[RFC PATCH] audit-testsuite: tests for subject and object correctness
Casey Schaufler
casey at schaufler-ca.com
Sat Nov 7 00:51:55 UTC 2020
On 11/2/2020 7:31 PM, Paul Moore wrote:
> On Mon, Nov 2, 2020 at 8:19 PM Richard Guy Briggs <rgb at redhat.com> wrote:
>> On 2020-11-02 14:51, Casey Schaufler wrote:
>>> On 11/2/2020 2:08 PM, Richard Guy Briggs wrote:
>>>> On 2020-11-02 13:54, Casey Schaufler wrote:
>>>>> Verify that there are subj= and obj= fields in a record
>>>>> if and only if they are expected. A system without a security
>>>>> module that provides these fields should not include them.
>>>>> A system with multiple security modules providing these fields
>>>>> (e.g. SELinux and AppArmor) should always provide "?" for the
>>>>> data and also include an AUDIT_MAC_TASK_CONTEXTS or
>>>>> AUDIT_MAC_OBJ_CONTEXTS record. The test uses the LSM list from
>>>>> /sys/kernel/security/lsm to determine which format is expected.
>>>>>
>>>>> Signed-off-by: Casey Schaufler <casey at schaufler-ca.com>
>>>>> ---
>>>>> tests/Makefile | 1 +
>>>>> tests/multiple_contexts/Makefile | 12 +++
>>>>> tests/multiple_contexts/test | 166 +++++++++++++++++++++++++++++++
>>>>> 3 files changed, 179 insertions(+)
>>>>> create mode 100644 tests/multiple_contexts/Makefile
>>>>> create mode 100755 tests/multiple_contexts/test
>>>>>
>>>>> diff --git a/tests/Makefile b/tests/Makefile
>>>>> index a7f242a..f20f6b1 100644
>>>>> --- a/tests/Makefile
>>>>> +++ b/tests/Makefile
>>>>> @@ -18,6 +18,7 @@ TESTS := \
>>>>> file_create \
>>>>> file_delete \
>>>>> file_rename \
>>>>> + multiple_contexts \
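Review bot: the name `multiple_contexts` on the added TESTS line covers only part of what the commit message describes, which also includes the case where no security module provides subj= or obj= and the fields must be absent. Consider a name tied to the fields under test, and apply the same rename to tests/multiple_contexts/Makefile and tests/multiple_contexts/test from the diffstat so the TESTS entry and the directory stay in step.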
>>>> "context" is a bit ambiguous. Could this be named something to indicate
>>>> a security context rather than any other sort, such as audit or user
>>>> context?
>>> Would "subj_obj_fields" be better?
>> That is much more obvious to me. Maybe even sec_context_multi, but I
>> like your suggestion better?
> How about just "multiple_lsms"? It's relatively concise and better
> reflects what is actually being tested IMHO.
I'm perfectly happy to call it whatever you'd prefer.
Anything substantive about the test itself?
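
The check described in the quoted commit message, sketched as an added Python example (not code from the patch or from audit-testsuite): it classifies the LSM list and validates the subj= and obj= fields of one event. Assumptions: the set of LSMs that supply these fields, the record type names as they appear in type=, the helper names, and the sample records are all constructed here.

```python
import re

# Assumption: the LSMs that supply subj=/obj= data. The page names SELinux
# and AppArmor; Smack is added here as an assumption.
CONTEXT_LSMS = {"selinux", "apparmor", "smack"}
# Assumption: record type names as they appear in type=, AUDIT_ prefix dropped.
COMPANION = {"subj": "MAC_TASK_CONTEXTS", "obj": "MAC_OBJ_CONTEXTS"}
# Matches subj=/obj= only as whole field names, so subj_selinux= is ignored.
FIELD = re.compile(r'(?:^|\s)(subj|obj)=("[^"]*"|\S+)')


def expected_mode(lsm_list):
    """Classify the comma-separated text of /sys/kernel/security/lsm."""
    active = {n.strip() for n in lsm_list.split(",")} & CONTEXT_LSMS
    return ("none", "single", "multiple")[min(len(active), 2)]


def check_event(lsm_list, records):
    """Return the problems found in one audit event (a list of record lines)."""
    mode = expected_mode(lsm_list)
    types = {r.split()[0].split("=", 1)[-1] for r in records if r.strip()}
    problems = []
    for rec in records:
        for name, value in FIELD.findall(rec):
            if mode == "none":
                # No providing module: the field must not be there at all.
                problems.append(f"unexpected {name}= field")
            elif mode == "multiple":
                # Several providers: "?" plus a companion record in the event.
                if value.strip('"') != "?":
                    problems.append(f"{name}= is not ?")
                if COMPANION[name] not in types:
                    problems.append(f"missing {COMPANION[name]} record")
            # "single" mode: the field is accepted as written.
    return problems


# Constructed sample events, not taken from a real system.
SINGLE = ['type=SYSCALL msg=audit(1604710315.000:101): syscall=257 '
          'subj=unconfined_u:unconfined_r:unconfined_t:s0 key="testsuite"']
MULTI = ['type=SYSCALL msg=audit(1604710315.000:102): syscall=257 subj=? key="testsuite"',
         'type=MAC_TASK_CONTEXTS msg=audit(1604710315.000:102): '
         'subj_selinux=unconfined_u:unconfined_r:unconfined_t:s0 subj_apparmor=unconfined']

if __name__ == "__main__":
    for lsms in ("capability,yama", "capability,selinux", "capability,selinux,apparmor"):
        print(lsms, expected_mode(lsms), check_event(lsms, SINGLE), check_event(lsms, MULTI))
```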