[apparmor] [patch 2/3] libaalogparse: add signal and peer keyword support
Seth Arnold
seth.arnold at canonical.com
Thu Sep 4 00:49:56 UTC 2014
On Wed, Sep 03, 2014 at 12:40:22AM -0700, Steve Beattie wrote:
> When signals and ptrace mediation were added to apparmor, the aalogparse
> routines were not adjusted to compensate. This patch adds support for
> the signal and peer keywords.
>
> A couple of notes/questions:
>
> 1) The signal value is not a quoted string, is this intentional?
>
> 2) signal and ptrace rejections use the 'peer' keyword to report the
> peer profile/label, yet dbus rejections use 'peer_profile'. Should
> these be the same? Even if they are kept different in the logging,
> should they map to the same field in the structure generated by
> aalogparse?
>
> Signed-off-by: Steve Beattie <steve at nxnw.org>
Acked-by: Seth Arnold <seth.arnold at canonical.com>
Thanks
> ---
> libraries/libapparmor/include/aalogparse.h | 2 +
> libraries/libapparmor/src/grammar.y | 6 ++++
> libraries/libapparmor/src/libaalogparse.c | 4 ++
> libraries/libapparmor/src/scanner.l | 4 ++
> libraries/libapparmor/testsuite/test_multi.c | 3 ++
> libraries/libapparmor/testsuite/test_multi/testcase_ptrace_01.in | 1
> libraries/libapparmor/testsuite/test_multi/testcase_ptrace_01.out | 13 +++++++++
> libraries/libapparmor/testsuite/test_multi/testcase_signal_01.in | 1
> libraries/libapparmor/testsuite/test_multi/testcase_signal_01.out | 14 ++++++++++
> libraries/libapparmor/testsuite/test_multi/testcase_signal_02.in | 1
> libraries/libapparmor/testsuite/test_multi/testcase_signal_02.out | 14 ++++++++++
> 11 files changed, 63 insertions(+)
>
> Index: b/libraries/libapparmor/src/grammar.y
> ===================================================================
> --- a/libraries/libapparmor/src/grammar.y
> +++ b/libraries/libapparmor/src/grammar.y
> @@ -128,6 +128,7 @@ aa_record_event_type lookup_aa_event(uns
> %token TOK_KEY_PEER_PID
> %token TOK_KEY_PROFILE
> %token TOK_KEY_PEER_PROFILE
> +%token TOK_KEY_PEER
> %token TOK_AUDIT
> %token TOK_KEY_FAMILY
> %token TOK_KEY_SOCK_TYPE
> @@ -157,6 +158,7 @@ aa_record_event_type lookup_aa_event(uns
> %token TOK_KEY_PATH
> %token TOK_KEY_INTERFACE
> %token TOK_KEY_MEMBER
> +%token TOK_KEY_SIGNAL
>
> %token TOK_SYSLOG_KERNEL
> %token TOK_SYSLOG_USER
> @@ -267,6 +269,8 @@ key: TOK_KEY_OPERATION TOK_EQUALS TOK_QU
> { ret_record->info = $3;}
> | TOK_KEY_PEER_INFO TOK_EQUALS TOK_QUOTED_STRING
> { ret_record->peer_info = $3;}
> + | TOK_KEY_PEER TOK_EQUALS TOK_QUOTED_STRING
> + { ret_record->peer = $3;}
> | key_pid
> | key_peer_pid
> | TOK_KEY_PROFILE TOK_EQUALS safe_string
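Review bot: The new `TOK_KEY_PEER` rule accepts only `TOK_QUOTED_STRING`, while the scanner hunk in scanner.l switches to the `safe_string` start condition on `peer` — the same state the `profile` key goes through — and the `profile` rule two lines below consumes the `safe_string` nonterminal rather than a bare quoted string. If that start condition can also yield the unquoted form the profile rule tolerates, a peer label containing such characters would make the whole line fail to parse and the denial would be silently lost to log consumers. Matching the profile rule, `| TOK_KEY_PEER TOK_EQUALS safe_string`, keeps the two keys consistent; I am inferring the start condition's behaviour from the profile rule, since the `safe_string` definition is outside this hunk. The enclosing `key` rule continues outside the hunk.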
> @@ -348,6 +352,8 @@ key: TOK_KEY_OPERATION TOK_EQUALS TOK_QU
> { ret_record->dbus_interface = $3; }
> | TOK_KEY_MEMBER TOK_EQUALS TOK_QUOTED_STRING
> { ret_record->dbus_member = $3; }
> + | TOK_KEY_SIGNAL TOK_EQUALS TOK_ID
> + { ret_record->signal = $3; }
> | TOK_MSG_REST
> {
> ret_record->event = AA_RECORD_INVALID;
> Index: b/libraries/libapparmor/src/scanner.l
> ===================================================================
> --- a/libraries/libapparmor/src/scanner.l
> +++ b/libraries/libapparmor/src/scanner.l
> @@ -159,6 +159,8 @@ key_dest "dest"
> key_path "path"
> key_interface "interface"
> key_member "member"
> +key_signal "signal"
> +key_peer "peer"
> audit "audit"
>
> /* network addrs */
> @@ -336,6 +338,8 @@ yy_flex_debug = 0;
> {key_path} { return(TOK_KEY_PATH); }
> {key_interface} { return(TOK_KEY_INTERFACE); }
> {key_member} { return(TOK_KEY_MEMBER); }
> +{key_signal} { BEGIN(sub_id); return(TOK_KEY_SIGNAL); }
> +{key_peer} { BEGIN(safe_string); return(TOK_KEY_PEER); }
>
> {syslog_kernel} { BEGIN(dmesg_timestamp); return(TOK_SYSLOG_KERNEL); }
> {syslog_user} { return(TOK_SYSLOG_USER); }
> Index: b/libraries/libapparmor/testsuite/test_multi/testcase_signal_01.in
> ===================================================================
> --- /dev/null
> +++ b/libraries/libapparmor/testsuite/test_multi/testcase_signal_01.in
> @@ -0,0 +1 @@
> +type=AVC msg=audit(1409438250.564:201): apparmor="DENIED" operation="signal" profile="/usr/bin/pulseaudio" pid=2531 comm="pulseaudio" requested_mask="send" denied_mask="send" signal=term peer="/usr/bin/pulseaudio///usr/lib/pulseaudio/pulse/gconf-helper"
> Index: b/libraries/libapparmor/include/aalogparse.h
> ===================================================================
> --- a/libraries/libapparmor/include/aalogparse.h
> +++ b/libraries/libapparmor/include/aalogparse.h
> @@ -152,6 +152,8 @@ typedef struct
> char *dbus_path;
> char *dbus_interface;
> char *dbus_member;
> + char *signal; /* signal name */
> + char *peer;
> } aa_log_record;
>
> /**
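Review bot: The new `peer` member is the only one of the two additions without a comment, and as a member of an installed public struct its meaning belongs next to the declaration where `signal` already has one; `char *peer; /* peer profile/label, reported by signal and ptrace events */` would do. Appending the members at the end keeps the offsets of existing members stable, but any consumer that sizes `aa_log_record` itself will see a different size, which is worth a line in the library's ABI/version notes if that is a supported use. The struct definition starts outside the hunk.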
> Index: b/libraries/libapparmor/src/libaalogparse.c
> ===================================================================
> --- a/libraries/libapparmor/src/libaalogparse.c
> +++ b/libraries/libapparmor/src/libaalogparse.c
> @@ -71,6 +71,8 @@ void free_record(aa_log_record *record)
> free(record->info);
> if (record->peer_info != NULL)
> free(record->peer_info);
> + if (record->peer != NULL)
> + free(record->peer);
> if (record->active_hat != NULL)
> free(record->active_hat);
> if (record->audit_id != NULL)
> @@ -93,6 +95,8 @@ void free_record(aa_log_record *record)
> free(record->dbus_interface);
> if (record->dbus_member != NULL)
> free(record->dbus_member);
> + if (record->signal != NULL)
> + free(record->signal );
>
> free(record);
> }
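Review bot: `free(record->signal );` carries a stray space before the closing parenthesis; `free(record->signal);` matches the neighbouring calls. The `!= NULL` guard in front of each `free` is redundant because `free(NULL)` is a no-op, but it mirrors the existing pattern throughout `free_record`, so keeping it for consistency is reasonable. The `peer` release added in the earlier hunk of this file follows the same pattern and needs no change.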
> Index: b/libraries/libapparmor/testsuite/test_multi.c
> ===================================================================
> --- a/libraries/libapparmor/testsuite/test_multi.c
> +++ b/libraries/libapparmor/testsuite/test_multi.c
> @@ -98,6 +98,7 @@ int print_results(aa_log_record *record)
>
> print_string("Profile", record->profile);
> print_string("Peer profile", record->peer_profile);
> + print_string("Peer", record->peer);
> print_string("Name", record->name);
> print_string("Command", record->comm);
> print_string("Name2", record->name2);
> @@ -126,6 +127,8 @@ int print_results(aa_log_record *record)
> print_string("DBus interface", record->dbus_interface);
> print_string("DBus member", record->dbus_member);
>
> + print_string("Signal", record->signal);
> +
> print_long("Epoch", record->epoch, 0);
> print_long("Audit subid", (long) record->audit_sub_id, 0);
> return(0);
> Index: b/libraries/libapparmor/testsuite/test_multi/testcase_signal_02.in
> ===================================================================
> --- /dev/null
> +++ b/libraries/libapparmor/testsuite/test_multi/testcase_signal_02.in
> @@ -0,0 +1 @@
> +type=AVC msg=audit(1409438250.564:201): apparmor="DENIED" operation="signal" profile="/usr/bin/pulseaudio///usr/lib/pulseaudio/pulse/gconf-helper" pid=2531 comm="pulseaudio" requested_mask="receive" denied_mask="receive" signal=term peer="/usr/bin/pulseaudio"
> Index: b/libraries/libapparmor/testsuite/test_multi/testcase_signal_01.out
> ===================================================================
> --- /dev/null
> +++ b/libraries/libapparmor/testsuite/test_multi/testcase_signal_01.out
> @@ -0,0 +1,14 @@
> +START
> +File: testcase_signal_01.in
> +Event type: AA_RECORD_DENIED
> +Audit ID: 1409438250.564:201
> +Operation: signal
> +Mask: send
> +Denied Mask: send
> +Profile: /usr/bin/pulseaudio
> +Peer: /usr/bin/pulseaudio///usr/lib/pulseaudio/pulse/gconf-helper
> +Command: pulseaudio
> +PID: 2531
> +Signal: term
> +Epoch: 1409438250
> +Audit subid: 201
> Index: b/libraries/libapparmor/testsuite/test_multi/testcase_signal_02.out
> ===================================================================
> --- /dev/null
> +++ b/libraries/libapparmor/testsuite/test_multi/testcase_signal_02.out
> @@ -0,0 +1,14 @@
> +START
> +File: testcase_signal_02.in
> +Event type: AA_RECORD_DENIED
> +Audit ID: 1409438250.564:201
> +Operation: signal
> +Mask: receive
> +Denied Mask: receive
> +Profile: /usr/bin/pulseaudio///usr/lib/pulseaudio/pulse/gconf-helper
> +Peer: /usr/bin/pulseaudio
> +Command: pulseaudio
> +PID: 2531
> +Signal: term
> +Epoch: 1409438250
> +Audit subid: 201
> Index: b/libraries/libapparmor/testsuite/test_multi/testcase_ptrace_01.in
> ===================================================================
> --- /dev/null
> +++ b/libraries/libapparmor/testsuite/test_multi/testcase_ptrace_01.in
> @@ -0,0 +1 @@
> +type=AVC msg=audit(1409700683.304:547661): apparmor="DENIED" operation="ptrace" profile="/home/ubuntu/bzr/apparmor/tests/regression/apparmor/ptrace" pid=22465 comm="ptrace" requested_mask="tracedby" denied_mask="tracedby" peer="/home/ubuntu/bzr/apparmor/tests/regression/apparmor/ptrace"
> Index: b/libraries/libapparmor/testsuite/test_multi/testcase_ptrace_01.out
> ===================================================================
> --- /dev/null
> +++ b/libraries/libapparmor/testsuite/test_multi/testcase_ptrace_01.out
> @@ -0,0 +1,13 @@
> +START
> +File: testcase_ptrace_01.in
> +Event type: AA_RECORD_DENIED
> +Audit ID: 1409700683.304:547661
> +Operation: ptrace
> +Mask: tracedby
> +Denied Mask: tracedby
> +Profile: /home/ubuntu/bzr/apparmor/tests/regression/apparmor/ptrace
> +Peer: /home/ubuntu/bzr/apparmor/tests/regression/apparmor/ptrace
> +Command: ptrace
> +PID: 22465
> +Epoch: 1409700683
> +Audit subid: 547661
>
>