[apparmor] [patch 2/3] libaalogparse: add signal and peer keyword support
Steve Beattie
steve at nxnw.org
Wed Sep 3 07:40:22 UTC 2014
When signals and ptrace mediation were added to apparmor, the aalogparse
routines were not adjusted to compensate. This patch adds support for
the signal and peer keywords.
A couple of notes/questions:
1) The signal value is not a quoted string; is this intentional?
2) signal and ptrace rejections use the 'peer' keyword to report the
peer profile/label, yet dbus rejections use 'peer_profile'. Should
these be the same? Even if they are kept different in the logging,
should they map to the same field in the structure generated by
aalogparse?
Signed-off-by: Steve Beattie <steve at nxnw.org>
---
libraries/libapparmor/include/aalogparse.h | 2 +
libraries/libapparmor/src/grammar.y | 6 ++++
libraries/libapparmor/src/libaalogparse.c | 4 ++
libraries/libapparmor/src/scanner.l | 4 ++
libraries/libapparmor/testsuite/test_multi.c | 3 ++
libraries/libapparmor/testsuite/test_multi/testcase_ptrace_01.in | 1
libraries/libapparmor/testsuite/test_multi/testcase_ptrace_01.out | 13 +++++++++
libraries/libapparmor/testsuite/test_multi/testcase_signal_01.in | 1
libraries/libapparmor/testsuite/test_multi/testcase_signal_01.out | 14 ++++++++++
libraries/libapparmor/testsuite/test_multi/testcase_signal_02.in | 1
libraries/libapparmor/testsuite/test_multi/testcase_signal_02.out | 14 ++++++++++
11 files changed, 63 insertions(+)
Index: b/libraries/libapparmor/src/grammar.y
===================================================================
--- a/libraries/libapparmor/src/grammar.y
+++ b/libraries/libapparmor/src/grammar.y
@@ -128,6 +128,7 @@ aa_record_event_type lookup_aa_event(uns
%token TOK_KEY_PEER_PID
%token TOK_KEY_PROFILE
%token TOK_KEY_PEER_PROFILE
+%token TOK_KEY_PEER
%token TOK_AUDIT
%token TOK_KEY_FAMILY
%token TOK_KEY_SOCK_TYPE
@@ -157,6 +158,7 @@ aa_record_event_type lookup_aa_event(uns
%token TOK_KEY_PATH
%token TOK_KEY_INTERFACE
%token TOK_KEY_MEMBER
+%token TOK_KEY_SIGNAL
%token TOK_SYSLOG_KERNEL
%token TOK_SYSLOG_USER
@@ -267,6 +269,8 @@ key: TOK_KEY_OPERATION TOK_EQUALS TOK_QU
{ ret_record->info = $3;}
| TOK_KEY_PEER_INFO TOK_EQUALS TOK_QUOTED_STRING
{ ret_record->peer_info = $3;}
+ | TOK_KEY_PEER TOK_EQUALS TOK_QUOTED_STRING
+ { ret_record->peer = $3;}
| key_pid
| key_peer_pid
| TOK_KEY_PROFILE TOK_EQUALS safe_string
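Review bot: The new `peer` rule accepts only `TOK_QUOTED_STRING`, while the scanner change in this patch enters the `safe_string` state after `peer` and the neighbouring `profile` rule takes the `safe_string` non-terminal. If that state can also yield a hex-encoded token (its definition is not visible here), an encoded peer label would fail this rule, and the record would presumably fall to the `TOK_MSG_REST` branch and be reported as invalid, hiding the denial from tools that consume the log. Consider `| TOK_KEY_PEER TOK_EQUALS safe_string` plus a test input with an encoded peer, since the three new test cases only use plainly quoted peers. The `key` rule starts and ends outside the hunk.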
@@ -348,6 +352,8 @@ key: TOK_KEY_OPERATION TOK_EQUALS TOK_QU
{ ret_record->dbus_interface = $3; }
| TOK_KEY_MEMBER TOK_EQUALS TOK_QUOTED_STRING
{ ret_record->dbus_member = $3; }
+ | TOK_KEY_SIGNAL TOK_EQUALS TOK_ID
+ { ret_record->signal = $3; }
| TOK_MSG_REST
{
ret_record->event = AA_RECORD_INVALID;
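Review bot: `ret_record->signal = $3;` stores the token without releasing a value set earlier, so a line that repeats `signal=` would leak the first string; `ret_record->peer = $3;` in the previous hunk has the same shape. free_record() frees both fields, which suggests the record owns heap copies, though the scanner's allocation is not visible here. Because log lines can carry content the parser does not control, `free(ret_record->signal); ret_record->signal = $3;` would keep repeated keys from accumulating memory. The surrounding key actions appear to follow the same pattern, so this may fit better as a follow-up across the whole rule, which continues outside the hunk.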
Index: b/libraries/libapparmor/src/scanner.l
===================================================================
--- a/libraries/libapparmor/src/scanner.l
+++ b/libraries/libapparmor/src/scanner.l
@@ -159,6 +159,8 @@ key_dest "dest"
key_path "path"
key_interface "interface"
key_member "member"
+key_signal "signal"
+key_peer "peer"
audit "audit"
/* network addrs */
@@ -336,6 +338,8 @@ yy_flex_debug = 0;
{key_path} { return(TOK_KEY_PATH); }
{key_interface} { return(TOK_KEY_INTERFACE); }
{key_member} { return(TOK_KEY_MEMBER); }
+{key_signal} { BEGIN(sub_id); return(TOK_KEY_SIGNAL); }
+{key_peer} { BEGIN(safe_string); return(TOK_KEY_PEER); }
{syslog_kernel} { BEGIN(dmesg_timestamp); return(TOK_SYSLOG_KERNEL); }
{syslog_user} { return(TOK_SYSLOG_USER); }
Index: b/libraries/libapparmor/testsuite/test_multi/testcase_signal_01.in
===================================================================
--- /dev/null
+++ b/libraries/libapparmor/testsuite/test_multi/testcase_signal_01.in
@@ -0,0 +1 @@
+type=AVC msg=audit(1409438250.564:201): apparmor="DENIED" operation="signal" profile="/usr/bin/pulseaudio" pid=2531 comm="pulseaudio" requested_mask="send" denied_mask="send" signal=term peer="/usr/bin/pulseaudio///usr/lib/pulseaudio/pulse/gconf-helper"
Index: b/libraries/libapparmor/include/aalogparse.h
===================================================================
--- a/libraries/libapparmor/include/aalogparse.h
+++ b/libraries/libapparmor/include/aalogparse.h
@@ -152,6 +152,8 @@ typedef struct
char *dbus_path;
char *dbus_interface;
char *dbus_member;
+ char *signal; /* signal name */
+ char *peer;
} aa_log_record;
/**
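Review bot: `char *peer;` is added without a comment, unlike `signal` on the line above it, and the record already exposes a `peer_profile` field (printed in test_multi.c). A short comment would tell API users which one to read, for example `char *peer; /* peer profile/label from signal and ptrace records */`. The patch description notes that dbus rejections report `peer_profile` instead, which is worth stating next to the field as well. The struct definition starts outside the hunk.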
Index: b/libraries/libapparmor/src/libaalogparse.c
===================================================================
--- a/libraries/libapparmor/src/libaalogparse.c
+++ b/libraries/libapparmor/src/libaalogparse.c
@@ -71,6 +71,8 @@ void free_record(aa_log_record *record)
free(record->info);
if (record->peer_info != NULL)
free(record->peer_info);
+ if (record->peer != NULL)
+ free(record->peer);
if (record->active_hat != NULL)
free(record->active_hat);
if (record->audit_id != NULL)
@@ -93,6 +95,8 @@ void free_record(aa_log_record *record)
free(record->dbus_interface);
if (record->dbus_member != NULL)
free(record->dbus_member);
+ if (record->signal != NULL)
+ free(record->signal );
free(record);
}
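Review bot: `free(record->signal );` has a stray space before the closing parenthesis; `free(record->signal);` matches the other calls in free_record(). The `!= NULL` guards on the new lines here and in the previous hunk are redundant because free(NULL) is a no-op, though they follow the function's existing style. free_record() starts outside the hunk.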
Index: b/libraries/libapparmor/testsuite/test_multi.c
===================================================================
--- a/libraries/libapparmor/testsuite/test_multi.c
+++ b/libraries/libapparmor/testsuite/test_multi.c
@@ -98,6 +98,7 @@ int print_results(aa_log_record *record)
print_string("Profile", record->profile);
print_string("Peer profile", record->peer_profile);
+ print_string("Peer", record->peer);
print_string("Name", record->name);
print_string("Command", record->comm);
print_string("Name2", record->name2);
@@ -126,6 +127,8 @@ int print_results(aa_log_record *record)
print_string("DBus interface", record->dbus_interface);
print_string("DBus member", record->dbus_member);
+ print_string("Signal", record->signal);
+
print_long("Epoch", record->epoch, 0);
print_long("Audit subid", (long) record->audit_sub_id, 0);
return(0);
Index: b/libraries/libapparmor/testsuite/test_multi/testcase_signal_02.in
===================================================================
--- /dev/null
+++ b/libraries/libapparmor/testsuite/test_multi/testcase_signal_02.in
@@ -0,0 +1 @@
+type=AVC msg=audit(1409438250.564:201): apparmor="DENIED" operation="signal" profile="/usr/bin/pulseaudio///usr/lib/pulseaudio/pulse/gconf-helper" pid=2531 comm="pulseaudio" requested_mask="receive" denied_mask="receive" signal=term peer="/usr/bin/pulseaudio"
Index: b/libraries/libapparmor/testsuite/test_multi/testcase_signal_01.out
===================================================================
--- /dev/null
+++ b/libraries/libapparmor/testsuite/test_multi/testcase_signal_01.out
@@ -0,0 +1,14 @@
+START
+File: testcase_signal_01.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1409438250.564:201
+Operation: signal
+Mask: send
+Denied Mask: send
+Profile: /usr/bin/pulseaudio
+Peer: /usr/bin/pulseaudio///usr/lib/pulseaudio/pulse/gconf-helper
+Command: pulseaudio
+PID: 2531
+Signal: term
+Epoch: 1409438250
+Audit subid: 201
Index: b/libraries/libapparmor/testsuite/test_multi/testcase_signal_02.out
===================================================================
--- /dev/null
+++ b/libraries/libapparmor/testsuite/test_multi/testcase_signal_02.out
@@ -0,0 +1,14 @@
+START
+File: testcase_signal_02.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1409438250.564:201
+Operation: signal
+Mask: receive
+Denied Mask: receive
+Profile: /usr/bin/pulseaudio///usr/lib/pulseaudio/pulse/gconf-helper
+Peer: /usr/bin/pulseaudio
+Command: pulseaudio
+PID: 2531
+Signal: term
+Epoch: 1409438250
+Audit subid: 201
Index: b/libraries/libapparmor/testsuite/test_multi/testcase_ptrace_01.in
===================================================================
--- /dev/null
+++ b/libraries/libapparmor/testsuite/test_multi/testcase_ptrace_01.in
@@ -0,0 +1 @@
+type=AVC msg=audit(1409700683.304:547661): apparmor="DENIED" operation="ptrace" profile="/home/ubuntu/bzr/apparmor/tests/regression/apparmor/ptrace" pid=22465 comm="ptrace" requested_mask="tracedby" denied_mask="tracedby" peer="/home/ubuntu/bzr/apparmor/tests/regression/apparmor/ptrace"
Index: b/libraries/libapparmor/testsuite/test_multi/testcase_ptrace_01.out
===================================================================
--- /dev/null
+++ b/libraries/libapparmor/testsuite/test_multi/testcase_ptrace_01.out
@@ -0,0 +1,13 @@
+START
+File: testcase_ptrace_01.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1409700683.304:547661
+Operation: ptrace
+Mask: tracedby
+Denied Mask: tracedby
+Profile: /home/ubuntu/bzr/apparmor/tests/regression/apparmor/ptrace
+Peer: /home/ubuntu/bzr/apparmor/tests/regression/apparmor/ptrace
+Command: ptrace
+PID: 22465
+Epoch: 1409700683
+Audit subid: 547661