[Apparmor-dev] [RFR] libapparmor - support for parsing syslog
messages
Steve Beattie
sbeattie at suse.de
Wed Sep 12 12:59:12 MDT 2007
On Fri, Sep 07, 2007 at 09:48:40PM -0700, Steve Beattie wrote:
> Support needs to still be added for events coming through syslog.
This patch adds support for parsing apparmor messages that come through
syslog, along with testcases. This should work for both old and new
style log messages, as well as with dmesg timestamps enabled in the
kernel ("echo 1 > /sys/module/printk/parameters/printk_time").
This patch applies on top of the previous patch sent to support the
type=15xx messages.
---
changehat/libapparmor/src/Makefile.am | 3
changehat/libapparmor/src/grammar.y | 56 +++++++++-----
changehat/libapparmor/src/scanner.l | 32 +++++++-
changehat/libapparmor/testsuite/test_multi/testcase14.in | 1
changehat/libapparmor/testsuite/test_multi/testcase14.out | 12 +++
changehat/libapparmor/testsuite/test_multi/testcase15.in | 1
changehat/libapparmor/testsuite/test_multi/testcase15.out | 12 +++
changehat/libapparmor/testsuite/test_multi/testcase16.in | 1
changehat/libapparmor/testsuite/test_multi/testcase16.out | 12 +++
changehat/libapparmor/testsuite/test_multi/testcase17.in | 1
changehat/libapparmor/testsuite/test_multi/testcase17.out | 12 +++
11 files changed, 119 insertions(+), 24 deletions(-)
Index: b/changehat/libapparmor/testsuite/test_multi/testcase14.in
===================================================================
--- /dev/null
+++ b/changehat/libapparmor/testsuite/test_multi/testcase14.in
@@ -0,0 +1 @@
+Sep 7 17:47:53 gutsy-server kernel: audit(1189201672.746:537): type=1503 operation="file_lock" requested_mask="k" denied_mask="k" name="/var/run/samba/unexpected.tdb" pid=4316 profile="/usr/sbin/nmbd"
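Review bot: The four new syslog fixtures (testcase14–17) are the same type=1503 record varying only the hostname and the dmesg timestamp, so the old-syntax alternative of `syslog_type` (`syslog_date TOK_ID TOK_SYSLOG_KERNEL audit_id old_msg`) and a dotted hostname are never exercised, even though both are now distinct paths through the scanner and grammar. One old-style syslog line and one with a hostname such as `host.example.com` would cover the V1 branch and the `syslog_hostname` character class respectively; each needs a matching `.out` file.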
Index: b/changehat/libapparmor/testsuite/test_multi/testcase15.in
===================================================================
--- /dev/null
+++ b/changehat/libapparmor/testsuite/test_multi/testcase15.in
@@ -0,0 +1 @@
+Sep 7 17:47:53 gutsy-server kernel: [32339.774269] audit(1189201672.746:537): type=1503 operation="file_lock" requested_mask="k" denied_mask="k" name="/var/run/samba/unexpected.tdb" pid=4316 profile="/usr/sbin/nmbd"
Index: b/changehat/libapparmor/src/scanner.l
===================================================================
--- a/changehat/libapparmor/src/scanner.l
+++ b/changehat/libapparmor/src/scanner.l
@@ -40,6 +40,7 @@ ID [^ \t\n\(\)="'!]
path "/"{ID}*
period "\."
modes [RrWwXxIiLlUuPpMm]
+
/* New message types */
reject_type "APPARMOR_DENIED"
@@ -97,10 +98,19 @@ key_sock_type "sock_type"
key_protocol "protocol"
audit "audit"
+/* syslog tokens */
+syslog_kernel kernel{colon}
+syslog_month Jan(uary)?|Feb(ruary)?|Mar(ch)?|Apr(il)?|May|Jun(e)?|Jul(y)?|Aug(ust)?|Sep(tember)?|Oct(ober)?|Nov(ember)?|Dec(ember)?
+syslog_time {digits}{digits}{colon}{digits}{digits}{colon}{digits}{digits}
+syslog_hostname [[:alnum:]_-]+
+dmesg_timestamp \[[[:digit:] ]{5,}\.[[:digit:]]{6,}\]
+
%x quoted_string
%x sub_id
%x audit_id
%x single_quoted_string
+%x hostname
+%x dmesg_timestamp
%%
%{
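Review bot: `syslog_hostname [[:alnum:]_-]+` excludes `.`, so a syslog line whose hostname is a fully qualified name (e.g. `host.example.com`) cannot be tokenised in the hostname start condition; `syslog_hostname [[:alnum:]_.-]+` would accept it while still stopping at whitespace. Separately, `dmesg_timestamp` demands at least five characters before the `.`, which appears to match the kernel's space-padded `[%5lu.%06lu]` form, but testcase17.in as shown here has only one space before `103` — worth confirming that the fixture's whitespace survived the mail archive, since the `.` fallback in `<dmesg_timestamp>` would otherwise send `[` back to INITIAL.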
@@ -135,7 +145,6 @@ char *string_buf_ptr = string_buf; /* as
}
-
"'" { string_buf_ptr = string_buf; BEGIN(single_quoted_string); }
<single_quoted_string>"'" { /* End of the quoted string */
BEGIN(INITIAL);
@@ -192,7 +201,8 @@ char *string_buf_ptr = string_buf; /* as
{unknown_type} { char *yptr = yytext;
while (*yptr && *yptr != '[')
yptr++;
- yylval->t_long = atol(yptr + 1); /* skip '[' */
+ if (*yptr)
+ yylval->t_long = atol(yptr + 1); /* skip '[' */
return(TOK_TYPE_UNKNOWN);
}
{period} { return(TOK_PERIOD); }
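Review bot: When no `[` is found, the new `if (*yptr)` guard leaves `yylval->t_long` untouched, so TOK_TYPE_UNKNOWN carries whatever the previous token stored in the union and `lookup_aa_event($1)` in grammar.y acts on a stale value. Give that path a defined value, e.g. `yylval->t_long = *yptr ? atol(yptr + 1) : 0;`, picking the fallback that lookup_aa_event treats as "unknown" (its definition is not in this patch). Using `strtol` with an end-pointer check would additionally reject a non-numeric suffix, where `atol` silently yields 0.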
@@ -237,8 +247,24 @@ char *string_buf_ptr = string_buf; /* as
{key_sock_type} { return(TOK_KEY_SOCK_TYPE); }
{key_protocol} { return(TOK_KEY_PROTOCOL); }
+{syslog_kernel} { BEGIN(dmesg_timestamp); return(TOK_SYSLOG_KERNEL); }
+{syslog_month} { yylval->t_str = strdup(yytext); return(TOK_DATE_MONTH); }
+{syslog_time} { yylval->t_str = strdup(yytext); BEGIN(hostname); return(TOK_DATE_TIME); }
+
+<hostname>{
+ {ws}+ { /* eat whitespace */ }
+ {syslog_hostname} { yylval->t_str = strdup(yytext); BEGIN(INITIAL); return(TOK_ID); }
+}
+
+<dmesg_timestamp>{
+ {ws}+ { /* eat whitespace */ }
+ {dmesg_timestamp} { yylval->t_str = strdup(yytext); BEGIN(INITIAL); return(TOK_DMESG_STAMP); }
+ . { BEGIN(INITIAL); yyless(0); }
+}
+
{audit} { BEGIN(audit_id); return(TOK_AUDIT); }
{null_complain} { return(TOK_NULL_COMPLAIN); }
-{key_image} { BEGIN(sub_id); return(TOK_KEY_IMAGE); }
+{key_image} { BEGIN(sub_id); return(TOK_KEY_IMAGE); }
+
%%
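Review bot: The exclusive `<hostname>` start condition has no catch-all rule, unlike the `<dmesg_timestamp>` block which ends with `. { BEGIN(INITIAL); yyless(0); }`; for any character `syslog_hostname` does not cover, flex's default rule copies it to yyout and the scanner stays in `<hostname>`, which is undesirable inside a library that parses log lines. Adding the same `. { BEGIN(INITIAL); yyless(0); }` line to the `<hostname>` block turns that case into an ordinary parse error instead of stray output.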
Index: b/changehat/libapparmor/src/Makefile.am
===================================================================
--- a/changehat/libapparmor/src/Makefile.am
+++ b/changehat/libapparmor/src/Makefile.am
@@ -1,10 +1,11 @@
INCLUDES = $(all_includes)
BUILT_SOURCES = grammar.h scanner.h
+AM_LFLAGS = -v
AM_YFLAGS = -d -p aalogparse_
AM_CFLAGS = @CFLAGS@ -D_GNU_SOURCE -Wall
scanner.h: scanner.l
- $(LEX) scanner.l
+ $(LEX) -v $<
scanner.c: scanner.l
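Review bot: `$(LEX) -v $<` and `AM_LFLAGS = -v` both enable flex's `-v`, which prints a scanner-statistics summary on every build and reads like a debugging aid left in rather than something the library needs. If it is meant to stay, the hand-written `scanner.h` rule should draw its flags from the same variables so the two invocations cannot diverge, e.g. `$(LEX) $(AM_LFLAGS) $(LFLAGS) $<`; otherwise drop `-v` from both places.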
Index: b/changehat/libapparmor/src/grammar.y
===================================================================
--- a/changehat/libapparmor/src/grammar.y
+++ b/changehat/libapparmor/src/grammar.y
@@ -71,7 +71,8 @@ aa_record_event_type lookup_aa_event(uns
%type <t_str> old_profile;
%token <t_long> TOK_DIGITS TOK_TYPE_UNKNOWN
-%token <t_str> TOK_QUOTED_STRING TOK_PATH TOK_ID TOK_NULL_COMPLAIN TOK_MODE TOK_SINGLE_QUOTED_STRING TOK_AUDIT_DIGITS
+%token <t_str> TOK_QUOTED_STRING TOK_PATH TOK_ID TOK_NULL_COMPLAIN TOK_MODE TOK_DMESG_STAMP
+%token <t_str> TOK_SINGLE_QUOTED_STRING TOK_AUDIT_DIGITS TOK_DATE_MONTH TOK_DATE_TIME
%token TOK_EQUALS
%token TOK_COLON
@@ -85,7 +86,6 @@ aa_record_event_type lookup_aa_event(uns
%token TOK_TYPE_HINT
%token TOK_TYPE_STATUS
%token TOK_TYPE_ERROR
-%token TOK_TYPE_UNKNOWN
%token TOK_OLD_TYPE_APPARMOR
%token TOK_OLD_APPARMOR_REJECT
%token TOK_OLD_APPARMOR_PERMIT
@@ -128,24 +128,36 @@ aa_record_event_type lookup_aa_event(uns
%token TOK_KEY_SOCK_TYPE
%token TOK_KEY_PROTOCOL
+%token TOK_SYSLOG_KERNEL
+
%%
-type: TOK_KEY_TYPE TOK_EQUALS type_syntax ;
+log_message: audit_type
+ | syslog_type
+ ;
+
+audit_type: TOK_KEY_TYPE TOK_EQUALS type_syntax ;
type_syntax: old_syntax { ret_record->version = AA_RECORD_SYNTAX_V1; }
- | new_syntax { ret_record->version = AA_RECORD_SYNTAX_V2; }
+ | new_syntax { ret_record->version = AA_RECORD_SYNTAX_V2; }
;
old_syntax: TOK_OLD_TYPE_APPARMOR audit_msg old_msg ;
new_syntax:
- TOK_TYPE_REJECT audit_msg key { ret_record->event = AA_RECORD_DENIED; }
- | TOK_TYPE_AUDIT audit_msg key { ret_record->event = AA_RECORD_AUDIT; }
- | TOK_TYPE_COMPLAIN audit_msg key { ret_record->event = AA_RECORD_ALLOWED; }
- | TOK_TYPE_HINT audit_msg key { ret_record->event = AA_RECORD_HINT; }
- | TOK_TYPE_STATUS audit_msg key { ret_record->event = AA_RECORD_STATUS; }
- | TOK_TYPE_ERROR audit_msg key { ret_record->event = AA_RECORD_ERROR; }
- | TOK_TYPE_UNKNOWN audit_msg key { ret_record->event = lookup_aa_event($1); }
+ TOK_TYPE_REJECT audit_msg key_list { ret_record->event = AA_RECORD_DENIED; }
+ | TOK_TYPE_AUDIT audit_msg key_list { ret_record->event = AA_RECORD_AUDIT; }
+ | TOK_TYPE_COMPLAIN audit_msg key_list { ret_record->event = AA_RECORD_ALLOWED; }
+ | TOK_TYPE_HINT audit_msg key_list { ret_record->event = AA_RECORD_HINT; }
+ | TOK_TYPE_STATUS audit_msg key_list { ret_record->event = AA_RECORD_STATUS; }
+ | TOK_TYPE_ERROR audit_msg key_list { ret_record->event = AA_RECORD_ERROR; }
+ | TOK_TYPE_UNKNOWN audit_msg key_list { ret_record->event = lookup_aa_event($1); }
+ ;
+
+syslog_type:
+ syslog_date TOK_ID TOK_SYSLOG_KERNEL audit_id old_msg { ret_record->version = AA_RECORD_SYNTAX_V1; }
+ | syslog_date TOK_ID TOK_SYSLOG_KERNEL audit_id key_list { ret_record->version = AA_RECORD_SYNTAX_V2; }
+ | syslog_date TOK_ID TOK_SYSLOG_KERNEL TOK_DMESG_STAMP audit_id key_list { ret_record->version = AA_RECORD_SYNTAX_V2; }
;
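Review bot: In the three `syslog_type` alternatives `$2` (the hostname, returned as TOK_ID with a `strdup`'d t_str in scanner.l) and, in the third alternative, `$4` (TOK_DMESG_STAMP, also `strdup`'d) are never freed, whereas the key actions free every t_str they consume; each parsed syslog line therefore leaks one or two strings. Add `free($2);` to all three actions and `free($4);` to the third, e.g. `{ ret_record->version = AA_RECORD_SYNTAX_V2; free($2); free($4); }`. The same leak applies to `$1` and `$3` of `syslog_date` in the following hunk, whose action is currently `/* do nothing? */`.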
old_msg:
@@ -336,22 +348,26 @@ old_profile:
}
;
-audit_msg: TOK_KEY_MSG TOK_EQUALS TOK_AUDIT TOK_OPEN_PAREN TOK_AUDIT_DIGITS TOK_PERIOD TOK_AUDIT_DIGITS TOK_COLON TOK_AUDIT_DIGITS TOK_CLOSE_PAREN TOK_COLON
+audit_msg: TOK_KEY_MSG TOK_EQUALS audit_id
+
+audit_id: TOK_AUDIT TOK_OPEN_PAREN TOK_AUDIT_DIGITS TOK_PERIOD TOK_AUDIT_DIGITS TOK_COLON TOK_AUDIT_DIGITS TOK_CLOSE_PAREN TOK_COLON
{
- asprintf(&ret_record->audit_id, "%s.%s:%s", $5, $7, $9);
- ret_record->epoch = atol($5);
- ret_record->audit_sub_id = atoi($9);
+ asprintf(&ret_record->audit_id, "%s.%s:%s", $3, $5, $7);
+ ret_record->epoch = atol($3);
+ ret_record->audit_sub_id = atoi($7);
+ free($3);
free($5);
free($7);
- free($9);
} ;
-key:
- key_list
- | key key_list
+syslog_date: TOK_DATE_MONTH TOK_DIGITS TOK_DATE_TIME { /* do nothing? */ }
+ ;
+
+key_list: key
+ | key_list key
;
-key_list: TOK_KEY_OPERATION TOK_EQUALS TOK_QUOTED_STRING
+key: TOK_KEY_OPERATION TOK_EQUALS TOK_QUOTED_STRING
{ ret_record->operation = strdup($3); free($3); }
| TOK_KEY_NAME TOK_EQUALS TOK_QUOTED_STRING
{ ret_record->name = strdup($3); free($3); }
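Review bot: The `asprintf` in the re-indexed `audit_id` action is still unchecked: on allocation failure GNU asprintf returns -1 and leaves `ret_record->audit_id` undefined, yet the three `free` calls run and parsing presumably continues as if the record were complete. A minimal guard is `if (asprintf(&ret_record->audit_id, "%s.%s:%s", $3, $5, $7) < 0) ret_record->audit_id = NULL;` so callers at least see a NULL rather than an indeterminate pointer. Also, the new `audit_msg: TOK_KEY_MSG TOK_EQUALS audit_id` rule lacks its terminating `;`; bison tolerates the omission, but every other rule in the file ends with one.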
Index: b/changehat/libapparmor/testsuite/test_multi/testcase16.in
===================================================================
--- /dev/null
+++ b/changehat/libapparmor/testsuite/test_multi/testcase16.in
@@ -0,0 +1 @@
+Sep 7 17:47:53 rix kernel: audit(1189201672.746:537): type=1503 operation="file_lock" requested_mask="k" denied_mask="k" name="/var/run/samba/unexpected.tdb" pid=4316 profile="/usr/sbin/nmbd"
Index: b/changehat/libapparmor/testsuite/test_multi/testcase14.out
===================================================================
--- /dev/null
+++ b/changehat/libapparmor/testsuite/test_multi/testcase14.out
@@ -0,0 +1,12 @@
+START
+File: test_multi/testcase14.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1189201672.746:537
+Operation: file_lock
+Mask: k
+Denied Mask: k
+Profile: /usr/sbin/nmbd
+Name: /var/run/samba/unexpected.tdb
+PID: 4316
+Epoch: 1189201672
+Audit subid: 537
Index: b/changehat/libapparmor/testsuite/test_multi/testcase15.out
===================================================================
--- /dev/null
+++ b/changehat/libapparmor/testsuite/test_multi/testcase15.out
@@ -0,0 +1,12 @@
+START
+File: test_multi/testcase15.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1189201672.746:537
+Operation: file_lock
+Mask: k
+Denied Mask: k
+Profile: /usr/sbin/nmbd
+Name: /var/run/samba/unexpected.tdb
+PID: 4316
+Epoch: 1189201672
+Audit subid: 537
Index: b/changehat/libapparmor/testsuite/test_multi/testcase16.out
===================================================================
--- /dev/null
+++ b/changehat/libapparmor/testsuite/test_multi/testcase16.out
@@ -0,0 +1,12 @@
+START
+File: test_multi/testcase16.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1189201672.746:537
+Operation: file_lock
+Mask: k
+Denied Mask: k
+Profile: /usr/sbin/nmbd
+Name: /var/run/samba/unexpected.tdb
+PID: 4316
+Epoch: 1189201672
+Audit subid: 537
Index: b/changehat/libapparmor/testsuite/test_multi/testcase17.in
===================================================================
--- /dev/null
+++ b/changehat/libapparmor/testsuite/test_multi/testcase17.in
@@ -0,0 +1 @@
+Sep 7 17:47:53 gutsy-server kernel: [ 103.555604] audit(1189201672.746:537): type=1503 operation="file_lock" requested_mask="k" denied_mask="k" name="/var/run/samba/unexpected.tdb" pid=4316 profile="/usr/sbin/nmbd"
Index: b/changehat/libapparmor/testsuite/test_multi/testcase17.out
===================================================================
--- /dev/null
+++ b/changehat/libapparmor/testsuite/test_multi/testcase17.out
@@ -0,0 +1,12 @@
+START
+File: test_multi/testcase17.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1189201672.746:537
+Operation: file_lock
+Mask: k
+Denied Mask: k
+Profile: /usr/sbin/nmbd
+Name: /var/run/samba/unexpected.tdb
+PID: 4316
+Epoch: 1189201672
+Audit subid: 537
--
Steve Beattie
SUSE Labs, Novell Inc.
<sbeattie at suse.de>
http://NxNW.org/~steve/