[apparmor] [Patch] Fix date time log parsing for 2.8.1

Seth Arnold seth.arnold at canonical.com
Tue Jan 8 18:56:33 UTC 2013

On Tue, Jan 08, 2013 at 04:18:31AM -0800, John Johansen wrote:
> The following patch extends the libraries log parsing to support more date
> time formats.

I haven't tested the code but it reads very clearly. One slight concern

>  /* syslog tokens */
>  syslog_kernel		kernel{colon}
> +syslog_yyyymmdd		{digit}{4}{minus}{digit}{2}{minus}{digit}{2}
> +syslog_date		{syslog_yyyymmdd}
>  syslog_month 		Jan(uary)?|Feb(ruary)?|Mar(ch)?|Apr(il)?|May|Jun(e)?|Jul(y)?|Aug(ust)?|Sep(tember)?|Oct(ober)?|Nov(ember)?|Dec(ember)?
> -syslog_time 		{digits}{digits}{colon}{digits}{digits}{colon}{digits}{digits}
> +hhmmss			{digit}{2}{colon}{digit}{2}{colon}{digit}{2}
> +timezone		({plus}|{minus}){digit}{2}{colon}{digit}{2}
> +syslog_time 		{hhmmss}({period}{digits})?{timezone}?
>  syslog_hostname		[[:alnum:]_-]+
>  dmesg_timestamp		\[[[:digit:] ]{5,}\.[[:digit:]]{6,}\]

>  {syslog_kernel}		{ BEGIN(dmesg_timestamp); return(TOK_SYSLOG_KERNEL); }
>  {syslog_month}		{ yylval->t_str = strdup(yytext); return(TOK_DATE_MONTH); }
> -{syslog_time}		{ yylval->t_str = strdup(yytext); BEGIN(hostname); return(TOK_DATE_TIME); }
> +{syslog_date}		{ yylval->t_str = strdup(yytext); return(TOK_DATE); }
> +{syslog_date}T/{syslog_time}	{ yylval->t_str = strndup(yytext, strlen(yytext)-1); return(TOK_DATE); }

This introduces a trailing context with variable length; I couldn't
verify from the flex docs if the performance problem with variable
trailing context comes from not knowing the length of the leading and
trailing portions or just not knowing the length of the trailing

It's probably not a large concern, since parsing these correctly is more
important than parsing them at high speed :) but if it does turn into a
slow point, keep in mind that we can always re-write these rules to
remove the variable length.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 490 bytes
Desc: Digital signature
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20130108/c6c87cde/attachment.pgp>

More information about the AppArmor mailing list