Re: [RFC PATCH] audit-testsuite: tests for subject and object correctness

On Mon, Nov 2, 2020 at 8:19 PM Richard Guy Briggs <rgb(a)redhat.com&gt; wrote: > On 2020-11-02 14:51, Casey Schaufler wrote: >> On 11/2/2020 2:08 PM, Richard Guy Briggs wrote: >>> On 2020-11-02 13:54, Casey Schaufler wrote: >>>> Verify that there are subj= and obj= fields in a record >>>> if and only if they are expected. A system without a security >>>> module that provides these fields should not include them. >>>> A system with multiple security modules providing these fields >>>> (e.g. SELinux and AppArmor) should always provide "?" for the >>>> data and also include a AUDIT_MAC_TASK_CONTEXTS or >>>> AUDIT_MAC_OBJ_CONTEXTS record. The test uses the LSM list from >>>> /sys/kernel/security/lsm to determine which format is expected. >>>> >>>> Signed-off-by: Casey Schaufler <casey(a)schaufler-ca.com&gt; >>>> --- >>>> tests/Makefile | 1 + >>>> tests/multiple_contexts/Makefile | 12 +++ >>>> tests/multiple_contexts/test | 166 +++++++++++++++++++++++++++++++ >>>> 3 files changed, 179 insertions(+) >>>> create mode 100644 tests/multiple_contexts/Makefile >>>> create mode 100755 tests/multiple_contexts/test >>>> >>>> diff --git a/tests/Makefile b/tests/Makefile >>>> index a7f242a..f20f6b1 100644 >>>> --- a/tests/Makefile >>>> +++ b/tests/Makefile >>>> @@ -18,6 +18,7 @@ TESTS := \ >>>> file_create \ >>>> file_delete \ >>>> file_rename \ >>>> + multiple_contexts \ >>> "context" is a bit ambiguous. Could this be named something to indicate >>> a security context rather than any other sort, such as audit or user >>> context? >> Would "subj_obj_fields" be better? > That is much more obvious to me. Maybe even sec_context_multi, but I > like your suggestion better? How about just "multiple_lsms"? It's relatively concise and better reflects what it is actually being tested IMHO.