/usr/sbin/aa-decode is in apparmor-utils 2.11.0-3+deb9u2.
This file is owned by root:root, with mode 0o755.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 | #!/bin/bash
#
# Copyright (C) 2009-2010, 2012 Canonical Ltd.
# Copyright (C) 2012 Christian Boltz
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, contact Canonical, Ltd.
#
set -e
help() {
cat <<EOM
USAGE: aa-decode [OPTIONS] <encoded string>
Decode a hex-encoded string to ASCII. It will also take an audit log on
standard input and convert any hex-encoded AppArmor log entries and display
them on standard output.
OPTIONS:
--help display this help
EXAMPLES:
$ aa-decode 2F746D702F666F6F20626172
Decoded: /tmp/foo bar
$ cat /var/log/kern.log | aa-decode
... denied_mask="r::" fsuid=1000 ouid=1000 name=/tmp/foo bar
EOM
}
decode() {
decoded=`perl -le "\\$s = uc('$1') ; if (\\$s =~ /^[0-9A-F]*$/) { print pack 'H*', \\$s; }"`
echo "$decoded"
}
if [ "$1" = "-h" ] || [ "$1" = "--help" ]; then
help
exit
fi
# if have an argument, then use it, otherwise process stdin
if [ -n "$1" ]; then
e="$1"
if ! echo "$e" | egrep -q "^[0-9A-Fa-f]+$" ; then
echo "String should only contain hex characters (0-9, a-f, A-F)"
exit 1
fi
d=`decode $e`
if [ -z "$d" ]; then
echo "Could not decode string"
exit 1
fi
echo "Decoded: $d"
exit 0
fi
# For now just look at 'name=...' and 'profile=...',
# so validate input against this and output based on it.
# TODO: better handle other cases too
while read line ; do
# check if line contains encoded name= or profile=
if [[ "$line" =~ \ (name|profile)=[0-9a-fA-F] ]]; then
# cut the encoded filename/profile name out of the line and decode it
ne=`echo "$line" | sed 's/.* name=\([^ ]*\).*$/\\1/g'`
nd="$(decode ${ne/\'/\\\'})"
pe=`echo "$line" | sed 's/.* profile=\([^ ]*\).*$/\\1/g'`
pd="$(decode ${pe/\'/\\\'})"
# replace encoded name and profile with its decoded counterparts (only if it was encoded)
test -n "$nd" && line="${line/name=$ne/name=\"$nd\"}"
test -n "$pd" && line="${line/profile=$pe/profile=\"$pd\"}"
fi
echo "$line"
done
|