[apparmor] [PATCH 1/2] libaalogparse: Parse dbus-daemon audit messages
Tyler Hicks
tyhicks at canonical.com
Fri Aug 9 02:07:06 UTC 2013
On 2013-08-08 18:17:08, Seth Arnold wrote:
> On Thu, Aug 01, 2013 at 12:31:30AM -0700, Tyler Hicks wrote:
> > This requires libaalogparse to become aware of USER_AVC messages.
>
> A few questions inline..
>
> > Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
> > ---
> > libraries/libapparmor/src/aalogparse.h | 7 +++
> > libraries/libapparmor/src/grammar.y | 72 ++++++++++++++++++++++++++++++-
> > libraries/libapparmor/src/libaalogparse.c | 12 ++++++
> > libraries/libapparmor/src/scanner.l | 42 ++++++++++++++++++
> > 4 files changed, 132 insertions(+), 1 deletion(-)
> >
> > diff --git a/libraries/libapparmor/src/aalogparse.h b/libraries/libapparmor/src/aalogparse.h
> > index 2079669..ceaa4ec 100644
> > --- a/libraries/libapparmor/src/aalogparse.h
> > +++ b/libraries/libapparmor/src/aalogparse.h
> > @@ -116,6 +116,7 @@ typedef struct
> > aa_record_syntax_version version;
> > aa_record_event_type event; /* Event type */
> > unsigned long pid; /* PID of the program logging the message */
> > + unsigned long peer_pid;
> > unsigned long task;
> > unsigned long magic_token;
> > long epoch; /* example: 12345679 */
> > @@ -129,6 +130,7 @@ typedef struct
> > unsigned long fsuid; /* fsuid of task - if logged */
> > unsigned long ouid; /* ouid of task - if logged */
> > char *profile; /* The name of the profile */
> > + char *peer_profile;
> > char *comm; /* Command that triggered msg */
> > char *name;
> > char *name2;
> > @@ -136,6 +138,7 @@ typedef struct
> > char *attribute;
> > unsigned long parent;
> > char *info;
> > + char *peer_info;
> > int error_code; /* error_code returned if logged */
> > char *active_hat;
> > char *net_family;
> > @@ -145,6 +148,10 @@ typedef struct
> > unsigned long net_local_port;
> > char *net_foreign_addr;
> > unsigned long net_foreign_port;
> > + char *dbus_bus;
> > + char *dbus_path;
> > + char *dbus_interface;
> > + char *dbus_member;
> > } aa_log_record;
> >
> > /**
> > diff --git a/libraries/libapparmor/src/grammar.y b/libraries/libapparmor/src/grammar.y
> > index 80f659e..a9b1176 100644
> > --- a/libraries/libapparmor/src/grammar.y
> > +++ b/libraries/libapparmor/src/grammar.y
> > @@ -91,6 +91,8 @@ aa_record_event_type lookup_aa_event(unsigned int type)
> > %token TOK_OPEN_PAREN
> > %token TOK_CLOSE_PAREN
> > %token TOK_PERIOD
> > +%token TOK_QUESTION_MARK
> > +%token TOK_SINGLE_QUOTE
> >
> > %token TOK_TYPE_REJECT
> > %token TOK_TYPE_AUDIT
> > @@ -105,6 +107,7 @@ aa_record_event_type lookup_aa_event(unsigned int type)
> > %token TOK_TYPE_AA_STATUS
> > %token TOK_TYPE_AA_ERROR
> > %token TOK_TYPE_LSM_AVC
> > +%token TOK_TYPE_USER_AVC
> >
> > %token TOK_KEY_APPARMOR
> > %token TOK_KEY_TYPE
> > @@ -112,6 +115,7 @@ aa_record_event_type lookup_aa_event(unsigned int type)
> > %token TOK_KEY_OPERATION
> > %token TOK_KEY_NAME
> > %token TOK_KEY_NAME2
> > +%token TOK_KEY_MASK
> > %token TOK_KEY_DENIED_MASK
> > %token TOK_KEY_REQUESTED_MASK
> > %token TOK_KEY_ATTRIBUTE
> > @@ -119,8 +123,11 @@ aa_record_event_type lookup_aa_event(unsigned int type)
> > %token TOK_KEY_PARENT
> > %token TOK_KEY_MAGIC_TOKEN
> > %token TOK_KEY_INFO
> > +%token TOK_KEY_PEER_INFO
> > %token TOK_KEY_PID
> > +%token TOK_KEY_PEER_PID
> > %token TOK_KEY_PROFILE
> > +%token TOK_KEY_PEER_PROFILE
> > %token TOK_AUDIT
> > %token TOK_KEY_FAMILY
> > %token TOK_KEY_SOCK_TYPE
> > @@ -129,6 +136,14 @@ aa_record_event_type lookup_aa_event(unsigned int type)
> > %token TOK_KEY_ERROR
> > %token TOK_KEY_FSUID
> > %token TOK_KEY_OUID
> > +%token TOK_KEY_UID
> > +%token TOK_KEY_AUID
> > +%token TOK_KEY_SAUID
> > +%token TOK_KEY_SES
> > +%token TOK_KEY_HOSTNAME
> > +%token TOK_KEY_ADDR
> > +%token TOK_KEY_TERMINAL
> > +%token TOK_KEY_EXE
> > %token TOK_KEY_COMM
> > %token TOK_KEY_CAPABILITY
> > %token TOK_KEY_CAPNAME
> > @@ -138,8 +153,13 @@ aa_record_event_type lookup_aa_event(unsigned int type)
> > %token TOK_KEY_FADDR
> > %token TOK_KEY_LPORT
> > %token TOK_KEY_FPORT
> > +%token TOK_KEY_BUS
> > +%token TOK_KEY_PATH
> > +%token TOK_KEY_INTERFACE
> > +%token TOK_KEY_MEMBER
> >
> > %token TOK_SYSLOG_KERNEL
> > +%token TOK_SYSLOG_USER
> >
> > %%
> >
> > @@ -163,6 +183,7 @@ new_syntax:
> > | TOK_TYPE_AA_ERROR audit_msg key_list { ret_record->event = AA_RECORD_ERROR; }
> > | TOK_TYPE_UNKNOWN audit_msg key_list { ret_record->event = lookup_aa_event($1); }
> > | TOK_TYPE_LSM_AVC audit_msg key_list
> > + | TOK_TYPE_USER_AVC audit_user_msg TOK_SINGLE_QUOTE key_list TOK_SINGLE_QUOTE
> > ;
> >
> > other_audit: TOK_TYPE_OTHER audit_msg TOK_MSG_REST
> > @@ -182,6 +203,8 @@ syslog_type:
> > { ret_record->version = AA_RECORD_SYNTAX_V2; }
> > | syslog_date TOK_ID TOK_SYSLOG_KERNEL TOK_DMESG_STAMP key_type audit_id key_list
> > { ret_record->version = AA_RECORD_SYNTAX_V2; }
> > + | syslog_date TOK_ID TOK_SYSLOG_USER key_list
> > + { ret_record->version = AA_RECORD_SYNTAX_V2; }
> > ;
> >
> > /* when audit dispatches a message it doesn't prepend the audit type string */
> > @@ -192,6 +215,9 @@ audit_dispatch:
> > audit_msg: TOK_KEY_MSG TOK_EQUALS audit_id
> > ;
> >
> > +audit_user_msg: TOK_KEY_MSG TOK_EQUALS audit_id ignored_pid ignored_uid ignored_auid ignored_ses TOK_KEY_MSG TOK_EQUALS
> > + ;
> > +
> > audit_id: TOK_AUDIT TOK_OPEN_PAREN TOK_AUDIT_DIGITS TOK_PERIOD TOK_AUDIT_DIGITS TOK_COLON TOK_AUDIT_DIGITS TOK_CLOSE_PAREN TOK_COLON
> > {
> > if (!asprintf(&ret_record->audit_id, "%s.%s:%s", $3, $5, $7))
> > @@ -219,6 +245,8 @@ key: TOK_KEY_OPERATION TOK_EQUALS TOK_QUOTED_STRING
> > { ret_record->namespace = $3;}
> > | TOK_KEY_NAME2 TOK_EQUALS safe_string
> > { ret_record->name2 = $3;}
> > + | TOK_KEY_MASK TOK_EQUALS TOK_QUOTED_STRING
> > + { ret_record->denied_mask = $3;}
> > | TOK_KEY_DENIED_MASK TOK_EQUALS TOK_QUOTED_STRING
> > { ret_record->denied_mask = $3;}
> > | TOK_KEY_REQUESTED_MASK TOK_EQUALS TOK_QUOTED_STRING
> > @@ -233,9 +261,14 @@ key: TOK_KEY_OPERATION TOK_EQUALS TOK_QUOTED_STRING
> > { ret_record->magic_token = $3;}
> > | TOK_KEY_INFO TOK_EQUALS TOK_QUOTED_STRING
> > { ret_record->info = $3;}
> > + | TOK_KEY_PEER_INFO TOK_EQUALS TOK_QUOTED_STRING
> > + { ret_record->peer_info = $3;}
> > | key_pid
> > + | key_peer_pid
> > | TOK_KEY_PROFILE TOK_EQUALS safe_string
> > { ret_record->profile = $3;}
>
> Hrm, how does a 'key_pid' or 'key_peer_pid' match, in a way that there's
> a $3 to assign from?
I wish I knew the correct yacc terminology to use to describe what I
believe to be happening, but I don't. :)
I'll point out where there's a $3 to assign from further down.
>
> > + | TOK_KEY_PEER_PROFILE TOK_EQUALS safe_string
> > + { ret_record->peer_profile = $3;}
> > | TOK_KEY_FAMILY TOK_EQUALS TOK_QUOTED_STRING
> > { ret_record->net_family = $3;}
> > | TOK_KEY_SOCK_TYPE TOK_EQUALS TOK_QUOTED_STRING
> > @@ -252,8 +285,29 @@ key: TOK_KEY_OPERATION TOK_EQUALS TOK_QUOTED_STRING
> > { ret_record->fsuid = $3;}
> > | TOK_KEY_OUID TOK_EQUALS TOK_DIGITS
> > { ret_record->ouid = $3;}
> > + | TOK_KEY_SAUID TOK_EQUALS TOK_DIGITS
> > + { /* Ignore - Source audit ID from user AVC messages */ }
> > + | TOK_KEY_HOSTNAME TOK_EQUALS safe_string
> > + { free($3); /* Ignore - hostname from user AVC messages */ }
> > + | TOK_KEY_HOSTNAME TOK_EQUALS TOK_QUESTION_MARK
> > + | TOK_KEY_ADDR TOK_EQUALS TOK_QUESTION_MARK
> > + | TOK_KEY_TERMINAL TOK_EQUALS TOK_QUESTION_MARK
> > + | TOK_KEY_ADDR TOK_EQUALS safe_string
> > + { free($3); /* Ignore - IP address from user AVC messages */ }
>
> We may wish to investigate %destructor to avoid hand-freeing
> safe_string, TOK_QUESTION_MARK, and so forth.
That would clean things up. free()'s are scattered throughout.
>
> > + | TOK_KEY_TERMINAL TOK_EQUALS safe_string
> > + { free($3); /* Ignore - TTY from user AVC messages */ }
> > + | TOK_KEY_EXE TOK_EQUALS safe_string
> > + { /* Free existing arrays because exe= and comm= maps to the same
> > + aa_log_record member */
> > + free(ret_record->comm);
> > + ret_record->comm = $3;
> > + }
> > | TOK_KEY_COMM TOK_EQUALS safe_string
> > - { ret_record->comm = $3;}
> > + { /* Free existing arrays because exe= and comm= maps to the same
> > + aa_log_record member */
> > + free(ret_record->comm);
> > + ret_record->comm = $3;
> > + }
>
> The actions for TOK_KEY_COMM and TOK_KEY_EXE are the same, we could
> combine them into one action block.
Good catch, I incorporated the patch below into the greater patch:
diff --git a/libraries/libapparmor/src/grammar.y b/libraries/libapparmor/src/grammar.y
index a9b1176..de75143 100644
--- a/libraries/libapparmor/src/grammar.y
+++ b/libraries/libapparmor/src/grammar.y
@@ -297,11 +297,6 @@ key: TOK_KEY_OPERATION TOK_EQUALS TOK_QUOTED_STRING
| TOK_KEY_TERMINAL TOK_EQUALS safe_string
{ free($3); /* Ignore - TTY from user AVC messages */ }
| TOK_KEY_EXE TOK_EQUALS safe_string
- { /* Free existing arrays because exe= and comm= maps to the same
- aa_log_record member */
- free(ret_record->comm);
- ret_record->comm = $3;
- }
| TOK_KEY_COMM TOK_EQUALS safe_string
{ /* Free existing arrays because exe= and comm= maps to the same
aa_log_record member */
>
> > | TOK_KEY_APPARMOR TOK_EQUALS apparmor_event
> > | TOK_KEY_CAPABILITY TOK_EQUALS TOK_DIGITS
> > { /* need to reverse map number to string, need to figure out
> > @@ -282,6 +336,14 @@ key: TOK_KEY_OPERATION TOK_EQUALS TOK_QUOTED_STRING
> > { ret_record->net_local_port = $3;}
> > | TOK_KEY_FPORT TOK_EQUALS TOK_DIGITS
> > { ret_record->net_foreign_port = $3;}
> > + | TOK_KEY_BUS TOK_EQUALS TOK_QUOTED_STRING
> > + { ret_record->dbus_bus = $3; }
> > + | TOK_KEY_PATH TOK_EQUALS TOK_QUOTED_STRING
> > + { ret_record->dbus_path = $3; }
> > + | TOK_KEY_INTERFACE TOK_EQUALS TOK_QUOTED_STRING
> > + { ret_record->dbus_interface = $3; }
> > + | TOK_KEY_MEMBER TOK_EQUALS TOK_QUOTED_STRING
> > + { ret_record->dbus_member = $3; }
> > | TOK_MSG_REST
> > {
> > ret_record->event = AA_RECORD_INVALID;
> > @@ -301,6 +363,14 @@ apparmor_event:
> > key_pid: TOK_KEY_PID TOK_EQUALS TOK_DIGITS { ret_record->pid = $3; }
> > ;
> >
> > +key_peer_pid: TOK_KEY_PEER_PID TOK_EQUALS TOK_DIGITS { ret_record->peer_pid = $3; }
Here's where key_pid and key_peer_pid have a $3 to assign from.
Tyler
> > + ;
> > +
> > +ignored_pid: TOK_KEY_PID TOK_EQUALS TOK_DIGITS { /* DROP */ }
> > +ignored_uid: TOK_KEY_UID TOK_EQUALS TOK_DIGITS { /* DROP */ }
> > +ignored_auid: TOK_KEY_AUID TOK_EQUALS TOK_DIGITS { /* DROP */ }
> > +ignored_ses: TOK_KEY_SES TOK_EQUALS TOK_DIGITS { /* DROP */ }
> > +
> > key_type: TOK_KEY_TYPE TOK_EQUALS TOK_DIGITS { ret_record->event = lookup_aa_event($3); }
> > ;
> >
> > diff --git a/libraries/libapparmor/src/libaalogparse.c b/libraries/libapparmor/src/libaalogparse.c
> > index 5292830..f0b13bb 100644
> > --- a/libraries/libapparmor/src/libaalogparse.c
> > +++ b/libraries/libapparmor/src/libaalogparse.c
> > @@ -55,6 +55,8 @@ void free_record(aa_log_record *record)
> > free(record->denied_mask);
> > if (record->profile != NULL)
> > free(record->profile);
> > + if (record->peer_profile != NULL)
> > + free(record->peer_profile);
> > if (record->comm != NULL)
> > free(record->comm);
> > if (record->name != NULL)
> > @@ -67,6 +69,8 @@ void free_record(aa_log_record *record)
> > free(record->attribute);
> > if (record->info != NULL)
> > free(record->info);
> > + if (record->peer_info != NULL)
> > + free(record->peer_info);
> > if (record->active_hat != NULL)
> > free(record->active_hat);
> > if (record->audit_id != NULL)
> > @@ -77,6 +81,14 @@ void free_record(aa_log_record *record)
> > free(record->net_protocol);
> > if (record->net_sock_type != NULL)
> > free(record->net_sock_type);
> > + if (record->dbus_bus != NULL)
> > + free(record->dbus_bus);
> > + if (record->dbus_path != NULL)
> > + free(record->dbus_path);
> > + if (record->dbus_interface != NULL)
> > + free(record->dbus_interface);
> > + if (record->dbus_member != NULL)
> > + free(record->dbus_member);
> >
> > free(record);
> > }
> > diff --git a/libraries/libapparmor/src/scanner.l b/libraries/libapparmor/src/scanner.l
> > index 0a619a2..2f25b04 100644
> > --- a/libraries/libapparmor/src/scanner.l
> > +++ b/libraries/libapparmor/src/scanner.l
> > @@ -86,6 +86,8 @@ close_paren ")"
> > ID [^ \t\n\(\)="'!]
> > hexstring ({hex}{hex})+
> > period "\."
> > +question_mark "?"
> > +single_quote "'"
> > mode_chars ([RrWwaLlMmkXx])|([Pp][Xx])|([Uu][Xx])|([Ii][Xx])|([Pp][Ii][Xx])
> > modes ({mode_chars}+)|({mode_chars}+::{mode_chars}*)|(::{mode_chars}*)
> > /* New message types */
> > @@ -103,6 +105,7 @@ hint_type "\"HINT\""
> > status_type "\"STATUS\""
> > error_type "\"ERROR\""
> > lsm_avc_type "AVC"
> > +user_avc_type "USER_AVC"
> > unknown_type UNKNOWN\[{digits}+\]
> > other_audit_type [[:alnum:]\[\]_-]+
> >
> > @@ -115,6 +118,7 @@ key_operation "operation"
> > key_name "name"
> > key_name2 "name2"
> > key_namespace "namespace"
> > +key_mask "mask"
> > key_denied_mask "denied_mask"
> > key_requested_mask "requested_mask"
> > key_attribute "attribute"
> > @@ -122,14 +126,25 @@ key_task "task"
> > key_parent "parent"
> > key_magic_token "magic_token"
> > key_info "info"
> > +key_peer_info "peer_info"
> > key_pid "pid"
> > +key_peer_pid "peer_pid"
> > key_profile "profile"
> > +key_peer_profile "peer_profile"
> > key_family "family"
> > key_sock_type "sock_type"
> > key_protocol "protocol"
> > key_error "error"
> > key_fsuid "fsuid"
> > key_ouid "ouid"
> > +key_uid "uid"
> > +key_auid "auid"
> > +key_sauid "sauid"
> > +key_ses "ses"
> > +key_hostname "hostname"
> > +key_addr "addr"
> > +key_terminal "terminal"
> > +key_exe "exe"
> > key_comm "comm"
> > key_capability "capability"
> > key_capname "capname"
> > @@ -139,6 +154,11 @@ key_laddr "laddr"
> > key_faddr "faddr"
> > key_lport "lport"
> > key_fport "fport"
> > +key_bus "bus"
> > +key_dest "dest"
> > +key_path "path"
> > +key_interface "interface"
> > +key_member "member"
> > audit "audit"
> >
> > /* network addrs */
> > @@ -146,6 +166,7 @@ ip_addr [a-f[:digit:].:]{3,}
> >
> > /* syslog tokens */
> > syslog_kernel kernel{colon}
> > +syslog_user [[:alnum:]_-]+\[[[:digit:]]+\]{colon}
> > syslog_yyyymmdd {digit}{4}{minus}{digit}{2}{minus}{digit}{2}
> > syslog_date {syslog_yyyymmdd}
> > syslog_month Jan(uary)?|Feb(ruary)?|Mar(ch)?|Apr(il)?|May|Jun(e)?|Jul(y)?|Aug(ust)?|Sep(tember)?|Oct(ober)?|Nov(ember)?|Dec(ember)?
> > @@ -155,6 +176,7 @@ syslog_time {hhmmss}({period}{digits})?{timezone}?
> > syslog_hostname [[:alnum:]_-]+
> > dmesg_timestamp \[[[:digit:] ]{5,}\.[[:digit:]]{6,}\]
> >
> > +%x single_quoted_string
> > %x quoted_string
> > %x sub_id
> > %x audit_id
> > @@ -237,6 +259,7 @@ yy_flex_debug = 0;
> > {aa_status_type} { BEGIN(INITIAL); return(TOK_TYPE_AA_STATUS); }
> > {aa_error_type} { BEGIN(INITIAL); return(TOK_TYPE_AA_ERROR); }
> > {lsm_avc_type} { BEGIN(INITIAL); return(TOK_TYPE_LSM_AVC); }
> > + {user_avc_type} { BEGIN(INITIAL); return(TOK_TYPE_USER_AVC); }
> > {unknown_type} { char *yptr = yytext;
> > while (*yptr && *yptr != '[')
> > yptr++;
> > @@ -262,6 +285,8 @@ yy_flex_debug = 0;
> > }
> > {close_paren} { return(TOK_CLOSE_PAREN); }
> > {period} { return(TOK_PERIOD); }
> > +{question_mark} { return(TOK_QUESTION_MARK); }
> > +{single_quote} { return(TOK_SINGLE_QUOTE); }
> >
> > {key_apparmor} { BEGIN(audit_types); return(TOK_KEY_APPARMOR); }
> > {key_type} { BEGIN(audit_types); return(TOK_KEY_TYPE); }
> > @@ -270,6 +295,7 @@ yy_flex_debug = 0;
> > {key_name} { BEGIN(safe_string); return(TOK_KEY_NAME); }
> > {key_name2} { BEGIN(safe_string); return(TOK_KEY_NAME2); }
> > {key_namespace} { BEGIN(safe_string); return(TOK_KEY_NAMESPACE); }
> > +{key_mask} { return(TOK_KEY_MASK); }
> > {key_denied_mask} { return(TOK_KEY_DENIED_MASK); }
> > {key_requested_mask} { return(TOK_KEY_REQUESTED_MASK); }
> > {key_attribute} { BEGIN(sub_id); return(TOK_KEY_ATTRIBUTE); }
> > @@ -277,14 +303,25 @@ yy_flex_debug = 0;
> > {key_parent} { return(TOK_KEY_PARENT); }
> > {key_magic_token} { return(TOK_KEY_MAGIC_TOKEN); }
> > {key_info} { return(TOK_KEY_INFO); }
> > +{key_peer_info} { return(TOK_KEY_PEER_INFO); }
> > {key_pid} { return(TOK_KEY_PID); }
> > +{key_peer_pid} { return(TOK_KEY_PEER_PID); }
> > {key_profile} { BEGIN(safe_string); return(TOK_KEY_PROFILE); }
> > +{key_peer_profile} { BEGIN(safe_string); return(TOK_KEY_PEER_PROFILE); }
> > {key_family} { return(TOK_KEY_FAMILY); }
> > {key_sock_type} { return(TOK_KEY_SOCK_TYPE); }
> > {key_protocol} { return(TOK_KEY_PROTOCOL); }
> > {key_error} { return(TOK_KEY_ERROR); }
> > {key_fsuid} { return(TOK_KEY_FSUID); }
> > {key_ouid} { return(TOK_KEY_OUID); }
> > +{key_uid} { return(TOK_KEY_UID); }
> > +{key_auid} { return(TOK_KEY_AUID); }
> > +{key_sauid} { return(TOK_KEY_SAUID); }
> > +{key_ses} { return(TOK_KEY_SES); }
> > +{key_hostname} { return(TOK_KEY_HOSTNAME); }
> > +{key_addr} { return(TOK_KEY_ADDR); }
> > +{key_terminal} { return(TOK_KEY_TERMINAL); }
> > +{key_exe} { BEGIN(safe_string); return(TOK_KEY_EXE); }
> > {key_comm} { BEGIN(safe_string); return(TOK_KEY_COMM); }
> > {key_capability} { return(TOK_KEY_CAPABILITY); }
> > {key_capname} { return(TOK_KEY_CAPNAME); }
> > @@ -294,8 +331,13 @@ yy_flex_debug = 0;
> > {key_faddr} { yy_push_state(ip_addr, yyscanner); return(TOK_KEY_FADDR); }
> > {key_lport} { return(TOK_KEY_LPORT); }
> > {key_fport} { return(TOK_KEY_FPORT); }
> > +{key_bus} { return(TOK_KEY_BUS); }
> > +{key_path} { return(TOK_KEY_PATH); }
> > +{key_interface} { return(TOK_KEY_INTERFACE); }
> > +{key_member} { return(TOK_KEY_MEMBER); }
> >
> > {syslog_kernel} { BEGIN(dmesg_timestamp); return(TOK_SYSLOG_KERNEL); }
> > +{syslog_user} { return(TOK_SYSLOG_USER); }
> > {syslog_month} { yylval->t_str = strdup(yytext); return(TOK_DATE_MONTH); }
> > {syslog_date} { yylval->t_str = strdup(yytext); return(TOK_DATE); }
> > {syslog_date}T/{syslog_time} { yylval->t_str = strndup(yytext, strlen(yytext)-1); return(TOK_DATE); }
> > --
>
> Thanks
> --
> AppArmor mailing list
> AppArmor at lists.ubuntu.com
> Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20130808/c64f2db1/attachment.pgp>
More information about the AppArmor
mailing list