[apparmor] [PATCH 1/2] libaalogparse: Parse dbus-daemon audit messages

Seth Arnold seth.arnold at canonical.com
Fri Aug 9 06:39:48 UTC 2013


On Thu, Aug 01, 2013 at 12:31:30AM -0700, Tyler Hicks wrote:
> This requires libaalogparse to become aware of USER_AVC messages.
> 
> Signed-off-by: Tyler Hicks <tyhicks at canonical.com>

Acked-by: Seth Arnold <seth.arnold at canonical.com>

> ---
>  libraries/libapparmor/src/aalogparse.h    |  7 +++
>  libraries/libapparmor/src/grammar.y       | 72 ++++++++++++++++++++++++++++++-
>  libraries/libapparmor/src/libaalogparse.c | 12 ++++++
>  libraries/libapparmor/src/scanner.l       | 42 ++++++++++++++++++
>  4 files changed, 132 insertions(+), 1 deletion(-)
> 
> diff --git a/libraries/libapparmor/src/aalogparse.h b/libraries/libapparmor/src/aalogparse.h
> index 2079669..ceaa4ec 100644
> --- a/libraries/libapparmor/src/aalogparse.h
> +++ b/libraries/libapparmor/src/aalogparse.h
> @@ -116,6 +116,7 @@ typedef struct
>  	aa_record_syntax_version version;
>  	aa_record_event_type event;	/* Event type */
>  	unsigned long pid;		/* PID of the program logging the message */
> +	unsigned long peer_pid;
>  	unsigned long task;
>  	unsigned long magic_token;
>  	long epoch;			/* example: 12345679 */
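Review bot: Inserting `peer_pid` between `pid` and `task` changes the offset of every later member of this public `aa_log_record` struct, so programs already built against libapparmor would read the wrong fields unless the library's ABI/soname is bumped; the same applies to `peer_profile` and `peer_info` inserted mid-struct in the following hunks. Appending the new members at the end, as the `dbus_*` fields already are, keeps the existing layout stable. The new field also lacks the trailing comment its neighbours carry; suggest `unsigned long peer_pid;	/* PID of the peer task - if logged */`. The struct definition begins before this hunk.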
> @@ -129,6 +130,7 @@ typedef struct
>  	unsigned long fsuid;		/* fsuid of task - if logged */
>  	unsigned long ouid;		/* ouid of task - if logged */
>  	char *profile;			/* The name of the profile */
> +	char *peer_profile;
>  	char *comm;			/* Command that triggered msg */
>  	char *name;
>  	char *name2;
> @@ -136,6 +138,7 @@ typedef struct
>  	char *attribute;
>  	unsigned long parent;	
>  	char *info;
> +	char *peer_info;
>  	int error_code;			/* error_code returned if logged */
>  	char *active_hat;
>  	char *net_family;
> @@ -145,6 +148,10 @@ typedef struct
>  	unsigned long net_local_port;
>  	char *net_foreign_addr;
>  	unsigned long net_foreign_port;
> +	char *dbus_bus;
> +	char *dbus_path;
> +	char *dbus_interface;
> +	char *dbus_member;
>  } aa_log_record;
>  
>  /**
> diff --git a/libraries/libapparmor/src/grammar.y b/libraries/libapparmor/src/grammar.y
> index 80f659e..a9b1176 100644
> --- a/libraries/libapparmor/src/grammar.y
> +++ b/libraries/libapparmor/src/grammar.y
> @@ -91,6 +91,8 @@ aa_record_event_type lookup_aa_event(unsigned int type)
>  %token TOK_OPEN_PAREN
>  %token TOK_CLOSE_PAREN
>  %token TOK_PERIOD
> +%token TOK_QUESTION_MARK
> +%token TOK_SINGLE_QUOTE
>  
>  %token TOK_TYPE_REJECT
>  %token TOK_TYPE_AUDIT
> @@ -105,6 +107,7 @@ aa_record_event_type lookup_aa_event(unsigned int type)
>  %token TOK_TYPE_AA_STATUS
>  %token TOK_TYPE_AA_ERROR
>  %token TOK_TYPE_LSM_AVC
> +%token TOK_TYPE_USER_AVC
>  
>  %token TOK_KEY_APPARMOR
>  %token TOK_KEY_TYPE
> @@ -112,6 +115,7 @@ aa_record_event_type lookup_aa_event(unsigned int type)
>  %token TOK_KEY_OPERATION
>  %token TOK_KEY_NAME
>  %token TOK_KEY_NAME2
> +%token TOK_KEY_MASK
>  %token TOK_KEY_DENIED_MASK
>  %token TOK_KEY_REQUESTED_MASK
>  %token TOK_KEY_ATTRIBUTE
> @@ -119,8 +123,11 @@ aa_record_event_type lookup_aa_event(unsigned int type)
>  %token TOK_KEY_PARENT
>  %token TOK_KEY_MAGIC_TOKEN
>  %token TOK_KEY_INFO
> +%token TOK_KEY_PEER_INFO
>  %token TOK_KEY_PID
> +%token TOK_KEY_PEER_PID
>  %token TOK_KEY_PROFILE
> +%token TOK_KEY_PEER_PROFILE
>  %token TOK_AUDIT
>  %token TOK_KEY_FAMILY
>  %token TOK_KEY_SOCK_TYPE
> @@ -129,6 +136,14 @@ aa_record_event_type lookup_aa_event(unsigned int type)
>  %token TOK_KEY_ERROR
>  %token TOK_KEY_FSUID
>  %token TOK_KEY_OUID
> +%token TOK_KEY_UID
> +%token TOK_KEY_AUID
> +%token TOK_KEY_SAUID
> +%token TOK_KEY_SES
> +%token TOK_KEY_HOSTNAME
> +%token TOK_KEY_ADDR
> +%token TOK_KEY_TERMINAL
> +%token TOK_KEY_EXE
>  %token TOK_KEY_COMM
>  %token TOK_KEY_CAPABILITY
>  %token TOK_KEY_CAPNAME
> @@ -138,8 +153,13 @@ aa_record_event_type lookup_aa_event(unsigned int type)
>  %token TOK_KEY_FADDR
>  %token TOK_KEY_LPORT
>  %token TOK_KEY_FPORT
> +%token TOK_KEY_BUS
> +%token TOK_KEY_PATH
> +%token TOK_KEY_INTERFACE
> +%token TOK_KEY_MEMBER
>  
>  %token TOK_SYSLOG_KERNEL
> +%token TOK_SYSLOG_USER
>  
>  %%
>  
> @@ -163,6 +183,7 @@ new_syntax:
>  	| TOK_TYPE_AA_ERROR audit_msg key_list { ret_record->event = AA_RECORD_ERROR; }
>  	| TOK_TYPE_UNKNOWN audit_msg key_list { ret_record->event = lookup_aa_event($1); }
>  	| TOK_TYPE_LSM_AVC audit_msg key_list
> +	| TOK_TYPE_USER_AVC audit_user_msg TOK_SINGLE_QUOTE key_list TOK_SINGLE_QUOTE
>  	;
>  
>  other_audit: TOK_TYPE_OTHER audit_msg TOK_MSG_REST
> @@ -182,6 +203,8 @@ syslog_type:
>  	  { ret_record->version = AA_RECORD_SYNTAX_V2; }
>  	| syslog_date TOK_ID TOK_SYSLOG_KERNEL TOK_DMESG_STAMP key_type audit_id key_list
>  	  { ret_record->version = AA_RECORD_SYNTAX_V2; }
> +	| syslog_date TOK_ID TOK_SYSLOG_USER key_list
> +	  { ret_record->version = AA_RECORD_SYNTAX_V2; }
>  	;
>  
>  /* when audit dispatches a message it doesn't prepend the audit type string */
> @@ -192,6 +215,9 @@ audit_dispatch:
>  audit_msg: TOK_KEY_MSG TOK_EQUALS audit_id
>  	;
>  
> +audit_user_msg: TOK_KEY_MSG TOK_EQUALS audit_id ignored_pid ignored_uid ignored_auid ignored_ses TOK_KEY_MSG TOK_EQUALS
> +	;
> +
>  audit_id: TOK_AUDIT TOK_OPEN_PAREN TOK_AUDIT_DIGITS TOK_PERIOD TOK_AUDIT_DIGITS TOK_COLON TOK_AUDIT_DIGITS TOK_CLOSE_PAREN TOK_COLON
>  	{
>  		if (!asprintf(&ret_record->audit_id, "%s.%s:%s", $3, $5, $7))
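Review bot: `audit_user_msg` hard-codes the envelope as exactly `pid= uid= auid= ses=` in that order followed by `msg=`, so any extra or reordered envelope key (a `subj=` field, for instance, which some kernels may add to user messages) makes the whole USER_AVC record fail to parse instead of merely losing that key. A more tolerant form would accept the envelope keys in any order and skip unknown ones, which is what `key_list` already does for the inner message. The audit-trail attributes `auid` and `ses` are also discarded silently; if that is intended it deserves a comment, e.g. `/* Envelope pid/uid/auid/ses presumably describe the process that submitted the record, not the peer; dropped */`.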
> @@ -219,6 +245,8 @@ key: TOK_KEY_OPERATION TOK_EQUALS TOK_QUOTED_STRING
>  	{ ret_record->namespace = $3;}
>  	| TOK_KEY_NAME2 TOK_EQUALS safe_string
>  	{ ret_record->name2 = $3;}
> +	| TOK_KEY_MASK TOK_EQUALS TOK_QUOTED_STRING
> +	{ ret_record->denied_mask = $3;}
>  	| TOK_KEY_DENIED_MASK TOK_EQUALS TOK_QUOTED_STRING
>  	{ ret_record->denied_mask = $3;}
>  	| TOK_KEY_REQUESTED_MASK TOK_EQUALS TOK_QUOTED_STRING
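Review bot: `mask=` and `denied_mask=` both store into `ret_record->denied_mask` without freeing the previous value, so a record carrying both keys leaks the first string; this same patch frees the existing member before overwriting for `exe=`/`comm=`, and the new alternative should do likewise: `{ free(ret_record->denied_mask); ret_record->denied_mask = $3; }`. Nothing here says why two keys map to one member either; a one-line comment such as `/* dbus-daemon presumably logs the mask as mask= rather than denied_mask= */` would help the next reader. If `mask=` can also appear on non-DENIED records, calling the member `denied_mask` is misleading, but that cannot be confirmed from the hunk. The `key` rule begins before this hunk.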
> @@ -233,9 +261,14 @@ key: TOK_KEY_OPERATION TOK_EQUALS TOK_QUOTED_STRING
>  	{ ret_record->magic_token = $3;}
>  	| TOK_KEY_INFO TOK_EQUALS TOK_QUOTED_STRING
>  	{ ret_record->info = $3;}
> +	| TOK_KEY_PEER_INFO TOK_EQUALS TOK_QUOTED_STRING
> +	{ ret_record->peer_info = $3;}
>  	| key_pid
> +	| key_peer_pid
>  	| TOK_KEY_PROFILE TOK_EQUALS safe_string
>  	{ ret_record->profile = $3;}
> +	| TOK_KEY_PEER_PROFILE TOK_EQUALS safe_string
> +	{ ret_record->peer_profile = $3;}
>  	| TOK_KEY_FAMILY TOK_EQUALS TOK_QUOTED_STRING
>  	{ ret_record->net_family = $3;}
>  	| TOK_KEY_SOCK_TYPE TOK_EQUALS TOK_QUOTED_STRING
> @@ -252,8 +285,29 @@ key: TOK_KEY_OPERATION TOK_EQUALS TOK_QUOTED_STRING
>  	{ ret_record->fsuid = $3;}
>  	| TOK_KEY_OUID TOK_EQUALS TOK_DIGITS
>  	{ ret_record->ouid = $3;}
> +	| TOK_KEY_SAUID TOK_EQUALS TOK_DIGITS
> +	{ /* Ignore - Source audit ID from user AVC messages */ }
> +	| TOK_KEY_HOSTNAME TOK_EQUALS safe_string
> +	{ free($3); /* Ignore - hostname from user AVC messages */ }
> +	| TOK_KEY_HOSTNAME TOK_EQUALS TOK_QUESTION_MARK
> +	| TOK_KEY_ADDR TOK_EQUALS TOK_QUESTION_MARK
> +	| TOK_KEY_TERMINAL TOK_EQUALS TOK_QUESTION_MARK
> +	| TOK_KEY_ADDR TOK_EQUALS safe_string
> +	{ free($3); /* Ignore - IP address from user AVC messages */ }
> +	| TOK_KEY_TERMINAL TOK_EQUALS safe_string
> +	{ free($3); /* Ignore - TTY from user AVC messages */ }
> +	| TOK_KEY_EXE TOK_EQUALS safe_string
> +	{ /* Free existing arrays because exe= and comm= maps to the same
> +	     aa_log_record member */
> +	  free(ret_record->comm);
> +	  ret_record->comm = $3;
> +	}
>  	| TOK_KEY_COMM TOK_EQUALS safe_string
> -	{ ret_record->comm = $3;}
> +	{ /* Free existing arrays because exe= and comm= maps to the same
> +	     aa_log_record member */
> +	  free(ret_record->comm);
> +	  ret_record->comm = $3;
> +	}
>  	| TOK_KEY_APPARMOR TOK_EQUALS apparmor_event
>  	| TOK_KEY_CAPABILITY TOK_EQUALS TOK_DIGITS
>  	{ /* need to reverse map number to string, need to figure out
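Review bot: Mapping `exe=` onto `comm` makes the result order-dependent — whichever of the two keys appears last in the record wins, and a consumer cannot tell whether it received an executable path or a command name. If a USER_AVC record can carry both (an `exe=` in the envelope and a `comm=` in the inner message), keeping them in separate members, or at least documenting in aalogparse.h that `comm` may hold the `exe=` value, would be clearer. The comment on both alternatives could then say which one wins: `/* exe= and comm= share ->comm; last key in the record wins */`. The `key` rule begins before this hunk.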
> @@ -282,6 +336,14 @@ key: TOK_KEY_OPERATION TOK_EQUALS TOK_QUOTED_STRING
>  	{ ret_record->net_local_port = $3;}
>  	| TOK_KEY_FPORT TOK_EQUALS TOK_DIGITS
>  	{ ret_record->net_foreign_port = $3;}
> +	| TOK_KEY_BUS TOK_EQUALS TOK_QUOTED_STRING
> +	{ ret_record->dbus_bus = $3; }
> +	| TOK_KEY_PATH TOK_EQUALS TOK_QUOTED_STRING
> +	{ ret_record->dbus_path = $3; }
> +	| TOK_KEY_INTERFACE TOK_EQUALS TOK_QUOTED_STRING
> +	{ ret_record->dbus_interface = $3; }
> +	| TOK_KEY_MEMBER TOK_EQUALS TOK_QUOTED_STRING
> +	{ ret_record->dbus_member = $3; }
>  	| TOK_MSG_REST
>  	{
>  		ret_record->event = AA_RECORD_INVALID;
> @@ -301,6 +363,14 @@ apparmor_event:
>  key_pid: TOK_KEY_PID TOK_EQUALS TOK_DIGITS { ret_record->pid = $3; }
>  	;
>  
> +key_peer_pid: TOK_KEY_PEER_PID TOK_EQUALS TOK_DIGITS { ret_record->peer_pid = $3; }
> +	;
> +
> +ignored_pid:  TOK_KEY_PID  TOK_EQUALS TOK_DIGITS { /* DROP */ }
> +ignored_uid:  TOK_KEY_UID  TOK_EQUALS TOK_DIGITS { /* DROP */ }
> +ignored_auid: TOK_KEY_AUID TOK_EQUALS TOK_DIGITS { /* DROP */ }
> +ignored_ses:  TOK_KEY_SES  TOK_EQUALS TOK_DIGITS { /* DROP */ }
> +
>  key_type: TOK_KEY_TYPE TOK_EQUALS TOK_DIGITS { ret_record->event = lookup_aa_event($3); }
>  	;
>  
> diff --git a/libraries/libapparmor/src/libaalogparse.c b/libraries/libapparmor/src/libaalogparse.c
> index 5292830..f0b13bb 100644
> --- a/libraries/libapparmor/src/libaalogparse.c
> +++ b/libraries/libapparmor/src/libaalogparse.c
> @@ -55,6 +55,8 @@ void free_record(aa_log_record *record)
>  			free(record->denied_mask);
>  		if (record->profile != NULL)
>  			free(record->profile);
> +		if (record->peer_profile != NULL)
> +			free(record->peer_profile);
>  		if (record->comm != NULL)
>  			free(record->comm);
>  		if (record->name != NULL)
> @@ -67,6 +69,8 @@ void free_record(aa_log_record *record)
>  			free(record->attribute);
>  		if (record->info != NULL)
>  			free(record->info);
> +		if (record->peer_info != NULL)
> +			free(record->peer_info);
>  		if (record->active_hat != NULL)
>  			free(record->active_hat);
>  		if (record->audit_id != NULL)
> @@ -77,6 +81,14 @@ void free_record(aa_log_record *record)
>  			free(record->net_protocol);
>  		if (record->net_sock_type != NULL)
>  			free(record->net_sock_type);
> +		if (record->dbus_bus != NULL)
> +			free(record->dbus_bus);
> +		if (record->dbus_path != NULL)
> +			free(record->dbus_path);
> +		if (record->dbus_interface != NULL)
> +			free(record->dbus_interface);
> +		if (record->dbus_member != NULL)
> +			free(record->dbus_member);
>  
>  		free(record);
>  	}
> diff --git a/libraries/libapparmor/src/scanner.l b/libraries/libapparmor/src/scanner.l
> index 0a619a2..2f25b04 100644
> --- a/libraries/libapparmor/src/scanner.l
> +++ b/libraries/libapparmor/src/scanner.l
> @@ -86,6 +86,8 @@ close_paren	")"
>  ID		[^ \t\n\(\)="'!]
>  hexstring	({hex}{hex})+
>  period		"\."
> +question_mark	"?"
> +single_quote	"'"
>  mode_chars      ([RrWwaLlMmkXx])|([Pp][Xx])|([Uu][Xx])|([Ii][Xx])|([Pp][Ii][Xx])
>  modes		({mode_chars}+)|({mode_chars}+::{mode_chars}*)|(::{mode_chars}*)
>  /* New message types */
> @@ -103,6 +105,7 @@ hint_type		"\"HINT\""
>  status_type		"\"STATUS\""
>  error_type		"\"ERROR\""
>  lsm_avc_type		"AVC"
> +user_avc_type		"USER_AVC"
>  unknown_type		UNKNOWN\[{digits}+\]
>  other_audit_type	[[:alnum:]\[\]_-]+
>  
> @@ -115,6 +118,7 @@ key_operation		"operation"
>  key_name		"name"
>  key_name2		"name2"
>  key_namespace		"namespace"
> +key_mask		"mask"
>  key_denied_mask		"denied_mask"
>  key_requested_mask	"requested_mask"
>  key_attribute		"attribute"
> @@ -122,14 +126,25 @@ key_task		"task"
>  key_parent		"parent"
>  key_magic_token		"magic_token"
>  key_info		"info"
> +key_peer_info		"peer_info"
>  key_pid			"pid"
> +key_peer_pid		"peer_pid"
>  key_profile		"profile"
> +key_peer_profile	"peer_profile"
>  key_family		"family"
>  key_sock_type		"sock_type"
>  key_protocol		"protocol"
>  key_error		"error"
>  key_fsuid		"fsuid"
>  key_ouid		"ouid"
> +key_uid			"uid"
> +key_auid		"auid"
> +key_sauid		"sauid"
> +key_ses			"ses"
> +key_hostname		"hostname"
> +key_addr		"addr"
> +key_terminal		"terminal"
> +key_exe			"exe"
>  key_comm		"comm"
>  key_capability		"capability"
>  key_capname		"capname"
> @@ -139,6 +154,11 @@ key_laddr		"laddr"
>  key_faddr		"faddr"
>  key_lport		"lport"
>  key_fport		"fport"
> +key_bus			"bus"
> +key_dest		"dest"
> +key_path		"path"
> +key_interface		"interface"
> +key_member		"member"
>  audit			"audit"
>  
>  /* network addrs */
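Review bot: `key_dest` is defined here but no `{key_dest}` rule or `TOK_KEY_DEST` token is added anywhere in the patch, so a `dest=` key in a dbus-daemon record is never recognised; from the grammar it looks as though such a key would fall through to `TOK_MSG_REST` and mark the record `AA_RECORD_INVALID`, though the fallback scanner rule is outside the hunks shown. Either wire it up (a token, a struct member and a `key` alternative, like `bus`/`path`/`interface`/`member`) or drop the definition so it does not look like supported input.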
> @@ -146,6 +166,7 @@ ip_addr			[a-f[:digit:].:]{3,}
>  
>  /* syslog tokens */
>  syslog_kernel		kernel{colon}
> +syslog_user		[[:alnum:]_-]+\[[[:digit:]]+\]{colon}
>  syslog_yyyymmdd		{digit}{4}{minus}{digit}{2}{minus}{digit}{2}
>  syslog_date		{syslog_yyyymmdd}
>  syslog_month 		Jan(uary)?|Feb(ruary)?|Mar(ch)?|Apr(il)?|May|Jun(e)?|Jul(y)?|Aug(ust)?|Sep(tember)?|Oct(ober)?|Nov(ember)?|Dec(ember)?
> @@ -155,6 +176,7 @@ syslog_time 		{hhmmss}({period}{digits})?{timezone}?
>  syslog_hostname		[[:alnum:]_-]+
>  dmesg_timestamp		\[[[:digit:] ]{5,}\.[[:digit:]]{6,}\]
>  
> +%x single_quoted_string
>  %x quoted_string
>  %x sub_id
>  %x audit_id
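Review bot: `%x single_quoted_string` declares a new exclusive start condition, but no rule in this patch ever enters it with `BEGIN(single_quoted_string)` or matches inside it; the `'` delimiters are instead returned as `TOK_SINGLE_QUOTE` from the INITIAL state. If the state is dead, drop it; if it is reserved for a follow-up, a comment would stop the next reader hunting for its rules, e.g. `/* reserved: the msg='...' body is currently lexed in INITIAL */`.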
> @@ -237,6 +259,7 @@ yy_flex_debug = 0;
>  	{aa_status_type}	{ BEGIN(INITIAL); return(TOK_TYPE_AA_STATUS); }
>  	{aa_error_type}	{ BEGIN(INITIAL); return(TOK_TYPE_AA_ERROR); }
>  	{lsm_avc_type}	{ BEGIN(INITIAL); return(TOK_TYPE_LSM_AVC); }
> +	{user_avc_type}	{ BEGIN(INITIAL); return(TOK_TYPE_USER_AVC); }
>  	{unknown_type}	{ char *yptr = yytext;
>  			  while (*yptr && *yptr != '[')
>  			  	yptr++;
> @@ -262,6 +285,8 @@ yy_flex_debug = 0;
>  			}
>  {close_paren}		{ return(TOK_CLOSE_PAREN); }
>  {period}		{ return(TOK_PERIOD); }
> +{question_mark}		{ return(TOK_QUESTION_MARK); }
> +{single_quote}		{ return(TOK_SINGLE_QUOTE); }
>  
>  {key_apparmor}		{ BEGIN(audit_types); return(TOK_KEY_APPARMOR); }
>  {key_type}		{ BEGIN(audit_types); return(TOK_KEY_TYPE); }
> @@ -270,6 +295,7 @@ yy_flex_debug = 0;
>  {key_name}		{ BEGIN(safe_string); return(TOK_KEY_NAME); }
>  {key_name2}		{ BEGIN(safe_string); return(TOK_KEY_NAME2); }
>  {key_namespace}		{ BEGIN(safe_string); return(TOK_KEY_NAMESPACE); }
> +{key_mask}		{ return(TOK_KEY_MASK); }
>  {key_denied_mask}	{ return(TOK_KEY_DENIED_MASK); }
>  {key_requested_mask}	{ return(TOK_KEY_REQUESTED_MASK); }
>  {key_attribute}		{ BEGIN(sub_id); return(TOK_KEY_ATTRIBUTE); }
> @@ -277,14 +303,25 @@ yy_flex_debug = 0;
>  {key_parent}		{ return(TOK_KEY_PARENT); }
>  {key_magic_token}	{ return(TOK_KEY_MAGIC_TOKEN); }
>  {key_info}		{ return(TOK_KEY_INFO); }
> +{key_peer_info}		{ return(TOK_KEY_PEER_INFO); }
>  {key_pid}		{ return(TOK_KEY_PID); }
> +{key_peer_pid}		{ return(TOK_KEY_PEER_PID); }
>  {key_profile}		{ BEGIN(safe_string); return(TOK_KEY_PROFILE); }
> +{key_peer_profile}	{ BEGIN(safe_string); return(TOK_KEY_PEER_PROFILE); }
>  {key_family}		{ return(TOK_KEY_FAMILY); }
>  {key_sock_type}		{ return(TOK_KEY_SOCK_TYPE); }
>  {key_protocol}		{ return(TOK_KEY_PROTOCOL); }
>  {key_error}		{ return(TOK_KEY_ERROR); }
>  {key_fsuid}		{ return(TOK_KEY_FSUID); }
>  {key_ouid}		{ return(TOK_KEY_OUID); }
> +{key_uid}		{ return(TOK_KEY_UID); }
> +{key_auid}		{ return(TOK_KEY_AUID); }
> +{key_sauid}		{ return(TOK_KEY_SAUID); }
> +{key_ses}		{ return(TOK_KEY_SES); }
> +{key_hostname}		{ return(TOK_KEY_HOSTNAME); }
> +{key_addr}		{ return(TOK_KEY_ADDR); }
> +{key_terminal}		{ return(TOK_KEY_TERMINAL); }
> +{key_exe}		{ BEGIN(safe_string); return(TOK_KEY_EXE); }
>  {key_comm}		{ BEGIN(safe_string); return(TOK_KEY_COMM); }
>  {key_capability}	{ return(TOK_KEY_CAPABILITY); }
>  {key_capname}		{ return(TOK_KEY_CAPNAME); }
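Review bot: `{key_hostname}`, `{key_addr}` and `{key_terminal}` return their tokens without changing start condition, whereas `{key_exe}`, `{key_comm}` and `{key_profile}` do `BEGIN(safe_string)` first — yet grammar.y pairs all of them with a `safe_string` value. If `safe_string` tokens are only produced inside that start condition, the `hostname=`/`addr=`/`terminal=` alternatives are unreachable for real values and only the `?` form works; confirm with a record carrying an actual hostname. Making the three rules mirror `{key_exe}`, e.g. `{key_hostname}		{ BEGIN(safe_string); return(TOK_KEY_HOSTNAME); }`, is the cheap fix if so.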
> @@ -294,8 +331,13 @@ yy_flex_debug = 0;
>  {key_faddr}		{ yy_push_state(ip_addr, yyscanner); return(TOK_KEY_FADDR); }
>  {key_lport}		{ return(TOK_KEY_LPORT); }
>  {key_fport}		{ return(TOK_KEY_FPORT); }
> +{key_bus}		{ return(TOK_KEY_BUS); }
> +{key_path}		{ return(TOK_KEY_PATH); }
> +{key_interface}		{ return(TOK_KEY_INTERFACE); }
> +{key_member}		{ return(TOK_KEY_MEMBER); }
>  
>  {syslog_kernel}		{ BEGIN(dmesg_timestamp); return(TOK_SYSLOG_KERNEL); }
> +{syslog_user}		{ return(TOK_SYSLOG_USER); }
>  {syslog_month}		{ yylval->t_str = strdup(yytext); return(TOK_DATE_MONTH); }
>  {syslog_date}		{ yylval->t_str = strdup(yytext); return(TOK_DATE); }
>  {syslog_date}T/{syslog_time}	{ yylval->t_str = strndup(yytext, strlen(yytext)-1); return(TOK_DATE); }
> -- 
> 1.8.3.2
> 
> 