[apparmor] [patch] libapparmor: add support for ip addresses and ports

John Johansen john.johansen at canonical.com
Fri Apr 6 21:57:18 UTC 2012


On 04/06/2012 10:39 AM, Steve Beattie wrote:
> 
> Bugs: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/800826
>   https://bugzilla.novell.com/show_bug.cgi?id=755923
> 
> This patch modifies the libapparmor log parsing code to add support
> for the additional ip address and port keywords that can occur in
> network rejection rules. The laddr and faddr keywords stand for local
> address and foreign address respectively.
> 
> The regex used to match an ip address is not very strict, to hopefully
> catch the formats that the kernel emits for ipv6 addresses; however,
> because this is in a context triggered by the addr keywords, it should
> not over-eagerly consume non-ip addresses. Said addresses are returned
> as strings in the struct to be processed by the calling application.
> 
> (When committing, empty .err files will need to be created as well.)
> 
see the one comment below otherwise it looks good and can have my Acked-by:

> ---
>  libraries/libapparmor/src/aalogparse.h                             |    4 ++
>  libraries/libapparmor/src/grammar.y                                |   13 ++++++
>  libraries/libapparmor/src/scanner.l                                |   20 +++++++++-
>  libraries/libapparmor/testsuite/test_multi.c                       |   17 ++++++++
>  libraries/libapparmor/testsuite/test_multi/testcase_network_01.in  |    1 
>  libraries/libapparmor/testsuite/test_multi/testcase_network_01.out |   18 +++++++++
>  libraries/libapparmor/testsuite/test_multi/testcase_network_02.in  |    1 
>  libraries/libapparmor/testsuite/test_multi/testcase_network_02.out |   16 ++++++++
>  libraries/libapparmor/testsuite/test_multi/testcase_network_03.in  |    1 
>  libraries/libapparmor/testsuite/test_multi/testcase_network_03.out |   15 +++++++
>  libraries/libapparmor/testsuite/test_multi/testcase_network_04.in  |    1 
>  libraries/libapparmor/testsuite/test_multi/testcase_network_04.out |   18 +++++++++
>  libraries/libapparmor/testsuite/test_multi/testcase_network_05.in  |    1 
>  libraries/libapparmor/testsuite/test_multi/testcase_network_05.out |   18 +++++++++
>  14 files changed, 143 insertions(+), 1 deletion(-)
> 
> Index: b/libraries/libapparmor/src/scanner.l
> ===================================================================
> --- a/libraries/libapparmor/src/scanner.l
> +++ b/libraries/libapparmor/src/scanner.l
> @@ -133,8 +133,15 @@ key_capability		"capability"
>  key_capname		"capname"
>  key_offset		"offset"
>  key_target		"target"
> +key_laddr		"laddr"
> +key_faddr		"faddr"
> +key_lport		"lport"
> +key_fport		"fport"
>  audit			"audit"
>  
> +/* network addrs */
> +ip_addr			[a-f[:digit:].:]{3,}
> +
>  /* syslog tokens */
>  syslog_kernel		kernel{colon}
>  syslog_month 		Jan(uary)?|Feb(ruary)?|Mar(ch)?|Apr(il)?|May|Jun(e)?|Jul(y)?|Aug(ust)?|Sep(tember)?|Oct(ober)?|Nov(ember)?|Dec(ember)?
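Review bot: The `ip_addr` class `[a-f[:digit:].:]{3,}` is deliberately loose, but nothing at the definition says so, and it accepts runs such as `...` or `:::` that are not addresses while rejecting upper-case hex. Since the cover letter makes the calling application responsible for interpreting the string, that contract belongs next to the pattern; suggested comment: `/* loose on purpose: any run of hex digits, dots and colons (IPv4, IPv6, v4-mapped); the string is handed to the caller unvalidated, so validate with inet_pton() before use */`. Note also that `lport`/`fport` values are matched by whatever `{digits}` rule applies in the start state the keyword is scanned in, which is outside this hunk.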
> @@ -149,12 +156,13 @@ dmesg_timestamp		\[[[:digit:] ]{5,}\.[[:
>  %x dmesg_timestamp
>  %x safe_string
>  %x audit_types
> +%x ip_addr
>  %x other_audit
>  %x unknown_message
>  
>  %%
>  %{
> -yy_flex_debug = 0;
> +yy_flex_debug = 1;
>  %}
>  
err I don't think we really want to be defaulting to flex_debug as on :)

>  
> @@ -201,6 +209,12 @@ yy_flex_debug = 0;
>  	.		{ /* eek, error! try another state */ BEGIN(INITIAL); yyless(0); }
>  	}
>  
> +<ip_addr>{
> +	{ip_addr}	{ yylval->t_str = strdup(yytext); yy_pop_state(yyscanner); return(TOK_IP_ADDR); }
> +	{equals}	{ return(TOK_EQUALS); }
> +	.		{ /* eek, error! try another state */ BEGIN(INITIAL); yyless(0); }
> +	}
> +
>  <audit_types>{
>  	{equals}	{ return(TOK_EQUALS); }
>  	{digits}	{ yylval->t_long = atol(yytext); BEGIN(INITIAL); return(TOK_DIGITS); }
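Review bot: The error fallback in the new `<ip_addr>` block uses `BEGIN(INITIAL)` even though the state is entered with `yy_push_state()` (see the `{key_laddr}`/`{key_faddr}` rules later in the patch), so on a malformed address the pushed start condition is never popped and the start-condition stack is left unbalanced. Unless the other `BEGIN`-based states are entered without a push (their entry points are outside this hunk), the fallback should mirror the success path: `.  { yy_pop_state(yyscanner); yyless(0); }`. The unchecked `strdup()` follows the existing scanner convention and is not a new concern.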
> @@ -270,6 +284,10 @@ yy_flex_debug = 0;
>  {key_capname}		{ return(TOK_KEY_CAPNAME); }
>  {key_offset}		{ return(TOK_KEY_OFFSET); }
>  {key_target}		{ return(TOK_KEY_TARGET); }
> +{key_laddr}		{ yy_push_state(ip_addr, yyscanner); return(TOK_KEY_LADDR); }
> +{key_faddr}		{ yy_push_state(ip_addr, yyscanner); return(TOK_KEY_FADDR); }
> +{key_lport}		{ return(TOK_KEY_LPORT); }
> +{key_fport}		{ return(TOK_KEY_FPORT); }
>  
>  {syslog_kernel}		{ BEGIN(dmesg_timestamp); return(TOK_SYSLOG_KERNEL); }
>  {syslog_month}		{ yylval->t_str = strdup(yytext); return(TOK_DATE_MONTH); }
> Index: b/libraries/libapparmor/src/aalogparse.h
> ===================================================================
> --- a/libraries/libapparmor/src/aalogparse.h
> +++ b/libraries/libapparmor/src/aalogparse.h
> @@ -141,6 +141,10 @@ typedef struct
>  	char *net_family;
>  	char *net_protocol;
>  	char *net_sock_type;
> +	char *net_local_addr;
> +	unsigned long net_local_port;
> +	char *net_foreign_addr;
> +	unsigned long net_foreign_port;
>  } aa_log_record;
>  
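Review bot: The four new public fields in `aa_log_record` carry no documentation of their "absent" representation or string ownership, and `test_multi.c` in this series relies on that representation (NULL for addresses, 0 for ports). Suggested comments: `char *net_local_addr; /* "laddr" text as logged, or NULL if absent */`, `unsigned long net_local_port; /* "lport", or 0 if absent (note a genuinely logged port 0 is indistinguishable) */`, and the same for the foreign pair. The address strings are `strdup()`'d by the scanner, so the record-freeing routine (`free_record()` in libaalogparse) must release them; that file is not in the diffstat, which looks like a leak unless it is handled elsewhere.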
>  /**
> Index: b/libraries/libapparmor/src/grammar.y
> ===================================================================
> --- a/libraries/libapparmor/src/grammar.y
> +++ b/libraries/libapparmor/src/grammar.y
> @@ -83,6 +83,7 @@ aa_record_event_type lookup_aa_event(uns
>  %token <t_str> TOK_QUOTED_STRING TOK_ID TOK_MODE TOK_DMESG_STAMP
>  %token <t_str> TOK_AUDIT_DIGITS TOK_DATE_MONTH TOK_DATE_TIME
>  %token <t_str> TOK_HEXSTRING TOK_TYPE_OTHER TOK_MSG_REST
> +%token <t_str> TOK_IP_ADDR
>  
>  %token TOK_EQUALS
>  %token TOK_COLON
> @@ -133,6 +134,10 @@ aa_record_event_type lookup_aa_event(uns
>  %token TOK_KEY_CAPNAME
>  %token TOK_KEY_OFFSET
>  %token TOK_KEY_TARGET
> +%token TOK_KEY_LADDR
> +%token TOK_KEY_FADDR
> +%token TOK_KEY_LPORT
> +%token TOK_KEY_FPORT
>  
>  %token TOK_SYSLOG_KERNEL
>  
> @@ -268,6 +273,14 @@ key: TOK_KEY_OPERATION TOK_EQUALS TOK_QU
>  	{ /* target was always name2 in the past */
>  	  ret_record->name2 = $3;
>  	}
> +	| TOK_KEY_LADDR TOK_EQUALS TOK_IP_ADDR
> +	{ ret_record->net_local_addr = $3;}
> +	| TOK_KEY_FADDR TOK_EQUALS TOK_IP_ADDR
> +	{ ret_record->net_foreign_addr = $3;}
> +	| TOK_KEY_LPORT TOK_EQUALS TOK_DIGITS
> +	{ ret_record->net_local_port = $3;}
> +	| TOK_KEY_FPORT TOK_EQUALS TOK_DIGITS
> +	{ ret_record->net_foreign_port = $3;}
>  	| TOK_MSG_REST
>  	{
>  		ret_record->event = AA_RECORD_INVALID;
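Review bot: The `TOK_KEY_LPORT`/`TOK_KEY_FPORT` actions store `$3` (a `long` from `atol()`) into the `unsigned long` port fields without any range check, so a malformed line such as `lport=70000` or a negative value is accepted silently and a negative becomes a huge unsigned port. A port is 16 bits; either reject out-of-range values the way the `TOK_MSG_REST` branch below marks the record `AA_RECORD_INVALID`, or at minimum note the accepted range in a comment: `/* kernel logs a 16-bit port; values are stored unvalidated */`. The `key:` rule starts before this hunk.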
> Index: b/libraries/libapparmor/testsuite/test_multi/testcase_network_01.in
> ===================================================================
> --- /dev/null
> +++ b/libraries/libapparmor/testsuite/test_multi/testcase_network_01.in
> @@ -0,0 +1 @@
> +Apr  5 19:30:56 precise-amd64 kernel: [153073.826757] type=1400 audit(1308766940.698:3704): apparmor="DENIED" operation="sendmsg" parent=24737 profile="/usr/bin/evince-thumbnailer" pid=24743 comm="evince-thumbnai" laddr=192.168.66.150 lport=765 faddr=192.168.66.200 fport=2049 family="inet" sock_type="stream" protocol=6
> Index: b/libraries/libapparmor/testsuite/test_multi/testcase_network_01.out
> ===================================================================
> --- /dev/null
> +++ b/libraries/libapparmor/testsuite/test_multi/testcase_network_01.out
> @@ -0,0 +1,18 @@
> +START
> +File: test_multi/testcase_network_01.in
> +Event type: AA_RECORD_DENIED
> +Audit ID: 1308766940.698:3704
> +Operation: sendmsg
> +Profile: /usr/bin/evince-thumbnailer
> +Command: evince-thumbnai
> +Parent: 24737
> +PID: 24743
> +Network family: inet
> +Socket type: stream
> +Protocol: tcp
> +Local addr: 192.168.66.150
> +Foreign addr: 192.168.66.200
> +Local port: 765
> +Foreign port: 2049
> +Epoch: 1308766940
> +Audit subid: 3704
> Index: b/libraries/libapparmor/testsuite/test_multi.c
> ===================================================================
> --- a/libraries/libapparmor/testsuite/test_multi.c
> +++ b/libraries/libapparmor/testsuite/test_multi.c
> @@ -51,6 +51,18 @@ int main(int argc, char **argv)
>  	return ret;
>  }
>  
> +#define print_string(description, var) \
> +	if ((var) != NULL) { \
> +		printf("%s: %s\n", (description), (var)); \
> +	}
> +
> +/* unset is the value that the library sets to the var to indicate
> +   that it is unset */
> +#define print_long(description, var, unset) \
> +	if ((var) != (unsigned long) (unset)) { \
> +		printf("%s: %ld\n", (description), (var)); \
> +	}
> +
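Review bot: `print_long` formats an `unsigned long` with `%ld`, which mismatches the field type declared in `aalogparse.h` (and the `%lu` already used for `Epoch` in the second hunk of this file); use `printf("%s: %lu\n", (description), (var));`. Both macros also expand to a bare `if` statement, so a following `else` in a caller would bind to the macro's `if`; the usual fix is to wrap each body in `do { ... } while (0)`. The `unset` comment should also say that 0 cannot be distinguished from a logged port 0, since that is what the second hunk passes.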
>  int print_results(aa_log_record *record)
>  {
>  		printf("Event type: ");
> @@ -185,6 +197,11 @@ int print_results(aa_log_record *record)
>  		{
>  			printf("Protocol: %s\n", record->net_protocol);
>  		}
> +		print_string("Local addr", record->net_local_addr);
> +		print_string("Foreign addr", record->net_foreign_addr);
> +		print_long("Local port", record->net_local_port, 0);
> +		print_long("Foreign port", record->net_foreign_port, 0);
> +
>  		printf("Epoch: %lu\n", record->epoch);
>  		printf("Audit subid: %u\n", record->audit_sub_id);
>  	return(0);
> Index: b/libraries/libapparmor/testsuite/test_multi/testcase_network_02.in
> ===================================================================
> --- /dev/null
> +++ b/libraries/libapparmor/testsuite/test_multi/testcase_network_02.in
> @@ -0,0 +1 @@
> +Apr  5 19:31:04 precise-amd64 kernel: [153073.826757] type=1400 audit(1308766940.698:3704): apparmor="DENIED" operation="sendmsg" parent=24737 profile="/usr/bin/evince-thumbnailer" pid=24743 comm="evince-thumbnai" lport=765 fport=2049 family="inet" sock_type="stream" protocol=6
> Index: b/libraries/libapparmor/testsuite/test_multi/testcase_network_02.out
> ===================================================================
> --- /dev/null
> +++ b/libraries/libapparmor/testsuite/test_multi/testcase_network_02.out
> @@ -0,0 +1,16 @@
> +START
> +File: test_multi/testcase_network_02.in
> +Event type: AA_RECORD_DENIED
> +Audit ID: 1308766940.698:3704
> +Operation: sendmsg
> +Profile: /usr/bin/evince-thumbnailer
> +Command: evince-thumbnai
> +Parent: 24737
> +PID: 24743
> +Network family: inet
> +Socket type: stream
> +Protocol: tcp
> +Local port: 765
> +Foreign port: 2049
> +Epoch: 1308766940
> +Audit subid: 3704
> Index: b/libraries/libapparmor/testsuite/test_multi/testcase_network_03.in
> ===================================================================
> --- /dev/null
> +++ b/libraries/libapparmor/testsuite/test_multi/testcase_network_03.in
> @@ -0,0 +1 @@
> +type=AVC msg=audit(1333648169.009:11707146): apparmor="ALLOWED" operation="accept" parent=25932 profile="/usr/lib/dovecot/imap-login" pid=5049 comm="imap-login" lport=143 family="inet6" sock_type="stream" protocol=6
> Index: b/libraries/libapparmor/testsuite/test_multi/testcase_network_03.out
> ===================================================================
> --- /dev/null
> +++ b/libraries/libapparmor/testsuite/test_multi/testcase_network_03.out
> @@ -0,0 +1,15 @@
> +START
> +File: test_multi/testcase_network_03.in
> +Event type: AA_RECORD_ALLOWED
> +Audit ID: 1333648169.009:11707146
> +Operation: accept
> +Profile: /usr/lib/dovecot/imap-login
> +Command: imap-login
> +Parent: 25932
> +PID: 5049
> +Network family: inet6
> +Socket type: stream
> +Protocol: tcp
> +Local port: 143
> +Epoch: 1333648169
> +Audit subid: 11707146
> Index: b/libraries/libapparmor/testsuite/test_multi/testcase_network_04.in
> ===================================================================
> --- /dev/null
> +++ b/libraries/libapparmor/testsuite/test_multi/testcase_network_04.in
> @@ -0,0 +1 @@
> +type=AVC msg=audit(1333697181.284:273901): apparmor="DENIED" operation="recvmsg" parent=1596 profile="/home/ubuntu/tmp/nc" pid=1056 comm="nc" laddr=::1 lport=2048 faddr=::1 fport=33986 family="inet6" sock_type="stream" protocol=6
> Index: b/libraries/libapparmor/testsuite/test_multi/testcase_network_04.out
> ===================================================================
> --- /dev/null
> +++ b/libraries/libapparmor/testsuite/test_multi/testcase_network_04.out
> @@ -0,0 +1,18 @@
> +START
> +File: test_multi/testcase_network_04.in
> +Event type: AA_RECORD_DENIED
> +Audit ID: 1333697181.284:273901
> +Operation: recvmsg
> +Profile: /home/ubuntu/tmp/nc
> +Command: nc
> +Parent: 1596
> +PID: 1056
> +Network family: inet6
> +Socket type: stream
> +Protocol: tcp
> +Local addr: ::1
> +Foreign addr: ::1
> +Local port: 2048
> +Foreign port: 33986
> +Epoch: 1333697181
> +Audit subid: 273901
> Index: b/libraries/libapparmor/testsuite/test_multi/testcase_network_05.in
> ===================================================================
> --- /dev/null
> +++ b/libraries/libapparmor/testsuite/test_multi/testcase_network_05.in
> @@ -0,0 +1 @@
> +type=AVC msg=audit(1333698107.128:273917): apparmor="DENIED" operation="recvmsg" parent=1596 profile="/home/ubuntu/tmp/nc" pid=1875 comm="nc" laddr=::ffff:127.0.0.1 lport=2048 faddr=::ffff:127.0.0.1 fport=59180 family="inet6" sock_type="stream" protocol=6
> Index: b/libraries/libapparmor/testsuite/test_multi/testcase_network_05.out
> ===================================================================
> --- /dev/null
> +++ b/libraries/libapparmor/testsuite/test_multi/testcase_network_05.out
> @@ -0,0 +1,18 @@
> +START
> +File: test_multi/testcase_network_05.in
> +Event type: AA_RECORD_DENIED
> +Audit ID: 1333698107.128:273917
> +Operation: recvmsg
> +Profile: /home/ubuntu/tmp/nc
> +Command: nc
> +Parent: 1596
> +PID: 1875
> +Network family: inet6
> +Socket type: stream
> +Protocol: tcp
> +Local addr: ::ffff:127.0.0.1
> +Foreign addr: ::ffff:127.0.0.1
> +Local port: 2048
> +Foreign port: 59180
> +Epoch: 1333698107
> +Audit subid: 273917
> 
> 
> 
> 



