From: Tyler Hicks
Subject: Re: [PATCH] userspace: audit: ausearch doesn't return entries for AppArmor events that exist in the log
Date: Thu, 29 May 2014 17:21:24 +0200
Message-ID: <20140529152123.GB12950@boyd>
References: <53866422.5010709@suse.de>
In-Reply-To: <53866422.5010709@suse.de>
To: Tony Jones
Cc: wpreston@suse.com, linux-audit@redhat.com, seth.arnold@canonical.com
List-Id: linux-audit@redhat.com

On 2014-05-28 15:33:06, Tony Jones wrote:
> This patch came from our L3 department. AppArmor LSM is logging using the common_lsm_audit()
> call but the audit userspace parsing code expects to see an SELinux tclass field. This patch
> doesn't address the lack of support for AppArmor in "aureport --avc". Talking to Seth Arnold,
> Canonical apparently has patches for this; if this is true perhaps they can post for inclusion.
>
> Based-on-work-by: William Preston
> Signed-off-by: Tony Jones
>
> --- a/src/ausearch-parse.c 2014-05-21 14:45:22.000000000 +0200 > +++ b/src/ausearch-parse.c 2014-05-21 14:53:55.000000000 +0200 
> @@ -1735,17 +1735,15 @@ static int parse_avc(const lnode *n, sea >=20 > // Now get the class...its at the end, so we do things different > str =3D strstr(term, "tclass=3D"); > - if (str =3D=3D NULL) { > - rc =3D 9; It is nitpicky, but all error return codes after this should be decremented (there is only one to do). The rest of the patch looks fine to me. Tyler > - goto err; > + if (str) { > + str +=3D 7; > + term =3D strchr(str, ' '); > + if (term) > + *term =3D 0; > + an.avc_class =3D strdup(str); > + if (term) > + *term =3D ' '; > } > - str +=3D 7; > - term =3D strchr(str, ' '); > - if (term) > - *term =3D 0; > - an.avc_class =3D strdup(str); > - if (term) > - *term =3D ' '; >=20 > if (audit_avc_init(s) =3D=3D 0) { > alist_append(s->avc, &an); >=20
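Review bot: With the new if (str) guard in parse_avc(), a record that has no tclass= field now reaches alist_append(s->avc, &an) without an.avc_class being assigned anywhere in this hunk. Please confirm that an is initialised so avc_class is NULL on that path, and that the code which matches and frees entries of s->avc tolerates a NULL class. The unchecked strdup(str) inside the new branch leaves the same NULL on allocation failure, so a check there would be worth adding while the block is being touched. The comment above the strstr() call could also say that tclass is optional, since the commit message explains that AppArmor records do not carry it.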