[PATCH] audit-testsuite: look for both open(2) and openat(2)

Richard Guy Briggs rgb at redhat.com
Thu Jun 15 16:17:23 UTC 2017


On 2017-06-15 11:56, Paul Moore wrote:
> From: root <root at rawhide-1.lan>
> 
> More and more tools and libraries are using openat(2) whenever
> possible so we need to make sure we check for both syscalls.
> 
> This fixes the test suite on current versions of Fedora Rawhide.
> 
> Signed-off-by: Paul Moore <paul at paul-moore.com>

Looks ok/necessary to me.  (modulo wayward From: line)
Reviewed-by: Richard Guy Briggs <rgb at redhat.com>

> ---
>  tests/file_create/test      |    4 +++-
>  tests/filter_sessionid/test |    2 +-
>  tests/syscalls_file/test    |    8 ++++----
>  3 files changed, 8 insertions(+), 6 deletions(-)
> 
> diff --git a/tests/file_create/test b/tests/file_create/test
> index 08dc3ce..26a226d 100755
> --- a/tests/file_create/test
> +++ b/tests/file_create/test
> @@ -78,7 +78,9 @@ while ( $line = <$fh_out> ) {
>  
>      # test if we generate a SYSCALL record
>      if ( $line =~ /^type=SYSCALL / ) {
> -        if ( $line =~ / syscall=open / and $line =~ / success=yes / ) {
> +        if ( ( $line =~ / syscall=open / or $line =~ / syscall=openat / )
> +            and $line =~ / success=yes / )
> +        {
>              $found_syscall = 1;
>          }
>      }
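Review bot: the two separate matches in the added condition, `$line =~ / syscall=open / or $line =~ / syscall=openat /`, can be a single alternation such as `$line =~ / syscall=(?:open|openat) /`. That keeps the trailing-space anchor that stops `open` from matching `openat`, removes the extra parenthesised group and the three-line `if` header, and makes it a one-word change if another open variant has to be accepted later.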
> diff --git a/tests/filter_sessionid/test b/tests/filter_sessionid/test
> index de1eb72..6873bed 100755
> --- a/tests/filter_sessionid/test
> +++ b/tests/filter_sessionid/test
> @@ -65,7 +65,7 @@ chomp($pid);
>  
>  # test for the SYSCALL message
>  $result = system(
> -"ausearch -i -m SYSCALL -sc open -p $pid --session $sessionid -k $key > $stdout 2> $stderr"
> +"ausearch -i -m SYSCALL -sc open -sc openat -p $pid --session $sessionid -k $key > $stdout 2> $stderr"
>  );
>  ok( $result, 0 );
>  
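Review bot: on the changed ausearch command line, `-sc open -sc openat` only does what the commit message intends if ausearch treats a repeated `-sc` as a logical OR. If the second option replaces the first, this test now searches for openat alone and would fail wherever the tool under test still calls open(2). The only check is `ok( $result, 0 )` on the exit status, so please confirm the repeated-option behaviour and say so in the commit message, or run one search per syscall and pass if either returns 0.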
> diff --git a/tests/syscalls_file/test b/tests/syscalls_file/test
> index 53d28ba..316f823 100755
> --- a/tests/syscalls_file/test
> +++ b/tests/syscalls_file/test
> @@ -62,10 +62,10 @@ my $found_create  = 0;
>  while ( $line = <$fh_out> ) {
>  
>      # test if we generate a SYSCALL record
> -    if ( $line =~ /^type=SYSCALL / ) {
> -        if ( $line =~ / syscall=open / ) {
> -            $found_syscall = 1;
> -        }
> +    if ( $line =~ /^type=SYSCALL /
> +        and ( $line =~ / syscall=open / or $line =~ / syscall=openat / ) )
> +    {
> +        $found_syscall = 1;
>      }
>  }
>  ok($found_syscall);
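Review bot: the open/openat pair in the new combined condition is the same pair of regexes this patch adds to tests/file_create/test, so the list of accepted syscalls now lives in two places that can drift apart. Consider a single shared pattern, for example a `qr/ syscall=(?:open|openat) /` variable, used by both tests. Folding the nested `if` into one condition is otherwise fine.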

- RGB

--
Richard Guy Briggs <rgb at redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635



