[apparmor] [patch] fix aa-decode stdin handling
Christian Boltz
apparmor at cboltz.de
Wed Oct 3 00:00:34 UTC 2012
Hello,

the attached patch fixes aa-decode stdin handling.

Handling stdin was totally broken (= no output) with the current log
format because aa-decode expected name= to be the last entry in the
log line.

This patch for stdin handling
- fixes the pattern to match the current log format (name= is NOT the
  last part in the log entry)
- uses bash replacement to avoid some sed calls (which also means the
  script now needs an explicit "#!/bin/bash")
- prints decoded filenames in double instead of single quotes to be
  consistent with filenames that were not encoded
- also prints lines that do not contain an encoded filename (instead of
  grepping them away)

In other words: you can pipe your audit.log through aa-decode, and the
only difference to the raw audit.log is that filenames are decoded.

Signed-Off-By: Christian Boltz <apparmor at cboltz.de>

=== modified file 'utils/aa-decode'
--- utils/aa-decode 2012-09-17 21:55:28 +0000
+++ utils/aa-decode 2012-10-02 23:59:06 +0000
@@ -1,6 +1,7 @@
-#!/bin/sh
+#!/bin/bash
#
# Copyright (C) 2009-2010 Canonical Ltd.
+# Copyright (C) Christian Boltz 2012
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
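Review bot: The added copyright line puts the year after the holder ("Christian Boltz 2012"), while the existing line directly above it uses year-then-holder ("2009-2010 Canonical Ltd."); suggest "# Copyright (C) 2012 Christian Boltz" so the header stays uniform. The shebang change to /bin/bash in the same hunk is what the ${line/.../...} expansion added further down depends on, so the two changes have to land together.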
@@ -63,13 +64,25 @@
exit 0
fi
-# For now just look at 'name=...' which is usually the last in the log entry,
+# For now just look at 'name=...',
# so validate input against this and output based on it.
# TODO: better handle other cases too
-egrep ' name=2[fF][0-9a-fA-F]*$' | while read line ; do
- e=`echo "$line" | sed 's/.* name=\(.*\)/\\1/g' | tr -s '[:lower:]' '[:upper:]'`
- d=`decode $e`
- echo -n "$line" | sed "s/\(.*\) name=.*/\1 name=/g"
- echo "'$d'"
+while read line ; do
+
+ # check if line contains encoded name=
+ if echo "$line" | egrep ' name=2[fF][0-9a-fA-F]*' >/dev/null ; then
+
+ # cut the encoded filename out of the line and decode it
+ e=`echo "$line" | sed 's/.* name=\([^ ]*\).*$/\\1/g' | tr -s '[:lower:]' '[:upper:]'`
+ d="\"`decode $e`\""
+
+ # replace encoded name with its decoded counterpart
+ echo "${line/name=$e/name=$d}"
+
+ else
+ # line does not contain encoded name= - no need to decode, print unchanged line
+ echo "$line"
+ fi
+
done
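
Review bot: In the new loop, $e is upper-cased by tr before it is used as the search pattern in ${line/name=$e/name=$d}, so a log line whose hex name is lower-case (which the egrep pattern [0-9a-fA-F] explicitly accepts) will not match and is printed undecoded. Keep the raw value as cut from the line for the substitution and pass only an upper-cased copy to decode. Two related points in the same lines: tr -s squeezes repeated characters from the second set, so adjacent identical hex letters would be collapsed before decoding (plain tr without -s is enough), and a bare "read line" drops backslashes and leading whitespace, so "while IFS= read -r line" is needed if lines without an encoded name are to pass through unchanged as the description promises.
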
Note: if you don't like the ${../../..} bash-ism, we can also use sed,
but the code looks ugly in comparison:

    # everything till name=
    echo -n "$line" | sed "s/^\(.*\) name=[^ ]*.*/\1 name=/g"
    # decoded name (in quotes)
    echo -n "$d"
    # remaining part of the line
    echo "$line" | sed "s/^.* name=[^ ]*\(.*\)$/\1/g"

Regards,
Christian Boltz
--
So... Hm... I'm a bit stuck.
How to troubleshoot without trouble?
[Ratti in fontlinge-devel]