[apparmor] PATCH [2/6] - Fix capability log parsing

Steve Beattie steve at nxnw.org
Fri Sep 10 00:25:06 BST 2010


On Thu, Sep 09, 2010 at 03:36:18PM -0700, Steve Beattie wrote:
> On Thu, Sep 09, 2010 at 08:34:40AM -0700, John Johansen wrote:
> > The capability operation picked up the capability and capname fields.
> > capability is reported by LSM_AUDIT and is just the capability number.
> > capname is reported by the apparmor module and is the name the kernel
> > knows the capability as.
> > 
> > For now just use capname and silently drop capability when it is found.
> 
> Actually, I mildly take back my ACK here...
> 
> > Index: libapparmor/src/scanner.l
> > ===================================================================
> > --- libapparmor.orig/src/scanner.l	2010-09-09 07:18:32.214193401 -0700
> > +++ libapparmor/src/scanner.l	2010-09-09 07:40:32.814193400 -0700
> > @@ -125,7 +125,6 @@
> >  old_on			"on"
> >  old_xattr		"xattr"
> >  old_change		"change"
> > -old_capability		"capability"
> >  old_syscall		"syscall"
> >  old_link		"link"
> >  old_fork		"fork"
> > @@ -159,6 +158,8 @@
> >  key_fsuid		"fsuid"
> >  key_ouid		"ouid"
> >  key_comm		"comm"
> > +key_capability		"capability"
> > +key_capname		"capname"
> >  audit			"audit"
> >  
> >  /* syslog tokens */
> > @@ -303,7 +304,7 @@
> >  {old_extended}		{ return(TOK_OLD_EXTENDED); }
> >  {old_on}		{ return(TOK_OLD_ON); }
> >  {old_change}		{ return(TOK_OLD_CHANGE); }
> > -{old_capability}	{ BEGIN(sub_id); return(TOK_OLD_CAPABILITY); }
> > +{key_capability}	{ BEGIN(sub_id); return(TOK_KEY_CAPABILITY); }
> >  {old_syscall}		{ return(TOK_OLD_SYSCALL); }
> >  {old_fork}		{ return(TOK_OLD_FORK); }
> >  {old_child}		{ return(TOK_OLD_CHILD); }
> > @@ -343,6 +344,8 @@
> >  {key_fsuid}		{ return(TOK_KEY_FSUID); }
> >  {key_ouid}		{ return(TOK_KEY_OUID); }
> >  {key_comm}		{ return(TOK_KEY_COMM); }
> > +{key_capability}	{ return(TOK_KEY_CAPABILITY); }
> > +{key_capname}		{ return(TOK_KEY_CAPNAME); }
> >  
> >  {syslog_kernel}		{ BEGIN(dmesg_timestamp); return(TOK_SYSLOG_KERNEL); }
> >  {syslog_month}		{ yylval->t_str = strdup(yytext); return(TOK_DATE_MONTH); }
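Review bot: this hunk adds a second `{key_capability}` rule while the earlier hunk already gives the same pattern a rule in the old-style block with `BEGIN(sub_id)`; when two flex rules match the same text at the same length, the rule listed first wins, so the plain `return(TOK_KEY_CAPABILITY)` added here is unreachable. Keep one rule for the pattern, and if the `sub_id` state change has to stay for the old message style, note that on the rule line.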
> 
> The pattern {key_capability} is now listed twice, thanks to the addition
> in the last chunk. This works out somewhat okay as the first rule
> will always match (and then jump into the sub_id state which can also
> handle =ID pairs). The reason for the sub_id behavior is the old message
> style capability keyword.
> 
> I think we should have the pattern keyword just once, and have it (for
> the time being) jump to the sub_id state. Either way, it'll be mildly
> confusing to untangle when we rip out the old style message support.

This added patch passes with the testcases I provided:

=== modified file 'libraries/libapparmor/src/scanner.l'
--- libraries/libapparmor/src/scanner.l	2010-09-09 19:22:02 +0000
+++ libraries/libapparmor/src/scanner.l	2010-09-09 23:21:02 +0000
@@ -308,7 +308,6 @@
 {old_extended}		{ return(TOK_OLD_EXTENDED); }
 {old_on}		{ return(TOK_OLD_ON); }
 {old_change}		{ return(TOK_OLD_CHANGE); }
-{key_capability}	{ BEGIN(sub_id); return(TOK_KEY_CAPABILITY); }
 {old_syscall}		{ return(TOK_OLD_SYSCALL); }
 {old_fork}		{ return(TOK_OLD_FORK); }
 {old_child}		{ return(TOK_OLD_CHILD); }
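Review bot: with the rule removed from the old-style block, old-style messages using the `capability` keyword now depend on the `key_capability` rule in the key-token block below entering `sub_id`; a one-line comment here or in the commit message saying that the old style is now served there would stop a later reader from assuming old-style capability support was dropped in this hunk.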
@@ -348,7 +347,7 @@
 {key_fsuid}		{ return(TOK_KEY_FSUID); }
 {key_ouid}		{ return(TOK_KEY_OUID); }
 {key_comm}		{ return(TOK_KEY_COMM); }
-{key_capability}	{ return(TOK_KEY_CAPABILITY); }
+{key_capability}	{ BEGIN(sub_id); return(TOK_KEY_CAPABILITY); }
 {key_capname}		{ return(TOK_KEY_CAPNAME); }
 {key_offset}		{ return(TOK_KEY_OFFSET); }
 {key_target}		{ return(TOK_KEY_TARGET); }
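Review bot: `BEGIN(sub_id)` on this `key_capability` rule is the only state change in a block where every neighbouring `key_*` rule just returns its token, and its sole reason is the old message style; a short comment on the line saying so (and that it goes away with old-style support) would address the "confusing to untangle" concern raised above. It is also worth making sure the test cases include a new-style line where `capability=N` is immediately followed by `capname="..."`, so that `sub_id` handles the `=ID` pair and hands back to normal key parsing for the next field.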



-- 
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/
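The description at the top of the thread (the numeric `capability` field comes from LSM_AUDIT, the `capname` field from the apparmor module, and the patch keeps `capname` and drops the number) can be illustrated outside the flex scanner. The following is an added example written for this page; it is not libapparmor code and not code from either poster. The sample log lines are constructed, the field-splitting regex is a simplification of what the real scanner does, and the fallback from the numeric field to a name (via a partial copy of the `linux/capability.h` numbering) goes beyond the patch, which simply discards the number.

```python
import re

# Constructed sample lines (not taken from the mailing list). The first is a
# new-style audit message carrying both the LSM_AUDIT numeric "capability"
# field and apparmor's own "capname" field; the second carries only the number.
SAMPLE_NEW = ('type=AVC msg=audit(1284027000.123:45): apparmor="DENIED" '
              'operation="capable" parent=1 profile="/usr/sbin/ntpd" pid=1234 '
              'comm="ntpd" capability=12 capname="net_admin"')
SAMPLE_NUMERIC_ONLY = ('type=AVC msg=audit(1284027000.123:46): apparmor="DENIED" '
                       'operation="capable" profile="/usr/sbin/ntpd" pid=1234 '
                       'comm="ntpd" capability=21')

# Partial copy of the capability numbering from linux/capability.h, used only
# for the fallback when capname is missing (assumption: this subset is enough
# for the samples; extend as needed).
CAP_NAMES = {
    0: "chown", 1: "dac_override", 2: "dac_read_search", 3: "fowner",
    4: "fsetid", 5: "kill", 6: "setgid", 7: "setuid", 8: "setpcap",
    9: "linux_immutable", 10: "net_bind_service", 11: "net_broadcast",
    12: "net_admin", 13: "net_raw", 14: "ipc_lock", 15: "ipc_owner",
    16: "sys_module", 17: "sys_rawio", 18: "sys_chroot", 19: "sys_ptrace",
    20: "sys_pacct", 21: "sys_admin",
}

# key=value pairs; a value is either a double-quoted string (with backslash
# escapes) or a run of non-space characters.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fields(line):
    """Split an audit line into its key=value fields, stripping quotes."""
    fields = {}
    for key, value in _KV.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def capability_name(fields):
    """Pick the capability name the way the patch does: prefer apparmor's
    capname and drop the numeric LSM_AUDIT field. Falling back to the number
    when capname is absent is a hypothetical extension beyond the patch."""
    if "capname" in fields:
        return fields["capname"]
    if "capability" in fields:
        num = int(fields["capability"])
        return CAP_NAMES.get(num, "unknown_cap_%d" % num)
    return None


def parse_capability_event(line):
    """Return a summary of a 'capable' event, or None for other operations."""
    fields = parse_fields(line)
    if fields.get("operation") != "capable":
        return None
    return {
        "denied": fields.get("apparmor") == "DENIED",
        "profile": fields.get("profile"),
        "pid": int(fields["pid"]) if "pid" in fields else None,
        "comm": fields.get("comm"),
        "capability": capability_name(fields),
    }


if __name__ == "__main__":
    for sample in (SAMPLE_NEW, SAMPLE_NUMERIC_ONLY):
        print(parse_capability_event(sample))
```

Running the block prints one summary per sample line; the first resolves to `net_admin` from `capname`, the second to `sys_admin` via the numeric fallback. When both fields are present the number is ignored, which is the behaviour the patch description asks for.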