Add sockaddr accessor functions in auparse

caidongyun · Sep 27, 2017 · 214c358 · 214c358
1 parent c48401c
commit 214c358
Show file tree

Hide file tree

Showing 7 changed files with 143 additions and 3 deletions.
diff --git a/ChangeLog b/ChangeLog
@@ -12,6 +12,7 @@
 - In auparse_normalize, correct object for USER_MGMT, ACCT_LOCK, & ACCT_UNLOCK
 - Add default port to auditd.conf (#1455598)
 - Fix auvirt to report AVC's (#982154)
+- Add sockaddr accessor functions in auparse
 
 2.7.8
 - Add config option to auditd to not verify email addr domain (#1406887)

diff --git a/TODO b/TODO
@@ -5,7 +5,6 @@ Things that need to be done:
 * Suppress file systems for module load
 * If server suspends after client sends event &before ack, client wont reconnect
 * non-equality comparisons for values other than \timestamp, \timestamp_ex and \record_type in ausearch-expression (#1399314)
-* Add sockaddr accessor functions in auparse
 
 2.8.1
 * Support ipv6 remote logging

diff --git a/auparse/auparse.c b/auparse/auparse.c
@@ -521,6 +521,7 @@ auparse_state_t *auparse_init(ausource_t source, const void *b)
 	au->escape_mode = AUPARSE_ESC_TTY;
 	au->message_mode = MSG_QUIET;
 	au->debug_message = DBG_NO;
+	au->tmp_translation = NULL;
 	init_normalizer(&au->norm_data);
 
 	return au;
@@ -931,6 +932,7 @@ static void auparse_destroy_common(auparse_state_t *au)
 	free_interpretation_list();
 	clear_normalizer(&au->norm_data);
 	au_lol_clear(au->au_lo, 0);
+	free(au->tmp_translation);
 	free(au->au_lo);
 	free(au);
 }
@@ -2012,3 +2014,60 @@ const char *auparse_interpret_realpath(auparse_state_t *au)
 	return NULL;
 }
 
+static const char *auparse_interpret_sock_parts(auparse_state_t *au,
+	const char *field)
+{
+	if (au->le == NULL)
+		return NULL;
+
+        if (au->le->e.sec) {
+        	rnode *r = aup_list_get_cur(au->le);
+		if (r == NULL)
+			return NULL;
+		// This is limited to socket address fields
+		if (nvlist_get_cur_type(r) != AUPARSE_TYPE_SOCKADDR)
+			return NULL;
+		// Get interpretation
+		const char *val = nvlist_interp_cur_val(r, au->escape_mode);
+		if (val == NULL)
+			return NULL;
+		// make a copy since we modify it
+		char *tmp = strdup(val);
+		if (tmp == NULL)
+			return NULL;
+		// Locate the address part
+		val = strstr(tmp, field);
+		if (val) {
+			// Get past the =
+			val += strlen(field);
+			// find other side
+			char *ptr = strchr(val, ' ');
+			if (ptr) {
+				// terminate, copy, and return it
+				*ptr = 0;
+				const char *final = strdup(val);
+				free(tmp);
+				free(au->tmp_translation);
+				au->tmp_translation = final;
+				return final;
+			}
+		}
+        }
+	return NULL;
+}
+
+const char *auparse_interpret_sock_family(auparse_state_t *au)
+{
+	return auparse_interpret_sock_parts(au, "fam=");
+}
+
+const char *auparse_interpret_sock_port(auparse_state_t *au)
+{
+	return auparse_interpret_sock_parts(au, "lport=");
+}
+
+const char *auparse_interpret_sock_address(auparse_state_t *au)
+{
+	return auparse_interpret_sock_parts(au, "laddr=");
+}
+
diff --git a/auparse/auparse.h b/auparse/auparse.h
@@ -147,7 +147,9 @@ int auparse_get_field_type(auparse_state_t *au);
 int auparse_get_field_int(auparse_state_t *au);
 const char *auparse_interpret_field(auparse_state_t *au);
 const char *auparse_interpret_realpath(auparse_state_t *au);
-
+const char *auparse_interpret_sock_family(auparse_state_t *au);
+const char *auparse_interpret_sock_port(auparse_state_t *au);
+const char *auparse_interpret_sock_address(auparse_state_t *au);
 #ifdef __cplusplus
 }
 #endif

diff --git a/auparse/internal.h b/auparse/internal.h
@@ -182,6 +182,7 @@ struct opaque
 	auparse_esc_t escape_mode;
 	message_t message_mode;		// Where to send error messages
 	debug_message_t debug_message;	// Whether or not messages are debug or not
+	const char *tmp_translation;	// Pointer to manage mem for field translation
 	normalize_data norm_data;
 };
 

diff --git a/bindings/python/auparse_python.c b/bindings/python/auparse_python.c
@@ -2051,6 +2051,69 @@ AuParser_interpret_realpath(AuParser *self)
     return Py_BuildValue("s", value);
 }
 
+PyDoc_STRVAR(interpret_sock_family_doc,
+"interpret_sock_family() Return an interpretation of the current field's socket family. Only supported on sockaddr field types.\n\
+\n\
+If the field cannot be interpreted the field is returned unmodified.\n\
+Raises exception (RuntimeError) on error\n\
+");
+static PyObject *
+AuParser_interpret_sock_family(AuParser *self)
+{
+    const char *value = NULL;
+
+    PARSER_CHECK;
+    value = auparse_interpret_sock_family(self->au);
+    if (value == NULL) {
+        PyErr_SetString(PyExc_RuntimeError, "'interpretation' is NULL");
+        return NULL;
+    }
+    return Py_BuildValue("s", value);
+}
+
+PyDoc_STRVAR(interpret_sock_port_doc,
+"interpret_sock_address() Return an interpretation of the current field's socket port. Only supported on sockaddr field types.\n\
+\n\
+If the field cannot be interpreted the field is returned unmodified.\n\
+Raises exception (RuntimeError) on error\n\
+");
+static PyObject *
+AuParser_interpret_sock_port(AuParser *self)
+{
+    const char *value = NULL;
+
+    PARSER_CHECK;
+    value = auparse_interpret_sock_port(self->au);
+    if (value == NULL) {
+        PyErr_SetString(PyExc_RuntimeError, "'interpretation' is NULL");
+        return NULL;
+    }
+    return Py_BuildValue("s", value);
+}
+
+PyDoc_STRVAR(interpret_sock_address_doc,
+"interpret_sock_address() Return an interpretation of the current field's socket address. Only supported on sockaddr field types.\n\
+\n\
+If the field cannot be interpreted the field is returned unmodified.\n\
+Raises exception (RuntimeError) on error\n\
+");
+static PyObject *
+AuParser_interpret_sock_address(AuParser *self)
+{
+    const char *value = NULL;
+
+    PARSER_CHECK;
+    value = auparse_interpret_sock_address(self->au);
+    if (value == NULL) {
+        PyErr_SetString(PyExc_RuntimeError, "'interpretation' is NULL");
+        return NULL;
+    }
+    return Py_BuildValue("s", value);
+}
+
+static
+static
+static
 static
 PyGetSetDef AuParser_getseters[] = {
     {NULL}  /* Sentinel */
@@ -2117,6 +2180,9 @@ static PyMethodDef AuParser_methods[] = {
     {"get_field_int",     (PyCFunction)AuParser_get_field_int,     METH_NOARGS,  get_field_int_doc},
     {"interpret_field",   (PyCFunction)AuParser_interpret_field,   METH_NOARGS,  interpret_field_doc},
     {"interpret_realpath",   (PyCFunction)AuParser_interpret_realpath, METH_NOARGS,  interpret_realpath_doc},
+    {"interpret_sock_family",   (PyCFunction)AuParser_interpret_sock_family, METH_NOARGS,  interpret_sock_family_doc},
+    {"interpret_sock_port",   (PyCFunction)AuParser_interpret_sock_port, METH_NOARGS,  interpret_sock_port_doc},
+    {"interpret_sock_address",   (PyCFunction)AuParser_interpret_sock_address, METH_NOARGS,  interpret_sock_address_doc},
     {NULL, NULL}  /* Sentinel */
 };
 

diff --git a/docs/auparse_interpret_field.3 b/docs/auparse_interpret_field.3
@@ -1,14 +1,17 @@
 .TH "AUPARSE_INTERPRET_FIELD" "3" "August 2017" "Red Hat" "Linux Audit API"
 .SH NAME
 .nf
-auparse_interpret_field, auparse_interpret_realpath \- get current field's interpreted value
+auparse_interpret_field, auparse_interpret_realpath,auparse_interpret_sock_family,auparse_interpret_sock_port,auparse_interpret_sock_address \- get current field's interpreted value
 .fi
 .SH "SYNOPSIS"
 .nf
 .B #include <auparse.h>
 .sp
 const char *auparse_interpret_field(auparse_state_t *au);
 const char *auparse_interpret_realpath(auparse_state_t *au);
+const char *auparse_interpret_sock_family(auparse_state_t *au);
+const char *auparse_interpret_sock_port(auparse_state_t *au);
+const char *auparse_interpret_sock_address(auparse_state_t *au);
 
 .SH "DESCRIPTION"
 
@@ -20,6 +23,15 @@ Examples of things that could be interpreted are: uid, gid, syscall numbers, exi
 .B auparse_interpret_realpath
 is like auparse_interpret_field except that it will call realpath on the results of gluing the cwd and file together. This also implies that it only valid to be called for the file name given in a PATH record.
 
+.B auparse_interpret_sock_family
+will only return the socket family portion of a socket address.
+
+.B auparse_interpret_sock_port
+will only return the port portion of a socket address. Not all socket families have a port. If that is the case, you will get a NULL value in which case your best option is to use the normal interpretation function.
+
+.B auparse_interpret_sock_address
+will only return the address portion of a socket address. Not all socket families have an ip address. If that is the case, you will get a NULL value in which case your best option is to use the normal interpretation function.
+
 .SH "RETURN VALUE"
 
 Returns NULL if there is an error otherwise a pointer to the interpreted value.