mirrors/apparmor
1
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor.git synced 2025-03-04 08:24:42 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

From: Jesse Michael <jesse.michael@comcast.net>

Browse source 
Acked-By: Steve Beattie <sbeattie@ubuntu.com>

The format of audit messages that are redirected to syslog because
auditd isn't running changed between Hardy and Intrepid and now have
the type=NNNN field before the audit tag like--

Nov 1 22:24:43 box kernel: [ 158.113592] type=1503
audit(1225603483.635:5): operation="inode_permission" requested_mask="r::"
denied_mask="r::" fsuid=7 name="/proc/7034/net/" pid=7034
profile="/usr/sbin/cupsd"

I believe this patch will address the moved type=NNNN field as well as
capturing non-matching logfile input instead of printing it to stdout.

Patch modified by Steve Beattie <sbeattie@ubuntu.com> to take into
account a couple of different situations.

https://bugs.launchpad.net/bugs/271252
https://bugzilla.novell.com/show_bug.cgi?id=441381
This commit is contained in:
Steve Beattie 2008-11-04 20:19:59 +00:00
parent e6e3447c19
commit e56ed9a68a
2 changed files with 10 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
libraries/libapparmor/src/grammar.y
View file

@ -187,8 +187,12 @@ syslog_type:
{ ret_record->version = AA_RECORD_SYNTAX_V1; }
| syslog_date TOK_ID TOK_SYSLOG_KERNEL audit_id key_list
{ ret_record->version = AA_RECORD_SYNTAX_V2; }
| syslog_date TOK_ID TOK_SYSLOG_KERNEL key_type audit_id key_list
{ ret_record->version = AA_RECORD_SYNTAX_V2; }
| syslog_date TOK_ID TOK_SYSLOG_KERNEL TOK_DMESG_STAMP audit_id key_list
{ ret_record->version = AA_RECORD_SYNTAX_V2; }
| syslog_date TOK_ID TOK_SYSLOG_KERNEL TOK_DMESG_STAMP key_type audit_id key_list
{ ret_record->version = AA_RECORD_SYNTAX_V2; }
;
/* when audit dispatches a message it doesn't prepend the audit type string */
@ -416,6 +420,9 @@ key: TOK_KEY_OPERATION TOK_EQUALS TOK_QUOTED_STRING
key_pid: TOK_KEY_PID TOK_EQUALS TOK_DIGITS { ret_record->pid = $3; }
;
key_type: TOK_KEY_TYPE TOK_EQUALS TOK_DIGITS { ret_record->event = lookup_aa_event($3); }
;
safe_string: TOK_QUOTED_STRING
| TOK_HEXSTRING
;

3
libraries/libapparmor/src/scanner.l
View file

@ -229,6 +229,7 @@ char *string_buf_ptr = string_buf; /* assignment to quiet gcc warning */
BEGIN(other_audit);
return(TOK_TYPE_OTHER);
}
. { BEGIN(unknown_message); yyless(0); /* dump the rest */ }
}
{equals} { return(TOK_EQUALS); }
@ -297,6 +298,8 @@ char *string_buf_ptr = string_buf; /* assignment to quiet gcc warning */
{null_complain} { return(TOK_NULL_COMPLAIN); }
{key_image} { BEGIN(sub_id); return(TOK_KEY_IMAGE); }
. { /* ignore any non-matched input */ BEGIN(unknown_message); yyless(0); }
<hostname>{
{ws}+ { /* eat whitespace */ }
{syslog_hostname} { yylval->t_str = strdup(yytext); BEGIN(INITIAL); return(TOK_ID); }