While trying to track down the source of the problem for
https://bugs.launchpad.net/apparmor/+bug/897957/ I discovered that the
libapparmor log parsing library doesn't take into account comm entries
that have been hex-encoded; these occur when the binary path name
includes a space or other character that needs encoding.

The attached patch fixes the issue as well as adding a testcase that
demonstrates the issue.

Unfortunately, this does not appear to be the cause of LP: #897957.

=== modified file 'libraries/libapparmor/src/grammar.y'
--- libraries/libapparmor/src/grammar.y 2011-02-23 22:02:45 +0000
+++ libraries/libapparmor/src/grammar.y 2011-11-30 18:08:05 +0000
@@ -246,7 +246,7 @@
        { ret_record->fsuid = $3;}
        | TOK_KEY_OUID TOK_EQUALS TOK_DIGITS
        { ret_record->ouid = $3;}
-       | TOK_KEY_COMM TOK_EQUALS TOK_QUOTED_STRING
+       | TOK_KEY_COMM TOK_EQUALS safe_string
        { ret_record->comm = $3;}
        | TOK_KEY_APPARMOR TOK_EQUALS apparmor_event
        | TOK_KEY_CAPABILITY TOK_EQUALS TOK_DIGITS
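Review bot: The comm rule now takes safe_string in place of TOK_QUOTED_STRING, but the definition of safe_string is not part of this hunk, so it should be confirmed that it still accepts the quoted form as well as the hex-encoded one; otherwise records with a quoted comm, which the old rule handled, would stop parsing. Since the action `ret_record->comm = $3;` is unchanged, safe_string also has to hand back a string with the same ownership as TOK_QUOTED_STRING did, so that freeing the record behaves as before.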

=== modified file 'libraries/libapparmor/src/scanner.l'
--- libraries/libapparmor/src/scanner.l 2011-02-22 11:51:16 +0000
+++ libraries/libapparmor/src/scanner.l 2011-11-30 18:08:39 +0000
@@ -265,7 +265,7 @@
 {key_error}            { return(TOK_KEY_ERROR); }
 {key_fsuid}            { return(TOK_KEY_FSUID); }
 {key_ouid}             { return(TOK_KEY_OUID); }
-{key_comm}             { return(TOK_KEY_COMM); }
+{key_comm}             { BEGIN(safe_string); return(TOK_KEY_COMM); }
 {key_capability}       { return(TOK_KEY_CAPABILITY); }
 {key_capname}          { return(TOK_KEY_CAPNAME); }
 {key_offset}           { return(TOK_KEY_OFFSET); }
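Review bot: In the {key_comm} rule, BEGIN(safe_string) switches the scanner state before the '=' has been consumed, and nothing in this hunk shows where the state is left again. Please confirm that the safe_string start condition matches the equals sign and returns to the initial state after the value, including when the value is malformed, so that the keys that follow comm (requested_mask, denied_mask, fsuid and ouid in the new testcase) are not scanned in the wrong state.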

=== added file 
'libraries/libapparmor/testsuite/test_multi/testcase_encoded_comm.err'
=== added file 
'libraries/libapparmor/testsuite/test_multi/testcase_encoded_comm.in'
--- libraries/libapparmor/testsuite/test_multi/testcase_encoded_comm.in 
1970-01-01 00:00:00 +0000
+++ libraries/libapparmor/testsuite/test_multi/testcase_encoded_comm.in 
2011-11-30 18:04:43 +0000
@@ -0,0 +1,1 @@
+type=AVC msg=audit(1322676143.201:455): apparmor="ALLOWED" operation="open" 
parent=10357 profile=2F686F6D652F73746576652F746D702F6D792070726F672E7368 
name=2F686F6D652F73746576652F746D702F6D792070726F672E7368 pid=22918 
comm=6D792070726F672E7368 requested_mask="r" denied_mask="r" fsuid=1000 
ouid=1000
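Review bot: The single added line of testcase_encoded_comm.in is wrapped over five lines as it appears here, while the hunk header says `+1,1`, so the patch will not apply cleanly from the message body; an unwrapped copy is needed. The input also covers only a space in comm; a second case with a different encoded character would exercise the "other character that needs encoding" path the description mentions.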

=== added file 
'libraries/libapparmor/testsuite/test_multi/testcase_encoded_comm.out'
--- libraries/libapparmor/testsuite/test_multi/testcase_encoded_comm.out        
1970-01-01 00:00:00 +0000
+++ libraries/libapparmor/testsuite/test_multi/testcase_encoded_comm.out        
2011-11-30 18:12:12 +0000
@@ -0,0 +1,16 @@
+START
+File: test_multi/testcase_encoded_comm.in
+Event type: AA_RECORD_ALLOWED
+Audit ID: 1322676143.201:455
+Operation: open
+Mask: r
+Denied Mask: r
+fsuid: 1000
+ouid: 1000
+Profile: /home/steve/tmp/my prog.sh
+Name: /home/steve/tmp/my prog.sh
+Command: my prog.sh
+Parent: 10357
+PID: 22918
+Epoch: 1322676143
+Audit subid: 455


-- 
Steve Beattie
<[email protected]>
http://NxNW.org/~steve/
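
An added example, not part of the original post and not libapparmor's own code: a C routine that pulls one field out of an audit line and decodes it whether it was logged quoted or hex-encoded, which is the distinction the message describes for comm. The names `decode_audit_value` and `get_audit_field` are hypothetical, and the lookup is a plain substring search rather than the flex/bison scanner the patch changes.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: decode one audit string value ("quoted" or hex). */
int decode_audit_value(const char *raw, size_t len, char *out, size_t outlen)
{
    if (len >= 2 && raw[0] == '"' && raw[len - 1] == '"') { /* quoted: copy as-is */
        if (len - 2 >= outlen) return -1;
        memcpy(out, raw + 1, len - 2);
        out[len - 2] = '\0';
        return 0;
    }
    if (len == 0 || len % 2 != 0 || len / 2 >= outlen) return -1; /* hex: even length */
    for (size_t i = 0; i < len; i += 2) {
        unsigned int byte = 0;
        if (!isxdigit((unsigned char)raw[i]) || !isxdigit((unsigned char)raw[i + 1]))
            return -1;
        /* reject an encoded NUL, which would silently truncate the name */
        if (sscanf(raw + i, "%2x", &byte) != 1 || byte == 0) return -1;
        out[i / 2] = (char)byte;
    }
    out[len / 2] = '\0';
    return 0;
}

/* Hypothetical helper: find " key=" in a line and decode its value into out. */
int get_audit_field(const char *line, const char *key, char *out, size_t outlen)
{
    char pat[64];
    int n = snprintf(pat, sizeof(pat), " %s=", key);
    if (n < 0 || (size_t)n >= sizeof(pat)) return -1;
    const char *p = strstr(line, pat);
    if (!p) return -1;
    p += n;
    size_t len = strcspn(p, " \n");             /* unquoted: ends at whitespace */
    if (*p == '"') {                            /* quoted: ends at closing quote */
        const char *end = strchr(p + 1, '"');
        if (!end) return -1;
        len = (size_t)(end - p) + 1;
    }
    return decode_audit_value(p, len, out, outlen);
}

int main(void)
{
    char buf[64]; /* comm value is from the page's testcase; the rest is constructed */
    if (get_audit_field("type=AVC pid=22918 comm=6D792070726F672E7368 fsuid=1000", "comm", buf, sizeof(buf)) == 0)
        printf("comm: %s\n", buf);
    return 0;
}
```

The function is meant for string fields such as comm, name and profile; numeric fields like pid are not string values and are rejected or mis-decoded if passed through it.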
