[Apparmor-dev] [RFR] kernel fix for missing audit type

Steve Beattie sbeattie at suse.de
Fri Sep 7 22:48:40 MDT 2007


On Wed, Sep 05, 2007 at 03:33:18PM -0700, John Johansen wrote:
> The second is a hopefully temporary patch to apparmor that mimicks
> the first by outputting the type field directly.  This results
> in audit messages getting 2 type fields 1 with a name and 1 with
> a number.

This patch adds support to the logparsing library for the numeric type=15xx
values when events come through the audit subsystem. It also fixes the
case where the audit daemon has not been configured with apparmor
support and the events are reported as type=UNKNOWN[15xx].

Support still needs to be added for events coming through syslog.
---
 changehat/libapparmor/src/grammar.y                       |   32 +++++++++++++-
 changehat/libapparmor/src/parser.h                        |    9 +++
 changehat/libapparmor/src/scanner.l                       |    9 +++
 changehat/libapparmor/testsuite/Makefile.am               |    3 -
 changehat/libapparmor/testsuite/test_multi/testcase12.in  |    1 
 changehat/libapparmor/testsuite/test_multi/testcase12.out |   20 ++++++++
 changehat/libapparmor/testsuite/test_multi/testcase13.in  |    1 
 changehat/libapparmor/testsuite/test_multi/testcase13.out |   20 ++++++++
 8 files changed, 93 insertions(+), 2 deletions(-)

Index: b/changehat/libapparmor/src/grammar.y
===================================================================
--- a/changehat/libapparmor/src/grammar.y
+++ b/changehat/libapparmor/src/grammar.y
@@ -30,6 +30,32 @@ void aalogparse_error(void *scanner, cha
 {
 	printf("Error: %s\n", s);
 }
+
+struct aa_type_table {
+	unsigned int audit_type;
+	aa_record_event_type event;
+};
+
+static struct aa_type_table aa_type_table[] = {
+	{AUDIT_APPARMOR_AUDIT,   AA_RECORD_AUDIT},
+	{AUDIT_APPARMOR_ALLOWED, AA_RECORD_ALLOWED},
+	{AUDIT_APPARMOR_DENIED,  AA_RECORD_DENIED},
+	{AUDIT_APPARMOR_HINT,    AA_RECORD_HINT},
+	{AUDIT_APPARMOR_STATUS,  AA_RECORD_STATUS},
+	{AUDIT_APPARMOR_ERROR,   AA_RECORD_ERROR},
+	{0,                      AA_RECORD_INVALID},
+};
+
+aa_record_event_type lookup_aa_event(unsigned int type)
+{
+	int i;
+
+	for (i = 0; aa_type_table[i].audit_type != 0; i++)
+		if (type == aa_type_table[i].audit_type)
+			break;
+
+	return aa_type_table[i].event;
+}
 %}
 
 %defines
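Review bot: `lookup_aa_event` and the `aa_type_table` array are defined at file scope without `static`, so they become exported, unprefixed symbols of libapparmor even though their only callers are the grammar actions in this file; declare both `static` and make the table read-only: `static const struct aa_type_table aa_type_table[] = {` and `static aa_record_event_type lookup_aa_event(unsigned int type)`. A one-line comment on the lookup should also say that the terminating `{0, AA_RECORD_INVALID}` entry doubles as the not-found result, which is why returning `aa_type_table[i].event` after the loop falls off the end is correct. The `%{ ... %}` prologue this hunk extends, and the `aalogparse_error` definition at its top, begin before the hunk.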
@@ -44,7 +70,7 @@ void aalogparse_error(void *scanner, cha
 }
 
 %type <t_str> old_profile;
-%token <t_long> TOK_DIGITS
+%token <t_long> TOK_DIGITS TOK_TYPE_UNKNOWN
 %token <t_str> TOK_QUOTED_STRING TOK_PATH TOK_ID TOK_NULL_COMPLAIN TOK_MODE TOK_SINGLE_QUOTED_STRING TOK_AUDIT_DIGITS
 
 %token TOK_EQUALS
@@ -59,6 +85,7 @@ void aalogparse_error(void *scanner, cha
 %token TOK_TYPE_HINT
 %token TOK_TYPE_STATUS
 %token TOK_TYPE_ERROR
+%token TOK_TYPE_UNKNOWN
 %token TOK_OLD_TYPE_APPARMOR
 %token TOK_OLD_APPARMOR_REJECT
 %token TOK_OLD_APPARMOR_PERMIT
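Review bot: `TOK_TYPE_UNKNOWN` is now declared twice — once with the `<t_long>` value type on the `TOK_DIGITS` line in the previous hunk, and again here without a type. The scanner stores the number in `yylval->t_long`, so the typed declaration is the one that matters; the untyped one adds nothing and, depending on the bison version, may draw a redeclaration warning. Drop the `%token TOK_TYPE_UNKNOWN` line added in this hunk.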
@@ -118,6 +145,7 @@ new_syntax: 
 	| TOK_TYPE_HINT audit_msg key { ret_record->event = AA_RECORD_HINT; }
 	| TOK_TYPE_STATUS audit_msg key { ret_record->event = AA_RECORD_STATUS; }
 	| TOK_TYPE_ERROR audit_msg key { ret_record->event = AA_RECORD_ERROR; }
+	| TOK_TYPE_UNKNOWN audit_msg key { ret_record->event = lookup_aa_event($1); }
 	;
 
 old_msg:
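Review bot: `lookup_aa_event($1)` narrows the `long` the scanner produced with `atol` to the function's `unsigned int` parameter, so on an LP64 build a field such as `UNKNOWN[4294968799]` (2^32 + 1503) is silently classified as `AA_RECORD_DENIED` instead of being rejected. Because the record type is what consumers of this library key their handling on, reject out-of-range numbers before the lookup: `ret_record->event = ($1 < 0 || $1 > UINT_MAX) ? AA_RECORD_INVALID : lookup_aa_event((unsigned int)$1);` (with `<limits.h>` in the prologue). The `new_syntax` rule this alternative belongs to starts before the hunk.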
@@ -353,6 +381,8 @@ key_list: TOK_KEY_OPERATION TOK_EQUALS T
 	{ ret_record->net_sock_type = strdup($3); free($3); }
 	| TOK_KEY_PROTOCOL TOK_EQUALS TOK_QUOTED_STRING
 	{ ret_record->net_protocol = strdup($3); free($3);}
+	| TOK_KEY_TYPE TOK_EQUALS TOK_DIGITS
+	{ ret_record->event = lookup_aa_event($3);}
 	;
 
 %%
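Review bot: the new `key_list` alternative sets `ret_record->event` from the numeric `type=` field, but in a bison grammar the action of the enclosing `new_syntax` alternative runs when that rule is reduced — after `key` has been parsed — so for a message carrying both a named and a numeric type (testcase12) the named type's action overwrites whatever was stored here, including an `AA_RECORD_INVALID` from a number that is not in the table. If the numeric field is meant to be authoritative the outer actions must stop clobbering it; if it is only informational, the lookup here is effectively dead on the `new_syntax` path and could be reduced to keeping the raw number. Neither fixture has a number the table does not know or a disagreeing pair, so the intended precedence isn't pinned; a case such as `type=APPARMOR_DENIED msg=audit(...): type=1599 ...` would make it explicit. The `key_list` rule starts before this hunk.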
Index: b/changehat/libapparmor/testsuite/Makefile.am
===================================================================
--- a/changehat/libapparmor/testsuite/Makefile.am
+++ b/changehat/libapparmor/testsuite/Makefile.am
@@ -11,7 +11,8 @@ noinst_PROGRAMS = test_multi.multi
 
 test_multi_multi_SOURCES	= test_multi.c
 test_multi_multi_CFLAGS		= $(CFLAGS) -Wall
-test_multi_multi_LDFLAGS	= $(LDFLAGS) ../src/.libs/libapparmor.a
+test_multi_multi_LDFLAGS	= $(LDFLAGS)
+test_multi_multi_LDADD		= ../src/.libs/libapparmor.a
 
 clean-local:
 	rm -f tmp.err.* tmp.out.* site.exp site.bak
Index: b/changehat/libapparmor/src/parser.h
===================================================================
--- a/changehat/libapparmor/src/parser.h
+++ b/changehat/libapparmor/src/parser.h
@@ -22,5 +22,14 @@
 extern void _init_log_record(aa_log_record *record);
 extern aa_log_record *_parse_yacc(char *str);
 
+/* FIXME: this ought to be pulled from <linux/audit.h> but there's no
+ * guarantee these will exist there. */
+#define AUDIT_APPARMOR_AUDIT    1501    /* AppArmor audited grants */
+#define AUDIT_APPARMOR_ALLOWED  1502    /* Allowed Access for learning */
+#define AUDIT_APPARMOR_DENIED   1503
+#define AUDIT_APPARMOR_HINT     1504    /* Process Tracking information */
+#define AUDIT_APPARMOR_STATUS   1505    /* Changes in config */
+#define AUDIT_APPARMOR_ERROR    1506    /* Internal AppArmor Errors */
+
 #endif
 
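Review bot: the six `AUDIT_APPARMOR_*` values are defined unconditionally, although the FIXME above them already anticipates a `<linux/audit.h>` that provides the same names; once that header is pulled into the same translation unit (scanner.l now includes parser.h alongside grammar.h, whose own include set isn't visible here) the compiler diagnoses the redefinition whenever the replacement lists differ. Guard the block with `#ifndef AUDIT_APPARMOR_AUDIT` before the first define and `#endif` after the last, so a kernel header with authoritative values wins and the local copies remain the fallback. `AUDIT_APPARMOR_DENIED` is also the only entry without a trailing comment; `/* Denied access */` keeps the table uniform.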
Index: b/changehat/libapparmor/src/scanner.l
===================================================================
--- a/changehat/libapparmor/src/scanner.l
+++ b/changehat/libapparmor/src/scanner.l
@@ -25,6 +25,8 @@
 %{
 
 #include "grammar.h"
+#include "aalogparse.h"
+#include "parser.h"
 %}
 
 ws		[ \t\r\n]
@@ -46,6 +48,7 @@ complain_type		"APPARMOR_ALLOWED"
 hint_type		"APPARMOR_HINT"
 status_type		"APPARMOR_STATUS"
 error_type		"APPARMOR_ERROR"
+unknown_type		UNKNOWN\[{digits}+\]
 
 /* Old message tokens */
 
@@ -186,6 +189,12 @@ char *string_buf_ptr = string_buf; /* as
 {hint_type}		{ return(TOK_TYPE_HINT); }
 {status_type}		{ return(TOK_TYPE_STATUS); }
 {error_type}		{ return(TOK_TYPE_ERROR); }
+{unknown_type}		{ char *yptr = yytext;
+			  while (*yptr && *yptr != '[')
+			  	yptr++;
+			  yylval->t_long = atol(yptr + 1); /* skip '[' */
+			  return(TOK_TYPE_UNKNOWN);
+			}
 {period}		{ return(TOK_PERIOD); }
 
 {old_apparmor_type}	{ return(TOK_OLD_TYPE_APPARMOR); }
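Review bot: `atol(yptr + 1)` has no error reporting and its behaviour is undefined when the digit run does not fit in `long`; the `unknown_type` pattern puts no upper bound on that run, so an over-long `type=UNKNOWN[...]` field in a log being parsed is precisely the input that reaches it. Use `strtoul` and map overflow to 0, which `lookup_aa_event` already resolves to `AA_RECORD_INVALID` through its terminating entry: `errno = 0; unsigned long v = strtoul(yptr + 1, NULL, 10);` then `yylval->t_long = (errno == ERANGE || v > UINT_MAX) ? 0 : (long)v;` (with `<errno.h>`, `<limits.h>` and `<stdlib.h>` in the prologue). The hand-rolled scan for `'['` can be `char *yptr = strchr(yytext, '[');`, which the pattern guarantees succeeds.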
Index: b/changehat/libapparmor/testsuite/test_multi/testcase12.in
===================================================================
--- /dev/null
+++ b/changehat/libapparmor/testsuite/test_multi/testcase12.in
@@ -0,0 +1 @@
+type=APPARMOR_DENIED msg=audit(1181057184.959:7): type=1503 operation="exec" denied_mask="x" name="/bin/ping" pid=31938 profile="/bin/ping" name2="ping2" requested_mask="rwx" attribute="attr" task="something" parent="something" magic_token=29493 info="Information" protocol="tcp" family="family" sock_type="unknown(1234)"
Index: b/changehat/libapparmor/testsuite/test_multi/testcase12.out
===================================================================
--- /dev/null
+++ b/changehat/libapparmor/testsuite/test_multi/testcase12.out
@@ -0,0 +1,20 @@
+START
+File: test_multi/testcase12.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1181057184.959:7
+Operation: exec
+Mask: rwx
+Denied Mask: x
+Profile: /bin/ping
+Name: /bin/ping
+Name2: ping2
+Attribute: attr
+Parent: something
+Token: 29493
+Info: Information
+PID: 31938
+Network family: family
+Socket type: unknown(1234)
+Protocol: tcp
+Epoch: 1181057184
+Audit subid: 7
Index: b/changehat/libapparmor/testsuite/test_multi/testcase13.in
===================================================================
--- /dev/null
+++ b/changehat/libapparmor/testsuite/test_multi/testcase13.in
@@ -0,0 +1 @@
+type=UNKNOWN[1503] msg=audit(1181057184.959:7): operation="exec" denied_mask="x" name="/bin/ping" pid=31938 profile="/bin/ping" name2="ping2" requested_mask="rwx" attribute="attr" task="something" parent="something" magic_token=29493 info="Information" protocol="tcp" family="family" sock_type="unknown(1234)"
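Review bot: both new fixtures resolve to the same happy-path result, `AA_RECORD_DENIED`, so neither exercises the branch this patch actually adds for numbers the table does not know — `lookup_aa_event` returning `AA_RECORD_INVALID` via its terminating entry — nor a record whose named and numeric `type=` fields disagree. A third fixture such as `type=UNKNOWN[1599] msg=audit(1181057184.959:8): operation="exec" ...` with a matching `.out` would pin that path, assuming the harness prints the enum by name as these `.out` files suggest.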
Index: b/changehat/libapparmor/testsuite/test_multi/testcase13.out
===================================================================
--- /dev/null
+++ b/changehat/libapparmor/testsuite/test_multi/testcase13.out
@@ -0,0 +1,20 @@
+START
+File: test_multi/testcase13.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1181057184.959:7
+Operation: exec
+Mask: rwx
+Denied Mask: x
+Profile: /bin/ping
+Name: /bin/ping
+Name2: ping2
+Attribute: attr
+Parent: something
+Token: 29493
+Info: Information
+PID: 31938
+Network family: family
+Socket type: unknown(1234)
+Protocol: tcp
+Epoch: 1181057184
+Audit subid: 7

-- 
Steve Beattie
SUSE Labs, Novell Inc. 
<sbeattie at suse.de>
http://NxNW.org/~steve/

