[RFC PATCH] audit-testsuite: tests for subject and object correctness

Casey Schaufler casey at schaufler-ca.com
Mon Nov 2 22:51:11 UTC 2020


On 11/2/2020 2:08 PM, Richard Guy Briggs wrote:
> On 2020-11-02 13:54, Casey Schaufler wrote:
>> Verify that there are subj= and obj= fields in a record
>> if and only if they are expected. A system without a security
>> module that provides these fields should not include them.
>> A system with multiple security modules providing these fields
>> (e.g. SELinux and AppArmor) should always provide "?" for the
>> data and also include an AUDIT_MAC_TASK_CONTEXTS or
>> AUDIT_MAC_OBJ_CONTEXTS record. The test uses the LSM list from
>> /sys/kernel/security/lsm to determine which format is expected.
>>
>> Signed-off-by: Casey Schaufler <casey at schaufler-ca.com>
>> ---
>>  tests/Makefile                   |   1 +
>>  tests/multiple_contexts/Makefile |  12 +++
>>  tests/multiple_contexts/test     | 166 +++++++++++++++++++++++++++++++
>>  3 files changed, 179 insertions(+)
>>  create mode 100644 tests/multiple_contexts/Makefile
>>  create mode 100755 tests/multiple_contexts/test
>>
>> diff --git a/tests/Makefile b/tests/Makefile
>> index a7f242a..f20f6b1 100644
>> --- a/tests/Makefile
>> +++ b/tests/Makefile
>> @@ -18,6 +18,7 @@ TESTS := \
>>  	file_create \
>>  	file_delete \
>>  	file_rename \
>> +	multiple_contexts \
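Review bot: the name on the added `multiple_contexts \` line describes only the multi-LSM case, while the commit message says the test also checks that subj= and obj= are absent on a system with no security module providing them. A name built on the subj=/obj= fields being verified would cover every case the test exercises; the new directory listed in the diffstat (tests/multiple_contexts/) would need the same rename so the TESTS entry and the path stay in step.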
> "context" is a bit ambiguous.  Could this be named something to indicate
> a security context rather than any other sort, such as audit or user
> context?

Would "subj_obj_fields" be better?
 



