEL); }
{syslog_hostname} { yylval->t_str = strdup(yytext); BEGIN(INITIAL); return(TOK_ID); } {syslog_hostname} { yylval->t_str = strdup(yytext); BEGIN(INITIAL); return(TOK_ID); }
} }

0
libraries/libapparmor/testsuite/test_multi/testcase_socklogd_mkdir.err Normal file
View file

1
libraries/libapparmor/testsuite/test_multi/testcase_socklogd_mkdir.in Normal file
View file

@ -0,0 +1 @@
2021-09-11T20:57:41.91645 kern.notice: [ 469.180605] audit: type=1400 audit(1631392703.952:3): apparmor="ALLOWED" operation="mkdir" profile="/usr/sbin/sshd" name="/run/user/1000/kakoune/" pid=2545 comm="sshd" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000

15
libraries/libapparmor/testsuite/test_multi/testcase_socklogd_mkdir.out Normal file
View file

@ -0,0 +1,15 @@
START
File: testcase_socklogd_mkdir.in
Event type: AA_RECORD_ALLOWED
Audit ID: 1631392703.952:3
Operation: mkdir
Mask: c
Denied Mask: c
fsuid: 1000
ouid: 1000
Profile: /usr/sbin/sshd
Name: /run/user/1000/kakoune/
Command: sshd
PID: 2545
Epoch: 1631392703
Audit subid: 3

4
libraries/libapparmor/testsuite/test_multi/testcase_socklogd_mkdir.profile Normal file
View file

@ -0,0 +1,4 @@
/usr/sbin/sshd {
owner /run/user/1000/kakoune/ w,
}