Hello,

the attached patch fixes aa-decode stdin handling.

Handling stdin was totally broken (= no output) with the current log 
format because aa-decode expected name= to be the last entry in the 
log line.

This patch for stdin handling
- fixes the pattern to match the current log format (name= is NOT the
  last part in the log entry)
- uses bash replacement to avoid some sed calls (which also means the 
  script now needs an explicit "#!/bin/bash")
- prints decoded filenames in double instead of single quotes to be
  consistent with filenames that were not encoded
- also prints lines that do not contain an encoded filename (instead of 
  grepping them away)

In other words: you can pipe your audit.log through aa-decode, and the 
only difference to the raw audit.log is that filenames are decoded.

Signed-Off-By: Christian Boltz <appar...@cboltz.de>



=== modified file 'utils/aa-decode'
--- utils/aa-decode     2012-09-17 21:55:28 +0000
+++ utils/aa-decode     2012-10-02 23:59:06 +0000
@@ -1,6 +1,7 @@
-#!/bin/sh
+#!/bin/bash
 #
 #    Copyright (C) 2009-2010 Canonical Ltd.
+#    Copyright (C) Christian Boltz 2012
 #
 #    This program is free software; you can redistribute it and/or
 #    modify it under the terms of version 2 of the GNU General Public
@@ -63,13 +64,25 @@
     exit 0
 fi
 
-# For now just look at 'name=...' which is usually the last in the log entry,
+# For now just look at 'name=...',
 # so validate input against this and output based on it.
 # TODO: better handle other cases too
-egrep ' name=2[fF][0-9a-fA-F]*$' | while read line ; do
-    e=`echo "$line" | sed 's/.* name=\(.*\)/\\1/g' | tr -s '[:lower:]' 
'[:upper:]'`
-    d=`decode $e`
-    echo -n "$line" | sed "s/\(.*\) name=.*/\1 name=/g"
-    echo "'$d'"
+while read line ; do
+
+    # check if line contains encoded name=
+    if echo "$line" | egrep ' name=2[fF][0-9a-fA-F]*' >/dev/null ; then
+
+        # cut the encoded filename out of the line and decode it
+        e=`echo "$line" | sed 's/.* name=\([^ ]*\).*$/\\1/g' | tr -s 
'[:lower:]' '[:upper:]'`
+        d="\"`decode $e`\""
+
+               # replace encoded name with its decoded counterpart
+               echo "${line/name=$e/name=$d}"
+
+    else
+        # line does not contain encoded name= - no need to decode, print 
unchanged line
+        echo "$line"
+    fi
+
 done
 
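Review bot: The substitution `echo "${line/name=$e/name=$d}"` cannot match when the log line carries lowercase hex: `e` has been upper-cased by the `tr` call two lines earlier while `line` still holds the original text, and the preceding `egrep ' name=2[fF][0-9a-fA-F]*'` accepts lowercase, so such a line passes the check and is then printed unchanged, still encoded. Keep the raw field for the substitution (capture it once before the `tr`, or drop the `tr` and let `decode` deal with case). Two more points on the same lines: `tr -s` squeezes repeated characters of the output set, so doubled hex letters such as `ff` or `aa` in the encoded name collapse to one character before `decode` sees them (carried over from the old code; plain `tr` without `-s` is what is wanted here), and `while read line` without `-r` and with the default IFS strips leading and trailing whitespace and interprets backslashes, so the "only difference is the decoded filename" promise in the cover letter does not hold byte-for-byte; `while IFS= read -r line` together with `printf '%s\n'` instead of `echo` would preserve the input. Style: the two lines under `# replace encoded name with its decoded counterpart` are indented with tabs while the rest of the file uses spaces.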




Note: if you don't like the ${../../..} bash-ism, we can also use sed, 
but the code looks ugly in comparison:

        # everything till name=
        echo -n "$line" | sed "s/^\(.*\) name=[^ ]*.*/\1 name=/g"
        # decoded name (in quotes)
        echo -n "$d"
        # remaining part of the line
        echo "$line" | sed "s/^.* name=[^ ]*\(.*\)$/\1/g"


Regards,

Christian Boltz
-- 
So... Hm... I'm somewhat at a loss.
How to troubleshoot without trouble?
[Ratti in fontlinge-devel]


-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor
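As an added example (not code from this mailing-list post and not AppArmor's own aa-decode), here is a stand-alone stdin decoder for the ` name=<hex>` field that keeps the behaviour the cover letter describes (every line is passed through, only the encoded filename changes, decoded names are printed in double quotes) while handling lowercase hex, doubled hex letters and malformed fields. The function names `hex_decode`, `decode_line` and `decode_stream`, the constructed sample line, and the assumption of at most one ` name=` field per line whose value runs to the next space are all assumptions of this example, not the project's.

```bash
#!/bin/bash
# Added example, not part of the mailing-list post or of AppArmor's aa-decode.
# Assumptions: at most one ' name=' field per line, the encoded value runs to
# the next space, and a decoded name is printed in double quotes as the patch does.

# hex_decode HEXSTRING: print the bytes encoded by an even-length hex string.
# Only POSIX parameter expansion and printf '%b' octal escapes are used, so
# there is no dependency on \x escapes and no 'tr -s' squeezing of repeats.
hex_decode() {
    local h=$1 pair fmt=""
    while [ -n "$h" ]; do
        pair=${h%"${h#??}"}                              # first two hex digits
        h=${h#??}
        fmt="$fmt\\0$(printf '%03o' "$((0x$pair))")"     # append a \0ooo escape
    done
    printf '%b' "$fmt"
}

# decode_line LINE: print LINE with its encoded name= field decoded, or LINE
# unchanged when there is nothing well-formed to decode.
decode_line() {
    local line=$1 prefix rest hex tail
    case $line in
        *" name="2[fF]*) ;;                            # candidate: encoded '/'-path
        *) printf '%s\n' "$line"; return 0 ;;         # nothing to decode
    esac
    prefix=${line%% name=*}      # text before ' name='
    rest=${line#* name=}         # the field and everything after it
    hex=${rest%% *}              # the encoded field itself
    tail=${rest#"$hex"}          # rest of the line (may be empty)
    # Validate before decoding: hex digits only (either case) and even length;
    # anything else is not a well-formed encoding, so pass the line through.
    case $hex in *[!0-9a-fA-F]*) printf '%s\n' "$line"; return 0 ;; esac
    if [ $(( ${#hex} % 2 )) -ne 0 ]; then printf '%s\n' "$line"; return 0; fi
    # Note: command substitution drops trailing newlines and NUL bytes from the
    # decoded name, so filenames ending in a newline would be truncated here.
    printf '%s name="%s"%s\n' "$prefix" "$(hex_decode "$hex")" "$tail"
}

# decode_stream: read stdin line by line and decode each line.
# IFS= and -r keep whitespace and backslashes intact; the '|| [ -n "$line" ]'
# also processes a final line that lacks a trailing newline.
decode_stream() {
    local line
    while IFS= read -r line || [ -n "$line" ]; do
        decode_line "$line"
    done
}

# Constructed sample line (not from a real system) showing the usage:
#   some_audit_log_producer | decode_stream
SAMPLE='type=AVC apparmor="DENIED" operation="open" name=2F686F6D652F7573657220782E747874 pid=4321 comm="cat"'
printf '%s\n' "$SAMPLE" | decode_stream
```

Running the block prints the sample line with `name="/home/user x.txt"` in place of the hex field; to decode a whole log, replace the sample pipeline with `decode_stream < /var/log/audit/audit.log`.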
