[apparmor] [patch 1/3] libaalogparse: fix for new kernel dmesg format
Steve Beattie
steve at nxnw.org
Wed Sep 3 07:40:21 UTC 2014
The upstream kernel at some point between the 3.13 and 3.16 kernel
adjusted the output of audit messages to include an additional "audit:"
keyword. e.g. a 3.13 message would look like:
kernel: [182243.243324] type=1400 audit(1409684003.960:273342): [SNIP]
whereas in 3.16, it looks like:
kernel: [182243.243324] audit: type=1400 audit(1409684003.960:273342): [SNIP]
^^^^^^
This patch adjusts the libapparmor aalogparse grammar and lexer to
compensate for this change.
Signed-off-by: Steve Beattie <steve at nxnw.org>
---
libraries/libapparmor/src/grammar.y | 2 +
libraries/libapparmor/src/scanner.l | 1
libraries/libapparmor/testsuite/test_multi/syslog_audit_01.in | 1
libraries/libapparmor/testsuite/test_multi/syslog_audit_01.out | 15 ++++++++++
4 files changed, 19 insertions(+)
Index: b/libraries/libapparmor/src/grammar.y
===================================================================
--- a/libraries/libapparmor/src/grammar.y
+++ b/libraries/libapparmor/src/grammar.y
@@ -203,6 +203,8 @@ syslog_type:
{ ret_record->version = AA_RECORD_SYNTAX_V2; free($2); free($4); }
| syslog_date TOK_ID TOK_SYSLOG_KERNEL TOK_DMESG_STAMP key_type audit_id key_list
{ ret_record->version = AA_RECORD_SYNTAX_V2; free($2); free($4); }
+ | syslog_date TOK_ID TOK_SYSLOG_KERNEL TOK_DMESG_STAMP TOK_AUDIT TOK_COLON key_type audit_id key_list
+ { ret_record->version = AA_RECORD_SYNTAX_V2; free($2); free($4); }
| syslog_date TOK_ID TOK_SYSLOG_USER key_list
{ ret_record->version = AA_RECORD_SYNTAX_V2; free($2); }
;
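Review bot: the new alternative duplicates the preceding `syslog_date TOK_ID TOK_SYSLOG_KERNEL TOK_DMESG_STAMP key_type audit_id key_list` rule and its `{ ret_record->version = AA_RECORD_SYNTAX_V2; free($2); free($4); }` action verbatim, with only `TOK_AUDIT TOK_COLON` inserted before `key_type`. An optional nonterminal (something like `audit_keyword: /* empty */ | TOK_AUDIT TOK_COLON ;`, name only a suggestion) used in the existing rule would avoid the copy and keep the `$2`/`$4` positions that the action frees in one place. A one-line comment in grammar.y noting that the `audit:` prefix appeared between kernel 3.13 and 3.16 would also help whoever reads the rule later.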
Index: b/libraries/libapparmor/testsuite/test_multi/syslog_audit_01.in
===================================================================
--- /dev/null
+++ b/libraries/libapparmor/testsuite/test_multi/syslog_audit_01.in
@@ -0,0 +1 @@
+Sep 2 11:53:23 utopic-amd64 kernel: [182243.243324] audit: type=1400 audit(1409684003.960:273342): apparmor="DENIED" operation="mkdir" profile="/home/ubuntu/bzr/apparmor/tests/regression/apparmor/mkdir" name="/tmp/sdtest.7283-14445-r31VAP/tmpdir/" pid=7314 comm="mkdir" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
Index: b/libraries/libapparmor/src/scanner.l
===================================================================
--- a/libraries/libapparmor/src/scanner.l
+++ b/libraries/libapparmor/src/scanner.l
@@ -198,6 +198,7 @@ yy_flex_debug = 0;
<audit_id>{
{digits} { yylval->t_str = strdup(yytext); return(TOK_AUDIT_DIGITS);}
+ {colon}{ws} { yy_pop_state(yyscanner); return(TOK_COLON); }
{colon} { return(TOK_COLON); }
{period} { return(TOK_PERIOD); }
{open_paren} { return(TOK_OPEN_PAREN); }
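Review bot: `{colon}{ws}` is a longer match than `{colon}`, so flex will prefer it anywhere in `<audit_id>` where a colon is followed by whitespace, which includes the `): ` that ends the `audit(...)` id in both the old and new formats, not only the bare `audit: ` keyword this patch targets. The close-paren rule that would normally leave `<audit_id>` is not in this hunk, so please confirm that popping the state at that colon is either what already happened or is harmless (no double pop), and run the existing test_multi fixtures that lack the `audit:` prefix to check the 3.13 layout still parses. A comment on the new rule saying why whitespace after the colon ends the state would make the intent clear to the next reader of scanner.l.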
Index: b/libraries/libapparmor/testsuite/test_multi/syslog_audit_01.out
===================================================================
--- /dev/null
+++ b/libraries/libapparmor/testsuite/test_multi/syslog_audit_01.out
@@ -0,0 +1,15 @@
+START
+File: syslog_audit_01.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1409684003.960:273342
+Operation: mkdir
+Mask: c
+Denied Mask: c
+fsuid: 0
+ouid: 0
+Profile: /home/ubuntu/bzr/apparmor/tests/regression/apparmor/mkdir
+Name: /tmp/sdtest.7283-14445-r31VAP/tmpdir/
+Command: mkdir
+PID: 7314
+Epoch: 1409684003
+Audit subid: 273342
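The format change described in the message, as an added example that is not part of the patch or of libapparmor: a small Python parser that accepts a kernel-sourced syslog line in either the 3.13 layout or the 3.16 layout (with the extra `audit:` keyword), recovers the audit id, epoch and subid, and splits the trailing key=value list. The two sample lines are constructed for the example; the only real-format detail assumed is that the keyword, when present, sits between the dmesg timestamp and `type=`.

```python
import re

# Constructed sample lines (not taken from the patch): the same event in the
# pre-3.16 layout and in the 3.16 layout that carries the "audit:" keyword.
OLD_FORMAT = (
    'Sep  2 11:53:23 host kernel: [182243.243324] type=1400 '
    'audit(1409684003.960:273342): apparmor="DENIED" operation="mkdir" '
    'profile="/usr/bin/mkdir" name="/tmp/x/" pid=7314 comm="mkdir" '
    'requested_mask="c" denied_mask="c" fsuid=0 ouid=0'
)
NEW_FORMAT = (
    'Sep  2 11:53:23 host kernel: [182243.243324] audit: type=1400 '
    'audit(1409684003.960:273342): apparmor="DENIED" operation="mkdir" '
    'profile="/usr/bin/mkdir" name="/tmp/x/" pid=7314 comm="mkdir" '
    'requested_mask="c" denied_mask="c" fsuid=0 ouid=0'
)

# Fixed prefix of a kernel-sourced syslog line.  The "audit: " group is
# optional so one expression covers both layouts.
PREFIX_RE = re.compile(
    r'^(?P<date>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: '
    r'\[ *(?P<dmesg>\d+\.\d+)\] '
    r'(?P<kw>audit: )?'
    r'type=(?P<type>\d+) audit\((?P<epoch>\d+)\.(?P<ms>\d+):(?P<subid>\d+)\): '
    r'(?P<rest>.*)$'
)

# key=value pairs; values are either a double-quoted string (with backslash
# escapes allowed inside) or a bare token.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_record(line):
    """Parse one kernel audit line into a dict, or raise ValueError."""
    m = PREFIX_RE.match(line)
    if m is None:
        raise ValueError("not a kernel audit line: %r" % line)
    fields = {}
    for key, raw in KV_RE.findall(m.group('rest')):
        # strip the surrounding quotes from quoted values, keep bare ones as-is
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return {
        'audit_id': '%s.%s:%s' % (m.group('epoch'), m.group('ms'), m.group('subid')),
        'epoch': int(m.group('epoch')),
        'subid': int(m.group('subid')),
        'type': int(m.group('type')),
        'has_audit_keyword': m.group('kw') is not None,
        'fields': fields,
    }


def same_event(a, b):
    """True when two parsed records describe the same event, ignoring the
    purely cosmetic presence of the "audit:" keyword."""
    keys = ('audit_id', 'epoch', 'subid', 'type', 'fields')
    return all(a[k] == b[k] for k in keys)


if __name__ == '__main__':
    for line in (OLD_FORMAT, NEW_FORMAT):
        rec = parse_record(line)
        print('Audit ID: %s  keyword=%s  op=%s  name=%s' % (
            rec['audit_id'], rec['has_audit_keyword'],
            rec['fields']['operation'], rec['fields']['name']))
```

The optional group is the regex equivalent of the grammar change in the patch: the keyword is consumed and discarded, and both layouts yield an identical record, which is what the new test fixture above checks for libapparmor.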