[apparmor] [patch] libapparmor: add support for ip addresses and ports

Steve Beattie steve at nxnw.org
Fri Apr 6 17:39:56 UTC 2012


Bugs: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/800826
  https://bugzilla.novell.com/show_bug.cgi?id=755923

This patch modifies the libapparmor log parsing code to add support
for the additional IP address and port keywords (laddr, lport, faddr,
fport) that can occur in network audit messages, for both DENIED and
ALLOWED events. The laddr and faddr keywords stand for local address
and foreign address respectively.

The regex used to match an ip address is not very strict, to hopefully
catch the formats that the kernel emits for ipv6 addresses; however,
because this is in a context triggered by the addr keywords, it should
not over-eagerly consume non-ip addresses. Said addresses are returned
as strings in the struct to be processed by the calling application.

(When committing, empty .err files will need to be created as well.)

---
 libraries/libapparmor/src/aalogparse.h                             |    4 ++
 libraries/libapparmor/src/grammar.y                                |   13 ++++++
 libraries/libapparmor/src/scanner.l                                |   20 +++++++++-
 libraries/libapparmor/testsuite/test_multi.c                       |   17 ++++++++
 libraries/libapparmor/testsuite/test_multi/testcase_network_01.in  |    1 
 libraries/libapparmor/testsuite/test_multi/testcase_network_01.out |   18 +++++++++
 libraries/libapparmor/testsuite/test_multi/testcase_network_02.in  |    1 
 libraries/libapparmor/testsuite/test_multi/testcase_network_02.out |   16 ++++++++
 libraries/libapparmor/testsuite/test_multi/testcase_network_03.in  |    1 
 libraries/libapparmor/testsuite/test_multi/testcase_network_03.out |   15 +++++++
 libraries/libapparmor/testsuite/test_multi/testcase_network_04.in  |    1 
 libraries/libapparmor/testsuite/test_multi/testcase_network_04.out |   18 +++++++++
 libraries/libapparmor/testsuite/test_multi/testcase_network_05.in  |    1 
 libraries/libapparmor/testsuite/test_multi/testcase_network_05.out |   18 +++++++++
 14 files changed, 143 insertions(+), 1 deletion(-)

Index: b/libraries/libapparmor/src/scanner.l
===================================================================
--- a/libraries/libapparmor/src/scanner.l
+++ b/libraries/libapparmor/src/scanner.l
@@ -133,8 +133,15 @@ key_capability		"capability"
 key_capname		"capname"
 key_offset		"offset"
 key_target		"target"
+key_laddr		"laddr"
+key_faddr		"faddr"
+key_lport		"lport"
+key_fport		"fport"
 audit			"audit"
 
+/* network addrs */
+ip_addr			[a-f[:digit:].:]{3,}
+
 /* syslog tokens */
 syslog_kernel		kernel{colon}
 syslog_month 		Jan(uary)?|Feb(ruary)?|Mar(ch)?|Apr(il)?|May|Jun(e)?|Jul(y)?|Aug(ust)?|Sep(tember)?|Oct(ober)?|Nov(ember)?|Dec(ember)?
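Review bot: The new `ip_addr` definition carries none of the rationale the cover letter gives, so the next reader sees a character class that also matches `...` or `:::` and has to guess whether that is a bug. Add a comment above it along the lines of `/* deliberately loose: must accept dotted IPv4, lowercase IPv6 and v4-mapped IPv6 (::ffff:1.2.3.4) as the kernel prints them; only reachable from the ip_addr start condition entered on laddr=/faddr=, and the value is handed to the caller unvalidated */`. The class is lowercase-only, so uppercase hex digits in an address would fall through to the start condition's error rule; if that is intentional because the kernel never emits them, the comment is the place to say so.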
@@ -149,12 +156,13 @@ dmesg_timestamp		\[[[:digit:] ]{5,}\.[[:
 %x dmesg_timestamp
 %x safe_string
 %x audit_types
+%x ip_addr
 %x other_audit
 %x unknown_message
 
 %%
 %{
-yy_flex_debug = 0;
+yy_flex_debug = 1;
 %}
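Review bot: `yy_flex_debug = 1;` looks like a debugging leftover rather than part of the feature, and because this `%{ %}` block sits at the top of the rules section it runs on every yylex() call, so every caller of the library would get flex's rule-by-rule trace on stderr for each log line it parses. Restore `yy_flex_debug = 0;` before committing, or, if a runtime switch is wanted, gate it on an environment variable or build flag rather than hard-coding it on.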
 
 
@@ -201,6 +209,12 @@ yy_flex_debug = 0;
 	.		{ /* eek, error! try another state */ BEGIN(INITIAL); yyless(0); }
 	}
 
+<ip_addr>{
+	{ip_addr}	{ yylval->t_str = strdup(yytext); yy_pop_state(yyscanner); return(TOK_IP_ADDR); }
+	{equals}	{ return(TOK_EQUALS); }
+	.		{ /* eek, error! try another state */ BEGIN(INITIAL); yyless(0); }
+	}
+
 <audit_types>{
 	{equals}	{ return(TOK_EQUALS); }
 	{digits}	{ yylval->t_long = atol(yytext); BEGIN(INITIAL); return(TOK_DIGITS); }
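Review bot: The error rule in the new `<ip_addr>` block, `.		{ BEGIN(INITIAL); yyless(0); }`, changes start condition without popping the entry that `yy_push_state(ip_addr, yyscanner)` pushed on the laddr/faddr keyword, so every malformed or unexpected `laddr=`/`faddr=` value leaves a stale `ip_addr` entry on flex's start-condition stack; the neighbouring `<…>` blocks use plain BEGIN for both entry and exit, so only this one is unbalanced. Any later yy_pop_state in the scanner would then land back in `ip_addr` instead of the state it expects, and the stack grows by one entry per bad line. Use `.		{ yy_pop_state(yyscanner); yyless(0); }` so both exits from the condition restore the state the keyword was matched in. The `{ip_addr}` action also calls strdup() without checking the result, but that matches the existing `{syslog_month}` rule, so it is at most a pre-existing issue.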
@@ -270,6 +284,10 @@ yy_flex_debug = 0;
 {key_capname}		{ return(TOK_KEY_CAPNAME); }
 {key_offset}		{ return(TOK_KEY_OFFSET); }
 {key_target}		{ return(TOK_KEY_TARGET); }
+{key_laddr}		{ yy_push_state(ip_addr, yyscanner); return(TOK_KEY_LADDR); }
+{key_faddr}		{ yy_push_state(ip_addr, yyscanner); return(TOK_KEY_FADDR); }
+{key_lport}		{ return(TOK_KEY_LPORT); }
+{key_fport}		{ return(TOK_KEY_FPORT); }
 
 {syslog_kernel}		{ BEGIN(dmesg_timestamp); return(TOK_SYSLOG_KERNEL); }
 {syslog_month}		{ yylval->t_str = strdup(yytext); return(TOK_DATE_MONTH); }
Index: b/libraries/libapparmor/src/aalogparse.h
===================================================================
--- a/libraries/libapparmor/src/aalogparse.h
+++ b/libraries/libapparmor/src/aalogparse.h
@@ -141,6 +141,10 @@ typedef struct
 	char *net_family;
 	char *net_protocol;
 	char *net_sock_type;
+	char *net_local_addr;
+	unsigned long net_local_port;
+	char *net_foreign_addr;
+	unsigned long net_foreign_port;
 } aa_log_record;
 
 /**
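Review bot: `net_local_addr` and `net_foreign_addr` are populated with strdup()'d strings by the scanner, but the diffstat lists no change to the file that frees an aa_log_record, so unless free_record() is updated in a separate change these two pointers leak on every network event parsed; the matching `free(record->net_local_addr); free(record->net_foreign_addr);` belongs next to the other net_* strings. Since aa_log_record is the library's public ABI, appending the four members at the end is the right choice; a short comment on them would help callers, e.g. `/* laddr= / faddr= as logged, unvalidated; caller-owned copy */` and `/* lport= / fport=; 0 when the key was absent (see test_multi) */`, with the latter hedged if port 0 can legitimately be logged.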
Index: b/libraries/libapparmor/src/grammar.y
===================================================================
--- a/libraries/libapparmor/src/grammar.y
+++ b/libraries/libapparmor/src/grammar.y
@@ -83,6 +83,7 @@ aa_record_event_type lookup_aa_event(uns
 %token <t_str> TOK_QUOTED_STRING TOK_ID TOK_MODE TOK_DMESG_STAMP
 %token <t_str> TOK_AUDIT_DIGITS TOK_DATE_MONTH TOK_DATE_TIME
 %token <t_str> TOK_HEXSTRING TOK_TYPE_OTHER TOK_MSG_REST
+%token <t_str> TOK_IP_ADDR
 
 %token TOK_EQUALS
 %token TOK_COLON
@@ -133,6 +134,10 @@ aa_record_event_type lookup_aa_event(uns
 %token TOK_KEY_CAPNAME
 %token TOK_KEY_OFFSET
 %token TOK_KEY_TARGET
+%token TOK_KEY_LADDR
+%token TOK_KEY_FADDR
+%token TOK_KEY_LPORT
+%token TOK_KEY_FPORT
 
 %token TOK_SYSLOG_KERNEL
 
@@ -268,6 +273,14 @@ key: TOK_KEY_OPERATION TOK_EQUALS TOK_QU
 	{ /* target was always name2 in the past */
 	  ret_record->name2 = $3;
 	}
+	| TOK_KEY_LADDR TOK_EQUALS TOK_IP_ADDR
+	{ ret_record->net_local_addr = $3;}
+	| TOK_KEY_FADDR TOK_EQUALS TOK_IP_ADDR
+	{ ret_record->net_foreign_addr = $3;}
+	| TOK_KEY_LPORT TOK_EQUALS TOK_DIGITS
+	{ ret_record->net_local_port = $3;}
+	| TOK_KEY_FPORT TOK_EQUALS TOK_DIGITS
+	{ ret_record->net_foreign_port = $3;}
 	| TOK_MSG_REST
 	{
 		ret_record->event = AA_RECORD_INVALID;
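Review bot: The lport/fport rules copy the atol()'d `$3` straight into the unsigned long port fields with no range check, so a line carrying `lport=99999`, or a digit run long enough to overflow atol in the scanner, is accepted as a valid record. Log lines are not fully trusted input (they may be forged, truncated or concatenated by the logging path), so a guard such as `if ($3 < 0 || $3 > 65535) ret_record->event = AA_RECORD_INVALID; else ret_record->net_local_port = $3;` would be cheap here. If the existing pid=/parent= rules deliberately skip validation and consistency with them is preferred, a one-line comment saying the value is passed through unvalidated would settle it. The `key:` rule this extends starts and continues outside the hunk.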
Index: b/libraries/libapparmor/testsuite/test_multi/testcase_network_01.in
===================================================================
--- /dev/null
+++ b/libraries/libapparmor/testsuite/test_multi/testcase_network_01.in
@@ -0,0 +1 @@
+Apr  5 19:30:56 precise-amd64 kernel: [153073.826757] type=1400 audit(1308766940.698:3704): apparmor="DENIED" operation="sendmsg" parent=24737 profile="/usr/bin/evince-thumbnailer" pid=24743 comm="evince-thumbnai" laddr=192.168.66.150 lport=765 faddr=192.168.66.200 fport=2049 family="inet" sock_type="stream" protocol=6
Index: b/libraries/libapparmor/testsuite/test_multi/testcase_network_01.out
===================================================================
--- /dev/null
+++ b/libraries/libapparmor/testsuite/test_multi/testcase_network_01.out
@@ -0,0 +1,18 @@
+START
+File: test_multi/testcase_network_01.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1308766940.698:3704
+Operation: sendmsg
+Profile: /usr/bin/evince-thumbnailer
+Command: evince-thumbnai
+Parent: 24737
+PID: 24743
+Network family: inet
+Socket type: stream
+Protocol: tcp
+Local addr: 192.168.66.150
+Foreign addr: 192.168.66.200
+Local port: 765
+Foreign port: 2049
+Epoch: 1308766940
+Audit subid: 3704
Index: b/libraries/libapparmor/testsuite/test_multi.c
===================================================================
--- a/libraries/libapparmor/testsuite/test_multi.c
+++ b/libraries/libapparmor/testsuite/test_multi.c
@@ -51,6 +51,18 @@ int main(int argc, char **argv)
 	return ret;
 }
 
+#define print_string(description, var) \
+	if ((var) != NULL) { \
+		printf("%s: %s\n", (description), (var)); \
+	}
+
+/* unset is the value that the library sets to the var to indicate
+   that it is unset */
+#define print_long(description, var, unset) \
+	if ((var) != (unsigned long) (unset)) { \
+		printf("%s: %ld\n", (description), (var)); \
+	}
+
 int print_results(aa_log_record *record)
 {
 		printf("Event type: ");
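Review bot: `print_long` prints an `unsigned long` with `%ld`, a signed/unsigned format mismatch that `-Wformat` flags; the existing `printf("Epoch: %lu\n", ...)` in this same function already uses the right conversion. Both macros also expand to a bare `if` statement, so a call such as `if (x) print_string(...); else ...` would bind the `else` to the macro's own `if`; wrap them in `do { … } while (0)` as below. The `(unsigned long) (unset)` comparison additionally means a port that is genuinely 0 is reported as absent, which is worth a comment wherever the sentinel is chosen.
```c
#define print_string(description, var) \
	do { \
		if ((var) != NULL) \
			printf("%s: %s\n", (description), (var)); \
	} while (0)

/* unset is the value the library leaves in var when the key was absent */
#define print_long(description, var, unset) \
	do { \
		if ((var) != (unsigned long) (unset)) \
			printf("%s: %lu\n", (description), (var)); \
	} while (0)
```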
@@ -185,6 +197,11 @@ int print_results(aa_log_record *record)
 		{
 			printf("Protocol: %s\n", record->net_protocol);
 		}
+		print_string("Local addr", record->net_local_addr);
+		print_string("Foreign addr", record->net_foreign_addr);
+		print_long("Local port", record->net_local_port, 0);
+		print_long("Foreign port", record->net_foreign_port, 0);
+
 		printf("Epoch: %lu\n", record->epoch);
 		printf("Audit subid: %u\n", record->audit_sub_id);
 	return(0);
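Review bot: `print_long("Local port", record->net_local_port, 0)` and its fport twin use 0 as the "unset" sentinel, but 0 is also a legitimate port value, so a record that the kernel logged with `lport=0` (presumably possible for an unbound socket) would print no port line and the .out fixture could not distinguish "absent" from "zero". If the unsigned field cannot reserve a distinct sentinel, say so where the test reads it, e.g. `/* port 0 is indistinguishable from "key absent" in aa_log_record */`, so the fixture's silence on such a line is understood as a known limitation rather than a parser bug. The blank line added after the two print_long calls appears to be stray.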
Index: b/libraries/libapparmor/testsuite/test_multi/testcase_network_02.in
===================================================================
--- /dev/null
+++ b/libraries/libapparmor/testsuite/test_multi/testcase_network_02.in
@@ -0,0 +1 @@
+Apr  5 19:31:04 precise-amd64 kernel: [153073.826757] type=1400 audit(1308766940.698:3704): apparmor="DENIED" operation="sendmsg" parent=24737 profile="/usr/bin/evince-thumbnailer" pid=24743 comm="evince-thumbnai" lport=765 fport=2049 family="inet" sock_type="stream" protocol=6
Index: b/libraries/libapparmor/testsuite/test_multi/testcase_network_02.out
===================================================================
--- /dev/null
+++ b/libraries/libapparmor/testsuite/test_multi/testcase_network_02.out
@@ -0,0 +1,16 @@
+START
+File: test_multi/testcase_network_02.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1308766940.698:3704
+Operation: sendmsg
+Profile: /usr/bin/evince-thumbnailer
+Command: evince-thumbnai
+Parent: 24737
+PID: 24743
+Network family: inet
+Socket type: stream
+Protocol: tcp
+Local port: 765
+Foreign port: 2049
+Epoch: 1308766940
+Audit subid: 3704
Index: b/libraries/libapparmor/testsuite/test_multi/testcase_network_03.in
===================================================================
--- /dev/null
+++ b/libraries/libapparmor/testsuite/test_multi/testcase_network_03.in
@@ -0,0 +1 @@
+type=AVC msg=audit(1333648169.009:11707146): apparmor="ALLOWED" operation="accept" parent=25932 profile="/usr/lib/dovecot/imap-login" pid=5049 comm="imap-login" lport=143 family="inet6" sock_type="stream" protocol=6
Index: b/libraries/libapparmor/testsuite/test_multi/testcase_network_03.out
===================================================================
--- /dev/null
+++ b/libraries/libapparmor/testsuite/test_multi/testcase_network_03.out
@@ -0,0 +1,15 @@
+START
+File: test_multi/testcase_network_03.in
+Event type: AA_RECORD_ALLOWED
+Audit ID: 1333648169.009:11707146
+Operation: accept
+Profile: /usr/lib/dovecot/imap-login
+Command: imap-login
+Parent: 25932
+PID: 5049
+Network family: inet6
+Socket type: stream
+Protocol: tcp
+Local port: 143
+Epoch: 1333648169
+Audit subid: 11707146
Index: b/libraries/libapparmor/testsuite/test_multi/testcase_network_04.in
===================================================================
--- /dev/null
+++ b/libraries/libapparmor/testsuite/test_multi/testcase_network_04.in
@@ -0,0 +1 @@
+type=AVC msg=audit(1333697181.284:273901): apparmor="DENIED" operation="recvmsg" parent=1596 profile="/home/ubuntu/tmp/nc" pid=1056 comm="nc" laddr=::1 lport=2048 faddr=::1 fport=33986 family="inet6" sock_type="stream" protocol=6
Index: b/libraries/libapparmor/testsuite/test_multi/testcase_network_04.out
===================================================================
--- /dev/null
+++ b/libraries/libapparmor/testsuite/test_multi/testcase_network_04.out
@@ -0,0 +1,18 @@
+START
+File: test_multi/testcase_network_04.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1333697181.284:273901
+Operation: recvmsg
+Profile: /home/ubuntu/tmp/nc
+Command: nc
+Parent: 1596
+PID: 1056
+Network family: inet6
+Socket type: stream
+Protocol: tcp
+Local addr: ::1
+Foreign addr: ::1
+Local port: 2048
+Foreign port: 33986
+Epoch: 1333697181
+Audit subid: 273901
Index: b/libraries/libapparmor/testsuite/test_multi/testcase_network_05.in
===================================================================
--- /dev/null
+++ b/libraries/libapparmor/testsuite/test_multi/testcase_network_05.in
@@ -0,0 +1 @@
+type=AVC msg=audit(1333698107.128:273917): apparmor="DENIED" operation="recvmsg" parent=1596 profile="/home/ubuntu/tmp/nc" pid=1875 comm="nc" laddr=::ffff:127.0.0.1 lport=2048 faddr=::ffff:127.0.0.1 fport=59180 family="inet6" sock_type="stream" protocol=6
Index: b/libraries/libapparmor/testsuite/test_multi/testcase_network_05.out
===================================================================
--- /dev/null
+++ b/libraries/libapparmor/testsuite/test_multi/testcase_network_05.out
@@ -0,0 +1,18 @@
+START
+File: test_multi/testcase_network_05.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1333698107.128:273917
+Operation: recvmsg
+Profile: /home/ubuntu/tmp/nc
+Command: nc
+Parent: 1596
+PID: 1875
+Network family: inet6
+Socket type: stream
+Protocol: tcp
+Local addr: ::ffff:127.0.0.1
+Foreign addr: ::ffff:127.0.0.1
+Local port: 2048
+Foreign port: 59180
+Epoch: 1333698107
+Audit subid: 273917

-- 
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/