[apparmor] [patch] libapparmor: add log-parsing support for encoded comm strings

Steve Beattie steve at nxnw.org
Wed Nov 30 18:21:50 UTC 2011


While trying to track down the source of the problem for
https://bugs.launchpad.net/apparmor/+bug/897957/ I discovered that the
libapparmor log parsing library doesn't take into account comm entries
that have been hex-encoded; these occur when the binary path name
includes a space or other character that needs encoding.

The attached patch fixes the issue as well as adding a testcase that
demonstrates the issue.

Unfortunately, this does not appear to be the cause of LP: #897957.

=== modified file 'libraries/libapparmor/src/grammar.y'
--- libraries/libapparmor/src/grammar.y	2011-02-23 22:02:45 +0000
+++ libraries/libapparmor/src/grammar.y	2011-11-30 18:08:05 +0000
@@ -246,7 +246,7 @@
 	{ ret_record->fsuid = $3;}
 	| TOK_KEY_OUID TOK_EQUALS TOK_DIGITS
 	{ ret_record->ouid = $3;}
-	| TOK_KEY_COMM TOK_EQUALS TOK_QUOTED_STRING
+	| TOK_KEY_COMM TOK_EQUALS safe_string
 	{ ret_record->comm = $3;}
 	| TOK_KEY_APPARMOR TOK_EQUALS apparmor_event
 	| TOK_KEY_CAPABILITY TOK_EQUALS TOK_DIGITS
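Review bot: the comm rule no longer names TOK_QUOTED_STRING, so parsing of the ordinary quoted form (comm="...") now depends entirely on what safe_string accepts, and nothing in this hunk shows that. Please state in the commit message that safe_string covers both the quoted and the hex-encoded form, and confirm that $3 from safe_string has the same ownership as the string the old token supplied, since the action `ret_record->comm = $3;` is kept unchanged.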

=== modified file 'libraries/libapparmor/src/scanner.l'
--- libraries/libapparmor/src/scanner.l	2011-02-22 11:51:16 +0000
+++ libraries/libapparmor/src/scanner.l	2011-11-30 18:08:39 +0000
@@ -265,7 +265,7 @@
 {key_error}		{ return(TOK_KEY_ERROR); }
 {key_fsuid}		{ return(TOK_KEY_FSUID); }
 {key_ouid}		{ return(TOK_KEY_OUID); }
-{key_comm}		{ return(TOK_KEY_COMM); }
+{key_comm}		{ BEGIN(safe_string); return(TOK_KEY_COMM); }
 {key_capability}	{ return(TOK_KEY_CAPABILITY); }
 {key_capname}		{ return(TOK_KEY_CAPNAME); }
 {key_offset}		{ return(TOK_KEY_OFFSET); }
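Review bot: the {key_comm} rule now calls BEGIN(safe_string) before returning, but the hunk does not show where the scanner leaves that start condition again. If a record carries a comm= value that the safe_string state does not match, the remaining keys on the line could be scanned in the wrong state. A short comment on this rule pointing to where the state is reset would make that easy to check.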

=== added file 'libraries/libapparmor/testsuite/test_multi/testcase_encoded_comm.err'
=== added file 'libraries/libapparmor/testsuite/test_multi/testcase_encoded_comm.in'
--- libraries/libapparmor/testsuite/test_multi/testcase_encoded_comm.in	1970-01-01 00:00:00 +0000
+++ libraries/libapparmor/testsuite/test_multi/testcase_encoded_comm.in	2011-11-30 18:04:43 +0000
@@ -0,0 +1,1 @@
+type=AVC msg=audit(1322676143.201:455): apparmor="ALLOWED" operation="open" parent=10357 profile=2F686F6D652F73746576652F746D702F6D792070726F672E7368 name=2F686F6D652F73746576652F746D702F6D792070726F672E7368 pid=22918 comm=6D792070726F672E7368 requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
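Review bot: this input exercises a single encoded comm, a name containing a space, while the description says encoding also happens for other characters. Consider adding a second record whose comm needs encoding for a different reason, and keeping a record with a plain quoted comm alongside it, so that both forms the grammar now accepts for comm are covered by the testsuite.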

=== added file 'libraries/libapparmor/testsuite/test_multi/testcase_encoded_comm.out'
--- libraries/libapparmor/testsuite/test_multi/testcase_encoded_comm.out	1970-01-01 00:00:00 +0000
+++ libraries/libapparmor/testsuite/test_multi/testcase_encoded_comm.out	2011-11-30 18:12:12 +0000
@@ -0,0 +1,16 @@
+START
+File: test_multi/testcase_encoded_comm.in
+Event type: AA_RECORD_ALLOWED
+Audit ID: 1322676143.201:455
+Operation: open
+Mask: r
+Denied Mask: r
+fsuid: 1000
+ouid: 1000
+Profile: /home/steve/tmp/my prog.sh
+Name: /home/steve/tmp/my prog.sh
+Command: my prog.sh
+Parent: 10357
+PID: 22918
+Epoch: 1322676143
+Audit subid: 455
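Review bot: Profile and Name in the expected output embed a personal home directory (/home/steve/tmp/my prog.sh). A neutral path would be more conventional for a testsuite fixture; changing it means regenerating the hex values in the matching .in file as well.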


-- 
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/
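
The encoding described in the message, as an added example that is not part of the original post or of libapparmor: a C routine that extracts a string field from an audit record and decodes it whether it arrives quoted or hex-encoded. The name `audit_get_field` is hypothetical and the sample record is abridged from the testcase in the patch.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: abridged from the testcase record in the patch. */
static const char sample_record[] =
	"type=AVC msg=audit(1322676143.201:455): apparmor=\"ALLOWED\" "
	"operation=\"open\" pid=22918 comm=6D792070726F672E7368 requested_mask=\"r\"";

static int hexval(int c) { return isdigit(c) ? c - '0' : toupper(c) - 'A' + 10; }

/* audit_get_field (hypothetical helper): copy string field `key` into out.
 * A quoted value is copied as is; an unquoted value must be pairs of hex
 * digits and is decoded. Returns the decoded length, or -1 when the field
 * is missing, malformed or does not fit in outlen bytes. */
int audit_get_field(const char *line, const char *key, char *out, size_t outlen)
{
	char pat[64];
	const char *hit;
	const unsigned char *v;
	size_t n = 0;
	if (!outlen || snprintf(pat, sizeof(pat), " %s=", key) >= (int)sizeof(pat))
		return -1;
	if (!(hit = strstr(line, pat)))
		return -1;
	v = (const unsigned char *)hit + strlen(pat);
	if (*v == '"') {		/* quoted: literal text up to closing quote */
		for (v++; *v && *v != '"'; v++) {
			if (n + 1 >= outlen) return -1;
			out[n++] = (char)*v;
		}
		if (*v != '"') return -1;
	} else {			/* unquoted: hex pairs up to the next space */
		for (; *v && *v != ' ' && *v != '\n'; v += 2) {
			if (!isxdigit(v[0]) || !isxdigit(v[1]) || n + 1 >= outlen)
				return -1;
			out[n++] = (char)(hexval(v[0]) << 4 | hexval(v[1]));
		}
	}
	out[n] = '\0';
	return (int)n;
}

int main(void)
{
	char buf[64];
	int n = audit_get_field(sample_record, "comm", buf, sizeof(buf));
	printf("comm: %s\n", n < 0 ? "(undecodable)" : buf);
	return n < 0;
}
```

A decoded value can contain any byte, including control characters, so treat it as untrusted before printing or logging it.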