[apparmor] [patch 3/3] libaalogparse: support missing mount keywords

Seth Arnold seth.arnold at canonical.com
Thu Sep 4 00:56:21 UTC 2014


On Wed, Sep 03, 2014 at 12:40:23AM -0700, Steve Beattie wrote:
> This patch adds support for the mount and pivotroot related keywords,
> fstype, flags, and srcname.
> 
> Signed-off-by: Steve Beattie <steve at nxnw.org>

Acked-by: Seth Arnold <seth.arnold at canonical.com>

Thanks

> ---
>  libraries/libapparmor/include/aalogparse.h                           |    5 +++
>  libraries/libapparmor/src/grammar.y                                  |   11 ++++++
>  libraries/libapparmor/src/libaalogparse.c                            |    6 +++
>  libraries/libapparmor/src/scanner.l                                  |    6 +++
>  libraries/libapparmor/testsuite/test_multi.c                         |    4 ++
>  libraries/libapparmor/testsuite/test_multi/testcase_mount_01.in      |    1 
>  libraries/libapparmor/testsuite/test_multi/testcase_mount_01.out     |   16 ++++++++++
>  libraries/libapparmor/testsuite/test_multi/testcase_pivotroot_01.in  |    1 
>  libraries/libapparmor/testsuite/test_multi/testcase_pivotroot_01.out |   12 +++++++
>  9 files changed, 62 insertions(+)
> 
> Index: b/libraries/libapparmor/testsuite/test_multi/testcase_mount_01.in
> ===================================================================
> --- /dev/null
> +++ b/libraries/libapparmor/testsuite/test_multi/testcase_mount_01.in
> @@ -0,0 +1 @@
> +type=AVC msg=audit(1409700640.016:547457): apparmor="DENIED" operation="mount" info="failed mntpnt match" error=-13 profile="/home/ubuntu/bzr/apparmor/tests/regression/apparmor/mount" name="/tmp/sdtest.19033-29001-MPfz98/mountpoint/" pid=19085 comm="mount" fstype="ext2" srcname="/dev/loop0/" flags="rw, mand"
> Index: b/libraries/libapparmor/include/aalogparse.h
> ===================================================================
> --- a/libraries/libapparmor/include/aalogparse.h
> +++ b/libraries/libapparmor/include/aalogparse.h
> @@ -154,6 +154,11 @@ typedef struct
>  	char *dbus_member;
>  	char *signal;			/* signal name */
>  	char *peer;
> +
> +	/* mount et al specific bits */
> +	char *fs_type;
> +	char *flags;
> +	char *src_name;
>  } aa_log_record;
>  
>  /**
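Review bot: The three new public fields at `char *fs_type;`, `char *flags;` and `char *src_name;` carry no comment, unlike the neighbouring `char *signal; /* signal name */`, and the header is the only documentation library consumers have. I would annotate them from what the test fixtures show: `char *fs_type;  /* filesystem type, mount only */`, `char *flags;  /* mount flags as logged, e.g. "rw, mand" */`, `char *src_name;  /* mount source, or pivot_root's put_old path */`, and note that all three are owned by the record and released by free_record(). Appending fields also grows sizeof(aa_log_record); that is fine as long as only the library allocates records (the libaalogparse.c hunk frees the record itself, which suggests it does), but any consumer that allocates the struct would need a rebuild. The aa_log_record typedef begins outside the hunk.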
> Index: b/libraries/libapparmor/src/grammar.y
> ===================================================================
> --- a/libraries/libapparmor/src/grammar.y
> +++ b/libraries/libapparmor/src/grammar.y
> @@ -159,6 +159,9 @@ aa_record_event_type lookup_aa_event(uns
>  %token TOK_KEY_INTERFACE
>  %token TOK_KEY_MEMBER
>  %token TOK_KEY_SIGNAL
> +%token TOK_KEY_FSTYPE
> +%token TOK_KEY_FLAGS
> +%token TOK_KEY_SRCNAME
>  
>  %token TOK_SYSLOG_KERNEL
>  %token TOK_SYSLOG_USER
> @@ -354,6 +357,14 @@ key: TOK_KEY_OPERATION TOK_EQUALS TOK_QU
>  	{ ret_record->dbus_member = $3; }
>  	| TOK_KEY_SIGNAL TOK_EQUALS TOK_ID
>  	{ ret_record->signal = $3; }
> +
> +	| TOK_KEY_FSTYPE TOK_EQUALS TOK_QUOTED_STRING
> +	{ ret_record->fs_type = $3; }
> +	| TOK_KEY_FLAGS TOK_EQUALS TOK_QUOTED_STRING
> +	{ ret_record->flags = $3; }
> +	| TOK_KEY_SRCNAME TOK_EQUALS TOK_QUOTED_STRING
> +	{ ret_record->src_name = $3; }
> +
>  	| TOK_MSG_REST
>  	{
>  		ret_record->event = AA_RECORD_INVALID;
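Review bot: The new rules at `{ ret_record->fs_type = $3; }`, `{ ret_record->flags = $3; }` and `{ ret_record->src_name = $3; }` assign the strdup'd token unconditionally, so a log line that repeats one of these keys leaks the earlier value. The existing key rules visible above behave the same way, so this is consistent rather than new, but since the input is an audit line that an unprivileged process can partly influence (it names comm, srcname, fstype), it is worth deciding whether a repeated key should `free()` the previous value first or reject the record. The `key:` production starts and ends outside the hunk.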
> Index: b/libraries/libapparmor/src/scanner.l
> ===================================================================
> --- a/libraries/libapparmor/src/scanner.l
> +++ b/libraries/libapparmor/src/scanner.l
> @@ -161,6 +161,9 @@ key_interface		"interface"
>  key_member		"member"
>  key_signal		"signal"
>  key_peer		"peer"
> +key_fstype		"fstype"
> +key_flags		"flags"
> +key_srcname		"srcname"
>  audit			"audit"
>  
>  /* network addrs */
> @@ -340,6 +343,9 @@ yy_flex_debug = 0;
>  {key_member}		{ return(TOK_KEY_MEMBER); }
>  {key_signal}		{ BEGIN(sub_id); return(TOK_KEY_SIGNAL); }
>  {key_peer}		{ BEGIN(safe_string); return(TOK_KEY_PEER); }
> +{key_fstype}		{ return(TOK_KEY_FSTYPE); }
> +{key_flags}		{ BEGIN(safe_string); return(TOK_KEY_FLAGS); }
> +{key_srcname}		{ BEGIN(safe_string); return(TOK_KEY_SRCNAME); }
>  
>  {syslog_kernel}		{ BEGIN(dmesg_timestamp); return(TOK_SYSLOG_KERNEL); }
>  {syslog_user}		{ return(TOK_SYSLOG_USER); }
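Review bot: `{key_fstype} { return(TOK_KEY_FSTYPE); }` stays in the default start condition while the two sibling keys switch with `BEGIN(safe_string)`, and the grammar hunk expects TOK_QUOTED_STRING for all three. The fstype value comes from the caller of mount(2), so if the kernel logs it with the same untrusted-string encoding it uses for srcname (hex-encoded, unquoted, when it contains unusual bytes), the default rules may not tokenize it and the record would fall through to AA_RECORD_INVALID; the ext2 fixture cannot show that. Unless there is a reason fstype is guaranteed plain, I would make it `{key_fstype} { BEGIN(safe_string); return(TOK_KEY_FSTYPE); }` to match flags and srcname and add a fixture with an encoded value.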
> Index: b/libraries/libapparmor/testsuite/test_multi.c
> ===================================================================
> --- a/libraries/libapparmor/testsuite/test_multi.c
> +++ b/libraries/libapparmor/testsuite/test_multi.c
> @@ -129,6 +129,10 @@ int print_results(aa_log_record *record)
>  
>  		print_string("Signal", record->signal);
>  
> +		print_string("FS Type", record->fs_type);
> +		print_string("Flags", record->flags);
> +		print_string("Src name", record->src_name);
> +
>  		print_long("Epoch", record->epoch, 0);
>  		print_long("Audit subid", (long) record->audit_sub_id, 0);
>  	return(0);
> Index: b/libraries/libapparmor/testsuite/test_multi/testcase_pivotroot_01.in
> ===================================================================
> --- /dev/null
> +++ b/libraries/libapparmor/testsuite/test_multi/testcase_pivotroot_01.in
> @@ -0,0 +1 @@
> +type=AVC msg=audit(1409700678.384:547594): apparmor="DENIED" operation="pivotroot" profile="/home/ubuntu/bzr/apparmor/tests/regression/apparmor/pivot_root" name="/tmp/sdtest.21082-7446-EeefO6/new_root/" pid=21162 comm="pivot_root" srcname="/tmp/sdtest.21082-7446-EeefO6/new_root/put_old/"
> Index: b/libraries/libapparmor/testsuite/test_multi/testcase_pivotroot_01.out
> ===================================================================
> --- /dev/null
> +++ b/libraries/libapparmor/testsuite/test_multi/testcase_pivotroot_01.out
> @@ -0,0 +1,12 @@
> +START
> +File: testcase_pivotroot_01.in
> +Event type: AA_RECORD_DENIED
> +Audit ID: 1409700678.384:547594
> +Operation: pivotroot
> +Profile: /home/ubuntu/bzr/apparmor/tests/regression/apparmor/pivot_root
> +Name: /tmp/sdtest.21082-7446-EeefO6/new_root/
> +Command: pivot_root
> +PID: 21162
> +Src name: /tmp/sdtest.21082-7446-EeefO6/new_root/put_old/
> +Epoch: 1409700678
> +Audit subid: 547594
> Index: b/libraries/libapparmor/src/libaalogparse.c
> ===================================================================
> --- a/libraries/libapparmor/src/libaalogparse.c
> +++ b/libraries/libapparmor/src/libaalogparse.c
> @@ -97,6 +97,12 @@ void free_record(aa_log_record *record)
>  			free(record->dbus_member);
>  		if (record->signal != NULL)
>  			free(record->signal );
> +		if (record->fs_type != NULL)
> +			free(record->fs_type);
> +		if (record->flags != NULL)
> +			free(record->flags);
> +		if (record->src_name != NULL)
> +			free(record->src_name);
>  
>  		free(record);
>  	}
> Index: b/libraries/libapparmor/testsuite/test_multi/testcase_mount_01.out
> ===================================================================
> --- /dev/null
> +++ b/libraries/libapparmor/testsuite/test_multi/testcase_mount_01.out
> @@ -0,0 +1,16 @@
> +START
> +File: testcase_mount_01.in
> +Event type: AA_RECORD_DENIED
> +Audit ID: 1409700640.016:547457
> +Operation: mount
> +Profile: /home/ubuntu/bzr/apparmor/tests/regression/apparmor/mount
> +Name: /tmp/sdtest.19033-29001-MPfz98/mountpoint/
> +Command: mount
> +Info: failed mntpnt match
> +ErrorCode: 13
> +PID: 19085
> +FS Type: ext2
> +Flags: rw, mand
> +Src name: /dev/loop0/
> +Epoch: 1409700640
> +Audit subid: 547457
> 
> 