* Copyright (c) 1999-2008 NOVELL (All rights reserved)
* Copyright (c) 2010, Canonical, Ltd.
* This program is free software; you can redistribute it and/or
* modify it under the terms of version 2.1 of the GNU Lesser General
* Public License published by the Free Software Foundation.
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
/* set the following to non-zero to get bison to emit debugging
* information about tokens given and rules matched. */
#include "aalogparse.h"
/* Record being filled in by the current parse.  This is file-scope state:
 * aalogparse_error() and the grammar actions write through it, and
 * _parse_yacc() points it at a fresh allocation.
 * NOTE(review): the scanner is passed explicitly (%lex-param/%parse-param),
 * but this pointer is shared, so two parses running at the same time would
 * write into the same record - confirm that callers serialise, or carry the
 * record through the parser's parameters instead. */
aa_log_record *ret_record;
/* Since we're a library, on any errors we don't want to print out any
* error messages. We should probably add a debug interface that does
* emit messages when asked for. */
void aalogparse_error(void *scanner, char const *s)
//printf("ERROR: %s\n", s);
ret_record->event = AA_RECORD_INVALID;
struct aa_type_table {
unsigned int audit_type;
aa_record_event_type event;
static struct aa_type_table aa_type_table[] = {
{AUDIT_APPARMOR_AUDIT, AA_RECORD_AUDIT},
{AUDIT_APPARMOR_ALLOWED, AA_RECORD_ALLOWED},
{AUDIT_APPARMOR_DENIED, AA_RECORD_DENIED},
{AUDIT_APPARMOR_HINT, AA_RECORD_HINT},
{AUDIT_APPARMOR_STATUS, AA_RECORD_STATUS},
{AUDIT_APPARMOR_ERROR, AA_RECORD_ERROR},
{0, AA_RECORD_INVALID},
aa_record_event_type lookup_aa_event(unsigned int type)
for (i = 0; aa_type_table[i].audit_type != 0; i++)
if (type == aa_type_table[i].audit_type)
return aa_type_table[i].event;
%lex-param{void *scanner}
%parse-param{void *scanner}
%type <t_str> safe_string protocol
%token <t_long> TOK_DIGITS TOK_TYPE_UNKNOWN
%token <t_str> TOK_QUOTED_STRING TOK_ID TOK_MODE TOK_DMESG_STAMP
%token <t_str> TOK_AUDIT_DIGITS TOK_DATE_MONTH TOK_DATE_TIME
%token <t_str> TOK_HEXSTRING TOK_TYPE_OTHER TOK_MSG_REST
%token <t_str> TOK_IP_ADDR
%token TOK_CLOSE_PAREN
%token TOK_TYPE_REJECT
%token TOK_TYPE_COMPLAIN
%token TOK_TYPE_STATUS
%token TOK_TYPE_ERROR
%token TOK_TYPE_AA_REJECT
%token TOK_TYPE_AA_AUDIT
%token TOK_TYPE_AA_COMPLAIN
%token TOK_TYPE_AA_HINT
%token TOK_TYPE_AA_STATUS
%token TOK_TYPE_AA_ERROR
%token TOK_TYPE_LSM_AVC
%token TOK_KEY_APPARMOR
%token TOK_KEY_OPERATION
%token TOK_KEY_DENIED_MASK
%token TOK_KEY_REQUESTED_MASK
%token TOK_KEY_ATTRIBUTE
%token TOK_KEY_PARENT
%token TOK_KEY_MAGIC_TOKEN
%token TOK_KEY_PROFILE
%token TOK_KEY_FAMILY
%token TOK_KEY_SOCK_TYPE
%token TOK_KEY_PROTOCOL
%token TOK_KEY_NAMESPACE
%token TOK_KEY_CAPABILITY
%token TOK_KEY_CAPNAME
%token TOK_KEY_OFFSET
%token TOK_KEY_TARGET
%token TOK_SYSLOG_KERNEL
log_message: audit_type
audit_type: TOK_KEY_TYPE TOK_EQUALS type_syntax ;
type_syntax: new_syntax { ret_record->version = AA_RECORD_SYNTAX_V2; }
TOK_TYPE_AA_REJECT audit_msg key_list { ret_record->event = AA_RECORD_DENIED; }
| TOK_TYPE_AA_AUDIT audit_msg key_list { ret_record->event = AA_RECORD_AUDIT; }
| TOK_TYPE_AA_COMPLAIN audit_msg key_list { ret_record->event = AA_RECORD_ALLOWED; }
| TOK_TYPE_AA_HINT audit_msg key_list { ret_record->event = AA_RECORD_HINT; }
| TOK_TYPE_AA_STATUS audit_msg key_list { ret_record->event = AA_RECORD_STATUS; }
| TOK_TYPE_AA_ERROR audit_msg key_list { ret_record->event = AA_RECORD_ERROR; }
| TOK_TYPE_UNKNOWN audit_msg key_list { ret_record->event = lookup_aa_event($1); }
| TOK_TYPE_LSM_AVC audit_msg key_list
other_audit: TOK_TYPE_OTHER audit_msg TOK_MSG_REST
ret_record->operation = $1;
ret_record->event = AA_RECORD_INVALID;
ret_record->info = $3;
syslog_date TOK_ID TOK_SYSLOG_KERNEL audit_id key_list
{ ret_record->version = AA_RECORD_SYNTAX_V2; }
| syslog_date TOK_ID TOK_SYSLOG_KERNEL key_type audit_id key_list
{ ret_record->version = AA_RECORD_SYNTAX_V2; }
| syslog_date TOK_ID TOK_SYSLOG_KERNEL TOK_DMESG_STAMP audit_id key_list
{ ret_record->version = AA_RECORD_SYNTAX_V2; }
| syslog_date TOK_ID TOK_SYSLOG_KERNEL TOK_DMESG_STAMP key_type audit_id key_list
{ ret_record->version = AA_RECORD_SYNTAX_V2; }
/* when audit dispatches a message it doesn't prepend the audit type string */
audit_msg key_list { ret_record->version = AA_RECORD_SYNTAX_V2; }
audit_msg: TOK_KEY_MSG TOK_EQUALS audit_id
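audit_id: TOK_AUDIT TOK_OPEN_PAREN TOK_AUDIT_DIGITS TOK_PERIOD TOK_AUDIT_DIGITS TOK_COLON TOK_AUDIT_DIGITS TOK_CLOSE_PAREN TOK_COLON
	/* Action for the "audit(<$3>.<$5>:<$7>):" prefix: stores the joined
	 * identifier in audit_id, $3 as the epoch and $7 as the sub id.
	 * NOTE(review): this listing does not show the lines that open and
	 * close the action, so its braces and anything that follows the last
	 * statement are not visible here. */

	/* asprintf() signals failure with a negative return value, never 0, so
	 * the previous "!asprintf(...)" test could not detect an allocation
	 * failure.  On failure the contents of the target pointer are
	 * undefined, so reset it to NULL; code that later reads or frees
	 * audit_id then sees a defined value. */
	if (asprintf(&ret_record->audit_id, "%s.%s:%s", $3, $5, $7) < 0) {
		ret_record->audit_id = NULL;
		yyerror(scanner, YY_("Out of memory"));
	}

	/* NOTE(review): atol()/atoi() cannot report out-of-range input.  The
	 * scanner pattern behind TOK_AUDIT_DIGITS is not shown here - confirm
	 * that it bounds the digit count, or convert with strtol()/strtoul()
	 * and check for ERANGE, since these fields come from log text. */
	ret_record->epoch = atol($3);
	ret_record->audit_sub_id = atoi($7);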
syslog_date: TOK_DATE_MONTH TOK_DIGITS TOK_DATE_TIME { /* do nothing? */ }
key: TOK_KEY_OPERATION TOK_EQUALS TOK_QUOTED_STRING
{ ret_record->operation = $3;}
| TOK_KEY_NAME TOK_EQUALS safe_string
{ ret_record->name = $3;}
| TOK_KEY_NAMESPACE TOK_EQUALS safe_string
{ ret_record->namespace = $3;}
| TOK_KEY_NAME2 TOK_EQUALS safe_string
{ ret_record->name2 = $3;}
| TOK_KEY_DENIED_MASK TOK_EQUALS TOK_QUOTED_STRING
{ ret_record->denied_mask = $3;}
| TOK_KEY_REQUESTED_MASK TOK_EQUALS TOK_QUOTED_STRING
{ ret_record->requested_mask = $3;}
| TOK_KEY_ATTRIBUTE TOK_EQUALS TOK_QUOTED_STRING
{ ret_record->attribute = $3;}
| TOK_KEY_TASK TOK_EQUALS TOK_DIGITS
{ ret_record->task = $3;}
| TOK_KEY_PARENT TOK_EQUALS TOK_DIGITS
{ ret_record->parent = $3;}
| TOK_KEY_MAGIC_TOKEN TOK_EQUALS TOK_DIGITS
{ ret_record->magic_token = $3;}
| TOK_KEY_INFO TOK_EQUALS TOK_QUOTED_STRING
{ ret_record->info = $3;}
| TOK_KEY_PROFILE TOK_EQUALS safe_string
{ ret_record->profile = $3;}
| TOK_KEY_FAMILY TOK_EQUALS TOK_QUOTED_STRING
{ ret_record->net_family = $3;}
| TOK_KEY_SOCK_TYPE TOK_EQUALS TOK_QUOTED_STRING
{ ret_record->net_sock_type = $3;}
| TOK_KEY_PROTOCOL TOK_EQUALS protocol
{ ret_record->net_protocol = $3;}
| TOK_KEY_TYPE TOK_EQUALS TOK_DIGITS
{ ret_record->event = lookup_aa_event($3);}
| TOK_KEY_ERROR TOK_EQUALS TOK_DIGITS
{ ret_record->error_code = $3;}
| TOK_KEY_ERROR TOK_EQUALS TOK_MINUS TOK_DIGITS
{ ret_record->error_code = $4;}
| TOK_KEY_FSUID TOK_EQUALS TOK_DIGITS
{ ret_record->fsuid = $3;}
| TOK_KEY_OUID TOK_EQUALS TOK_DIGITS
{ ret_record->ouid = $3;}
| TOK_KEY_COMM TOK_EQUALS safe_string
{ ret_record->comm = $3;}
| TOK_KEY_APPARMOR TOK_EQUALS apparmor_event
| TOK_KEY_CAPABILITY TOK_EQUALS TOK_DIGITS
{ /* need to reverse map number to string, need to figure out
* how to get auto generation of reverse mapping table into
* autotools Makefile. For now just drop assuming capname is
* present which it should be with current kernels */
| TOK_KEY_CAPNAME TOK_EQUALS TOK_QUOTED_STRING
{ /* capname used to be reported in name */
ret_record->name = $3;
| TOK_KEY_OFFSET TOK_EQUALS TOK_DIGITS
{ /* offset is used for reporting where an error occurred unpacking
* loaded policy. We can just drop this currently
| TOK_KEY_TARGET TOK_EQUALS safe_string
{ /* target was always name2 in the past */
ret_record->name2 = $3;
| TOK_KEY_LADDR TOK_EQUALS TOK_IP_ADDR
{ ret_record->net_local_addr = $3;}
| TOK_KEY_FADDR TOK_EQUALS TOK_IP_ADDR
{ ret_record->net_foreign_addr = $3;}
| TOK_KEY_LPORT TOK_EQUALS TOK_DIGITS
{ ret_record->net_local_port = $3;}
| TOK_KEY_FPORT TOK_EQUALS TOK_DIGITS
{ ret_record->net_foreign_port = $3;}
ret_record->event = AA_RECORD_INVALID;
ret_record->info = $1;
TOK_TYPE_REJECT { ret_record->event = AA_RECORD_DENIED; }
| TOK_TYPE_AUDIT { ret_record->event = AA_RECORD_AUDIT; }
| TOK_TYPE_COMPLAIN { ret_record->event = AA_RECORD_ALLOWED; }
| TOK_TYPE_HINT { ret_record->event = AA_RECORD_HINT; }
| TOK_TYPE_STATUS { ret_record->event = AA_RECORD_STATUS; }
| TOK_TYPE_ERROR { ret_record->event = AA_RECORD_ERROR; }
key_pid: TOK_KEY_PID TOK_EQUALS TOK_DIGITS { ret_record->pid = $3; }
key_type: TOK_KEY_TYPE TOK_EQUALS TOK_DIGITS { ret_record->event = lookup_aa_event($3); }
safe_string: TOK_QUOTED_STRING
protocol: TOK_QUOTED_STRING
{ /* FIXME: this should probably convert back to a string proto name */
$$ = ipproto_to_string($1);
_parse_yacc(char *str)
YY_BUFFER_STATE lex_buf;
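/* Allocate the record that the grammar actions fill in. */
ret_record = malloc(sizeof(*ret_record));

/* Initialise only a record that was actually allocated.  The previous
 * order called _init_log_record() before the NULL test, so a failed
 * malloc() handed it a NULL pointer.  _init_log_record() is defined outside
 * this listing; NOTE(review): presumably it writes through its argument -
 * confirm. */
if (ret_record != NULL)
	_init_log_record(ret_record);

/* Allocation-failure test, kept as the last line of this span: the
 * statement it guards sits on a line this listing does not show. */
if (ret_record == NULL)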
aalogparse_lex_init(&scanner);
lex_buf = aalogparse__scan_string(str, scanner);
parser_return = aalogparse_parse(scanner);
aalogparse__delete_buffer(lex_buf, scanner);
aalogparse_lex_destroy(scanner);