2
* Copyright (c) 1999-2008 NOVELL (All rights reserved)
3
* Copyright (c) 2010, Canonical, Ltd.
5
* This program is free software; you can redistribute it and/or
6
* modify it under the terms of version 2.1 of the GNU Lesser General
7
* Public License published by the Free Software Foundation.
9
* This program is distributed in the hope that it will be useful,
10
* but WITHOUT ANY WARRANTY; without even the implied warranty of
11
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12
* GNU Lesser General Public License for more details.
14
* You should have received a copy of the GNU Lesser General Public License
15
* along with this program. If not, see <http://www.gnu.org/licenses/>.
21
/* set the following to non-zero to get bison to emit debugging
22
* information about tokens given and rules matched. */
25
#include "aalogparse.h"
30
/* Record being filled in by the current parse: _parse_yacc() allocates it,
 * and the grammar actions and aalogparse_error() write through it.
 * NOTE(review): this is a single file-scope pointer shared by every call,
 * even though the scanner is passed per call (%lex-param/%parse-param).
 * Nothing visible here serializes access, so two parses running at the
 * same time would write the same record -- confirm callers serialize. */
aa_log_record *ret_record;
32
/* Since we're a library, on any errors we don't want to print out any
33
* error messages. We should probably add a debug interface that does
34
* emit messages when asked for. */
35
void aalogparse_error(void *scanner, char const *s)
37
//printf("ERROR: %s\n", s);
38
ret_record->event = AA_RECORD_INVALID;
41
struct aa_type_table {
42
unsigned int audit_type;
43
aa_record_event_type event;
46
static struct aa_type_table aa_type_table[] = {
47
{AUDIT_APPARMOR_AUDIT, AA_RECORD_AUDIT},
48
{AUDIT_APPARMOR_ALLOWED, AA_RECORD_ALLOWED},
49
{AUDIT_APPARMOR_DENIED, AA_RECORD_DENIED},
50
{AUDIT_APPARMOR_HINT, AA_RECORD_HINT},
51
{AUDIT_APPARMOR_STATUS, AA_RECORD_STATUS},
52
{AUDIT_APPARMOR_ERROR, AA_RECORD_ERROR},
53
{0, AA_RECORD_INVALID},
56
aa_record_event_type lookup_aa_event(unsigned int type)
60
for (i = 0; aa_type_table[i].audit_type != 0; i++)
61
if (type == aa_type_table[i].audit_type)
64
return aa_type_table[i].event;
72
%lex-param{void *scanner}
73
%parse-param{void *scanner}
81
%type <t_str> safe_string protocol
82
%token <t_long> TOK_DIGITS TOK_TYPE_UNKNOWN
83
%token <t_str> TOK_QUOTED_STRING TOK_ID TOK_MODE TOK_DMESG_STAMP
84
%token <t_str> TOK_AUDIT_DIGITS TOK_DATE_MONTH TOK_DATE_TIME
85
%token <t_str> TOK_HEXSTRING TOK_TYPE_OTHER TOK_MSG_REST
91
%token TOK_CLOSE_PAREN
94
%token TOK_TYPE_REJECT
96
%token TOK_TYPE_COMPLAIN
98
%token TOK_TYPE_STATUS
100
%token TOK_TYPE_AA_REJECT
101
%token TOK_TYPE_AA_AUDIT
102
%token TOK_TYPE_AA_COMPLAIN
103
%token TOK_TYPE_AA_HINT
104
%token TOK_TYPE_AA_STATUS
105
%token TOK_TYPE_AA_ERROR
106
%token TOK_TYPE_LSM_AVC
108
%token TOK_KEY_APPARMOR
111
%token TOK_KEY_OPERATION
114
%token TOK_KEY_DENIED_MASK
115
%token TOK_KEY_REQUESTED_MASK
116
%token TOK_KEY_ATTRIBUTE
118
%token TOK_KEY_PARENT
119
%token TOK_KEY_MAGIC_TOKEN
122
%token TOK_KEY_PROFILE
124
%token TOK_KEY_FAMILY
125
%token TOK_KEY_SOCK_TYPE
126
%token TOK_KEY_PROTOCOL
127
%token TOK_KEY_NAMESPACE
132
%token TOK_KEY_CAPABILITY
133
%token TOK_KEY_CAPNAME
134
%token TOK_KEY_OFFSET
135
%token TOK_KEY_TARGET
137
%token TOK_SYSLOG_KERNEL
141
log_message: audit_type
146
audit_type: TOK_KEY_TYPE TOK_EQUALS type_syntax ;
148
type_syntax: new_syntax { ret_record->version = AA_RECORD_SYNTAX_V2; }
153
TOK_TYPE_AA_REJECT audit_msg key_list { ret_record->event = AA_RECORD_DENIED; }
154
| TOK_TYPE_AA_AUDIT audit_msg key_list { ret_record->event = AA_RECORD_AUDIT; }
155
| TOK_TYPE_AA_COMPLAIN audit_msg key_list { ret_record->event = AA_RECORD_ALLOWED; }
156
| TOK_TYPE_AA_HINT audit_msg key_list { ret_record->event = AA_RECORD_HINT; }
157
| TOK_TYPE_AA_STATUS audit_msg key_list { ret_record->event = AA_RECORD_STATUS; }
158
| TOK_TYPE_AA_ERROR audit_msg key_list { ret_record->event = AA_RECORD_ERROR; }
159
| TOK_TYPE_UNKNOWN audit_msg key_list { ret_record->event = lookup_aa_event($1); }
160
| TOK_TYPE_LSM_AVC audit_msg key_list
163
other_audit: TOK_TYPE_OTHER audit_msg TOK_MSG_REST
165
ret_record->operation = $1;
166
ret_record->event = AA_RECORD_INVALID;
167
ret_record->info = $3;
172
syslog_date TOK_ID TOK_SYSLOG_KERNEL audit_id key_list
173
{ ret_record->version = AA_RECORD_SYNTAX_V2; }
174
| syslog_date TOK_ID TOK_SYSLOG_KERNEL key_type audit_id key_list
175
{ ret_record->version = AA_RECORD_SYNTAX_V2; }
176
| syslog_date TOK_ID TOK_SYSLOG_KERNEL TOK_DMESG_STAMP audit_id key_list
177
{ ret_record->version = AA_RECORD_SYNTAX_V2; }
178
| syslog_date TOK_ID TOK_SYSLOG_KERNEL TOK_DMESG_STAMP key_type audit_id key_list
179
{ ret_record->version = AA_RECORD_SYNTAX_V2; }
182
/* when audit dispatches a message it doesn't prepend the audit type string */
184
audit_msg key_list { ret_record->version = AA_RECORD_SYNTAX_V2; }
187
audit_msg: TOK_KEY_MSG TOK_EQUALS audit_id
190
audit_id: TOK_AUDIT TOK_OPEN_PAREN TOK_AUDIT_DIGITS TOK_PERIOD TOK_AUDIT_DIGITS TOK_COLON TOK_AUDIT_DIGITS TOK_CLOSE_PAREN TOK_COLON
192
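/* asprintf() signals failure by returning -1, not 0, and leaves the output
 * pointer unspecified in that case. Test for a negative result and reset
 * the field so nothing later reads or frees an indeterminate pointer. */
if (asprintf(&ret_record->audit_id, "%s.%s:%s", $3, $5, $7) < 0) {
	ret_record->audit_id = NULL;
	yyerror(scanner, YY_("Out of memory"));
}
/* $3 and $7 are TOK_AUDIT_DIGITS strings taken from the log line.
 * NOTE(review): atol()/atoi() report no errors and their behaviour is
 * undefined for out-of-range values; log text is external input, so a
 * strtoul() conversion with an ERANGE check would be safer once the
 * field types are confirmed. */
ret_record->epoch = atol($3);
ret_record->audit_sub_id = atoi($7);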
201
syslog_date: TOK_DATE_MONTH TOK_DIGITS TOK_DATE_TIME { /* do nothing? */ }
208
key: TOK_KEY_OPERATION TOK_EQUALS TOK_QUOTED_STRING
209
{ ret_record->operation = $3;}
210
| TOK_KEY_NAME TOK_EQUALS safe_string
211
{ ret_record->name = $3;}
212
| TOK_KEY_NAMESPACE TOK_EQUALS safe_string
213
{ ret_record->namespace = $3;}
214
| TOK_KEY_NAME2 TOK_EQUALS safe_string
215
{ ret_record->name2 = $3;}
216
| TOK_KEY_DENIED_MASK TOK_EQUALS TOK_QUOTED_STRING
217
{ ret_record->denied_mask = $3;}
218
| TOK_KEY_REQUESTED_MASK TOK_EQUALS TOK_QUOTED_STRING
219
{ ret_record->requested_mask = $3;}
220
| TOK_KEY_ATTRIBUTE TOK_EQUALS TOK_QUOTED_STRING
221
{ ret_record->attribute = $3;}
222
| TOK_KEY_TASK TOK_EQUALS TOK_DIGITS
223
{ ret_record->task = $3;}
224
| TOK_KEY_PARENT TOK_EQUALS TOK_DIGITS
225
{ ret_record->parent = $3;}
226
| TOK_KEY_MAGIC_TOKEN TOK_EQUALS TOK_DIGITS
227
{ ret_record->magic_token = $3;}
228
| TOK_KEY_INFO TOK_EQUALS TOK_QUOTED_STRING
229
{ ret_record->info = $3;}
231
| TOK_KEY_PROFILE TOK_EQUALS safe_string
232
{ ret_record->profile = $3;}
233
| TOK_KEY_FAMILY TOK_EQUALS TOK_QUOTED_STRING
234
{ ret_record->net_family = $3;}
235
| TOK_KEY_SOCK_TYPE TOK_EQUALS TOK_QUOTED_STRING
236
{ ret_record->net_sock_type = $3;}
237
| TOK_KEY_PROTOCOL TOK_EQUALS protocol
238
{ ret_record->net_protocol = $3;}
239
| TOK_KEY_TYPE TOK_EQUALS TOK_DIGITS
240
{ ret_record->event = lookup_aa_event($3);}
241
| TOK_KEY_ERROR TOK_EQUALS TOK_DIGITS
242
{ ret_record->error_code = $3;}
243
| TOK_KEY_ERROR TOK_EQUALS TOK_MINUS TOK_DIGITS
244
/* NOTE(review): only the digits ($4) are stored, so the TOK_MINUS sign is
 * dropped and a negative error value is recorded as its magnitude --
 * confirm that consumers of error_code expect this. */
{ ret_record->error_code = $4;}
245
| TOK_KEY_FSUID TOK_EQUALS TOK_DIGITS
246
{ ret_record->fsuid = $3;}
247
| TOK_KEY_OUID TOK_EQUALS TOK_DIGITS
248
{ ret_record->ouid = $3;}
249
| TOK_KEY_COMM TOK_EQUALS safe_string
250
{ ret_record->comm = $3;}
251
| TOK_KEY_APPARMOR TOK_EQUALS apparmor_event
252
| TOK_KEY_CAPABILITY TOK_EQUALS TOK_DIGITS
253
{ /* need to reverse map number to string, need to figure out
254
* how to get auto generation of reverse mapping table into
255
* autotools Makefile. For now just drop assuming capname is
256
* present which it should be with current kernels */
258
| TOK_KEY_CAPNAME TOK_EQUALS TOK_QUOTED_STRING
259
{ /* capname used to be reported in name.
   * NOTE(review): the TOK_KEY_NAME action stores into the same field, and
   * every key action here is a plain assignment, so a log line that
   * repeats a key (or carries both name and capname) replaces the earlier
   * pointer without releasing it. If token strings are heap-allocated
   * (not visible here -- confirm), the first value leaks; log lines are
   * external input, so a long-running consumer can be made to leak. */
260
ret_record->name = $3;
262
| TOK_KEY_OFFSET TOK_EQUALS TOK_DIGITS
263
{ /* offset is used for reporting where an error occurred unpacking
264
* loaded policy. We can just drop this currently
267
| TOK_KEY_TARGET TOK_EQUALS safe_string
268
{ /* target was always name2 in the past */
269
ret_record->name2 = $3;
273
ret_record->event = AA_RECORD_INVALID;
274
ret_record->info = $1;
279
TOK_TYPE_REJECT { ret_record->event = AA_RECORD_DENIED; }
280
| TOK_TYPE_AUDIT { ret_record->event = AA_RECORD_AUDIT; }
281
| TOK_TYPE_COMPLAIN { ret_record->event = AA_RECORD_ALLOWED; }
282
| TOK_TYPE_HINT { ret_record->event = AA_RECORD_HINT; }
283
| TOK_TYPE_STATUS { ret_record->event = AA_RECORD_STATUS; }
284
| TOK_TYPE_ERROR { ret_record->event = AA_RECORD_ERROR; }
287
key_pid: TOK_KEY_PID TOK_EQUALS TOK_DIGITS { ret_record->pid = $3; }
290
key_type: TOK_KEY_TYPE TOK_EQUALS TOK_DIGITS { ret_record->event = lookup_aa_event($3); }
293
safe_string: TOK_QUOTED_STRING
297
protocol: TOK_QUOTED_STRING
299
{ /* FIXME: this should probably convert back to a string proto name */
300
$$ = ipproto_to_string($1);
306
_parse_yacc(char *str)
309
YY_BUFFER_STATE lex_buf;
314
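/* Allocate the result record; sizeof on the pointee keeps the size tied
 * to the variable's type, and no cast is needed in C. */
ret_record = malloc(sizeof(*ret_record));

/* Initialise only a record that was actually allocated. The previous
 * order passed a possibly-NULL pointer to _init_log_record() before the
 * allocation check that follows. */
if (ret_record != NULL)
	_init_log_record(ret_record);

/* Allocation-failure check; its body lies outside the visible lines. */
if (ret_record == NULL)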
325
aalogparse_lex_init(&scanner);
326
lex_buf = aalogparse__scan_string(str, scanner);
327
parser_return = aalogparse_parse(scanner);
328
aalogparse__delete_buffer(lex_buf, scanner);
329
aalogparse_lex_destroy(scanner);