[RFC PATCH] audit-testsuite: tests for subject and object correctness

Richard Guy Briggs rgb at redhat.com
Mon Nov 2 22:08:34 UTC 2020


On 2020-11-02 13:54, Casey Schaufler wrote:
> Verify that there are subj= and obj= fields in a record
> if and only if they are expected. A system without a security
> module that provides these fields should not include them.
> A system with multiple security modules providing these fields
> (e.g. SELinux and AppArmor) should always provide "?" for the
> data and also include a AUDIT_MAC_TASK_CONTEXTS or
> AUDIT_MAC_OBJ_CONTEXTS record. The test uses the LSM list from
> /sys/kernel/security/lsm to determine which format is expected.
> 
> Signed-off-by: Casey Schaufler <casey at schaufler-ca.com>
> ---
>  tests/Makefile                   |   1 +
>  tests/multiple_contexts/Makefile |  12 +++
>  tests/multiple_contexts/test     | 166 +++++++++++++++++++++++++++++++
>  3 files changed, 179 insertions(+)
>  create mode 100644 tests/multiple_contexts/Makefile
>  create mode 100755 tests/multiple_contexts/test
> 
> diff --git a/tests/Makefile b/tests/Makefile
> index a7f242a..f20f6b1 100644
> --- a/tests/Makefile
> +++ b/tests/Makefile
> @@ -18,6 +18,7 @@ TESTS := \
>  	file_create \
>  	file_delete \
>  	file_rename \
> +	multiple_contexts \

"context" is a bit ambiguous.  Could this be named something to indicate
a security context rather than any other sort, such as audit or user
context?

>  	filter_exclude \
>  	filter_saddr_fam \
>  	filter_sessionid \
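Review bot: the TESTS list this hunk edits is kept in alphabetical order (file_create, file_delete, file_rename, filter_exclude, filter_saddr_fam, ...), so `multiple_contexts` is out of place between `file_rename` and `filter_exclude`; whatever name is settled on after the naming question above, insert it in sorted position so the list stays scannable and merge-friendly.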
> diff --git a/tests/multiple_contexts/Makefile b/tests/multiple_contexts/Makefile
> new file mode 100644
> index 0000000..c2a8e87
> --- /dev/null
> +++ b/tests/multiple_contexts/Makefile
> @@ -0,0 +1,12 @@
> +#
> +# Copyright (C) Intel Corporation, 2020
> +#
> +
> +TARGETS=$(patsubst %.c,%,$(wildcard *.c))
> +
> +LDLIBS += -lpthread
> +
> +all: $(TARGETS)
> +clean:
> +	rm -f $(TARGETS)
> +
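Review bot: this Makefile sets up a C build (`TARGETS=$(patsubst %.c,%,$(wildcard *.c))`, `LDLIBS += -lpthread`) but the only file the patch adds under tests/multiple_contexts/ is the Perl script `test`, so `all` has nothing to build and the pthread linkage is dead boilerplate; either trim it to the empty `all:` and `clean:` targets the harness needs, or add the C helper it implies. Either way, declare `.PHONY: all clean` so a stray file named `clean` in the directory cannot mask the rule.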
> diff --git a/tests/multiple_contexts/test b/tests/multiple_contexts/test
> new file mode 100755
> index 0000000..c9afed5
> --- /dev/null
> +++ b/tests/multiple_contexts/test
> @@ -0,0 +1,166 @@
> +#!/usr/bin/perl
> +#
> +# Copyright (C) Intel Corporation, 2020
> +#
> +
> +use strict;
> +
> +use Test;
> +BEGIN { plan tests => 3 }
> +
> +use File::Temp qw/ tempdir tempfile /;
> +
> +###
> +# functions
> +
> +sub key_gen {
> +    my @chars = ( "A" .. "Z", "a" .. "z" );
> +    my $key   = "testsuite-" . time . "-";
> +    $key .= $chars[ rand @chars ] for 1 .. 8;
> +    return $key;
> +}
> +
> +###
> +# setup
> +
> +# reset audit
> +system("auditctl -D >& /dev/null");
> +
> +my $line;
> +my $lsm_out;
> +my $lsm_count = 0;
> +my $bpf_enabled = 0;
> +
> +open($lsm_out, "cat /sys/kernel/security/lsm |");
> +while ( $line = <$lsm_out> ) {
> +    if ( $line =~ /selinux/ ) {
> +        $lsm_count = $lsm_count + 1;
> +    }
> +    if ( $line =~ /smack/ ) {
> +        $lsm_count = $lsm_count + 1;
> +    }
> +    if ( $line =~ /apparmor/ ) {
> +        $lsm_count = $lsm_count + 1;
> +    }
> +    if ( $line =~ /bpf/ ) {
> +        $bpf_enabled = 1;
> +    }
> +}
> +close($lsm_out);
> +
> +if ( $lsm_count and $bpf_enabled ) {
> +    $lsm_count = $lsm_count + 1;
> +}
> +# create temp directory
> +my $dir = tempdir( TEMPLATE => '/tmp/audit-testsuite-XXXX', CLEANUP => 1 );
> +
> +# create stdout/stderr sinks
> +( my $fh_out, my $stdout ) = tempfile(
> +    TEMPLATE => '/tmp/audit-testsuite-out-XXXX',
> +    UNLINK   => 1
> +);
> +( my $fh_err, my $stderr ) = tempfile(
> +    TEMPLATE => '/tmp/audit-testsuite-err-XXXX',
> +    UNLINK   => 1
> +);
> +
> +###
> +# tests
> +
> +# create a test file
> +( my $fh, my $filename ) =
> +  tempfile( TEMPLATE => $dir . "/file-XXXX", UNLINK => 1 );
> +
> +# set the directory watch
> +my $key = key_gen();
> +system("auditctl -w $dir -k $key");
> +
> +# delete file
> +unlink($filename);
> +
> +# make sure the records had a chance to bubble through to the logs
> +system("auditctl -m syncmarker-$key");
> +for ( my $i = 0 ; $i < 10 ; $i++ ) {
> +    if ( system("ausearch -m USER | grep -q syncmarker-$key") eq 0 ) {
> +        last;
> +    }
> +    sleep(0.2);
> +}
> +
> +# test if we generate any audit records from the watch
> +my $result = system("ausearch -i -k $key > $stdout 2> $stderr");
> +ok( $result, 0 );
> +
> +# test if we generate a MAC_TASK_CONTEXTS record if and
> +# only if it is required.
> +#
> +# test if we generate a MAC_OBJ_CONTEXTS record if and
> +# only if it is required.
> +
> +my $found_auxsubj = 0;
> +my $found_subjattr = 0;
> +my $found_regsubj = 0;
> +
> +my $found_auxobj = 0;
> +my $found_objattr = 0;
> +my $found_regobj = 0;
> +
> +while ( $line = <$fh_out> ) {
> +
> +    if ( $line =~ / subj=\? / ) {
> +        $found_auxsubj = 1;
> +    } elsif ( $line =~ / subj=/ ) {
> +        $found_regsubj = 1;
> +    }
> +    if ( $line =~ / subj_selinux=/ ) {
> +        $found_subjattr = 1;
> +    }
> +    if ( $line =~ / subj_apparmor=/ ) {
> +        $found_subjattr = 1;
> +    }
> +    if ( $line =~ / subj_smack=/ ) {
> +        $found_subjattr = 1;
> +    }
> +
> +    if ( $line =~ / obj=\? / ) {
> +        $found_auxobj = 1;
> +    } elsif ( $line =~ / obj=/ ) {
> +        $found_regobj = 1;
> +    }
> +    if ( $line =~ / obj_selinux=/ ) {
> +        $found_objattr = 1;
> +    }
> +    if ( $line =~ / obj_apparmor=/ ) {
> +        $found_objattr = 1;
> +    }
> +    if ( $line =~ / obj_smack=/ ) {
> +        $found_objattr = 1;
> +    }
> +}
> +
> +# three cases:
> +# no subj= field or MAC_TASK_CONTEXTS when no supplying LSM
> +# subj=$value field, no MAC_TASK_CONTEXTS for exactly one supplying LSM
> +# subj=? field and a MAC_TASK_CONTEXTS for more than one supplying LSM
> +#
> +if ($lsm_count == 0) {
> +    ok($found_regsubj == 0 and $found_auxsubj == 0);
> +} elsif ($lsm_count == 1) {
> +    ok($found_regsubj and $found_auxsubj == 0);
> +} else {
> +    ok($found_subjattr and $found_auxsubj);
> +}
> +
> +if ($lsm_count == 0) {
> +    ok($found_regobj == 0 and $found_auxobj == 0);
> +} elsif ($lsm_count == 1) {
> +    ok($found_regobj and $found_auxobj == 0);
> +} else {
> +    ok($found_objattr and $found_auxobj);
> +}
> +
> +###
> +# cleanup
> +
> +system("auditctl -D >& /dev/null");
> +
> -- 
> 2.24.1
> 
> 

- RGB

--
Richard Guy Briggs <rgb at redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635