[apparmor] PATCH [2/6] - Fix capability log parsing
Steve Beattie
steve at nxnw.org
Fri Sep 10 00:25:06 BST 2010
On Thu, Sep 09, 2010 at 03:36:18PM -0700, Steve Beattie wrote:
> On Thu, Sep 09, 2010 at 08:34:40AM -0700, John Johansen wrote:
> > The capability operation picked up the capability and capname fields.
> > capability is reported by LSM_AUDIT and is just the capability number.
> > capname is reported by the apparmor module and is the name the kernel
> > knows the capability as.
> >
> > For now just use capname and silently drop capability when it is found.
>
> Actually, I mildly take back my ACK here...
>
> > Index: libapparmor/src/scanner.l
> > ===================================================================
> > --- libapparmor.orig/src/scanner.l 2010-09-09 07:18:32.214193401 -0700
> > +++ libapparmor/src/scanner.l 2010-09-09 07:40:32.814193400 -0700
> > @@ -125,7 +125,6 @@
> > old_on "on"
> > old_xattr "xattr"
> > old_change "change"
> > -old_capability "capability"
> > old_syscall "syscall"
> > old_link "link"
> > old_fork "fork"
> > @@ -159,6 +158,8 @@
> > key_fsuid "fsuid"
> > key_ouid "ouid"
> > key_comm "comm"
> > +key_capability "capability"
> > +key_capname "capname"
> > audit "audit"
> >
> > /* syslog tokens */
> > @@ -303,7 +304,7 @@
> > {old_extended} { return(TOK_OLD_EXTENDED); }
> > {old_on} { return(TOK_OLD_ON); }
> > {old_change} { return(TOK_OLD_CHANGE); }
> > -{old_capability} { BEGIN(sub_id); return(TOK_OLD_CAPABILITY); }
> > +{key_capability} { BEGIN(sub_id); return(TOK_KEY_CAPABILITY); }
> > {old_syscall} { return(TOK_OLD_SYSCALL); }
> > {old_fork} { return(TOK_OLD_FORK); }
> > {old_child} { return(TOK_OLD_CHILD); }
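Review bot: this rule keeps the BEGIN(sub_id) transition but now returns TOK_KEY_CAPABILITY instead of TOK_OLD_CAPABILITY, so the grammar production that consumed TOK_OLD_CAPABILITY for old-style messages must be switched to TOK_KEY_CAPABILITY in the same patch or the old-format testcases will stop parsing. Since the definition was renamed to key_capability, the rule also reads better moved down beside the other {key_*} rules rather than left in the middle of the {old_*} block.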
> > @@ -343,6 +344,8 @@
> > {key_fsuid} { return(TOK_KEY_FSUID); }
> > {key_ouid} { return(TOK_KEY_OUID); }
> > {key_comm} { return(TOK_KEY_COMM); }
> > +{key_capability} { return(TOK_KEY_CAPABILITY); }
> > +{key_capname} { return(TOK_KEY_CAPNAME); }
> >
> > {syslog_kernel} { BEGIN(dmesg_timestamp); return(TOK_SYSLOG_KERNEL); }
> > {syslog_month} { yylval->t_str = strdup(yytext); return(TOK_DATE_MONTH); }
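Review bot: the `{key_capability} { return(TOK_KEY_CAPABILITY); }` line added here has a pattern identical to the rule added in the previous hunk; flex breaks such ties in favour of the earlier rule, so this one can never match (flex flags it with a "rule cannot be matched" warning). Keep a single {key_capability} rule, and if old-style messages still need the sub_id start condition, put the BEGIN(sub_id) on that one rule rather than carrying two.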
>
> The pattern {key_capability} is now listed twice, thanks to the addition
> in the last chunk. This works out somewhat okay as the first rule
> will always match (and then jump into the sub_id state which can also
> handle =ID pairs). The reason for the sub_id behavior is the old message
> style capability keyword.
>
> I think we should have the pattern keyword just once, and have it (for
> the time being) jump to the sub_id state. Either way, it'll be mildly
> confusing to untangle when we rip out the old style message support.
This added patch passes with the testcases I provided:
=== modified file 'libraries/libapparmor/src/scanner.l'
--- libraries/libapparmor/src/scanner.l 2010-09-09 19:22:02 +0000
+++ libraries/libapparmor/src/scanner.l 2010-09-09 23:21:02 +0000
@@ -308,7 +308,6 @@
{old_extended} { return(TOK_OLD_EXTENDED); }
{old_on} { return(TOK_OLD_ON); }
{old_change} { return(TOK_OLD_CHANGE); }
-{key_capability} { BEGIN(sub_id); return(TOK_KEY_CAPABILITY); }
{old_syscall} { return(TOK_OLD_SYSCALL); }
{old_fork} { return(TOK_OLD_FORK); }
{old_child} { return(TOK_OLD_CHILD); }
@@ -348,7 +347,7 @@
{key_fsuid} { return(TOK_KEY_FSUID); }
{key_ouid} { return(TOK_KEY_OUID); }
{key_comm} { return(TOK_KEY_COMM); }
-{key_capability} { return(TOK_KEY_CAPABILITY); }
+{key_capability} { BEGIN(sub_id); return(TOK_KEY_CAPABILITY); }
{key_capname} { return(TOK_KEY_CAPNAME); }
{key_offset} { return(TOK_KEY_OFFSET); }
{key_target} { return(TOK_KEY_TARGET); }
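Review bot: with BEGIN(sub_id) now on the sole {key_capability} rule, every occurrence of the capability keyword is lexed in the sub_id start condition, new-style `capability=N` fields included, while {key_capname} stays in INITIAL; the grammar's handling of TOK_KEY_CAPABILITY therefore has to accept the `=N` form from sub_id as well as the old bare form. Worth covering with a testcase that carries both capability= and capname= in one new-style record, and a one-line comment on this rule saying the state change exists only for the old message format, so it is obvious what to delete when old-style support is ripped out.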
--
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/
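The thread describes the policy the scanner ends up with for the two fields: keep capname (the name the apparmor module reports) and silently drop capability (the bare number LSM_AUDIT reports). As an added illustration, not code from libapparmor or from either poster, the C below splits one key=value audit record with that policy applied, so the effect can be checked outside the flex/bison build. The record, the struct and the function name parse_cap_event are all constructed for the example; only the field names capability and capname come from the thread.

```c
#include <stdio.h>
#include <string.h>

#define MAX_NAME 64

/* What the example keeps from one capability audit record. */
struct cap_event {
    char capname[MAX_NAME];  /* name from the apparmor module, "" if absent */
    int  capability_dropped; /* numeric LSM_AUDIT capability= fields consumed and ignored */
    int  pairs;              /* key=value pairs recognised in the record */
};

/* Copy a value into dst, stripping one pair of surrounding double quotes
 * and truncating to dstlen-1 bytes. */
static void copy_value(char *dst, size_t dstlen, const char *v, size_t vlen)
{
    if (vlen >= 2 && v[0] == '"' && v[vlen - 1] == '"') {
        v++;
        vlen -= 2;
    }
    if (vlen >= dstlen)
        vlen = dstlen - 1;
    memcpy(dst, v, vlen);
    dst[vlen] = '\0';
}

/* Split one space-separated key=value record. Values are bare or
 * double-quoted. Returns 0 on success, -1 on a bare word without '='
 * or on an unterminated quote. Applies the patch's policy: capname is
 * kept, capability is recognised and silently dropped. */
int parse_cap_event(const char *line, struct cap_event *ev)
{
    const char *p = line;

    memset(ev, 0, sizeof(*ev));
    while (*p) {
        const char *key, *eq, *val, *end;
        size_t klen, vlen;

        while (*p == ' ')
            p++;
        if (!*p)
            break;
        key = p;
        eq = strchr(key, '=');
        if (eq == NULL || memchr(key, ' ', (size_t)(eq - key)) != NULL)
            return -1;                 /* bare word where key=value was expected */
        klen = (size_t)(eq - key);
        val = eq + 1;
        if (*val == '"') {
            end = strchr(val + 1, '"');
            if (end == NULL)
                return -1;             /* unterminated quoted value */
            end++;
        } else {
            end = val;
            while (*end && *end != ' ')
                end++;
        }
        vlen = (size_t)(end - val);
        ev->pairs++;
        if (klen == 7 && strncmp(key, "capname", 7) == 0)
            copy_value(ev->capname, sizeof(ev->capname), val, vlen);
        else if (klen == 10 && strncmp(key, "capability", 10) == 0)
            ev->capability_dropped++;  /* consumed so the record still parses */
        p = end;
    }
    return 0;
}

int main(void)
{
    /* Constructed record: field names follow the thread, values are made up. */
    const char *rec = "type=AVC msg=audit(1284000000.123:45): apparmor=\"DENIED\" "
                      "operation=\"capable\" pid=1234 comm=\"ping\" "
                      "capability=13 capname=\"net_raw\"";
    struct cap_event ev;

    if (parse_cap_event(rec, &ev) != 0) {
        fprintf(stderr, "malformed record\n");
        return 1;
    }
    printf("pairs=%d capname=%s dropped=%d\n", ev.pairs, ev.capname,
           ev.capability_dropped);
    return 0;
}
```

A record carrying only the numeric field, as LSM_AUDIT alone would emit, parses but leaves capname empty, which is exactly the information the drop-capability policy gives up; a parser that needs the name in that case would have to map the number itself, something the patch deliberately does not do.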