-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On 11/30/2011 10:21 AM, Steve Beattie wrote: > While trying to track down the source of the problem for > https://bugs.launchpad.net/apparmor/+bug/897957/ I discovered that the > libapparmor log parsing library doesn't take into account comm entries > that have been hex-encoded; these occur when the binary path name > includes a space or other character that needs encoding. > > The attached patch fixes the issue as well as adding a testcase that > demonstrates the issue. > > Unfortunately, this does not appear to be the cause of LP: #897957. >
Acked-by: John Johansen <[email protected]> > === modified file 'libraries/libapparmor/src/grammar.y' > --- libraries/libapparmor/src/grammar.y 2011-02-23 22:02:45 +0000 > +++ libraries/libapparmor/src/grammar.y 2011-11-30 18:08:05 +0000 > @@ -246,7 +246,7 @@ > { ret_record->fsuid = $3;} > | TOK_KEY_OUID TOK_EQUALS TOK_DIGITS > { ret_record->ouid = $3;} > - | TOK_KEY_COMM TOK_EQUALS TOK_QUOTED_STRING > + | TOK_KEY_COMM TOK_EQUALS safe_string > { ret_record->comm = $3;} > | TOK_KEY_APPARMOR TOK_EQUALS apparmor_event > | TOK_KEY_CAPABILITY TOK_EQUALS TOK_DIGITS > > === modified file 'libraries/libapparmor/src/scanner.l' > --- libraries/libapparmor/src/scanner.l 2011-02-22 11:51:16 +0000 > +++ libraries/libapparmor/src/scanner.l 2011-11-30 18:08:39 +0000 > @@ -265,7 +265,7 @@ > {key_error} { return(TOK_KEY_ERROR); } > {key_fsuid} { return(TOK_KEY_FSUID); } > {key_ouid} { return(TOK_KEY_OUID); } > -{key_comm} { return(TOK_KEY_COMM); } > +{key_comm} { BEGIN(safe_string); return(TOK_KEY_COMM); } > {key_capability} { return(TOK_KEY_CAPABILITY); } > {key_capname} { return(TOK_KEY_CAPNAME); } > {key_offset} { return(TOK_KEY_OFFSET); } > > === added file > 'libraries/libapparmor/testsuite/test_multi/testcase_encoded_comm.err' > === added file > 'libraries/libapparmor/testsuite/test_multi/testcase_encoded_comm.in' > --- libraries/libapparmor/testsuite/test_multi/testcase_encoded_comm.in > 1970-01-01 00:00:00 +0000 > +++ libraries/libapparmor/testsuite/test_multi/testcase_encoded_comm.in > 2011-11-30 18:04:43 +0000 > @@ -0,0 +1,1 @@ > +type=AVC msg=audit(1322676143.201:455): apparmor="ALLOWED" operation="open" > parent=10357 profile=2F686F6D652F73746576652F746D702F6D792070726F672E7368 > name=2F686F6D652F73746576652F746D702F6D792070726F672E7368 pid=22918 > comm=6D792070726F672E7368 requested_mask="r" denied_mask="r" fsuid=1000 > ouid=1000 > > === added file > 'libraries/libapparmor/testsuite/test_multi/testcase_encoded_comm.out' > --- libraries/libapparmor/testsuite/test_multi/testcase_encoded_comm.out > 1970-01-01 00:00:00 +0000 > +++ libraries/libapparmor/testsuite/test_multi/testcase_encoded_comm.out > 2011-11-30 18:12:12 +0000 > @@ -0,0 +1,16 @@ > +START > +File: test_multi/testcase_encoded_comm.in > +Event type: AA_RECORD_ALLOWED > +Audit ID: 1322676143.201:455 > +Operation: open > +Mask: r > +Denied Mask: r > +fsuid: 1000 > +ouid: 1000 > +Profile: /home/steve/tmp/my prog.sh > +Name: /home/steve/tmp/my prog.sh > +Command: my prog.sh > +Parent: 10357 > +PID: 22918 > +Epoch: 1322676143 > +Audit subid: 455 > > > > > -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQIcBAEBCgAGBQJO1nVnAAoJEAUvNnAY1cPYkEEQAIv63mb9iqB0AHPgkIhKWHv+ +JxZjnlfuEyKFSLJ+icrQzkxyd1Pjk9A4CPgNvQGW5IbqoykrCYRPgVfwDWG8ERm 4apRN5PYxAwbAF8vvwgFM6PUQGCsD7VC9q4AQ2eeCj+QRG2gdvDOMbEzdKN2u4Vy oZiTKskI34xN9zYRWaAliIxH8xML93csCZSVHrWzVLH4ZarlKPUX0PYMzqU/P5mb PhU31JSVVAHIfjIKA6QE1h+x3dK6JbN1CMhvdRjRad/zUeuyTB/dqK57ekSkZtP5 mCeb5l8XlHoNSKBcOyDjcxcMhv8dTm4SPkkG+G/rmSCCsApfL+gyvqGODGSUq5Ub GK0I8JVtQlH7vYaYWqWisSvQ7fZDGb+L5uV4uRhfWfxkimpGxTOUSMIKTrS98Zor NVH3HcAHDBIK7Odej/CaCdDaTqkRfhgFvDTw5yVWVPGenkMavYLd9qxko4KrpBVT 8w/egb4mv+Tfq/ZYY0VQsYbY8CZFv2fvVolsy98o2Uh3yapNbwYuenBMyjkcOF17 vE0bQpIlj41OX2WsH8tm6JqdRaT2nngVUM2abO9HgV1v6RizUMTzoH4fijobyM45 w15y6Ahz5wFR6PhBjDT3cYAAXxLwWQIMN4fjbIvXVbqXUl7hgHrQ5A9f9QR4u4f8 0Mc9rBs+ZoZyAg1MoxCI =KzkT -----END PGP SIGNATURE----- -- AppArmor mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
