From: Steve Grubb
Subject: Re: [PATCH] userspace: audit: ausearch doesn't return entries for AppArmor events that exist in the log
Date: Fri, 30 May 2014 15:53:49 -0400
Message-ID: <31153503.SQnCbJNRtA@x2>
References: <53866422.5010709@suse.de>
In-Reply-To: <53866422.5010709@suse.de>
To: Tony Jones
Cc: seth.arnold@canonical.com, linux-audit@redhat.com, wpreston@suse.com
List-Id: linux-audit@redhat.com

On Wednesday, May 28, 2014 03:33:06 PM Tony Jones wrote:
> This patch came from our L3 department. AppArmor LSM is logging using the
> common_lsm_audit() call but the audit userspace parsing code expects to see
> an SELinux tclass field. This patch doesn't address the lack of support for
> AppArmor in "aureport --avc". Talking to Seth Arnold, Canonical apparently
> has patches for this; if this is true perhaps they can post for inclusion.
>
> Based-on-work-by: William Preston
> Signed-off-by: Tony Jones

I was looking at this patch and was wondering something. Does AppArmor produce
AUDIT_AVC events? If not, how does the code even get into parse_avc? IOW, is
there another part of the patch missing in the switch statement that directs
AUDIT_APPARMOR_* events into parse_avc?

-Steve

> --- a/src/ausearch-parse.c 2014-05-21 14:45:22.000000000 +0200
> +++ b/src/ausearch-parse.c 2014-05-21 14:53:55.000000000 +0200
> @@ -1735,17 +1735,15 @@ static int parse_avc(const lnode *n, sea > > // Now get the class...its at the end, so we do things different > str = strstr(term, "tclass="); > - if (str == NULL) { > - rc = 9; > - goto err; > + if (str) { > + str += 7; > + term = strchr(str, ' '); > + if (term) > + *term = 0; > + an.avc_class = strdup(str); > + if (term) > + *term = ' '; > } > - str += 7; > - term = strchr(str, ' '); > - if (term) > - *term = 0; > - an.avc_class = strdup(str); > - if (term) > - *term = ' '; > > if (audit_avc_init(s) == 0) { > alist_append(s->avc, &an);
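Review bot: with the `if (str == NULL) { rc = 9; goto err; }` path removed, a record that lacks "tclass=" now falls through to `audit_avc_init(s)` / `alist_append(s->avc, &an)` with `an.avc_class` never assigned in this hunk, so please confirm that `an` is zero-initialised (or `an.avc_class = NULL` is set) earlier in parse_avc; otherwise later code that prints or frees `avc_class` would read an indeterminate pointer for every AppArmor record. A short comment above the new `if (str) {` block saying that AppArmor records emitted via common_lsm_audit() carry no tclass field, so its absence is expected rather than a malformed record, would also make it clear to future readers why the former error return (rc = 9) was dropped deliberately.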