libapparmor: add support for class in logparsing

We want to use the class field to identify operations such as
posix_mqueue

Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
(cherry picked from commit 5cc7a26e78)
Signed-off-by: John Johansen <john.johansen@canonical.com>

libraries/libapparmor/include/aalogparse.h

@@ -159,6 +159,8 @@ typedef struct
 	char *fs_type;
 	char *flags;
 	char *src_name;
+
+	char *class;
 } aa_log_record;
 
 /**

libraries/libapparmor/src/grammar.y

@@ -187,6 +187,7 @@ aa_record_event_type lookup_aa_event(unsigned int type)
 %token TOK_KEY_FSTYPE
 %token TOK_KEY_FLAGS
 %token TOK_KEY_SRCNAME
+%token TOK_KEY_CLASS
 
 %token TOK_SOCKLOGD_KERNEL
 %token TOK_SYSLOG_KERNEL
@@ -431,6 +432,8 @@ key: TOK_KEY_OPERATION TOK_EQUALS TOK_QUOTED_STRING
 		ret_record->event = AA_RECORD_INVALID;
 		ret_record->info = $1;
 	}
+	| TOK_KEY_CLASS TOK_EQUALS TOK_QUOTED_STRING
+	{ ret_record->class = $3; }
 	;
 
 apparmor_event:

libraries/libapparmor/src/libaalogparse.c

@@ -103,6 +103,8 @@ void free_record(aa_log_record *record)
 			free(record->flags);
 		if (record->src_name != NULL)
 			free(record->src_name);
+		if (record->class != NULL)
+			free(record->class);
 
 		free(record);
 	}

libraries/libapparmor/src/scanner.l

@@ -171,6 +171,7 @@ key_peer		"peer"
 key_fstype		"fstype"
 key_flags		"flags"
 key_srcname		"srcname"
+key_class		"class"
 audit			"audit"
 
 /* network addrs */
@@ -361,6 +362,7 @@ yy_flex_debug = 0;
 {key_fstype}		{ return(TOK_KEY_FSTYPE); }
 {key_flags}		{ BEGIN(safe_string); return(TOK_KEY_FLAGS); }
 {key_srcname}		{ BEGIN(safe_string); return(TOK_KEY_SRCNAME); }
+{key_class}		{ BEGIN(safe_string); return(TOK_KEY_CLASS); }
 
 {socklogd_kernel}	{ BEGIN(dmesg_timestamp); return(TOK_SOCKLOGD_KERNEL); }
 {syslog_kernel}		{ BEGIN(dmesg_timestamp); return(TOK_SYSLOG_KERNEL); }

libraries/libapparmor/swig/python/test/test_python.py.in

@@ -35,6 +35,7 @@ OUTPUT_MAP = {
     'Local port':       'net_local_port',
     'Foreign port':     'net_foreign_port',
     'Audit subid':      'audit_sub_id',
+    'Class':            '_class',
 }
 
 # FIXME: pull this automatically out of LibAppArmor, but swig
@@ -109,7 +110,7 @@ class AAPythonBindingsTests(unittest.TestCase):
         """parse the swig created record and construct a dict from it"""
 
         new_record = dict()
-        for key in [x for x in dir(record) if not (x.startswith('_') or x == 'this')]:
+        for key in [x for x in dir(record) if not (x.startswith('__') or x == 'this')]:
             value = getattr(record, key)
             if key == "event" and value in EVENT_MAP:
                 new_record[key] = EVENT_MAP[value]

libraries/libapparmor/testsuite/test_multi.c

@@ -134,6 +134,8 @@ int print_results(aa_log_record *record)
 		print_string("Flags", record->flags);
 		print_string("Src name", record->src_name);
 
+		print_string("Class", record->class);
+
 		print_long("Epoch", record->epoch, 0);
 		print_long("Audit subid", (long) record->audit_sub_id, 0);
 	return(0);

utils/apparmor/logparser.py

@@ -102,6 +102,7 @@ class ReadLog:
         ev['family'] = event.net_family
         ev['protocol'] = event.net_protocol
         ev['sock_type'] = event.net_sock_type
+        ev['class'] = event._class
 
         if event.ouid != ctypes.c_ulong(-1).value:  # ULONG_MAX
             ev['fsuid'] = event.fsuid

utils/test/test-capability.py

@@ -124,6 +124,7 @@ class CapabilityTest(AATest):
             'family': None,
             'protocol': None,
             'sock_type': None,
+            'class': None,
         })
 
         obj = CapabilityRule(parsed_event['name'], log_event=parsed_event)

utils/test/test-change_profile.py

@@ -129,6 +129,7 @@ class ChangeProfileTestParseFromLog(ChangeProfileTest):
             'family': None,
             'protocol': None,
             'sock_type': None,
+            'class': None,
         })
 
         obj = ChangeProfileRule(None, ChangeProfileRule.ALL, parsed_event['name2'], log_event=parsed_event)

utils/test/test-dbus.py

@@ -162,6 +162,7 @@ class DbusTestParseFromLog(DbusTest):
             'family': None,
             'protocol': None,
             'sock_type': None,
+            'class': None,
         })
 
         # # XXX send rules must not contain name conditional, but the log event includes it - how should we handle this in logparser.py?

utils/test/test-file.py

@@ -177,6 +177,7 @@ class FileTestParseFromLog(FileTest):
             'family': None,
             'protocol': None,
             'sock_type': None,
+            'class': None,
         })
 
         #     FileRule path,                 perms,                         exec_perms, target,       owner, file_keyword, leading_perms

utils/test/test-logparser.py

@@ -95,6 +95,7 @@ class TestParseEvent(AATest):
             'family': None,
             'protocol': None,
             'sock_type': None,
+            'class': None,
         })
 
         self.assertIsNotNone(ReadLog.RE_LOG_ALL.search(event))

utils/test/test-network.py

@@ -132,6 +132,7 @@ class NetworkTestParseFromLog(NetworkTest):
             'attr': None,
             'name2': None,
             'name': None,
+            'class': None,
         })
 
         obj = NetworkRule(parsed_event['family'], parsed_event['sock_type'], log_event=parsed_event)

utils/test/test-ptrace.py

@@ -118,6 +118,7 @@ class PtraceTestParseFromLog(PtraceTest):
             'family': None,
             'protocol': None,
             'sock_type': None,
+            'class': None,
         })
 
         obj = PtraceRule(parsed_event['denied_mask'], parsed_event['peer'], log_event=parsed_event)

utils/test/test-signal.py

@@ -123,6 +123,7 @@ class SignalTestParseFromLog(SignalTest):
             'family': None,
             'protocol': None,
             'sock_type': None,
+            'class': None,
         })
 
         obj = SignalRule(parsed_event['denied_mask'], parsed_event['signal'], parsed_event['peer'], log_event=parsed_event)