[apparmor] Rev 1435: Add testcases for new LSM-audit log messages.

Steve Beattie steve at nxnw.org
Fri Sep 10 02:49:15 BST 2010


This particular commit, rev 1435 from trunk, never got nominated for
the 2.5.1 branch, but is pretty crucial for parsing the most recent
version of apparmor's log messages. Thus I'm nominating it for 2.5.1.

(I want to review it a little more closely myself.)

On Mon, Jul 26, 2010 at 04:18:26PM -0000, noreply at launchpad.net wrote:
> ------------------------------------------------------------
> revno: 1435
> committer: Kees Cook <kees.cook at canonical.com>
> branch nick: master
> timestamp: Mon 2010-07-26 09:16:23 -0700
> message:
>   Add testcases for new LSM-audit log messages.
>   Update log parser grammar to handle new LSM-audit log messages.
> added:
>   libraries/libapparmor/testsuite/test_multi/avc_audit_01.in
>   libraries/libapparmor/testsuite/test_multi/avc_audit_01.out
>   libraries/libapparmor/testsuite/test_multi/avc_audit_02.in
>   libraries/libapparmor/testsuite/test_multi/avc_audit_02.out
>   libraries/libapparmor/testsuite/test_multi/avc_audit_03.in
>   libraries/libapparmor/testsuite/test_multi/avc_audit_03.out
>   libraries/libapparmor/testsuite/test_multi/avc_syslog_01.in
>   libraries/libapparmor/testsuite/test_multi/avc_syslog_01.out
>   libraries/libapparmor/testsuite/test_multi/avc_syslog_02.in
>   libraries/libapparmor/testsuite/test_multi/avc_syslog_02.out
>   libraries/libapparmor/testsuite/test_multi/avc_syslog_03.in
>   libraries/libapparmor/testsuite/test_multi/avc_syslog_03.out
> modified:
>   libraries/libapparmor/src/grammar.y
>   libraries/libapparmor/src/scanner.l
>   utils/SubDomain.pm
> 
> 
> --
> lp:apparmor
> https://code.launchpad.net/~apparmor-dev/apparmor/master
> 
> You are subscribed to branch lp:apparmor.
> To unsubscribe from this branch go to https://code.launchpad.net/~apparmor-dev/apparmor/master/+edit-subscription

> === modified file 'libraries/libapparmor/src/grammar.y'
> --- libraries/libapparmor/src/grammar.y	2009-09-18 21:13:04 +0000
> +++ libraries/libapparmor/src/grammar.y	2010-07-26 16:16:23 +0000
> @@ -1,6 +1,7 @@
>  /*
>   *   Copyright (c) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007
>   *   NOVELL (All rights reserved)
> + *   Copyright (c) 2010, Canonical, Ltd.
>   *
>   *   This program is free software; you can redistribute it and/or
>   *   modify it under the terms of version 2 of the GNU General Public
> @@ -96,6 +97,13 @@
>  %token TOK_TYPE_HINT
>  %token TOK_TYPE_STATUS
>  %token TOK_TYPE_ERROR
> +%token TOK_TYPE_AA_REJECT
> +%token TOK_TYPE_AA_AUDIT
> +%token TOK_TYPE_AA_COMPLAIN
> +%token TOK_TYPE_AA_HINT
> +%token TOK_TYPE_AA_STATUS
> +%token TOK_TYPE_AA_ERROR
> +%token TOK_TYPE_LSM_AVC
>  %token TOK_OLD_TYPE_APPARMOR
>  %token TOK_OLD_APPARMOR_REJECT
>  %token TOK_OLD_APPARMOR_PERMIT
> @@ -123,6 +131,7 @@
>  %token TOK_OLD_FORK
>  %token TOK_OLD_CHILD
>  
> +%token TOK_KEY_APPARMOR
>  %token TOK_KEY_TYPE
>  %token TOK_KEY_MSG
>  %token TOK_KEY_OPERATION
> @@ -146,6 +155,7 @@
>  %token TOK_KEY_ERROR
>  %token TOK_KEY_FSUID
>  %token TOK_KEY_OUID
> +%token TOK_KEY_COMM
>  
>  %token TOK_SYSLOG_KERNEL
>  
> @@ -168,13 +178,14 @@
>  	;
>  
>  new_syntax:
> -	  TOK_TYPE_REJECT audit_msg key_list { ret_record->event = AA_RECORD_DENIED; }
> -	| TOK_TYPE_AUDIT audit_msg key_list { ret_record->event = AA_RECORD_AUDIT; }
> -	| TOK_TYPE_COMPLAIN audit_msg key_list { ret_record->event = AA_RECORD_ALLOWED; }
> -	| TOK_TYPE_HINT audit_msg key_list { ret_record->event = AA_RECORD_HINT; }
> -	| TOK_TYPE_STATUS audit_msg key_list { ret_record->event = AA_RECORD_STATUS; }
> -	| TOK_TYPE_ERROR audit_msg key_list { ret_record->event = AA_RECORD_ERROR; }
> +	  TOK_TYPE_AA_REJECT audit_msg key_list { ret_record->event = AA_RECORD_DENIED; }
> +	| TOK_TYPE_AA_AUDIT audit_msg key_list { ret_record->event = AA_RECORD_AUDIT; }
> +	| TOK_TYPE_AA_COMPLAIN audit_msg key_list { ret_record->event = AA_RECORD_ALLOWED; }
> +	| TOK_TYPE_AA_HINT audit_msg key_list { ret_record->event = AA_RECORD_HINT; }
> +	| TOK_TYPE_AA_STATUS audit_msg key_list { ret_record->event = AA_RECORD_STATUS; }
> +	| TOK_TYPE_AA_ERROR audit_msg key_list { ret_record->event = AA_RECORD_ERROR; }
>  	| TOK_TYPE_UNKNOWN audit_msg key_list { ret_record->event = lookup_aa_event($1); }
> +	| TOK_TYPE_LSM_AVC audit_msg key_list
>  	;
>  
>  other_audit: TOK_TYPE_OTHER audit_msg TOK_MSG_REST
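Review bot: The new `TOK_TYPE_LSM_AVC audit_msg key_list` alternative carries no action, so for a type=AVC record ret_record->event is only set if key_list happens to contain an `apparmor=` key that reaches apparmor_event; an AVC record without that key (AVC is the generic LSM audit type, not an AppArmor-specific one) is accepted with event left at whatever value the record was initialised with, which is not visible from this hunk. A comment on the alternative would make the dependency explicit: `/* event is set by the apparmor= key inside key_list (see apparmor_event) */`. If the library is meant to reject AVC records from other LSMs, a flag set in apparmor_event and tested in this alternative's action would make that explicit rather than implicit.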
> @@ -420,6 +431,17 @@
>  	{ ret_record->fsuid = $3;}
>  	| TOK_KEY_OUID TOK_EQUALS TOK_DIGITS
>  	{ ret_record->ouid = $3;}
> +	| TOK_KEY_COMM TOK_EQUALS TOK_QUOTED_STRING
> +	| TOK_KEY_APPARMOR TOK_EQUALS apparmor_event
> +	;
> +
> +apparmor_event:
> +	  TOK_TYPE_REJECT	{ ret_record->event = AA_RECORD_DENIED; }
> +	| TOK_TYPE_AUDIT	{ ret_record->event = AA_RECORD_AUDIT; }
> +	| TOK_TYPE_COMPLAIN	{ ret_record->event = AA_RECORD_ALLOWED; }
> +	| TOK_TYPE_HINT		{ ret_record->event = AA_RECORD_HINT; }
> +	| TOK_TYPE_STATUS	{ ret_record->event = AA_RECORD_STATUS; }
> +	| TOK_TYPE_ERROR	{ ret_record->event = AA_RECORD_ERROR; }
>  	;
>  
>  key_pid: TOK_KEY_PID TOK_EQUALS TOK_DIGITS { ret_record->pid = $3; }
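Review bot: The `TOK_KEY_COMM TOK_EQUALS TOK_QUOTED_STRING` alternative has no action, so the comm value is discarded; if TOK_QUOTED_STRING is strdup()ed in the scanner the way the syslog_month rule does for its token, this leaks one string for every record carrying comm=. Either release it, `| TOK_KEY_COMM TOK_EQUALS TOK_QUOTED_STRING { free($3); }`, or store it once the record gains a field for the process name. The apparmor_event rule also deserves a one-line comment, since it is the only place that sets ret_record->event for AVC records and it does so from inside key_list rather than from the new_syntax alternative: `/* apparmor="..." inside an AVC record selects the event type */`.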
> 
> === modified file 'libraries/libapparmor/src/scanner.l'
> --- libraries/libapparmor/src/scanner.l	2010-02-10 23:13:55 +0000
> +++ libraries/libapparmor/src/scanner.l	2010-07-26 16:16:23 +0000
> @@ -1,6 +1,7 @@
>  /*
>   *   Copyright (c) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007
>   *   NOVELL (All rights reserved)
> + *   Copyright (c) 2010, Canonical, Ltd.
>   *
>   *   This program is free software; you can redistribute it and/or
>   *   modify it under the terms of version 2 of the GNU General Public
> @@ -84,12 +85,19 @@
>  modes		({mode_chars}+)|({mode_chars}+::{mode_chars}*)|(::{mode_chars}*)
>  /* New message types */
>  
> -reject_type		"APPARMOR_DENIED"
> -audit_type		"APPARMOR_AUDIT"
> -complain_type		"APPARMOR_ALLOWED"
> -hint_type		"APPARMOR_HINT"
> -status_type		"APPARMOR_STATUS"
> -error_type		"APPARMOR_ERROR"
> +aa_reject_type		"APPARMOR_DENIED"
> +aa_audit_type		"APPARMOR_AUDIT"
> +aa_complain_type	"APPARMOR_ALLOWED"
> +aa_hint_type		"APPARMOR_HINT"
> +aa_status_type		"APPARMOR_STATUS"
> +aa_error_type		"APPARMOR_ERROR"
> +reject_type		"\"DENIED\""
> +audit_type		"\"AUDIT\""
> +complain_type		"\"ALLOWED\""
> +hint_type		"\"HINT\""
> +status_type		"\"STATUS\""
> +error_type		"\"ERROR\""
> +lsm_avc_type		"AVC"
>  unknown_type		UNKNOWN\[{digits}+\]
>  other_audit_type	[[:alnum:]\[\]_-]+
>  
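Review bot: `lsm_avc_type "AVC"` matches the generic LSM audit type rather than anything AppArmor-specific — the Perl regexes added in this same commit require `apparmor=` after it for exactly that reason — so it is worth saying next to the definition: `/* AVC is the generic LSM audit type; AppArmor records are identified by the apparmor= key that follows */`. The renamed `reject_type` … `error_type` patterns now include the surrounding double quotes, which is only apparent from reading the escaped strings; a comment such as `/* quoted values of the apparmor= key in AVC records */` above them would help the next reader. The rules that consume these definitions are in a later hunk of this file.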
> @@ -125,6 +133,7 @@
>  
>  /* Key tokens */
>  
> +key_apparmor		"apparmor"
>  key_type		"type"
>  key_msg			"msg"
>  key_operation		"operation"
> @@ -147,6 +156,7 @@
>  key_error		"error"
>  key_fsuid		"fsuid"
>  key_ouid		"ouid"
> +key_comm		"comm"
>  audit			"audit"
>  
>  /* syslog tokens */
> @@ -240,6 +250,13 @@
>  	{hint_type}	{ BEGIN(INITIAL); return(TOK_TYPE_HINT); }
>  	{status_type}	{ BEGIN(INITIAL); return(TOK_TYPE_STATUS); }
>  	{error_type}	{ BEGIN(INITIAL); return(TOK_TYPE_ERROR); }
> +	{aa_reject_type}	{ BEGIN(INITIAL); return(TOK_TYPE_AA_REJECT); }
> +	{aa_audit_type}	{ BEGIN(INITIAL); return(TOK_TYPE_AA_AUDIT); }
> +	{aa_complain_type}	{ BEGIN(INITIAL); return(TOK_TYPE_AA_COMPLAIN); }
> +	{aa_hint_type}	{ BEGIN(INITIAL); return(TOK_TYPE_AA_HINT); }
> +	{aa_status_type}	{ BEGIN(INITIAL); return(TOK_TYPE_AA_STATUS); }
> +	{aa_error_type}	{ BEGIN(INITIAL); return(TOK_TYPE_AA_ERROR); }
> +	{lsm_avc_type}	{ BEGIN(INITIAL); return(TOK_TYPE_LSM_AVC); }
>  	{unknown_type}	{ char *yptr = yytext;
>  			  while (*yptr && *yptr != '[')
>  			  	yptr++;
> @@ -300,6 +317,7 @@
>  	{key_attribute}	{ BEGIN(sub_id); return(TOK_KEY_ATTRIBUTE); }
>  }
>  
> +{key_apparmor}		{ BEGIN(audit_types); return(TOK_KEY_APPARMOR); }
>  {key_type}		{ BEGIN(audit_types); return(TOK_KEY_TYPE); }
>  {key_msg}		{ return(TOK_KEY_MSG); }
>  {key_operation}		{ return(TOK_KEY_OPERATION); }
> @@ -321,6 +339,7 @@
>  {key_error}		{ return(TOK_KEY_ERROR); }
>  {key_fsuid}		{ return(TOK_KEY_FSUID); }
>  {key_ouid}		{ return(TOK_KEY_OUID); }
> +{key_comm}		{ return(TOK_KEY_COMM); }
>  
>  {syslog_kernel}		{ BEGIN(dmesg_timestamp); return(TOK_SYSLOG_KERNEL); }
>  {syslog_month}		{ yylval->t_str = strdup(yytext); return(TOK_DATE_MONTH); }
> 
> === added file 'libraries/libapparmor/testsuite/test_multi/avc_audit_01.in'
> --- libraries/libapparmor/testsuite/test_multi/avc_audit_01.in	1970-01-01 00:00:00 +0000
> +++ libraries/libapparmor/testsuite/test_multi/avc_audit_01.in	2010-07-26 16:16:23 +0000
> @@ -0,0 +1,1 @@
> +type=AVC msg=audit(1279948288.415:39): apparmor="DENIED" operation="open" parent=12332 profile="/usr/sbin/cupsd" name="/home/user/.ssh/" pid=12333 comm="ls" requested_mask="r" denied_mask="r" fsuid=0 ouid=1000
> 
> === added file 'libraries/libapparmor/testsuite/test_multi/avc_audit_01.out'
> --- libraries/libapparmor/testsuite/test_multi/avc_audit_01.out	1970-01-01 00:00:00 +0000
> +++ libraries/libapparmor/testsuite/test_multi/avc_audit_01.out	2010-07-26 16:16:23 +0000
> @@ -0,0 +1,15 @@
> +START
> +File: test_multi/avc_audit_01.in
> +Event type: AA_RECORD_DENIED
> +Audit ID: 1279948288.415:39
> +Operation: open
> +Mask: r
> +Denied Mask: r
> +fsuid: 0
> +ouid: 1000
> +Profile: /usr/sbin/cupsd
> +Name: /home/user/.ssh/
> +Parent: 12332
> +PID: 12333
> +Epoch: 1279948288
> +Audit subid: 39
> 
> === added file 'libraries/libapparmor/testsuite/test_multi/avc_audit_02.in'
> --- libraries/libapparmor/testsuite/test_multi/avc_audit_02.in	1970-01-01 00:00:00 +0000
> +++ libraries/libapparmor/testsuite/test_multi/avc_audit_02.in	2010-07-26 16:16:23 +0000
> @@ -0,0 +1,1 @@
> +type=AVC msg=audit(1279948227.175:27): apparmor="STATUS" operation="profile_replace" name="/sbin/dhclient3" pid=12291 comm="apparmor_parser"
> 
> === added file 'libraries/libapparmor/testsuite/test_multi/avc_audit_02.out'
> --- libraries/libapparmor/testsuite/test_multi/avc_audit_02.out	1970-01-01 00:00:00 +0000
> +++ libraries/libapparmor/testsuite/test_multi/avc_audit_02.out	2010-07-26 16:16:23 +0000
> @@ -0,0 +1,9 @@
> +START
> +File: test_multi/avc_audit_02.in
> +Event type: AA_RECORD_STATUS
> +Audit ID: 1279948227.175:27
> +Operation: profile_replace
> +Name: /sbin/dhclient3
> +PID: 12291
> +Epoch: 1279948227
> +Audit subid: 27
> 
> === added file 'libraries/libapparmor/testsuite/test_multi/avc_audit_03.in'
> --- libraries/libapparmor/testsuite/test_multi/avc_audit_03.in	1970-01-01 00:00:00 +0000
> +++ libraries/libapparmor/testsuite/test_multi/avc_audit_03.in	2010-07-26 16:16:23 +0000
> @@ -0,0 +1,1 @@
> +type=AVC msg=audit(1279968846.035:77): apparmor="ALLOWED" operation="open" parent=7014 profile="/tmp/cat" name="/etc/passwd" pid=21645 comm="cat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
> 
> === added file 'libraries/libapparmor/testsuite/test_multi/avc_audit_03.out'
> --- libraries/libapparmor/testsuite/test_multi/avc_audit_03.out	1970-01-01 00:00:00 +0000
> +++ libraries/libapparmor/testsuite/test_multi/avc_audit_03.out	2010-07-26 16:16:23 +0000
> @@ -0,0 +1,15 @@
> +START
> +File: test_multi/avc_audit_03.in
> +Event type: AA_RECORD_ALLOWED
> +Audit ID: 1279968846.035:77
> +Operation: open
> +Mask: r
> +Denied Mask: r
> +fsuid: 1000
> +ouid: 0
> +Profile: /tmp/cat
> +Name: /etc/passwd
> +Parent: 7014
> +PID: 21645
> +Epoch: 1279968846
> +Audit subid: 77
> 
> === added file 'libraries/libapparmor/testsuite/test_multi/avc_syslog_01.in'
> --- libraries/libapparmor/testsuite/test_multi/avc_syslog_01.in	1970-01-01 00:00:00 +0000
> +++ libraries/libapparmor/testsuite/test_multi/avc_syslog_01.in	2010-07-26 16:16:23 +0000
> @@ -0,0 +1,1 @@
> +Jul 24 12:25:33 spriggan kernel: [42416.178567] type=1400 audit(1279967133.365:54): apparmor="DENIED" operation="open" parent=19650 profile="/usr/sbin/cupsd" name="/boot/" pid=19651 comm="ls" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> 
> === added file 'libraries/libapparmor/testsuite/test_multi/avc_syslog_01.out'
> --- libraries/libapparmor/testsuite/test_multi/avc_syslog_01.out	1970-01-01 00:00:00 +0000
> +++ libraries/libapparmor/testsuite/test_multi/avc_syslog_01.out	2010-07-26 16:16:23 +0000
> @@ -0,0 +1,15 @@
> +START
> +File: test_multi/avc_syslog_01.in
> +Event type: AA_RECORD_DENIED
> +Audit ID: 1279967133.365:54
> +Operation: open
> +Mask: r
> +Denied Mask: r
> +fsuid: 0
> +ouid: 0
> +Profile: /usr/sbin/cupsd
> +Name: /boot/
> +Parent: 19650
> +PID: 19651
> +Epoch: 1279967133
> +Audit subid: 54
> 
> === added file 'libraries/libapparmor/testsuite/test_multi/avc_syslog_02.in'
> --- libraries/libapparmor/testsuite/test_multi/avc_syslog_02.in	1970-01-01 00:00:00 +0000
> +++ libraries/libapparmor/testsuite/test_multi/avc_syslog_02.in	2010-07-26 16:16:23 +0000
> @@ -0,0 +1,1 @@
> +Jul 24 12:24:41 spriggan kernel: [42364.269117] type=1400 audit(1279967081.455:42): apparmor="STATUS" operation="profile_replace" name="/sbin/dhclient3" pid=19610 comm="apparmor_parser"
> 
> === added file 'libraries/libapparmor/testsuite/test_multi/avc_syslog_02.out'
> --- libraries/libapparmor/testsuite/test_multi/avc_syslog_02.out	1970-01-01 00:00:00 +0000
> +++ libraries/libapparmor/testsuite/test_multi/avc_syslog_02.out	2010-07-26 16:16:23 +0000
> @@ -0,0 +1,9 @@
> +START
> +File: test_multi/avc_syslog_02.in
> +Event type: AA_RECORD_STATUS
> +Audit ID: 1279967081.455:42
> +Operation: profile_replace
> +Name: /sbin/dhclient3
> +PID: 19610
> +Epoch: 1279967081
> +Audit subid: 42
> 
> === added file 'libraries/libapparmor/testsuite/test_multi/avc_syslog_03.in'
> --- libraries/libapparmor/testsuite/test_multi/avc_syslog_03.in	1970-01-01 00:00:00 +0000
> +++ libraries/libapparmor/testsuite/test_multi/avc_syslog_03.in	2010-07-26 16:16:23 +0000
> @@ -0,0 +1,1 @@
> +Jul 24 12:54:06 spriggan kernel: [44128.842691] type=1400 audit(1279968846.035:77): apparmor="ALLOWED" operation="open" parent=7014 profile="/tmp/cat" name="/etc/passwd" pid=21645 comm="cat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
> 
> === added file 'libraries/libapparmor/testsuite/test_multi/avc_syslog_03.out'
> --- libraries/libapparmor/testsuite/test_multi/avc_syslog_03.out	1970-01-01 00:00:00 +0000
> +++ libraries/libapparmor/testsuite/test_multi/avc_syslog_03.out	2010-07-26 16:16:23 +0000
> @@ -0,0 +1,15 @@
> +START
> +File: test_multi/avc_syslog_03.in
> +Event type: AA_RECORD_ALLOWED
> +Audit ID: 1279968846.035:77
> +Operation: open
> +Mask: r
> +Denied Mask: r
> +fsuid: 1000
> +ouid: 0
> +Profile: /tmp/cat
> +Name: /etc/passwd
> +Parent: 7014
> +PID: 21645
> +Epoch: 1279968846
> +Audit subid: 77
> 
> === modified file 'utils/SubDomain.pm'
> --- utils/SubDomain.pm	2010-03-26 13:51:21 +0000
> +++ utils/SubDomain.pm	2010-07-26 16:16:23 +0000
> @@ -2,6 +2,7 @@
>  #
>  # ----------------------------------------------------------------------
>  #    Copyright (c) 2006 Novell, Inc. All Rights Reserved.
> +#    Copyright (c) 2010 Canonical, Ltd.
>  #
>  #    This program is free software; you can redistribute it and/or
>  #    modify it under the terms of version 2 of the GNU General Public
> @@ -2413,10 +2414,13 @@
>  our $seenmark;
>  my $RE_LOG_v2_0_syslog = qr/SubDomain/;
>  my $RE_LOG_v2_1_syslog = qr/kernel:\s+(\[[\d\.\s]+\]\s+)?(audit\([\d\.\:]+\):\s+)?type=150[1-6]/;
> +my $RE_LOG_v2_6_syslog = qr/kernel:\s+(\[[\d\.\s]+\]\s+)?type=\d+\s+audit\([\d\.\:]+\):\s+apparmor=/;
>  my $RE_LOG_v2_0_audit  =
>      qr/type=(APPARMOR|UNKNOWN\[1500\]) msg=audit\([\d\.\:]+\):/;
>  my $RE_LOG_v2_1_audit  =
>      qr/type=(UNKNOWN\[150[1-6]\]|APPARMOR_(AUDIT|ALLOWED|DENIED|HINT|STATUS|ERROR))/;
> +my $RE_LOG_v2_6_audit =
> +    qr/type=AVC\s+audit\([\d\.\:]+\):\s+apparmor=/;
>  
>  sub prefetch_next_log_entry {
>      # if we already have an existing cache entry, something's broken
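Review bot: `$RE_LOG_v2_6_audit` will not match the audit-format records this commit adds as test cases — those lines read `type=AVC msg=audit(...): apparmor=...`, but the pattern requires `audit\(` to follow `type=AVC\s+` directly, with no `msg=` in between. Compare `$RE_LOG_v2_0_audit` a few lines above, which does include `msg=audit\(`. Suggested: `qr/type=AVC\s+msg=audit\([\d\.\:]+\):\s+apparmor=/`. The syslog variant does line up with the avc_syslog_*.in samples (`type=1400 audit(...)`). `prefetch_next_log_entry` continues past the end of this hunk, and the alternation that uses both regexes is in the next one.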
> @@ -2434,6 +2438,8 @@
>          $RE_LOG_v2_0_audit  |
>          $RE_LOG_v2_1_audit  |
>          $RE_LOG_v2_1_syslog |
> +        $RE_LOG_v2_6_syslog |
> +        $RE_LOG_v2_6_audit  |
>          $logmark
>      }x);
>  }
> 


-- 
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/