This file is indexed.

/usr/sbin/aa-decode is in apparmor-utils 2.11.0-3+deb9u2.

This file is owned by root:root, with mode 0o755.

The actual contents of the file can be viewed below.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
#!/bin/bash
#
#    Copyright (C) 2009-2010, 2012 Canonical Ltd.
#    Copyright (C) 2012 Christian Boltz
#
#    This program is free software; you can redistribute it and/or
#    modify it under the terms of version 2 of the GNU General Public
#    License as published by the Free Software Foundation.
#
#    This program is distributed in the hope that it will be useful,
#    but WITHOUT ANY WARRANTY; without even the implied warranty of
#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#    GNU General Public License for more details.
#
#    You should have received a copy of the GNU General Public License
#    along with this program; if not, contact Canonical, Ltd.
#

set -e

help() {
    cat <<EOM
USAGE: aa-decode [OPTIONS] <encoded string>
Decode a hex-encoded string to ASCII. It will also take an audit log on
standard input and convert any hex-encoded AppArmor log entries and display
them on standard output.

OPTIONS:
  --help	display this help

EXAMPLES:
$ aa-decode 2F746D702F666F6F20626172
Decoded: /tmp/foo bar
$ cat /var/log/kern.log | aa-decode
... denied_mask="r::" fsuid=1000 ouid=1000 name=/tmp/foo bar
EOM
}

decode() {
    decoded=`perl -le "\\$s = uc('$1') ; if (\\$s =~ /^[0-9A-F]*$/) { print pack 'H*', \\$s; }"`
    echo "$decoded"
}

if [ "$1" = "-h" ] || [ "$1" = "--help" ]; then
    help
    exit
fi

# if have an argument, then use it, otherwise process stdin
if [ -n "$1" ]; then
    e="$1"
    if ! echo "$e" | egrep -q "^[0-9A-Fa-f]+$" ; then
        echo "String should only contain hex characters (0-9, a-f, A-F)"
        exit 1
    fi

    d=`decode $e`
    if [ -z "$d" ]; then
        echo "Could not decode string"
        exit 1
    fi

    echo "Decoded: $d"
    exit 0
fi

# For now just look at 'name=...' and 'profile=...',
# so validate input against this and output based on it.
# TODO: better handle other cases too
while read line ; do

    # check if line contains encoded name= or profile=
    if [[ "$line" =~ \ (name|profile)=[0-9a-fA-F] ]]; then

        # cut the encoded filename/profile name out of the line and decode it
        ne=`echo "$line" | sed 's/.* name=\([^ ]*\).*$/\\1/g'`
        nd="$(decode ${ne/\'/\\\'})"

        pe=`echo "$line" | sed 's/.* profile=\([^ ]*\).*$/\\1/g'`
        pd="$(decode ${pe/\'/\\\'})"

        # replace encoded name and profile with its decoded counterparts (only if it was encoded)
        test -n "$nd" && line="${line/name=$ne/name=\"$nd\"}"
        test -n "$pd" && line="${line/profile=$pe/profile=\"$pd\"}"

    fi

    echo "$line"

done