[apparmor] [PATCH 1/2] libaalogparse: Parse dbus-daemon audit messages
Tyler Hicks
tyhicks at canonical.com
Thu Aug 1 07:31:30 UTC 2013
This requires libaalogparse to become aware of USER_AVC messages.
Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
---
libraries/libapparmor/src/aalogparse.h | 7 +++
libraries/libapparmor/src/grammar.y | 72 ++++++++++++++++++++++++++++++-
libraries/libapparmor/src/libaalogparse.c | 12 ++++++
libraries/libapparmor/src/scanner.l | 42 ++++++++++++++++++
4 files changed, 132 insertions(+), 1 deletion(-)
diff --git a/libraries/libapparmor/src/aalogparse.h b/libraries/libapparmor/src/aalogparse.h
index 2079669..ceaa4ec 100644
--- a/libraries/libapparmor/src/aalogparse.h
+++ b/libraries/libapparmor/src/aalogparse.h
@@ -116,6 +116,7 @@ typedef struct
aa_record_syntax_version version;
aa_record_event_type event; /* Event type */
unsigned long pid; /* PID of the program logging the message */
+ unsigned long peer_pid;
unsigned long task;
unsigned long magic_token;
long epoch; /* example: 12345679 */
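Review bot: Inserting `peer_pid` between `pid` and `task` shifts the offset of every later member of `aa_log_record`, so a consumer built against the previous header layout would read the wrong fields; the struct's definition begins before this hunk, and note that the `dbus_*` members in the last hunk of this file are appended at the end, which avoids that problem. Unless the library's SONAME is bumped with this change (not visible here), `peer_pid`, `peer_profile` and `peer_info` should be appended after the existing members instead. The new member also lacks the trailing comment its neighbours carry; `unsigned long peer_pid; /* peer_pid= of the record, if logged - presumably the other end of a D-Bus exchange, confirm */` would match the style.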
@@ -129,6 +130,7 @@ typedef struct
unsigned long fsuid; /* fsuid of task - if logged */
unsigned long ouid; /* ouid of task - if logged */
char *profile; /* The name of the profile */
+ char *peer_profile;
char *comm; /* Command that triggered msg */
char *name;
char *name2;
@@ -136,6 +138,7 @@ typedef struct
char *attribute;
unsigned long parent;
char *info;
+ char *peer_info;
int error_code; /* error_code returned if logged */
char *active_hat;
char *net_family;
@@ -145,6 +148,10 @@ typedef struct
unsigned long net_local_port;
char *net_foreign_addr;
unsigned long net_foreign_port;
+ char *dbus_bus;
+ char *dbus_path;
+ char *dbus_interface;
+ char *dbus_member;
} aa_log_record;
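Review bot: The four new `dbus_*` members are undocumented while neighbouring members such as `fsuid` and `profile` carry a trailing comment, and nothing tells a reader of the header that they are only populated for D-Bus records. Add a comment per member naming the key it comes from, e.g. `char *dbus_bus; /* bus= key, D-Bus (USER_AVC) records only */`, `char *dbus_path; /* path= key */`, and likewise for `dbus_interface` (`interface=`) and `dbus_member` (`member=`).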
/**
diff --git a/libraries/libapparmor/src/grammar.y b/libraries/libapparmor/src/grammar.y
index 80f659e..a9b1176 100644
--- a/libraries/libapparmor/src/grammar.y
+++ b/libraries/libapparmor/src/grammar.y
@@ -91,6 +91,8 @@ aa_record_event_type lookup_aa_event(unsigned int type)
%token TOK_OPEN_PAREN
%token TOK_CLOSE_PAREN
%token TOK_PERIOD
+%token TOK_QUESTION_MARK
+%token TOK_SINGLE_QUOTE
%token TOK_TYPE_REJECT
%token TOK_TYPE_AUDIT
@@ -105,6 +107,7 @@ aa_record_event_type lookup_aa_event(unsigned int type)
%token TOK_TYPE_AA_STATUS
%token TOK_TYPE_AA_ERROR
%token TOK_TYPE_LSM_AVC
+%token TOK_TYPE_USER_AVC
%token TOK_KEY_APPARMOR
%token TOK_KEY_TYPE
@@ -112,6 +115,7 @@ aa_record_event_type lookup_aa_event(unsigned int type)
%token TOK_KEY_OPERATION
%token TOK_KEY_NAME
%token TOK_KEY_NAME2
+%token TOK_KEY_MASK
%token TOK_KEY_DENIED_MASK
%token TOK_KEY_REQUESTED_MASK
%token TOK_KEY_ATTRIBUTE
@@ -119,8 +123,11 @@ aa_record_event_type lookup_aa_event(unsigned int type)
%token TOK_KEY_PARENT
%token TOK_KEY_MAGIC_TOKEN
%token TOK_KEY_INFO
+%token TOK_KEY_PEER_INFO
%token TOK_KEY_PID
+%token TOK_KEY_PEER_PID
%token TOK_KEY_PROFILE
+%token TOK_KEY_PEER_PROFILE
%token TOK_AUDIT
%token TOK_KEY_FAMILY
%token TOK_KEY_SOCK_TYPE
@@ -129,6 +136,14 @@ aa_record_event_type lookup_aa_event(unsigned int type)
%token TOK_KEY_ERROR
%token TOK_KEY_FSUID
%token TOK_KEY_OUID
+%token TOK_KEY_UID
+%token TOK_KEY_AUID
+%token TOK_KEY_SAUID
+%token TOK_KEY_SES
+%token TOK_KEY_HOSTNAME
+%token TOK_KEY_ADDR
+%token TOK_KEY_TERMINAL
+%token TOK_KEY_EXE
%token TOK_KEY_COMM
%token TOK_KEY_CAPABILITY
%token TOK_KEY_CAPNAME
@@ -138,8 +153,13 @@ aa_record_event_type lookup_aa_event(unsigned int type)
%token TOK_KEY_FADDR
%token TOK_KEY_LPORT
%token TOK_KEY_FPORT
+%token TOK_KEY_BUS
+%token TOK_KEY_PATH
+%token TOK_KEY_INTERFACE
+%token TOK_KEY_MEMBER
%token TOK_SYSLOG_KERNEL
+%token TOK_SYSLOG_USER
%%
@@ -163,6 +183,7 @@ new_syntax:
| TOK_TYPE_AA_ERROR audit_msg key_list { ret_record->event = AA_RECORD_ERROR; }
| TOK_TYPE_UNKNOWN audit_msg key_list { ret_record->event = lookup_aa_event($1); }
| TOK_TYPE_LSM_AVC audit_msg key_list
+ | TOK_TYPE_USER_AVC audit_user_msg TOK_SINGLE_QUOTE key_list TOK_SINGLE_QUOTE
;
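Review bot: The new `TOK_TYPE_USER_AVC` alternative sets no `ret_record->event`, unlike the `AA_ERROR`/`AA_STATUS` siblings above it, so the event type of a D-Bus record is decided entirely by the `apparmor=` key inside the single-quoted `key_list` (the same approach the existing `TOK_TYPE_LSM_AVC` rule takes); that is fine but not obvious from the rule. A short comment would save the next reader a trip through the scanner: `/* USER_AVC: the AppArmor record is nested in msg='...'; event comes from its apparmor= key */`. The `new_syntax` production starts before this hunk.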
other_audit: TOK_TYPE_OTHER audit_msg TOK_MSG_REST
@@ -182,6 +203,8 @@ syslog_type:
{ ret_record->version = AA_RECORD_SYNTAX_V2; }
| syslog_date TOK_ID TOK_SYSLOG_KERNEL TOK_DMESG_STAMP key_type audit_id key_list
{ ret_record->version = AA_RECORD_SYNTAX_V2; }
+ | syslog_date TOK_ID TOK_SYSLOG_USER key_list
+ { ret_record->version = AA_RECORD_SYNTAX_V2; }
;
/* when audit dispatches a message it doesn't prepend the audit type string */
@@ -192,6 +215,9 @@ audit_dispatch:
audit_msg: TOK_KEY_MSG TOK_EQUALS audit_id
;
+audit_user_msg: TOK_KEY_MSG TOK_EQUALS audit_id ignored_pid ignored_uid ignored_auid ignored_ses TOK_KEY_MSG TOK_EQUALS
+ ;
+
audit_id: TOK_AUDIT TOK_OPEN_PAREN TOK_AUDIT_DIGITS TOK_PERIOD TOK_AUDIT_DIGITS TOK_COLON TOK_AUDIT_DIGITS TOK_CLOSE_PAREN TOK_COLON
{
if (!asprintf(&ret_record->audit_id, "%s.%s:%s", $3, $5, $7))
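Review bot: `audit_user_msg` accepts only the exact sequence `pid= uid= auid= ses=` between the audit id and the nested `msg=`, so any extra or reordered header field the audit user-space emits (for instance a `subj=` field on a system where the sender's LSM context is recorded) would make the whole record unparseable rather than merely ignored. If the header format is not guaranteed fixed, an order-independent optional list is more robust: `audit_user_msg: TOK_KEY_MSG TOK_EQUALS audit_id ignored_keys TOK_KEY_MSG TOK_EQUALS` with `ignored_keys: | ignored_keys ignored_key` and `ignored_key: ignored_pid | ignored_uid | ignored_auid | ignored_ses`. The `audit_id` production continues past the end of this hunk.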
@@ -219,6 +245,8 @@ key: TOK_KEY_OPERATION TOK_EQUALS TOK_QUOTED_STRING
{ ret_record->namespace = $3;}
| TOK_KEY_NAME2 TOK_EQUALS safe_string
{ ret_record->name2 = $3;}
+ | TOK_KEY_MASK TOK_EQUALS TOK_QUOTED_STRING
+ { ret_record->denied_mask = $3;}
| TOK_KEY_DENIED_MASK TOK_EQUALS TOK_QUOTED_STRING
{ ret_record->denied_mask = $3;}
| TOK_KEY_REQUESTED_MASK TOK_EQUALS TOK_QUOTED_STRING
@@ -233,9 +261,14 @@ key: TOK_KEY_OPERATION TOK_EQUALS TOK_QUOTED_STRING
{ ret_record->magic_token = $3;}
| TOK_KEY_INFO TOK_EQUALS TOK_QUOTED_STRING
{ ret_record->info = $3;}
+ | TOK_KEY_PEER_INFO TOK_EQUALS TOK_QUOTED_STRING
+ { ret_record->peer_info = $3;}
| key_pid
+ | key_peer_pid
| TOK_KEY_PROFILE TOK_EQUALS safe_string
{ ret_record->profile = $3;}
+ | TOK_KEY_PEER_PROFILE TOK_EQUALS safe_string
+ { ret_record->peer_profile = $3;}
| TOK_KEY_FAMILY TOK_EQUALS TOK_QUOTED_STRING
{ ret_record->net_family = $3;}
| TOK_KEY_SOCK_TYPE TOK_EQUALS TOK_QUOTED_STRING
@@ -252,8 +285,29 @@ key: TOK_KEY_OPERATION TOK_EQUALS TOK_QUOTED_STRING
{ ret_record->fsuid = $3;}
| TOK_KEY_OUID TOK_EQUALS TOK_DIGITS
{ ret_record->ouid = $3;}
+ | TOK_KEY_SAUID TOK_EQUALS TOK_DIGITS
+ { /* Ignore - Source audit ID from user AVC messages */ }
+ | TOK_KEY_HOSTNAME TOK_EQUALS safe_string
+ { free($3); /* Ignore - hostname from user AVC messages */ }
+ | TOK_KEY_HOSTNAME TOK_EQUALS TOK_QUESTION_MARK
+ | TOK_KEY_ADDR TOK_EQUALS TOK_QUESTION_MARK
+ | TOK_KEY_TERMINAL TOK_EQUALS TOK_QUESTION_MARK
+ | TOK_KEY_ADDR TOK_EQUALS safe_string
+ { free($3); /* Ignore - IP address from user AVC messages */ }
+ | TOK_KEY_TERMINAL TOK_EQUALS safe_string
+ { free($3); /* Ignore - TTY from user AVC messages */ }
+ | TOK_KEY_EXE TOK_EQUALS safe_string
+ { /* Free existing arrays because exe= and comm= maps to the same
+ aa_log_record member */
+ free(ret_record->comm);
+ ret_record->comm = $3;
+ }
| TOK_KEY_COMM TOK_EQUALS safe_string
- { ret_record->comm = $3;}
+ { /* Free existing arrays because exe= and comm= maps to the same
+ aa_log_record member */
+ free(ret_record->comm);
+ ret_record->comm = $3;
+ }
| TOK_KEY_APPARMOR TOK_EQUALS apparmor_event
| TOK_KEY_CAPABILITY TOK_EQUALS TOK_DIGITS
{ /* need to reverse map number to string, need to figure out
@@ -282,6 +336,14 @@ key: TOK_KEY_OPERATION TOK_EQUALS TOK_QUOTED_STRING
{ ret_record->net_local_port = $3;}
| TOK_KEY_FPORT TOK_EQUALS TOK_DIGITS
{ ret_record->net_foreign_port = $3;}
+ | TOK_KEY_BUS TOK_EQUALS TOK_QUOTED_STRING
+ { ret_record->dbus_bus = $3; }
+ | TOK_KEY_PATH TOK_EQUALS TOK_QUOTED_STRING
+ { ret_record->dbus_path = $3; }
+ | TOK_KEY_INTERFACE TOK_EQUALS TOK_QUOTED_STRING
+ { ret_record->dbus_interface = $3; }
+ | TOK_KEY_MEMBER TOK_EQUALS TOK_QUOTED_STRING
+ { ret_record->dbus_member = $3; }
| TOK_MSG_REST
{
ret_record->event = AA_RECORD_INVALID;
@@ -301,6 +363,14 @@ apparmor_event:
key_pid: TOK_KEY_PID TOK_EQUALS TOK_DIGITS { ret_record->pid = $3; }
;
+key_peer_pid: TOK_KEY_PEER_PID TOK_EQUALS TOK_DIGITS { ret_record->peer_pid = $3; }
+ ;
+
+ignored_pid: TOK_KEY_PID TOK_EQUALS TOK_DIGITS { /* DROP */ }
+ignored_uid: TOK_KEY_UID TOK_EQUALS TOK_DIGITS { /* DROP */ }
+ignored_auid: TOK_KEY_AUID TOK_EQUALS TOK_DIGITS { /* DROP */ }
+ignored_ses: TOK_KEY_SES TOK_EQUALS TOK_DIGITS { /* DROP */ }
+
key_type: TOK_KEY_TYPE TOK_EQUALS TOK_DIGITS { ret_record->event = lookup_aa_event($3); }
;
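Review bot: The four `ignored_*` rules are the only productions in view written without a terminating `;` (compare `key_pid` and `key_peer_pid` just above), which reads as an oversight even where yacc tolerates it. Terminate each with `;` for consistency, and replace the opaque `/* DROP */` with why the values are dropped, e.g. `/* pid/uid/auid/ses of the audit sender (dbus-daemon), not of the AppArmor subject - not recorded */`, hedged as appropriate if that attribution is not certain.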
diff --git a/libraries/libapparmor/src/libaalogparse.c b/libraries/libapparmor/src/libaalogparse.c
index 5292830..f0b13bb 100644
--- a/libraries/libapparmor/src/libaalogparse.c
+++ b/libraries/libapparmor/src/libaalogparse.c
@@ -55,6 +55,8 @@ void free_record(aa_log_record *record)
free(record->denied_mask);
if (record->profile != NULL)
free(record->profile);
+ if (record->peer_profile != NULL)
+ free(record->peer_profile);
if (record->comm != NULL)
free(record->comm);
if (record->name != NULL)
@@ -67,6 +69,8 @@ void free_record(aa_log_record *record)
free(record->attribute);
if (record->info != NULL)
free(record->info);
+ if (record->peer_info != NULL)
+ free(record->peer_info);
if (record->active_hat != NULL)
free(record->active_hat);
if (record->audit_id != NULL)
@@ -77,6 +81,14 @@ void free_record(aa_log_record *record)
free(record->net_protocol);
if (record->net_sock_type != NULL)
free(record->net_sock_type);
+ if (record->dbus_bus != NULL)
+ free(record->dbus_bus);
+ if (record->dbus_path != NULL)
+ free(record->dbus_path);
+ if (record->dbus_interface != NULL)
+ free(record->dbus_interface);
+ if (record->dbus_member != NULL)
+ free(record->dbus_member);
free(record);
}
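Review bot: `free_record` now frees `peer_profile`, `peer_info` and the four `dbus_*` members, which is only safe if the record was zero-initialised at allocation so that a record without those keys holds NULL rather than garbage in the new members; the allocation site is outside this patch, so please confirm it uses `calloc` or explicitly zeroes the new fields. A one-line note here would make the contract visible: `/* every pointer member must be NULL or heap-allocated: the record is zeroed at allocation */`. The `!= NULL` guards are redundant since `free(NULL)` is a no-op, but they match the file's existing style.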
diff --git a/libraries/libapparmor/src/scanner.l b/libraries/libapparmor/src/scanner.l
index 0a619a2..2f25b04 100644
--- a/libraries/libapparmor/src/scanner.l
+++ b/libraries/libapparmor/src/scanner.l
@@ -86,6 +86,8 @@ close_paren ")"
ID [^ \t\n\(\)="'!]
hexstring ({hex}{hex})+
period "\."
+question_mark "?"
+single_quote "'"
mode_chars ([RrWwaLlMmkXx])|([Pp][Xx])|([Uu][Xx])|([Ii][Xx])|([Pp][Ii][Xx])
modes ({mode_chars}+)|({mode_chars}+::{mode_chars}*)|(::{mode_chars}*)
/* New message types */
@@ -103,6 +105,7 @@ hint_type "\"HINT\""
status_type "\"STATUS\""
error_type "\"ERROR\""
lsm_avc_type "AVC"
+user_avc_type "USER_AVC"
unknown_type UNKNOWN\[{digits}+\]
other_audit_type [[:alnum:]\[\]_-]+
@@ -115,6 +118,7 @@ key_operation "operation"
key_name "name"
key_name2 "name2"
key_namespace "namespace"
+key_mask "mask"
key_denied_mask "denied_mask"
key_requested_mask "requested_mask"
key_attribute "attribute"
@@ -122,14 +126,25 @@ key_task "task"
key_parent "parent"
key_magic_token "magic_token"
key_info "info"
+key_peer_info "peer_info"
key_pid "pid"
+key_peer_pid "peer_pid"
key_profile "profile"
+key_peer_profile "peer_profile"
key_family "family"
key_sock_type "sock_type"
key_protocol "protocol"
key_error "error"
key_fsuid "fsuid"
key_ouid "ouid"
+key_uid "uid"
+key_auid "auid"
+key_sauid "sauid"
+key_ses "ses"
+key_hostname "hostname"
+key_addr "addr"
+key_terminal "terminal"
+key_exe "exe"
key_comm "comm"
key_capability "capability"
key_capname "capname"
@@ -139,6 +154,11 @@ key_laddr "laddr"
key_faddr "faddr"
key_lport "lport"
key_fport "fport"
+key_bus "bus"
+key_dest "dest"
+key_path "path"
+key_interface "interface"
+key_member "member"
audit "audit"
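Review bot: `key_dest "dest"` is defined here but nothing in this patch uses it - there is no `{key_dest}` scanner rule, no `TOK_KEY_DEST` token and no `key:` alternative for it - so a `dest=` key in a D-Bus record, if dbus-daemon emits one, would not be recognised and would presumably end up in the `TOK_MSG_REST` fallback that marks the record `AA_RECORD_INVALID`. Either drop the definition or wire it through like `bus`: `{key_dest} { return(TOK_KEY_DEST); }` in the rules section plus a matching `%token` and `key:` alternative storing the value.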
/* network addrs */
@@ -146,6 +166,7 @@ ip_addr [a-f[:digit:].:]{3,}
/* syslog tokens */
syslog_kernel kernel{colon}
+syslog_user [[:alnum:]_-]+\[[[:digit:]]+\]{colon}
syslog_yyyymmdd {digit}{4}{minus}{digit}{2}{minus}{digit}{2}
syslog_date {syslog_yyyymmdd}
syslog_month Jan(uary)?|Feb(ruary)?|Mar(ch)?|Apr(il)?|May|Jun(e)?|Jul(y)?|Aug(ust)?|Sep(tember)?|Oct(ober)?|Nov(ember)?|Dec(ember)?
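Review bot: `syslog_user` only accepts program names made of alphanumerics, `_` and `-` before the `[pid]:` tag, so a tag containing a dot or slash would never reach the new `syslog_type` alternative; whether such tags occur for the loggers this is meant for is not visible here. The pattern also overlaps textually with `other_audit_type [[:alnum:]\[\]_-]+` and `syslog_hostname`, and only the trailing `{colon}` makes it the longer match; that dependence deserves a comment: `/* "prog[pid]:" tag of a user-space syslog line; the colon keeps this the longest match */`.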
@@ -155,6 +176,7 @@ syslog_time {hhmmss}({period}{digits})?{timezone}?
syslog_hostname [[:alnum:]_-]+
dmesg_timestamp \[[[:digit:] ]{5,}\.[[:digit:]]{6,}\]
+%x single_quoted_string
%x quoted_string
%x sub_id
%x audit_id
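Review bot: The new exclusive start condition `single_quoted_string` is declared but no hunk in this patch enters it - the nested `msg='...'` body is tokenised in the INITIAL state between two `TOK_SINGLE_QUOTE` tokens instead - so the declaration is dead as submitted. Either remove it or, if it is reserved for a follow-up, say so: `/* unused for now: USER_AVC msg='...' bodies are lexed in INITIAL between TOK_SINGLE_QUOTE tokens */`.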
@@ -237,6 +259,7 @@ yy_flex_debug = 0;
{aa_status_type} { BEGIN(INITIAL); return(TOK_TYPE_AA_STATUS); }
{aa_error_type} { BEGIN(INITIAL); return(TOK_TYPE_AA_ERROR); }
{lsm_avc_type} { BEGIN(INITIAL); return(TOK_TYPE_LSM_AVC); }
+ {user_avc_type} { BEGIN(INITIAL); return(TOK_TYPE_USER_AVC); }
{unknown_type} { char *yptr = yytext;
while (*yptr && *yptr != '[')
yptr++;
@@ -262,6 +285,8 @@ yy_flex_debug = 0;
}
{close_paren} { return(TOK_CLOSE_PAREN); }
{period} { return(TOK_PERIOD); }
+{question_mark} { return(TOK_QUESTION_MARK); }
+{single_quote} { return(TOK_SINGLE_QUOTE); }
{key_apparmor} { BEGIN(audit_types); return(TOK_KEY_APPARMOR); }
{key_type} { BEGIN(audit_types); return(TOK_KEY_TYPE); }
@@ -270,6 +295,7 @@ yy_flex_debug = 0;
{key_name} { BEGIN(safe_string); return(TOK_KEY_NAME); }
{key_name2} { BEGIN(safe_string); return(TOK_KEY_NAME2); }
{key_namespace} { BEGIN(safe_string); return(TOK_KEY_NAMESPACE); }
+{key_mask} { return(TOK_KEY_MASK); }
{key_denied_mask} { return(TOK_KEY_DENIED_MASK); }
{key_requested_mask} { return(TOK_KEY_REQUESTED_MASK); }
{key_attribute} { BEGIN(sub_id); return(TOK_KEY_ATTRIBUTE); }
@@ -277,14 +303,25 @@ yy_flex_debug = 0;
{key_parent} { return(TOK_KEY_PARENT); }
{key_magic_token} { return(TOK_KEY_MAGIC_TOKEN); }
{key_info} { return(TOK_KEY_INFO); }
+{key_peer_info} { return(TOK_KEY_PEER_INFO); }
{key_pid} { return(TOK_KEY_PID); }
+{key_peer_pid} { return(TOK_KEY_PEER_PID); }
{key_profile} { BEGIN(safe_string); return(TOK_KEY_PROFILE); }
+{key_peer_profile} { BEGIN(safe_string); return(TOK_KEY_PEER_PROFILE); }
{key_family} { return(TOK_KEY_FAMILY); }
{key_sock_type} { return(TOK_KEY_SOCK_TYPE); }
{key_protocol} { return(TOK_KEY_PROTOCOL); }
{key_error} { return(TOK_KEY_ERROR); }
{key_fsuid} { return(TOK_KEY_FSUID); }
{key_ouid} { return(TOK_KEY_OUID); }
+{key_uid} { return(TOK_KEY_UID); }
+{key_auid} { return(TOK_KEY_AUID); }
+{key_sauid} { return(TOK_KEY_SAUID); }
+{key_ses} { return(TOK_KEY_SES); }
+{key_hostname} { return(TOK_KEY_HOSTNAME); }
+{key_addr} { return(TOK_KEY_ADDR); }
+{key_terminal} { return(TOK_KEY_TERMINAL); }
+{key_exe} { BEGIN(safe_string); return(TOK_KEY_EXE); }
{key_comm} { BEGIN(safe_string); return(TOK_KEY_COMM); }
{key_capability} { return(TOK_KEY_CAPABILITY); }
{key_capname} { return(TOK_KEY_CAPNAME); }
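Review bot: `key_hostname`, `key_addr` and `key_terminal` return their tokens without `BEGIN(safe_string)`, yet the grammar's `key` alternatives for them expect a `safe_string` value, the same nonterminal that `key_exe` and `key_profile` prepare by entering the safe_string state. The likely reason is that the `?` placeholder must still lex as `TOK_QUESTION_MARK` in INITIAL, but that is not stated, and whether a real hostname or TTY value lexes correctly without the state depends on what `safe_string` expands to (not visible here). Please either confirm it with a test line such as `hostname=localhost addr=? terminal=pts/0` or add a comment on these three rules: `/* no BEGIN(safe_string): value may be a bare '?' placeholder */`.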
@@ -294,8 +331,13 @@ yy_flex_debug = 0;
{key_faddr} { yy_push_state(ip_addr, yyscanner); return(TOK_KEY_FADDR); }
{key_lport} { return(TOK_KEY_LPORT); }
{key_fport} { return(TOK_KEY_FPORT); }
+{key_bus} { return(TOK_KEY_BUS); }
+{key_path} { return(TOK_KEY_PATH); }
+{key_interface} { return(TOK_KEY_INTERFACE); }
+{key_member} { return(TOK_KEY_MEMBER); }
{syslog_kernel} { BEGIN(dmesg_timestamp); return(TOK_SYSLOG_KERNEL); }
+{syslog_user} { return(TOK_SYSLOG_USER); }
{syslog_month} { yylval->t_str = strdup(yytext); return(TOK_DATE_MONTH); }
{syslog_date} { yylval->t_str = strdup(yytext); return(TOK_DATE); }
{syslog_date}T/{syslog_time} { yylval->t_str = strndup(yytext, strlen(yytext)-1); return(TOK_DATE); }
--
1.8.3.2