Description: libaalogparse: Parse dbus-daemon audit messages
This requires libaalogparse to become aware of USER_AVC messages.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Origin: backport, revision id: tyhicks@canonical.com-20130809180241-1wnf1d6zwgu1a669
Author: Tyler Hicks <tyhicks@canonical.com>
Last-Update: 2013-08-09
X-Bzr-Revision-Id: tyhicks@canonical.com-20130809180241-1wnf1d6zwgu1a669
Index: apparmor-2.8.0/libraries/libapparmor/src/aalogparse.h
13
===================================================================
14
--- apparmor-2.8.0.orig/libraries/libapparmor/src/aalogparse.h 2013-08-01 02:14:08.547854401 -0700
15
+++ apparmor-2.8.0/libraries/libapparmor/src/aalogparse.h 2013-08-01 02:14:08.539854401 -0700
16
@@ -116,6 +116,7 @@ typedef struct
17
aa_record_syntax_version version;
18
aa_record_event_type event; /* Event type */
19
unsigned long pid; /* PID of the program logging the message */
20
+ unsigned long peer_pid;
22
unsigned long magic_token;
23
long epoch; /* example: 12345679 */
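Review bot: `peer_pid` is inserted between `pid` and `magic_token` in the public `aa_log_record` struct, which shifts the offset of every later member and therefore changes the library's ABI for any consumer built against the unpatched 2.8.0 headers — a risky thing to carry in a backport unless the soname is bumped at the same time. Appending the new member after the existing trailing members, the way the later hunk appears to do with the `dbus_*` fields, would keep the old offsets stable. The new field is also the only one in this run without a trailing comment; I would write it as `unsigned long peer_pid; /* peer_pid= value from USER_AVC messages - if logged */`. The enclosing typedef starts and ends outside the hunk.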
24
@@ -129,6 +130,7 @@ typedef struct
25
unsigned long fsuid; /* fsuid of task - if logged */
26
unsigned long ouid; /* ouid of task - if logged */
27
char *profile; /* The name of the profile */
29
char *comm; /* Command that triggered msg */
32
@@ -136,6 +138,7 @@ typedef struct
37
int error_code; /* error_code returned if logged */
40
@@ -145,6 +148,10 @@ typedef struct
41
unsigned long net_local_port;
42
char *net_foreign_addr;
43
unsigned long net_foreign_port;
46
+ char *dbus_interface;
51
Index: apparmor-2.8.0/libraries/libapparmor/src/grammar.y
52
===================================================================
53
--- apparmor-2.8.0.orig/libraries/libapparmor/src/grammar.y 2013-08-01 02:14:08.547854401 -0700
54
+++ apparmor-2.8.0/libraries/libapparmor/src/grammar.y 2013-08-01 02:14:08.539854401 -0700
55
@@ -91,6 +91,8 @@ aa_record_event_type lookup_aa_event(uns
57
%token TOK_CLOSE_PAREN
59
+%token TOK_QUESTION_MARK
60
+%token TOK_SINGLE_QUOTE
62
%token TOK_TYPE_REJECT
64
@@ -105,6 +107,7 @@ aa_record_event_type lookup_aa_event(uns
65
%token TOK_TYPE_AA_STATUS
66
%token TOK_TYPE_AA_ERROR
67
%token TOK_TYPE_LSM_AVC
68
+%token TOK_TYPE_USER_AVC
70
%token TOK_KEY_APPARMOR
72
@@ -112,6 +115,7 @@ aa_record_event_type lookup_aa_event(uns
73
%token TOK_KEY_OPERATION
77
%token TOK_KEY_DENIED_MASK
78
%token TOK_KEY_REQUESTED_MASK
79
%token TOK_KEY_ATTRIBUTE
80
@@ -119,8 +123,11 @@ aa_record_event_type lookup_aa_event(uns
82
%token TOK_KEY_MAGIC_TOKEN
84
+%token TOK_KEY_PEER_INFO
86
+%token TOK_KEY_PEER_PID
87
%token TOK_KEY_PROFILE
88
+%token TOK_KEY_PEER_PROFILE
91
%token TOK_KEY_SOCK_TYPE
92
@@ -129,6 +136,14 @@ aa_record_event_type lookup_aa_event(uns
100
+%token TOK_KEY_HOSTNAME
102
+%token TOK_KEY_TERMINAL
105
%token TOK_KEY_CAPABILITY
106
%token TOK_KEY_CAPNAME
107
@@ -138,8 +153,13 @@ aa_record_event_type lookup_aa_event(uns
113
+%token TOK_KEY_INTERFACE
114
+%token TOK_KEY_MEMBER
116
%token TOK_SYSLOG_KERNEL
117
+%token TOK_SYSLOG_USER
121
@@ -163,6 +183,7 @@ new_syntax:
122
| TOK_TYPE_AA_ERROR audit_msg key_list { ret_record->event = AA_RECORD_ERROR; }
123
| TOK_TYPE_UNKNOWN audit_msg key_list { ret_record->event = lookup_aa_event($1); }
124
| TOK_TYPE_LSM_AVC audit_msg key_list
125
+ | TOK_TYPE_USER_AVC audit_user_msg TOK_SINGLE_QUOTE key_list TOK_SINGLE_QUOTE
128
other_audit: TOK_TYPE_OTHER audit_msg TOK_MSG_REST
129
@@ -182,6 +203,8 @@ syslog_type:
130
{ ret_record->version = AA_RECORD_SYNTAX_V2; }
131
| syslog_date TOK_ID TOK_SYSLOG_KERNEL TOK_DMESG_STAMP key_type audit_id key_list
132
{ ret_record->version = AA_RECORD_SYNTAX_V2; }
133
+ | syslog_date TOK_ID TOK_SYSLOG_USER key_list
134
+ { ret_record->version = AA_RECORD_SYNTAX_V2; }
137
/* when audit dispatches a message it doesn't prepend the audit type string */
138
@@ -192,6 +215,9 @@ audit_dispatch:
139
audit_msg: TOK_KEY_MSG TOK_EQUALS audit_id
142
+audit_user_msg: TOK_KEY_MSG TOK_EQUALS audit_id ignored_pid ignored_uid ignored_auid ignored_ses TOK_KEY_MSG TOK_EQUALS
145
audit_id: TOK_AUDIT TOK_OPEN_PAREN TOK_AUDIT_DIGITS TOK_PERIOD TOK_AUDIT_DIGITS TOK_COLON TOK_AUDIT_DIGITS TOK_CLOSE_PAREN TOK_COLON
147
if (!asprintf(&ret_record->audit_id, "%s.%s:%s", $3, $5, $7))
148
@@ -218,6 +244,8 @@ key: TOK_KEY_OPERATION TOK_EQUALS TOK_QU
149
{ ret_record->namespace = $3;}
150
| TOK_KEY_NAME2 TOK_EQUALS safe_string
151
{ ret_record->name2 = $3;}
152
+ | TOK_KEY_MASK TOK_EQUALS TOK_QUOTED_STRING
153
+ { ret_record->denied_mask = $3;}
154
| TOK_KEY_DENIED_MASK TOK_EQUALS TOK_QUOTED_STRING
155
{ ret_record->denied_mask = $3;}
156
| TOK_KEY_REQUESTED_MASK TOK_EQUALS TOK_QUOTED_STRING
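Review bot: The new `mask=` alternative stores `$3` into `denied_mask` without releasing a value already there, so a record that carries both `mask=` and `denied_mask=` (or the same key twice) leaks the first string. The later hunk in this file already shows the intended idiom for `exe=`/`comm=`; mirroring it here would be `{ free(ret_record->denied_mask); ret_record->denied_mask = $3; }`. The `peer_info=`, `peer_profile=` and `bus=`/`path=`/`interface=`/`member=` actions added in the two following hunks have the same shape and would benefit from the same guard. The `key:` rule these alternatives belong to starts and ends outside the hunk.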
157
@@ -232,9 +260,14 @@ key: TOK_KEY_OPERATION TOK_EQUALS TOK_QU
158
{ ret_record->magic_token = $3;}
159
| TOK_KEY_INFO TOK_EQUALS TOK_QUOTED_STRING
160
{ ret_record->info = $3;}
161
+ | TOK_KEY_PEER_INFO TOK_EQUALS TOK_QUOTED_STRING
162
+ { ret_record->peer_info = $3;}
165
| TOK_KEY_PROFILE TOK_EQUALS safe_string
166
{ ret_record->profile = $3;}
167
+ | TOK_KEY_PEER_PROFILE TOK_EQUALS safe_string
168
+ { ret_record->peer_profile = $3;}
169
| TOK_KEY_FAMILY TOK_EQUALS TOK_QUOTED_STRING
170
{ ret_record->net_family = $3;}
171
| TOK_KEY_SOCK_TYPE TOK_EQUALS TOK_QUOTED_STRING
172
@@ -251,8 +284,29 @@ key: TOK_KEY_OPERATION TOK_EQUALS TOK_QU
173
{ ret_record->fsuid = $3;}
174
| TOK_KEY_OUID TOK_EQUALS TOK_DIGITS
175
{ ret_record->ouid = $3;}
176
+ | TOK_KEY_SAUID TOK_EQUALS TOK_DIGITS
177
+ { /* Ignore - Source audit ID from user AVC messages */ }
178
+ | TOK_KEY_HOSTNAME TOK_EQUALS safe_string
179
+ { free($3); /* Ignore - hostname from user AVC messages */ }
180
+ | TOK_KEY_HOSTNAME TOK_EQUALS TOK_QUESTION_MARK
181
+ | TOK_KEY_ADDR TOK_EQUALS TOK_QUESTION_MARK
182
+ | TOK_KEY_TERMINAL TOK_EQUALS TOK_QUESTION_MARK
183
+ | TOK_KEY_ADDR TOK_EQUALS safe_string
184
+ { free($3); /* Ignore - IP address from user AVC messages */ }
185
+ | TOK_KEY_TERMINAL TOK_EQUALS safe_string
186
+ { free($3); /* Ignore - TTY from user AVC messages */ }
187
+ | TOK_KEY_EXE TOK_EQUALS safe_string
188
+ { /* Free existing arrays because exe= and comm= maps to the same
189
+ aa_log_record member */
190
+ free(ret_record->comm);
191
+ ret_record->comm = $3;
193
| TOK_KEY_COMM TOK_EQUALS safe_string
194
- { ret_record->comm = $3;}
195
+ { /* Free existing arrays because exe= and comm= maps to the same
196
+ aa_log_record member */
197
+ free(ret_record->comm);
198
+ ret_record->comm = $3;
200
| TOK_KEY_APPARMOR TOK_EQUALS apparmor_event
201
| TOK_KEY_CAPABILITY TOK_EQUALS TOK_DIGITS
202
{ /* need to reverse map number to string, need to figure out
203
@@ -281,6 +335,14 @@ key: TOK_KEY_OPERATION TOK_EQUALS TOK_QU
204
{ ret_record->net_local_port = $3;}
205
| TOK_KEY_FPORT TOK_EQUALS TOK_DIGITS
206
{ ret_record->net_foreign_port = $3;}
207
+ | TOK_KEY_BUS TOK_EQUALS TOK_QUOTED_STRING
208
+ { ret_record->dbus_bus = $3; }
209
+ | TOK_KEY_PATH TOK_EQUALS TOK_QUOTED_STRING
210
+ { ret_record->dbus_path = $3; }
211
+ | TOK_KEY_INTERFACE TOK_EQUALS TOK_QUOTED_STRING
212
+ { ret_record->dbus_interface = $3; }
213
+ | TOK_KEY_MEMBER TOK_EQUALS TOK_QUOTED_STRING
214
+ { ret_record->dbus_member = $3; }
217
ret_record->event = AA_RECORD_INVALID;
218
@@ -300,6 +362,14 @@ apparmor_event:
219
key_pid: TOK_KEY_PID TOK_EQUALS TOK_DIGITS { ret_record->pid = $3; }
222
+key_peer_pid: TOK_KEY_PEER_PID TOK_EQUALS TOK_DIGITS { ret_record->peer_pid = $3; }
225
+ignored_pid: TOK_KEY_PID TOK_EQUALS TOK_DIGITS { /* DROP */ }
226
+ignored_uid: TOK_KEY_UID TOK_EQUALS TOK_DIGITS { /* DROP */ }
227
+ignored_auid: TOK_KEY_AUID TOK_EQUALS TOK_DIGITS { /* DROP */ }
228
+ignored_ses: TOK_KEY_SES TOK_EQUALS TOK_DIGITS { /* DROP */ }
230
key_type: TOK_KEY_TYPE TOK_EQUALS TOK_DIGITS { ret_record->event = lookup_aa_event($3); }
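Review bot: `key_peer_pid` is defined here, but none of the visible `key:` hunks add `| key_peer_pid` as an alternative; unless one of the omitted lines does, bison will report the nonterminal as useless and a `peer_pid=` key inside a USER_AVC key list will be a parse error rather than a recorded value. Worth confirming that the `key` rule references it. The four `ignored_*` rules also deserve a one-line comment explaining what they drop, since they duplicate the token sequence of `key_pid`; something like `/* outer audit-daemon header fields of a USER_AVC record - dropped, the inner pid= appears to be the one kept */` would tell the next reader why two rules match `pid=`.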
233
Index: apparmor-2.8.0/libraries/libapparmor/src/libaalogparse.c
234
===================================================================
235
--- apparmor-2.8.0.orig/libraries/libapparmor/src/libaalogparse.c 2013-08-01 02:14:08.547854401 -0700
236
+++ apparmor-2.8.0/libraries/libapparmor/src/libaalogparse.c 2013-08-01 02:14:08.539854401 -0700
237
@@ -55,6 +55,8 @@ void free_record(aa_log_record *record)
238
free(record->denied_mask);
239
if (record->profile != NULL)
240
free(record->profile);
241
+ if (record->peer_profile != NULL)
242
+ free(record->peer_profile);
243
if (record->comm != NULL)
245
if (record->name != NULL)
246
@@ -67,6 +69,8 @@ void free_record(aa_log_record *record)
247
free(record->attribute);
248
if (record->info != NULL)
250
+ if (record->peer_info != NULL)
251
+ free(record->peer_info);
252
if (record->active_hat != NULL)
253
free(record->active_hat);
254
if (record->audit_id != NULL)
255
@@ -77,6 +81,14 @@ void free_record(aa_log_record *record)
256
free(record->net_protocol);
257
if (record->net_sock_type != NULL)
258
free(record->net_sock_type);
259
+ if (record->dbus_bus != NULL)
260
+ free(record->dbus_bus);
261
+ if (record->dbus_path != NULL)
262
+ free(record->dbus_path);
263
+ if (record->dbus_interface != NULL)
264
+ free(record->dbus_interface);
265
+ if (record->dbus_member != NULL)
266
+ free(record->dbus_member);
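Review bot: `free_record` now frees `peer_profile`, `peer_info` and the four `dbus_*` pointers, which is only safe if the record is zero-initialized when allocated — if the allocation path (not visible here) uses `malloc` rather than `calloc`, these new members hold indeterminate values on any message that lacks the corresponding keys and the new `free` calls become crashes on otherwise valid input. Worth confirming the allocation in `parse_record` and, if it is not `calloc`, initializing the new members there. Separately, `free(NULL)` is a no-op, so the `!= NULL` guards on the added lines are redundant; they match the surrounding style, so keeping them is fine until the function is cleaned up as a whole. The enclosing `free_record` starts and ends outside the hunk.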
270
Index: apparmor-2.8.0/libraries/libapparmor/src/scanner.l
271
===================================================================
272
--- apparmor-2.8.0.orig/libraries/libapparmor/src/scanner.l 2013-08-01 02:14:08.547854401 -0700
273
+++ apparmor-2.8.0/libraries/libapparmor/src/scanner.l 2013-08-01 02:14:08.539854401 -0700
274
@@ -84,6 +84,8 @@ close_paren ")"
276
hexstring ({hex}{hex})+
280
mode_chars ([RrWwaLlMmkXx])|([Pp][Xx])|([Uu][Xx])|([Ii][Xx])|([Pp][Ii][Xx])
281
modes ({mode_chars}+)|({mode_chars}+::{mode_chars}*)|(::{mode_chars}*)
282
/* New message types */
283
@@ -101,6 +103,7 @@ hint_type "\"HINT\""
284
status_type "\"STATUS\""
285
error_type "\"ERROR\""
287
+user_avc_type "USER_AVC"
288
unknown_type UNKNOWN\[{digits}+\]
289
other_audit_type [[:alnum:]\[\]_-]+
291
@@ -113,6 +116,7 @@ key_operation "operation"
294
key_namespace "namespace"
296
key_denied_mask "denied_mask"
297
key_requested_mask "requested_mask"
298
key_attribute "attribute"
299
@@ -120,14 +124,25 @@ key_task "task"
301
key_magic_token "magic_token"
303
+key_peer_info "peer_info"
305
+key_peer_pid "peer_pid"
306
key_profile "profile"
307
+key_peer_profile "peer_profile"
309
key_sock_type "sock_type"
310
key_protocol "protocol"
318
+key_hostname "hostname"
320
+key_terminal "terminal"
323
key_capability "capability"
324
key_capname "capname"
325
@@ -137,6 +152,11 @@ key_laddr "laddr"
332
+key_interface "interface"
337
@@ -144,11 +164,13 @@ ip_addr [a-f[:digit:].:]{3,}
340
syslog_kernel kernel{colon}
341
+syslog_user [[:alnum:]_-]+\[[[:digit:]]+\]{colon}
342
syslog_month Jan(uary)?|Feb(ruary)?|Mar(ch)?|Apr(il)?|May|Jun(e)?|Jul(y)?|Aug(ust)?|Sep(tember)?|Oct(ober)?|Nov(ember)?|Dec(ember)?
343
syslog_time {digits}{digits}{colon}{digits}{digits}{colon}{digits}{digits}
344
syslog_hostname [[:alnum:]_-]+
345
dmesg_timestamp \[[[:digit:] ]{5,}\.[[:digit:]]{6,}\]
347
+%x single_quoted_string
351
@@ -231,6 +253,7 @@ yy_flex_debug = 0;
352
{aa_status_type} { BEGIN(INITIAL); return(TOK_TYPE_AA_STATUS); }
353
{aa_error_type} { BEGIN(INITIAL); return(TOK_TYPE_AA_ERROR); }
354
{lsm_avc_type} { BEGIN(INITIAL); return(TOK_TYPE_LSM_AVC); }
355
+ {user_avc_type} { BEGIN(INITIAL); return(TOK_TYPE_USER_AVC); }
356
{unknown_type} { char *yptr = yytext;
357
while (*yptr && *yptr != '[')
359
@@ -256,6 +279,8 @@ yy_flex_debug = 0;
361
{close_paren} { return(TOK_CLOSE_PAREN); }
362
{period} { return(TOK_PERIOD); }
363
+{question_mark} { return(TOK_QUESTION_MARK); }
364
+{single_quote} { return(TOK_SINGLE_QUOTE); }
366
{key_apparmor} { BEGIN(audit_types); return(TOK_KEY_APPARMOR); }
367
{key_type} { BEGIN(audit_types); return(TOK_KEY_TYPE); }
368
@@ -264,6 +289,7 @@ yy_flex_debug = 0;
369
{key_name} { BEGIN(safe_string); return(TOK_KEY_NAME); }
370
{key_name2} { BEGIN(safe_string); return(TOK_KEY_NAME2); }
371
{key_namespace} { BEGIN(safe_string); return(TOK_KEY_NAMESPACE); }
372
+{key_mask} { return(TOK_KEY_MASK); }
373
{key_denied_mask} { return(TOK_KEY_DENIED_MASK); }
374
{key_requested_mask} { return(TOK_KEY_REQUESTED_MASK); }
375
{key_attribute} { BEGIN(sub_id); return(TOK_KEY_ATTRIBUTE); }
376
@@ -271,14 +297,25 @@ yy_flex_debug = 0;
377
{key_parent} { return(TOK_KEY_PARENT); }
378
{key_magic_token} { return(TOK_KEY_MAGIC_TOKEN); }
379
{key_info} { return(TOK_KEY_INFO); }
380
+{key_peer_info} { return(TOK_KEY_PEER_INFO); }
381
{key_pid} { return(TOK_KEY_PID); }
382
+{key_peer_pid} { return(TOK_KEY_PEER_PID); }
383
{key_profile} { BEGIN(safe_string); return(TOK_KEY_PROFILE); }
384
+{key_peer_profile} { BEGIN(safe_string); return(TOK_KEY_PEER_PROFILE); }
385
{key_family} { return(TOK_KEY_FAMILY); }
386
{key_sock_type} { return(TOK_KEY_SOCK_TYPE); }
387
{key_protocol} { return(TOK_KEY_PROTOCOL); }
388
{key_error} { return(TOK_KEY_ERROR); }
389
{key_fsuid} { return(TOK_KEY_FSUID); }
390
{key_ouid} { return(TOK_KEY_OUID); }
391
+{key_uid} { return(TOK_KEY_UID); }
392
+{key_auid} { return(TOK_KEY_AUID); }
393
+{key_sauid} { return(TOK_KEY_SAUID); }
394
+{key_ses} { return(TOK_KEY_SES); }
395
+{key_hostname} { return(TOK_KEY_HOSTNAME); }
396
+{key_addr} { return(TOK_KEY_ADDR); }
397
+{key_terminal} { return(TOK_KEY_TERMINAL); }
398
+{key_exe} { BEGIN(safe_string); return(TOK_KEY_EXE); }
399
{key_comm} { BEGIN(safe_string); return(TOK_KEY_COMM); }
400
{key_capability} { return(TOK_KEY_CAPABILITY); }
401
{key_capname} { return(TOK_KEY_CAPNAME); }
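Review bot: The three `{key_hostname}`, `{key_addr}` and `{key_terminal}` rules return their token while staying in the INITIAL start condition, yet the grammar pairs each of those keys with the `safe_string` nonterminal (next to a `?` form), and `{key_exe}` two lines below does switch with `BEGIN(safe_string)`. If the hex-encoded form of `safe_string` is only produced inside the `safe_string` start condition, a hex-encoded hostname, address or terminal value would fail to lex; if staying in INITIAL was chosen deliberately so that the bare `?` value can be matched, that reasoning belongs in the file. A comment on the first of the three rules such as `/* stays in INITIAL: the value may be a bare "?", which the safe_string condition does not lex */` would settle the asymmetry with `key_exe` for the next reader.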
402
@@ -288,8 +325,13 @@ yy_flex_debug = 0;
403
{key_faddr} { yy_push_state(ip_addr, yyscanner); return(TOK_KEY_FADDR); }
404
{key_lport} { return(TOK_KEY_LPORT); }
405
{key_fport} { return(TOK_KEY_FPORT); }
406
+{key_bus} { return(TOK_KEY_BUS); }
407
+{key_path} { return(TOK_KEY_PATH); }
408
+{key_interface} { return(TOK_KEY_INTERFACE); }
409
+{key_member} { return(TOK_KEY_MEMBER); }
411
{syslog_kernel} { BEGIN(dmesg_timestamp); return(TOK_SYSLOG_KERNEL); }
412
+{syslog_user} { return(TOK_SYSLOG_USER); }
413
{syslog_month} { yylval->t_str = strdup(yytext); return(TOK_DATE_MONTH); }
414
{syslog_time} { yylval->t_str = strdup(yytext); BEGIN(hostname); return(TOK_DATE_TIME); }