Origin: https://bazaar.launchpad.net/~apparmor-dev/apparmor/2.9/2647 https://bazaar.launchpad.net/~apparmor-dev/apparmor/2.9/2830 fixes bug: https://launchpad.net/bugs/1399027 Subject: library: fix parsing for yet another format libaalogparse: fix for new kernel dmesg format The upstream kernel at some point between the 3.13 and 3.16 kernel adjusted the output of audit messages to include an additional "audit:" keyword. e.g. a 3.13 message would look like: kernel: [182243.243324] type=1400 audit(1409684003.960:273342): [SNIP] whereas in 3.16, it looks like: kernel: [182243.243324] audit: type=1400 audit(1409684003.960:273342): [SNIP] ^^^^^^ This patch adjust the libapparmor aalogparse grammar and lexer to compensate for this change. This patch fixes the libapparmor log parsing library to take into account yet another log format style, as well as incorporating a testcase for it.
=== modified file 'libraries/libapparmor/src/grammar.y'
--- libraries/libapparmor/src/grammar.y | 4 ++
 libraries/libapparmor/src/scanner.l | 1
 libraries/libapparmor/testsuite/test_multi/syslog_audit_01.in | 1
 libraries/libapparmor/testsuite/test_multi/syslog_audit_01.out | 15 ++++++++++
 libraries/libapparmor/testsuite/test_multi/syslog_audit_02.in | 1
 libraries/libapparmor/testsuite/test_multi/syslog_audit_02.out | 15 ++++++++++
 6 files changed, 37 insertions(+)
Index: b/libraries/libapparmor/src/grammar.y
===================================================================
--- a/libraries/libapparmor/src/grammar.y
+++ b/libraries/libapparmor/src/grammar.y
@@ -203,6 +203,10 @@ syslog_type:
 { ret_record->version = AA_RECORD_SYNTAX_V2; free($2); free($4); }
 | syslog_date TOK_ID TOK_SYSLOG_KERNEL TOK_DMESG_STAMP key_type audit_id key_list
 { ret_record->version = AA_RECORD_SYNTAX_V2; free($2); free($4); }
+ | syslog_date TOK_ID TOK_SYSLOG_KERNEL TOK_DMESG_STAMP TOK_AUDIT TOK_COLON key_type audit_id key_list
+ { ret_record->version = AA_RECORD_SYNTAX_V2; free($2); free($4); }
+ | syslog_date TOK_ID TOK_SYSLOG_KERNEL TOK_AUDIT TOK_COLON key_type audit_id key_list
+ { ret_record->version = AA_RECORD_SYNTAX_V2; free($2); }
 | syslog_date TOK_ID TOK_SYSLOG_USER key_list
 { ret_record->version = AA_RECORD_SYNTAX_V2; free($2); }
 ;
Index: b/libraries/libapparmor/src/scanner.l
===================================================================
--- a/libraries/libapparmor/src/scanner.l
+++ b/libraries/libapparmor/src/scanner.l
@@ -198,6 +198,7 @@ yy_flex_debug = 0;
 {
 {digits} { yylval->t_str = strdup(yytext); return(TOK_AUDIT_DIGITS);}
+ {colon}{ws} { yy_pop_state(yyscanner); return(TOK_COLON); }
 {colon} { return(TOK_COLON); }
 {period} { return(TOK_PERIOD); }
 {open_paren} { return(TOK_OPEN_PAREN); }
Index: b/libraries/libapparmor/testsuite/test_multi/syslog_audit_01.in
===================================================================
--- /dev/null
+++ b/libraries/libapparmor/testsuite/test_multi/syslog_audit_01.in
@@ -0,0 +1 @@
+Sep 2 11:53:23 utopic-amd64 kernel: [182243.243324] audit: type=1400 audit(1409684003.960:273342): apparmor="DENIED" operation="mkdir" profile="/home/ubuntu/bzr/apparmor/tests/regression/apparmor/mkdir" name="/tmp/sdtest.7283-14445-r31VAP/tmpdir/" pid=7314 comm="mkdir" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
Index: b/libraries/libapparmor/testsuite/test_multi/syslog_audit_01.out
===================================================================
--- /dev/null
+++ b/libraries/libapparmor/testsuite/test_multi/syslog_audit_01.out
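Review bot: The two added `... TOK_SYSLOG_KERNEL [TOK_DMESG_STAMP] TOK_AUDIT TOK_COLON key_type audit_id key_list` alternatives carry no comment, and a reader of grammar.y alone cannot tell that `TOK_AUDIT TOK_COLON` stands for the `audit: ` prefix newer kernels print in front of `type=` rather than for the `audit(` that opens the audit id. A one-line comment above the first added alternative would settle it: `/* kernel >= 3.16 prefixes the record with "audit: ", with or without the dmesg stamp */`. It is also worth saying in that comment why the actions differ: the variant with TOK_DMESG_STAMP frees `$4` like the existing one above it, while the variant without it only frees `$2`, so `$4` appears to be the heap string for the stamp and the ownership of those token strings is otherwise implicit. The `syslog_type` rule starts before the hunk.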
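Review bot: The new `{colon}{ws}` rule tells the `audit: ` prefix apart from the `seconds:serial` colon inside the audit id solely by the trailing whitespace, and nothing in the hunk says so; a comment such as `/* "audit: " dmesg prefix (3.16+): leave the audit_id state; a bare ":" is the seconds:serial separator of the id */` would make the intent clear to the next person touching this start condition. Because flex takes the longest match, an `audit:` token not followed by whitespace would presumably fall through to the plain `{colon}` rule and the remainder of the line would be lexed in this start condition — since the lexer is fed log lines it does not control, that edge deserves either a comment or a test input alongside the two added here. The start-condition block this rule lives in opens on the hunk's first context line (its name appears to have been stripped from the page) and closes outside the hunk.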
@@ -0,0 +1,15 @@
+START
+File: syslog_audit_01.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1409684003.960:273342
+Operation: mkdir
+Mask: c
+Denied Mask: c
+fsuid: 0
+ouid: 0
+Profile: /home/ubuntu/bzr/apparmor/tests/regression/apparmor/mkdir
+Name: /tmp/sdtest.7283-14445-r31VAP/tmpdir/
+Command: mkdir
+PID: 7314
+Epoch: 1409684003
+Audit subid: 273342
Index: b/libraries/libapparmor/testsuite/test_multi/syslog_audit_02.in
===================================================================
--- /dev/null
+++ b/libraries/libapparmor/testsuite/test_multi/syslog_audit_02.in
@@ -0,0 +1 @@
+Dec 7 13:18:59 rosa kernel: audit: type=1400 audit(1417954745.397:82): apparmor="ALLOWED" operation="open" profile="/home/simi/bin/aa-test" name="/usr/bin/" pid=3231 comm="ls" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Index: b/libraries/libapparmor/testsuite/test_multi/syslog_audit_02.out
===================================================================
--- /dev/null
+++ b/libraries/libapparmor/testsuite/test_multi/syslog_audit_02.out
@@ -0,0 +1,15 @@
+START
+File: syslog_audit_02.in
+Event type: AA_RECORD_ALLOWED
+Audit ID: 1417954745.397:82
+Operation: open
+Mask: r
+Denied Mask: r
+fsuid: 1000
+ouid: 0
+Profile: /home/simi/bin/aa-test
+Name: /usr/bin/
+Command: ls
+PID: 3231
+Epoch: 1417954745
+Audit subid: 82