[apparmor] [patch] libapparmor: add log-parsing support for encoded comm strings

John Johansen john.johansen at canonical.com
Wed Nov 30 18:27:00 UTC 2011



On 11/30/2011 10:21 AM, Steve Beattie wrote:
> While trying to track down the source of the problem for
> https://bugs.launchpad.net/apparmor/+bug/897957/ I discovered that the
> libapparmor log parsing library doesn't take into account comm entries
> that have been hex-encoded; these occur when the binary path name
> includes a space or other character that needs encoding.
> 
> The attached patch fixes the issue as well as adding a testcase that
> demonstrates the issue.
> 
> Unfortunately, this does not appear to be the cause of LP: #897957.
> 

Acked-by: John Johansen <john.johansen at canonical.com>

> === modified file 'libraries/libapparmor/src/grammar.y'
> --- libraries/libapparmor/src/grammar.y	2011-02-23 22:02:45 +0000
> +++ libraries/libapparmor/src/grammar.y	2011-11-30 18:08:05 +0000
> @@ -246,7 +246,7 @@
>  	{ ret_record->fsuid = $3;}
>  	| TOK_KEY_OUID TOK_EQUALS TOK_DIGITS
>  	{ ret_record->ouid = $3;}
> -	| TOK_KEY_COMM TOK_EQUALS TOK_QUOTED_STRING
> +	| TOK_KEY_COMM TOK_EQUALS safe_string
>  	{ ret_record->comm = $3;}
>  	| TOK_KEY_APPARMOR TOK_EQUALS apparmor_event
>  	| TOK_KEY_CAPABILITY TOK_EQUALS TOK_DIGITS
> 
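Review bot: The `comm` rule still does `ret_record->comm = $3;` but now takes `safe_string` instead of `TOK_QUOTED_STRING`, and the hunk does not show what `safe_string` yields. Please confirm that both of its alternatives hand back a freshly allocated, already decoded string with the same ownership as the old token, so the record's cleanup neither leaks nor double-frees it. A one-line comment on the rule saying that comm can arrive hex-encoded would also help the next reader.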
> === modified file 'libraries/libapparmor/src/scanner.l'
> --- libraries/libapparmor/src/scanner.l	2011-02-22 11:51:16 +0000
> +++ libraries/libapparmor/src/scanner.l	2011-11-30 18:08:39 +0000
> @@ -265,7 +265,7 @@
>  {key_error}		{ return(TOK_KEY_ERROR); }
>  {key_fsuid}		{ return(TOK_KEY_FSUID); }
>  {key_ouid}		{ return(TOK_KEY_OUID); }
> -{key_comm}		{ return(TOK_KEY_COMM); }
> +{key_comm}		{ BEGIN(safe_string); return(TOK_KEY_COMM); }
>  {key_capability}	{ return(TOK_KEY_CAPABILITY); }
>  {key_capname}		{ return(TOK_KEY_CAPNAME); }
>  {key_offset}		{ return(TOK_KEY_OFFSET); }
> 
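Review bot: `BEGIN(safe_string)` fires on the `{key_comm}` match itself, before the `=` has been scanned, so the `safe_string` start condition has to produce `TOK_EQUALS` and also return to the initial state on every path. Neither is visible in this hunk. Please confirm that a value which is neither quoted nor valid hex leaves the state instead of mis-tokenizing the keys that follow `comm=`, and consider a testcase with a malformed comm value to pin that down.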
> === added file 'libraries/libapparmor/testsuite/test_multi/testcase_encoded_comm.err'
> === added file 'libraries/libapparmor/testsuite/test_multi/testcase_encoded_comm.in'
> --- libraries/libapparmor/testsuite/test_multi/testcase_encoded_comm.in	1970-01-01 00:00:00 +0000
> +++ libraries/libapparmor/testsuite/test_multi/testcase_encoded_comm.in	2011-11-30 18:04:43 +0000
> @@ -0,0 +1,1 @@
> +type=AVC msg=audit(1322676143.201:455): apparmor="ALLOWED" operation="open" parent=10357 profile=2F686F6D652F73746576652F746D702F6D792070726F672E7368 name=2F686F6D652F73746576652F746D702F6D792070726F672E7368 pid=22918 comm=6D792070726F672E7368 requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
> 
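Review bot: The new input line exercises only the hex-encoded form (`comm=6D792070726F672E7368`). Since the comm rule now goes through a different start condition, it would be worth adding a companion case with a quoted comm made up solely of hex-digit characters (for example a constructed `comm="cafe"`) to show that quoted values are still taken literally and not decoded.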
> === added file 'libraries/libapparmor/testsuite/test_multi/testcase_encoded_comm.out'
> --- libraries/libapparmor/testsuite/test_multi/testcase_encoded_comm.out	1970-01-01 00:00:00 +0000
> +++ libraries/libapparmor/testsuite/test_multi/testcase_encoded_comm.out	2011-11-30 18:12:12 +0000
> @@ -0,0 +1,16 @@
> +START
> +File: test_multi/testcase_encoded_comm.in
> +Event type: AA_RECORD_ALLOWED
> +Audit ID: 1322676143.201:455
> +Operation: open
> +Mask: r
> +Denied Mask: r
> +fsuid: 1000
> +ouid: 1000
> +Profile: /home/steve/tmp/my prog.sh
> +Name: /home/steve/tmp/my prog.sh
> +Command: my prog.sh
> +Parent: 10357
> +PID: 22918
> +Epoch: 1322676143
> +Audit subid: 455
> 
> 
> 
> 
> 



