|
From: Linda K. <lin...@hp...> - 2014-08-04 19:27:00
|
On 7/29/2014 7:22 AM, Jiri Jaburek wrote:
> On 07/28/2014 06:39 PM, Linda Knippers wrote:
>> Hi Jiri,
>>
>> On 07/28/2014 09:33 AM, Jiri Jaburek wrote:
>>> Hello Linda & others,
>>>
>>> I've been doing some syscall work recently and while doing it,
>>> I decided to "clean up" the do_ipc and do_socketcall wrappers, which
>>> seemed like a duplicated functionality, since they call exactly the same
>>> library functions as normal do_* wrappers. Also, I really wanted to get
>>> rid of the ipc headerhack. :)
>>
>> That's a good goal.:-)
>>
>>> This was somewhat amplified by the fact that the code in ipc_common.c
>>> was over-shared, meaning that ie. semget was using flags for semctl
>>> or semop. So I made a series of ~6 commits, carefully moving all the
>>> functionality from ipc_common.c into separate wrappers and removing the
>>> do_ipc wrapper. I did the same for do_socketcall, which just calls bind,
>>> using a library function, like do_bind. All this with removing
>>> respective sections from syscalls/*.conf, of course.
>>>
>>> I was quite happy with the series, since - functionality wise - it was
>>> transparent. However when I tested it on MODE=32, the syscalls bucket
>>> started throwing ERRORs.
>>
>> Right. The 32-bit x86 syscalls add a lot of complexity.
>> Did you see any problems on non-x86 architectures?
>
> I didn't test other architectures, but the code suggests that all 32bit
> variants are affected, for ipc(2) at least.
>
>>
>>> Some investigation uncovered that the syscalls
>>> bucket was actually using these "duplicated" wrappers for proper
>>> auditing - because auditctl works with real syscalls, not libc
>>> functions. The extra wrappers were therefore nothing more than a name,
>>> simplifying logic in the syscalls bucket.
>>>
>>> This goes against some other approaches used in the suite - in the
>>> network bucket, for example, which - based on the architecture - selects
>>> proper syscall name for auditctl, while still calling the original
>>> syscall wrapper (which uses library functions).
>>>
>>> -----------------------------------------------------------------------
>>>
>>> This led me into a certain design question I'd like to ask here; how to
>>> design syscall wrappers and the execution and auditing infrastructure
>>> around them? What would be the best approach?
>>>
>>> I've identified 3 most obvious ways to write a syscall wrapper:
>>>
>>> A) use syscall(__NR_syscallname, ...) directly, bypassing libc
>>> B) use libc functions
>>> C) use (A), but simulate libc using #ifdefs manually
>>
>> Today we use both A) and B), depending on the syscall. B) is easiest
>> from a coding perspective. A) is sometimes necessary because libc
>> might not actually be using the syscall we want in the mode we want
>> or may be doing error checking of its own that prevent some of the case
>> we want to test. I'm not sure I understand C).
>
> (C) for do_chmod could look like
>
> #ifdef ARM
> exitval = syscall(__NR_fchmodat, ...);
> #else
> exitval = syscall(__NR_chmod, ...);
> #endif
>
> essentially simulating glibc in a controlled manner.

I thought that was A). In this example, I'm not sure you'd have an ifdef
in do_chmod to map it to fchmodat on ARM because do_chmod is to test chmod,
and there isn't one for arm. You'd just use do_fchmodat, which exists for
other arches too.

>>
>>> These approaches solve the "which syscalls to run where" problem
>>> somewhat differently and therefore have different benefits and
>>> drawbacks in various situations:
>>>
>>> 1) compile time
>>>
>>> (A) is a bit problematic, since we would need to come up with a full
>>> logic of what syscalls to compile on what architectures. We already
>>> do that on some level, but this option calls for a separate mapping
>>> file (or so) instead of simple Makefile-based conditions,
>>> integrating it somehow into the make system.
>>
>> Right - we seem to be reinventing libc.
>
> Please note that (A) isn't about reinventing libc - it isn't about
> providing abstractions for syscalls, since it's these abstractions that
> later cause "hacky" auditing code in tests.

Ok, but using the example from above, what would the audit test test for?
You can't test a chmod syscall on ARM if there isn't one. The auditctl
to select that syscall for auditing would fail too, right?

>
>>
>>> (B) and (C) are really easy - the libc (or custom #ifdefs) take care
>>> of which syscall should be called on which architecture. (C) has
>>> the disadvantage of actually doing the mapping from (A), just in
>>> a less visible way.
>>>
>>> 2) run (execution) time
>>>
>>> (A) again needs to re-use the mapping file (or logic) in most cases,
>>> since - if we want to call ie. open-like syscall, we need to call
>>> explicitly either do_open (non-arm) or do_openat (arm)
>>
>> And in some cases, we need to do both when the arch supports both.
>>
>>> (B) and (C) simplify this case a lot, but may fall short if we
>>> *really* want to call openat instead of open on non-arm
>>
>> We do that today. We test both open and openat using the do_* programs.
>>
>>> 3) auditing time
>>>
>>> (A) shines here, IMO, since the auditctl mapping is 1:1 to the do_*
>>> wrappers. It still needs to re-use the mapping file (and therefore
>>> needs to manually specify which syscalls to audit on which archs),
>>> but it's very straightforward and clear.
>>>
>>> (B) and (C) have a significant problem here - we don't know which
>>> syscalls are being called "under the hood" of the do_* wrappers,
>>
>> Well, we do for all the existing calls.
>
> *We* do, but the tests don't, which is why we have to create ad-hoc
> conditions to tell them.
>
>>
>>> so
>>> we need to try them out and then create per-arch hacks in the code
>>> similar to what we've seen in the arm patchset recently, ie.
>>> "set up auditing for fchmodat and call do_chmod", which can be
>>> somewhat confusing. The other option is to duplicate wrappers like
>>> do_socketcall, but the per-arch hacks still persist. We could create
>>> a mapping file for them, but then we might as well use (A).
>>>
>>>
>>> So what would be the best approach for new (and existing, over time)
>>> syscall wrappers?
>>>
>>> I personally really like (A) due to its clean design - there are no
>>> "Note: There is no glibc wrapper for this system call" exceptions
>>> and it's clear what syscalls run on which architectures and 32/64bit
>>> variations. The mapping file, with its helper bash functions doing ie.
>>> "is this syscall relevant for current arch/mode?" or "list all relevant
>>> syscalls for current arch/mode", along with some documentation, should
>>> be mostly easy to implement.
>>> A practical example in the syscalls bucket would be checking for arch
>>> relevancy in the `+' function with no per-arch or per-mode conditions
>>> in the .conf files. The rollup log (or run.bash --list) would then show
>>> which syscalls were actually run.
>>
>> I don't think there is one "best approach". Some of what we have today
>> is because the suite has evolved over time but some of it is because for
>> the most part, using the libc functions is simple and appropriate.
>> Where it's not simple or appropriate, we drop back to the syscall(_NR...)
>> function. Sometimes due to legacy syscalls, like the multiplexed 32-bit
>> syscalls, it gets a bit complicated but hey, we've written that code already. :-)
>
> I agree that using libc is often better and it would be perhaps cleaner
> if auditctl supported syscall translation (ie. chmod->fchmodat on arm),
> but it doesn't, it needs a direct syscall name for a given arch / mode.

Maybe fixing auditctl is the better solution. If we don't know what
the syscalls are, how are audit users supposed to know?

> My points for (A) go mostly towards the auditing code, see the current
> state of augrok_default and auwatch_default in network/run.conf.
> Or the per-arch conditions in syscalls/*-run.conf.

The multiplexed system calls are a pain, but it's mostly legacy pain.
Are there new syscalls that are implemented that way?

>
> With a unified way of telling which syscalls are relevant for which
> architectures, the conditions in syscalls/ could go away. The entire
> case/esac structure in network/ could as well, since $syscall would
> always be the tested syscall and no other.

I'm not sure how unified it can really be though. In the case of these
multiplexed system calls, we still have to test the various options to
the syscalls because they go down different security relevant paths.
I don't think we could have just one test for socketcall(), for example.

> The "unified way" doesn't have to be a static file, it can be generated
> using gcc from unistd.h dynamically.
>
> Also, "we've written that code already" doesn't mean there won't be more
> of it in the future (well, near future).
>
>>
>>> This also means that I would have to throw away most of my series on
>>> do_ipc and do_socketcall, possibly re-implementing them in the future,
>>> but I'm fine with that.
>>>
>>> What's your opinion?
>>
>> If it ain't broke....?
>
> Right, I was wondering whether a "clean" solution wouldn't be an
> overkill, since there aren't that much differences aside from do_ipc
> and do_socketcall. For me, it's just another cleanup, like the netfilter
> or networking-related code.
>
>>
>>> Thanks,
>>> Jiri
>>>
>>>
>>> PS: I'm asking because we currently have ~70 new syscall wrappers staged
>>> for review and there's not much consistency in terms of (A) vs (B)
>>> vs (C).
>>
>> I'm interested in knowing more about your new syscalls and why you have
>> a mix of A), B) and C) (which I still don't understand but I'm sure a simple
>> example would clear things up). Is it because 3 different people wrote them
>> or because there really is no "best approach"?
>
> Various reasons, really. Written mostly by a single person, (A) was used
> where using (B) would pull in another suite dependency (NUMA),
> (B) was used where (A) would result in two independent wrappers (fstatat
> vs newfstatat), and various mix of both. Yes, because there's no defined
> policy of "best approach".

If fstatat and newfstatat are both syscalls that are both callable by
an architecture, then you might need two since you'd have to test both.

>> I'm not trying to say that we have to keep doing things the way we've always done it.
>> This suite has clearly evolved and improved as you and others have worked on it so I'd
>> like to continue this discussion.
>
> Sure, I'd like to get as much feedback as possible before implementing
> anything (or deciding to leave it be in the current state).

I see you've sent another message now that I haven't read yet but
I'll read next.

-- ljk

>
>>
>> -- ljk
>>
>
> Jiri
>
|
|
From: AKASHI T. <tak...@li...> - 2014-08-04 06:29:12
|
On 08/01/2014 05:32 PM, Miroslav Vadkerti wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi Akashi,
>
> On 07/24/2014 08:02 AM, AKASHI Takahiro wrote:
>> On some architectures including arm64, system call numbers are defined in
>> /usr/include/asm-generic/unistd.h. This file contains irregular style of definitions like
>> #define __NR3264_truncate 45 #define __NR_truncate __NR3264_truncate (In fact, it's more
>> complicated.)
>>
>> This patch takes care of such cases.
>>
>> Signed-off-by: AKASHI Takahiro <tak...@li...> --- audit-test/utils/augrok | 15
>> +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-)
>>
>> diff --git a/audit-test/utils/augrok b/audit-test/utils/augrok index 08f731a..f0542e5 100755
>> --- a/audit-test/utils/augrok +++ b/audit-test/utils/augrok @@ -113,8 +113,12 @@ sub new {
>> open(S, "gcc $m32 -E -dM /usr/include/syscall.h |") or die; my $line; while (defined($line =
>> <S>)) { - next unless $line =~ /^#define\s+__NR_(\w+)\s+(\w+|\(.*?\))/; -
>> $singleton->{$1} = $2; + if ($line =~ /^#define\s+__NR_(\w+)\s+(\w+|\(.*?\))/) { +
>> $singleton->{$1} = $2; + } + if ($line =~
>> /^#define\s+__NR3264_(\w+)\s+(\w+|\(.*?\))/) { + $singleton->{"3264_$1"} = $2; +
>> } } close S;
>>
>> @@ -139,6 +143,13 @@ sub new { $changed = 1; }
>>
>> + #define __NR_truncate __NR3264_truncate + if ($v =~
>> /^__NR3264_(\w+)$/ and + defined($new_v = $singleton->{"3264_$1"})) { +
>> $singleton->{$k} = $new_v; + $changed = 1; + }
>
> I just realized you wanted to do here elsif not only if.
Thanks.
> Won't work and augrok breaks on s390x on defines like:
> #define __NR_mq_getsetattr (__NR_mq_open+5)
> for example
>
> Could you please confirm that with this patch you are still fine?
tested-by: AKASHI Takahiro <tak...@li...>
> diff --git a/audit-test/utils/augrok b/audit-test/utils/augrok
> index a42cd21..973b85b 100755
> - --- a/audit-test/utils/augrok
> +++ b/audit-test/utils/augrok
> @@ -144,7 +144,7 @@ sub new {
> }
>
> #define __NR_truncate __NR3264_truncate
> - - if ($v =~ /^__NR3264_(\w+)$/ and
> + elsif ($v =~ /^__NR3264_(\w+)$/ and
> defined($new_v = $singleton->{"3264_$1"})) {
> $singleton->{$k} = $new_v;
> $changed = 1;
>
> Thanks and regards,
> /M
>
>
>> + # don't know how to handle this, hope it wasn't important else { print STDERR "Removing
>> syscall{$k} = $v\n" if $opt{'debug'};
>>
>
> - --
> Miroslav Vadkerti :: Senior Quality Assurance Engineer / RHCSS :: BaseOS QE - Security
> Phone +420 532 294 129 :: CR cell +420 776 864 252 :: SR cell +421 904 135 440
> IRC mvadkert at #qe #urt #brno #rpmdiff :: GnuPG ID 0x25881087 at pgp.mit.edu
> Red Hat s.r.o, Purkyňova 99/71, 612 45, Brno, Czech Republic
>
|
|
From: Jiri J. <jja...@re...> - 2014-08-01 12:12:10
|
On 07/29/2014 01:22 PM, Jiri Jaburek wrote:
> On 07/28/2014 06:39 PM, Linda Knippers wrote:
>> Hi Jiri,
>>
>> On 07/28/2014 09:33 AM, Jiri Jaburek wrote:
>>> Hello Linda & others,
>>>
>>> I've been doing some syscall work recently and while doing it,
>>> I decided to "clean up" the do_ipc and do_socketcall wrappers, which
>>> seemed like a duplicated functionality, since they call exactly the same
>>> library functions as normal do_* wrappers. Also, I really wanted to get
>>> rid of the ipc headerhack. :)
>>
>> That's a good goal.:-)
>>
>>> This was somewhat amplified by the fact that the code in ipc_common.c
>>> was over-shared, meaning that ie. semget was using flags for semctl
>>> or semop. So I made a series of ~6 commits, carefully moving all the
>>> functionality from ipc_common.c into separate wrappers and removing the
>>> do_ipc wrapper. I did the same for do_socketcall, which just calls bind,
>>> using a library function, like do_bind. All this with removing
>>> respective sections from syscalls/*.conf, of course.
>>>
>>> I was quite happy with the series, since - functionality wise - it was
>>> transparent. However when I tested it on MODE=32, the syscalls bucket
>>> started throwing ERRORs.
>>
>> Right. The 32-bit x86 syscalls add a lot of complexity.
>> Did you see any problems on non-x86 architectures?
>
> I didn't test other architectures, but the code suggests that all 32bit
> variants are affected, for ipc(2) at least.
>
>>
>>> Some investigation uncovered that the syscalls
>>> bucket was actually using these "duplicated" wrappers for proper
>>> auditing - because auditctl works with real syscalls, not libc
>>> functions. The extra wrappers were therefore nothing more than a name,
>>> simplifying logic in the syscalls bucket.
>>>
>>> This goes against some other approaches used in the suite - in the
>>> network bucket, for example, which - based on the architecture - selects
>>> proper syscall name for auditctl, while still calling the original
>>> syscall wrapper (which uses library functions).
>>>
>>> -----------------------------------------------------------------------
>>>
>>> This led me into a certain design question I'd like to ask here; how to
>>> design syscall wrappers and the execution and auditing infrastructure
>>> around them? What would be the best approach?
>>>
>>> I've identified 3 most obvious ways to write a syscall wrapper:
>>>
>>> A) use syscall(__NR_syscallname, ...) directly, bypassing libc
>>> B) use libc functions
>>> C) use (A), but simulate libc using #ifdefs manually
>>
>> Today we use both A) and B), depending on the syscall. B) is easiest
>> from a coding perspective. A) is sometimes necessary because libc
>> might not actually be using the syscall we want in the mode we want
>> or may be doing error checking of its own that prevent some of the case
>> we want to test. I'm not sure I understand C).
>
> (C) for do_chmod could look like
>
> #ifdef ARM
> exitval = syscall(__NR_fchmodat, ...);
> #else
> exitval = syscall(__NR_chmod, ...);
> #endif
>
> essentially simulating glibc in a controlled manner.
>
>>
>>> These approaches solve the "which syscalls to run where" problem
>>> somewhat differently and therefore have different benefits and
>>> drawbacks in various situations:
>>>
>>> 1) compile time
>>>
>>> (A) is a bit problematic, since we would need to come up with a full
>>> logic of what syscalls to compile on what architectures. We already
>>> do that on some level, but this option calls for a separate mapping
>>> file (or so) instead of simple Makefile-based conditions,
>>> integrating it somehow into the make system.
>>
>> Right - we seem to be reinventing libc.
>
> Please note that (A) isn't about reinventing libc - it isn't about
> providing abstractions for syscalls, since it's these abstractions that
> later cause "hacky" auditing code in tests.
>
>>
>>> (B) and (C) are really easy - the libc (or custom #ifdefs) take care
>>> of which syscall should be called on which architecture. (C) has
>>> the disadvantage of actually doing the mapping from (A), just in
>>> a less visible way.
>>>
>>> 2) run (execution) time
>>>
>>> (A) again needs to re-use the mapping file (or logic) in most cases,
>>> since - if we want to call ie. open-like syscall, we need to call
>>> explicitly either do_open (non-arm) or do_openat (arm)
>>
>> And in some cases, we need to do both when the arch supports both.
>>
>>> (B) and (C) simplify this case a lot, but may fall short if we
>>> *really* want to call openat instead of open on non-arm
>>
>> We do that today. We test both open and openat using the do_* programs.
>>
>>> 3) auditing time
>>>
>>> (A) shines here, IMO, since the auditctl mapping is 1:1 to the do_*
>>> wrappers. It still needs to re-use the mapping file (and therefore
>>> needs to manually specify which syscalls to audit on which archs),
>>> but it's very straightforward and clear.
>>>
>>> (B) and (C) have a significant problem here - we don't know which
>>> syscalls are being called "under the hood" of the do_* wrappers,
>>
>> Well, we do for all the existing calls.
>
> *We* do, but the tests don't, which is why we have to create ad-hoc
> conditions to tell them.
>
>>
>>> so
>>> we need to try them out and then create per-arch hacks in the code
>>> similar to what we've seen in the arm patchset recently, ie.
>>> "set up auditing for fchmodat and call do_chmod", which can be
>>> somewhat confusing. The other option is to duplicate wrappers like
>>> do_socketcall, but the per-arch hacks still persist. We could create
>>> a mapping file for them, but then we might as well use (A).
>>>
>>>
>>> So what would be the best approach for new (and existing, over time)
>>> syscall wrappers?
>>>
>>> I personally really like (A) due to its clean design - there are no
>>> "Note: There is no glibc wrapper for this system call" exceptions
>>> and it's clear what syscalls run on which architectures and 32/64bit
>>> variations. The mapping file, with its helper bash functions doing ie.
>>> "is this syscall relevant for current arch/mode?" or "list all relevant
>>> syscalls for current arch/mode", along with some documentation, should
>>> be mostly easy to implement.
>>> A practical example in the syscalls bucket would be checking for arch
>>> relevancy in the `+' function with no per-arch or per-mode conditions
>>> in the .conf files. The rollup log (or run.bash --list) would then show
>>> which syscalls were actually run.
>>
>> I don't think there is one "best approach". Some of what we have today
>> is because the suite has evolved over time but some of it is because for
>> the most part, using the libc functions is simple and appropriate.
>> Where it's not simple or appropriate, we drop back to the syscall(_NR...)
>> function. Sometimes due to legacy syscalls, like the multiplexed 32-bit
>> syscalls, it gets a bit complicated but hey, we've written that code already. :-)
>
> I agree that using libc is often better and it would be perhaps cleaner
> if auditctl supported syscall translation (ie. chmod->fchmodat on arm),
> but it doesn't, it needs a direct syscall name for a given arch / mode.
>
> My points for (A) go mostly towards the auditing code, see the current
> state of augrok_default and auwatch_default in network/run.conf.
> Or the per-arch conditions in syscalls/*-run.conf.
>
> With a unified way of telling which syscalls are relevant for which
> architectures, the conditions in syscalls/ could go away. The entire
> case/esac structure in network/ could as well, since $syscall would
> always be the tested syscall and no other.
>
> The "unified way" doesn't have to be a static file, it can be generated
> using gcc from unistd.h dynamically.
>
> Also, "we've written that code already" doesn't mean there won't be more
> of it in the future (well, near future).
>
>>
>>> This also means that I would have to throw away most of my series on
>>> do_ipc and do_socketcall, possibly re-implementing them in the future,
>>> but I'm fine with that.
>>>
>>> What's your opinion?
>>
>> If it ain't broke....?
>
> Right, I was wondering whether a "clean" solution wouldn't be an
> overkill, since there aren't that much differences aside from do_ipc
> and do_socketcall. For me, it's just another cleanup, like the netfilter
> or networking-related code.
>
>>
>>> Thanks,
>>> Jiri
>>>
>>>
>>> PS: I'm asking because we currently have ~70 new syscall wrappers staged
>>> for review and there's not much consistency in terms of (A) vs (B)
>>> vs (C).
>>
>> I'm interested in knowing more about your new syscalls and why you have
>> a mix of A), B) and C) (which I still don't understand but I'm sure a simple
>> example would clear things up). Is it because 3 different people wrote them
>> or because there really is no "best approach"?
>
> Various reasons, really. Written mostly by a single person, (A) was used
> where using (B) would pull in another suite dependency (NUMA),
> (B) was used where (A) would result in two independent wrappers (fstatat
> vs newfstatat), and various mix of both. Yes, because there's no defined
> policy of "best approach".
>
>>
>> I'm not trying to say that we have to keep doing things the way we've always done it.
>> This suite has clearly evolved and improved as you and others have worked on it so I'd
>> like to continue this discussion.
>
> Sure, I'd like to get as much feedback as possible before implementing
> anything (or deciding to leave it be in the current state).
>

I made some proof-of-concept attempts regarding the automatic build of
only relevant syscalls and I'm not sure anymore whether it's a good idea.

The thing is - it's too "smart", which would be beneficial for something
like LTP (which has TCONF), but not really for our suite, where we want
things to be as static as possible.

IOW the way I understood it, we don't have any advanced output-checking
logic that would guarantee that all the required/expected syscall tests
were run - this is guaranteed by the (static) logic itself.

Using a static list both as a replacement for utils/bin/Makefile and for
execution/auditing could work, but I'm not really sure of its format and
whether it wouldn't go against KISS.

Meaning that, sometimes, leaving things in apparent disorder might be
the best solution.

The implication being that I'll stick with (B), eg. using library
functions where possible, ie. fstatat() instead of newfstatat(), etc.

This also means that I can finish that ipc/socketcall patchseries, I'm
still undecided whether to do it network-style (add ie. do_msgget, call
it, but audit syscall==ipc on related arch/modes) or whether leave do_ipc
in place and just make it a special case (calling bodies of the "normal"
do_* ipc wrappers) instead of a feature.

Jiri
|
|
From: Miroslav V. <mva...@re...> - 2014-08-01 08:32:38
|
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi Akashi,
On 07/24/2014 08:02 AM, AKASHI Takahiro wrote:
> On some architectures including arm64, system call numbers are defined in
> /usr/include/asm-generic/unistd.h. This file contains irregular style of definitions like
> #define __NR3264_truncate 45 #define __NR_truncate __NR3264_truncate (In fact, it's more
> complicated.)
>
> This patch takes care of such cases.
>
> Signed-off-by: AKASHI Takahiro <tak...@li...> --- audit-test/utils/augrok | 15
> +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-)
>
> diff --git a/audit-test/utils/augrok b/audit-test/utils/augrok index 08f731a..f0542e5 100755
> --- a/audit-test/utils/augrok +++ b/audit-test/utils/augrok @@ -113,8 +113,12 @@ sub new {
> open(S, "gcc $m32 -E -dM /usr/include/syscall.h |") or die; my $line; while (defined($line =
> <S>)) { - next unless $line =~ /^#define\s+__NR_(\w+)\s+(\w+|\(.*?\))/; -
> $singleton->{$1} = $2; + if ($line =~ /^#define\s+__NR_(\w+)\s+(\w+|\(.*?\))/) { +
> $singleton->{$1} = $2; + } + if ($line =~
> /^#define\s+__NR3264_(\w+)\s+(\w+|\(.*?\))/) { + $singleton->{"3264_$1"} = $2; +
> } } close S;
>
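Review bot: in the `while` loop, the `__NR3264_*` definitions are stored in the same `$singleton` hash as the real syscall entries (`$singleton->{"3264_$1"} = $2;`), so unless they are deleted once the aliases are resolved, any code that walks the table will see names such as `3264_truncate` as syscalls. A separate lookup hash for the `__NR3264_` values would keep the table clean. The two patterns cannot match the same line, so the second `if` can be an `elsif`.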
> @@ -139,6 +143,13 @@ sub new { $changed = 1; }
>
> + #define __NR_truncate __NR3264_truncate + if ($v =~
> /^__NR3264_(\w+)$/ and + defined($new_v = $singleton->{"3264_$1"})) { +
> $singleton->{$k} = $new_v; + $changed = 1; + }
I just realized you wanted to do here elsif not only if.
Won't work and augrok breaks on s390x on defines like:
#define __NR_mq_getsetattr (__NR_mq_open+5)
for example
Could you please confirm that with this patch you are still fine?
diff --git a/audit-test/utils/augrok b/audit-test/utils/augrok
index a42cd21..973b85b 100755
- --- a/audit-test/utils/augrok
+++ b/audit-test/utils/augrok
@@ -144,7 +144,7 @@ sub new {
}
#define __NR_truncate __NR3264_truncate
- - if ($v =~ /^__NR3264_(\w+)$/ and
+ elsif ($v =~ /^__NR3264_(\w+)$/ and
defined($new_v = $singleton->{"3264_$1"})) {
$singleton->{$k} = $new_v;
$changed = 1;
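Review bot: the `- --- a/audit-test/utils/augrok` and `- - if ($v =~ ...` lines carry the dash-escaping of the PGP-clearsigned mail, so this hunk will not apply as posted; resending it as an attachment or in an unsigned mail avoids that. The comment `#define __NR_truncate __NR3264_truncate` now sits between the closing `}` and the `elsif`, where it is easy to misread as part of the chain; moving it inside the block as its first line would be clearer.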
Thanks and regards,
/M
> + # don't know how to handle this, hope it wasn't important else { print STDERR "Removing
> syscall{$k} = $v\n" if $opt{'debug'};
>
- --
Miroslav Vadkerti :: Senior Quality Assurance Engineer / RHCSS :: BaseOS QE - Security
Phone +420 532 294 129 :: CR cell +420 776 864 252 :: SR cell +421 904 135 440
IRC mvadkert at #qe #urt #brno #rpmdiff :: GnuPG ID 0x25881087 at pgp.mit.edu
Red Hat s.r.o, Purkyňova 99/71, 612 45, Brno, Czech Republic
|
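The macro resolution that the augrok patches above deal with, together with the per-architecture choice of audit syscall name raised in the wrapper discussion, as an added Python example (not augrok's Perl code and not part of any message). The `#define` samples are constructed: only `__NR3264_truncate 45` and the `(__NR_mq_open+5)` form come from the thread, and all function names are hypothetical.

```python
import re

# Constructed samples in the shape of `gcc -E -dM /usr/include/syscall.h` output.
# Only `__NR3264_truncate 45` and the `(__NR_mq_open+5)` form come from the thread;
# every other number is a placeholder, not a value taken from a real header.
ASM_GENERIC_STYLE = """\
#define __NR3264_truncate 45
#define __NR_truncate __NR3264_truncate
#define __NR_fchmodat 53
#define __NR_openat 56
#define __NR_broken __NR_missing
"""

MULTIPLEXED_STYLE = """\
#define __NR_chmod 15
#define __NR_ipc 117
#define __NR_mq_open 271
#define __NR_mq_getsetattr (__NR_mq_open+5)
"""

DEFINE_RE = re.compile(r"^#define\s+__NR(3264)?_(\w+)\s+(\w+|\(.*?\))\s*$")
VALUE_RE = re.compile(r"^\(?\s*(__NR(?:3264)?_\w+|\d+)\s*(?:\+\s*(\d+))?\s*\)?$")
REF_RE = re.compile(r"^__NR(3264)?_(\w+)$")


def parse_defines(text):
    """Split the definitions into real syscalls and __NR3264_ helper values.

    The helpers live in their own dict so they never show up as syscall names.
    """
    syscalls, helpers = {}, {}
    for line in text.splitlines():
        m = DEFINE_RE.match(line)
        if m:
            (helpers if m.group(1) else syscalls)[m.group(2)] = m.group(3)
    return syscalls, helpers


def _value(raw, syscalls, helpers, seen):
    """Evaluate a number, an alias, or `(alias+N)`; None if it cannot be resolved."""
    m = VALUE_RE.match(raw)
    if not m:
        return None
    base, offset = m.group(1), int(m.group(2) or 0)
    if base.isdigit():
        return int(base) + offset
    if base in seen:  # alias cycle
        return None
    kind, name = REF_RE.match(base).groups()
    table = helpers if kind else syscalls
    if name not in table:
        return None
    inner = _value(table[name], syscalls, helpers, seen | {base})
    return None if inner is None else inner + offset


def syscall_table(text):
    """Return ({name: number}, {name: raw_value}) for resolved and unresolved entries."""
    syscalls, helpers = parse_defines(text)
    table, unresolved = {}, {}
    for name, raw in syscalls.items():
        number = _value(raw, syscalls, helpers, frozenset())
        if number is None:
            unresolved[name] = raw
        else:
            table[name] = number
    return table, unresolved


def audit_syscall(candidates, table):
    """First candidate that exists for this arch/mode, i.e. the name an audit
    rule has to use. The preference order is the caller's assumption."""
    for name in candidates:
        if name in table:
            return name
    return None


if __name__ == "__main__":
    for label, sample in (("asm-generic style", ASM_GENERIC_STYLE),
                          ("multiplexed style", MULTIPLEXED_STYLE)):
        table, unresolved = syscall_table(sample)
        print(label, table, "unresolved:", unresolved)
        print("  chmod test audits:", audit_syscall(("chmod", "fchmodat"), table))
        print("  msgget test audits:", audit_syscall(("msgget", "ipc"), table))
```

Unresolved entries are returned rather than dropped, so a test run can report which syscall names it could not map instead of skipping them silently.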
|
From: Miroslav V. <mva...@re...> - 2014-07-29 13:32:18
|
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi everyone,

The patches are now upstream with one mentioned fix in rules.mk.

Thank you very much for the patches Akashi, Linda and Jirka for the review.

Best regards,
/M

On 07/25/2014 04:32 PM, Linda Knippers wrote:
> Hi Miroslav,
>
> I didn't have any comments on the patches but I did want to know that they had been tested on x86.
> I haven't had a chance to try them myself so I really appreciate your test results and the
> Linaro testing with this series.
>
> Thank you and Jiri for the reviews and testing. When you're happy, please go ahead and push
> the changes.
>
> Thank you Linaro developers for your work on this.
>
> -- ljk
>
>
> On 7/25/2014 9:04 AM, Miroslav Vadkerti wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>
>> Hi Linda,
>
>> according to our testing this patch set looks good (after small correction in Makefile) - all
>> tests pass in Base and MLS.
>
>> Do you have any comments to the final v4 patch set? If not after correcting the Makefile we
>> will push the changes upstream.
>
>> Thanks,
>> /M
>
>> On 07/24/2014 08:02 AM, AKASHI Takahiro wrote:
>>> This patch allows the test suite to be run on aarch64 (or arm64 in kernel jargon) with
>>> 64-bit and 32-bit userspace. I successfully built and ran it on
>>> - ARMv8 fast model
>>> - x86_64 Fedora 20
>>> but only against audit-test/syscalls and filter, and so fixes here might be
>>> incomplete in the other categories (and on other architectures). See audit-test/Makefile,
>>> which is a bit messy in general.
>>>
>>> v4:
>>> * fix usages of LSM_SELINUX macro
>>>
>>> v3:
>>> * correct makefiles/bash scripts around usages of LSM_SELINUX macro
>>> * untabify the leading tabs
>>> * protect utils/network-server with LSM_SELINUX
>>>
>>> v2:
>>> * clean up the usages of macros, MACHINE, LSM_SELINUX and UTILS
>>> * cosmetic changes (indentation, splitting lines) for readability
>>>
>>> AKASHI Takahiro (5):
>>>   audit-test: use LSM_SELINUX instead of SUSE to work-around SE-Linux
>>>   audit-test: handle __NR3264_xxx syscall definitions
>>>   audit-test/syscalls: add aarch64 support
>>>   audit-test/filter: add aarch64 support
>>>   audit-test/syscalls: add arm support
>>>
>>>  audit-test/filter/run.conf                         |  2 ++
>>>  audit-test/filter/tests/test_auid.bash             |  9 +++++--
>>>  audit-test/filter/tests/test_class_attr.bash       | 28 +++++++++++++++-----
>>>  audit-test/filter/tests/test_dev_inode.bash        | 11 +++++---
>>>  audit-test/filter/tests/test_success.bash          |  8 ++++--
>>>  audit-test/filter/tests/test_syscall.bash          |  8 ++++--
>>>  audit-test/filter/tests/test_type.bash             |  9 +++++--
>>>  audit-test/filter/tests/test_watch_dir_remove.bash | 20 ++++++++------
>>>  audit-test/filter/tests/test_watch_open.bash       | 10 +++++--
>>>  audit-test/filter/tests/test_watch_remove.bash     |  4 +++
>>>  audit-test/rules.mk                                | 11 +++++---
>>>  audit-test/syscalls/cap-run.conf                   | 15 +++++++----
>>>  audit-test/syscalls/dac-run.conf                   | 24 +++++++++++------
>>>  audit-test/syscalls/mac-run.conf                   | 24 +++++++++++------
>>>  audit-test/utils/Makefile                          |  7 ++++-
>>>  audit-test/utils/augrok                            | 17 ++++++++++--
>>>  audit-test/utils/bin/Makefile                      | 14 +++++++---
>>>  audit-test/utils/bin/do_creat.c                    |  4 +--
>>>  audit-test/utils/bin/do_mkdir.c                    |  4 +--
>>>  audit-test/utils/bin/do_mkdirat.c                  |  4 +--
>>>  audit-test/utils/bin/do_mknod.c                    |  4 +--
>>>  audit-test/utils/bin/do_mknodat.c                  |  4 +--
>>>  audit-test/utils/bin/do_mq_open.c                  |  4 +--
>>>  audit-test/utils/bin/do_open.c                     |  4 +--
>>>  audit-test/utils/bin/do_openat.c                   |  4 +--
>>>  audit-test/utils/bin/do_symlink.c                  |  4 +--
>>>  audit-test/utils/bin/do_symlinkat.c                |  4 +--
>>>  audit-test/utils/run.bash                          |  8 ++++--
>>>  28 files changed, 188 insertions(+), 81 deletions(-)
>>>
>

- --
Miroslav Vadkerti :: Senior Quality Assurance Engineer / RHCSS :: BaseOS QE - Security
Phone +420 532 294 129 :: CR cell +420 776 864 252 :: SR cell +421 904 135 440
IRC mvadkert at #qe #urt #brno #rpmdiff :: GnuPG ID 0x25881087 at pgp.mit.edu
Red Hat s.r.o, Purkyňova 99/71, 612 45, Brno, Czech Republic
|
|
From: Jiri J. <jja...@re...> - 2014-07-29 11:22:27
|
On 07/28/2014 06:39 PM, Linda Knippers wrote:
> Hi Jiri,
>
> On 07/28/2014 09:33 AM, Jiri Jaburek wrote:
>> Hello Linda & others,
>>
>> I've been doing some syscall work recently and while doing it,
>> I decided to "clean up" the do_ipc and do_socketcall wrappers, which
>> seemed like a duplicated functionality, since they call exactly the same
>> library functions as normal do_* wrappers. Also, I really wanted to get
>> rid of the ipc headerhack. :)
>
> That's a good goal.:-)
>
>> This was somewhat amplified by the fact that the code in ipc_common.c
>> was over-shared, meaning that ie. semget was using flags for semctl
>> or semop. So I made a series of ~6 commits, carefully moving all the
>> functionality from ipc_common.c into separate wrappers and removing the
>> do_ipc wrapper. I did the same for do_socketcall, which just calls bind,
>> using a library function, like do_bind. All this with removing
>> respective sections from syscalls/*.conf, of course.
>>
>> I was quite happy with the series, since - functionality wise - it was
>> transparent. However when I tested it on MODE=32, the syscalls bucket
>> started throwing ERRORs.
>
> Right. The 32-bit x86 syscalls add a lot of complexity.
> Did you see any problems on non-x86 architectures?

I didn't test other architectures, but the code suggests that all 32bit
variants are affected, for ipc(2) at least.

>
>> Some investigation uncovered that the syscalls
>> bucket was actually using these "duplicated" wrappers for proper
>> auditing - because auditctl works with real syscalls, not libc
>> functions. The extra wrappers were therefore nothing more than a name,
>> simplifying logic in the syscalls bucket.
>>
>> This goes against some other approaches used in the suite - in the
>> network bucket, for example, which - based on the architecture - selects
>> proper syscall name for auditctl, while still calling the original
>> syscall wrapper (which uses library functions).
>>
>> -----------------------------------------------------------------------
>>
>> This led me into a certain design question I'd like to ask here; how to
>> design syscall wrappers and the execution and auditing infrastructure
>> around them? What would be the best approach?
>>
>> I've identified 3 most obvious ways to write a syscall wrapper:
>>
>> A) use syscall(__NR_syscallname, ...) directly, bypassing libc
>> B) use libc functions
>> C) use (A), but simulate libc using #ifdefs manually
>
> Today we use both A) and B), depending on the syscall. B) is easiest
> from a coding perspective. A) is sometimes necessary because libc
> might not actually be using the syscall we want in the mode we want
> or may be doing error checking of its own that prevents some of the cases
> we want to test. I'm not sure I understand C).

(C) for do_chmod could look like

    #ifdef ARM
    exitval = syscall(__NR_fchmodat, ...);
    #else
    exitval = syscall(__NR_chmod, ...);
    #endif

essentially simulating glibc in a controlled manner.

>
>> These approaches solve the "which syscalls to run where" problem
>> somewhat differently and therefore have different benefits and
>> drawbacks in various situations:
>>
>> 1) compile time
>>
>> (A) is a bit problematic, since we would need to come up with a full
>> logic of what syscalls to compile on what architectures. We already
>> do that on some level, but this option calls for a separate mapping
>> file (or so) instead of simple Makefile-based conditions,
>> integrating it somehow into the make system.
>
> Right - we seem to be reinventing libc.

Please note that (A) isn't about reinventing libc - it isn't about
providing abstractions for syscalls, since it's these abstractions that
later cause "hacky" auditing code in tests.

>
>> (B) and (C) are really easy - the libc (or custom #ifdefs) take care
>> of which syscall should be called on which architecture. (C) has
>> the disadvantage of actually doing the mapping from (A), just in
>> a less visible way.
>>
>> 2) run (execution) time
>>
>> (A) again needs to re-use the mapping file (or logic) in most cases,
>> since - if we want to call ie. open-like syscall, we need to call
>> explicitly either do_open (non-arm) or do_openat (arm)
>
> And in some cases, we need to do both when the arch supports both.
>
>> (B) and (C) simplify this case a lot, but may fall short if we
>> *really* want to call openat instead of open on non-arm
>
> We do that today. We test both open and openat using the do_* programs.
>
>> 3) auditing time
>>
>> (A) shines here, IMO, since the auditctl mapping is 1:1 to the do_*
>> wrappers. It still needs to re-use the mapping file (and therefore
>> needs to manually specify which syscalls to audit on which archs),
>> but it's very straightforward and clear.
>>
>> (B) and (C) have a significant problem here - we don't know which
>> syscalls are being called "under the hood" of the do_* wrappers,
>
> Well, we do for all the existing calls.

*We* do, but the tests don't, which is why we have to create ad-hoc
conditions to tell them.

>
>> so
>> we need to try them out and then create per-arch hacks in the code
>> similar to what we've seen in the arm patchset recently, ie.
>> "set up auditing for fchmodat and call do_chmod", which can be
>> somewhat confusing. The other option is to duplicate wrappers like
>> do_socketcall, but the per-arch hacks still persist. We could create
>> a mapping file for them, but then we might as well use (A).
>>
>>
>> So what would be the best approach for new (and existing, over time)
>> syscall wrappers?
>>
>> I personally really like (A) due to its clean design - there are no
>> "Note: There is no glibc wrapper for this system call" exceptions
>> and it's clear what syscalls run on which architectures and 32/64bit
>> variations. The mapping file, with its helper bash functions doing ie.
>> "is this syscall relevant for current arch/mode?" or "list all relevant
>> syscalls for current arch/mode", along with some documentation, should
>> be mostly easy to implement.
>> A practical example in the syscalls bucket would be checking for arch
>> relevancy in the `+' function with no per-arch or per-mode conditions
>> in the .conf files. The rollup log (or run.bash --list) would then show
>> which syscalls were actually run.
>
> I don't think there is one "best approach". Some of what we have today
> is because the suite has evolved over time but some of it is because for
> the most part, using the libc functions is simple and appropriate.
> Where it's not simple or appropriate, we drop back to the syscall(_NR...)
> function. Sometimes due to legacy syscalls, like the multiplexed 32-bit
> syscalls, it gets a bit complicated but hey, we've written that code already. :-)

I agree that using libc is often better and it would be perhaps cleaner
if auditctl supported syscall translation (ie. chmod->fchmodat on arm),
but it doesn't, it needs a direct syscall name for a given arch / mode.

My points for (A) go mostly towards the auditing code, see the current
state of augrok_default and auwatch_default in network/run.conf.
Or the per-arch conditions in syscalls/*-run.conf.

With a unified way of telling which syscalls are relevant for which
architectures, the conditions in syscalls/ could go away. The entire
case/esac structure in network/ could as well, since $syscall would
always be the tested syscall and no other.

The "unified way" doesn't have to be a static file, it can be generated
using gcc from unistd.h dynamically.

Also, "we've written that code already" doesn't mean there won't be more
of it in the future (well, near future).

>
>> This also means that I would have to throw away most of my series on
>> do_ipc and do_socketcall, possibly re-implementing them in the future,
>> but I'm fine with that.
>>
>> What's your opinion?
>
> If it ain't broke....?

Right, I was wondering whether a "clean" solution wouldn't be an
overkill, since there aren't that many differences aside from do_ipc
and do_socketcall. For me, it's just another cleanup, like the netfilter
or networking-related code.

>
>> Thanks,
>> Jiri
>>
>>
>> PS: I'm asking because we currently have ~70 new syscall wrappers staged
>> for review and there's not much consistency in terms of (A) vs (B)
>> vs (C).
>
> I'm interested in knowing more about your new syscalls and why you have
> a mix of A), B) and C) (which I still don't understand but I'm sure a simple
> example would clear things up). Is it because 3 different people wrote them
> or because there really is no "best approach"?

Various reasons, really. Written mostly by a single person, (A) was used
where using (B) would pull in another suite dependency (NUMA),
(B) was used where (A) would result in two independent wrappers (fstatat
vs newfstatat), and various mix of both. Yes, because there's no defined
policy of "best approach".

>
> I'm not trying to say that we have to keep doing things the way we've always done it.
> This suite has clearly evolved and improved as you and others have worked on it so I'd
> like to continue this discussion.

Sure, I'd like to get as much feedback as possible before implementing
anything (or deciding to leave it be in the current state).

>
> -- ljk
>
Jiri
|
|
From: Linda K. <lin...@hp...> - 2014-07-28 16:39:19
|
Hi Jiri,

On 07/28/2014 09:33 AM, Jiri Jaburek wrote:
> Hello Linda & others,
>
> I've been doing some syscall work recently and while doing it,
> I decided to "clean up" the do_ipc and do_socketcall wrappers, which
> seemed like a duplicated functionality, since they call exactly the same
> library functions as normal do_* wrappers. Also, I really wanted to get
> rid of the ipc headerhack. :)

That's a good goal.:-)

> This was somewhat amplified by the fact that the code in ipc_common.c
> was over-shared, meaning that ie. semget was using flags for semctl
> or semop. So I made a series of ~6 commits, carefully moving all the
> functionality from ipc_common.c into separate wrappers and removing the
> do_ipc wrapper. I did the same for do_socketcall, which just calls bind,
> using a library function, like do_bind. All this with removing
> respective sections from syscalls/*.conf, of course.
>
> I was quite happy with the series, since - functionality wise - it was
> transparent. However when I tested it on MODE=32, the syscalls bucket
> started throwing ERRORs.

Right. The 32-bit x86 syscalls add a lot of complexity.
Did you see any problems on non-x86 architectures?

> Some investigation uncovered that the syscalls
> bucket was actually using these "duplicated" wrappers for proper
> auditing - because auditctl works with real syscalls, not libc
> functions. The extra wrappers were therefore nothing more than a name,
> simplifying logic in the syscalls bucket.
>
> This goes against some other approaches used in the suite - in the
> network bucket, for example, which - based on the architecture - selects
> proper syscall name for auditctl, while still calling the original
> syscall wrapper (which uses library functions).
>
> -----------------------------------------------------------------------
>
> This led me into a certain design question I'd like to ask here; how to
> design syscall wrappers and the execution and auditing infrastructure
> around them? What would be the best approach?
>
> I've identified 3 most obvious ways to write a syscall wrapper:
>
> A) use syscall(__NR_syscallname, ...) directly, bypassing libc
> B) use libc functions
> C) use (A), but simulate libc using #ifdefs manually

Today we use both A) and B), depending on the syscall. B) is easiest
from a coding perspective. A) is sometimes necessary because libc
might not actually be using the syscall we want in the mode we want
or may be doing error checking of its own that prevents some of the cases
we want to test. I'm not sure I understand C).

> These approaches solve the "which syscalls to run where" problem
> somewhat differently and therefore have different benefits and
> drawbacks in various situations:
>
> 1) compile time
>
> (A) is a bit problematic, since we would need to come up with a full
> logic of what syscalls to compile on what architectures. We already
> do that on some level, but this option calls for a separate mapping
> file (or so) instead of simple Makefile-based conditions,
> integrating it somehow into the make system.

Right - we seem to be reinventing libc.

> (B) and (C) are really easy - the libc (or custom #ifdefs) take care
> of which syscall should be called on which architecture. (C) has
> the disadvantage of actually doing the mapping from (A), just in
> a less visible way.
>
> 2) run (execution) time
>
> (A) again needs to re-use the mapping file (or logic) in most cases,
> since - if we want to call ie. open-like syscall, we need to call
> explicitly either do_open (non-arm) or do_openat (arm)

And in some cases, we need to do both when the arch supports both.

> (B) and (C) simplify this case a lot, but may fall short if we
> *really* want to call openat instead of open on non-arm

We do that today. We test both open and openat using the do_* programs.

> 3) auditing time
>
> (A) shines here, IMO, since the auditctl mapping is 1:1 to the do_*
> wrappers. It still needs to re-use the mapping file (and therefore
> needs to manually specify which syscalls to audit on which archs),
> but it's very straightforward and clear.
>
> (B) and (C) have a significant problem here - we don't know which
> syscalls are being called "under the hood" of the do_* wrappers,

Well, we do for all the existing calls.

> so
> we need to try them out and then create per-arch hacks in the code
> similar to what we've seen in the arm patchset recently, ie.
> "set up auditing for fchmodat and call do_chmod", which can be
> somewhat confusing. The other option is to duplicate wrappers like
> do_socketcall, but the per-arch hacks still persist. We could create
> a mapping file for them, but then we might as well use (A).
>
>
> So what would be the best approach for new (and existing, over time)
> syscall wrappers?
>
> I personally really like (A) due to its clean design - there are no
> "Note: There is no glibc wrapper for this system call" exceptions
> and it's clear what syscalls run on which architectures and 32/64bit
> variations. The mapping file, with its helper bash functions doing ie.
> "is this syscall relevant for current arch/mode?" or "list all relevant
> syscalls for current arch/mode", along with some documentation, should
> be mostly easy to implement.
> A practical example in the syscalls bucket would be checking for arch
> relevancy in the `+' function with no per-arch or per-mode conditions
> in the .conf files. The rollup log (or run.bash --list) would then show
> which syscalls were actually run.

I don't think there is one "best approach". Some of what we have today
is because the suite has evolved over time but some of it is because for
the most part, using the libc functions is simple and appropriate.
Where it's not simple or appropriate, we drop back to the syscall(_NR...)
function. Sometimes due to legacy syscalls, like the multiplexed 32-bit
syscalls, it gets a bit complicated but hey, we've written that code already. :-)

> This also means that I would have to throw away most of my series on
> do_ipc and do_socketcall, possibly re-implementing them in the future,
> but I'm fine with that.
>
> What's your opinion?

If it ain't broke....?

> Thanks,
> Jiri
>
>
> PS: I'm asking because we currently have ~70 new syscall wrappers staged
> for review and there's not much consistency in terms of (A) vs (B)
> vs (C).

I'm interested in knowing more about your new syscalls and why you have
a mix of A), B) and C) (which I still don't understand but I'm sure a simple
example would clear things up). Is it because 3 different people wrote them
or because there really is no "best approach"?

I'm not trying to say that we have to keep doing things the way we've always done it.
This suite has clearly evolved and improved as you and others have worked on it so I'd
like to continue this discussion.

-- ljk
|
|
From: Jiri J. <jja...@re...> - 2014-07-28 13:33:32
|
Hello Linda & others,

I've been doing some syscall work recently and while doing it,
I decided to "clean up" the do_ipc and do_socketcall wrappers, which
seemed like a duplicated functionality, since they call exactly the same
library functions as normal do_* wrappers. Also, I really wanted to get
rid of the ipc headerhack. :)

This was somewhat amplified by the fact that the code in ipc_common.c
was over-shared, meaning that ie. semget was using flags for semctl
or semop. So I made a series of ~6 commits, carefully moving all the
functionality from ipc_common.c into separate wrappers and removing the
do_ipc wrapper. I did the same for do_socketcall, which just calls bind,
using a library function, like do_bind. All this with removing
respective sections from syscalls/*.conf, of course.

I was quite happy with the series, since - functionality wise - it was
transparent. However when I tested it on MODE=32, the syscalls bucket
started throwing ERRORs. Some investigation uncovered that the syscalls
bucket was actually using these "duplicated" wrappers for proper
auditing - because auditctl works with real syscalls, not libc
functions. The extra wrappers were therefore nothing more than a name,
simplifying logic in the syscalls bucket.

This goes against some other approaches used in the suite - in the
network bucket, for example, which - based on the architecture - selects
proper syscall name for auditctl, while still calling the original
syscall wrapper (which uses library functions).

-----------------------------------------------------------------------

This led me into a certain design question I'd like to ask here; how to
design syscall wrappers and the execution and auditing infrastructure
around them? What would be the best approach?

I've identified 3 most obvious ways to write a syscall wrapper:

A) use syscall(__NR_syscallname, ...) directly, bypassing libc
B) use libc functions
C) use (A), but simulate libc using #ifdefs manually

These approaches solve the "which syscalls to run where" problem
somewhat differently and therefore have different benefits and
drawbacks in various situations:

1) compile time

(A) is a bit problematic, since we would need to come up with a full
logic of what syscalls to compile on what architectures. We already
do that on some level, but this option calls for a separate mapping
file (or so) instead of simple Makefile-based conditions,
integrating it somehow into the make system.

(B) and (C) are really easy - the libc (or custom #ifdefs) take care
of which syscall should be called on which architecture. (C) has
the disadvantage of actually doing the mapping from (A), just in
a less visible way.

2) run (execution) time

(A) again needs to re-use the mapping file (or logic) in most cases,
since - if we want to call ie. open-like syscall, we need to call
explicitly either do_open (non-arm) or do_openat (arm)

(B) and (C) simplify this case a lot, but may fall short if we
*really* want to call openat instead of open on non-arm

3) auditing time

(A) shines here, IMO, since the auditctl mapping is 1:1 to the do_*
wrappers. It still needs to re-use the mapping file (and therefore
needs to manually specify which syscalls to audit on which archs),
but it's very straightforward and clear.

(B) and (C) have a significant problem here - we don't know which
syscalls are being called "under the hood" of the do_* wrappers, so
we need to try them out and then create per-arch hacks in the code
similar to what we've seen in the arm patchset recently, ie.
"set up auditing for fchmodat and call do_chmod", which can be
somewhat confusing. The other option is to duplicate wrappers like
do_socketcall, but the per-arch hacks still persist. We could create
a mapping file for them, but then we might as well use (A).

So what would be the best approach for new (and existing, over time)
syscall wrappers?

I personally really like (A) due to its clean design - there are no
"Note: There is no glibc wrapper for this system call" exceptions
and it's clear what syscalls run on which architectures and 32/64bit
variations. The mapping file, with its helper bash functions doing ie.
"is this syscall relevant for current arch/mode?" or "list all relevant
syscalls for current arch/mode", along with some documentation, should
be mostly easy to implement.

A practical example in the syscalls bucket would be checking for arch
relevancy in the `+' function with no per-arch or per-mode conditions
in the .conf files. The rollup log (or run.bash --list) would then show
which syscalls were actually run.

This also means that I would have to throw away most of my series on
do_ipc and do_socketcall, possibly re-implementing them in the future,
but I'm fine with that.

What's your opinion?

Thanks,
Jiri

PS: I'm asking because we currently have ~70 new syscall wrappers staged
for review and there's not much consistency in terms of (A) vs (B)
vs (C).
|
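One way to express approach (A) and the proposed relevancy helpers from the 2014-07-28 message above in C, added here as an illustration and not code from audit-test. The names `sc_table`, `sc_number`, `sc_relevant`, `sc_list_relevant` and `do_chmod_direct` are hypothetical, and the table is filled from the `__NR_*` macros of whatever headers the file is compiled against.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE              /* syscall() */
#endif
#include <errno.h>
#include <fcntl.h>               /* AT_FDCWD */
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>            /* mode_t */
#include <sys/syscall.h>         /* __NR_* for the arch/mode being compiled */
#include <unistd.h>

#define SC_ABSENT (-1L)          /* no such syscall for this arch/mode */
#define SC_SKIP   (-1)           /* wrapper result: not relevant, do not run */

struct sc_entry { const char *name; long nr; };

/* Hypothetical mapping table. The preprocessor fills it from the kernel
 * headers, so a 32-bit x86 build sees ipc and socketcall, a 64-bit one does not. */
static const struct sc_entry sc_table[] = {
#ifdef __NR_chmod
    { "chmod", __NR_chmod },
#else
    { "chmod", SC_ABSENT },
#endif
#ifdef __NR_fchmodat
    { "fchmodat", __NR_fchmodat },
#else
    { "fchmodat", SC_ABSENT },
#endif
#ifdef __NR_ipc
    { "ipc", __NR_ipc },
#else
    { "ipc", SC_ABSENT },
#endif
#ifdef __NR_socketcall
    { "socketcall", __NR_socketcall },
#else
    { "socketcall", SC_ABSENT },
#endif
};
#define SC_COUNT (sizeof(sc_table) / sizeof(sc_table[0]))

/* Syscall number for name, or SC_ABSENT if unknown or not present here. */
long sc_number(const char *name)
{
    size_t i;
    for (i = 0; i < SC_COUNT; i++)
        if (strcmp(sc_table[i].name, name) == 0)
            return sc_table[i].nr;
    return SC_ABSENT;
}

/* "Is this syscall relevant for current arch/mode?" */
int sc_relevant(const char *name) { return sc_number(name) != SC_ABSENT; }

/* "List all relevant syscalls": space-separated into buf, returns the count. */
int sc_list_relevant(char *buf, size_t len)
{
    size_t i, used = 0;
    int n = 0;
    if (len == 0) return 0;
    buf[0] = '\0';
    for (i = 0; i < SC_COUNT; i++) {
        if (sc_table[i].nr == SC_ABSENT) continue;
        if (used < len)
            used += (size_t)snprintf(buf + used, len - used, "%s%s",
                                     n ? " " : "", sc_table[i].name);
        n++;
    }
    return n;
}

/* Approach (A) wrapper: issues exactly the named syscall, so the name given
 * to the audit rule is the same string. Returns 0, an errno, or SC_SKIP. */
int do_chmod_direct(const char *name, const char *path, mode_t mode)
{
    long rc, nr = sc_number(name);
    if (nr == SC_ABSENT) return SC_SKIP;
    if (strcmp(name, "chmod") == 0)
        rc = syscall(nr, path, mode);
    else if (strcmp(name, "fchmodat") == 0)
        rc = syscall(nr, AT_FDCWD, path, mode);
    else
        return SC_SKIP;          /* present, but not a chmod-family call */
    return rc == 0 ? 0 : errno;
}

int main(void)
{
    char list[128];
    int n = sc_list_relevant(list, sizeof(list));
    printf("%d relevant syscalls: %s\n", n, list);
    /* Constructed path that does not exist: the call is issued and fails. */
    printf("fchmodat -> %d\n",
           do_chmod_direct("fchmodat", "/no-such-dir-audit-demo/file", 0600));
    return 0;
}
```
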
|
From: AKASHI T. <tak...@li...> - 2014-07-28 07:51:20
|
On 07/25/2014 10:01 PM, Miroslav Vadkerti wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi,
>
> thanks for the patches.
>
> On 07/24/2014 08:02 AM, AKASHI Takahiro wrote:
>> Current makefile uses DISTRO(== SUSE) to keep SE-Linux related programs from being compiled and
>> executed. This is inconvenient for other distributions or rootfs build tools, like Buildroot and
>> OpenEmbedded.
>>
>> This patch introduces LSM_SELINUX instead to do the same thing.
>>
>> Signed-off-by: AKASHI Takahiro <tak...@li...> --- audit-test/filter/run.conf
>> | 2 ++ audit-test/rules.mk | 9 +++++---- audit-test/utils/Makefile
>> | 7 ++++++- audit-test/utils/bin/Makefile | 2 +- audit-test/utils/bin/do_creat.c
>> | 4 ++-- audit-test/utils/bin/do_mkdir.c | 4 ++-- audit-test/utils/bin/do_mkdirat.c
>> | 4 ++-- audit-test/utils/bin/do_mknod.c | 4 ++-- audit-test/utils/bin/do_mknodat.c
>> | 4 ++-- audit-test/utils/bin/do_mq_open.c | 4 ++-- audit-test/utils/bin/do_open.c
>> | 4 ++-- audit-test/utils/bin/do_openat.c | 4 ++-- audit-test/utils/bin/do_symlink.c
>> | 4 ++-- audit-test/utils/bin/do_symlinkat.c | 4 ++-- audit-test/utils/run.bash
>> | 8 ++++++-- 15 files changed, 40 insertions(+), 28 deletions(-)
>>
>> diff --git a/audit-test/filter/run.conf b/audit-test/filter/run.conf index 3ac111a..d52cf00
>> 100644 --- a/audit-test/filter/run.conf +++ b/audit-test/filter/run.conf @@ -79,11 +79,13 @@
>> fi + class_write + class_exec + class_attr +if [[ $LSM_SELINUX ]]; then + secontext subj_sen +
>> secontext subj_clr + secontext subj_role + secontext obj_lev_low + secontext obj_lev_high_base
>> +fi if [[ $PPROFILE == lspp ]]; then + secontext obj_lev_high_mls fi diff --git
>> a/audit-test/rules.mk b/audit-test/rules.mk index fd2f8a5..49c0df2 100644 ---
>> a/audit-test/rules.mk +++ b/audit-test/rules.mk @@ -75,13 +75,14 @@ RELEASE = $(wildcard
>> /etc/*-release) ifeq (SuSE, $(findstring SuSE, $(RELEASE))) CFLAGS +=-DSUSE export DISTRO=SUSE
>> -endif -ifeq (fedora, $(findstring fedora, $(RELEASE))) -CFLAGS +=-DFEDORA +else ifeq (fedora,
>> $(findstring fedora, $(RELEASE))) +CFLAGS +="-DFEDORA -DLSM_SELINUX"
>
> This will not work, you need to omit the double quotes, the compiler will silently ignore
> those CFLAGS:

Thank you.

> cc -g -O2 -Wall -Werror -D_GNU_SOURCE -fno-strict-aliasing "-DRHEL -DLSM_SELINUX" -I../include
> do_creat.c -lselinux -o do_creat
>
> will you correct these small typos or should we do it?

I hope you will fix them on merging this patch.

-Takahiro AKASHI

> With these corrections all test pass also in MLS:
>
> TALLIED RESULTS
> 1049 pass (100%)
> 0 fail (0%)
> 0 error (0%)
> - ------------------
> 1049 total
>
>
> Best regards,
> /M
>
>> export DISTRO=FEDORA +export LSM_SELINUX=1 else ifeq (redhat, $(findstring redhat,
>> $(RELEASE))) -CFLAGS +=-DRHEL +CFLAGS +="-DRHEL -DLSM_SELINUX" export DISTRO=RHEL +export
>> LSM_SELINUX=1 endif
>>
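Review bot: In the rules.mk hunk, -DLSM_SELINUX and `export LSM_SELINUX=1` are set only inside the fedora and redhat branches of the /etc/*-release detection, so a Buildroot or OpenEmbedded build, which the commit message names as the motivation, has no branch that enables SELinux support. Passing LSM_SELINUX=1 on the make command line would satisfy the `ifdef LSM_SELINUX` tests in utils/Makefile and utils/bin/Makefile (linking -lselinux) without defining the macro that the `#ifdef LSM_SELINUX` blocks in the do_*.c files test. Consider having the distro branches only set `LSM_SELINUX=1` and deriving the define once, outside the distro chain, with `ifdef LSM_SELINUX` / `CFLAGS += -DLSM_SELINUX` / `endif`.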
>> ifeq (s390x, $(findstring s390x, $(MACHINE))) diff --git a/audit-test/utils/Makefile
>> b/audit-test/utils/Makefile index 489d98b..f43b0f1 100644 --- a/audit-test/utils/Makefile +++
>> b/audit-test/utils/Makefile @@ -18,14 +18,19 @@ TOPDIR = .. UTILSDIR = . CPPFLAGS +=
>> -I$(UTILSDIR)/include +ifdef LSM_SELINUX LDLIBS += -lselinux
>>
>> UTILS_EXE = test_context \ test_setcon +endif
>>
>> ALL_EXE = $(UTILS_EXE)
>>
>> -SUB_DIRS = bin network-server +SUB_DIRS = bin +ifdef LSM_SELINUX +SUB_DIRS += network-server
>> +endif
>>
>> include $(TOPDIR)/rules.mk
>>
>> diff --git a/audit-test/utils/bin/Makefile b/audit-test/utils/bin/Makefile index
>> 098d46c..654ef9c 100644 --- a/audit-test/utils/bin/Makefile +++
>> b/audit-test/utils/bin/Makefile @@ -193,7 +193,7 @@ ALL_EXE += $(ONLY86_EXE) endif
>>
>> $(CAPS_EXE): LDLIBS += -lcap -ifneq ($(DISTRO), SUSE) +ifdef LSM_SELINUX $(CREATE_EXE): LDLIBS
>> += -lselinux $(MQ_EXE): LDLIBS += -lrt -lselinux else diff --git
>> a/audit-test/utils/bin/do_creat.c b/audit-test/utils/bin/do_creat.c index 85b31fb..81b0686
>> 100644 --- a/audit-test/utils/bin/do_creat.c +++ b/audit-test/utils/bin/do_creat.c @@ -14,7
>> +14,7 @@ */
>>
>> #include "includes.h" -#ifndef SUSE +#ifdef LSM_SELINUX #include <selinux/selinux.h> #endif
>>
>> @@ -27,7 +27,7 @@ int main(int argc, char **argv) return 1; }
>>
>> -#ifndef SUSE +#ifdef LSM_SELINUX if ((argc > 2) && (setfscreatecon(argv[2]) < 0)) {
>> perror("do_creat: setfscreatecon"); return 1; diff --git a/audit-test/utils/bin/do_mkdir.c
>> b/audit-test/utils/bin/do_mkdir.c index f06f394..d601903 100644 ---
>> a/audit-test/utils/bin/do_mkdir.c +++ b/audit-test/utils/bin/do_mkdir.c @@ -14,7 +14,7 @@ */
>>
>> #include "includes.h" -#ifndef SUSE +#ifdef LSM_SELINUX #include <selinux/selinux.h> #endif
>>
>> @@ -27,7 +27,7 @@ int main(int argc, char **argv) return 1; }
>>
>> -#ifndef SUSE +#ifdef LSM_SELINUX if ((argc > 2) && (setfscreatecon(argv[2]) < 0)) {
>> perror("do_mkdir: setfscreatecon"); return 1; diff --git a/audit-test/utils/bin/do_mkdirat.c
>> b/audit-test/utils/bin/do_mkdirat.c index 67d5ac9..5a6e54f 100644 ---
>> a/audit-test/utils/bin/do_mkdirat.c +++ b/audit-test/utils/bin/do_mkdirat.c @@ -14,7 +14,7 @@
>> */
>>
>> #include "includes.h" -#ifndef SUSE +#ifdef LSM_SELINUX #include <selinux/selinux.h> #endif
>>
>> @@ -28,7 +28,7 @@ int main(int argc, char **argv) return TEST_ERROR; }
>>
>> -#ifndef SUSE +#ifdef LSM_SELINUX if ((argc > 3) && (setfscreatecon(argv[3]) < 0)) {
>> perror("do_mkdirat: setfscreatecon"); return TEST_ERROR; diff --git
>> a/audit-test/utils/bin/do_mknod.c b/audit-test/utils/bin/do_mknod.c index 07ca554..c12c76d
>> 100644 --- a/audit-test/utils/bin/do_mknod.c +++ b/audit-test/utils/bin/do_mknod.c @@ -14,7
>> +14,7 @@ */
>>
>> #include "includes.h" -#ifndef SUSE +#ifdef LSM_SELINUX #include <selinux/selinux.h> #endif
>>
>> @@ -27,7 +27,7 @@ int main(int argc, char **argv) return 1; }
>>
>> -#ifndef SUSE +#ifdef LSM_SELINUX if ((argc > 2) && (setfscreatecon(argv[2]) < 0)) {
>> perror("do_mknod: setfscreatecon"); return 1; diff --git a/audit-test/utils/bin/do_mknodat.c
>> b/audit-test/utils/bin/do_mknodat.c index 5acb057..7e9ea2c 100644 ---
>> a/audit-test/utils/bin/do_mknodat.c +++ b/audit-test/utils/bin/do_mknodat.c @@ -14,7 +14,7 @@
>> */
>>
>> #include "includes.h" -#ifndef SUSE +#ifdef LSM_SELINUX #include <selinux/selinux.h> #endif
>>
>> @@ -31,7 +31,7 @@ int main(int argc, char **argv) dir_fd = open(argv[1], O_DIRECTORY); if
>> (dir_fd < 0) return TEST_ERROR; -#ifndef SUSE +#ifdef LSM_SELINUX if (argc == 4 &&
>> setfscreatecon(argv[3]) < 0) { perror("do_mknodat: setfscreatecon"); return TEST_ERROR; diff
>> --git a/audit-test/utils/bin/do_mq_open.c b/audit-test/utils/bin/do_mq_open.c index
>> 25adc8b..8d0ec9d 100644 --- a/audit-test/utils/bin/do_mq_open.c +++
>> b/audit-test/utils/bin/do_mq_open.c @@ -15,7 +15,7 @@
>>
>> #include "includes.h" #include <mqueue.h> -#ifndef SUSE +#ifdef LSM_SELINUX #include
>> <selinux/selinux.h> #endif
>>
>> @@ -45,7 +45,7 @@ int main(int argc, char **argv) return 1; }
>>
>> -#ifndef SUSE +#ifdef LSM_SELINUX if ((argc > 3) && (setfscreatecon(argv[3]) < 0)) {
>> perror("do_mq_open: setfscreatecon"); return 1; diff --git a/audit-test/utils/bin/do_open.c
>> b/audit-test/utils/bin/do_open.c index 1068461..781f6f9 100644 ---
>> a/audit-test/utils/bin/do_open.c +++ b/audit-test/utils/bin/do_open.c @@ -14,7 +14,7 @@ */
>>
>> #include "includes.h" -#ifndef SUSE +#ifdef LSM_SELINUX #include <selinux/selinux.h> #endif
>>
>> @@ -46,7 +46,7 @@ int main(int argc, char **argv) return 1; }
>>
>> -#ifndef SUSE +#ifdef LSM_SELINUX if ((argc > 3) && (setfscreatecon(argv[3]) < 0)) {
>> perror("do_open: setfscreatecon"); return 1; diff --git a/audit-test/utils/bin/do_openat.c
>> b/audit-test/utils/bin/do_openat.c index 43da725..6205406 100644 ---
>> a/audit-test/utils/bin/do_openat.c +++ b/audit-test/utils/bin/do_openat.c @@ -14,7 +14,7 @@ */
>>
>> #include "includes.h" -#ifndef SUSE +#ifdef LSM_SELINUX #include <selinux/selinux.h> #endif
>>
>> @@ -53,7 +53,7 @@ int main(int argc, char **argv) perror("do_openat: open dirfd"); return
>> TEST_ERROR; } -#ifndef SUSE +#ifdef LSM_SELINUX if (argc == 5 && setfscreatecon(argv[4]) < 0)
>> { perror("do_openat: setfscreatecon"); return TEST_ERROR; diff --git
>> a/audit-test/utils/bin/do_symlink.c b/audit-test/utils/bin/do_symlink.c index 75dfe0b..d902493
>> 100644 --- a/audit-test/utils/bin/do_symlink.c +++ b/audit-test/utils/bin/do_symlink.c @@ -14,7
>> +14,7 @@ */
>>
>> #include "includes.h" -#ifndef SUSE +#ifdef LSM_SELINUX #include <selinux/selinux.h> #endif
>>
>> @@ -27,7 +27,7 @@ int main(int argc, char **argv) return 1; }
>>
>> -#ifndef SUSE +#ifdef LSM_SELINUX if ((argc > 3) && (setfscreatecon(argv[3]) < 0)) {
>> perror("do_symlink: setfscreatecon"); return 1; diff --git
>> a/audit-test/utils/bin/do_symlinkat.c b/audit-test/utils/bin/do_symlinkat.c index
>> 9e67a28..1829dcf 100644 --- a/audit-test/utils/bin/do_symlinkat.c +++
>> b/audit-test/utils/bin/do_symlinkat.c @@ -15,7 +15,7 @@ */
>>
>> #include "includes.h" -#ifndef SUSE +#ifdef LSM_SELINUX #include <selinux/selinux.h> #endif
>>
>> @@ -32,7 +32,7 @@ int main(int argc, char **argv) dir_fd = open(argv[1], O_DIRECTORY); if
>> (dir_fd < 0) return TEST_ERROR; -#ifndef SUSE +#ifdef LSM_SELINUX if (argc == 5 &&
>> setfscreatecon(argv[4]) < 0) { perror("do_symlinkat: setfscreatecon"); return TEST_ERROR; diff
>> --git a/audit-test/utils/run.bash b/audit-test/utils/run.bash index a2a5da6..721e744 100755 ---
>> a/audit-test/utils/run.bash +++ b/audit-test/utils/run.bash @@ -463,11 +463,15 @@ function
>> show_header { printf "%-32s %s\n" Mode: "${MODE:-(native)}" printf "%-32s %s\n" Hostname:
>> "$(uname -n)" printf "%-32s %s\n" Profile: "$PPROFILE" - printf "%-32s %s\n"
>> "selinux-policy version:" "$(rpm -q selinux-policy)" + if [[ $LSM_SELINUX ]] ; then +
>> printf "%-32s %s\n" "selinux-policy version:" "$(rpm -q selinux-policy)" + fi if [[
>> $PPROFILE == lspp ]] ; then printf "%-32s %s\n" "lspp_test policy version:" "$(semodule -l |
>> grep lspp_test | awk '{print $2}')" fi - printf "\n%s\n" "$(sestatus)" + if [[
>> $LSM_SELINUX ]] ; then + printf "\n%s\n" "$(sestatus)" + fi echo } | tee
>> $opt_logdir/$header_log }
>>
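Review bot: In the do_*.c hunks, a build without LSM_SELINUX compiles out the `setfscreatecon()` call while the program still accepts the context argument, so a caller that passes a context gets a successful exit and an object created under the default label. Now that the guard is no longer tied to SUSE, an `#else` branch that fails when the context argument is present (for example when `argc > 3` in do_open.c) would stop a MAC test from passing without the label having been applied, unless such a branch already exists below the context shown here.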
>
> - --
> Miroslav Vadkerti :: Senior Quality Assurance Engineer / RHCSS :: BaseOS QE - Security
> Phone +420 532 294 129 :: CR cell +420 776 864 252 :: SR cell +421 904 135 440
> IRC mvadkert at #qe #urt #brno #rpmdiff :: GnuPG ID 0x25881087 at pgp.mit.edu
> Red Hat s.r.o, Purkyňova 99/71, 612 45, Brno, Czech Republic
>
|
|
From: Linda K. <lin...@hp...> - 2014-07-25 14:32:21
|
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Miroslav,

I didn't have any comments on the patches but I did want to know that they had
been tested on x86. I haven't had a chance to try them myself so I really
appreciate your test results and the Linaro testing with this series.

Thank you and Jiri for the reviews and testing. When you're happy, please
go ahead and push the changes.

Thank you Linaro developers for your work on this.

- -- ljk

On 7/25/2014 9:04 AM, Miroslav Vadkerti wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi Linda,
>
> according to our testing this patch set looks good (after small correction
> in Makefile) - all tests pass in Base and MLS.
>
> Do you have any comments to the final v4 patch set? If not after
> correcting the Makefile we will push the changes upstream.
>
> Thanks,
> /M
>
> On 07/24/2014 08:02 AM, AKASHI Takahiro wrote:
>> This patch allows the test suite to be run on aarch64 (or arm64 in kernel
>> jargon) with 64-bit and 32-bit userspace. I successfully built and ran it on
>>   - ARMv8 fast model
>>   - x86_64 Fedora 20
>> but only against audit-test/syscalls and filter, and so fixes here might be
>> incomplete in the other categories (and on other architectures). See
>> audit-test/Makefile, which is a bit messy in general.
>>
>> v4:
>> * fix usages of LSM_SELINUX macro
>>
>> v3:
>> * correct makefiles/bash scripts around usages of LSM_SELINUX macro
>> * untabify the leading tabs
>> * protect utils/network-server with LSM_SELINUX
>>
>> v2:
>> * clean up the usages of macros, MACHINE, LSM_SELINUX and UTILS
>> * cosmetic changes (indentation, splitting lines) for readability
>>
>> AKASHI Takahiro (5):
>>   audit-test: use LSM_SELINUX instead of SUSE to work-around SE-Linux
>>   audit-test: handle __NR3264_xxx syscall definitions
>>   audit-test/syscalls: add aarch64 support
>>   audit-test/filter: add aarch64 support
>>   audit-test/syscalls: add arm support
>>
>>  audit-test/filter/run.conf                         |  2 ++
>>  audit-test/filter/tests/test_auid.bash             |  9 +++++--
>>  audit-test/filter/tests/test_class_attr.bash       | 28 +++++++++++++++-----
>>  audit-test/filter/tests/test_dev_inode.bash        | 11 +++++---
>>  audit-test/filter/tests/test_success.bash          |  8 ++++--
>>  audit-test/filter/tests/test_syscall.bash          |  8 ++++--
>>  audit-test/filter/tests/test_type.bash             |  9 +++++--
>>  audit-test/filter/tests/test_watch_dir_remove.bash | 20 ++++++++------
>>  audit-test/filter/tests/test_watch_open.bash       | 10 +++++--
>>  audit-test/filter/tests/test_watch_remove.bash     |  4 +++
>>  audit-test/rules.mk                                | 11 +++++---
>>  audit-test/syscalls/cap-run.conf                   | 15 +++++++----
>>  audit-test/syscalls/dac-run.conf                   | 24 +++++++++++------
>>  audit-test/syscalls/mac-run.conf                   | 24 +++++++++++------
>>  audit-test/utils/Makefile                          |  7 ++++-
>>  audit-test/utils/augrok                            | 17 ++++++++++--
>>  audit-test/utils/bin/Makefile                      | 14 +++++++---
>>  audit-test/utils/bin/do_creat.c                    |  4 +--
>>  audit-test/utils/bin/do_mkdir.c                    |  4 +--
>>  audit-test/utils/bin/do_mkdirat.c                  |  4 +--
>>  audit-test/utils/bin/do_mknod.c                    |  4 +--
>>  audit-test/utils/bin/do_mknodat.c                  |  4 +--
>>  audit-test/utils/bin/do_mq_open.c                  |  4 +--
>>  audit-test/utils/bin/do_open.c                     |  4 +--
>>  audit-test/utils/bin/do_openat.c                   |  4 +--
>>  audit-test/utils/bin/do_symlink.c                  |  4 +--
>>  audit-test/utils/bin/do_symlinkat.c                |  4 +--
>>  audit-test/utils/run.bash                          |  8 ++++--
>>  28 files changed, 188 insertions(+), 81 deletions(-)
>>
>
> - --
> Miroslav Vadkerti :: Senior Quality Assurance Engineer / RHCSS :: BaseOS QE - Security
> Phone +420 532 294 129 :: CR cell +420 776 864 252 :: SR cell +421 904 135 440
> IRC mvadkert at #qe #urt #brno #rpmdiff :: GnuPG ID 0x25881087 at pgp.mit.edu
> Red Hat s.r.o, Purkyňova 99/71, 612 45, Brno, Czech Republic
|
|
From: Miroslav V. <mva...@re...> - 2014-07-25 13:04:46
|
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Linda,

according to our testing this patch set looks good (after small correction in Makefile) - all
tests pass in Base and MLS.

Do you have any comments to the final v4 patch set? If not after correcting the Makefile we will
push the changes upstream.

Thanks,
/M

On 07/24/2014 08:02 AM, AKASHI Takahiro wrote:
> This patch allows the test suite to be run on aarch64 (or arm64 in kernel jargon) with 64-bit
> and 32-bit userspace. I successfully built and ran it on
>   - ARMv8 fast model
>   - x86_64 Fedora 20
> but only against audit-test/syscalls and filter, and so fixes here might be incomplete in the
> other categories (and on other architectures). See audit-test/Makefile, which is a bit messy in
> general.
>
> v4:
> * fix usages of LSM_SELINUX macro
>
> v3:
> * correct makefiles/bash scripts around usages of LSM_SELINUX macro
> * untabify the leading tabs
> * protect utils/network-server with LSM_SELINUX
>
> v2:
> * clean up the usages of macros, MACHINE, LSM_SELINUX and UTILS
> * cosmetic changes (indentation, splitting lines) for readability
>
> AKASHI Takahiro (5):
>   audit-test: use LSM_SELINUX instead of SUSE to work-around SE-Linux
>   audit-test: handle __NR3264_xxx syscall definitions
>   audit-test/syscalls: add aarch64 support
>   audit-test/filter: add aarch64 support
>   audit-test/syscalls: add arm support
>
>  audit-test/filter/run.conf                         |  2 ++
>  audit-test/filter/tests/test_auid.bash             |  9 +++++--
>  audit-test/filter/tests/test_class_attr.bash       | 28 +++++++++++++++-----
>  audit-test/filter/tests/test_dev_inode.bash        | 11 +++++---
>  audit-test/filter/tests/test_success.bash          |  8 ++++--
>  audit-test/filter/tests/test_syscall.bash          |  8 ++++--
>  audit-test/filter/tests/test_type.bash             |  9 +++++--
>  audit-test/filter/tests/test_watch_dir_remove.bash | 20 ++++++++------
>  audit-test/filter/tests/test_watch_open.bash       | 10 +++++--
>  audit-test/filter/tests/test_watch_remove.bash     |  4 +++
>  audit-test/rules.mk                                | 11 +++++---
>  audit-test/syscalls/cap-run.conf                   | 15 +++++++----
>  audit-test/syscalls/dac-run.conf                   | 24 +++++++++++------
>  audit-test/syscalls/mac-run.conf                   | 24 +++++++++++------
>  audit-test/utils/Makefile                          |  7 ++++-
>  audit-test/utils/augrok                            | 17 ++++++++++--
>  audit-test/utils/bin/Makefile                      | 14 +++++++---
>  audit-test/utils/bin/do_creat.c                    |  4 +--
>  audit-test/utils/bin/do_mkdir.c                    |  4 +--
>  audit-test/utils/bin/do_mkdirat.c                  |  4 +--
>  audit-test/utils/bin/do_mknod.c                    |  4 +--
>  audit-test/utils/bin/do_mknodat.c                  |  4 +--
>  audit-test/utils/bin/do_mq_open.c                  |  4 +--
>  audit-test/utils/bin/do_open.c                     |  4 +--
>  audit-test/utils/bin/do_openat.c                   |  4 +--
>  audit-test/utils/bin/do_symlink.c                  |  4 +--
>  audit-test/utils/bin/do_symlinkat.c                |  4 +--
>  audit-test/utils/run.bash                          |  8 ++++--
>  28 files changed, 188 insertions(+), 81 deletions(-)
>

- --
Miroslav Vadkerti :: Senior Quality Assurance Engineer / RHCSS :: BaseOS QE - Security
Phone +420 532 294 129 :: CR cell +420 776 864 252 :: SR cell +421 904 135 440
IRC mvadkert at #qe #urt #brno #rpmdiff :: GnuPG ID 0x25881087 at pgp.mit.edu
Red Hat s.r.o, Purkyňova 99/71, 612 45, Brno, Czech Republic
|
|
From: Miroslav V. <mva...@re...> - 2014-07-25 13:01:23
|
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
thanks for the patches.
On 07/24/2014 08:02 AM, AKASHI Takahiro wrote:
> Current makefile uses DISTRO(== SUSE) to keep SE-Linux related programs from being compiled and
> executed. This is inconvenient for other distributions or rootfs build tools, like Buildroot and
> OpenEmbedded.
>
> This patch introduces LSM_SELINUX instead to do the same thing.
>
> Signed-off-by: AKASHI Takahiro <tak...@li...>
> ---
>  audit-test/filter/run.conf          | 2 ++
>  audit-test/rules.mk                 | 9 +++++----
>  audit-test/utils/Makefile           | 7 ++++++-
>  audit-test/utils/bin/Makefile       | 2 +-
>  audit-test/utils/bin/do_creat.c     | 4 ++--
>  audit-test/utils/bin/do_mkdir.c     | 4 ++--
>  audit-test/utils/bin/do_mkdirat.c   | 4 ++--
>  audit-test/utils/bin/do_mknod.c     | 4 ++--
>  audit-test/utils/bin/do_mknodat.c   | 4 ++--
>  audit-test/utils/bin/do_mq_open.c   | 4 ++--
>  audit-test/utils/bin/do_open.c      | 4 ++--
>  audit-test/utils/bin/do_openat.c    | 4 ++--
>  audit-test/utils/bin/do_symlink.c   | 4 ++--
>  audit-test/utils/bin/do_symlinkat.c | 4 ++--
>  audit-test/utils/run.bash           | 8 ++++++--
>  15 files changed, 40 insertions(+), 28 deletions(-)
>
> diff --git a/audit-test/filter/run.conf b/audit-test/filter/run.conf index 3ac111a..d52cf00
> 100644 --- a/audit-test/filter/run.conf +++ b/audit-test/filter/run.conf @@ -79,11 +79,13 @@
> fi + class_write + class_exec + class_attr +if [[ $LSM_SELINUX ]]; then + secontext subj_sen +
> secontext subj_clr + secontext subj_role + secontext obj_lev_low + secontext obj_lev_high_base
> +fi if [[ $PPROFILE == lspp ]]; then + secontext obj_lev_high_mls fi diff --git
> a/audit-test/rules.mk b/audit-test/rules.mk index fd2f8a5..49c0df2 100644 ---
> a/audit-test/rules.mk +++ b/audit-test/rules.mk @@ -75,13 +75,14 @@ RELEASE = $(wildcard
> /etc/*-release) ifeq (SuSE, $(findstring SuSE, $(RELEASE))) CFLAGS +=-DSUSE export DISTRO=SUSE
> -endif -ifeq (fedora, $(findstring fedora, $(RELEASE))) -CFLAGS +=-DFEDORA +else ifeq (fedora,
> $(findstring fedora, $(RELEASE))) +CFLAGS +="-DFEDORA -DLSM_SELINUX"
This will not work, you need to omit the double quotes, the compiler will silently ignore
those CFLAGS:
cc -g -O2 -Wall -Werror -D_GNU_SOURCE -fno-strict-aliasing "-DRHEL -DLSM_SELINUX" -I../include
do_creat.c -lselinux -o do_creat
Will you correct these small typos or should we do it?
With these corrections all tests pass also in MLS:
TALLIED RESULTS
1049 pass (100%)
0 fail (0%)
0 error (0%)
- ------------------
1049 total
Best regards,
/M
> export DISTRO=FEDORA +export LSM_SELINUX=1 else ifeq (redhat, $(findstring redhat,
> $(RELEASE))) -CFLAGS +=-DRHEL +CFLAGS +="-DRHEL -DLSM_SELINUX" export DISTRO=RHEL +export
> LSM_SELINUX=1 endif
>
> ifeq (s390x, $(findstring s390x, $(MACHINE))) diff --git a/audit-test/utils/Makefile
> b/audit-test/utils/Makefile index 489d98b..f43b0f1 100644 --- a/audit-test/utils/Makefile +++
> b/audit-test/utils/Makefile @@ -18,14 +18,19 @@ TOPDIR = .. UTILSDIR = . CPPFLAGS +=
> -I$(UTILSDIR)/include +ifdef LSM_SELINUX LDLIBS += -lselinux
>
> UTILS_EXE = test_context \ test_setcon +endif
>
> ALL_EXE = $(UTILS_EXE)
>
> -SUB_DIRS = bin network-server +SUB_DIRS = bin +ifdef LSM_SELINUX +SUB_DIRS += network-server
> +endif
>
> include $(TOPDIR)/rules.mk
>
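Review bot: Both new `ifdef LSM_SELINUX` blocks in audit-test/utils/Makefile sit above `include $(TOPDIR)/rules.mk`, and rules.mk is where this patch does `export LSM_SELINUX=1`. make evaluates `ifdef` while it parses the file, so unless the variable is already in the environment when make starts in this directory the test is false and `-lselinux`, `test_context`, `test_setcon` and `network-server` are dropped even on Fedora or RHEL. Either move the distribution detection ahead of these conditionals or state in the commit message that a standalone build in utils/ needs LSM_SELINUX set by the caller.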
> diff --git a/audit-test/utils/bin/Makefile b/audit-test/utils/bin/Makefile index
> 098d46c..654ef9c 100644 --- a/audit-test/utils/bin/Makefile +++
> b/audit-test/utils/bin/Makefile @@ -193,7 +193,7 @@ ALL_EXE += $(ONLY86_EXE) endif
>
> $(CAPS_EXE): LDLIBS += -lcap -ifneq ($(DISTRO), SUSE) +ifdef LSM_SELINUX $(CREATE_EXE): LDLIBS
> += -lselinux $(MQ_EXE): LDLIBS += -lrt -lselinux else diff --git
> a/audit-test/utils/bin/do_creat.c b/audit-test/utils/bin/do_creat.c index 85b31fb..81b0686
> 100644 --- a/audit-test/utils/bin/do_creat.c +++ b/audit-test/utils/bin/do_creat.c @@ -14,7
> +14,7 @@ */
>
> #include "includes.h" -#ifndef SUSE +#ifdef LSM_SELINUX #include <selinux/selinux.h> #endif
>
> @@ -27,7 +27,7 @@ int main(int argc, char **argv) return 1; }
>
> -#ifndef SUSE +#ifdef LSM_SELINUX if ((argc > 2) && (setfscreatecon(argv[2]) < 0)) {
> perror("do_creat: setfscreatecon"); return 1; diff --git a/audit-test/utils/bin/do_mkdir.c
> b/audit-test/utils/bin/do_mkdir.c index f06f394..d601903 100644 ---
> a/audit-test/utils/bin/do_mkdir.c +++ b/audit-test/utils/bin/do_mkdir.c @@ -14,7 +14,7 @@ */
>
> #include "includes.h" -#ifndef SUSE +#ifdef LSM_SELINUX #include <selinux/selinux.h> #endif
>
> @@ -27,7 +27,7 @@ int main(int argc, char **argv) return 1; }
>
> -#ifndef SUSE +#ifdef LSM_SELINUX if ((argc > 2) && (setfscreatecon(argv[2]) < 0)) {
> perror("do_mkdir: setfscreatecon"); return 1; diff --git a/audit-test/utils/bin/do_mkdirat.c
> b/audit-test/utils/bin/do_mkdirat.c index 67d5ac9..5a6e54f 100644 ---
> a/audit-test/utils/bin/do_mkdirat.c +++ b/audit-test/utils/bin/do_mkdirat.c @@ -14,7 +14,7 @@
> */
>
> #include "includes.h" -#ifndef SUSE +#ifdef LSM_SELINUX #include <selinux/selinux.h> #endif
>
> @@ -28,7 +28,7 @@ int main(int argc, char **argv) return TEST_ERROR; }
>
> -#ifndef SUSE +#ifdef LSM_SELINUX if ((argc > 3) && (setfscreatecon(argv[3]) < 0)) {
> perror("do_mkdirat: setfscreatecon"); return TEST_ERROR; diff --git
> a/audit-test/utils/bin/do_mknod.c b/audit-test/utils/bin/do_mknod.c index 07ca554..c12c76d
> 100644 --- a/audit-test/utils/bin/do_mknod.c +++ b/audit-test/utils/bin/do_mknod.c @@ -14,7
> +14,7 @@ */
>
> #include "includes.h" -#ifndef SUSE +#ifdef LSM_SELINUX #include <selinux/selinux.h> #endif
>
> @@ -27,7 +27,7 @@ int main(int argc, char **argv) return 1; }
>
> -#ifndef SUSE +#ifdef LSM_SELINUX if ((argc > 2) && (setfscreatecon(argv[2]) < 0)) {
> perror("do_mknod: setfscreatecon"); return 1; diff --git a/audit-test/utils/bin/do_mknodat.c
> b/audit-test/utils/bin/do_mknodat.c index 5acb057..7e9ea2c 100644 ---
> a/audit-test/utils/bin/do_mknodat.c +++ b/audit-test/utils/bin/do_mknodat.c @@ -14,7 +14,7 @@
> */
>
> #include "includes.h" -#ifndef SUSE +#ifdef LSM_SELINUX #include <selinux/selinux.h> #endif
>
> @@ -31,7 +31,7 @@ int main(int argc, char **argv) dir_fd = open(argv[1], O_DIRECTORY); if
> (dir_fd < 0) return TEST_ERROR; -#ifndef SUSE +#ifdef LSM_SELINUX if (argc == 4 &&
> setfscreatecon(argv[3]) < 0) { perror("do_mknodat: setfscreatecon"); return TEST_ERROR; diff
> --git a/audit-test/utils/bin/do_mq_open.c b/audit-test/utils/bin/do_mq_open.c index
> 25adc8b..8d0ec9d 100644 --- a/audit-test/utils/bin/do_mq_open.c +++
> b/audit-test/utils/bin/do_mq_open.c @@ -15,7 +15,7 @@
>
> #include "includes.h" #include <mqueue.h> -#ifndef SUSE +#ifdef LSM_SELINUX #include
> <selinux/selinux.h> #endif
>
> @@ -45,7 +45,7 @@ int main(int argc, char **argv) return 1; }
>
> -#ifndef SUSE +#ifdef LSM_SELINUX if ((argc > 3) && (setfscreatecon(argv[3]) < 0)) {
> perror("do_mq_open: setfscreatecon"); return 1; diff --git a/audit-test/utils/bin/do_open.c
> b/audit-test/utils/bin/do_open.c index 1068461..781f6f9 100644 ---
> a/audit-test/utils/bin/do_open.c +++ b/audit-test/utils/bin/do_open.c @@ -14,7 +14,7 @@ */
>
> #include "includes.h" -#ifndef SUSE +#ifdef LSM_SELINUX #include <selinux/selinux.h> #endif
>
> @@ -46,7 +46,7 @@ int main(int argc, char **argv) return 1; }
>
> -#ifndef SUSE +#ifdef LSM_SELINUX if ((argc > 3) && (setfscreatecon(argv[3]) < 0)) {
> perror("do_open: setfscreatecon"); return 1; diff --git a/audit-test/utils/bin/do_openat.c
> b/audit-test/utils/bin/do_openat.c index 43da725..6205406 100644 ---
> a/audit-test/utils/bin/do_openat.c +++ b/audit-test/utils/bin/do_openat.c @@ -14,7 +14,7 @@ */
>
> #include "includes.h" -#ifndef SUSE +#ifdef LSM_SELINUX #include <selinux/selinux.h> #endif
>
> @@ -53,7 +53,7 @@ int main(int argc, char **argv) perror("do_openat: open dirfd"); return
> TEST_ERROR; } -#ifndef SUSE +#ifdef LSM_SELINUX if (argc == 5 && setfscreatecon(argv[4]) < 0)
> { perror("do_openat: setfscreatecon"); return TEST_ERROR; diff --git
> a/audit-test/utils/bin/do_symlink.c b/audit-test/utils/bin/do_symlink.c index 75dfe0b..d902493
> 100644 --- a/audit-test/utils/bin/do_symlink.c +++ b/audit-test/utils/bin/do_symlink.c @@ -14,7
> +14,7 @@ */
>
> #include "includes.h" -#ifndef SUSE +#ifdef LSM_SELINUX #include <selinux/selinux.h> #endif
>
> @@ -27,7 +27,7 @@ int main(int argc, char **argv) return 1; }
>
> -#ifndef SUSE +#ifdef LSM_SELINUX if ((argc > 3) && (setfscreatecon(argv[3]) < 0)) {
> perror("do_symlink: setfscreatecon"); return 1; diff --git
> a/audit-test/utils/bin/do_symlinkat.c b/audit-test/utils/bin/do_symlinkat.c index
> 9e67a28..1829dcf 100644 --- a/audit-test/utils/bin/do_symlinkat.c +++
> b/audit-test/utils/bin/do_symlinkat.c @@ -15,7 +15,7 @@ */
>
> #include "includes.h" -#ifndef SUSE +#ifdef LSM_SELINUX #include <selinux/selinux.h> #endif
>
> @@ -32,7 +32,7 @@ int main(int argc, char **argv) dir_fd = open(argv[1], O_DIRECTORY); if
> (dir_fd < 0) return TEST_ERROR; -#ifndef SUSE +#ifdef LSM_SELINUX if (argc == 5 &&
> setfscreatecon(argv[4]) < 0) { perror("do_symlinkat: setfscreatecon"); return TEST_ERROR; diff
> --git a/audit-test/utils/run.bash b/audit-test/utils/run.bash index a2a5da6..721e744 100755 ---
> a/audit-test/utils/run.bash +++ b/audit-test/utils/run.bash @@ -463,11 +463,15 @@ function
> show_header { printf "%-32s %s\n" Mode: "${MODE:-(native)}" printf "%-32s %s\n" Hostname:
> "$(uname -n)" printf "%-32s %s\n" Profile: "$PPROFILE" - printf "%-32s %s\n"
> "selinux-policy version:" "$(rpm -q selinux-policy)" + if [[ $LSM_SELINUX ]] ; then +
> printf "%-32s %s\n" "selinux-policy version:" "$(rpm -q selinux-policy)" + fi if [[
> $PPROFILE == lspp ]] ; then printf "%-32s %s\n" "lspp_test policy version:" "$(semodule -l |
> grep lspp_test | awk '{print $2}')" fi - printf "\n%s\n" "$(sestatus)" + if [[
> $LSM_SELINUX ]] ; then + printf "\n%s\n" "$(sestatus)" + fi echo } | tee
> $opt_logdir/$header_log }
>
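Review bot: In the run.bash hunk, `show_header` now guards `rpm -q selinux-policy` and `sestatus` with `[[ $LSM_SELINUX ]]`, but the unchanged `semodule -l | grep lspp_test` branch is still gated only on `$PPROFILE == lspp`, and the same is true of `secontext obj_lev_high_mls` in filter/run.conf. If the lspp profile can only be selected on an SELinux build, say so in the commit message; otherwise nest those branches inside the new guard. Note also that `[[ $LSM_SELINUX ]]` and make's `ifdef` both treat any non-empty value as enabled, so `LSM_SELINUX=0` turns the SELinux paths on; that is worth a line of documentation next to the `export LSM_SELINUX=1` in rules.mk.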
- --
Miroslav Vadkerti :: Senior Quality Assurance Engineer / RHCSS :: BaseOS QE - Security
Phone +420 532 294 129 :: CR cell +420 776 864 252 :: SR cell +421 904 135 440
IRC mvadkert at #qe #urt #brno #rpmdiff :: GnuPG ID 0x25881087 at pgp.mit.edu
Red Hat s.r.o, Purkyňova 99/71, 612 45, Brno, Czech Republic
|
|
From: AKASHI T. <tak...@li...> - 2014-07-24 06:03:57
|
This patch selectively executes appropriate test programs for arm. Signed-off-by: AKASHI Takahiro <tak...@li...> --- audit-test/syscalls/cap-run.conf | 15 ++++++++++----- audit-test/syscalls/dac-run.conf | 24 ++++++++++++++++-------- audit-test/syscalls/mac-run.conf | 24 ++++++++++++++++-------- audit-test/utils/bin/Makefile | 4 ++++ 4 files changed, 46 insertions(+), 21 deletions(-) diff --git a/audit-test/syscalls/cap-run.conf b/audit-test/syscalls/cap-run.conf index 93454ef..8d440fc 100644 --- a/audit-test/syscalls/cap-run.conf +++ b/audit-test/syscalls/cap-run.conf @@ -221,7 +221,8 @@ fi ## syscall using the value of flag to determine the control operation; ## verify the result. ## 3. Check the audit log for the correct syscall result -if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then +if [[ ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) || + $ARCH == "arm" ]]; then + msgctl perm=msg_id_remove expres=success user=super + msgctl perm=msg_id_remove expres=fail user=test + msgctl perm=msg_id_set expres=success user=super @@ -250,7 +251,8 @@ fi ## syscall using the value of flag to determine the control operation; ## verify the result. ## 3. Check the audit log for the correct syscall result -if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then +if [[ ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) || + $ARCH == "arm" ]]; then + semctl perm=sem_id_remove expres=success user=super + semctl perm=sem_id_remove expres=fail user=test + semctl perm=sem_id_set expres=success user=super 
@@ -279,7 +281,8 @@ fi ## syscall using the value of flag to determine the control operation; ## verify the result. ## 3. Check the audit log for the correct syscall result -if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then +if [[ ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) || + $ARCH == "arm" ]]; then + shmctl perm=shm_id_remove expres=success user=super + shmctl perm=shm_id_remove expres=fail user=test + shmctl perm=shm_id_set expres=success user=super @@ -338,7 +341,8 @@ fi ## 1b. If expres=fail, execute the test process as a regular user and ## attempt to set port permission bits, verify the result. ## 2. Check the audit log for the correct syscall result -if [[ $MODE == 32 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then +if [[ $MODE == 32 && + $ARCH != "PPC" && $ARCH != "s390x" && $ARCH != "arm" ]]; then + ioperm perm=io_perm expres=success user=super + ioperm perm=io_perm expres=fail user=test fi @@ -353,7 +357,8 @@ fi ## 1b. If expres=fail, execute the test process as a regular user and ## attempt to set process's the I/O privilege level, verify the result. ## 2. Check the audit log for the correct syscall result -if [[ $MODE == 32 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then +if [[ $MODE == 32 && + $ARCH != "PPC" && $ARCH != "s390x" && $ARCH != "arm" ]]; then + iopl perm=io_priv expres=success user=super + iopl perm=io_priv expres=fail user=test fi diff --git a/audit-test/syscalls/dac-run.conf b/audit-test/syscalls/dac-run.conf index d02b7a6..a03c637 100644 --- a/audit-test/syscalls/dac-run.conf +++ b/audit-test/syscalls/dac-run.conf 
@@ -436,7 +436,8 @@ fi ## syscall using the value of flag to determine whether to open the message ## queue for read or write; verify the result. ## 3. Check the audit log for the correct syscall result -if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then +if [[ ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) || + $ARCH == "arm" ]]; then + msgget perm=msg_key_read expres=success dacugo=user user=super + msgget perm=msg_key_read expres=fail dacugo=user user=test + msgget perm=msg_key_write expres=success dacugo=user user=super @@ -460,7 +461,8 @@ fi ## 2b. If expres=fail, execute the test process as another user and attempt to ## receive a message, verify the result ## 3. Check the audit log for the correct syscall result -if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then +if [[ ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) || + $ARCH == "arm" ]]; then + msgrcv perm=msg_id_recv expres=success dacugo=user user=super + msgrcv perm=msg_id_recv expres=fail dacugo=user user=test else @@ -480,7 +482,8 @@ fi ## 2b. If expres=fail, execute the test process as another user and attempt to ## send a message, verify the result ## 3. Check the audit log for the correct syscall result -if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then +if [[ ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) || + $ARCH == "arm" ]]; then + msgsnd perm=msg_id_send msg="this is a test" expres=success dacugo=user \ user=super testfunc=test_su_msg_send + msgsnd perm=msg_id_send msg="this is a test" expres=fail dacugo=user \ 
@@ -512,7 +515,8 @@ fi ## syscall using the value of flag to determine whether to open the ## semaphore set for read or write; verify the result. ## 3. Check the audit log for the correct syscall result -if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then +if [[ ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) || + $ARCH == "arm" ]]; then + semget perm=sem_key_read expres=success dacugo=user user=super + semget perm=sem_key_read expres=fail dacugo=user user=test + semget perm=sem_key_write expres=success dacugo=user user=super @@ -537,7 +541,8 @@ fi ## 2b. If expres=fail, execute the test process as another user and attempt a ## read operation, verify the result ## 3. Check the audit log for the correct syscall result -if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then +if [[ ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) || + $ARCH == "arm" ]]; then + semop perm=sem_id_read expres=success dacugo=user user=super + semop perm=sem_id_read expres=fail dacugo=user user=test else @@ -558,7 +563,8 @@ fi ## 2b. If expres=fail, execute the test process as another user and attempt a ## write operation, verify the result ## 3. Check the audit log for the correct syscall result -if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then +if [[ ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) || + $ARCH == "arm" ]]; then + semtimedop perm=sem_id_write expres=success dacugo=user user=super + semtimedop perm=sem_id_write expres=fail dacugo=user user=test else 
@@ -583,7 +589,8 @@ fi ## syscall using the value of perm to determine whether to perform a read or ## write operation; verify the result ## 3. Check the audit log for the correct syscall result -if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then +if [[ ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) || + $ARCH == "arm" ]]; then + shmat perm=shm_id_read expres=success dacugo=user user=super + shmat perm=shm_id_read expres=fail dacugo=user user=test + shmat perm=shm_id_write expres=success dacugo=user user=super @@ -618,7 +625,8 @@ fi ## syscall using the value of flag to determine whether to request the ## shared memory segment for read or write; verify the result. ## 3. Check the audit log for the correct syscall result -if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then +if [[ ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) || + $ARCH == "arm" ]]; then + shmget perm=shm_key_read expres=success dacugo=user user=super + shmget perm=shm_key_read expres=fail dacugo=user user=test + shmget perm=shm_key_write expres=success dacugo=user user=super diff --git a/audit-test/syscalls/mac-run.conf b/audit-test/syscalls/mac-run.conf index b7c064b..df7d873 100644 --- a/audit-test/syscalls/mac-run.conf +++ b/audit-test/syscalls/mac-run.conf @@ -702,7 +702,8 @@ fi ## test process requests the message queue for read or write depending on ## the 'perm' value '*_read' or '*_write'. Verify the result. ## 3. Check the audit log for the correct syscall result -if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then +if [[ ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) || + $ARCH == "arm" ]]; then + msgget perm=msg_key_read expres=success mlsop=eq + msgget perm=msg_key_read expres=success mlsop=dom + msgget perm=msg_key_read expres=fail mlsop=domby 
@@ -737,7 +738,8 @@ fi ## the ipc() syscall the function is determined by the 'op' variable. ## Verify the result. ## 4. Check the audit log for the correct syscall result -if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then +if [[ ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) || + $ARCH == "arm" ]]; then + msgrcv perm=msg_id_recv expres=success mlsop=eq + msgrcv perm=msg_id_recv expres=success mlsop=dom + msgrcv perm=msg_id_recv expres=fail mlsop=domby @@ -763,7 +765,8 @@ fi ## the ipc() syscall the function is determined by the 'op' variable. ## Verify the result. ## 4. Check the audit log for the correct syscall result -if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then +if [[ ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) || + $ARCH == "arm" ]]; then + msgsnd perm=msg_id_send msg="this is a test" expres=success mlsop=eq \ testfunc=test_runcon_msg_send + msgsnd perm=msg_id_send msg="this is a test" expres=fail mlsop=dom \ @@ -801,7 +804,8 @@ fi ## test process requests the semaphore set for read or write depending on ## the 'perm' value '*_read' or '*_write'. Verify the result. ## 3. Check the audit log for the correct syscall result -if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then +if [[ ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) || + $ARCH == "arm" ]]; then + semget perm=sem_key_read expres=success mlsop=eq + semget perm=sem_key_read expres=success mlsop=dom + semget perm=sem_key_read expres=fail mlsop=domby 
@@ -835,7 +839,8 @@ fi ## read operation. With the ipc() syscall the function is determined by the ## 'op' variable. Verify the result. ## 3. Check the audit log for the correct syscall result -if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then +if [[ ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) || + $ARCH == "arm" ]]; then + semop perm=sem_id_read expres=success mlsop=eq + semop perm=sem_id_read expres=success mlsop=dom + semop perm=sem_id_read expres=fail mlsop=domby @@ -861,7 +866,8 @@ fi ## write operation. With the ipc() syscall the function is determined by the ## 'op' variable. Verify the result. ## 3. Check the audit log for the correct syscall result -if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then +if [[ ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) || + $ARCH == "arm" ]]; then + semtimedop perm=sem_id_write expres=success mlsop=eq + semtimedop perm=sem_id_write expres=fail mlsop=dom + semtimedop perm=sem_id_write expres=fail mlsop=domby @@ -892,7 +898,8 @@ fi ## 'perm' variable. With the ipc() syscall the function is determined by ## the 'op' variable. Verify the result. ## 3. Check the audit log for the correct syscall result -if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then +if [[ ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) || + $ARCH == "arm" ]]; then + shmat perm=shm_id_read expres=success mlsop=eq + shmat perm=shm_id_read expres=success mlsop=dom + shmat perm=shm_id_read expres=fail mlsop=domby 
@@ -934,7 +941,8 @@ fi ## test process requests the shared memory segment for read or write ## depending on the 'perm' value '*_read' or '*_write'. Verify the result. ## 3. Check the audit log for the correct syscall result -if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then +if [[ ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) || + $ARCH == "arm" ]]; then + shmget perm=shm_key_read expres=success mlsop=eq + shmget perm=shm_key_read expres=success mlsop=dom + shmget perm=shm_key_read expres=fail mlsop=domby diff --git a/audit-test/utils/bin/Makefile b/audit-test/utils/bin/Makefile index 53bf40d..0cc04c9 100644 --- a/audit-test/utils/bin/Makefile +++ b/audit-test/utils/bin/Makefile @@ -187,6 +187,10 @@ ALL_EXE += $(ONLY32_EXE) endif endif endif +ifeq ($(MACHINE), arm) +ALL_EXE += $(ONLY32_EXE) +endif + ifeq ($(MACHINE), ia64) ALL_EXE += $(ONLYIA64_EXE) -- 1.7.9.5 |
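Review bot: the run.conf hunks test $ARCH == "arm" while the Makefile hunk at the end tests $(MACHINE) against arm, so both variables have to carry the same literal for the ipc() entries and ONLY32_EXE to stay in step; please state where ARCH is set to "arm". The same three-clause condition is also pasted into every hunk, so computing it once at the top of the file and testing a single variable would keep the next architecture addition to one line.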
|
From: AKASHI T. <tak...@li...> - 2014-07-24 06:03:49
|
On arm64/aarch64, some system calls are implemented in glibc using other
primitive system calls, say open() vs. openat(). Therefore, audit logs
have only records for primitive ones.
This patch adds work-arounds for these cases.
Signed-off-by: AKASHI Takahiro <tak...@li...>
---
audit-test/filter/tests/test_auid.bash | 9 +++++--
audit-test/filter/tests/test_class_attr.bash | 28 +++++++++++++++-----
audit-test/filter/tests/test_dev_inode.bash | 11 +++++---
audit-test/filter/tests/test_success.bash | 8 ++++--
audit-test/filter/tests/test_syscall.bash | 8 ++++--
audit-test/filter/tests/test_type.bash | 9 +++++--
audit-test/filter/tests/test_watch_dir_remove.bash | 20 ++++++++------
audit-test/filter/tests/test_watch_open.bash | 10 +++++--
audit-test/filter/tests/test_watch_remove.bash | 4 +++
9 files changed, 79 insertions(+), 28 deletions(-)
diff --git a/audit-test/filter/tests/test_auid.bash b/audit-test/filter/tests/test_auid.bash
index c165cf3..211023a 100755
--- a/audit-test/filter/tests/test_auid.bash
+++ b/audit-test/filter/tests/test_auid.bash
@@ -33,8 +33,13 @@ do_open_file $tmp1
augrok --seek=$log_mark "name==$tmp1" "auid==$user_auid" \
&& exit_error "Unexpected record found."
-auditctl -a exit,always -F arch=b$MODE -S open -F auid=$user_auid
-prepend_cleanup "auditctl -d exit,always -F arch=b$MODE -S open -F auid=$user_auid"
+if [[ ${MACHINE} = "aarch64" ]]; then
+ syscall_name="openat"
+else
+ syscall_name="open"
+fi
+auditctl -a exit,always -F arch=b$MODE -S $syscall_name -F auid=$user_auid
+prepend_cleanup "auditctl -d exit,always -F arch=b$MODE -S $syscall_name -F auid=$user_auid"
# audit log marker
log_mark=$(stat -c %s $audit_log)
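Review bot: the MACHINE check that picks openat over open is added here and repeated verbatim in test_dev_inode.bash, test_success.bash, test_syscall.bash, test_type.bash and test_watch_open.bash; it belongs in one shared place, for example filter_functions.bash, which test_success.bash, test_syscall.bash and test_type.bash already source, so that a later architecture needs one change instead of six.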
diff --git a/audit-test/filter/tests/test_class_attr.bash b/audit-test/filter/tests/test_class_attr.bash
index 687b3d9..f2a2f8f 100755
--- a/audit-test/filter/tests/test_class_attr.bash
+++ b/audit-test/filter/tests/test_class_attr.bash
@@ -32,15 +32,29 @@ log_mark=$(stat -c %s $audit_log)
# test
do_chmod $watch 777
-do_chown $watch root
+if [[ ${MACHINE} = "aarch64" ]]; then
+ do_fchownat $(dirname $watch) $(basename $watch) root
+else
+ do_chown $watch root
+fi
do_unlink $watch
# verify audit record
-augrok --seek=$log_mark type==SYSCALL syscall==chmod name==$watch \
- || exit_fail "Expected record for 'chmod' not found."
-augrok --seek=$log_mark type==SYSCALL syscall==chown name==$watch \
- || exit_fail "Expected record for 'chown' not found."
-augrok --seek=$log_mark type==SYSCALL syscall==unlink name==$watch \
- && exit_fail "Unexpected record for 'unlink' found."
+if [[ ${MACHINE} = "aarch64" ]]; then
+ augrok --seek=$log_mark type==SYSCALL syscall==fchmodat name==$watch \
+ || exit_fail "Expected record for 'chmod' not found."
+ augrok --seek=$log_mark type==SYSCALL syscall==fchownat
+ name==$(basename $watch) \
+ || exit_fail "Expected record for 'chown' not found."
+ augrok --seek=$log_mark type==SYSCALL syscall==unlinkat name==$watch \
+ && exit_fail "Unexpected record for 'unlink' found."
+else
+ augrok --seek=$log_mark type==SYSCALL syscall==chmod name==$watch \
+ || exit_fail "Expected record for 'chmod' not found."
+ augrok --seek=$log_mark type==SYSCALL syscall==chown name==$watch \
+ || exit_fail "Expected record for 'chown' not found."
+ augrok --seek=$log_mark type==SYSCALL syscall==unlink name==$watch \
+ && exit_fail "Unexpected record for 'unlink' found."
+fi
exit_pass
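Review bot: in the aarch64 branch the line ending in syscall==fchownat has no trailing backslash, so the name==$(basename $watch) line that follows is run as a separate command and the fchownat check is never combined with its || exit_fail. Add the continuation. The fchmodat check matches name==$watch while the fchownat check matches the basename; a short comment saying this follows from how do_fchownat is invoked would help, and the failure messages in this branch still say 'chmod', 'chown' and 'unlink' although the records searched for are fchmodat, fchownat and unlinkat.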
diff --git a/audit-test/filter/tests/test_dev_inode.bash b/audit-test/filter/tests/test_dev_inode.bash
index 30ea580..33d83cf 100755
--- a/audit-test/filter/tests/test_dev_inode.bash
+++ b/audit-test/filter/tests/test_dev_inode.bash
@@ -34,11 +34,16 @@ minor=$((0x$minor))
event_obj=$(get_event_obj $1)
[[ $event_obj != $tmp1 ]] && prepend_cleanup "rm -f $event_obj"
-auditctl -a exit,always -F arch=b$MODE -S open -F key=$tmp1 \
- -F inode=$inode -F devmajor=$major -F devminor=$minor
+if [[ ${MACHINE} = "aarch64" ]]; then
+ syscall_name="openat"
+else
+ syscall_name="open"
+fi
+auditctl -a exit,always -F arch=b$MODE -S $syscall_name -F key=$tmp1 \
+ -F inode=$inode -F devmajor=$major -F devminor=$minor
prepend_cleanup "
-auditctl -d exit,always -F arch=b$MODE -S open -F key=$tmp1 \
+auditctl -d exit,always -F arch=b$MODE -S $syscall_name -F key=$tmp1 \
-F inode=$inode -F devmajor=$major -F devminor=$minor"
log_mark=$(stat -c %s $audit_log)
diff --git a/audit-test/filter/tests/test_success.bash b/audit-test/filter/tests/test_success.bash
index 497959b..b38683e 100755
--- a/audit-test/filter/tests/test_success.bash
+++ b/audit-test/filter/tests/test_success.bash
@@ -21,7 +21,11 @@
source filter_functions.bash || exit 2
# setup
-syscall_name="open"
+if [[ ${MACHINE} = "aarch64" ]]; then
+ syscall_name="openat"
+else
+ syscall_name="open"
+fi
syscall_num=$(augrok --resolve $syscall_name) \
|| exit_error "unable to determine the syscall number for $syscall_name"
@@ -37,7 +41,7 @@ case $op in
;;
*) exit_fail "unknown test operation" ;;
esac
-filter_rule="exit,always -F arch=b$MODE -S open"
+filter_rule="exit,always -F arch=b$MODE -S $syscall_name"
auditctl -a $filter_rule $filter_field
prepend_cleanup "auditctl -d $filter_rule $filter_field"
diff --git a/audit-test/filter/tests/test_syscall.bash b/audit-test/filter/tests/test_syscall.bash
index 8159b92..3f26cec 100755
--- a/audit-test/filter/tests/test_syscall.bash
+++ b/audit-test/filter/tests/test_syscall.bash
@@ -21,13 +21,17 @@
source filter_functions.bash || exit 2
# setup
-syscall_name="open"
+if [[ ${MACHINE} = "aarch64" ]]; then
+ syscall_name="openat"
+else
+ syscall_name="open"
+fi
syscall_num=$(augrok --resolve $syscall_name) \
|| exit_error "unable to determine the syscall number for $syscall_name"
op=$1
case $op in
- name) filter_rule="exit,always -F arch=b$MODE -S open" ;;
+ name) filter_rule="exit,always -F arch=b$MODE -S $syscall_name" ;;
number) filter_rule="exit,always -S $syscall_num";;
*) exit_fail "unknown test operation" ;;
esac
diff --git a/audit-test/filter/tests/test_type.bash b/audit-test/filter/tests/test_type.bash
index 16c63f4..aa797a0 100755
--- a/audit-test/filter/tests/test_type.bash
+++ b/audit-test/filter/tests/test_type.bash
@@ -27,10 +27,15 @@ source filter_functions.bash || exit 2
# setup
user_auid=$(cat /proc/self/loginuid)
+if [[ ${MACHINE} = "aarch64" ]]; then
+ syscall_name="openat"
+else
+ syscall_name="open"
+fi
# setup auditctl
-auditctl -a exit,always -F arch=b$MODE -S open -F auid=$user_auid
-prepend_cleanup "auditctl -d exit,always -F arch=b$MODE -S open -F auid=$user_auid"
+auditctl -a exit,always -F arch=b$MODE -S $syscall_name -F auid=$user_auid
+prepend_cleanup "auditctl -d exit,always -F arch=b$MODE -S $syscall_name -F auid=$user_auid"
# audit log marker
log_mark=$(stat -c %s $audit_log)
diff --git a/audit-test/filter/tests/test_watch_dir_remove.bash b/audit-test/filter/tests/test_watch_dir_remove.bash
index bbdd9fb..23b79ab 100755
--- a/audit-test/filter/tests/test_watch_dir_remove.bash
+++ b/audit-test/filter/tests/test_watch_dir_remove.bash
@@ -28,24 +28,28 @@ tmpd=$(mktemp -d) || exit_fail "create tempdir failed"
watch="$tmpd"
name="$tmpd/foo"
-auditctl -a exit,always -F arch=b$MODE -S $op -F path=$watch
-auditctl -a exit,always -F arch=b$MODE -S $opat -F path=$watch
-
-prepend_cleanup "
- auditctl -d exit,always -F arch=b$MODE -S $op -F path=$watch
- auditctl -d exit,always -F arch=b$MODE -S $opat -F path=$watch
- rm -rf $tmpd"
-
case $op in
rename) touch $name
gen_audit_event="mv $tmp1 $name" ;;
rmdir) mkdir $name
+ if [[ ${MACHINE} = "aarch64" ]]; then
+ op="unlink";
+ opat="unlinkat";
+ fi
gen_audit_event="rmdir $name" ;;
unlink) touch $name
gen_audit_event="rm $name" ;;
*) exit_fail "unknown test operation: $op" ;;
esac
+auditctl -a exit,always -F arch=b$MODE -S $op -F path=$watch
+auditctl -a exit,always -F arch=b$MODE -S $opat -F path=$watch
+
+prepend_cleanup "
+ auditctl -d exit,always -F arch=b$MODE -S $op -F path=$watch
+ auditctl -d exit,always -F arch=b$MODE -S $opat -F path=$watch
+ rm -rf $tmpd"
+
log_mark=$(stat -c %s $audit_log)
# test
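Review bot: reassigning op and opat inside the rmdir branch means everything after the case statement sees unlink/unlinkat with no trace that the test was invoked as rmdir. A separate pair of variables for the audited syscall names, plus a comment that rmdir is expected to be logged as unlinkat on aarch64, would keep the test name intact. The commit message should also say that the auditctl calls were moved below the case so that the override takes effect.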
diff --git a/audit-test/filter/tests/test_watch_open.bash b/audit-test/filter/tests/test_watch_open.bash
index 525ac31..c7fe367 100755
--- a/audit-test/filter/tests/test_watch_open.bash
+++ b/audit-test/filter/tests/test_watch_open.bash
@@ -29,8 +29,14 @@ watch=$tmp1
event_obj=$(get_event_obj $1)
[[ $event_obj != $watch ]] && prepend_cleanup "rm -f $event_obj"
-auditctl -a exit,always -F arch=b$MODE -S open -F key=$watch -F path=$watch
-prepend_cleanup "auditctl -d exit,always -F arch=b$MODE -S openat -F key=$watch -F path=$watch"
+if [[ ${MACHINE} = "aarch64" ]]; then
+ syscall_name="openat"
+else
+ syscall_name="open"
+fi
+
+auditctl -a exit,always -F arch=b$MODE -S $syscall_name -F key=$watch -F path=$watch
+prepend_cleanup "auditctl -d exit,always -F arch=b$MODE -S $syscall_name -F key=$watch -F path=$watch"
# test open with O_CREAT|O_RDONLY; verify audit record
log_mark=$(stat -c %s $audit_log)
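Review bot: the removed lines installed the rule with -S open but deleted it with -S openat, so the old cleanup never matched the rule it was meant to remove; using $syscall_name in both places fixes that on every architecture. That is a behaviour change beyond aarch64 support and deserves a line in the commit message, or its own patch.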
diff --git a/audit-test/filter/tests/test_watch_remove.bash b/audit-test/filter/tests/test_watch_remove.bash
index 2e00a50..3d370a7 100755
--- a/audit-test/filter/tests/test_watch_remove.bash
+++ b/audit-test/filter/tests/test_watch_remove.bash
@@ -30,6 +30,10 @@ case $op in
unlink) touch $name
gen_audit_event="rm $name" ;;
rmdir) mkdir $name
+ if [[ ${MACHINE} = "aarch64" ]]; then
+ op="unlink";
+ opat="unlinkat";
+ fi
gen_audit_event="rmdir $name" ;;
rename) touch $name
gen_audit_event="mv $tmp1 $name" ;;
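Review bot: this hunk adds the same op/opat override as test_watch_dir_remove.bash but, unlike that file, does not move any auditctl call. Please confirm that the rules in this script are installed after the case statement; if they are installed before it, the override never reaches them and the aarch64 rmdir case is still filtered on rmdir.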
--
1.7.9.5
|
|
From: AKASHI T. <tak...@li...> - 2014-07-24 06:03:44
|
This patch defines an architecture type for arm64/aarch64, and excludes some
system call tests. For example, chown is not a native system call
on arm64/aarch64 and so __NR_chown is not defined.
Signed-off-by: AKASHI Takahiro <tak...@li...>
---
audit-test/rules.mk | 2 ++
audit-test/utils/augrok | 2 ++
audit-test/utils/bin/Makefile | 8 ++++++--
3 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/audit-test/rules.mk b/audit-test/rules.mk
index 49c0df2..41aeec5 100644
--- a/audit-test/rules.mk
+++ b/audit-test/rules.mk
@@ -48,6 +48,8 @@ LINK_AR = $(AR) rc $@ $^
LINK_EXE = $(CC) $(LDFLAGS) -o $@ $^ $(LOADLIBES) $(LDLIBS)
LINK_SO = $(CC) $(LDFLAGS) -shared -o $@ $^ $(LOADLIBES) $(LDLIBS)
+export MACHINE
+
# If MODE isn't set explicitly, the default for the machine is used
export NATIVE = $(strip $(shell file /bin/bash | awk -F'[ -]' '{print $$3}'))
export MODE ?= $(NATIVE)
diff --git a/audit-test/utils/augrok b/audit-test/utils/augrok
index f0542e5..a42cd21 100755
--- a/audit-test/utils/augrok
+++ b/audit-test/utils/augrok
@@ -585,6 +585,8 @@ our (%archtab) = (
'c0009026' => 'alpha',
'40000028' => 'arm',
'28' => 'armeb',
+ 'c00000b7' => 'aarch64',
+ '800000b7' => 'aarch64eb',
'4000004c' => 'cris',
'2e' => 'h8300',
'40000003' => 'i386',
diff --git a/audit-test/utils/bin/Makefile b/audit-test/utils/bin/Makefile
index 654ef9c..53bf40d 100644
--- a/audit-test/utils/bin/Makefile
+++ b/audit-test/utils/bin/Makefile
@@ -112,7 +112,6 @@ ALL_EXE = $(CAPS_EXE) \
do_bind \
do_chdir \
do_chmod \
- do_chown \
do_clone \
do_delete_module \
do_dummy \
@@ -130,7 +129,6 @@ ALL_EXE = $(CAPS_EXE) \
do_init_module \
do_ioctl \
do_kill \
- do_lchown \
do_lgetxattr \
do_link \
do_linkat \
@@ -174,6 +172,10 @@ ALL_EXE = $(CAPS_EXE) \
do_utimensat \
do_utimes
+ifneq ($(MACHINE), aarch64)
+ALL_EXE += do_chown \
+ do_lchown
+endif
ifeq ($(MODE), 32)
ifeq ($(MACHINE), ppc64)
ALL_EXE += $(ONLY32P_EXE)
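Review bot: do_chown and do_lchown are dropped whenever MACHINE is aarch64, regardless of MODE, while the cover letter says the suite is meant to run with 32-bit userspace on aarch64 as well. If the 32-bit ABI there does define __NR_chown, the exclusion should depend on MODE too. The two names also leave the alphabetical ALL_EXE list; a comment at the ifneq explaining why they are conditional would save the next reader a search.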
@@ -189,8 +191,10 @@ endif
ifeq ($(MACHINE), ia64)
ALL_EXE += $(ONLYIA64_EXE)
else
+ifneq ($(MACHINE), aarch64)
ALL_EXE += $(ONLY86_EXE)
endif
+endif
$(CAPS_EXE): LDLIBS += -lcap
ifdef LSM_SELINUX
--
1.7.9.5
|
|
From: AKASHI T. <tak...@li...> - 2014-07-24 06:03:39
|
On some architectures including arm64, system call numbers are defined
in /usr/include/asm-generic/unistd.h. This file contains an irregular
style of definitions like
#define __NR3264_truncate 45
#define __NR_truncate __NR3264_truncate
(In fact, it's more complicated.)
This patch takes care of such cases.
Signed-off-by: AKASHI Takahiro <tak...@li...>
---
audit-test/utils/augrok | 15 +++++++++++++--
1 file changed, 13 insertions(+), 2 deletions(-)
diff --git a/audit-test/utils/augrok b/audit-test/utils/augrok
index 08f731a..f0542e5 100755
--- a/audit-test/utils/augrok
+++ b/audit-test/utils/augrok
@@ -113,8 +113,12 @@ sub new {
open(S, "gcc $m32 -E -dM /usr/include/syscall.h |") or die;
my $line;
while (defined($line = <S>)) {
- next unless $line =~ /^#define\s+__NR_(\w+)\s+(\w+|\(.*?\))/;
- $singleton->{$1} = $2;
+ if ($line =~ /^#define\s+__NR_(\w+)\s+(\w+|\(.*?\))/) {
+ $singleton->{$1} = $2;
+ }
+ if ($line =~ /^#define\s+__NR3264_(\w+)\s+(\w+|\(.*?\))/) {
+ $singleton->{"3264_$1"} = $2;
+ }
}
close S;
@@ -139,6 +143,13 @@ sub new {
$changed = 1;
}
+ #define __NR_truncate __NR3264_truncate
+ if ($v =~ /^__NR3264_(\w+)$/ and
+ defined($new_v = $singleton->{"3264_$1"})) {
+ $singleton->{$k} = $new_v;
+ $changed = 1;
+ }
+
# don't know how to handle this, hope it wasn't important
else {
print STDERR "Removing syscall{$k} = $v\n" if $opt{'debug'};
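Review bot: the new __NR3264 block starts with a plain if and is inserted between the closing brace of the previous branch and the existing else, so the else now pairs with the new if alone. An entry handled by the previous branch falls through, fails the __NR3264 match and lands in the "Removing syscall" branch. Make it elsif so it joins the existing chain, and check that $new_v is declared in this scope.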
--
1.7.9.5
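
The alias resolution described in this patch's commit message, as an added Python example (not augrok's Perl and not part of the original mail). The define lines are constructed sample input in the style of gcc -E -dM output, and the function names and the __NR_example_arch and __NR_dangling entries are hypothetical.

```python
import re

# Constructed sample in the style of `gcc -E -dM` output for a header that
# pulls in asm-generic/unistd.h. The order is deliberately scrambled: an
# alias may be listed before the macro it refers to.
SAMPLE_DEFINES = """\
#define __NR_truncate __NR3264_truncate
#define __NR_openat 56
#define __NR3264_truncate 45
#define __NR_arch_specific_syscall 244
#define __NR_example_arch (__NR_arch_specific_syscall + 2)
#define __NR_dangling __NR3264_missing
#define __GNUC__ 4
"""

# Accept both the __NR_ and the __NR3264_ namespaces; the value is either a
# single token or a parenthesised expression.
DEFINE_RE = re.compile(r"^#define\s+(__NR(?:3264)?_\w+)\s+(\w+|\(.*?\))\s*$")
# One term with an optional "+ N" offset, e.g. "__NR_base + 2" or "45".
TERM_RE = re.compile(r"(\w+)(?:\s*\+\s*(\d+))?")


def parse_defines(text):
    """Return {macro_name: raw_value} for every __NR*/__NR3264* define."""
    raw = {}
    for line in text.splitlines():
        m = DEFINE_RE.match(line)
        if m:
            raw[m.group(1)] = m.group(2)
    return raw


def _evaluate(value, resolved):
    """Return the integer for value, or None if it cannot be resolved yet."""
    value = value.strip()
    if value.startswith("(") and value.endswith(")"):
        value = value[1:-1].strip()
    m = TERM_RE.fullmatch(value)
    if not m:
        return None
    base, offset = m.group(1), int(m.group(2) or 0)
    try:
        return int(base, 0) + offset      # literal number
    except ValueError:
        pass
    if base in resolved:                  # alias to an already resolved macro
        return resolved[base] + offset
    return None


def resolve_syscalls(text):
    """Resolve aliases to a fixed point.

    Returns (table, unresolved): table maps syscall name -> number for the
    __NR_ namespace only; unresolved lists macros that never got a number,
    so a caller can report them instead of dropping them silently.
    """
    unresolved = parse_defines(text)
    resolved = {}
    changed = True
    while changed and unresolved:
        changed = False
        for name, value in list(unresolved.items()):
            number = _evaluate(value, resolved)
            if number is not None:
                resolved[name] = number
                del unresolved[name]
                changed = True
    table = {name[len("__NR_"):]: number
             for name, number in resolved.items()
             if name.startswith("__NR_")}
    return table, sorted(unresolved)


if __name__ == "__main__":
    table, unresolved = resolve_syscalls(SAMPLE_DEFINES)
    for name in sorted(table):
        print(f"{name:24s} {table[name]}")
    print("unresolved:", unresolved)
```

A name left in the unresolved list is one a test cannot translate into a syscall number, so any rule or log check built on it needs to fail loudly rather than match nothing.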
|
|
From: AKASHI T. <tak...@li...> - 2014-07-24 06:03:32
|
Current makefile uses DISTRO(== SUSE) to keep SE-Linux related programs
from being compiled and executed. This is inconvenient for other
distributions or rootfs build tools, like Buildroot and OpenEmbedded.
This patch introduces LSM_SELINUX instead to do the same thing.
Signed-off-by: AKASHI Takahiro <tak...@li...>
---
audit-test/filter/run.conf | 2 ++
audit-test/rules.mk | 9 +++++----
audit-test/utils/Makefile | 7 ++++++-
audit-test/utils/bin/Makefile | 2 +-
audit-test/utils/bin/do_creat.c | 4 ++--
audit-test/utils/bin/do_mkdir.c | 4 ++--
audit-test/utils/bin/do_mkdirat.c | 4 ++--
audit-test/utils/bin/do_mknod.c | 4 ++--
audit-test/utils/bin/do_mknodat.c | 4 ++--
audit-test/utils/bin/do_mq_open.c | 4 ++--
audit-test/utils/bin/do_open.c | 4 ++--
audit-test/utils/bin/do_openat.c | 4 ++--
audit-test/utils/bin/do_symlink.c | 4 ++--
audit-test/utils/bin/do_symlinkat.c | 4 ++--
audit-test/utils/run.bash | 8 ++++++--
15 files changed, 40 insertions(+), 28 deletions(-)
diff --git a/audit-test/filter/run.conf b/audit-test/filter/run.conf
index 3ac111a..d52cf00 100644
--- a/audit-test/filter/run.conf
+++ b/audit-test/filter/run.conf
@@ -79,11 +79,13 @@ fi
+ class_write
+ class_exec
+ class_attr
+if [[ $LSM_SELINUX ]]; then
+ secontext subj_sen
+ secontext subj_clr
+ secontext subj_role
+ secontext obj_lev_low
+ secontext obj_lev_high_base
+fi
if [[ $PPROFILE == lspp ]]; then
+ secontext obj_lev_high_mls
fi
diff --git a/audit-test/rules.mk b/audit-test/rules.mk
index fd2f8a5..49c0df2 100644
--- a/audit-test/rules.mk
+++ b/audit-test/rules.mk
@@ -75,13 +75,14 @@ RELEASE = $(wildcard /etc/*-release)
ifeq (SuSE, $(findstring SuSE, $(RELEASE)))
CFLAGS +=-DSUSE
export DISTRO=SUSE
-endif
-ifeq (fedora, $(findstring fedora, $(RELEASE)))
-CFLAGS +=-DFEDORA
+else ifeq (fedora, $(findstring fedora, $(RELEASE)))
+CFLAGS +="-DFEDORA -DLSM_SELINUX"
export DISTRO=FEDORA
+export LSM_SELINUX=1
else ifeq (redhat, $(findstring redhat, $(RELEASE)))
-CFLAGS +=-DRHEL
+CFLAGS +="-DRHEL -DLSM_SELINUX"
export DISTRO=RHEL
+export LSM_SELINUX=1
endif
ifeq (s390x, $(findstring s390x, $(MACHINE)))
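Review bot: CFLAGS +="-DFEDORA -DLSM_SELINUX" and the matching RHEL line keep the double quotes as part of the make variable, so the shell hands the compiler one argument, "-DFEDORA -DLSM_SELINUX", and LSM_SELINUX is never defined as a macro of its own. The #ifdef LSM_SELINUX blocks in the do_*.c files would then compile out on Fedora and RHEL while the Makefiles still link -lselinux. Drop the quotes: CFLAGS += -DFEDORA -DLSM_SELINUX.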
diff --git a/audit-test/utils/Makefile b/audit-test/utils/Makefile
index 489d98b..f43b0f1 100644
--- a/audit-test/utils/Makefile
+++ b/audit-test/utils/Makefile
@@ -18,14 +18,19 @@
TOPDIR = ..
UTILSDIR = .
CPPFLAGS += -I$(UTILSDIR)/include
+ifdef LSM_SELINUX
LDLIBS += -lselinux
UTILS_EXE = test_context \
test_setcon
+endif
ALL_EXE = $(UTILS_EXE)
-SUB_DIRS = bin network-server
+SUB_DIRS = bin
+ifdef LSM_SELINUX
+SUB_DIRS += network-server
+endif
include $(TOPDIR)/rules.mk
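Review bot: both ifdef LSM_SELINUX tests sit above include $(TOPDIR)/rules.mk, and rules.mk is where LSM_SELINUX is exported, so a make started in utils/ evaluates them while the variable is still unset and skips test_context, test_setcon and network-server even on an SELinux system. It only works when a parent make has already exported the variable. Either move the distro detection ahead of these tests or place the conditionals after the include.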
diff --git a/audit-test/utils/bin/Makefile b/audit-test/utils/bin/Makefile
index 098d46c..654ef9c 100644
--- a/audit-test/utils/bin/Makefile
+++ b/audit-test/utils/bin/Makefile
@@ -193,7 +193,7 @@ ALL_EXE += $(ONLY86_EXE)
endif
$(CAPS_EXE): LDLIBS += -lcap
-ifneq ($(DISTRO), SUSE)
+ifdef LSM_SELINUX
$(CREATE_EXE): LDLIBS += -lselinux
$(MQ_EXE): LDLIBS += -lrt -lselinux
else
diff --git a/audit-test/utils/bin/do_creat.c b/audit-test/utils/bin/do_creat.c
index 85b31fb..81b0686 100644
--- a/audit-test/utils/bin/do_creat.c
+++ b/audit-test/utils/bin/do_creat.c
@@ -14,7 +14,7 @@
*/
#include "includes.h"
-#ifndef SUSE
+#ifdef LSM_SELINUX
#include <selinux/selinux.h>
#endif
@@ -27,7 +27,7 @@ int main(int argc, char **argv)
return 1;
}
-#ifndef SUSE
+#ifdef LSM_SELINUX
if ((argc > 2) && (setfscreatecon(argv[2]) < 0)) {
perror("do_creat: setfscreatecon");
return 1;
diff --git a/audit-test/utils/bin/do_mkdir.c b/audit-test/utils/bin/do_mkdir.c
index f06f394..d601903 100644
--- a/audit-test/utils/bin/do_mkdir.c
+++ b/audit-test/utils/bin/do_mkdir.c
@@ -14,7 +14,7 @@
*/
#include "includes.h"
-#ifndef SUSE
+#ifdef LSM_SELINUX
#include <selinux/selinux.h>
#endif
@@ -27,7 +27,7 @@ int main(int argc, char **argv)
return 1;
}
-#ifndef SUSE
+#ifdef LSM_SELINUX
if ((argc > 2) && (setfscreatecon(argv[2]) < 0)) {
perror("do_mkdir: setfscreatecon");
return 1;
diff --git a/audit-test/utils/bin/do_mkdirat.c b/audit-test/utils/bin/do_mkdirat.c
index 67d5ac9..5a6e54f 100644
--- a/audit-test/utils/bin/do_mkdirat.c
+++ b/audit-test/utils/bin/do_mkdirat.c
@@ -14,7 +14,7 @@
*/
#include "includes.h"
-#ifndef SUSE
+#ifdef LSM_SELINUX
#include <selinux/selinux.h>
#endif
@@ -28,7 +28,7 @@ int main(int argc, char **argv)
return TEST_ERROR;
}
-#ifndef SUSE
+#ifdef LSM_SELINUX
if ((argc > 3) && (setfscreatecon(argv[3]) < 0)) {
perror("do_mkdirat: setfscreatecon");
return TEST_ERROR;
diff --git a/audit-test/utils/bin/do_mknod.c b/audit-test/utils/bin/do_mknod.c
index 07ca554..c12c76d 100644
--- a/audit-test/utils/bin/do_mknod.c
+++ b/audit-test/utils/bin/do_mknod.c
@@ -14,7 +14,7 @@
*/
#include "includes.h"
-#ifndef SUSE
+#ifdef LSM_SELINUX
#include <selinux/selinux.h>
#endif
@@ -27,7 +27,7 @@ int main(int argc, char **argv)
return 1;
}
-#ifndef SUSE
+#ifdef LSM_SELINUX
if ((argc > 2) && (setfscreatecon(argv[2]) < 0)) {
perror("do_mknod: setfscreatecon");
return 1;
diff --git a/audit-test/utils/bin/do_mknodat.c b/audit-test/utils/bin/do_mknodat.c
index 5acb057..7e9ea2c 100644
--- a/audit-test/utils/bin/do_mknodat.c
+++ b/audit-test/utils/bin/do_mknodat.c
@@ -14,7 +14,7 @@
*/
#include "includes.h"
-#ifndef SUSE
+#ifdef LSM_SELINUX
#include <selinux/selinux.h>
#endif
@@ -31,7 +31,7 @@ int main(int argc, char **argv)
dir_fd = open(argv[1], O_DIRECTORY);
if (dir_fd < 0)
return TEST_ERROR;
-#ifndef SUSE
+#ifdef LSM_SELINUX
if (argc == 4 && setfscreatecon(argv[3]) < 0) {
perror("do_mknodat: setfscreatecon");
return TEST_ERROR;
diff --git a/audit-test/utils/bin/do_mq_open.c b/audit-test/utils/bin/do_mq_open.c
index 25adc8b..8d0ec9d 100644
--- a/audit-test/utils/bin/do_mq_open.c
+++ b/audit-test/utils/bin/do_mq_open.c
@@ -15,7 +15,7 @@
#include "includes.h"
#include <mqueue.h>
-#ifndef SUSE
+#ifdef LSM_SELINUX
#include <selinux/selinux.h>
#endif
@@ -45,7 +45,7 @@ int main(int argc, char **argv)
return 1;
}
-#ifndef SUSE
+#ifdef LSM_SELINUX
if ((argc > 3) && (setfscreatecon(argv[3]) < 0)) {
perror("do_mq_open: setfscreatecon");
return 1;
diff --git a/audit-test/utils/bin/do_open.c b/audit-test/utils/bin/do_open.c
index 1068461..781f6f9 100644
--- a/audit-test/utils/bin/do_open.c
+++ b/audit-test/utils/bin/do_open.c
@@ -14,7 +14,7 @@
*/
#include "includes.h"
-#ifndef SUSE
+#ifdef LSM_SELINUX
#include <selinux/selinux.h>
#endif
@@ -46,7 +46,7 @@ int main(int argc, char **argv)
return 1;
}
-#ifndef SUSE
+#ifdef LSM_SELINUX
if ((argc > 3) && (setfscreatecon(argv[3]) < 0)) {
perror("do_open: setfscreatecon");
return 1;
diff --git a/audit-test/utils/bin/do_openat.c b/audit-test/utils/bin/do_openat.c
index 43da725..6205406 100644
--- a/audit-test/utils/bin/do_openat.c
+++ b/audit-test/utils/bin/do_openat.c
@@ -14,7 +14,7 @@
*/
#include "includes.h"
-#ifndef SUSE
+#ifdef LSM_SELINUX
#include <selinux/selinux.h>
#endif
@@ -53,7 +53,7 @@ int main(int argc, char **argv)
perror("do_openat: open dirfd");
return TEST_ERROR;
}
-#ifndef SUSE
+#ifdef LSM_SELINUX
if (argc == 5 && setfscreatecon(argv[4]) < 0) {
perror("do_openat: setfscreatecon");
return TEST_ERROR;
diff --git a/audit-test/utils/bin/do_symlink.c b/audit-test/utils/bin/do_symlink.c
index 75dfe0b..d902493 100644
--- a/audit-test/utils/bin/do_symlink.c
+++ b/audit-test/utils/bin/do_symlink.c
@@ -14,7 +14,7 @@
*/
#include "includes.h"
-#ifndef SUSE
+#ifdef LSM_SELINUX
#include <selinux/selinux.h>
#endif
@@ -27,7 +27,7 @@ int main(int argc, char **argv)
return 1;
}
-#ifndef SUSE
+#ifdef LSM_SELINUX
if ((argc > 3) && (setfscreatecon(argv[3]) < 0)) {
perror("do_symlink: setfscreatecon");
return 1;
diff --git a/audit-test/utils/bin/do_symlinkat.c b/audit-test/utils/bin/do_symlinkat.c
index 9e67a28..1829dcf 100644
--- a/audit-test/utils/bin/do_symlinkat.c
+++ b/audit-test/utils/bin/do_symlinkat.c
@@ -15,7 +15,7 @@
*/
#include "includes.h"
-#ifndef SUSE
+#ifdef LSM_SELINUX
#include <selinux/selinux.h>
#endif
@@ -32,7 +32,7 @@ int main(int argc, char **argv)
dir_fd = open(argv[1], O_DIRECTORY);
if (dir_fd < 0)
return TEST_ERROR;
-#ifndef SUSE
+#ifdef LSM_SELINUX
if (argc == 5 && setfscreatecon(argv[4]) < 0) {
perror("do_symlinkat: setfscreatecon");
return TEST_ERROR;
diff --git a/audit-test/utils/run.bash b/audit-test/utils/run.bash
index a2a5da6..721e744 100755
--- a/audit-test/utils/run.bash
+++ b/audit-test/utils/run.bash
@@ -463,11 +463,15 @@ function show_header {
printf "%-32s %s\n" Mode: "${MODE:-(native)}"
printf "%-32s %s\n" Hostname: "$(uname -n)"
printf "%-32s %s\n" Profile: "$PPROFILE"
- printf "%-32s %s\n" "selinux-policy version:" "$(rpm -q selinux-policy)"
+ if [[ $LSM_SELINUX ]] ; then
+ printf "%-32s %s\n" "selinux-policy version:" "$(rpm -q selinux-policy)"
+ fi
if [[ $PPROFILE == lspp ]] ; then
printf "%-32s %s\n" "lspp_test policy version:" "$(semodule -l | grep lspp_test | awk '{print $2}')"
fi
- printf "\n%s\n" "$(sestatus)"
+ if [[ $LSM_SELINUX ]] ; then
+ printf "\n%s\n" "$(sestatus)"
+ fi
echo
} | tee $opt_logdir/$header_log
}
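Review bot: the lspp branch between the two new guards still calls semodule without checking LSM_SELINUX, and the guarded version line still shells out to rpm, which the Buildroot and OpenEmbedded targets named in the commit message may not provide. Nest the PPROFILE == lspp line inside the LSM_SELINUX guard and merge the two guards into one block so the header either prints all SELinux details or none.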
--
1.7.9.5
|
|
From: AKASHI T. <tak...@li...> - 2014-07-24 06:03:25
|
This patch allows the test suite to be run on aarch64 (or arm64 in kernel
jargon) with 64-bit and 32-bit userspace.
I successfully built and ran it on
- ARMv8 fast model
- x86_64 Fedora 20
but only against audit-test/syscalls and filter, and so fixes here might be
incomplete in the other categories (and on other architectures).
See audit-test/Makefile, which is a bit messy in general.
v4:
* fix usages of LSM_SELINUX macro
v3:
* correct makefiles/bash scripts around usages of LSM_SELINUX macro
* untabify the leading tabs
* protect utils/network-server with LSM_SELINUX
v2:
* clean up the usages of macros, MACHINE, LSM_SELINUX and UTILS
* cosmetic changes (indentation, splitting lines) for readability
AKASHI Takahiro (5):
audit-test: use LSM_SELINUX instead of SUSE to work-around SE-Linux
audit-test: handle __NR3264_xxx syscall definitions
audit-test/syscalls: add aarch64 support
audit-test/filter: add aarch64 support
audit-test/syscalls: add arm support
audit-test/filter/run.conf | 2 ++
audit-test/filter/tests/test_auid.bash | 9 +++++--
audit-test/filter/tests/test_class_attr.bash | 28 +++++++++++++++-----
audit-test/filter/tests/test_dev_inode.bash | 11 +++++---
audit-test/filter/tests/test_success.bash | 8 ++++--
audit-test/filter/tests/test_syscall.bash | 8 ++++--
audit-test/filter/tests/test_type.bash | 9 +++++--
audit-test/filter/tests/test_watch_dir_remove.bash | 20 ++++++++------
audit-test/filter/tests/test_watch_open.bash | 10 +++++--
audit-test/filter/tests/test_watch_remove.bash | 4 +++
audit-test/rules.mk | 11 +++++---
audit-test/syscalls/cap-run.conf | 15 +++++++----
audit-test/syscalls/dac-run.conf | 24 +++++++++++------
audit-test/syscalls/mac-run.conf | 24 +++++++++++------
audit-test/utils/Makefile | 7 ++++-
audit-test/utils/augrok | 17 ++++++++++--
audit-test/utils/bin/Makefile | 14 +++++++---
audit-test/utils/bin/do_creat.c | 4 +--
audit-test/utils/bin/do_mkdir.c | 4 +--
audit-test/utils/bin/do_mkdirat.c | 4 +--
audit-test/utils/bin/do_mknod.c | 4 +--
audit-test/utils/bin/do_mknodat.c | 4 +--
audit-test/utils/bin/do_mq_open.c | 4 +--
audit-test/utils/bin/do_open.c | 4 +--
audit-test/utils/bin/do_openat.c | 4 +--
audit-test/utils/bin/do_symlink.c | 4 +--
audit-test/utils/bin/do_symlinkat.c | 4 +--
audit-test/utils/run.bash | 8 ++++--
28 files changed, 188 insertions(+), 81 deletions(-)
--
1.7.9.5
===
From 33f1b4c73a0586cf3416e3ab98156c7076901dd7 Mon Sep 17 00:00:00 2001
From: AKASHI Takahiro <tak...@li...>
Date: Wed, 23 Jul 2014 13:44:28 +0900
Subject: [PATCH v3 0/5] add arm/aarch64(arm64) support
This patch allows the test suite to be run on aarch64 (or arm64 in kernel
jargon) with 64-bit and 32-bit userspace.
I successfully built and ran it on
- ARMv8 fast model
- x86_64 Fedora 20
but only against audit-test/syscalls and filter, and so fixes here might be
incomplete in the other categories (and on other architectures).
See audit-test/Makefile, which is a bit messy in general.
v3:
* correct makefiles/bash scripts around usages of LSM_SELINUX macro
* untabify the leading tabs
* protect utils/network-server with LSM_SELINUX
v2:
* clean up the usages of macros, MACHINE, LSM_SELINUX and UTILS
* cosmetic changes (indentation, splitting lines) for readability
AKASHI Takahiro (5):
audit-test: use LSM_SELINUX instead of SUSE to work-around SE-Linux
audit-test: handle __NR3264_xxx syscall definitions
audit-test/syscalls: add aarch64 support
audit-test/filter: add aarch64 support
audit-test/syscalls: add arm support
audit-test/filter/run.conf | 2 ++
audit-test/filter/tests/test_auid.bash | 9 +++++--
audit-test/filter/tests/test_class_attr.bash | 28 +++++++++++++++-----
audit-test/filter/tests/test_dev_inode.bash | 11 +++++---
audit-test/filter/tests/test_success.bash | 8 ++++--
audit-test/filter/tests/test_syscall.bash | 8 ++++--
audit-test/filter/tests/test_type.bash | 9 +++++--
audit-test/filter/tests/test_watch_dir_remove.bash | 20 ++++++++------
audit-test/filter/tests/test_watch_open.bash | 10 +++++--
audit-test/filter/tests/test_watch_remove.bash | 4 +++
audit-test/rules.mk | 11 +++++---
audit-test/syscalls/cap-run.conf | 15 +++++++----
audit-test/syscalls/dac-run.conf | 24 +++++++++++------
audit-test/syscalls/mac-run.conf | 24 +++++++++++------
audit-test/utils/Makefile | 7 ++++-
audit-test/utils/augrok | 17 ++++++++++--
audit-test/utils/bin/Makefile | 14 +++++++---
audit-test/utils/bin/do_creat.c | 4 +--
audit-test/utils/bin/do_mkdir.c | 4 +--
audit-test/utils/bin/do_mkdirat.c | 4 +--
audit-test/utils/bin/do_mknod.c | 4 +--
audit-test/utils/bin/do_mknodat.c | 4 +--
audit-test/utils/bin/do_mq_open.c | 4 +--
audit-test/utils/bin/do_open.c | 4 +--
audit-test/utils/bin/do_openat.c | 4 +--
audit-test/utils/bin/do_symlink.c | 4 +--
audit-test/utils/bin/do_symlinkat.c | 4 +--
audit-test/utils/run.bash | 8 ++++--
28 files changed, 188 insertions(+), 81 deletions(-)
--
1.7.9.5
===
From a241a8d3b61b48da3af5086d631bb61b59265317 Mon Sep 17 00:00:00 2001
From: AKASHI Takahiro <tak...@li...>
Date: Fri, 18 Jul 2014 18:01:51 +0900
Subject: [PATCH v2 0/5] add arm/aarch64(arm64) support
This patch allows the test suite to be run on aarch64 (or arm64 in kernel
jargon) with 64-bit and 32-bit userspace.
I successfully built and ran it on
- ARMv8 fast model
- x86_64 Fedora 20
(but only against audit-test/syscalls and filter)
v2:
* clean up the usages of macros, MACHINE, LSM_MACHINE and UTILS
* cosmetic changes (indentation, splitting lines) for readability
AKASHI Takahiro (5):
audit-test: use LSM_SELINUX instead of SUSE to work-around SE-Linux
audit-test: handle __NR3264_xxx syscall definitions
audit-test/syscalls: add aarch64 support
audit-test/filter: add aarch64 support
audit-test/syscalls: add arm support
audit-test/filter/run.conf | 2 ++
audit-test/filter/tests/test_auid.bash | 9 +++++--
audit-test/filter/tests/test_class_attr.bash | 28 +++++++++++++++-----
audit-test/filter/tests/test_dev_inode.bash | 11 +++++---
audit-test/filter/tests/test_success.bash | 8 ++++--
audit-test/filter/tests/test_syscall.bash | 8 ++++--
audit-test/filter/tests/test_type.bash | 9 +++++--
audit-test/filter/tests/test_watch_dir_remove.bash | 20 ++++++++------
audit-test/filter/tests/test_watch_open.bash | 10 +++++--
audit-test/filter/tests/test_watch_remove.bash | 4 +++
audit-test/rules.mk | 11 +++++---
audit-test/syscalls/cap-run.conf | 15 +++++++----
audit-test/syscalls/dac-run.conf | 24 +++++++++++------
audit-test/syscalls/mac-run.conf | 24 +++++++++++------
audit-test/utils/Makefile | 2 ++
audit-test/utils/augrok | 17 ++++++++++--
audit-test/utils/bin/Makefile | 14 +++++++---
audit-test/utils/bin/do_creat.c | 4 +--
audit-test/utils/bin/do_mkdir.c | 4 +--
audit-test/utils/bin/do_mkdirat.c | 4 +--
audit-test/utils/bin/do_mknod.c | 4 +--
audit-test/utils/bin/do_mknodat.c | 4 +--
audit-test/utils/bin/do_mq_open.c | 4 +--
audit-test/utils/bin/do_open.c | 4 +--
audit-test/utils/bin/do_openat.c | 4 +--
audit-test/utils/bin/do_symlink.c | 4 +--
audit-test/utils/bin/do_symlinkat.c | 4 +--
audit-test/utils/run.bash | 8 ++++--
28 files changed, 184 insertions(+), 80 deletions(-)
--
1.7.9.5
|
|
From: AKASHI T. <tak...@li...> - 2014-07-23 09:02:39
|
On 07/23/2014 05:40 PM, Jiri Jaburek wrote:
> On 07/23/2014 09:37 AM, AKASHI Takahiro wrote:
>> Current makefile uses DISTRO(== SUSE) to keep SE-Linux related programs
>> from being compiled and executed. This is inconvenient for other
>> distributions or rootfs build tools, like Buildroot and OpenEmbedded.
>>
>> This patch introduces LSM_SELINUX instead to do the same thing.
>>
>> Signed-off-by: AKASHI Takahiro <tak...@li...>
>> ---
>> audit-test/filter/run.conf | 2 ++
>> audit-test/rules.mk | 9 +++++----
>> audit-test/utils/Makefile | 7 ++++++-
>> audit-test/utils/bin/Makefile | 2 +-
>> audit-test/utils/bin/do_creat.c | 4 ++--
>> audit-test/utils/bin/do_mkdir.c | 4 ++--
>> audit-test/utils/bin/do_mkdirat.c | 4 ++--
>> audit-test/utils/bin/do_mknod.c | 4 ++--
>> audit-test/utils/bin/do_mknodat.c | 4 ++--
>> audit-test/utils/bin/do_mq_open.c | 4 ++--
>> audit-test/utils/bin/do_open.c | 4 ++--
>> audit-test/utils/bin/do_openat.c | 4 ++--
>> audit-test/utils/bin/do_symlink.c | 4 ++--
>> audit-test/utils/bin/do_symlinkat.c | 4 ++--
>> audit-test/utils/run.bash | 8 ++++++--
>> 15 files changed, 40 insertions(+), 28 deletions(-)
>>
>> diff --git a/audit-test/filter/run.conf b/audit-test/filter/run.conf
>> index 3ac111a..6d46786 100644
>> --- a/audit-test/filter/run.conf
>> +++ b/audit-test/filter/run.conf
>> @@ -79,11 +79,13 @@ fi
>> + class_write
>> + class_exec
>> + class_attr
>> +if [[ $LSM_SELINUX == true ]]; then
>> + secontext subj_sen
>> + secontext subj_clr
>> + secontext subj_role
>> + secontext obj_lev_low
>> + secontext obj_lev_high_base
>> +fi
>> if [[ $PPROFILE == lspp ]]; then
>> + secontext obj_lev_high_mls
>> fi
>> diff --git a/audit-test/rules.mk b/audit-test/rules.mk
>> index fd2f8a5..509b288 100644
>> --- a/audit-test/rules.mk
>> +++ b/audit-test/rules.mk
>> @@ -75,13 +75,14 @@ RELEASE = $(wildcard /etc/*-release)
>> ifeq (SuSE, $(findstring SuSE, $(RELEASE)))
>> CFLAGS +=-DSUSE
>> export DISTRO=SUSE
>> -endif
>> -ifeq (fedora, $(findstring fedora, $(RELEASE)))
>> -CFLAGS +=-DFEDORA
>> +else ifeq (fedora, $(findstring fedora, $(RELEASE)))
>> +CFLAGS +="-DFEDORA -DLSM_SELINUX"
>> export DISTRO=FEDORA
>> +export LSM_SELINUX=true
>> else ifeq (redhat, $(findstring redhat, $(RELEASE)))
>> -CFLAGS +=-DRHEL
>> +CFLAGS +="-DRHEL -DLSM_SELINUX"
>> export DISTRO=RHEL
>> +export LSM_SELINUX=true
>> endif
>>
>> ifeq (s390x, $(findstring s390x, $(MACHINE)))
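Review bot: In the fedora and redhat branches, `CFLAGS +="-DFEDORA -DLSM_SELINUX"` puts the double quotes themselves into CFLAGS, because make does not strip quotes. When the compile command is run, the shell hands the compiler a single argument `-DFEDORA -DLSM_SELINUX`, so LSM_SELINUX is not defined as a macro of its own and the `#ifdef LSM_SELINUX` blocks added to the do_*.c files would be compiled out even on Fedora and RHEL. Drop the quotes: `CFLAGS += -DFEDORA -DLSM_SELINUX` (and likewise for RHEL).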
>> diff --git a/audit-test/utils/Makefile b/audit-test/utils/Makefile
>> index 489d98b..52b9f38 100644
>> --- a/audit-test/utils/Makefile
>> +++ b/audit-test/utils/Makefile
>> @@ -18,14 +18,19 @@
>> TOPDIR = ..
>> UTILSDIR = .
>> CPPFLAGS += -I$(UTILSDIR)/include
>> +ifeq ($(LSM_SELINUX), true)
>
> You missed the point. :)
>
> The ifdef / simple [[ $var ]] works and IMHO should be used,
> the variable just needs to be nonempty.
OK.
Unless you have other comments, I will submit new series tomorrow:)
-Takahiro AKASHI
> ie.
>
> export LSM_SELINUX=1
>
> ifdef LSM_SELINUX
> ...
> endif
>
> if [[ "$LSM_SELINUX" ]]; then
> ...
> fi
>
>> LDLIBS += -lselinux
>>
>> UTILS_EXE = test_context \
>> test_setcon
>> +endif
>>
>> ALL_EXE = $(UTILS_EXE)
>>
>> -SUB_DIRS = bin network-server
>> +SUB_DIRS = bin
>> +ifeq ($(LSM_SELINUX), true)
>> +SUB_DIRS += network-server
>> +endif
>>
>> include $(TOPDIR)/rules.mk
>>
>> diff --git a/audit-test/utils/bin/Makefile b/audit-test/utils/bin/Makefile
>> index 098d46c..42b94ea 100644
>> --- a/audit-test/utils/bin/Makefile
>> +++ b/audit-test/utils/bin/Makefile
>> @@ -193,7 +193,7 @@ ALL_EXE += $(ONLY86_EXE)
>> endif
>>
>> $(CAPS_EXE): LDLIBS += -lcap
>> -ifneq ($(DISTRO), SUSE)
>> +ifeq ($(LSM_SELINUX), true)
>> $(CREATE_EXE): LDLIBS += -lselinux
>> $(MQ_EXE): LDLIBS += -lrt -lselinux
>> else
>> diff --git a/audit-test/utils/bin/do_creat.c b/audit-test/utils/bin/do_creat.c
>> index 85b31fb..81b0686 100644
>> --- a/audit-test/utils/bin/do_creat.c
>> +++ b/audit-test/utils/bin/do_creat.c
>> @@ -14,7 +14,7 @@
>> */
>>
>> #include "includes.h"
>> -#ifndef SUSE
>> +#ifdef LSM_SELINUX
>> #include <selinux/selinux.h>
>> #endif
>>
>> @@ -27,7 +27,7 @@ int main(int argc, char **argv)
>> return 1;
>> }
>>
>> -#ifndef SUSE
>> +#ifdef LSM_SELINUX
>> if ((argc > 2) && (setfscreatecon(argv[2]) < 0)) {
>> perror("do_creat: setfscreatecon");
>> return 1;
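Review bot: With `#ifdef LSM_SELINUX` around the `setfscreatecon(argv[2])` call in main(), a build without LSM_SELINUX silently ignores a context argument given on the command line and carries on without setting the creation context, so the caller sees success for a request that was never honoured. Consider an `#else` branch that reports an error when `argc > 2`, so that a test asking for a context on a non-SELinux build fails visibly instead of passing vacuously. The same pattern is repeated in the other do_*.c wrappers touched by this patch.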
>> diff --git a/audit-test/utils/bin/do_mkdir.c b/audit-test/utils/bin/do_mkdir.c
>> index f06f394..d601903 100644
>> --- a/audit-test/utils/bin/do_mkdir.c
>> +++ b/audit-test/utils/bin/do_mkdir.c
>> @@ -14,7 +14,7 @@
>> */
>>
>> #include "includes.h"
>> -#ifndef SUSE
>> +#ifdef LSM_SELINUX
>> #include <selinux/selinux.h>
>> #endif
>>
>> @@ -27,7 +27,7 @@ int main(int argc, char **argv)
>> return 1;
>> }
>>
>> -#ifndef SUSE
>> +#ifdef LSM_SELINUX
>> if ((argc > 2) && (setfscreatecon(argv[2]) < 0)) {
>> perror("do_mkdir: setfscreatecon");
>> return 1;
>> diff --git a/audit-test/utils/bin/do_mkdirat.c b/audit-test/utils/bin/do_mkdirat.c
>> index 67d5ac9..5a6e54f 100644
>> --- a/audit-test/utils/bin/do_mkdirat.c
>> +++ b/audit-test/utils/bin/do_mkdirat.c
>> @@ -14,7 +14,7 @@
>> */
>>
>> #include "includes.h"
>> -#ifndef SUSE
>> +#ifdef LSM_SELINUX
>> #include <selinux/selinux.h>
>> #endif
>>
>> @@ -28,7 +28,7 @@ int main(int argc, char **argv)
>> return TEST_ERROR;
>> }
>>
>> -#ifndef SUSE
>> +#ifdef LSM_SELINUX
>> if ((argc > 3) && (setfscreatecon(argv[3]) < 0)) {
>> perror("do_mkdirat: setfscreatecon");
>> return TEST_ERROR;
>> diff --git a/audit-test/utils/bin/do_mknod.c b/audit-test/utils/bin/do_mknod.c
>> index 07ca554..c12c76d 100644
>> --- a/audit-test/utils/bin/do_mknod.c
>> +++ b/audit-test/utils/bin/do_mknod.c
>> @@ -14,7 +14,7 @@
>> */
>>
>> #include "includes.h"
>> -#ifndef SUSE
>> +#ifdef LSM_SELINUX
>> #include <selinux/selinux.h>
>> #endif
>>
>> @@ -27,7 +27,7 @@ int main(int argc, char **argv)
>> return 1;
>> }
>>
>> -#ifndef SUSE
>> +#ifdef LSM_SELINUX
>> if ((argc > 2) && (setfscreatecon(argv[2]) < 0)) {
>> perror("do_mknod: setfscreatecon");
>> return 1;
>> diff --git a/audit-test/utils/bin/do_mknodat.c b/audit-test/utils/bin/do_mknodat.c
>> index 5acb057..7e9ea2c 100644
>> --- a/audit-test/utils/bin/do_mknodat.c
>> +++ b/audit-test/utils/bin/do_mknodat.c
>> @@ -14,7 +14,7 @@
>> */
>>
>> #include "includes.h"
>> -#ifndef SUSE
>> +#ifdef LSM_SELINUX
>> #include <selinux/selinux.h>
>> #endif
>>
>> @@ -31,7 +31,7 @@ int main(int argc, char **argv)
>> dir_fd = open(argv[1], O_DIRECTORY);
>> if (dir_fd < 0)
>> return TEST_ERROR;
>> -#ifndef SUSE
>> +#ifdef LSM_SELINUX
>> if (argc == 4 && setfscreatecon(argv[3]) < 0) {
>> perror("do_mknodat: setfscreatecon");
>> return TEST_ERROR;
>> diff --git a/audit-test/utils/bin/do_mq_open.c b/audit-test/utils/bin/do_mq_open.c
>> index 25adc8b..8d0ec9d 100644
>> --- a/audit-test/utils/bin/do_mq_open.c
>> +++ b/audit-test/utils/bin/do_mq_open.c
>> @@ -15,7 +15,7 @@
>>
>> #include "includes.h"
>> #include <mqueue.h>
>> -#ifndef SUSE
>> +#ifdef LSM_SELINUX
>> #include <selinux/selinux.h>
>> #endif
>>
>> @@ -45,7 +45,7 @@ int main(int argc, char **argv)
>> return 1;
>> }
>>
>> -#ifndef SUSE
>> +#ifdef LSM_SELINUX
>> if ((argc > 3) && (setfscreatecon(argv[3]) < 0)) {
>> perror("do_mq_open: setfscreatecon");
>> return 1;
>> diff --git a/audit-test/utils/bin/do_open.c b/audit-test/utils/bin/do_open.c
>> index 1068461..781f6f9 100644
>> --- a/audit-test/utils/bin/do_open.c
>> +++ b/audit-test/utils/bin/do_open.c
>> @@ -14,7 +14,7 @@
>> */
>>
>> #include "includes.h"
>> -#ifndef SUSE
>> +#ifdef LSM_SELINUX
>> #include <selinux/selinux.h>
>> #endif
>>
>> @@ -46,7 +46,7 @@ int main(int argc, char **argv)
>> return 1;
>> }
>>
>> -#ifndef SUSE
>> +#ifdef LSM_SELINUX
>> if ((argc > 3) && (setfscreatecon(argv[3]) < 0)) {
>> perror("do_open: setfscreatecon");
>> return 1;
>> diff --git a/audit-test/utils/bin/do_openat.c b/audit-test/utils/bin/do_openat.c
>> index 43da725..6205406 100644
>> --- a/audit-test/utils/bin/do_openat.c
>> +++ b/audit-test/utils/bin/do_openat.c
>> @@ -14,7 +14,7 @@
>> */
>>
>> #include "includes.h"
>> -#ifndef SUSE
>> +#ifdef LSM_SELINUX
>> #include <selinux/selinux.h>
>> #endif
>>
>> @@ -53,7 +53,7 @@ int main(int argc, char **argv)
>> perror("do_openat: open dirfd");
>> return TEST_ERROR;
>> }
>> -#ifndef SUSE
>> +#ifdef LSM_SELINUX
>> if (argc == 5 && setfscreatecon(argv[4]) < 0) {
>> perror("do_openat: setfscreatecon");
>> return TEST_ERROR;
>> diff --git a/audit-test/utils/bin/do_symlink.c b/audit-test/utils/bin/do_symlink.c
>> index 75dfe0b..d902493 100644
>> --- a/audit-test/utils/bin/do_symlink.c
>> +++ b/audit-test/utils/bin/do_symlink.c
>> @@ -14,7 +14,7 @@
>> */
>>
>> #include "includes.h"
>> -#ifndef SUSE
>> +#ifdef LSM_SELINUX
>> #include <selinux/selinux.h>
>> #endif
>>
>> @@ -27,7 +27,7 @@ int main(int argc, char **argv)
>> return 1;
>> }
>>
>> -#ifndef SUSE
>> +#ifdef LSM_SELINUX
>> if ((argc > 3) && (setfscreatecon(argv[3]) < 0)) {
>> perror("do_symlink: setfscreatecon");
>> return 1;
>> diff --git a/audit-test/utils/bin/do_symlinkat.c b/audit-test/utils/bin/do_symlinkat.c
>> index 9e67a28..1829dcf 100644
>> --- a/audit-test/utils/bin/do_symlinkat.c
>> +++ b/audit-test/utils/bin/do_symlinkat.c
>> @@ -15,7 +15,7 @@
>> */
>>
>> #include "includes.h"
>> -#ifndef SUSE
>> +#ifdef LSM_SELINUX
>> #include <selinux/selinux.h>
>> #endif
>>
>> @@ -32,7 +32,7 @@ int main(int argc, char **argv)
>> dir_fd = open(argv[1], O_DIRECTORY);
>> if (dir_fd < 0)
>> return TEST_ERROR;
>> -#ifndef SUSE
>> +#ifdef LSM_SELINUX
>> if (argc == 5 && setfscreatecon(argv[4]) < 0) {
>> perror("do_symlinkat: setfscreatecon");
>> return TEST_ERROR;
>> diff --git a/audit-test/utils/run.bash b/audit-test/utils/run.bash
>> index a2a5da6..ca7aad7 100755
>> --- a/audit-test/utils/run.bash
>> +++ b/audit-test/utils/run.bash
>> @@ -463,11 +463,15 @@ function show_header {
>> printf "%-32s %s\n" Mode: "${MODE:-(native)}"
>> printf "%-32s %s\n" Hostname: "$(uname -n)"
>> printf "%-32s %s\n" Profile: "$PPROFILE"
>> - printf "%-32s %s\n" "selinux-policy version:" "$(rpm -q selinux-policy)"
>> + if [[ $LSM_SELINUX == true ]] ; then
>> + printf "%-32s %s\n" "selinux-policy version:" "$(rpm -q selinux-policy)"
>> + fi
>> if [[ $PPROFILE == lspp ]] ; then
>> printf "%-32s %s\n" "lspp_test policy version:" "$(semodule -l | grep lspp_test | awk '{print $2}')"
>> fi
>> - printf "\n%s\n" "$(sestatus)"
>> + if [[ $LSM_SELINUX == true ]] ; then
>> + printf "\n%s\n" "$(sestatus)"
>> + fi
>> echo
>> } | tee $opt_logdir/$header_log
>> }
>>
>
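Review bot: In show_header the newly guarded line still runs `rpm -q selinux-policy`, which assumes an RPM-based system, while the commit message names Buildroot and OpenEmbedded as the targets this variable is meant to serve. On an SELinux system without rpm the header would carry an error string in place of a version. Check that the command exists before calling it, or print a fixed "unknown" value otherwise. The `semodule -l` call under `$PPROFILE == lspp` also stays outside the new guard; if lspp always implies SELinux, a comment saying so would make that intentional.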
|
|
From: Jiri J. <jja...@re...> - 2014-07-23 08:41:00
|
On 07/23/2014 09:37 AM, AKASHI Takahiro wrote:
> Current makefile uses DISTRO(== SUSE) to keep SE-Linux related programs
> from being compiled and executed. This is inconvenient for other
> distributions or rootfs build tools, like Buildroot and OpenEmbedded.
>
> This patch introduces LSM_SELINUX instead to do the same thing.
>
> Signed-off-by: AKASHI Takahiro <tak...@li...>
> ---
> audit-test/filter/run.conf | 2 ++
> audit-test/rules.mk | 9 +++++----
> audit-test/utils/Makefile | 7 ++++++-
> audit-test/utils/bin/Makefile | 2 +-
> audit-test/utils/bin/do_creat.c | 4 ++--
> audit-test/utils/bin/do_mkdir.c | 4 ++--
> audit-test/utils/bin/do_mkdirat.c | 4 ++--
> audit-test/utils/bin/do_mknod.c | 4 ++--
> audit-test/utils/bin/do_mknodat.c | 4 ++--
> audit-test/utils/bin/do_mq_open.c | 4 ++--
> audit-test/utils/bin/do_open.c | 4 ++--
> audit-test/utils/bin/do_openat.c | 4 ++--
> audit-test/utils/bin/do_symlink.c | 4 ++--
> audit-test/utils/bin/do_symlinkat.c | 4 ++--
> audit-test/utils/run.bash | 8 ++++++--
> 15 files changed, 40 insertions(+), 28 deletions(-)
>
> diff --git a/audit-test/filter/run.conf b/audit-test/filter/run.conf
> index 3ac111a..6d46786 100644
> --- a/audit-test/filter/run.conf
> +++ b/audit-test/filter/run.conf
> @@ -79,11 +79,13 @@ fi
> + class_write
> + class_exec
> + class_attr
> +if [[ $LSM_SELINUX == true ]]; then
> + secontext subj_sen
> + secontext subj_clr
> + secontext subj_role
> + secontext obj_lev_low
> + secontext obj_lev_high_base
> +fi
> if [[ $PPROFILE == lspp ]]; then
> + secontext obj_lev_high_mls
> fi
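Review bot: The `if [[ $PPROFILE == lspp ]]` block right after the new guard still runs `secontext obj_lev_high_mls` whether or not LSM_SELINUX is set. If the lspp profile can never be selected without SELinux, say so in a comment next to the block; otherwise nest it inside the `$LSM_SELINUX` check so that all secontext tests are skipped together.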
> diff --git a/audit-test/rules.mk b/audit-test/rules.mk
> index fd2f8a5..509b288 100644
> --- a/audit-test/rules.mk
> +++ b/audit-test/rules.mk
> @@ -75,13 +75,14 @@ RELEASE = $(wildcard /etc/*-release)
> ifeq (SuSE, $(findstring SuSE, $(RELEASE)))
> CFLAGS +=-DSUSE
> export DISTRO=SUSE
> -endif
> -ifeq (fedora, $(findstring fedora, $(RELEASE)))
> -CFLAGS +=-DFEDORA
> +else ifeq (fedora, $(findstring fedora, $(RELEASE)))
> +CFLAGS +="-DFEDORA -DLSM_SELINUX"
> export DISTRO=FEDORA
> +export LSM_SELINUX=true
> else ifeq (redhat, $(findstring redhat, $(RELEASE)))
> -CFLAGS +=-DRHEL
> +CFLAGS +="-DRHEL -DLSM_SELINUX"
> export DISTRO=RHEL
> +export LSM_SELINUX=true
> endif
>
> ifeq (s390x, $(findstring s390x, $(MACHINE)))
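Review bot: `-DLSM_SELINUX` is only added inside the fedora and redhat branches, so a Buildroot or OpenEmbedded build (the case the commit message is about) that passes LSM_SELINUX=true from the command line or environment gets the make-level conditionals but no `-DLSM_SELINUX` in CFLAGS: the binaries link against -lselinux while the setfscreatecon calls are compiled out. Let the distro branches only set the variable and derive the flag from it after the chain, for example `ifdef LSM_SELINUX` / `CFLAGS += -DLSM_SELINUX` / `endif`.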
> diff --git a/audit-test/utils/Makefile b/audit-test/utils/Makefile
> index 489d98b..52b9f38 100644
> --- a/audit-test/utils/Makefile
> +++ b/audit-test/utils/Makefile
> @@ -18,14 +18,19 @@
> TOPDIR = ..
> UTILSDIR = .
> CPPFLAGS += -I$(UTILSDIR)/include
> +ifeq ($(LSM_SELINUX), true)

You missed the point. :)

The ifdef / simple [[ $var ]] works and IMHO should be used,
the variable just needs to be nonempty.

ie.

export LSM_SELINUX=1

ifdef LSM_SELINUX
...
endif

if [[ "$LSM_SELINUX" ]]; then
...
fi

> LDLIBS += -lselinux
>
> UTILS_EXE = test_context \
> test_setcon
> +endif
>
> ALL_EXE = $(UTILS_EXE)
>
> -SUB_DIRS = bin network-server
> +SUB_DIRS = bin
> +ifeq ($(LSM_SELINUX), true)
> +SUB_DIRS += network-server
> +endif
>
> include $(TOPDIR)/rules.mk
>
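Review bot: Both `ifeq ($(LSM_SELINUX), true)` tests sit above `include $(TOPDIR)/rules.mk`, the file in which this patch sets LSM_SELINUX. Make evaluates conditionals as it reads them, so when make is started in audit-test/utils and the variable is not already in the environment, both tests are false on Fedora and RHEL as well, and test_context, test_setcon and network-server are skipped without any message. Either make the distro detection available before these conditionals, or document that LSM_SELINUX has to come from the environment or a parent make.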
> diff --git a/audit-test/utils/bin/Makefile b/audit-test/utils/bin/Makefile
> index 098d46c..42b94ea 100644
> --- a/audit-test/utils/bin/Makefile
> +++ b/audit-test/utils/bin/Makefile
> @@ -193,7 +193,7 @@ ALL_EXE += $(ONLY86_EXE)
> endif
>
> $(CAPS_EXE): LDLIBS += -lcap
> -ifneq ($(DISTRO), SUSE)
> +ifeq ($(LSM_SELINUX), true)
> $(CREATE_EXE): LDLIBS += -lselinux
> $(MQ_EXE): LDLIBS += -lrt -lselinux
> else
> diff --git a/audit-test/utils/bin/do_creat.c b/audit-test/utils/bin/do_creat.c
> index 85b31fb..81b0686 100644
> --- a/audit-test/utils/bin/do_creat.c
> +++ b/audit-test/utils/bin/do_creat.c
> @@ -14,7 +14,7 @@
> */
>
> #include "includes.h"
> -#ifndef SUSE
> +#ifdef LSM_SELINUX
> #include <selinux/selinux.h>
> #endif
>
> @@ -27,7 +27,7 @@ int main(int argc, char **argv)
> return 1;
> }
>
> -#ifndef SUSE
> +#ifdef LSM_SELINUX
> if ((argc > 2) && (setfscreatecon(argv[2]) < 0)) {
> perror("do_creat: setfscreatecon");
> return 1;
> diff --git a/audit-test/utils/bin/do_mkdir.c b/audit-test/utils/bin/do_mkdir.c
> index f06f394..d601903 100644
> --- a/audit-test/utils/bin/do_mkdir.c
> +++ b/audit-test/utils/bin/do_mkdir.c
> @@ -14,7 +14,7 @@
> */
>
> #include "includes.h"
> -#ifndef SUSE
> +#ifdef LSM_SELINUX
> #include <selinux/selinux.h>
> #endif
>
> @@ -27,7 +27,7 @@ int main(int argc, char **argv)
> return 1;
> }
>
> -#ifndef SUSE
> +#ifdef LSM_SELINUX
> if ((argc > 2) && (setfscreatecon(argv[2]) < 0)) {
> perror("do_mkdir: setfscreatecon");
> return 1;
> diff --git a/audit-test/utils/bin/do_mkdirat.c b/audit-test/utils/bin/do_mkdirat.c
> index 67d5ac9..5a6e54f 100644
> --- a/audit-test/utils/bin/do_mkdirat.c
> +++ b/audit-test/utils/bin/do_mkdirat.c
> @@ -14,7 +14,7 @@
> */
>
> #include "includes.h"
> -#ifndef SUSE
> +#ifdef LSM_SELINUX
> #include <selinux/selinux.h>
> #endif
>
> @@ -28,7 +28,7 @@ int main(int argc, char **argv)
> return TEST_ERROR;
> }
>
> -#ifndef SUSE
> +#ifdef LSM_SELINUX
> if ((argc > 3) && (setfscreatecon(argv[3]) < 0)) {
> perror("do_mkdirat: setfscreatecon");
> return TEST_ERROR;
> diff --git a/audit-test/utils/bin/do_mknod.c b/audit-test/utils/bin/do_mknod.c
> index 07ca554..c12c76d 100644
> --- a/audit-test/utils/bin/do_mknod.c
> +++ b/audit-test/utils/bin/do_mknod.c
> @@ -14,7 +14,7 @@
> */
>
> #include "includes.h"
> -#ifndef SUSE
> +#ifdef LSM_SELINUX
> #include <selinux/selinux.h>
> #endif
>
> @@ -27,7 +27,7 @@ int main(int argc, char **argv)
> return 1;
> }
>
> -#ifndef SUSE
> +#ifdef LSM_SELINUX
> if ((argc > 2) && (setfscreatecon(argv[2]) < 0)) {
> perror("do_mknod: setfscreatecon");
> return 1;
> diff --git a/audit-test/utils/bin/do_mknodat.c b/audit-test/utils/bin/do_mknodat.c
> index 5acb057..7e9ea2c 100644
> --- a/audit-test/utils/bin/do_mknodat.c
> +++ b/audit-test/utils/bin/do_mknodat.c
> @@ -14,7 +14,7 @@
> */
>
> #include "includes.h"
> -#ifndef SUSE
> +#ifdef LSM_SELINUX
> #include <selinux/selinux.h>
> #endif
>
> @@ -31,7 +31,7 @@ int main(int argc, char **argv)
> dir_fd = open(argv[1], O_DIRECTORY);
> if (dir_fd < 0)
> return TEST_ERROR;
> -#ifndef SUSE
> +#ifdef LSM_SELINUX
> if (argc == 4 && setfscreatecon(argv[3]) < 0) {
> perror("do_mknodat: setfscreatecon");
> return TEST_ERROR;
> diff --git a/audit-test/utils/bin/do_mq_open.c b/audit-test/utils/bin/do_mq_open.c
> index 25adc8b..8d0ec9d 100644
> --- a/audit-test/utils/bin/do_mq_open.c
> +++ b/audit-test/utils/bin/do_mq_open.c
> @@ -15,7 +15,7 @@
>
> #include "includes.h"
> #include <mqueue.h>
> -#ifndef SUSE
> +#ifdef LSM_SELINUX
> #include <selinux/selinux.h>
> #endif
>
> @@ -45,7 +45,7 @@ int main(int argc, char **argv)
> return 1;
> }
>
> -#ifndef SUSE
> +#ifdef LSM_SELINUX
> if ((argc > 3) && (setfscreatecon(argv[3]) < 0)) {
> perror("do_mq_open: setfscreatecon");
> return 1;
> diff --git a/audit-test/utils/bin/do_open.c b/audit-test/utils/bin/do_open.c
> index 1068461..781f6f9 100644
> --- a/audit-test/utils/bin/do_open.c
> +++ b/audit-test/utils/bin/do_open.c
> @@ -14,7 +14,7 @@
> */
>
> #include "includes.h"
> -#ifndef SUSE
> +#ifdef LSM_SELINUX
> #include <selinux/selinux.h>
> #endif
>
> @@ -46,7 +46,7 @@ int main(int argc, char **argv)
> return 1;
> }
>
> -#ifndef SUSE
> +#ifdef LSM_SELINUX
> if ((argc > 3) && (setfscreatecon(argv[3]) < 0)) {
> perror("do_open: setfscreatecon");
> return 1;
> diff --git a/audit-test/utils/bin/do_openat.c b/audit-test/utils/bin/do_openat.c
> index 43da725..6205406 100644
> --- a/audit-test/utils/bin/do_openat.c
> +++ b/audit-test/utils/bin/do_openat.c
> @@ -14,7 +14,7 @@
> */
>
> #include "includes.h"
> -#ifndef SUSE
> +#ifdef LSM_SELINUX
> #include <selinux/selinux.h>
> #endif
>
> @@ -53,7 +53,7 @@ int main(int argc, char **argv)
> perror("do_openat: open dirfd");
> return TEST_ERROR;
> }
> -#ifndef SUSE
> +#ifdef LSM_SELINUX
> if (argc == 5 && setfscreatecon(argv[4]) < 0) {
> perror("do_openat: setfscreatecon");
> return TEST_ERROR;
> diff --git a/audit-test/utils/bin/do_symlink.c b/audit-test/utils/bin/do_symlink.c
> index 75dfe0b..d902493 100644
> --- a/audit-test/utils/bin/do_symlink.c
> +++ b/audit-test/utils/bin/do_symlink.c
> @@ -14,7 +14,7 @@
> */
>
> #include "includes.h"
> -#ifndef SUSE
> +#ifdef LSM_SELINUX
> #include <selinux/selinux.h>
> #endif
>
> @@ -27,7 +27,7 @@ int main(int argc, char **argv)
> return 1;
> }
>
> -#ifndef SUSE
> +#ifdef LSM_SELINUX
> if ((argc > 3) && (setfscreatecon(argv[3]) < 0)) {
> perror("do_symlink: setfscreatecon");
> return 1;
> diff --git a/audit-test/utils/bin/do_symlinkat.c b/audit-test/utils/bin/do_symlinkat.c
> index 9e67a28..1829dcf 100644
> --- a/audit-test/utils/bin/do_symlinkat.c
> +++ b/audit-test/utils/bin/do_symlinkat.c
> @@ -15,7 +15,7 @@
> */
>
> #include "includes.h"
> -#ifndef SUSE
> +#ifdef LSM_SELINUX
> #include <selinux/selinux.h>
> #endif
>
> @@ -32,7 +32,7 @@ int main(int argc, char **argv)
> dir_fd = open(argv[1], O_DIRECTORY);
> if (dir_fd < 0)
> return TEST_ERROR;
> -#ifndef SUSE
> +#ifdef LSM_SELINUX
> if (argc == 5 && setfscreatecon(argv[4]) < 0) {
> perror("do_symlinkat: setfscreatecon");
> return TEST_ERROR;
> diff --git a/audit-test/utils/run.bash b/audit-test/utils/run.bash
> index a2a5da6..ca7aad7 100755
> --- a/audit-test/utils/run.bash
> +++ b/audit-test/utils/run.bash
> @@ -463,11 +463,15 @@ function show_header {
> printf "%-32s %s\n" Mode: "${MODE:-(native)}"
> printf "%-32s %s\n" Hostname: "$(uname -n)"
> printf "%-32s %s\n" Profile: "$PPROFILE"
> - printf "%-32s %s\n" "selinux-policy version:" "$(rpm -q selinux-policy)"
> + if [[ $LSM_SELINUX == true ]] ; then
> + printf "%-32s %s\n" "selinux-policy version:" "$(rpm -q selinux-policy)"
> + fi
> if [[ $PPROFILE == lspp ]] ; then
> printf "%-32s %s\n" "lspp_test policy version:" "$(semodule -l | grep lspp_test | awk '{print $2}')"
> fi
> - printf "\n%s\n" "$(sestatus)"
> + if [[ $LSM_SELINUX == true ]] ; then
> + printf "\n%s\n" "$(sestatus)"
> + fi
> echo
> } | tee $opt_logdir/$header_log
> }
>
|
|
From: AKASHI T. <tak...@li...> - 2014-07-23 07:38:54
|
This patch selectively executes appropriate test programs for arm. Signed-off-by: AKASHI Takahiro <tak...@li...> --- audit-test/syscalls/cap-run.conf | 15 ++++++++++----- audit-test/syscalls/dac-run.conf | 24 ++++++++++++++++-------- audit-test/syscalls/mac-run.conf | 24 ++++++++++++++++-------- audit-test/utils/bin/Makefile | 4 ++++ 4 files changed, 46 insertions(+), 21 deletions(-) diff --git a/audit-test/syscalls/cap-run.conf b/audit-test/syscalls/cap-run.conf index 93454ef..8d440fc 100644 --- a/audit-test/syscalls/cap-run.conf +++ b/audit-test/syscalls/cap-run.conf @@ -221,7 +221,8 @@ fi ## syscall using the value of flag to determine the control operation; ## verify the result. ## 3. Check the audit log for the correct syscall result -if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then +if [[ ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) || + $ARCH == "arm" ]]; then + msgctl perm=msg_id_remove expres=success user=super + msgctl perm=msg_id_remove expres=fail user=test + msgctl perm=msg_id_set expres=success user=super @@ -250,7 +251,8 @@ fi ## syscall using the value of flag to determine the control operation; ## verify the result. ## 3. Check the audit log for the correct syscall result -if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then +if [[ ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) || + $ARCH == "arm" ]]; then + semctl perm=sem_id_remove expres=success user=super + semctl perm=sem_id_remove expres=fail user=test + semctl perm=sem_id_set expres=success user=super 
@@ -279,7 +281,8 @@ fi ## syscall using the value of flag to determine the control operation; ## verify the result. ## 3. Check the audit log for the correct syscall result -if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then +if [[ ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) || + $ARCH == "arm" ]]; then + shmctl perm=shm_id_remove expres=success user=super + shmctl perm=shm_id_remove expres=fail user=test + shmctl perm=shm_id_set expres=success user=super @@ -338,7 +341,8 @@ fi ## 1b. If expres=fail, execute the test process as a regular user and ## attempt to set port permission bits, verify the result. ## 2. Check the audit log for the correct syscall result -if [[ $MODE == 32 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then +if [[ $MODE == 32 && + $ARCH != "PPC" && $ARCH != "s390x" && $ARCH != "arm" ]]; then + ioperm perm=io_perm expres=success user=super + ioperm perm=io_perm expres=fail user=test fi @@ -353,7 +357,8 @@ fi ## 1b. If expres=fail, execute the test process as a regular user and ## attempt to set process's the I/O privilege level, verify the result. ## 2. Check the audit log for the correct syscall result -if [[ $MODE == 32 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then +if [[ $MODE == 32 && + $ARCH != "PPC" && $ARCH != "s390x" && $ARCH != "arm" ]]; then + iopl perm=io_priv expres=success user=super + iopl perm=io_priv expres=fail user=test fi diff --git a/audit-test/syscalls/dac-run.conf b/audit-test/syscalls/dac-run.conf index d02b7a6..a03c637 100644 --- a/audit-test/syscalls/dac-run.conf +++ b/audit-test/syscalls/dac-run.conf 
@@ -436,7 +436,8 @@ fi ## syscall using the value of flag to determine whether to open the message ## queue for read or write; verify the result. ## 3. Check the audit log for the correct syscall result -if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then +if [[ ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) || + $ARCH == "arm" ]]; then + msgget perm=msg_key_read expres=success dacugo=user user=super + msgget perm=msg_key_read expres=fail dacugo=user user=test + msgget perm=msg_key_write expres=success dacugo=user user=super @@ -460,7 +461,8 @@ fi ## 2b. If expres=fail, execute the test process as another user and attempt to ## receive a message, verify the result ## 3. Check the audit log for the correct syscall result -if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then +if [[ ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) || + $ARCH == "arm" ]]; then + msgrcv perm=msg_id_recv expres=success dacugo=user user=super + msgrcv perm=msg_id_recv expres=fail dacugo=user user=test else @@ -480,7 +482,8 @@ fi ## 2b. If expres=fail, execute the test process as another user and attempt to ## send a message, verify the result ## 3. Check the audit log for the correct syscall result -if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then +if [[ ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) || + $ARCH == "arm" ]]; then + msgsnd perm=msg_id_send msg="this is a test" expres=success dacugo=user \ user=super testfunc=test_su_msg_send + msgsnd perm=msg_id_send msg="this is a test" expres=fail dacugo=user \ 
@@ -512,7 +515,8 @@ fi ## syscall using the value of flag to determine whether to open the ## semaphore set for read or write; verify the result. ## 3. Check the audit log for the correct syscall result -if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then +if [[ ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) || + $ARCH == "arm" ]]; then + semget perm=sem_key_read expres=success dacugo=user user=super + semget perm=sem_key_read expres=fail dacugo=user user=test + semget perm=sem_key_write expres=success dacugo=user user=super @@ -537,7 +541,8 @@ fi ## 2b. If expres=fail, execute the test process as another user and attempt a ## read operation, verify the result ## 3. Check the audit log for the correct syscall result -if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then +if [[ ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) || + $ARCH == "arm" ]]; then + semop perm=sem_id_read expres=success dacugo=user user=super + semop perm=sem_id_read expres=fail dacugo=user user=test else @@ -558,7 +563,8 @@ fi ## 2b. If expres=fail, execute the test process as another user and attempt a ## write operation, verify the result ## 3. Check the audit log for the correct syscall result -if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then +if [[ ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) || + $ARCH == "arm" ]]; then + semtimedop perm=sem_id_write expres=success dacugo=user user=super + semtimedop perm=sem_id_write expres=fail dacugo=user user=test else 
@@ -583,7 +589,8 @@ fi ## syscall using the value of perm to determine whether to perform a read or ## write operation; verify the result ## 3. Check the audit log for the correct syscall result -if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then +if [[ ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) || + $ARCH == "arm" ]]; then + shmat perm=shm_id_read expres=success dacugo=user user=super + shmat perm=shm_id_read expres=fail dacugo=user user=test + shmat perm=shm_id_write expres=success dacugo=user user=super @@ -618,7 +625,8 @@ fi ## syscall using the value of flag to determine whether to request the ## shared memory segment for read or write; verify the result. ## 3. Check the audit log for the correct syscall result -if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then +if [[ ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) || + $ARCH == "arm" ]]; then + shmget perm=shm_key_read expres=success dacugo=user user=super + shmget perm=shm_key_read expres=fail dacugo=user user=test + shmget perm=shm_key_write expres=success dacugo=user user=super diff --git a/audit-test/syscalls/mac-run.conf b/audit-test/syscalls/mac-run.conf index b7c064b..df7d873 100644 --- a/audit-test/syscalls/mac-run.conf +++ b/audit-test/syscalls/mac-run.conf @@ -702,7 +702,8 @@ fi ## test process requests the message queue for read or write depending on ## the 'perm' value '*_read' or '*_write'. Verify the result. ## 3. Check the audit log for the correct syscall result -if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then +if [[ ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) || + $ARCH == "arm" ]]; then + msgget perm=msg_key_read expres=success mlsop=eq + msgget perm=msg_key_read expres=success mlsop=dom + msgget perm=msg_key_read expres=fail mlsop=domby 
@@ -737,7 +738,8 @@ fi ## the ipc() syscall the function is determined by the 'op' variable. ## Verify the result. ## 4. Check the audit log for the correct syscall result -if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then +if [[ ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) || + $ARCH == "arm" ]]; then + msgrcv perm=msg_id_recv expres=success mlsop=eq + msgrcv perm=msg_id_recv expres=success mlsop=dom + msgrcv perm=msg_id_recv expres=fail mlsop=domby @@ -763,7 +765,8 @@ fi ## the ipc() syscall the function is determined by the 'op' variable. ## Verify the result. ## 4. Check the audit log for the correct syscall result -if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then +if [[ ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) || + $ARCH == "arm" ]]; then + msgsnd perm=msg_id_send msg="this is a test" expres=success mlsop=eq \ testfunc=test_runcon_msg_send + msgsnd perm=msg_id_send msg="this is a test" expres=fail mlsop=dom \ @@ -801,7 +804,8 @@ fi ## test process requests the semaphore set for read or write depending on ## the 'perm' value '*_read' or '*_write'. Verify the result. ## 3. Check the audit log for the correct syscall result -if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then +if [[ ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) || + $ARCH == "arm" ]]; then + semget perm=sem_key_read expres=success mlsop=eq + semget perm=sem_key_read expres=success mlsop=dom + semget perm=sem_key_read expres=fail mlsop=domby 
@@ -835,7 +839,8 @@ fi ## read operation. With the ipc() syscall the function is determined by the ## 'op' variable. Verify the result. ## 3. Check the audit log for the correct syscall result -if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then +if [[ ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) || + $ARCH == "arm" ]]; then + semop perm=sem_id_read expres=success mlsop=eq + semop perm=sem_id_read expres=success mlsop=dom + semop perm=sem_id_read expres=fail mlsop=domby @@ -861,7 +866,8 @@ fi ## write operation. With the ipc() syscall the function is determined by the ## 'op' variable. Verify the result. ## 3. Check the audit log for the correct syscall result -if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then +if [[ ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) || + $ARCH == "arm" ]]; then + semtimedop perm=sem_id_write expres=success mlsop=eq + semtimedop perm=sem_id_write expres=fail mlsop=dom + semtimedop perm=sem_id_write expres=fail mlsop=domby @@ -892,7 +898,8 @@ fi ## 'perm' variable. With the ipc() syscall the function is determined by ## the 'op' variable. Verify the result. ## 3. Check the audit log for the correct syscall result -if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then +if [[ ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) || + $ARCH == "arm" ]]; then + shmat perm=shm_id_read expres=success mlsop=eq + shmat perm=shm_id_read expres=success mlsop=dom + shmat perm=shm_id_read expres=fail mlsop=domby 
@@ -934,7 +941,8 @@ fi ## test process requests the shared memory segment for read or write ## depending on the 'perm' value '*_read' or '*_write'. Verify the result. ## 3. Check the audit log for the correct syscall result -if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then +if [[ ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) || + $ARCH == "arm" ]]; then + shmget perm=shm_key_read expres=success mlsop=eq + shmget perm=shm_key_read expres=success mlsop=dom + shmget perm=shm_key_read expres=fail mlsop=domby diff --git a/audit-test/utils/bin/Makefile b/audit-test/utils/bin/Makefile index 62c5538..0f2852f 100644 --- a/audit-test/utils/bin/Makefile +++ b/audit-test/utils/bin/Makefile @@ -187,6 +187,10 @@ ALL_EXE += $(ONLY32_EXE) endif endif endif +ifeq ($(MACHINE), arm) +ALL_EXE += $(ONLY32_EXE) +endif + ifeq ($(MACHINE), ia64) ALL_EXE += $(ONLYIA64_EXE) -- 1.7.9.5 |
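Review bot: The condition `( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) || $ARCH == "arm"` is pasted into every msg*, sem* and shm* block of cap-run.conf, dac-run.conf and mac-run.conf, so the next architecture with direct IPC syscalls means editing all of those places again. Compute the result once near the top of each file, or in a shared helper, and test that single variable in the blocks. In utils/bin/Makefile the new test is `ifeq ($(MACHINE), arm)`, an exact match, while the .conf files key on $ARCH; the patch does not show where either value is normalised to `arm`, so please state that in the commit message or a comment next to the test.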
|
From: AKASHI T. <tak...@li...> - 2014-07-23 07:38:49
|
On arm64/aarch64, some system calls are implemented in glibc using other
primitive system calls, say open() vs. openat(). Therefore, audit logs
have only records for primitive ones.
This patch adds work-arounds for these cases.
Signed-off-by: AKASHI Takahiro <tak...@li...>
---
audit-test/filter/tests/test_auid.bash | 9 +++++--
audit-test/filter/tests/test_class_attr.bash | 28 +++++++++++++++-----
audit-test/filter/tests/test_dev_inode.bash | 11 +++++---
audit-test/filter/tests/test_success.bash | 8 ++++--
audit-test/filter/tests/test_syscall.bash | 8 ++++--
audit-test/filter/tests/test_type.bash | 9 +++++--
audit-test/filter/tests/test_watch_dir_remove.bash | 20 ++++++++------
audit-test/filter/tests/test_watch_open.bash | 10 +++++--
audit-test/filter/tests/test_watch_remove.bash | 4 +++
9 files changed, 79 insertions(+), 28 deletions(-)
diff --git a/audit-test/filter/tests/test_auid.bash b/audit-test/filter/tests/test_auid.bash
index c165cf3..211023a 100755
--- a/audit-test/filter/tests/test_auid.bash
+++ b/audit-test/filter/tests/test_auid.bash
@@ -33,8 +33,13 @@ do_open_file $tmp1
augrok --seek=$log_mark "name==$tmp1" "auid==$user_auid" \
&& exit_error "Unexpected record found."
-auditctl -a exit,always -F arch=b$MODE -S open -F auid=$user_auid
-prepend_cleanup "auditctl -d exit,always -F arch=b$MODE -S open -F auid=$user_auid"
+if [[ ${MACHINE} = "aarch64" ]]; then
+ syscall_name="openat"
+else
+ syscall_name="open"
+fi
+auditctl -a exit,always -F arch=b$MODE -S $syscall_name -F auid=$user_auid
+prepend_cleanup "auditctl -d exit,always -F arch=b$MODE -S $syscall_name -F auid=$user_auid"
# audit log marker
log_mark=$(stat -c %s $audit_log)
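Review bot: The if [[ ${MACHINE} = "aarch64" ]] block that picks syscall_name here is repeated verbatim in test_dev_inode.bash, test_success.bash, test_syscall.bash, test_type.bash and test_watch_open.bash. The tests that source filter_functions.bash could get the name from one shared definition there, so the next architecture without a native open() needs a single change instead of six.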
diff --git a/audit-test/filter/tests/test_class_attr.bash b/audit-test/filter/tests/test_class_attr.bash
index 687b3d9..f2a2f8f 100755
--- a/audit-test/filter/tests/test_class_attr.bash
+++ b/audit-test/filter/tests/test_class_attr.bash
@@ -32,15 +32,29 @@ log_mark=$(stat -c %s $audit_log)
# test
do_chmod $watch 777
-do_chown $watch root
+if [[ ${MACHINE} = "aarch64" ]]; then
+ do_fchownat $(dirname $watch) $(basename $watch) root
+else
+ do_chown $watch root
+fi
do_unlink $watch
# verify audit record
-augrok --seek=$log_mark type==SYSCALL syscall==chmod name==$watch \
- || exit_fail "Expected record for 'chmod' not found."
-augrok --seek=$log_mark type==SYSCALL syscall==chown name==$watch \
- || exit_fail "Expected record for 'chown' not found."
-augrok --seek=$log_mark type==SYSCALL syscall==unlink name==$watch \
- && exit_fail "Unexpected record for 'unlink' found."
+if [[ ${MACHINE} = "aarch64" ]]; then
+ augrok --seek=$log_mark type==SYSCALL syscall==fchmodat name==$watch \
+ || exit_fail "Expected record for 'chmod' not found."
+ augrok --seek=$log_mark type==SYSCALL syscall==fchownat
+ name==$(basename $watch) \
+ || exit_fail "Expected record for 'chown' not found."
+ augrok --seek=$log_mark type==SYSCALL syscall==unlinkat name==$watch \
+ && exit_fail "Unexpected record for 'unlink' found."
+else
+ augrok --seek=$log_mark type==SYSCALL syscall==chmod name==$watch \
+ || exit_fail "Expected record for 'chmod' not found."
+ augrok --seek=$log_mark type==SYSCALL syscall==chown name==$watch \
+ || exit_fail "Expected record for 'chown' not found."
+ augrok --seek=$log_mark type==SYSCALL syscall==unlink name==$watch \
+ && exit_fail "Unexpected record for 'unlink' found."
+fi
exit_pass
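Review bot: In the aarch64 branch, the added augrok line ending in syscall==fchownat has no trailing backslash, so name==$(basename $watch) on the next line is a separate command. The shell parses that as an assignment to a variable called name, which succeeds, so the following || exit_fail can never fire and the fchownat check is effectively disabled. Add the continuation. A comment would also help on why the fchownat record is matched on the basename while fchmodat and unlinkat are matched on the full $watch path.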
diff --git a/audit-test/filter/tests/test_dev_inode.bash b/audit-test/filter/tests/test_dev_inode.bash
index 30ea580..33d83cf 100755
--- a/audit-test/filter/tests/test_dev_inode.bash
+++ b/audit-test/filter/tests/test_dev_inode.bash
@@ -34,11 +34,16 @@ minor=$((0x$minor))
event_obj=$(get_event_obj $1)
[[ $event_obj != $tmp1 ]] && prepend_cleanup "rm -f $event_obj"
-auditctl -a exit,always -F arch=b$MODE -S open -F key=$tmp1 \
- -F inode=$inode -F devmajor=$major -F devminor=$minor
+if [[ ${MACHINE} = "aarch64" ]]; then
+ syscall_name="openat"
+else
+ syscall_name="open"
+fi
+auditctl -a exit,always -F arch=b$MODE -S $syscall_name -F key=$tmp1 \
+ -F inode=$inode -F devmajor=$major -F devminor=$minor
prepend_cleanup "
-auditctl -d exit,always -F arch=b$MODE -S open -F key=$tmp1 \
+auditctl -d exit,always -F arch=b$MODE -S $syscall_name -F key=$tmp1 \
-F inode=$inode -F devmajor=$major -F devminor=$minor"
log_mark=$(stat -c %s $audit_log)
diff --git a/audit-test/filter/tests/test_success.bash b/audit-test/filter/tests/test_success.bash
index 497959b..b38683e 100755
--- a/audit-test/filter/tests/test_success.bash
+++ b/audit-test/filter/tests/test_success.bash
@@ -21,7 +21,11 @@
source filter_functions.bash || exit 2
# setup
-syscall_name="open"
+if [[ ${MACHINE} = "aarch64" ]]; then
+ syscall_name="openat"
+else
+ syscall_name="open"
+fi
syscall_num=$(augrok --resolve $syscall_name) \
|| exit_error "unable to determine the syscall number for $syscall_name"
@@ -37,7 +41,7 @@ case $op in
;;
*) exit_fail "unknown test operation" ;;
esac
-filter_rule="exit,always -F arch=b$MODE -S open"
+filter_rule="exit,always -F arch=b$MODE -S $syscall_name"
auditctl -a $filter_rule $filter_field
prepend_cleanup "auditctl -d $filter_rule $filter_field"
diff --git a/audit-test/filter/tests/test_syscall.bash b/audit-test/filter/tests/test_syscall.bash
index 8159b92..3f26cec 100755
--- a/audit-test/filter/tests/test_syscall.bash
+++ b/audit-test/filter/tests/test_syscall.bash
@@ -21,13 +21,17 @@
source filter_functions.bash || exit 2
# setup
-syscall_name="open"
+if [[ ${MACHINE} = "aarch64" ]]; then
+ syscall_name="openat"
+else
+ syscall_name="open"
+fi
syscall_num=$(augrok --resolve $syscall_name) \
|| exit_error "unable to determine the syscall number for $syscall_name"
op=$1
case $op in
- name) filter_rule="exit,always -F arch=b$MODE -S open" ;;
+ name) filter_rule="exit,always -F arch=b$MODE -S $syscall_name" ;;
number) filter_rule="exit,always -S $syscall_num";;
*) exit_fail "unknown test operation" ;;
esac
diff --git a/audit-test/filter/tests/test_type.bash b/audit-test/filter/tests/test_type.bash
index 16c63f4..aa797a0 100755
--- a/audit-test/filter/tests/test_type.bash
+++ b/audit-test/filter/tests/test_type.bash
@@ -27,10 +27,15 @@ source filter_functions.bash || exit 2
# setup
user_auid=$(cat /proc/self/loginuid)
+if [[ ${MACHINE} = "aarch64" ]]; then
+ syscall_name="openat"
+else
+ syscall_name="open"
+fi
# setup auditctl
-auditctl -a exit,always -F arch=b$MODE -S open -F auid=$user_auid
-prepend_cleanup "auditctl -d exit,always -F arch=b$MODE -S open -F auid=$user_auid"
+auditctl -a exit,always -F arch=b$MODE -S $syscall_name -F auid=$user_auid
+prepend_cleanup "auditctl -d exit,always -F arch=b$MODE -S $syscall_name -F auid=$user_auid"
# audit log marker
log_mark=$(stat -c %s $audit_log)
diff --git a/audit-test/filter/tests/test_watch_dir_remove.bash b/audit-test/filter/tests/test_watch_dir_remove.bash
index bbdd9fb..23b79ab 100755
--- a/audit-test/filter/tests/test_watch_dir_remove.bash
+++ b/audit-test/filter/tests/test_watch_dir_remove.bash
@@ -28,24 +28,28 @@ tmpd=$(mktemp -d) || exit_fail "create tempdir failed"
watch="$tmpd"
name="$tmpd/foo"
-auditctl -a exit,always -F arch=b$MODE -S $op -F path=$watch
-auditctl -a exit,always -F arch=b$MODE -S $opat -F path=$watch
-
-prepend_cleanup "
- auditctl -d exit,always -F arch=b$MODE -S $op -F path=$watch
- auditctl -d exit,always -F arch=b$MODE -S $opat -F path=$watch
- rm -rf $tmpd"
-
case $op in
rename) touch $name
gen_audit_event="mv $tmp1 $name" ;;
rmdir) mkdir $name
+ if [[ ${MACHINE} = "aarch64" ]]; then
+ op="unlink";
+ opat="unlinkat";
+ fi
gen_audit_event="rmdir $name" ;;
unlink) touch $name
gen_audit_event="rm $name" ;;
*) exit_fail "unknown test operation: $op" ;;
esac
+auditctl -a exit,always -F arch=b$MODE -S $op -F path=$watch
+auditctl -a exit,always -F arch=b$MODE -S $opat -F path=$watch
+
+prepend_cleanup "
+ auditctl -d exit,always -F arch=b$MODE -S $op -F path=$watch
+ auditctl -d exit,always -F arch=b$MODE -S $opat -F path=$watch
+ rm -rf $tmpd"
+
log_mark=$(stat -c %s $audit_log)
# test
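Review bot: In the rmdir case, the aarch64 override sets op="unlink", and that value is then passed to auditctl -a ... -S $op. The rest of the series treats the non-at calls (open, chown) as absent on aarch64, so confirm that auditctl accepts -S unlink with arch=b$MODE there; if it does not, install only the $opat rule on aarch64. The same question applies to the rename and unlink cases, which keep their $op unchanged. The semicolons after the two assignments are unnecessary.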
diff --git a/audit-test/filter/tests/test_watch_open.bash b/audit-test/filter/tests/test_watch_open.bash
index 525ac31..c7fe367 100755
--- a/audit-test/filter/tests/test_watch_open.bash
+++ b/audit-test/filter/tests/test_watch_open.bash
@@ -29,8 +29,14 @@ watch=$tmp1
event_obj=$(get_event_obj $1)
[[ $event_obj != $watch ]] && prepend_cleanup "rm -f $event_obj"
-auditctl -a exit,always -F arch=b$MODE -S open -F key=$watch -F path=$watch
-prepend_cleanup "auditctl -d exit,always -F arch=b$MODE -S openat -F key=$watch -F path=$watch"
+if [[ ${MACHINE} = "aarch64" ]]; then
+ syscall_name="openat"
+else
+ syscall_name="open"
+fi
+
+auditctl -a exit,always -F arch=b$MODE -S $syscall_name -F key=$watch -F path=$watch
+prepend_cleanup "auditctl -d exit,always -F arch=b$MODE -S $syscall_name -F key=$watch -F path=$watch"
# test open with O_CREAT|O_RDONLY; verify audit record
log_mark=$(stat -c %s $audit_log)
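Review bot: The commit message should mention that this hunk also fixes an existing mismatch: the old code added the rule with -S open but the cleanup tried to delete it with -S openat, so the cleanup would not have removed the rule that was added. That is a behaviour change on every architecture, not only aarch64, and is easy to miss in a patch described as an aarch64 work-around.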
diff --git a/audit-test/filter/tests/test_watch_remove.bash b/audit-test/filter/tests/test_watch_remove.bash
index 2e00a50..3d370a7 100755
--- a/audit-test/filter/tests/test_watch_remove.bash
+++ b/audit-test/filter/tests/test_watch_remove.bash
@@ -30,6 +30,10 @@ case $op in
unlink) touch $name
gen_audit_event="rm $name" ;;
rmdir) mkdir $name
+ if [[ ${MACHINE} = "aarch64" ]]; then
+ op="unlink";
+ opat="unlinkat";
+ fi
gen_audit_event="rmdir $name" ;;
rename) touch $name
gen_audit_event="mv $tmp1 $name" ;;
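Review bot: The op/opat override in the rmdir case only helps if the auditctl -a ... -S $op lines run after this case statement. In test_watch_dir_remove.bash the same patch had to move them below the case; no such move appears in this file, so check the ordering here, otherwise the rules are installed with the original names before the override takes effect.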
--
1.7.9.5
|
|
From: AKASHI T. <tak...@li...> - 2014-07-23 07:38:40
|
This patch defines an architecture type for arm64/aarch64, and excludes some
system call tests. For example, chown is not a native system call
on arm64/aarch64 and so __NR_chown is not defined.
Signed-off-by: AKASHI Takahiro <tak...@li...>
---
audit-test/rules.mk | 2 ++
audit-test/utils/augrok | 2 ++
audit-test/utils/bin/Makefile | 8 ++++++--
3 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/audit-test/rules.mk b/audit-test/rules.mk
index 509b288..1cfa098 100644
--- a/audit-test/rules.mk
+++ b/audit-test/rules.mk
@@ -48,6 +48,8 @@ LINK_AR = $(AR) rc $@ $^
LINK_EXE = $(CC) $(LDFLAGS) -o $@ $^ $(LOADLIBES) $(LDLIBS)
LINK_SO = $(CC) $(LDFLAGS) -shared -o $@ $^ $(LOADLIBES) $(LDLIBS)
+export MACHINE
+
# If MODE isn't set explicitly, the default for the machine is used
export NATIVE = $(strip $(shell file /bin/bash | awk -F'[ -]' '{print $$3}'))
export MODE ?= $(NATIVE)
diff --git a/audit-test/utils/augrok b/audit-test/utils/augrok
index f0542e5..a42cd21 100755
--- a/audit-test/utils/augrok
+++ b/audit-test/utils/augrok
@@ -585,6 +585,8 @@ our (%archtab) = (
'c0009026' => 'alpha',
'40000028' => 'arm',
'28' => 'armeb',
+ 'c00000b7' => 'aarch64',
+ '800000b7' => 'aarch64eb',
'4000004c' => 'cris',
'2e' => 'h8300',
'40000003' => 'i386',
diff --git a/audit-test/utils/bin/Makefile b/audit-test/utils/bin/Makefile
index 42b94ea..62c5538 100644
--- a/audit-test/utils/bin/Makefile
+++ b/audit-test/utils/bin/Makefile
@@ -112,7 +112,6 @@ ALL_EXE = $(CAPS_EXE) \
do_bind \
do_chdir \
do_chmod \
- do_chown \
do_clone \
do_delete_module \
do_dummy \
@@ -130,7 +129,6 @@ ALL_EXE = $(CAPS_EXE) \
do_init_module \
do_ioctl \
do_kill \
- do_lchown \
do_lgetxattr \
do_link \
do_linkat \
@@ -174,6 +172,10 @@ ALL_EXE = $(CAPS_EXE) \
do_utimensat \
do_utimes
+ifneq ($(MACHINE), aarch64)
+ALL_EXE += do_chown \
+ do_lchown
+endif
ifeq ($(MODE), 32)
ifeq ($(MACHINE), ppc64)
ALL_EXE += $(ONLY32P_EXE)
@@ -189,8 +191,10 @@ endif
ifeq ($(MACHINE), ia64)
ALL_EXE += $(ONLYIA64_EXE)
else
+ifneq ($(MACHINE), aarch64)
ALL_EXE += $(ONLY86_EXE)
endif
+endif
$(CAPS_EXE): LDLIBS += -lcap
ifeq ($(LSM_SELINUX), true)
--
1.7.9.5
|
|
From: AKASHI T. <tak...@li...> - 2014-07-23 07:38:34
|
On some architectures including arm64, system call numbers are defined
in /usr/include/asm-generic/unistd.h. This file contains an irregular
style of definitions like
#define __NR3264_truncate 45
#define __NR_truncate __NR3264_truncate
(In fact, it's more complicated.)
This patch takes care of such cases.
Signed-off-by: AKASHI Takahiro <tak...@li...>
---
audit-test/utils/augrok | 15 +++++++++++++--
1 file changed, 13 insertions(+), 2 deletions(-)
diff --git a/audit-test/utils/augrok b/audit-test/utils/augrok
index 08f731a..f0542e5 100755
--- a/audit-test/utils/augrok
+++ b/audit-test/utils/augrok
@@ -113,8 +113,12 @@ sub new {
open(S, "gcc $m32 -E -dM /usr/include/syscall.h |") or die;
my $line;
while (defined($line = <S>)) {
- next unless $line =~ /^#define\s+__NR_(\w+)\s+(\w+|\(.*?\))/;
- $singleton->{$1} = $2;
+ if ($line =~ /^#define\s+__NR_(\w+)\s+(\w+|\(.*?\))/) {
+ $singleton->{$1} = $2;
+ }
+ if ($line =~ /^#define\s+__NR3264_(\w+)\s+(\w+|\(.*?\))/) {
+ $singleton->{"3264_$1"} = $2;
+ }
}
close S;
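Review bot: The __NR3264_* values are stored in the same $singleton hash as the real syscall names, under keys like 3264_truncate. Any code that walks this hash to map a number back to a name, or to list known syscalls, will now see those helper keys as well. Keeping them in a separate hash, or deleting them once the aliases are resolved, avoids that.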
@@ -139,6 +143,13 @@ sub new {
$changed = 1;
}
+ #define __NR_truncate __NR3264_truncate
+ if ($v =~ /^__NR3264_(\w+)$/ and
+ defined($new_v = $singleton->{"3264_$1"})) {
+ $singleton->{$k} = $new_v;
+ $changed = 1;
+ }
+
# don't know how to handle this, hope it wasn't important
else {
print STDERR "Removing syscall{$k} = $v\n" if $opt{'debug'};
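Review bot: The new block starts with a plain if, placed between the closing brace of the previous branch and the existing else. The else now pairs with this new if, so if the preceding block belongs to the same if/elsif chain, as the "don't know how to handle this" comment suggests, every entry that is not an __NR3264_ alias falls into the removal branch, including entries an earlier branch has just resolved. It should be elsif so it stays in the chain.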
--
1.7.9.5
|
|
From: AKASHI T. <tak...@li...> - 2014-07-23 07:38:29
|
The current makefile uses DISTRO (== SUSE) to keep SE-Linux related programs
from being compiled and executed. This is inconvenient for other
distributions or rootfs build tools, like Buildroot and OpenEmbedded.
This patch introduces LSM_SELINUX instead to do the same thing.
Signed-off-by: AKASHI Takahiro <tak...@li...>
---
audit-test/filter/run.conf | 2 ++
audit-test/rules.mk | 9 +++++----
audit-test/utils/Makefile | 7 ++++++-
audit-test/utils/bin/Makefile | 2 +-
audit-test/utils/bin/do_creat.c | 4 ++--
audit-test/utils/bin/do_mkdir.c | 4 ++--
audit-test/utils/bin/do_mkdirat.c | 4 ++--
audit-test/utils/bin/do_mknod.c | 4 ++--
audit-test/utils/bin/do_mknodat.c | 4 ++--
audit-test/utils/bin/do_mq_open.c | 4 ++--
audit-test/utils/bin/do_open.c | 4 ++--
audit-test/utils/bin/do_openat.c | 4 ++--
audit-test/utils/bin/do_symlink.c | 4 ++--
audit-test/utils/bin/do_symlinkat.c | 4 ++--
audit-test/utils/run.bash | 8 ++++++--
15 files changed, 40 insertions(+), 28 deletions(-)
diff --git a/audit-test/filter/run.conf b/audit-test/filter/run.conf
index 3ac111a..6d46786 100644
--- a/audit-test/filter/run.conf
+++ b/audit-test/filter/run.conf
@@ -79,11 +79,13 @@ fi
+ class_write
+ class_exec
+ class_attr
+if [[ $LSM_SELINUX == true ]]; then
+ secontext subj_sen
+ secontext subj_clr
+ secontext subj_role
+ secontext obj_lev_low
+ secontext obj_lev_high_base
+fi
if [[ $PPROFILE == lspp ]]; then
+ secontext obj_lev_high_mls
fi
diff --git a/audit-test/rules.mk b/audit-test/rules.mk
index fd2f8a5..509b288 100644
--- a/audit-test/rules.mk
+++ b/audit-test/rules.mk
@@ -75,13 +75,14 @@ RELEASE = $(wildcard /etc/*-release)
ifeq (SuSE, $(findstring SuSE, $(RELEASE)))
CFLAGS +=-DSUSE
export DISTRO=SUSE
-endif
-ifeq (fedora, $(findstring fedora, $(RELEASE)))
-CFLAGS +=-DFEDORA
+else ifeq (fedora, $(findstring fedora, $(RELEASE)))
+CFLAGS +="-DFEDORA -DLSM_SELINUX"
export DISTRO=FEDORA
+export LSM_SELINUX=true
else ifeq (redhat, $(findstring redhat, $(RELEASE)))
-CFLAGS +=-DRHEL
+CFLAGS +="-DRHEL -DLSM_SELINUX"
export DISTRO=RHEL
+export LSM_SELINUX=true
endif
ifeq (s390x, $(findstring s390x, $(MACHINE)))
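Review bot: The quotes in CFLAGS +="-DFEDORA -DLSM_SELINUX" are kept literally by make, so the shell hands the compiler a single argument containing both flags and LSM_SELINUX is not defined as its own macro. Write CFLAGS += -DFEDORA -DLSM_SELINUX, and the same for the RHEL line. It would also help to add -DLSM_SELINUX based on the LSM_SELINUX variable rather than inside the distro branches, so that a Buildroot or OpenEmbedded build can enable it by setting LSM_SELINUX=true alone.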
diff --git a/audit-test/utils/Makefile b/audit-test/utils/Makefile
index 489d98b..52b9f38 100644
--- a/audit-test/utils/Makefile
+++ b/audit-test/utils/Makefile
@@ -18,14 +18,19 @@
TOPDIR = ..
UTILSDIR = .
CPPFLAGS += -I$(UTILSDIR)/include
+ifeq ($(LSM_SELINUX), true)
LDLIBS += -lselinux
UTILS_EXE = test_context \
test_setcon
+endif
ALL_EXE = $(UTILS_EXE)
-SUB_DIRS = bin network-server
+SUB_DIRS = bin
+ifeq ($(LSM_SELINUX), true)
+SUB_DIRS += network-server
+endif
include $(TOPDIR)/rules.mk
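Review bot: Both ifeq ($(LSM_SELINUX), true) tests are evaluated before include $(TOPDIR)/rules.mk, which is where this patch sets LSM_SELINUX. When make is run directly in this directory, rather than from a parent make that has already exported the variable, the tests see it empty, and test_context, test_setcon and network-server are skipped even on Fedora or RHEL. Move the conditionals below the include, or do the distro detection in a file that is included first.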
diff --git a/audit-test/utils/bin/Makefile b/audit-test/utils/bin/Makefile
index 098d46c..42b94ea 100644
--- a/audit-test/utils/bin/Makefile
+++ b/audit-test/utils/bin/Makefile
@@ -193,7 +193,7 @@ ALL_EXE += $(ONLY86_EXE)
endif
$(CAPS_EXE): LDLIBS += -lcap
-ifneq ($(DISTRO), SUSE)
+ifeq ($(LSM_SELINUX), true)
$(CREATE_EXE): LDLIBS += -lselinux
$(MQ_EXE): LDLIBS += -lrt -lselinux
else
diff --git a/audit-test/utils/bin/do_creat.c b/audit-test/utils/bin/do_creat.c
index 85b31fb..81b0686 100644
--- a/audit-test/utils/bin/do_creat.c
+++ b/audit-test/utils/bin/do_creat.c
@@ -14,7 +14,7 @@
*/
#include "includes.h"
-#ifndef SUSE
+#ifdef LSM_SELINUX
#include <selinux/selinux.h>
#endif
@@ -27,7 +27,7 @@ int main(int argc, char **argv)
return 1;
}
-#ifndef SUSE
+#ifdef LSM_SELINUX
if ((argc > 2) && (setfscreatecon(argv[2]) < 0)) {
perror("do_creat: setfscreatecon");
return 1;
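Review bot: With #ifdef LSM_SELINUX, a build without the macro compiles out the setfscreatecon() call, so a context passed in argv[2] is silently ignored and the program carries on as if it had been applied. Returning an error when a context argument is given but SELinux support is not compiled in would make a misconfigured build visible. The same applies to the matching hunks in the other do_*.c files in this patch.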
diff --git a/audit-test/utils/bin/do_mkdir.c b/audit-test/utils/bin/do_mkdir.c
index f06f394..d601903 100644
--- a/audit-test/utils/bin/do_mkdir.c
+++ b/audit-test/utils/bin/do_mkdir.c
@@ -14,7 +14,7 @@
*/
#include "includes.h"
-#ifndef SUSE
+#ifdef LSM_SELINUX
#include <selinux/selinux.h>
#endif
@@ -27,7 +27,7 @@ int main(int argc, char **argv)
return 1;
}
-#ifndef SUSE
+#ifdef LSM_SELINUX
if ((argc > 2) && (setfscreatecon(argv[2]) < 0)) {
perror("do_mkdir: setfscreatecon");
return 1;
diff --git a/audit-test/utils/bin/do_mkdirat.c b/audit-test/utils/bin/do_mkdirat.c
index 67d5ac9..5a6e54f 100644
--- a/audit-test/utils/bin/do_mkdirat.c
+++ b/audit-test/utils/bin/do_mkdirat.c
@@ -14,7 +14,7 @@
*/
#include "includes.h"
-#ifndef SUSE
+#ifdef LSM_SELINUX
#include <selinux/selinux.h>
#endif
@@ -28,7 +28,7 @@ int main(int argc, char **argv)
return TEST_ERROR;
}
-#ifndef SUSE
+#ifdef LSM_SELINUX
if ((argc > 3) && (setfscreatecon(argv[3]) < 0)) {
perror("do_mkdirat: setfscreatecon");
return TEST_ERROR;
diff --git a/audit-test/utils/bin/do_mknod.c b/audit-test/utils/bin/do_mknod.c
index 07ca554..c12c76d 100644
--- a/audit-test/utils/bin/do_mknod.c
+++ b/audit-test/utils/bin/do_mknod.c
@@ -14,7 +14,7 @@
*/
#include "includes.h"
-#ifndef SUSE
+#ifdef LSM_SELINUX
#include <selinux/selinux.h>
#endif
@@ -27,7 +27,7 @@ int main(int argc, char **argv)
return 1;
}
-#ifndef SUSE
+#ifdef LSM_SELINUX
if ((argc > 2) && (setfscreatecon(argv[2]) < 0)) {
perror("do_mknod: setfscreatecon");
return 1;
diff --git a/audit-test/utils/bin/do_mknodat.c b/audit-test/utils/bin/do_mknodat.c
index 5acb057..7e9ea2c 100644
--- a/audit-test/utils/bin/do_mknodat.c
+++ b/audit-test/utils/bin/do_mknodat.c
@@ -14,7 +14,7 @@
*/
#include "includes.h"
-#ifndef SUSE
+#ifdef LSM_SELINUX
#include <selinux/selinux.h>
#endif
@@ -31,7 +31,7 @@ int main(int argc, char **argv)
dir_fd = open(argv[1], O_DIRECTORY);
if (dir_fd < 0)
return TEST_ERROR;
-#ifndef SUSE
+#ifdef LSM_SELINUX
if (argc == 4 && setfscreatecon(argv[3]) < 0) {
perror("do_mknodat: setfscreatecon");
return TEST_ERROR;
diff --git a/audit-test/utils/bin/do_mq_open.c b/audit-test/utils/bin/do_mq_open.c
index 25adc8b..8d0ec9d 100644
--- a/audit-test/utils/bin/do_mq_open.c
+++ b/audit-test/utils/bin/do_mq_open.c
@@ -15,7 +15,7 @@
#include "includes.h"
#include <mqueue.h>
-#ifndef SUSE
+#ifdef LSM_SELINUX
#include <selinux/selinux.h>
#endif
@@ -45,7 +45,7 @@ int main(int argc, char **argv)
return 1;
}
-#ifndef SUSE
+#ifdef LSM_SELINUX
if ((argc > 3) && (setfscreatecon(argv[3]) < 0)) {
perror("do_mq_open: setfscreatecon");
return 1;
diff --git a/audit-test/utils/bin/do_open.c b/audit-test/utils/bin/do_open.c
index 1068461..781f6f9 100644
--- a/audit-test/utils/bin/do_open.c
+++ b/audit-test/utils/bin/do_open.c
@@ -14,7 +14,7 @@
*/
#include "includes.h"
-#ifndef SUSE
+#ifdef LSM_SELINUX
#include <selinux/selinux.h>
#endif
@@ -46,7 +46,7 @@ int main(int argc, char **argv)
return 1;
}
-#ifndef SUSE
+#ifdef LSM_SELINUX
if ((argc > 3) && (setfscreatecon(argv[3]) < 0)) {
perror("do_open: setfscreatecon");
return 1;
diff --git a/audit-test/utils/bin/do_openat.c b/audit-test/utils/bin/do_openat.c
index 43da725..6205406 100644
--- a/audit-test/utils/bin/do_openat.c
+++ b/audit-test/utils/bin/do_openat.c
@@ -14,7 +14,7 @@
*/
#include "includes.h"
-#ifndef SUSE
+#ifdef LSM_SELINUX
#include <selinux/selinux.h>
#endif
@@ -53,7 +53,7 @@ int main(int argc, char **argv)
perror("do_openat: open dirfd");
return TEST_ERROR;
}
-#ifndef SUSE
+#ifdef LSM_SELINUX
if (argc == 5 && setfscreatecon(argv[4]) < 0) {
perror("do_openat: setfscreatecon");
return TEST_ERROR;
diff --git a/audit-test/utils/bin/do_symlink.c b/audit-test/utils/bin/do_symlink.c
index 75dfe0b..d902493 100644
--- a/audit-test/utils/bin/do_symlink.c
+++ b/audit-test/utils/bin/do_symlink.c
@@ -14,7 +14,7 @@
*/
#include "includes.h"
-#ifndef SUSE
+#ifdef LSM_SELINUX
#include <selinux/selinux.h>
#endif
@@ -27,7 +27,7 @@ int main(int argc, char **argv)
return 1;
}
-#ifndef SUSE
+#ifdef LSM_SELINUX
if ((argc > 3) && (setfscreatecon(argv[3]) < 0)) {
perror("do_symlink: setfscreatecon");
return 1;
diff --git a/audit-test/utils/bin/do_symlinkat.c b/audit-test/utils/bin/do_symlinkat.c
index 9e67a28..1829dcf 100644
--- a/audit-test/utils/bin/do_symlinkat.c
+++ b/audit-test/utils/bin/do_symlinkat.c
@@ -15,7 +15,7 @@
*/
#include "includes.h"
-#ifndef SUSE
+#ifdef LSM_SELINUX
#include <selinux/selinux.h>
#endif
@@ -32,7 +32,7 @@ int main(int argc, char **argv)
dir_fd = open(argv[1], O_DIRECTORY);
if (dir_fd < 0)
return TEST_ERROR;
-#ifndef SUSE
+#ifdef LSM_SELINUX
if (argc == 5 && setfscreatecon(argv[4]) < 0) {
perror("do_symlinkat: setfscreatecon");
return TEST_ERROR;
diff --git a/audit-test/utils/run.bash b/audit-test/utils/run.bash
index a2a5da6..ca7aad7 100755
--- a/audit-test/utils/run.bash
+++ b/audit-test/utils/run.bash
@@ -463,11 +463,15 @@ function show_header {
printf "%-32s %s\n" Mode: "${MODE:-(native)}"
printf "%-32s %s\n" Hostname: "$(uname -n)"
printf "%-32s %s\n" Profile: "$PPROFILE"
- printf "%-32s %s\n" "selinux-policy version:" "$(rpm -q selinux-policy)"
+ if [[ $LSM_SELINUX == true ]] ; then
+ printf "%-32s %s\n" "selinux-policy version:" "$(rpm -q selinux-policy)"
+ fi
if [[ $PPROFILE == lspp ]] ; then
printf "%-32s %s\n" "lspp_test policy version:" "$(semodule -l | grep lspp_test | awk '{print $2}')"
fi
- printf "\n%s\n" "$(sestatus)"
+ if [[ $LSM_SELINUX == true ]] ; then
+ printf "\n%s\n" "$(sestatus)"
+ fi
echo
} | tee $opt_logdir/$header_log
}
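Review bot: The lspp branch still calls semodule -l without checking LSM_SELINUX, although the other two SELinux commands in show_header are now guarded. If PPROFILE is lspp on a build where LSM_SELINUX is not true, the header will contain a command error; nest that branch under the same check or document that lspp implies SELinux.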
--
1.7.9.5
|