Verify that there are subj= and obj= fields in a record if and only if they are expected. A system without a security module that provides these fields should not include them. A system with multiple security modules providing these fields (e.g. SELinux and AppArmor) should always provide "?" for the data and also include a AUDIT_MAC_TASK_CONTEXTS or AUDIT_MAC_OBJ_CONTEXTS record. The test uses the LSM list from /sys/kernel/security/lsm to determine which format is expected. Signed-off-by: Casey Schaufler <casey(a)schaufler-ca.com&gt; --- tests/Makefile | 1 + tests/multiple_contexts/Makefile | 12 +++ tests/multiple_contexts/test | 166 +++++++++++++++++++++++++++++++ 3 files changed, 179 insertions(+) create mode 100644 tests/multiple_contexts/Makefile create mode 100755 tests/multiple_contexts/test diff --git a/tests/Makefile b/tests/Makefile index a7f242a..f20f6b1 100644 --- a/tests/Makefile +++ b/tests/Makefile @@ -18,6 +18,7 @@ TESTS := \ file_create \ file_delete \ file_rename \ + multiple_contexts \ filter_exclude \ filter_saddr_fam \ filter_sessionid \ diff --git a/tests/multiple_contexts/Makefile b/tests/multiple_contexts/Makefile new file mode 100644 index 0000000..c2a8e87 --- /dev/null +++ b/tests/multiple_contexts/Makefile @@ -0,0 +1,12 @@ +# +# Copyright (C) Intel Corporation, 2020 +# + +TARGETS=$(patsubst %.c,%,$(wildcard *.c)) + +LDLIBS += -lpthread + +all: $(TARGETS) +clean: + rm -f $(TARGETS) + diff --git a/tests/multiple_contexts/test b/tests/multiple_contexts/test new file mode 100755 index 0000000..c9afed5 --- /dev/null +++ b/tests/multiple_contexts/test @@ -0,0 +1,166 @@ +#!/usr/bin/perl +# +# Copyright (C) Intel Corporation, 2020 +# + +use strict; + +use Test; +BEGIN { plan tests => 3 } + +use File::Temp qw/ tempdir tempfile /; + +### +# functions + +sub key_gen { + my @chars = ( "A" .. "Z", "a" .. "z" ); + my $key = "testsuite-" . time . "-"; + $key .= $chars[ rand @chars ] for 1 .. 8; + return $key; +} + +### +# setup + +# reset audit +system("auditctl -D >& /dev/null"); + +my $line; +my $lsm_out; +my $lsm_count = 0; +my $bpf_enabled = 0; + +open($lsm_out, "cat /sys/kernel/security/lsm |"); +while ( $line = <$lsm_out> ) { + if ( $line =~ /selinux/ ) { + $lsm_count = $lsm_count + 1; + } + if ( $line =~ /smack/ ) { + $lsm_count = $lsm_count + 1; + } + if ( $line =~ /apparmor/ ) { + $lsm_count = $lsm_count + 1; + } + if ( $line =~ /bpf/ ) { + $bpf_enabled = 1; + } +} +close($lsm_out); + +if ( $lsm_count and $bpf_enabled ) { + $lsm_count = $lsm_count + 1; +} +# create temp directory +my $dir = tempdir( TEMPLATE => '/tmp/audit-testsuite-XXXX', CLEANUP => 1 ); + +# create stdout/stderr sinks +( my $fh_out, my $stdout ) = tempfile( + TEMPLATE => '/tmp/audit-testsuite-out-XXXX', + UNLINK => 1 +); +( my $fh_err, my $stderr ) = tempfile( + TEMPLATE => '/tmp/audit-testsuite-err-XXXX', + UNLINK => 1 +); + +### +# tests + +# create a test file +( my $fh, my $filename ) = + tempfile( TEMPLATE => $dir . "/file-XXXX", UNLINK => 1 ); + +# set the directory watch +my $key = key_gen(); +system("auditctl -w $dir -k $key"); + +# delete file +unlink($filename); + +# make sure the records had a chance to bubble through to the logs +system("auditctl -m syncmarker-$key"); +for ( my $i = 0 ; $i < 10 ; $i++ ) { + if ( system("ausearch -m USER | grep -q syncmarker-$key") eq 0 ) { + last; + } + sleep(0.2); +} + +# test if we generate any audit records from the watch +my $result = system("ausearch -i -k $key > $stdout 2> $stderr"); +ok( $result, 0 ); + +# test if we generate a MAC_TASK_CONTEXTS record if and +# only if it is required. +# +# test if we generate a MAC_OBJ_CONTEXTS record if and +# only if it is required. + +my $found_auxsubj = 0; +my $found_subjattr = 0; +my $found_regsubj = 0; + +my $found_auxobj = 0; +my $found_objattr = 0; +my $found_regobj = 0; + +while ( $line = <$fh_out> ) { + + if ( $line =~ / subj=\? / ) { + $found_auxsubj = 1; + } elsif ( $line =~ / subj=/ ) { + $found_regsubj = 1; + } + if ( $line =~ / subj_selinux=/ ) { + $found_subjattr = 1; + } + if ( $line =~ / subj_apparmor=/ ) { + $found_subjattr = 1; + } + if ( $line =~ / subj_smack=/ ) { + $found_subjattr = 1; + } + + if ( $line =~ / obj=\? / ) { + $found_auxobj = 1; + } elsif ( $line =~ / obj=/ ) { + $found_regobj = 1; + } + if ( $line =~ / obj_selinux=/ ) { + $found_objattr = 1; + } + if ( $line =~ / obj_apparmor=/ ) { + $found_objattr = 1; + } + if ( $line =~ / obj_smack=/ ) { + $found_objattr = 1; + } +} + +# three cases: +# no subj= field or MAC_TASK_CONTEXTS when no supplying LSM +# subj=$value field, no MAC_TASK_CONTEXTS for exactly one supplying LSM +# subj=? field and a MAC_TASK_CONTEXTS for more than one supplying LSM +# +if ($lsm_count == 0) { + ok($found_regsubj == 0 and $found_auxsubj == 0); +} elsif ($lsm_count == 1) { + ok($found_regsubj and $found_auxsubj == 0); +} else { + ok($found_subjattr and $found_auxsubj); +} + +if ($lsm_count == 0) { + ok($found_regobj == 0 and $found_auxobj == 0); +} elsif ($lsm_count == 1) { + ok($found_regobj and $found_auxobj == 0); +} else { + ok($found_objattr and $found_auxobj); +} + +### +# cleanup + +system("auditctl -D >& /dev/null"); + -- 2.24.1