[apparmor] PATCH [2/6] - Fix capability log parsing

Steve Beattie steve at nxnw.org
Thu Sep 9 23:36:18 BST 2010


On Thu, Sep 09, 2010 at 08:34:40AM -0700, John Johansen wrote:
> The capability operation picked up the capability and capname fields.
> capability is reported by LSM_AUDIT and is just the capability number.
> capname is reported by the apparmor module and is the name the kernel
> knows the capability as.
> 
> For now just use capname and silently drop capability when it is found.

Actually, I mildly take back my ACK here...

> Index: libapparmor/src/scanner.l
> ===================================================================
> --- libapparmor.orig/src/scanner.l	2010-09-09 07:18:32.214193401 -0700
> +++ libapparmor/src/scanner.l	2010-09-09 07:40:32.814193400 -0700
> @@ -125,7 +125,6 @@
>  old_on			"on"
>  old_xattr		"xattr"
>  old_change		"change"
> -old_capability		"capability"
>  old_syscall		"syscall"
>  old_link		"link"
>  old_fork		"fork"
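Review bot: removing the `old_capability` definition leaves `TOK_OLD_CAPABILITY` (returned by the rule this patch replaces in the later hunk) with no scanner rule producing it; if the grammar still declares that token, it should be dropped or marked obsolete in the same change so the old-style capability path does not linger as an unreachable parser branch.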
> @@ -159,6 +158,8 @@
>  key_fsuid		"fsuid"
>  key_ouid		"ouid"
>  key_comm		"comm"
> +key_capability		"capability"
> +key_capname		"capname"
>  audit			"audit"
>  
>  /* syslog tokens */
> @@ -303,7 +304,7 @@
>  {old_extended}		{ return(TOK_OLD_EXTENDED); }
>  {old_on}		{ return(TOK_OLD_ON); }
>  {old_change}		{ return(TOK_OLD_CHANGE); }
> -{old_capability}	{ BEGIN(sub_id); return(TOK_OLD_CAPABILITY); }
> +{key_capability}	{ BEGIN(sub_id); return(TOK_KEY_CAPABILITY); }
>  {old_syscall}		{ return(TOK_OLD_SYSCALL); }
>  {old_fork}		{ return(TOK_OLD_FORK); }
>  {old_child}		{ return(TOK_OLD_CHILD); }
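Review bot: the replacement rule `{key_capability}	{ BEGIN(sub_id); return(TOK_KEY_CAPABILITY); }` sits among the `old_*` rules and still enters the `sub_id` start condition, which only exists for old-style `capability <id>` messages; a short comment saying so would help, since the `key_` prefix suggests an ordinary new-style `key=value` token like its neighbours in the next hunk.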
> @@ -343,6 +344,8 @@
>  {key_fsuid}		{ return(TOK_KEY_FSUID); }
>  {key_ouid}		{ return(TOK_KEY_OUID); }
>  {key_comm}		{ return(TOK_KEY_COMM); }
> +{key_capability}	{ return(TOK_KEY_CAPABILITY); }
> +{key_capname}		{ return(TOK_KEY_CAPNAME); }
>  
>  {syslog_kernel}		{ BEGIN(dmesg_timestamp); return(TOK_SYSLOG_KERNEL); }
>  {syslog_month}		{ yylval->t_str = strdup(yytext); return(TOK_DATE_MONTH); }
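Review bot: the `{key_capability}	{ return(TOK_KEY_CAPABILITY); }` rule added here can never fire: the same pattern is already matched by the earlier rule that does `BEGIN(sub_id)`, and flex resolves equal-length matches in favour of the rule listed first, so this line is dead code. Keep a single rule for the pattern so the sub_id behaviour lives in one place and is easy to remove together with the old-style message support.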

The pattern {key_capability} is now listed twice, thanks to the addition
in the last chunk. This works out somewhat okay as the first rule
will always match (and then jump into the sub_id state which can also
handle =ID pairs). The reason for the sub_id behavior is the old message
style capability keyword.

I think we should have the pattern keyword just once, and have it (for
the time being) jump to the sub_id state. Either way, it'll be mildly
confusing to untangle when we rip out the old style message support.

-- 
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/