[RFC PATCH] audit-testsuite: tests for subject and object correctness

Richard Guy Briggs rgb at redhat.com
Mon Nov 9 13:07:07 UTC 2020


On 2020-11-06 16:51, Casey Schaufler wrote:
> On 11/2/2020 7:31 PM, Paul Moore wrote:
> > On Mon, Nov 2, 2020 at 8:19 PM Richard Guy Briggs <rgb at redhat.com> wrote:
> >> On 2020-11-02 14:51, Casey Schaufler wrote:
> >>> On 11/2/2020 2:08 PM, Richard Guy Briggs wrote:
> >>>> On 2020-11-02 13:54, Casey Schaufler wrote:
> >>>>> Verify that there are subj= and obj= fields in a record
> >>>>> if and only if they are expected. A system without a security
> >>>>> module that provides these fields should not include them.
> >>>>> A system with multiple security modules providing these fields
> >>>>> (e.g. SELinux and AppArmor) should always provide "?" for the
> >>>>> data and also include an AUDIT_MAC_TASK_CONTEXTS or
> >>>>> AUDIT_MAC_OBJ_CONTEXTS record. The test uses the LSM list from
> >>>>> /sys/kernel/security/lsm to determine which format is expected.
> >>>>>
> >>>>> Signed-off-by: Casey Schaufler <casey at schaufler-ca.com>
> >>>>> ---
> >>>>>  tests/Makefile                   |   1 +
> >>>>>  tests/multiple_contexts/Makefile |  12 +++
> >>>>>  tests/multiple_contexts/test     | 166 +++++++++++++++++++++++++++++++
> >>>>>  3 files changed, 179 insertions(+)
> >>>>>  create mode 100644 tests/multiple_contexts/Makefile
> >>>>>  create mode 100755 tests/multiple_contexts/test
> >>>>>
> >>>>> diff --git a/tests/Makefile b/tests/Makefile
> >>>>> index a7f242a..f20f6b1 100644
> >>>>> --- a/tests/Makefile
> >>>>> +++ b/tests/Makefile
> >>>>> @@ -18,6 +18,7 @@ TESTS := \
> >>>>>    file_create \
> >>>>>    file_delete \
> >>>>>    file_rename \
> >>>>> +  multiple_contexts \
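Review bot: the directory name in this TESTS entry is the one the thread is about to rename; if it becomes `multiple_lsms` or `subj_obj_fields`, the `tests/multiple_contexts/Makefile` and `tests/multiple_contexts/test` paths in the diffstat above have to move with it, otherwise tests/Makefile lists a test directory that does not exist and the runner skips or fails the new test. Note also that only this Makefile hunk survives in the quoted reply; the 166-line test script itself is not visible here, so nothing below can be checked against its actual logic.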
> >>>> "context" is a bit ambiguous.  Could this be named something to indicate
> >>>> a security context rather than any other sort, such as audit or user
> >>>> context?
> >>> Would "subj_obj_fields" be better?
> >> That is much more obvious to me.  Maybe even sec_context_multi, but I
> >> like your suggestion better?
> > How about just "multiple_lsms"?  It's relatively concise and better
> > reflects what is actually being tested IMHO.
> 
> I'm perfectly happy to call it whatever you'd prefer.
> Anything substantive about the test itself?

The test looked reasonable to me...

- RGB

--
Richard Guy Briggs <rgb at redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
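
The rule in Casey's commit message (subj=/obj= present only when an LSM supplies them, "?" plus a MAC_TASK_CONTEXTS / MAC_OBJ_CONTEXTS record when more than one does, nothing at all when none does) is easy to get wrong in a checker, so here it is as a stand-alone Python sketch. This is an added example, not the audit-testsuite test from the patch (that is a Perl script whose body is not quoted above), and it runs on constructed audit records rather than live ones. Two things in it are assumptions, not taken from the thread: that selinux, smack and apparmor are the LSMs that provide contexts while the other names in /sys/kernel/security/lsm do not, and the subj_<lsm>= / obj_<lsm>= field layout of the MAC_*_CONTEXTS sample records (the checker only looks at the record type, so the layout does not affect the result).

```python
"""Added example: the subj=/obj= expectation rule from the commit message,
as a self-contained checker over constructed audit records. Not the
audit-testsuite test (a Perl script); sample data is made up for illustration."""
import re

# Assumption: these are the LSMs that hand the audit subsystem a security
# context for subj=/obj=. The other names that appear in
# /sys/kernel/security/lsm (capability, lockdown, yama, integrity, bpf, ...)
# do not label subjects or objects.
CONTEXT_LSMS = {"selinux", "smack", "apparmor"}

# Record types the commit message says accompany subj=? / obj=? when more
# than one context-providing LSM is active.
AUX_RECORD = {"subj": "MAC_TASK_CONTEXTS", "obj": "MAC_OBJ_CONTEXTS"}

TYPE_RE = re.compile(r"^type=(\S+)")
FIELD_RE = re.compile(r"(?:^|\s)(subj|obj)=(\S+)")


def read_lsm_list(path="/sys/kernel/security/lsm"):
    """Return the comma-separated LSM list, or None if securityfs is not available."""
    try:
        with open(path) as f:
            return f.read().strip()
    except OSError:
        return None


def expected_format(lsm_list):
    """Map the LSM list to 'none', 'single' or 'multiple' context providers."""
    active = [name.strip() for name in lsm_list.split(",") if name.strip()]
    providers = [name for name in active if name in CONTEXT_LSMS]
    if not providers:
        return "none"
    return "single" if len(providers) == 1 else "multiple"


def parse_record(line):
    """Split one audit record into its type and its subj=/obj= fields.
    The regex deliberately does not match subj_<lsm>= style names."""
    m = TYPE_RE.match(line)
    return (m.group(1) if m else None), dict(FIELD_RE.findall(line))


def check_event(records, fmt):
    """Apply the commit message's rule to one event (a list of raw records).
    Returns a list of violations; an empty list means the event is as expected."""
    problems = []
    types, seen = set(), set()
    for line in records:
        rtype, fields = parse_record(line)
        types.add(rtype)
        for name, value in fields.items():
            seen.add(name)
            if fmt == "none":
                problems.append(f"{rtype}: {name}={value} present with no context LSM")
            elif fmt == "single" and value == "?":
                problems.append(f"{rtype}: {name}=? but only one context LSM is active")
            elif fmt == "multiple" and value != "?":
                problems.append(f"{rtype}: {name}={value} should be ? with multiple LSMs")
    for name, aux in AUX_RECORD.items():
        if fmt == "multiple" and name in seen and aux not in types:
            problems.append(f"{name}=? present but no {aux} record in the event")
        if fmt != "multiple" and aux in types:
            problems.append(f"{aux} record present although format is {fmt}")
    if fmt == "single" and "SYSCALL" in types and "subj" not in seen:
        problems.append("SYSCALL record lacks subj= although a context LSM is active")
    return problems


# Constructed sample events (not captured from a real system). The
# subj_selinux=/subj_apparmor= names in the MAC_*_CONTEXTS records are an
# assumption about that record's layout; check_event() only uses the type.
SINGLE_EVENT = [
    'type=SYSCALL msg=audit(1604932027.123:100): arch=c000003e syscall=257 success=yes '
    'exit=3 pid=1234 auid=1000 uid=1000 subj=unconfined_u:unconfined_r:unconfined_t:s0 '
    'key="multiple_contexts"',
    'type=PATH msg=audit(1604932027.123:100): item=0 name="/tmp/x" inode=17 dev=00:1f '
    'mode=0100644 ouid=1000 ogid=1000 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=NORMAL',
]
MULTI_EVENT = [
    'type=SYSCALL msg=audit(1604932027.456:101): arch=c000003e syscall=257 success=yes '
    'exit=3 pid=1234 auid=1000 uid=1000 subj=? key="multiple_contexts"',
    'type=MAC_TASK_CONTEXTS msg=audit(1604932027.456:101): '
    'subj_selinux=unconfined_u:unconfined_r:unconfined_t:s0 subj_apparmor=unconfined',
    'type=PATH msg=audit(1604932027.456:101): item=0 name="/tmp/x" inode=17 dev=00:1f '
    'mode=0100644 ouid=1000 ogid=1000 obj=? nametype=NORMAL',
    'type=MAC_OBJ_CONTEXTS msg=audit(1604932027.456:101): '
    'obj_selinux=unconfined_u:object_r:user_tmp_t:s0 obj_apparmor=unconfined',
]
NONE_EVENT = [
    'type=SYSCALL msg=audit(1604932027.789:102): arch=c000003e syscall=257 success=yes '
    'exit=3 pid=1234 auid=1000 uid=1000 key="multiple_contexts"',
    'type=PATH msg=audit(1604932027.789:102): item=0 name="/tmp/x" inode=17 dev=00:1f '
    'mode=0100644 ouid=1000 ogid=1000 nametype=NORMAL',
]

if __name__ == "__main__":
    lsms = read_lsm_list() or "lockdown,capability,selinux"  # fallback for offline runs
    fmt = expected_format(lsms)
    print(f"lsm list: {lsms} -> expecting {fmt} context format")
    for label, event in (("single", SINGLE_EVENT), ("multiple", MULTI_EVENT), ("none", NONE_EVENT)):
        print(f"{label:>8} sample vs {fmt}: {check_event(event, fmt) or 'ok'}")
```

Run stand-alone it reads /sys/kernel/security/lsm if present, otherwise pretends a SELinux-only system, and reports which of the three sample events match that expectation. The point worth copying into a real test is the last check in check_event(): on a single-LSM system it is not enough to verify that subj= never reads "?"; the field has to be present on the SYSCALL record at all, otherwise a kernel that silently dropped the field would pass.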



