[apparmor] [patch 1/3] libaalogparse: fix for new kernel dmesg format
Seth Arnold
seth.arnold at canonical.com
Thu Sep 4 00:23:53 UTC 2014
On Wed, Sep 03, 2014 at 12:40:21AM -0700, Steve Beattie wrote:
> The upstream kernel at some point between the 3.13 and 3.16 kernel
> adjusted the output of audit messages to include an additional "audit:"
> keyword. e.g. a 3.13 message would look like:
>
> kernel: [182243.243324] type=1400 audit(1409684003.960:273342): [SNIP]
>
> whereas in 3.16, it looks like:
>
> kernel: [182243.243324] audit: type=1400 audit(1409684003.960:273342): [SNIP]
>                         ^^^^^^
> This patch adjusts the libapparmor aalogparse grammar and lexer to
> compensate for this change.
>
> Signed-off-by: Steve Beattie <steve at nxnw.org>
Acked-by: Seth Arnold <seth.arnold at canonical.com>
Thanks
> ---
> libraries/libapparmor/src/grammar.y | 2 +
> libraries/libapparmor/src/scanner.l | 1
> libraries/libapparmor/testsuite/test_multi/syslog_audit_01.in | 1
> libraries/libapparmor/testsuite/test_multi/syslog_audit_01.out | 15 ++++++++++
> 4 files changed, 19 insertions(+)
>
> Index: b/libraries/libapparmor/src/grammar.y
> ===================================================================
> --- a/libraries/libapparmor/src/grammar.y
> +++ b/libraries/libapparmor/src/grammar.y
> @@ -203,6 +203,8 @@ syslog_type:
> { ret_record->version = AA_RECORD_SYNTAX_V2; free($2); free($4); }
> | syslog_date TOK_ID TOK_SYSLOG_KERNEL TOK_DMESG_STAMP key_type audit_id key_list
> { ret_record->version = AA_RECORD_SYNTAX_V2; free($2); free($4); }
> + | syslog_date TOK_ID TOK_SYSLOG_KERNEL TOK_DMESG_STAMP TOK_AUDIT TOK_COLON key_type audit_id key_list
> + { ret_record->version = AA_RECORD_SYNTAX_V2; free($2); free($4); }
> | syslog_date TOK_ID TOK_SYSLOG_USER key_list
> { ret_record->version = AA_RECORD_SYNTAX_V2; free($2); }
> ;
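Review bot: the "audit:" prefix is accepted only in the new TOK_SYSLOG_KERNEL TOK_DMESG_STAMP alternative, and its action is a third verbatim copy of `{ ret_record->version = AA_RECORD_SYNTAX_V2; free($2); free($4); }`. The alternative whose action appears as the first context line of this hunk gets no matching "audit:" form, so if it also describes kernel messages it will still reject the 3.16 output. Consider an optional nonterminal for `TOK_AUDIT TOK_COLON` placed in front of `key_type` in each kernel alternative, which would cover every variant and avoid duplicating the action.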
> Index: b/libraries/libapparmor/testsuite/test_multi/syslog_audit_01.in
> ===================================================================
> --- /dev/null
> +++ b/libraries/libapparmor/testsuite/test_multi/syslog_audit_01.in
> @@ -0,0 +1 @@
> +Sep 2 11:53:23 utopic-amd64 kernel: [182243.243324] audit: type=1400 audit(1409684003.960:273342): apparmor="DENIED" operation="mkdir" profile="/home/ubuntu/bzr/apparmor/tests/regression/apparmor/mkdir" name="/tmp/sdtest.7283-14445-r31VAP/tmpdir/" pid=7314 comm="mkdir" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
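Review bot: this single input covers only the syslog form with a hostname and a dmesg stamp in front of "audit:". A second test_multi case for the new prefix in another syslog layout the grammar accepts, or a note in the commit message that only this layout is expected from 3.16 kernels, would make clear whether the other layouts were considered.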
> Index: b/libraries/libapparmor/src/scanner.l
> ===================================================================
> --- a/libraries/libapparmor/src/scanner.l
> +++ b/libraries/libapparmor/src/scanner.l
> @@ -198,6 +198,7 @@ yy_flex_debug = 0;
>
> <audit_id>{
> {digits} { yylval->t_str = strdup(yytext); return(TOK_AUDIT_DIGITS);}
> + {colon}{ws} { yy_pop_state(yyscanner); return(TOK_COLON); }
> {colon} { return(TOK_COLON); }
> {period} { return(TOK_PERIOD); }
> {open_paren} { return(TOK_OPEN_PAREN); }
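Review bot: the added `{colon}{ws}` rule pops the start state on any colon followed by whitespace while in `<audit_id>`, and the colon that closes the id in `audit(1409684003.960:273342): apparmor=...` is also followed by whitespace. Please confirm that this trailing colon is never scanned in `<audit_id>` (for example because the state is already left at the closing parenthesis), otherwise the rule would pop one state too many on messages in both the old and the new format. A short comment above the rule saying that colon plus whitespace marks the bare "audit: " prefix, and that flex prefers it over `{colon}` by longest match, would make the intent clear.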
> Index: b/libraries/libapparmor/testsuite/test_multi/syslog_audit_01.out
> ===================================================================
> --- /dev/null
> +++ b/libraries/libapparmor/testsuite/test_multi/syslog_audit_01.out
> @@ -0,0 +1,15 @@
> +START
> +File: syslog_audit_01.in
> +Event type: AA_RECORD_DENIED
> +Audit ID: 1409684003.960:273342
> +Operation: mkdir
> +Mask: c
> +Denied Mask: c
> +fsuid: 0
> +ouid: 0
> +Profile: /home/ubuntu/bzr/apparmor/tests/regression/apparmor/mkdir
> +Name: /tmp/sdtest.7283-14445-r31VAP/tmpdir/
> +Command: mkdir
> +PID: 7314
> +Epoch: 1409684003
> +Audit subid: 273342
>
>