[apparmor] PATCH [2/6] - Fix capability log parsing
John Johansen
john.johansen at canonical.com
Thu Sep 9 16:34:40 BST 2010
The capability operation picked up the capability and capname fields.
capability is reported by LSM_AUDIT and is just the capability number.
capname is reported by the apparmor module and is the name the kernel
knows the capability as.
For now just use capname and silently drop capability when it is found.
Index: libapparmor/src/grammar.y
===================================================================
--- libapparmor.orig/src/grammar.y 2010-09-09 07:39:19.954193423 -0700
+++ libapparmor/src/grammar.y 2010-09-09 07:44:21.124193399 -0700
@@ -130,7 +130,6 @@
%token TOK_OLD_RMDIR
%token TOK_OLD_XATTR
%token TOK_OLD_CHANGE
-%token TOK_OLD_CAPABILITY
%token TOK_OLD_SYSCALL
%token TOK_OLD_LINK
%token TOK_OLD_FORK
@@ -161,6 +160,8 @@
%token TOK_KEY_FSUID
%token TOK_KEY_OUID
%token TOK_KEY_COMM
+%token TOK_KEY_CAPABILITY
+%token TOK_KEY_CAPNAME
%token TOK_SYSLOG_KERNEL
@@ -258,7 +259,7 @@
ret_record->attribute = $3;
ret_record->name = $7;
}
- | TOK_OLD_ACCESS TOK_OLD_TO TOK_OLD_CAPABILITY TOK_SINGLE_QUOTED_STRING
+ | TOK_OLD_ACCESS TOK_OLD_TO TOK_KEY_CAPABILITY TOK_SINGLE_QUOTED_STRING
TOK_OPEN_PAREN old_process_state TOK_CLOSE_PAREN
{
ret_record->operation = strdup("capability");
@@ -440,6 +441,16 @@
| TOK_KEY_COMM TOK_EQUALS TOK_QUOTED_STRING
{ ret_record->comm = $3;}
| TOK_KEY_APPARMOR TOK_EQUALS apparmor_event
+ | TOK_KEY_CAPABILITY TOK_EQUALS TOK_ID
+ { /* need to reverse map number to string, need to figure out
+ * how to get auto generation of reverse mapping table into
+ * autotools Makefile. For now just drop assumming capname is
+ * present which it should be with current kernels */
+ }
+ | TOK_KEY_CAPNAME TOK_EQUALS TOK_QUOTED_STRING
+ { /* capname used to be reported in name */
+ ret_record->name = $3;
+ }
;
apparmor_event:
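Review bot: The `TOK_KEY_CAPABILITY TOK_EQUALS TOK_ID` action at lines 42-47 discards `$3` without releasing it; if the scanner allocates TOK_ID values with strdup the way the TOK_DATE_MONTH rule does, every `capability=` field leaks one string, so the action should at least `free($3);` until the reverse mapping exists. Dropping the value also means a record from a kernel that emits `capability=` but not `capname=` carries no indication of which capability was exercised, which is the one fact a consumer of this log line needs; worth a comment on the rule such as `/* capability number dropped; name stays unset if capname= is absent */` (or storing the number in a spare field) so the gap is visible rather than silent. The `TOK_KEY_CAPNAME` action assigns `ret_record->name = $3;` unconditionally; if `name` can already be set by another field on the same line, `free(ret_record->name); ret_record->name = $3;` avoids leaking the earlier string. The comment in the new rule also misspells "assumming".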
Index: libapparmor/src/scanner.l
===================================================================
--- libapparmor.orig/src/scanner.l 2010-09-09 07:18:32.214193401 -0700
+++ libapparmor/src/scanner.l 2010-09-09 07:40:32.814193400 -0700
@@ -125,7 +125,6 @@
old_on "on"
old_xattr "xattr"
old_change "change"
-old_capability "capability"
old_syscall "syscall"
old_link "link"
old_fork "fork"
@@ -159,6 +158,8 @@
key_fsuid "fsuid"
key_ouid "ouid"
key_comm "comm"
+key_capability "capability"
+key_capname "capname"
audit "audit"
/* syslog tokens */
@@ -303,7 +304,7 @@
{old_extended} { return(TOK_OLD_EXTENDED); }
{old_on} { return(TOK_OLD_ON); }
{old_change} { return(TOK_OLD_CHANGE); }
-{old_capability} { BEGIN(sub_id); return(TOK_OLD_CAPABILITY); }
+{key_capability} { BEGIN(sub_id); return(TOK_KEY_CAPABILITY); }
{old_syscall} { return(TOK_OLD_SYSCALL); }
{old_fork} { return(TOK_OLD_FORK); }
{old_child} { return(TOK_OLD_CHILD); }
@@ -343,6 +344,8 @@
{key_fsuid} { return(TOK_KEY_FSUID); }
{key_ouid} { return(TOK_KEY_OUID); }
{key_comm} { return(TOK_KEY_COMM); }
+{key_capability} { return(TOK_KEY_CAPABILITY); }
+{key_capname} { return(TOK_KEY_CAPNAME); }
{syslog_kernel} { BEGIN(dmesg_timestamp); return(TOK_SYSLOG_KERNEL); }
{syslog_month} { yylval->t_str = strdup(yytext); return(TOK_DATE_MONTH); }