[apparmor] [PATCH] update parsing structure to include "comm"

Kees Cook kees at ubuntu.com
Mon Jul 26 02:56:43 BST 2010


This adds the "comm" string to the log parsing structure.

=== modified file 'libraries/libapparmor/src/aalogparse.h'
--- libraries/libapparmor/src/aalogparse.h	2009-09-18 21:13:04 +0000
+++ libraries/libapparmor/src/aalogparse.h	2010-07-24 11:58:32 +0000
@@ -129,6 +129,7 @@
 	unsigned long fsuid;		/* fsuid of task - if logged */
 	unsigned long ouid;		/* ouid of task - if logged */
 	char *profile;			/* The name of the profile */
+	char *comm;			/* Command that triggered msg */
 	char *name;
 	char *name2;
 	char *namespace;
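Review bot: Inserting `comm` between `profile` and `name` shifts the offset of every later member of this record struct, so a consumer compiled against the old aalogparse.h but running against the new library would read the wrong pointers for `name`, `name2` and `namespace`. Appending the field at the end of the struct keeps existing offsets stable; otherwise the change needs a soname bump. The struct definition starts and ends outside the hunk, so any existing layout or versioning guarantee is not visible here. The field comment could also state how far the value can be trusted, e.g. `/* task comm from the audit record; the process can change it, so it is not an identity */`, because tools that build policy or alerts from this record should key on `profile` rather than `comm`.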

=== modified file 'libraries/libapparmor/src/grammar.y'
--- libraries/libapparmor/src/grammar.y	2010-07-24 10:43:53 +0000
+++ libraries/libapparmor/src/grammar.y	2010-07-24 11:58:32 +0000
@@ -432,6 +432,7 @@
 	| TOK_KEY_OUID TOK_EQUALS TOK_DIGITS
 	{ ret_record->ouid = $3;}
 	| TOK_KEY_COMM TOK_EQUALS TOK_QUOTED_STRING
+	{ ret_record->comm = $3;}
 	| TOK_KEY_APPARMOR TOK_EQUALS apparmor_event
 	;
 
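Review bot: The new action `{ ret_record->comm = $3;}` overwrites the pointer unconditionally, so a log line that carries `comm=` twice drops the first string without freeing it. The record is built from log text that local processes can influence, so `{ free(ret_record->comm); ret_record->comm = $3;}` would be safer, assuming the record starts out zeroed. The rule also accepts only TOK_QUOTED_STRING; audit can emit a comm value containing spaces or quotes as unquoted hex, and if that form reaches this parser it would not match this rule, which is worth a test_multi case. The rule list continues outside the hunk, and the other string-valued keys may share the same overwrite pattern.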

=== modified file 'libraries/libapparmor/src/libaalogparse.c'
--- libraries/libapparmor/src/libaalogparse.c	2009-09-18 21:13:04 +0000
+++ libraries/libapparmor/src/libaalogparse.c	2010-07-24 11:58:32 +0000
@@ -56,6 +56,8 @@
 			free(record->denied_mask);
 		if (record->profile != NULL)
 			free(record->profile);
+		if (record->comm != NULL)
+			free(record->comm);
 		if (record->name != NULL)
 			free(record->name);
 		if (record->name2 != NULL)

=== modified file 'libraries/libapparmor/testsuite/test_multi.c'
--- libraries/libapparmor/testsuite/test_multi.c	2009-09-18 21:13:04 +0000
+++ libraries/libapparmor/testsuite/test_multi.c	2010-07-24 11:58:32 +0000
@@ -129,6 +129,10 @@
 		{
 			printf("Name: %s\n", record->name);
 		}
+		if (record->comm != NULL)
+		{
+			printf("Command: %s\n", record->comm);
+		}
 		if (record->name2 != NULL)
 		{
 			printf("Name2: %s\n", record->name2);

=== modified file 'libraries/libapparmor/testsuite/test_multi/avc_audit_01.out'
--- libraries/libapparmor/testsuite/test_multi/avc_audit_01.out	2010-07-24 10:36:13 +0000
+++ libraries/libapparmor/testsuite/test_multi/avc_audit_01.out	2010-07-24 11:58:32 +0000
@@ -9,6 +9,7 @@
 ouid: 1000
 Profile: /usr/sbin/cupsd
 Name: /home/user/.ssh/
+Command: ls
 Parent: 12332
 PID: 12333
 Epoch: 1279948288

=== modified file 'libraries/libapparmor/testsuite/test_multi/avc_audit_02.out'
--- libraries/libapparmor/testsuite/test_multi/avc_audit_02.out	2010-07-24 10:36:13 +0000
+++ libraries/libapparmor/testsuite/test_multi/avc_audit_02.out	2010-07-24 11:58:32 +0000
@@ -4,6 +4,7 @@
 Audit ID: 1279948227.175:27
 Operation: profile_replace
 Name: /sbin/dhclient3
+Command: apparmor_parser
 PID: 12291
 Epoch: 1279948227
 Audit subid: 27

=== modified file 'libraries/libapparmor/testsuite/test_multi/avc_audit_03.out'
--- libraries/libapparmor/testsuite/test_multi/avc_audit_03.out	2010-07-24 10:57:56 +0000
+++ libraries/libapparmor/testsuite/test_multi/avc_audit_03.out	2010-07-24 11:58:32 +0000
@@ -9,6 +9,7 @@
 ouid: 0
 Profile: /tmp/cat
 Name: /etc/passwd
+Command: cat
 Parent: 7014
 PID: 21645
 Epoch: 1279968846

=== modified file 'libraries/libapparmor/testsuite/test_multi/avc_syslog_01.out'
--- libraries/libapparmor/testsuite/test_multi/avc_syslog_01.out	2010-07-24 10:36:13 +0000
+++ libraries/libapparmor/testsuite/test_multi/avc_syslog_01.out	2010-07-24 11:58:32 +0000
@@ -9,6 +9,7 @@
 ouid: 0
 Profile: /usr/sbin/cupsd
 Name: /boot/
+Command: ls
 Parent: 19650
 PID: 19651
 Epoch: 1279967133

=== modified file 'libraries/libapparmor/testsuite/test_multi/avc_syslog_02.out'
--- libraries/libapparmor/testsuite/test_multi/avc_syslog_02.out	2010-07-24 10:36:13 +0000
+++ libraries/libapparmor/testsuite/test_multi/avc_syslog_02.out	2010-07-24 11:58:32 +0000
@@ -4,6 +4,7 @@
 Audit ID: 1279967081.455:42
 Operation: profile_replace
 Name: /sbin/dhclient3
+Command: apparmor_parser
 PID: 19610
 Epoch: 1279967081
 Audit subid: 42

=== modified file 'libraries/libapparmor/testsuite/test_multi/avc_syslog_03.out'
--- libraries/libapparmor/testsuite/test_multi/avc_syslog_03.out	2010-07-24 10:57:56 +0000
+++ libraries/libapparmor/testsuite/test_multi/avc_syslog_03.out	2010-07-24 11:58:32 +0000
@@ -9,6 +9,7 @@
 ouid: 0
 Profile: /tmp/cat
 Name: /etc/passwd
+Command: cat
 Parent: 7014
 PID: 21645
 Epoch: 1279968846


-- 
Kees Cook
Ubuntu Security Team


