[apparmor] [patch 1/3] libaalogparse: fix for new kernel dmesg format
Seth Arnold
seth.arnold at canonical.com
Sat Dec 13 00:53:14 UTC 2014
On Wed, Sep 03, 2014 at 05:23:53PM -0700, Seth Arnold wrote:
> On Wed, Sep 03, 2014 at 12:40:21AM -0700, Steve Beattie wrote:
> > The upstream kernel at some point between the 3.13 and 3.16 kernel
> > adjusted the output of audit messages to include an additional "audit:"
> > keyword. e.g. a 3.13 message would look like:
> >
> > kernel: [182243.243324] type=1400 audit(1409684003.960:273342): [SNIP]
> >
> > whereas in 3.16, it looks like:
> >
> > kernel: [182243.243324] audit: type=1400 audit(1409684003.960:273342): [SNIP]
> >                         ^^^^^^
> >
> > This patch adjusts the libapparmor aalogparse grammar and lexer to
> > compensate for this change.
> >
> > Signed-off-by: Steve Beattie <steve at nxnw.org>
>
> Acked-by: Seth Arnold <seth.arnold at canonical.com>

This seems like a good fix for 2.8.x as well, also acked for 2.8.

Thanks

> Thanks
>
> > ---
> > libraries/libapparmor/src/grammar.y | 2 +
> > libraries/libapparmor/src/scanner.l | 1
> > libraries/libapparmor/testsuite/test_multi/syslog_audit_01.in | 1
> > libraries/libapparmor/testsuite/test_multi/syslog_audit_01.out | 15 ++++++++++
> > 4 files changed, 19 insertions(+)
> >
> > Index: b/libraries/libapparmor/src/grammar.y
> > ===================================================================
> > --- a/libraries/libapparmor/src/grammar.y
> > +++ b/libraries/libapparmor/src/grammar.y
> > @@ -203,6 +203,8 @@ syslog_type:
> > { ret_record->version = AA_RECORD_SYNTAX_V2; free($2); free($4); }
> > | syslog_date TOK_ID TOK_SYSLOG_KERNEL TOK_DMESG_STAMP key_type audit_id key_list
> > { ret_record->version = AA_RECORD_SYNTAX_V2; free($2); free($4); }
> > + | syslog_date TOK_ID TOK_SYSLOG_KERNEL TOK_DMESG_STAMP TOK_AUDIT TOK_COLON key_type audit_id key_list
> > + { ret_record->version = AA_RECORD_SYNTAX_V2; free($2); free($4); }
> > | syslog_date TOK_ID TOK_SYSLOG_USER key_list
> > { ret_record->version = AA_RECORD_SYNTAX_V2; free($2); }
> > ;
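Review bot: the action on the added `syslog_type` alternative frees only `$2` and `$4`, which is complete only if `TOK_AUDIT` (`$5`) carries no allocated value. The scanner hunk shows `TOK_COLON` returned without setting `yylval`, but the rule that returns `TOK_AUDIT` is not visible here, so please confirm it is not returned with a `strdup`'d `t_str` the way `TOK_AUDIT_DIGITS` is. The alternative is otherwise a copy of the one above it, so an optional `TOK_AUDIT TOK_COLON` prefix nonterminal would leave a single action to maintain.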
> > Index: b/libraries/libapparmor/testsuite/test_multi/syslog_audit_01.in
> > ===================================================================
> > --- /dev/null
> > +++ b/libraries/libapparmor/testsuite/test_multi/syslog_audit_01.in
> > @@ -0,0 +1 @@
> > +Sep 2 11:53:23 utopic-amd64 kernel: [182243.243324] audit: type=1400 audit(1409684003.960:273342): apparmor="DENIED" operation="mkdir" profile="/home/ubuntu/bzr/apparmor/tests/regression/apparmor/mkdir" name="/tmp/sdtest.7283-14445-r31VAP/tmpdir/" pid=7314 comm="mkdir" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
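Review bot: this fixture exercises only a line that carries the `[182243.243324]` stamp, and the new grammar alternative likewise requires `TOK_DMESG_STAMP`. If 3.16 kernel lines can reach syslog without the stamp, add a second fixture of the form `kernel: audit: type=1400 ...` so that case is either parsed or known to be unsupported.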
> > Index: b/libraries/libapparmor/src/scanner.l
> > ===================================================================
> > --- a/libraries/libapparmor/src/scanner.l
> > +++ b/libraries/libapparmor/src/scanner.l
> > @@ -198,6 +198,7 @@ yy_flex_debug = 0;
> >
> > <audit_id>{
> > {digits} { yylval->t_str = strdup(yytext); return(TOK_AUDIT_DIGITS);}
> > + {colon}{ws} { yy_pop_state(yyscanner); return(TOK_COLON); }
> > {colon} { return(TOK_COLON); }
> > {period} { return(TOK_PERIOD); }
> > {open_paren} { return(TOK_OPEN_PAREN); }
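Review bot: the added `{colon}{ws}` rule sits in the shared `<audit_id>` start condition, so it pops the state on every colon followed by whitespace seen there, not only on the new `audit: ` prefix; the fixture line also has `): ` after the audit id. Please check that no path through `audit(...):` ends up popping twice or leaving the state early, and add a short comment saying the rule exists for the `audit:` prefix and depends on flex preferring the longer match over the `{colon}` rule below it.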
> > Index: b/libraries/libapparmor/testsuite/test_multi/syslog_audit_01.out
> > ===================================================================
> > --- /dev/null
> > +++ b/libraries/libapparmor/testsuite/test_multi/syslog_audit_01.out
> > @@ -0,0 +1,15 @@
> > +START
> > +File: syslog_audit_01.in
> > +Event type: AA_RECORD_DENIED
> > +Audit ID: 1409684003.960:273342
> > +Operation: mkdir
> > +Mask: c
> > +Denied Mask: c
> > +fsuid: 0
> > +ouid: 0
> > +Profile: /home/ubuntu/bzr/apparmor/tests/regression/apparmor/mkdir
> > +Name: /tmp/sdtest.7283-14445-r31VAP/tmpdir/
> > +Command: mkdir
> > +PID: 7314
> > +Epoch: 1409684003
> > +Audit subid: 273342
> >
> >
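
As an added example (not part of the patch or of libapparmor), a tolerant matcher in Python for the two kernel formats quoted in the commit message, useful when other log tooling has to survive the same change. The function and constant names are hypothetical; the 3.16 line is the fixture from the patch, and the 3.13 line is constructed from it by dropping the prefix.

```python
import re

# The 3.16 line is the fixture from the patch; the 3.13 form is constructed
# from it by dropping the "audit: " prefix.
LINE_3_16 = (
    'Sep 2 11:53:23 utopic-amd64 kernel: [182243.243324] audit: type=1400 '
    'audit(1409684003.960:273342): apparmor="DENIED" operation="mkdir" '
    'profile="/home/ubuntu/bzr/apparmor/tests/regression/apparmor/mkdir" '
    'name="/tmp/sdtest.7283-14445-r31VAP/tmpdir/" pid=7314 comm="mkdir" '
    'requested_mask="c" denied_mask="c" fsuid=0 ouid=0'
)
LINE_3_13 = LINE_3_16.replace("audit: type=", "type=", 1)

AUDIT_RE = re.compile(
    r"kernel:\s+"
    r"(?:\[\s*(?P<stamp>\d+\.\d+)\]\s+)?"   # optional dmesg timestamp
    r"(?:audit:\s+)?"                        # keyword added by newer kernels
    r"type=(?P<type>\d+)\s+"
    r"audit\((?P<epoch>\d+)\.(?P<ms>\d+):(?P<subid>\d+)\):\s*"
    r"(?P<fields>.*)$"
)
# key="quoted" or key=bare; assumes values contain no escaped quotes
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_audit_line(line):
    """Return a dict for a kernel audit line in either format, else None."""
    m = AUDIT_RE.search(line)
    if m is None:
        return None
    return {
        "type": int(m["type"]),
        "audit_id": f'{m["epoch"]}.{m["ms"]}:{m["subid"]}',
        "epoch": int(m["epoch"]),
        "subid": int(m["subid"]),
        "fields": {k: (q if q else b) for k, q, b in FIELD_RE.findall(m["fields"])},
    }

if __name__ == "__main__":
    for line in (LINE_3_16, LINE_3_13):
        print(parse_audit_line(line))
```

Both sample lines yield the same record, which is the property the patch's new fixture checks for the library parser.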