From: Jiri J. <jja...@re...> - 2014-07-03 09:19:02
Hello,
the following is just a quick look and by no means a complete review.
On 07/03/2014 09:45 AM, AKASHI Takahiro wrote:
> On arm64/aarch64, some system calls are implemented in glibc using other
> primitive system calls, say open() vs. openat(). Therefore, audit logs
> have only records for primitive ones.
>
> This patch adds work-arounds for these cases.
>
> Signed-off-by: AKASHI Takahiro <tak...@li...>
> ---
> audit-test/filter/tests/test_auid.bash | 9 +++++++--
> audit-test/filter/tests/test_class_attr.bash | 13 +++++++++++++
> audit-test/filter/tests/test_dev_inode.bash | 11 ++++++++---
> audit-test/filter/tests/test_success.bash | 6 +++++-
> audit-test/filter/tests/test_syscall.bash | 6 +++++-
> audit-test/filter/tests/test_type.bash | 9 +++++++--
> audit-test/filter/tests/test_watch_dir_remove.bash | 20 ++++++++++++--------
> audit-test/filter/tests/test_watch_open.bash | 10 ++++++++--
> audit-test/filter/tests/test_watch_remove.bash | 4 ++++
> audit-test/rules.mk | 6 ++++--
> 10 files changed, 73 insertions(+), 21 deletions(-)
>
> diff --git a/audit-test/filter/tests/test_auid.bash b/audit-test/filter/tests/test_auid.bash
> index c165cf3..63098b7 100755
> --- a/audit-test/filter/tests/test_auid.bash
> +++ b/audit-test/filter/tests/test_auid.bash
> @@ -33,8 +33,13 @@ do_open_file $tmp1
> augrok --seek=$log_mark "name==$tmp1" "auid==$user_auid" \
> && exit_error "Unexpected record found."
>
> -auditctl -a exit,always -F arch=b$MODE -S open -F auid=$user_auid
> -prepend_cleanup "auditctl -d exit,always -F arch=b$MODE -S open -F auid=$user_auid"
> +if [ ${MACHINE} = "aarch64" ]; then
> +syscall_name="openat"
> +else
> +syscall_name="open"
> +fi
[ "$MACHINE" = "aarch64" ] && syscall_name="openat" || syscall_name="open"
would have been perhaps more compact, but yours works as well.
> +auditctl -a exit,always -F arch=b$MODE -S $syscall_name -F auid=$user_auid
> +prepend_cleanup "auditctl -d exit,always -F arch=b$MODE -S $syscall_name -F auid=$user_auid"
>
> # audit log marker
> log_mark=$(stat -c %s $audit_log)
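Review bot: the added test `[ ${MACHINE} = "aarch64" ]` leaves `${MACHINE}` unquoted, so when MACHINE is unset or empty in the script's environment the expression collapses to `[ = "aarch64" ]`, bash reports a missing operand, and the script silently takes the `syscall_name="open"` branch. Quote it as `"$MACHINE"` (the one-line form suggested in the reply above already does), or fail early with a clear message when the variable is empty.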
<snip>
> diff --git a/audit-test/rules.mk b/audit-test/rules.mk
> index 25c9758..4af7c13 100644
> --- a/audit-test/rules.mk
> +++ b/audit-test/rules.mk
> @@ -186,13 +186,15 @@ run.bash:
> [[ -f run.bash ]] || ln -sfn $(TOPDIR)/utils/run.bash run.bash
>
> run: all
> - @$(check_set_PPROFILE); \
> + @export MACHINE=$(MACHINE); \
> + $(check_set_PPROFILE); \
> $(check_set_PASSWD); \
> ./run.bash --header; \
> ./run.bash
>
> rerun: all
> - @$(check_set_PPROFILE); \
> + @export MACHINE=$(MACHINE); \
> + $(check_set_PPROFILE); \
> $(check_set_PASSWD); \
> ./run.bash --rerun
> endif
>
Can't we do this in a less hack-ish way? What about this?
diff --git a/audit-test/rules.mk b/audit-test/rules.mk
index fd2f8a5..15b81e0 100644
--- a/audit-test/rules.mk
+++ b/audit-test/rules.mk
@@ -48,6 +48,8 @@ LINK_AR = $(AR) rc $@ $^
LINK_EXE = $(CC) $(LDFLAGS) -o $@ $^ $(LOADLIBES) $(LDLIBS)
LINK_SO = $(CC) $(LDFLAGS) -shared -o $@ $^ $(LOADLIBES)
$(LDLIBS)
+export MACHINE
+
# If MODE isn't set explicitly, the default for the machine is used
export NATIVE = $(strip $(shell file /bin/bash | awk -F'[ -]' '{print
$$3}'))
export MODE ?= $(NATIVE)
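Review bot: this hunk has been line-wrapped in transit: the `LINK_SO` context line is split so that `$(LDLIBS)` sits on a line of its own, and the `export NATIVE` line breaks before `$$3}'))`, so it will not apply as posted and needs resending unwrapped. On substance, a bare `export MACHINE` passes through whatever value make already holds, so a short comment saying where MACHINE is assigned would help; if it is ever empty, the unquoted `[ ${MACHINE} = "aarch64" ]` tests in the quoted patch run with a missing operand.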
Jiri
From: AKASHI T. <tak...@li...> - 2014-07-03 07:46:53
This patch selectively executes appropriate test programs for arm. Signed-off-by: AKASHI Takahiro <tak...@li...> --- audit-test/syscalls/cap-run.conf | 10 +++++----- audit-test/syscalls/dac-run.conf | 16 ++++++++-------- audit-test/syscalls/mac-run.conf | 16 ++++++++-------- audit-test/utils/bin/Makefile | 4 ++++ 4 files changed, 25 insertions(+), 21 deletions(-) diff --git a/audit-test/syscalls/cap-run.conf b/audit-test/syscalls/cap-run.conf index 93454ef..a6fbaa1 100644 --- a/audit-test/syscalls/cap-run.conf +++ b/audit-test/syscalls/cap-run.conf @@ -221,7 +221,7 @@ fi ## syscall using the value of flag to determine the control operation; ## verify the result. ## 3. Check the audit log for the correct syscall result -if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then +if [[ $ARCH == "arm" || ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) ]]; then + msgctl perm=msg_id_remove expres=success user=super + msgctl perm=msg_id_remove expres=fail user=test + msgctl perm=msg_id_set expres=success user=super @@ -250,7 +250,7 @@ fi ## syscall using the value of flag to determine the control operation; ## verify the result. ## 3. Check the audit log for the correct syscall result -if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then +if [[ $ARCH == "arm" || ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) ]]; then + semctl perm=sem_id_remove expres=success user=super + semctl perm=sem_id_remove expres=fail user=test + semctl perm=sem_id_set expres=success user=super 
@@ -279,7 +279,7 @@ fi ## syscall using the value of flag to determine the control operation; ## verify the result. ## 3. Check the audit log for the correct syscall result -if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then +if [[ $ARCH == "arm" || ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) ]]; then + shmctl perm=shm_id_remove expres=success user=super + shmctl perm=shm_id_remove expres=fail user=test + shmctl perm=shm_id_set expres=success user=super @@ -338,7 +338,7 @@ fi ## 1b. If expres=fail, execute the test process as a regular user and ## attempt to set port permission bits, verify the result. ## 2. Check the audit log for the correct syscall result -if [[ $MODE == 32 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then +if [[ $MODE == 32 && $ARCH != "PPC" && $ARCH != "s390x" && $ARCH != "arm" ]]; then + ioperm perm=io_perm expres=success user=super + ioperm perm=io_perm expres=fail user=test fi @@ -353,7 +353,7 @@ fi ## 1b. If expres=fail, execute the test process as a regular user and ## attempt to set process's the I/O privilege level, verify the result. ## 2. Check the audit log for the correct syscall result -if [[ $MODE == 32 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then +if [[ $MODE == 32 && $ARCH != "PPC" && $ARCH != "s390x" && $ARCH != "arm" ]]; then + iopl perm=io_priv expres=success user=super + iopl perm=io_priv expres=fail user=test fi diff --git a/audit-test/syscalls/dac-run.conf b/audit-test/syscalls/dac-run.conf index d02b7a6..08fe5fb 100644 --- a/audit-test/syscalls/dac-run.conf +++ b/audit-test/syscalls/dac-run.conf 
@@ -436,7 +436,7 @@ fi ## syscall using the value of flag to determine whether to open the message ## queue for read or write; verify the result. ## 3. Check the audit log for the correct syscall result -if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then +if [[ $ARCH == "arm" || ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) ]]; then + msgget perm=msg_key_read expres=success dacugo=user user=super + msgget perm=msg_key_read expres=fail dacugo=user user=test + msgget perm=msg_key_write expres=success dacugo=user user=super @@ -460,7 +460,7 @@ fi ## 2b. If expres=fail, execute the test process as another user and attempt to ## receive a message, verify the result ## 3. Check the audit log for the correct syscall result -if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then +if [[ $ARCH == "arm" || ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) ]]; then + msgrcv perm=msg_id_recv expres=success dacugo=user user=super + msgrcv perm=msg_id_recv expres=fail dacugo=user user=test else @@ -480,7 +480,7 @@ fi ## 2b. If expres=fail, execute the test process as another user and attempt to ## send a message, verify the result ## 3. Check the audit log for the correct syscall result -if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then +if [[ $ARCH == "arm" || ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) ]]; then + msgsnd perm=msg_id_send msg="this is a test" expres=success dacugo=user \ user=super testfunc=test_su_msg_send + msgsnd perm=msg_id_send msg="this is a test" expres=fail dacugo=user \ 
@@ -512,7 +512,7 @@ fi ## syscall using the value of flag to determine whether to open the ## semaphore set for read or write; verify the result. ## 3. Check the audit log for the correct syscall result -if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then +if [[ $ARCH == "arm" || ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) ]]; then + semget perm=sem_key_read expres=success dacugo=user user=super + semget perm=sem_key_read expres=fail dacugo=user user=test + semget perm=sem_key_write expres=success dacugo=user user=super @@ -537,7 +537,7 @@ fi ## 2b. If expres=fail, execute the test process as another user and attempt a ## read operation, verify the result ## 3. Check the audit log for the correct syscall result -if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then +if [[ $ARCH == "arm" || ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) ]]; then + semop perm=sem_id_read expres=success dacugo=user user=super + semop perm=sem_id_read expres=fail dacugo=user user=test else @@ -558,7 +558,7 @@ fi ## 2b. If expres=fail, execute the test process as another user and attempt a ## write operation, verify the result ## 3. Check the audit log for the correct syscall result -if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then +if [[ $ARCH == "arm" || ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) ]]; then + semtimedop perm=sem_id_write expres=success dacugo=user user=super + semtimedop perm=sem_id_write expres=fail dacugo=user user=test else 
@@ -583,7 +583,7 @@ fi ## syscall using the value of perm to determine whether to perform a read or ## write operation; verify the result ## 3. Check the audit log for the correct syscall result -if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then +if [[ $ARCH == "arm" || ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) ]]; then + shmat perm=shm_id_read expres=success dacugo=user user=super + shmat perm=shm_id_read expres=fail dacugo=user user=test + shmat perm=shm_id_write expres=success dacugo=user user=super @@ -618,7 +618,7 @@ fi ## syscall using the value of flag to determine whether to request the ## shared memory segment for read or write; verify the result. ## 3. Check the audit log for the correct syscall result -if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then +if [[ $ARCH == "arm" || ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) ]]; then + shmget perm=shm_key_read expres=success dacugo=user user=super + shmget perm=shm_key_read expres=fail dacugo=user user=test + shmget perm=shm_key_write expres=success dacugo=user user=super diff --git a/audit-test/syscalls/mac-run.conf b/audit-test/syscalls/mac-run.conf index b7c064b..958f161 100644 --- a/audit-test/syscalls/mac-run.conf +++ b/audit-test/syscalls/mac-run.conf @@ -702,7 +702,7 @@ fi ## test process requests the message queue for read or write depending on ## the 'perm' value '*_read' or '*_write'. Verify the result. ## 3. Check the audit log for the correct syscall result -if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then +if [[ $ARCH == "arm" || ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) ]]; then + msgget perm=msg_key_read expres=success mlsop=eq + msgget perm=msg_key_read expres=success mlsop=dom + msgget perm=msg_key_read expres=fail mlsop=domby 
@@ -737,7 +737,7 @@ fi ## the ipc() syscall the function is determined by the 'op' variable. ## Verify the result. ## 4. Check the audit log for the correct syscall result -if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then +if [[ $ARCH == "arm" || ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) ]]; then + msgrcv perm=msg_id_recv expres=success mlsop=eq + msgrcv perm=msg_id_recv expres=success mlsop=dom + msgrcv perm=msg_id_recv expres=fail mlsop=domby @@ -763,7 +763,7 @@ fi ## the ipc() syscall the function is determined by the 'op' variable. ## Verify the result. ## 4. Check the audit log for the correct syscall result -if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then +if [[ $ARCH == "arm" || ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) ]]; then + msgsnd perm=msg_id_send msg="this is a test" expres=success mlsop=eq \ testfunc=test_runcon_msg_send + msgsnd perm=msg_id_send msg="this is a test" expres=fail mlsop=dom \ @@ -801,7 +801,7 @@ fi ## test process requests the semaphore set for read or write depending on ## the 'perm' value '*_read' or '*_write'. Verify the result. ## 3. Check the audit log for the correct syscall result -if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then +if [[ $ARCH == "arm" || ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) ]]; then + semget perm=sem_key_read expres=success mlsop=eq + semget perm=sem_key_read expres=success mlsop=dom + semget perm=sem_key_read expres=fail mlsop=domby @@ -835,7 +835,7 @@ fi ## read operation. With the ipc() syscall the function is determined by the ## 'op' variable. Verify the result. ## 3. Check the audit log for the correct syscall result -if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then +if [[ $ARCH == "arm" || ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) ]]; then + semop perm=sem_id_read expres=success mlsop=eq + semop perm=sem_id_read expres=success mlsop=dom + semop perm=sem_id_read expres=fail mlsop=domby 
@@ -861,7 +861,7 @@ fi ## write operation. With the ipc() syscall the function is determined by the ## 'op' variable. Verify the result. ## 3. Check the audit log for the correct syscall result -if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then +if [[ $ARCH == "arm" || ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) ]]; then + semtimedop perm=sem_id_write expres=success mlsop=eq + semtimedop perm=sem_id_write expres=fail mlsop=dom + semtimedop perm=sem_id_write expres=fail mlsop=domby @@ -892,7 +892,7 @@ fi ## 'perm' variable. With the ipc() syscall the function is determined by ## the 'op' variable. Verify the result. ## 3. Check the audit log for the correct syscall result -if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then +if [[ $ARCH == "arm" || ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) ]]; then + shmat perm=shm_id_read expres=success mlsop=eq + shmat perm=shm_id_read expres=success mlsop=dom + shmat perm=shm_id_read expres=fail mlsop=domby @@ -934,7 +934,7 @@ fi ## test process requests the shared memory segment for read or write ## depending on the 'perm' value '*_read' or '*_write'. Verify the result. ## 3. Check the audit log for the correct syscall result -if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then +if [[ $ARCH == "arm" || ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) ]]; then + shmget perm=shm_key_read expres=success mlsop=eq + shmget perm=shm_key_read expres=success mlsop=dom + shmget perm=shm_key_read expres=fail mlsop=domby diff --git a/audit-test/utils/bin/Makefile b/audit-test/utils/bin/Makefile index b0f4485..43b5bdb 100644 --- a/audit-test/utils/bin/Makefile +++ b/audit-test/utils/bin/Makefile @@ -187,6 +187,10 @@ ALL_EXE += $(ONLY32_EXE) endif endif endif +ifeq ($(MACHINE), arm) +ALL_EXE += $(ONLY32_EXE) +endif + ifeq ($(MACHINE), ia64) ALL_EXE += $(ONLYIA64_EXE) -- 1.7.9.5 |
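Review bot: the `.conf` hunks key on `$ARCH == "arm"` while the `utils/bin/Makefile` hunk keys on `$(MACHINE)` being exactly `arm`, and nothing in this patch shows either variable taking that value. If MACHINE is derived from `uname -m`, 32-bit ARM systems report strings such as `armv7l`, so `ifeq ($(MACHINE), arm)` would never add `$(ONLY32_EXE)`; a `findstring` test, as rules.mk uses for s390x, would be more robust. The same compound condition is also pasted into every IPC test block in cap-run.conf, dac-run.conf and mac-run.conf; computing it once into a variable and testing that variable would spare the next architecture port the same multi-site edit.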
From: AKASHI T. <tak...@li...> - 2014-07-03 07:46:42
On arm64/aarch64, some system calls are implemented in glibc using other
primitive system calls, say open() vs. openat(). Therefore, audit logs
have only records for primitive ones.
This patch adds work-arounds for these cases.
Signed-off-by: AKASHI Takahiro <tak...@li...>
---
audit-test/filter/tests/test_auid.bash | 9 +++++++--
audit-test/filter/tests/test_class_attr.bash | 13 +++++++++++++
audit-test/filter/tests/test_dev_inode.bash | 11 ++++++++---
audit-test/filter/tests/test_success.bash | 6 +++++-
audit-test/filter/tests/test_syscall.bash | 6 +++++-
audit-test/filter/tests/test_type.bash | 9 +++++++--
audit-test/filter/tests/test_watch_dir_remove.bash | 20 ++++++++++++--------
audit-test/filter/tests/test_watch_open.bash | 10 ++++++++--
audit-test/filter/tests/test_watch_remove.bash | 4 ++++
audit-test/rules.mk | 6 ++++--
10 files changed, 73 insertions(+), 21 deletions(-)
diff --git a/audit-test/filter/tests/test_auid.bash b/audit-test/filter/tests/test_auid.bash
index c165cf3..63098b7 100755
--- a/audit-test/filter/tests/test_auid.bash
+++ b/audit-test/filter/tests/test_auid.bash
@@ -33,8 +33,13 @@ do_open_file $tmp1
augrok --seek=$log_mark "name==$tmp1" "auid==$user_auid" \
&& exit_error "Unexpected record found."
-auditctl -a exit,always -F arch=b$MODE -S open -F auid=$user_auid
-prepend_cleanup "auditctl -d exit,always -F arch=b$MODE -S open -F auid=$user_auid"
+if [ ${MACHINE} = "aarch64" ]; then
+syscall_name="openat"
+else
+syscall_name="open"
+fi
+auditctl -a exit,always -F arch=b$MODE -S $syscall_name -F auid=$user_auid
+prepend_cleanup "auditctl -d exit,always -F arch=b$MODE -S $syscall_name -F auid=$user_auid"
# audit log marker
log_mark=$(stat -c %s $audit_log)
diff --git a/audit-test/filter/tests/test_class_attr.bash b/audit-test/filter/tests/test_class_attr.bash
index 687b3d9..2be24dc 100755
--- a/audit-test/filter/tests/test_class_attr.bash
+++ b/audit-test/filter/tests/test_class_attr.bash
@@ -32,15 +32,28 @@ log_mark=$(stat -c %s $audit_log)
# test
do_chmod $watch 777
+if [ ${MACHINE} = "aarch64" ]; then
+do_fchownat $(dirname $watch) $(basename $watch) root
+else
do_chown $watch root
+fi
do_unlink $watch
# verify audit record
+if [ ${MACHINE} = "aarch64" ]; then
+augrok --seek=$log_mark type==SYSCALL syscall==fchmodat name==$watch \
+ || exit_fail "Expected record for 'chmod' not found."
+augrok --seek=$log_mark type==SYSCALL syscall==fchownat name==$(basename $watch) \
+ || exit_fail "Expected record for 'chown' not found."
+augrok --seek=$log_mark type==SYSCALL syscall==unlinkat name==$watch \
+ && exit_fail "Unexpected record for 'unlink' found."
+else
augrok --seek=$log_mark type==SYSCALL syscall==chmod name==$watch \
|| exit_fail "Expected record for 'chmod' not found."
augrok --seek=$log_mark type==SYSCALL syscall==chown name==$watch \
|| exit_fail "Expected record for 'chown' not found."
augrok --seek=$log_mark type==SYSCALL syscall==unlink name==$watch \
&& exit_fail "Unexpected record for 'unlink' found."
+fi
exit_pass
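Review bot: in the aarch64 verification branch the chown check matches on `name==$(basename $watch)` while the chmod and unlink checks match on the full `name==$watch`, so the chown assertion can be satisfied by any `fchownat` record for a file that happens to share the basename. If the short name is only a consequence of calling `do_fchownat $(dirname $watch) $(basename $watch) root`, say so in a comment and tighten the match with a further field. The two branches otherwise differ only in syscall names, so setting three name variables per machine and keeping one set of `augrok` checks would avoid the duplicated block.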
diff --git a/audit-test/filter/tests/test_dev_inode.bash b/audit-test/filter/tests/test_dev_inode.bash
index 30ea580..4611cfa 100755
--- a/audit-test/filter/tests/test_dev_inode.bash
+++ b/audit-test/filter/tests/test_dev_inode.bash
@@ -34,11 +34,16 @@ minor=$((0x$minor))
event_obj=$(get_event_obj $1)
[[ $event_obj != $tmp1 ]] && prepend_cleanup "rm -f $event_obj"
-auditctl -a exit,always -F arch=b$MODE -S open -F key=$tmp1 \
- -F inode=$inode -F devmajor=$major -F devminor=$minor
+if [ ${MACHINE} = "aarch64" ]; then
+syscall_name="openat"
+else
+syscall_name="open"
+fi
+auditctl -a exit,always -F arch=b$MODE -S $syscall_name -F key=$tmp1 \
+ -F inode=$inode -F devmajor=$major -F devminor=$minor
prepend_cleanup "
-auditctl -d exit,always -F arch=b$MODE -S open -F key=$tmp1 \
+auditctl -d exit,always -F arch=b$MODE -S $syscall_name -F key=$tmp1 \
-F inode=$inode -F devmajor=$major -F devminor=$minor"
log_mark=$(stat -c %s $audit_log)
diff --git a/audit-test/filter/tests/test_success.bash b/audit-test/filter/tests/test_success.bash
index 497959b..a54c36e 100755
--- a/audit-test/filter/tests/test_success.bash
+++ b/audit-test/filter/tests/test_success.bash
@@ -21,7 +21,11 @@
source filter_functions.bash || exit 2
# setup
+if [ ${MACHINE} = "aarch64" ]; then
+syscall_name="openat"
+else
syscall_name="open"
+fi
syscall_num=$(augrok --resolve $syscall_name) \
|| exit_error "unable to determine the syscall number for $syscall_name"
@@ -37,7 +41,7 @@ case $op in
;;
*) exit_fail "unknown test operation" ;;
esac
-filter_rule="exit,always -F arch=b$MODE -S open"
+filter_rule="exit,always -F arch=b$MODE -S $syscall_name"
auditctl -a $filter_rule $filter_field
prepend_cleanup "auditctl -d $filter_rule $filter_field"
diff --git a/audit-test/filter/tests/test_syscall.bash b/audit-test/filter/tests/test_syscall.bash
index 8159b92..fc5934b 100755
--- a/audit-test/filter/tests/test_syscall.bash
+++ b/audit-test/filter/tests/test_syscall.bash
@@ -21,13 +21,17 @@
source filter_functions.bash || exit 2
# setup
+if [ ${MACHINE} = "aarch64" ]; then
+syscall_name="openat"
+else
syscall_name="open"
+fi
syscall_num=$(augrok --resolve $syscall_name) \
|| exit_error "unable to determine the syscall number for $syscall_name"
op=$1
case $op in
- name) filter_rule="exit,always -F arch=b$MODE -S open" ;;
+ name) filter_rule="exit,always -F arch=b$MODE -S $syscall_name" ;;
number) filter_rule="exit,always -S $syscall_num";;
*) exit_fail "unknown test operation" ;;
esac
diff --git a/audit-test/filter/tests/test_type.bash b/audit-test/filter/tests/test_type.bash
index 16c63f4..450c926 100755
--- a/audit-test/filter/tests/test_type.bash
+++ b/audit-test/filter/tests/test_type.bash
@@ -27,10 +27,15 @@ source filter_functions.bash || exit 2
# setup
user_auid=$(cat /proc/self/loginuid)
+if [ ${MACHINE} = "aarch64" ]; then
+syscall_name="openat"
+else
+syscall_name="open"
+fi
# setup auditctl
-auditctl -a exit,always -F arch=b$MODE -S open -F auid=$user_auid
-prepend_cleanup "auditctl -d exit,always -F arch=b$MODE -S open -F auid=$user_auid"
+auditctl -a exit,always -F arch=b$MODE -S $syscall_name -F auid=$user_auid
+prepend_cleanup "auditctl -d exit,always -F arch=b$MODE -S $syscall_name -F auid=$user_auid"
# audit log marker
log_mark=$(stat -c %s $audit_log)
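Review bot: the five-line `if [ ${MACHINE} = "aarch64" ]` block that sets `syscall_name` is repeated in test_auid, test_dev_inode, test_success, test_syscall, test_watch_open and here. test_success, test_syscall and this file all show `source filter_functions.bash` in their context lines, so defining the open-versus-openat choice once in that shared file would leave a single place to extend for the next architecture.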
diff --git a/audit-test/filter/tests/test_watch_dir_remove.bash b/audit-test/filter/tests/test_watch_dir_remove.bash
index bbdd9fb..fbb54b8 100755
--- a/audit-test/filter/tests/test_watch_dir_remove.bash
+++ b/audit-test/filter/tests/test_watch_dir_remove.bash
@@ -28,24 +28,28 @@ tmpd=$(mktemp -d) || exit_fail "create tempdir failed"
watch="$tmpd"
name="$tmpd/foo"
-auditctl -a exit,always -F arch=b$MODE -S $op -F path=$watch
-auditctl -a exit,always -F arch=b$MODE -S $opat -F path=$watch
-
-prepend_cleanup "
- auditctl -d exit,always -F arch=b$MODE -S $op -F path=$watch
- auditctl -d exit,always -F arch=b$MODE -S $opat -F path=$watch
- rm -rf $tmpd"
-
case $op in
rename) touch $name
gen_audit_event="mv $tmp1 $name" ;;
rmdir) mkdir $name
+ if [ ${MACHINE} = "aarch64" ]; then
+ op="unlink";
+ opat="unlinkat";
+ fi
gen_audit_event="rmdir $name" ;;
unlink) touch $name
gen_audit_event="rm $name" ;;
*) exit_fail "unknown test operation: $op" ;;
esac
+auditctl -a exit,always -F arch=b$MODE -S $op -F path=$watch
+auditctl -a exit,always -F arch=b$MODE -S $opat -F path=$watch
+
+prepend_cleanup "
+ auditctl -d exit,always -F arch=b$MODE -S $op -F path=$watch
+ auditctl -d exit,always -F arch=b$MODE -S $opat -F path=$watch
+ rm -rf $tmpd"
+
log_mark=$(stat -c %s $audit_log)
# test
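Review bot: moving `prepend_cleanup` below the `case` means the `rm -rf $tmpd` cleanup is no longer registered when the script leaves through `*) exit_fail "unknown test operation: $op"`, so the directory created by `mktemp -d` is left behind on that path; register the `rm -rf $tmpd` cleanup before the `case` and only the `auditctl -d` lines after it. In the `rmdir` branch, `op` becomes `unlink` on aarch64, which is itself not a native syscall there, so `auditctl ... -S $op` is asked for a name the architecture does not define; please confirm what auditctl does in that case and whether the `rename` branch needs the same treatment. Any use of `$op` after this hunk will also see `unlink` rather than `rmdir`.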
diff --git a/audit-test/filter/tests/test_watch_open.bash b/audit-test/filter/tests/test_watch_open.bash
index 525ac31..c357a81 100755
--- a/audit-test/filter/tests/test_watch_open.bash
+++ b/audit-test/filter/tests/test_watch_open.bash
@@ -29,8 +29,14 @@ watch=$tmp1
event_obj=$(get_event_obj $1)
[[ $event_obj != $watch ]] && prepend_cleanup "rm -f $event_obj"
-auditctl -a exit,always -F arch=b$MODE -S open -F key=$watch -F path=$watch
-prepend_cleanup "auditctl -d exit,always -F arch=b$MODE -S openat -F key=$watch -F path=$watch"
+if [ ${MACHINE} = "aarch64" ]; then
+syscall_name="openat"
+else
+syscall_name="open"
+fi
+
+auditctl -a exit,always -F arch=b$MODE -S $syscall_name -F key=$watch -F path=$watch
+prepend_cleanup "auditctl -d exit,always -F arch=b$MODE -S $syscall_name -F key=$watch -F path=$watch"
# test open with O_CREAT|O_RDONLY; verify audit record
log_mark=$(stat -c %s $audit_log)
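Review bot: the removed lines added the rule with `-S open` but registered the cleanup with `-S openat`, and the replacement uses `$syscall_name` for both, so this hunk also fixes a mismatched rule deletion on every architecture, not only aarch64. The commit message describes only arm64 work-arounds; mention this fix there or split it into its own patch so it can be picked up independently.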
diff --git a/audit-test/filter/tests/test_watch_remove.bash b/audit-test/filter/tests/test_watch_remove.bash
index 2e00a50..97cd1ff 100755
--- a/audit-test/filter/tests/test_watch_remove.bash
+++ b/audit-test/filter/tests/test_watch_remove.bash
@@ -30,6 +30,10 @@ case $op in
unlink) touch $name
gen_audit_event="rm $name" ;;
rmdir) mkdir $name
+ if [ ${MACHINE} = "aarch64" ]; then
+ op="unlink";
+ opat="unlinkat";
+ fi
gen_audit_event="rmdir $name" ;;
rename) touch $name
gen_audit_event="mv $tmp1 $name" ;;
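Review bot: unlike test_watch_dir_remove.bash, this file gets only the `op`/`opat` override inside the `rmdir` branch and no relocation of the `auditctl -a` calls. If the rules here are installed before the `case`, as they were in test_watch_dir_remove.bash before this patch, they are still created with the original `rmdir` names and the override does not reach them; please confirm the ordering in this file.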
diff --git a/audit-test/rules.mk b/audit-test/rules.mk
index 25c9758..4af7c13 100644
--- a/audit-test/rules.mk
+++ b/audit-test/rules.mk
@@ -186,13 +186,15 @@ run.bash:
[[ -f run.bash ]] || ln -sfn $(TOPDIR)/utils/run.bash run.bash
run: all
- @$(check_set_PPROFILE); \
+ @export MACHINE=$(MACHINE); \
+ $(check_set_PPROFILE); \
$(check_set_PASSWD); \
./run.bash --header; \
./run.bash
rerun: all
- @$(check_set_PPROFILE); \
+ @export MACHINE=$(MACHINE); \
+ $(check_set_PPROFILE); \
$(check_set_PASSWD); \
./run.bash --rerun
endif
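Review bot: `export MACHINE=$(MACHINE)` is added inside the `run` and `rerun` recipes only, so any other target, or a direct `./run.bash` invocation, reaches the test scripts without MACHINE in the environment. A make-level export would cover every recipe in one line, and the scripts should not depend on the variable being present without checking it.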
--
1.7.9.5
From: AKASHI T. <tak...@li...> - 2014-07-03 07:46:36
This patch defines an architecture type for arm64/aarch64, and excludes some
system call tests. For example, chown is not a native system call
on arm64/aarch64 and so __NR_chown is not defined.
Signed-off-by: AKASHI Takahiro <tak...@li...>
---
audit-test/utils/augrok | 2 ++
audit-test/utils/bin/Makefile | 8 ++++++--
2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/audit-test/utils/augrok b/audit-test/utils/augrok
index c309d4f..15b33c8 100755
--- a/audit-test/utils/augrok
+++ b/audit-test/utils/augrok
@@ -585,6 +585,8 @@ our (%archtab) = (
'c0009026' => 'alpha',
'40000028' => 'arm',
'28' => 'armeb',
+ 'c00000b7' => 'aarch64',
+ '800000b7' => 'aarch64eb',
'4000004c' => 'cris',
'2e' => 'h8300',
'40000003' => 'i386',
diff --git a/audit-test/utils/bin/Makefile b/audit-test/utils/bin/Makefile
index 6c361e1..b0f4485 100644
--- a/audit-test/utils/bin/Makefile
+++ b/audit-test/utils/bin/Makefile
@@ -112,7 +112,6 @@ ALL_EXE = $(CAPS_EXE) \
do_bind \
do_chdir \
do_chmod \
- do_chown \
do_clone \
do_delete_module \
do_dummy \
@@ -130,7 +129,6 @@ ALL_EXE = $(CAPS_EXE) \
do_init_module \
do_ioctl \
do_kill \
- do_lchown \
do_lgetxattr \
do_link \
do_linkat \
@@ -174,6 +172,10 @@ ALL_EXE = $(CAPS_EXE) \
do_utimensat \
do_utimes
+ifneq ($(MACHINE), aarch64)
+ALL_EXE += do_chown \
+ do_lchown
+endif
ifeq ($(MODE), 32)
ifeq ($(MACHINE), ppc64)
ALL_EXE += $(ONLY32P_EXE)
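Review bot: the new `ifneq ($(MACHINE), aarch64)` block around `do_chown` and `do_lchown` carries no comment, and the commit message gives chown only as an example. Add a comment above the block stating why these two programs are excluded (the missing `__NR_chown` definition), and check that every test script invoking `do_chown` or `do_lchown` has an aarch64 branch, since the binaries will not be built there.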
@@ -189,8 +191,10 @@ endif
ifeq ($(MACHINE), ia64)
ALL_EXE += $(ONLYIA64_EXE)
else
+ifneq ($(MACHINE), aarch64)
ALL_EXE += $(ONLY86_EXE)
endif
+endif
$(CAPS_EXE): LDLIBS += -lcap
ifeq ($(LSM_SELINUX), yes)
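Review bot: nesting `ifneq ($(MACHINE), aarch64)` inside the `else` of the ia64 test keeps `$(ONLY86_EXE)` as the default for every machine that is neither ia64 nor aarch64, so each further non-x86 port has to add another exclusion at this spot. Selecting the x86-only programs with a positive match on the x86 machine names would state the intent directly.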
--
1.7.9.5
From: AKASHI T. <tak...@li...> - 2014-07-03 07:46:25
On some architectures including arm64, system call numbers are defined
in /usr/include/asm-generic/unistd.h. This file contains irregular
style of definitions like
#define __NR3264_truncate 45
#define __NR_truncate __NR3264_truncate
(In fact, it's more complicated.)
This patch takes care of such cases.
Signed-off-by: AKASHI Takahiro <tak...@li...>
---
audit-test/utils/augrok | 15 +++++++++++++--
1 file changed, 13 insertions(+), 2 deletions(-)
diff --git a/audit-test/utils/augrok b/audit-test/utils/augrok
index 08f731a..c309d4f 100755
--- a/audit-test/utils/augrok
+++ b/audit-test/utils/augrok
@@ -113,8 +113,12 @@ sub new {
open(S, "gcc $m32 -E -dM /usr/include/syscall.h |") or die;
my $line;
while (defined($line = <S>)) {
- next unless $line =~ /^#define\s+__NR_(\w+)\s+(\w+|\(.*?\))/;
- $singleton->{$1} = $2;
+ if ($line =~ /^#define\s+__NR_(\w+)\s+(\w+|\(.*?\))/) {
+ $singleton->{$1} = $2;
+ }
+ if ($line =~ /^#define\s+__NR3264_(\w+)\s+(\w+|\(.*?\))/) {
+ $singleton->{"3264_$1"} = $2;
+ }
}
close S;
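Review bot: the `__NR3264_*` values are stored in the same `$singleton` hash under keys such as `3264_truncate`, so unless they are deleted after resolution they remain in the table as if they were syscall names. Keeping them in a separate hash used only for alias resolution avoids that. The second test can also be an `elsif`, since one `#define` line cannot match both patterns.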
@@ -139,6 +143,13 @@ sub new {
$changed = 1;
}
+ #define __NR_truncate __NR3264_truncate
+ if ($v =~ /^__NR3264_(\w+)$/ and
+ defined($new_v = $singleton->{"3264_$1"})) {
+ $singleton->{$k} = $new_v;
+ $changed = 1;
+ }
+
# don't know how to handle this, hope it wasn't important
else {
print STDERR "Removing syscall{$k} = $v\n" if $opt{'debug'};
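Review bot: the new block opens with a plain `if` placed between the closing `}` of the preceding branch and the existing `else`, so the `else` ("don't know how to handle this") now pairs with the `__NR3264_` test alone. An entry already handled by the earlier branch, whose value does not match `/^__NR3264_(\w+)$/`, would then also run the removal path. Make the new test an `elsif` so that it joins the existing chain, and check that `$new_v` is declared in this scope.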
--
1.7.9.5
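
The alias resolution this commit message describes, as an added Python example; it is not augrok's Perl code and not part of the patch. The sample defines, the function names and the cycle/dangling handling are assumptions made for illustration, and the example goes slightly beyond the message by also resolving base-plus-offset values.

```python
import re

# Constructed sample in the style of `gcc -E -dM` output (not a real header).
SAMPLE_DEFINES = """\
#define __NR3264_truncate 45
#define __NR_truncate __NR3264_truncate
#define __NR_openat 56
#define __NR_SYSCALL_BASE 0
#define __NR_based_example (__NR_SYSCALL_BASE+ 7)
#define __NR_dangling __NR3264_missing
#define __NR_loop_a __NR_loop_b
#define __NR_loop_b __NR_loop_a
"""

DEFINE_RE = re.compile(r"^#define\s+(__NR\w+)\s+(.+?)\s*$", re.ASCII)
# A value is NUMBER, MACRO, or (MACRO+ NUMBER); the parentheses are optional.
VALUE_RE = re.compile(r"^\(?\s*(\w+)\s*(?:\+\s*(\d+))?\s*\)?$", re.ASCII)
# Helper macros that share the __NR_ prefix but are not syscalls (assumption).
HELPERS = {"__NR_SYSCALL_BASE"}


def parse_defines(text):
    """Collect every __NR* macro; __NR3264_* aliases keep their full name,
    so they can never be confused with a syscall called '3264_...'."""
    macros = {}
    for line in text.splitlines():
        m = DEFINE_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
    return macros


def resolve(name, macros, seen=()):
    """Return the integer behind a macro, or None if it cannot be resolved."""
    if name in seen or name not in macros:
        return None  # alias cycle, or reference to an undefined macro
    m = VALUE_RE.match(macros[name])
    if not m:
        return None  # expression form this example does not understand
    base, offset = m.group(1), int(m.group(2) or 0)
    if base.isdigit():
        return int(base) + offset
    target = resolve(base, macros, seen + (name,))
    return None if target is None else target + offset


def syscall_table(text):
    """Map syscall names to numbers and list the names left unresolved."""
    macros = parse_defines(text)
    table, unresolved = {}, []
    for macro in macros:
        if not macro.startswith("__NR_") or macro in HELPERS:
            continue  # skip __NR3264_* alias targets and helper macros
        number = resolve(macro, macros)
        short = macro[len("__NR_"):]
        if number is None:
            unresolved.append(short)
        else:
            table[short] = number
    return table, unresolved


if __name__ == "__main__":
    table, unresolved = syscall_table(SAMPLE_DEFINES)
    for name, number in sorted(table.items()):
        print(f"{name} = {number}")
    print("unresolved:", ", ".join(unresolved))
```

Reporting unresolved names instead of dropping them quietly makes a header layout the parser does not understand visible before any audit rule is built from the table.
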
From: AKASHI T. <tak...@li...> - 2014-07-03 07:46:17
Current makefile uses DISTRO(== SUSE) to keep SE-Linux related programs
from being compiled and executed. This is inconvenient for other
distributions or rootfs build tools, like Buildroot and OpenEmbedded.
This patch introduces LSM_SELINUX instead to do the same thing.
Signed-off-by: AKASHI Takahiro <tak...@li...>
---
audit-test/rules.mk | 14 ++++++++++----
audit-test/utils/Makefile | 4 ++++
audit-test/utils/bin/Makefile | 2 +-
audit-test/utils/bin/do_creat.c | 4 ++--
audit-test/utils/bin/do_mkdir.c | 4 ++--
audit-test/utils/bin/do_mkdirat.c | 4 ++--
audit-test/utils/bin/do_mknod.c | 4 ++--
audit-test/utils/bin/do_mknodat.c | 4 ++--
audit-test/utils/bin/do_mq_open.c | 4 ++--
audit-test/utils/bin/do_open.c | 4 ++--
audit-test/utils/bin/do_openat.c | 4 ++--
audit-test/utils/bin/do_symlink.c | 4 ++--
audit-test/utils/bin/do_symlinkat.c | 4 ++--
audit-test/utils/run.bash | 8 ++++++--
14 files changed, 41 insertions(+), 27 deletions(-)
diff --git a/audit-test/rules.mk b/audit-test/rules.mk
index fd2f8a5..25c9758 100644
--- a/audit-test/rules.mk
+++ b/audit-test/rules.mk
@@ -71,17 +71,23 @@ ifneq ($(MODE), $(NATIVE))
LDFLAGS += -m64
endif
endif
+export LSM_SELINUX=no
RELEASE = $(wildcard /etc/*-release)
ifeq (SuSE, $(findstring SuSE, $(RELEASE)))
CFLAGS +=-DSUSE
export DISTRO=SUSE
-endif
-ifeq (fedora, $(findstring fedora, $(RELEASE)))
-CFLAGS +=-DFEDORA
+else ifeq (fedora, $(findstring fedora, $(RELEASE)))
+CFLAGS +="-DFEDORA -DLSM_SELINUX"
export DISTRO=FEDORA
+export LSM_SELINUX=yes
else ifeq (redhat, $(findstring redhat, $(RELEASE)))
-CFLAGS +=-DRHEL
+CFLAGS +="-DRHEL -DLSM_SELINUX"
export DISTRO=RHEL
+export LSM_SELINUX=yes
+else
+# including Buildroot & OpenEmbedded
+#CFLAGS +=-DDISTRO_MISC
+export DISTRO=MISC
endif
ifeq (s390x, $(findstring s390x, $(MACHINE)))
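Review bot: `CFLAGS +="-DFEDORA -DLSM_SELINUX"` puts literal double quotes into the make variable, so once the recipe goes through the shell the compiler receives `-DFEDORA -DLSM_SELINUX` as a single argument and `LSM_SELINUX` is never defined as a macro of its own; the `#ifdef LSM_SELINUX` blocks in the `do_*.c` files would then compile out on Fedora and RHEL. Write the flags unquoted, in the same form as the `CFLAGS +=-DSUSE` line, and do the same for the `-DRHEL -DLSM_SELINUX` line.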
diff --git a/audit-test/utils/Makefile b/audit-test/utils/Makefile
index 489d98b..a285c45 100644
--- a/audit-test/utils/Makefile
+++ b/audit-test/utils/Makefile
@@ -20,8 +20,12 @@ UTILSDIR = .
CPPFLAGS += -I$(UTILSDIR)/include
LDLIBS += -lselinux
+ifeq ($(LSM_SELINUX), yes)
UTILS_EXE = test_context \
test_setcon
+else
+UTILS_EXE =
+endif
ALL_EXE = $(UTILS_EXE)
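Review bot: `LDLIBS += -lselinux` on the context line above the new `ifeq` stays unconditional, so this Makefile still asks the linker for libselinux when `LSM_SELINUX` is `no`. With `UTILS_EXE` empty nothing is linked today, but moving the `LDLIBS` line inside the `ifeq ($(LSM_SELINUX), yes)` branch keeps the dependency and its guard together.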
diff --git a/audit-test/utils/bin/Makefile b/audit-test/utils/bin/Makefile
index 098d46c..6c361e1 100644
--- a/audit-test/utils/bin/Makefile
+++ b/audit-test/utils/bin/Makefile
@@ -193,7 +193,7 @@ ALL_EXE += $(ONLY86_EXE)
endif
$(CAPS_EXE): LDLIBS += -lcap
-ifneq ($(DISTRO), SUSE)
+ifeq ($(LSM_SELINUX), yes)
$(CREATE_EXE): LDLIBS += -lselinux
$(MQ_EXE): LDLIBS += -lrt -lselinux
else
diff --git a/audit-test/utils/bin/do_creat.c b/audit-test/utils/bin/do_creat.c
index 85b31fb..81b0686 100644
--- a/audit-test/utils/bin/do_creat.c
+++ b/audit-test/utils/bin/do_creat.c
@@ -14,7 +14,7 @@
*/
#include "includes.h"
-#ifndef SUSE
+#ifdef LSM_SELINUX
#include <selinux/selinux.h>
#endif
@@ -27,7 +27,7 @@ int main(int argc, char **argv)
return 1;
}
-#ifndef SUSE
+#ifdef LSM_SELINUX
if ((argc > 2) && (setfscreatecon(argv[2]) < 0)) {
perror("do_creat: setfscreatecon");
return 1;
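Review bot: with `LSM_SELINUX` undefined the `argc > 2` branch disappears entirely, so a caller that passes a context as `argv[2]` gets the file created without it and no indication that the argument was ignored. Before this patch that applied only to SUSE builds; it now applies to every build where `LSM_SELINUX` is not set, including the new MISC case. An `#else` that rejects the extra argument with an error return would make the test fail visibly; the same applies to the other `do_*.c` files changed in the same way.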
diff --git a/audit-test/utils/bin/do_mkdir.c b/audit-test/utils/bin/do_mkdir.c
index f06f394..d601903 100644
--- a/audit-test/utils/bin/do_mkdir.c
+++ b/audit-test/utils/bin/do_mkdir.c
@@ -14,7 +14,7 @@
*/
#include "includes.h"
-#ifndef SUSE
+#ifdef LSM_SELINUX
#include <selinux/selinux.h>
#endif
@@ -27,7 +27,7 @@ int main(int argc, char **argv)
return 1;
}
-#ifndef SUSE
+#ifdef LSM_SELINUX
if ((argc > 2) && (setfscreatecon(argv[2]) < 0)) {
perror("do_mkdir: setfscreatecon");
return 1;
diff --git a/audit-test/utils/bin/do_mkdirat.c b/audit-test/utils/bin/do_mkdirat.c
index 67d5ac9..5a6e54f 100644
--- a/audit-test/utils/bin/do_mkdirat.c
+++ b/audit-test/utils/bin/do_mkdirat.c
@@ -14,7 +14,7 @@
*/
#include "includes.h"
-#ifndef SUSE
+#ifdef LSM_SELINUX
#include <selinux/selinux.h>
#endif
@@ -28,7 +28,7 @@ int main(int argc, char **argv)
return TEST_ERROR;
}
-#ifndef SUSE
+#ifdef LSM_SELINUX
if ((argc > 3) && (setfscreatecon(argv[3]) < 0)) {
perror("do_mkdirat: setfscreatecon");
return TEST_ERROR;
diff --git a/audit-test/utils/bin/do_mknod.c b/audit-test/utils/bin/do_mknod.c
index 07ca554..c12c76d 100644
--- a/audit-test/utils/bin/do_mknod.c
+++ b/audit-test/utils/bin/do_mknod.c
@@ -14,7 +14,7 @@
*/
#include "includes.h"
-#ifndef SUSE
+#ifdef LSM_SELINUX
#include <selinux/selinux.h>
#endif
@@ -27,7 +27,7 @@ int main(int argc, char **argv)
return 1;
}
-#ifndef SUSE
+#ifdef LSM_SELINUX
if ((argc > 2) && (setfscreatecon(argv[2]) < 0)) {
perror("do_mknod: setfscreatecon");
return 1;
diff --git a/audit-test/utils/bin/do_mknodat.c b/audit-test/utils/bin/do_mknodat.c
index 5acb057..7e9ea2c 100644
--- a/audit-test/utils/bin/do_mknodat.c
+++ b/audit-test/utils/bin/do_mknodat.c
@@ -14,7 +14,7 @@
*/
#include "includes.h"
-#ifndef SUSE
+#ifdef LSM_SELINUX
#include <selinux/selinux.h>
#endif
@@ -31,7 +31,7 @@ int main(int argc, char **argv)
dir_fd = open(argv[1], O_DIRECTORY);
if (dir_fd < 0)
return TEST_ERROR;
-#ifndef SUSE
+#ifdef LSM_SELINUX
if (argc == 4 && setfscreatecon(argv[3]) < 0) {
perror("do_mknodat: setfscreatecon");
return TEST_ERROR;
diff --git a/audit-test/utils/bin/do_mq_open.c b/audit-test/utils/bin/do_mq_open.c
index 25adc8b..8d0ec9d 100644
--- a/audit-test/utils/bin/do_mq_open.c
+++ b/audit-test/utils/bin/do_mq_open.c
@@ -15,7 +15,7 @@
#include "includes.h"
#include <mqueue.h>
-#ifndef SUSE
+#ifdef LSM_SELINUX
#include <selinux/selinux.h>
#endif
@@ -45,7 +45,7 @@ int main(int argc, char **argv)
return 1;
}
-#ifndef SUSE
+#ifdef LSM_SELINUX
if ((argc > 3) && (setfscreatecon(argv[3]) < 0)) {
perror("do_mq_open: setfscreatecon");
return 1;
diff --git a/audit-test/utils/bin/do_open.c b/audit-test/utils/bin/do_open.c
index 1068461..781f6f9 100644
--- a/audit-test/utils/bin/do_open.c
+++ b/audit-test/utils/bin/do_open.c
@@ -14,7 +14,7 @@
*/
#include "includes.h"
-#ifndef SUSE
+#ifdef LSM_SELINUX
#include <selinux/selinux.h>
#endif
@@ -46,7 +46,7 @@ int main(int argc, char **argv)
return 1;
}
-#ifndef SUSE
+#ifdef LSM_SELINUX
if ((argc > 3) && (setfscreatecon(argv[3]) < 0)) {
perror("do_open: setfscreatecon");
return 1;
diff --git a/audit-test/utils/bin/do_openat.c b/audit-test/utils/bin/do_openat.c
index 43da725..6205406 100644
--- a/audit-test/utils/bin/do_openat.c
+++ b/audit-test/utils/bin/do_openat.c
@@ -14,7 +14,7 @@
*/
#include "includes.h"
-#ifndef SUSE
+#ifdef LSM_SELINUX
#include <selinux/selinux.h>
#endif
@@ -53,7 +53,7 @@ int main(int argc, char **argv)
perror("do_openat: open dirfd");
return TEST_ERROR;
}
-#ifndef SUSE
+#ifdef LSM_SELINUX
if (argc == 5 && setfscreatecon(argv[4]) < 0) {
perror("do_openat: setfscreatecon");
return TEST_ERROR;
diff --git a/audit-test/utils/bin/do_symlink.c b/audit-test/utils/bin/do_symlink.c
index 75dfe0b..d902493 100644
--- a/audit-test/utils/bin/do_symlink.c
+++ b/audit-test/utils/bin/do_symlink.c
@@ -14,7 +14,7 @@
*/
#include "includes.h"
-#ifndef SUSE
+#ifdef LSM_SELINUX
#include <selinux/selinux.h>
#endif
@@ -27,7 +27,7 @@ int main(int argc, char **argv)
return 1;
}
-#ifndef SUSE
+#ifdef LSM_SELINUX
if ((argc > 3) && (setfscreatecon(argv[3]) < 0)) {
perror("do_symlink: setfscreatecon");
return 1;
diff --git a/audit-test/utils/bin/do_symlinkat.c b/audit-test/utils/bin/do_symlinkat.c
index 9e67a28..1829dcf 100644
--- a/audit-test/utils/bin/do_symlinkat.c
+++ b/audit-test/utils/bin/do_symlinkat.c
@@ -15,7 +15,7 @@
*/
#include "includes.h"
-#ifndef SUSE
+#ifdef LSM_SELINUX
#include <selinux/selinux.h>
#endif
@@ -32,7 +32,7 @@ int main(int argc, char **argv)
dir_fd = open(argv[1], O_DIRECTORY);
if (dir_fd < 0)
return TEST_ERROR;
-#ifndef SUSE
+#ifdef LSM_SELINUX
if (argc == 5 && setfscreatecon(argv[4]) < 0) {
perror("do_symlinkat: setfscreatecon");
return TEST_ERROR;
diff --git a/audit-test/utils/run.bash b/audit-test/utils/run.bash
index a2a5da6..629e0a3 100755
--- a/audit-test/utils/run.bash
+++ b/audit-test/utils/run.bash
@@ -463,11 +463,15 @@ function show_header {
printf "%-32s %s\n" Mode: "${MODE:-(native)}"
printf "%-32s %s\n" Hostname: "$(uname -n)"
printf "%-32s %s\n" Profile: "$PPROFILE"
- printf "%-32s %s\n" "selinux-policy version:" "$(rpm -q selinux-policy)"
+ if [[ $LSM_SELINUX == yes ]] ; then
+ printf "%-32s %s\n" "selinux-policy version:" "$(rpm -q selinux-policy)"
+ fi
if [[ $PPROFILE == lspp ]] ; then
printf "%-32s %s\n" "lspp_test policy version:" "$(semodule -l | grep lspp_test | awk '{print $2}')"
fi
- printf "\n%s\n" "$(sestatus)"
+ if [[ $LSM_SELINUX == yes ]] ; then
+ printf "\n%s\n" "$(sestatus)"
+ fi
echo
} | tee $opt_logdir/$header_log
}
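Review bot: the two new `[[ $LSM_SELINUX == yes ]]` guards in show_header depend on the variable exported from rules.mk, so whenever run.bash runs with it unset the header drops the selinux-policy version and the sestatus output without saying so, even on Fedora or RHEL. Print an explicit line in the other case (for example "SELinux: not configured") so the log records which path was taken. The `semodule -l` call in the lspp branch is also still unguarded.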
--
1.7.9.5
|
|
From: AKASHI T. <tak...@li...> - 2014-07-03 07:46:08
|
This patch allows the test suite to be run on aarch64 (or arm64 in kernel
jargon) with 64-bit and 32-bit userspace.
I successfully built and ran it on ARMv8 fast model.
(but only against audit-test/syscalls and filter)

AKASHI Takahiro (5):
  audit-test: use LSM_SELINUX instead of SUSE to work-around SE-Linux
  audit-test: handle __NR3264_xxx syscall definitions
  audit-test/syscalls: add aarch64 support
  audit-test/filter: add aarch64 support
  audit-test/syscalls: add arm support

 audit-test/filter/tests/test_auid.bash | 9 +++++++--
 audit-test/filter/tests/test_class_attr.bash | 13 +++++++++++++
 audit-test/filter/tests/test_dev_inode.bash | 11 ++++++++---
 audit-test/filter/tests/test_success.bash | 6 +++++-
 audit-test/filter/tests/test_syscall.bash | 6 +++++-
 audit-test/filter/tests/test_type.bash | 9 +++++++--
 audit-test/filter/tests/test_watch_dir_remove.bash | 20 ++++++++++++--------
 audit-test/filter/tests/test_watch_open.bash | 10 ++++++++--
 audit-test/filter/tests/test_watch_remove.bash | 4 ++++
 audit-test/rules.mk | 20 ++++++++++++++------
 audit-test/syscalls/cap-run.conf | 10 +++++-----
 audit-test/syscalls/dac-run.conf | 16 ++++++++--------
 audit-test/syscalls/mac-run.conf | 16 ++++++++--------
 audit-test/utils/Makefile | 4 ++++
 audit-test/utils/augrok | 17 +++++++++++++++--
 audit-test/utils/bin/Makefile | 14 +++++++++++---
 audit-test/utils/bin/do_creat.c | 4 ++--
 audit-test/utils/bin/do_mkdir.c | 4 ++--
 audit-test/utils/bin/do_mkdirat.c | 4 ++--
 audit-test/utils/bin/do_mknod.c | 4 ++--
 audit-test/utils/bin/do_mknodat.c | 4 ++--
 audit-test/utils/bin/do_mq_open.c | 4 ++--
 audit-test/utils/bin/do_open.c | 4 ++--
 audit-test/utils/bin/do_openat.c | 4 ++--
 audit-test/utils/bin/do_symlink.c | 4 ++--
 audit-test/utils/bin/do_symlinkat.c | 4 ++--
 audit-test/utils/run.bash | 8 ++++++--
 27 files changed, 160 insertions(+), 73 deletions(-)

--
1.7.9.5
|
|
From: Miroslav V. <mva...@re...> - 2014-01-02 11:16:46
|
Thanks for the review Linda. All 14 patches are finally upstream now.

/M

On 12/05/2013 05:32 PM, Linda Knippers wrote:
> Jiri Jaburek wrote:
>> Hi, no big breakthroughs this time, just misc fixes all around
>> the place:
>>
>> 2.4% audit-test/kvm/
>> 12.6% audit-test/misc/tests/
>> 3.0% audit-test/network/system/
>> 19.7% audit-test/trustedprograms/tests/
>> 1.2% audit-test/utils/selinux-policy/
>> 22.4% audit-test/utils/
>> 6.6% audit-test/
>> 31.7% ltp/
>>
>> There are some run.bash related fixes for the log merging
>> functionality (which was included recently), envcheck
>> improvements, (hopefully) final solution to the tar --xattrs
>> problem discussed in one of earlier patch series, audit-like
>> ltp.run.log / ltp.rollup.log LTP logs, ...
>>
>> All in all, a peaceful patch series, just in time for December.
>>
>> The changes are RHEL6 compatible, tested on various RHEL6.y
>> releases and streams by Miroslav Vadkerti.
>
> Thanks very much. I had a few comments but the patches look good
> to me. Miroslav, please push them.
>
> Thanks to you both,
>
> -- ljk
>
>> Please see commit messages of respective patches for more
>> information, the patches are attached via In-Reply-To/References
>> to this mail.
>>
>> Thanks, Jiri
>>
>> ------------------------------------------------------------------------------
>> Sponsored by Intel(R) XDK
>> Develop, test and display web and hybrid apps with a single code
>> base. Download it for free now!
>> http://pubads.g.doubleclick.net/gampad/clk?id=111408631&iu=/4140/ostg.clktrk
>>
>> _______________________________________________
>> Audit-test-developer mailing list
>> Aud...@li...
>> https://lists.sourceforge.net/lists/listinfo/audit-test-developer
|
|
From: Linda K. <lin...@hp...> - 2013-12-09 15:38:13
|
Jiri Jaburek wrote:
> On 12/06/2013 04:01 PM, Linda Knippers wrote:
>>> Well, they might not need to. Tar with --selinux will work fine in all
>>> cases, just the `ls -Z' check will fail, which is indifferent from the
>>> previous "version" of the test.
>>> That is - unless the distro builds GNU tar --without-selinux.
>>>
>>> Non-selinux-enabled distros will have bigger problems anyway as
>>> PPROFILE=lspp kind of needs selinux for more than just one tar test.
>>> (yes, this tar test is lspp-only)
>>
>> Right. I assume that a non-SELinux would only run in CAPP mode,
>> although even in CAPP mode SELinux is optional. In some cases
>> we've used the DISTRO variable to skip them.
>>
>> The misc tests actually run in CAPP and LSPP mode, don't they?
>>
>
> At the bottom of misc/run.conf:
>
> if [[ $PPROFILE == lspp ]]; then
> + tar
> fi

Oops, missed that.

> So I believe my implicit assumption of SELinux being available
> should be fine. If a distro provides SELinux as an optional feature,
> that distro probably builds tar --with-selinux anyway.

True.

Thanks,

-- ljk

>
> Jiri
>
|
|
From: Jiri J. <jja...@re...> - 2013-12-09 10:06:55
|
On 12/06/2013 04:01 PM, Linda Knippers wrote:
>> Well, they might not need to. Tar with --selinux will work fine in all
>> cases, just the `ls -Z' check will fail, which is indifferent from the
>> previous "version" of the test.
>> That is - unless the distro builds GNU tar --without-selinux.
>>
>> Non-selinux-enabled distros will have bigger problems anyway as
>> PPROFILE=lspp kind of needs selinux for more than just one tar test.
>> (yes, this tar test is lspp-only)
>
> Right. I assume that a non-SELinux would only run in CAPP mode,
> although even in CAPP mode SELinux is optional. In some cases
> we've used the DISTRO variable to skip them.
>
> The misc tests actually run in CAPP and LSPP mode, don't they?
>
At the bottom of misc/run.conf:
if [[ $PPROFILE == lspp ]]; then
+ tar
fi
So I believe my implicit assumption of SELinux being available
should be fine. If a distro provides SELinux as an optional feature,
that distro probably builds tar --with-selinux anyway.
Jiri
|
|
From: Linda K. <lin...@hp...> - 2013-12-06 15:01:15
|
Jiri Jaburek wrote:
> Hi Linda,
>
> On 12/05/2013 05:29 PM, Linda Knippers wrote:
>> Jiri Jaburek wrote:
>>> Also make tar use explicit --selinux and --acls.
>>>
>>> The --xattrs is a custom RHEL feature on RHEL5/RHEL6 that backs up
>>> and extracts all xattrs, incl. all namespaces (security, system,
>>> trusted, user).
>>> On RHEL7, the --xattrs comes from upstream version of tar, which
>>> backs up only the user namespace by default.
>> This is just a side question - is this change going to be obvious
>> to RHEL customers who upgrade from RHEL6 to RHEL7? If they're using
>> --xattrs, they're not getting what they used to get.
>
> Indeed, we're aware of this. In fact, I was the one who created a bug
> regarding this. All I can say for sure is that it's been taken care of
> and is not really relevant to this case (since we're not doing usability
> testing here).
>
>>> This can be changed
>>> to RHEL5/RHEL6 behavior using --xattrs-include='*', but this would
>>> not be backwards compatible and - furthermore - is not very correct.
>>>
>>> The fact is that test_tar checks for SELinux contexts using ls -Z,
>>> not *any* generic file contexts. Therefore we want tar to back up
>>> and restore SELinux file contexts, regardless of how they're implemented
>>> internally (ie. using xattrs). It thus makes sense to use explicit
>>> --selinux switch (available on RHEL5/RHEL6/RHEL7).
>> Is --selinux RHEL-specific or also upstream?
>
> All of --xattrs, --xattrs-*, --selinux and --acls are upstream. See ie.
> http://repo.or.cz/w/tar.git/commit/696338043e52f440853e11
> http://repo.or.cz/w/tar.git/commit/d36f5a3cc3280d6c4a5836
> http://repo.or.cz/w/tar.git/commit/085cace1805308589c6211
> as proof.

Thanks!

>> If someone wants to test ACLs on a non-SELinux distro, they will
>> need to separate this test into 2 tests, one for ACLs and one for
>> file contexts. I only mention this because of Stephan's comment
>> on a previous patch about RPMs.
>
> Well, they might not need to. Tar with --selinux will work fine in all
> cases, just the `ls -Z' check will fail, which is indifferent from the
> previous "version" of the test.
> That is - unless the distro builds GNU tar --without-selinux.
>
> Non-selinux-enabled distros will have bigger problems anyway as
> PPROFILE=lspp kind of needs selinux for more than just one tar test.
> (yes, this tar test is lspp-only)

Right. I assume that a non-SELinux would only run in CAPP mode,
although even in CAPP mode SELinux is optional. In some cases
we've used the DISTRO variable to skip them.

The misc tests actually run in CAPP and LSPP mode, don't they?

> If anything, this patch is moving from rhel-specific tar flags to
> distro-independent flags, which is a good thing if one wants to run the
> suite on other distros. :)

Yes, all a good thing. If another distro wants to pick apart the tests,
they can post the patches. :-)

Thanks,

-- ljk

>
> Thanks,
> Jiri
>
|
|
From: Jiri J. <jja...@re...> - 2013-12-06 09:15:24
|
Hi Linda,

On 12/05/2013 05:29 PM, Linda Knippers wrote:
> Jiri Jaburek wrote:
>> Also make tar use explicit --selinux and --acls.
>>
>> The --xattrs is a custom RHEL feature on RHEL5/RHEL6 that backs up
>> and extracts all xattrs, incl. all namespaces (security, system,
>> trusted, user).
>> On RHEL7, the --xattrs comes from upstream version of tar, which
>> backs up only the user namespace by default.
>
> This is just a side question - is this change going to be obvious
> to RHEL customers who upgrade from RHEL6 to RHEL7? If they're using
> --xattrs, they're not getting what they used to get.

Indeed, we're aware of this. In fact, I was the one who created a bug
regarding this. All I can say for sure is that it's been taken care of
and is not really relevant to this case (since we're not doing usability
testing here).

>
>> This can be changed
>> to RHEL5/RHEL6 behavior using --xattrs-include='*', but this would
>> not be backwards compatible and - furthermore - is not very correct.
>>
>> The fact is that test_tar checks for SELinux contexts using ls -Z,
>> not *any* generic file contexts. Therefore we want tar to back up
>> and restore SELinux file contexts, regardless of how they're implemented
>> internally (ie. using xattrs). It thus makes sense to use explicit
>> --selinux switch (available on RHEL5/RHEL6/RHEL7).
>
> Is --selinux RHEL-specific or also upstream?

All of --xattrs, --xattrs-*, --selinux and --acls are upstream. See ie.
http://repo.or.cz/w/tar.git/commit/696338043e52f440853e11
http://repo.or.cz/w/tar.git/commit/d36f5a3cc3280d6c4a5836
http://repo.or.cz/w/tar.git/commit/085cace1805308589c6211
as proof.

>
> If someone wants to test ACLs on a non-SELinux distro, they will
> need to separate this test into 2 tests, one for ACLs and one for
> file contexts. I only mention this because of Stephan's comment
> on a previous patch about RPMs.

Well, they might not need to. Tar with --selinux will work fine in all
cases, just the `ls -Z' check will fail, which is indifferent from the
previous "version" of the test.
That is - unless the distro builds GNU tar --without-selinux.

Non-selinux-enabled distros will have bigger problems anyway as
PPROFILE=lspp kind of needs selinux for more than just one tar test.
(yes, this tar test is lspp-only)

If anything, this patch is moving from rhel-specific tar flags to
distro-independent flags, which is a good thing if one wants to run the
suite on other distros. :)

Thanks,
Jiri
|
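The discussion in this thread turns on what tar actually writes into the archive: --xattrs with only the user namespace versus explicit --selinux and --acls. The following is an added example, not part of the thread or of audit-test, that inspects the pax headers of an archive for that metadata. The two sample archives are constructed in memory, the helper names and the full context string are assumptions, and the ACL entries and the bin_t/Secret label mirror what test_tar.bash sets on fileSecret.

```python
import io
import tarfile

# pax extended-header keywords GNU tar uses for security metadata
SELINUX_KEY = "RHT.security.selinux"  # written by --selinux
ACL_KEY = "SCHILY.acl.access"         # written by --acls
XATTR_PREFIX = "SCHILY.xattr."        # written by --xattrs, one record per attribute


def build_archive(members):
    """Build a pax-format archive in memory from {name: pax_headers} (constructed input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.PAX_FORMAT) as tf:
        for name, headers in members.items():
            data = b"test data\n"
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.pax_headers = dict(headers)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def describe(member):
    """Return the SELinux context, ACL entries and xattr namespaces stored for one member."""
    hdr = member.pax_headers
    xattrs = {k[len(XATTR_PREFIX):]: v for k, v in hdr.items()
              if k.startswith(XATTR_PREFIX)}
    # Assumption: an archive that stored every xattr namespace would carry the
    # label as SCHILY.xattr.security.selinux, so that form is accepted as well.
    context = hdr.get(SELINUX_KEY) or xattrs.get("security.selinux")
    acl = [e for e in hdr.get(ACL_KEY, "").replace("\n", ",").split(",") if e]
    namespaces = sorted({name.split(".", 1)[0] for name in xattrs})
    return {"selinux": context, "acl": acl, "xattr_namespaces": namespaces}


def audit(archive_bytes, expected_acl=()):
    """Return {member name: [problems]} for regular files that lost label or ACL entries."""
    problems = {}
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:") as tf:
        for member in tf:
            if not member.isfile():
                continue
            info = describe(member)
            found = []
            if not info["selinux"]:
                found.append("no SELinux context")
            for entry in expected_acl:
                if entry not in info["acl"]:
                    found.append("missing ACL entry " + entry)
            if found:
                problems[member.name] = found
    return problems


# Constructed samples: the first mimics an archive holding only a user-namespace
# xattr, the second one written with the label and ACL stored explicitly.
EXPECTED_ACL = ("user:1234:rwx", "group:4321:--x")
USER_ONLY = build_archive({
    "fileSecret": {"SCHILY.xattr.user.comment": "demo"},
})
LABELLED = build_archive({
    "fileSecret": {
        SELINUX_KEY: "system_u:object_r:bin_t:Secret",
        ACL_KEY: "user::rwx,user:1234:rwx,group::r--,group:4321:--x,"
                 "mask::rwx,other::r--",
    },
})

if __name__ == "__main__":
    for label, archive in (("user namespace only", USER_ONLY),
                           ("--selinux --acls", LABELLED)):
        print(label, "->", audit(archive, EXPECTED_ACL) or "ok")
```

Checking the archive itself separates "tar did not store the label" from "tar stored it but extraction did not restore it", which a check with ls -Z after unpacking cannot tell apart.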
|
From: Linda K. <lin...@hp...> - 2013-12-05 16:48:10
|
Jiri Jaburek wrote: > Also make tar use explicit --selinux and --acls. > > The --xattrs is a custom RHEL feature on RHEL5/RHEL6 that backs up > and extracts all xattrs, incl. all namespaces (security, system, > trusted, user). > On RHEL7, the --xattrs comes from upstream version of tar, which > backs up only the user namespace by default. This is just a side question - is this change going to be obvious to RHEL customers who upgrade from RHEL6 to RHEL7? If they're using --xattrs, they're not getting what they used to get. > This can be changed > to RHEL5/RHEL6 behavior using --xattrs-include='*', but this would > not be backwards compatible and - furthermore - is not very correct. > > The fact is that test_tar checks for SELinux contexts using ls -Z, > not *any* generic file contexts. Therefore we want tar to back up > and restore SELinux file contexts, regardless of how they're implemented > internally (ie. using xattrs). It thus makes sense to use explicit > --selinux switch (available on RHEL5/RHEL6/RHEL7). Is --selinux RHEL-specific or also upstream? If someone wants to test ACLs on a non-SELinux distro, they will need to separate this test into 2 tests, one for ACLs and one for file contexts. I only mention this because of Stephan's comment on a previous patch about RPMs. -- ljk > > Signed-off-by: Jiri Jaburek <jja...@re...> > --- > audit-test/misc/tests/test_tar.bash | 21 +++++++++++++++------ > 1 file changed, 15 insertions(+), 6 deletions(-) > > diff --git a/audit-test/misc/tests/test_tar.bash b/audit-test/misc/tests/test_tar.bash > index 8ea8da9..f83b45f 100755 > --- a/audit-test/misc/tests/test_tar.bash > +++ b/audit-test/misc/tests/test_tar.bash 
> @@ -20,13 +20,14 @@ > # FILE : test_tar.bash > # > # TEST DESCRIPTION: Verify that the tar program preserves file security > -# contexts. Pack up files with various contexts using tar, > -# unpack them in another directory, and compare the file > -# contexts using ls -Z. The file contexts should all > -# be preserved. > +# (SELinux) contexts and ACLs. Pack up files with various > +# attributes using tar, unpack them in another directory > +# and compare the file contexts and ACLs. Both the file > +# contexts and ACLs should all be preserved. > # > # HISTORY: 05/2007 created by Lisa Smith <lis...@hp...> > # 08/2011 ported to audit-test by Tony Ernst <te...@sg...> > +# 10/2013 added ACL testing by Jiri Jaburek <jja...@re...> > # > ############################################################################# > source misc_functions.bash || exit 2 > @@ -55,8 +56,12 @@ chcon -t tmp_t -l SystemLow $FILE_DIR/fileLow || exit_fail > chmod 744 $FILE_DIR/fileSecret || exit_fail > chcon -t bin_t -l Secret $FILE_DIR/fileSecret || exit_fail > > +# Add some ACL entries to one of the files > +setfacl -n -m u:1234:rwx $FILE_DIR/fileSecret > +setfacl -n -m g:4321:--x $FILE_DIR/fileSecret > + > # Pack up the files in the test_files directory > -tar cf $TAR_FILE --xattrs -H posix -C $FILE_DIR . > +tar cf $TAR_FILE --selinux --acls -H posix -C $FILE_DIR . > > # Verify the files were successfully packed > if [ $? != 0 ]; then > @@ -64,7 +69,7 @@ if [ $? != 0 ]; then > fi > > # Unpack the files > -tar xvf $TAR_FILE --xattrs -C $EXTRACT_DIR > +tar xvf $TAR_FILE --selinux --acls -C $EXTRACT_DIR > if [ $? != 0 ]; then > exit_error "Error unpacking tar archive" > fi > @@ -77,4 +82,8 @@ if [ $? != 0 ]; then > exit_fail "tar did not preserve correct files and/or security contexts" > fi > > +# Check ACLs > +getfacl $EXTRACT_DIR/fileSecret | grep user:1234:rwx || exit_fail > +getfacl $EXTRACT_DIR/fileSecret | grep group:4321:--x || exit_fail > + > exit_pass |
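Review bot: the two added `setfacl -n -m ...` lines on fileSecret have no error check, unlike the `chcon ... || exit_fail` lines just above them, so a setfacl failure during setup only surfaces at the final getfacl greps and is then reported as tar failing to preserve ACLs. Append an explicit failure exit to both setfacl calls, and give the two `getfacl ... | grep ... || exit_fail` checks a message naming the missing entry, as the context check above them does.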
|
From: Linda K. <lin...@hp...> - 2013-12-05 16:32:55
|
Jiri Jaburek wrote:
> Hi,
> no big breakthroughs this time, just misc fixes all around the place:
>
> 2.4% audit-test/kvm/
> 12.6% audit-test/misc/tests/
> 3.0% audit-test/network/system/
> 19.7% audit-test/trustedprograms/tests/
> 1.2% audit-test/utils/selinux-policy/
> 22.4% audit-test/utils/
> 6.6% audit-test/
> 31.7% ltp/
>
> There are some run.bash related fixes for the log merging functionality
> (which was included recently), envcheck improvements, (hopefully) final
> solution to the tar --xattrs problem discussed in one of earlier patch
> series, audit-like ltp.run.log / ltp.rollup.log LTP logs, ...
>
> All in all, a peaceful patch series, just in time for December.
>
> The changes are RHEL6 compatible, tested on various RHEL6.y releases
> and streams by Miroslav Vadkerti.

Thanks very much. I had a few comments but the patches look good to me.
Miroslav, please push them.

Thanks to you both,

-- ljk

> Please see commit messages of respective patches for more information,
> the patches are attached via In-Reply-To/References to this mail.
>
> Thanks,
> Jiri
|
|
From: Linda K. <lin...@hp...> - 2013-12-05 16:13:24
|
Jiri Jaburek wrote:
> On 12/04/2013 03:41 PM, Stephan Mueller wrote:
>> On Wednesday, 4 December 2013, 15:28:44, Jiri Jaburek wrote:
>>
>> Hi Jiri,
>>
>
> Hi Stephan,
>
>>> Signed-off-by: Jiri Jaburek <jja...@re...>
>>> ---
>>> audit-test/utils/envcheck | 31 +++++++++++++++++++++++++++++++
>>> 1 file changed, 31 insertions(+)
>>>
>>> diff --git a/audit-test/utils/envcheck b/audit-test/utils/envcheck
>>> index 2e28754..d43958f 100755
>>> --- a/audit-test/utils/envcheck
>>> +++ b/audit-test/utils/envcheck
>>> @@ -143,6 +143,36 @@ check_variables() {
>>> }
>>>
>>>
>>> +### RPM DEPENDENCIES
>>> +check_rpm_deps() {
>>> + local CHECK_FAILED
>>> +
>>> + # requires for this check
>>> + which rpm &>/dev/null || {
>>> + echo "rpm binary not available, skipping rpm dependency
>>> checks" + return 2
>>> + }
>>> +
>>> + # from README.run
>>> + local rpms="audit-libs-devel expect libselinux-devel perl-devel \
>>> + perl-Expect perl-IO-Tty"
>> Question: is it wise to hard code the RPM names? Note, other distros may
>> use different names.
>
> The following was mentioned in a commit which introduced envcheck:
>
> The idea is to catch various configuration or setup errors
> and give useful hints, so that the user doesn't have to debug
> the system/suite to find out what could possibly go wrong.
>
> This script is not supposed to replace or duplicate functionality
> provided by the suite itself, it should be only used for basic sanity
> verification of the environment. It doesn't claim to reveal all
> configuration errors, but it can still be useful.
>
> Because of the reasons mentioned above, running this script
> is purely optional.
>
> The idea being that it's not the ultimate checking thing, which must
> pass in all checks.
>
> The RPM list is taken from README.run and is thus hardcoded there as
> well. I've tried to limit this new rpm deps check to RPM-specific
> distros by checking the `rpm' command availability (which itself is
> a rather lame check, better ideas welcome), but I'm not against more
> complex verification methods.
> I didn't want to limit the package names to RHEL, since there may be
> other RPM-based distros with the same package names (ie. CentOS).
> If the check starts failing on RHEL-unrelated RPM-based distros,
> it at least makes the person double-check the required dependencies
> and (hopefully) report the problem on this list, so we can come up with
> a better solution (using case/esac, for example).
>
> Overall, a much better check would be file-based. That would, however,
> require some serious suite digging for truly required files, which is
> kind of out of the scope of the envcheck script.
There is code in rules.mk that tries to identify the distro (at
least SLES, Fedora and RHEL) so if necessary, would conditionalize
these kind of checks if a distro cares to add the code to do that.
We export a DISTRO variable that can be used.
I know of no one who has tried this on a debian-based distro but
patches welcome. :-)
-- ljk
>
>>> +
>>> + for rpm in $rpms; do
>>> + check "rpm -q \"$rpm\"" 0 "rpm package $rpm is installed"
>>> + done;
>>> +
>>> + if [ "$CHECK_FAILED" ]; then
>>> + echo
>>> + echo "RPM dependency checking failed."
>>> + echo "Please make sure you have installed all necessary suite"
>>> + echo "requires / dependencies specified at the top of
>>> README.run." + return 1
>>> + else
>>> + check_rpm_deps=1
>>> + fi
>>> +}
>>> +
>>> +
>>> ### USER SESSION
>>> check_user_session() {
>>> local CHECK_FAILED
>>> @@ -396,6 +426,7 @@ check_kvm() {
>>> # checks to be run, ordering is important
>>> CHECKS="
>>> check_variables
>>> +check_rpm_deps
>>> check_user_session
>>> check_suite
>>> check_networking_if
>>
>> Ciao
>> Stephan
>>
>
>
|
|
From: Stephan M. <ste...@at...> - 2013-12-04 15:15:49
|
On Wednesday, 4 December 2013, 16:10:15, Jiri Jaburek wrote:

Hi Jiri,

>>
>> Question: is it wise to hard code the RPM names? Note, other distros
>> may use different names.
>
>The following was mentioned in a commit which introduced envcheck:

Ok, I have not linked that explanation with your patch :-) Disregard my
comment.

Ciao
Stephan
|
|
From: Jiri J. <jja...@re...> - 2013-12-04 15:10:29
|
On 12/04/2013 03:41 PM, Stephan Mueller wrote:
> On Wednesday, 4 December 2013, 15:28:44, Jiri Jaburek wrote:
>
> Hi Jiri,
>
Hi Stephan,
>> Signed-off-by: Jiri Jaburek <jja...@re...>
>> ---
>> audit-test/utils/envcheck | 31 +++++++++++++++++++++++++++++++
>> 1 file changed, 31 insertions(+)
>>
>> diff --git a/audit-test/utils/envcheck b/audit-test/utils/envcheck
>> index 2e28754..d43958f 100755
>> --- a/audit-test/utils/envcheck
>> +++ b/audit-test/utils/envcheck
>> @@ -143,6 +143,36 @@ check_variables() {
>> }
>>
>>
>> +### RPM DEPENDENCIES
>> +check_rpm_deps() {
>> + local CHECK_FAILED
>> +
>> + # requires for this check
>> + which rpm &>/dev/null || {
>> + echo "rpm binary not available, skipping rpm dependency
>> checks" + return 2
>> + }
>> +
>> + # from README.run
>> + local rpms="audit-libs-devel expect libselinux-devel perl-devel \
>> + perl-Expect perl-IO-Tty"
>
> Question: is it wise to hard code the RPM names? Note, other distros may
> use different names.
The following was mentioned in a commit which introduced envcheck:
The idea is to catch various configuration or setup errors
and give useful hints, so that the user doesn't have to debug
the system/suite to find out what could possibly go wrong.
This script is not supposed to replace or duplicate functionality
provided by the suite itself, it should be only used for basic sanity
verification of the environment. It doesn't claim to reveal all
configuration errors, but it can still be useful.
Because of the reasons mentioned above, running this script
is purely optional.
The idea being that it's not the ultimate checking thing, which must
pass in all checks.
The RPM list is taken from README.run and is thus hardcoded there as
well. I've tried to limit this new rpm deps check to RPM-specific
distros by checking the `rpm' command availability (which itself is
a rather lame check, better ideas welcome), but I'm not against more
complex verification methods.
I didn't want to limit the package names to RHEL, since there may be
other RPM-based distros with the same package names (ie. CentOS).
If the check starts failing on RHEL-unrelated RPM-based distros,
it at least makes the person double-check the required dependencies
and (hopefully) report the problem on this list, so we can come up with
a better solution (using case/esac, for example).
Overall, a much better check would be file-based. That would, however,
require some serious suite digging for truly required files, which is
kind of out of the scope of the envcheck script.
>
>> +
>> + for rpm in $rpms; do
>> + check "rpm -q \"$rpm\"" 0 "rpm package $rpm is installed"
>> + done;
>> +
>> + if [ "$CHECK_FAILED" ]; then
>> + echo
>> + echo "RPM dependency checking failed."
>> + echo "Please make sure you have installed all necessary suite"
>> + echo "requires / dependencies specified at the top of
>> README.run." + return 1
>> + else
>> + check_rpm_deps=1
>> + fi
>> +}
>> +
>> +
>> ### USER SESSION
>> check_user_session() {
>> local CHECK_FAILED
>> @@ -396,6 +426,7 @@ check_kvm() {
>> # checks to be run, ordering is important
>> CHECKS="
>> check_variables
>> +check_rpm_deps
>> check_user_session
>> check_suite
>> check_networking_if
>
>
> Ciao
> Stephan
>
|
|
From: Stephan M. <ste...@at...> - 2013-12-04 14:57:22
|
On Wednesday, 4 December 2013, 15:28:44, Jiri Jaburek wrote:
Hi Jiri,
>Signed-off-by: Jiri Jaburek <jja...@re...>
>---
> audit-test/utils/envcheck | 31 +++++++++++++++++++++++++++++++
> 1 file changed, 31 insertions(+)
>
>diff --git a/audit-test/utils/envcheck b/audit-test/utils/envcheck
>index 2e28754..d43958f 100755
>--- a/audit-test/utils/envcheck
>+++ b/audit-test/utils/envcheck
>@@ -143,6 +143,36 @@ check_variables() {
> }
>
>
>+### RPM DEPENDENCIES
>+check_rpm_deps() {
>+ local CHECK_FAILED
>+
>+ # requires for this check
>+ which rpm &>/dev/null || {
>+ echo "rpm binary not available, skipping rpm dependency
>checks" + return 2
>+ }
>+
>+ # from README.run
>+ local rpms="audit-libs-devel expect libselinux-devel perl-devel \
>+ perl-Expect perl-IO-Tty"
Question: is it wise to hard code the RPM names? Note, other distros may
use different names.
>+
>+ for rpm in $rpms; do
>+ check "rpm -q \"$rpm\"" 0 "rpm package $rpm is installed"
>+ done;
>+
>+ if [ "$CHECK_FAILED" ]; then
>+ echo
>+ echo "RPM dependency checking failed."
>+ echo "Please make sure you have installed all necessary suite"
>+ echo "requires / dependencies specified at the top of
>README.run." + return 1
>+ else
>+ check_rpm_deps=1
>+ fi
>+}
>+
>+
> ### USER SESSION
> check_user_session() {
> local CHECK_FAILED
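Review bot: the availability test "which rpm &>/dev/null" depends on which(1) being installed, so a host that has rpm but lacks which would skip the whole dependency check; the shell builtin form "command -v rpm >/dev/null" avoids that. The function also has three outcomes (return 2 when skipped, return 1 on failure, check_rpm_deps=1 on success), and a one-line comment saying what 2 means to the caller would help.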
>@@ -396,6 +426,7 @@ check_kvm() {
> # checks to be run, ordering is important
> CHECKS="
> check_variables
>+check_rpm_deps
> check_user_session
> check_suite
> check_networking_if
Ciao
Stephan
|
|
From: Jiri J. <jja...@re...> - 2013-12-04 14:29:23
|
From: Miroslav Vadkerti <mva...@re...> According to Red Hat SELinux developers a new domain unconfined_execmem_t is allowed to transition to svirt_t domain. Signed-off-by: Miroslav Vadkerti <mva...@re...> --- audit-test/kvm/test_selinux_trans_to_svirt.bash | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/audit-test/kvm/test_selinux_trans_to_svirt.bash b/audit-test/kvm/test_selinux_trans_to_svirt.bash index 45c9805..646797a 100755 --- a/audit-test/kvm/test_selinux_trans_to_svirt.bash +++ b/audit-test/kvm/test_selinux_trans_to_svirt.bash @@ -38,8 +38,8 @@ if [[ $allowed_count -eq 0 ]]; then fi for type in $allowed; do - if [[ ! "$type" =~ unconfined_t|virtd_t ]]; then - exit_fail + if [[ ! "$type" =~ unconfined_t|unconfined_execmem_t|virtd_t ]]; then + exit_fail "$type is not allowed to transition to svirt_t" fi done -- 1.8.3.1 |
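Review bot: the pattern in [[ ! "$type" =~ unconfined_t|unconfined_execmem_t|virtd_t ]] is unanchored, so any source type that merely contains one of these names as a substring is accepted as an allowed transition to svirt_t. Since the test exists to catch unexpected domains, anchor it, e.g. ^(unconfined_t|unconfined_execmem_t|virtd_t)$. Passing the offending type to exit_fail is a useful addition.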
|
From: Jiri J. <jja...@re...> - 2013-12-04 14:29:20
|
From: Miroslav Vadkerti <mva...@re...>
Replace hardcoded audit.log location with already
defined audit_log variable.
Signed-off-by: Miroslav Vadkerti <mva...@re...>
---
audit-test/utils/functions.bash | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/audit-test/utils/functions.bash b/audit-test/utils/functions.bash
index fece1a6..9ee8ebd 100644
--- a/audit-test/utils/functions.bash
+++ b/audit-test/utils/functions.bash
@@ -270,7 +270,7 @@ function restart_auditd {
function rotate_audit_logs {
declare tmp num_logs
- if [[ -f /var/log/audit/audit.log ]]; then
+ if [[ -f "$audit_log" ]]; then
pushd /var/log/audit >/dev/null
tmp=$(mktemp $PWD/rotating.XXXXXX) || return 2
ln -f audit.log "$tmp" || return 2
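Review bot: only the existence test now follows $audit_log; the lines right after it still pushd into /var/log/audit and hard-link the literal name audit.log, so when audit_log points elsewhere the function tests one file and rotates another. Derive the directory and file name from the variable as well, for example with dirname "$audit_log" and basename "$audit_log".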
--
1.8.3.1
|
|
From: Jiri J. <jja...@re...> - 2013-12-04 14:29:16
|
This piece of code never actually worked as the "for" loop after it always rewrites the file(s). After recent changes, which incorporate the header into rollup logs of every bucket, this line shouldn't be needed at all. Signed-off-by: Jiri Jaburek <jja...@re...> --- audit-test/Makefile | 1 - 1 file changed, 1 deletion(-) diff --git a/audit-test/Makefile b/audit-test/Makefile index c13b504..e596cc1 100644 --- a/audit-test/Makefile +++ b/audit-test/Makefile @@ -94,7 +94,6 @@ report: @# tty output has color, generated logs don't, so collect them @# instead of redirecting output of the above loop. @for l in run rollup; do \ - ( utils/run.bash --header; echo ) &> audit.$$l.log; \ for x in $(RUN_DIRS); do \ echo; \ echo "::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::"; \ -- 1.8.3.1 |
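Review bot: the commit message justifies the removal by the header now being part of the rollup logs, but the loop in this hunk, "for l in run rollup", produces audit.run.log as well; please state whether the run log still receives the header, or that it is not needed there.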
|
From: Jiri J. <jja...@re...> - 2013-12-04 14:29:12
|
Signed-off-by: Jiri Jaburek <jja...@re...> --- ltp/Makefile | 59 ++++++++++++++++++++++++++++++++++------------------------- 1 file changed, 34 insertions(+), 25 deletions(-) diff --git a/ltp/Makefile b/ltp/Makefile index 278be2b..d4fda67 100644 --- a/ltp/Makefile +++ b/ltp/Makefile @@ -30,17 +30,11 @@ TOPDIR = . include $(TOPDIR)/rules.mk -RUN_LOG = run.log -ROLLUP_LOG = rollup.log - LTP_BASE = ltp-full LTP_BASE_PATH = $(CURDIR)/$(LTP_BASE) PATCH_DIR = $(CURDIR)/patch MDIR = $(CURDIR) -LTP_ROLLUP_LOG = .rollup.log -LTP_RUN_LOG = .run.log - LTP_FULL = ltp-full.tar.bz2 LTP_SOURCE = http://sourceforge.net/projects/ltp/files/LTP%20Source/ltp-20110915/ltp-full-20110915.bz2/download @@ -89,11 +83,15 @@ clean:: echo "Makefile: clean" # remove installed ltp rm -rf /opt/ltp - # remove all logs, downloaded and created files/dirs - rm -f cc_ospp$(LTP_ROLLUP_LOG) cc_ospp$(LTP_RUN_LOG) - rm -f syscalls$(LTP_ROLLUP_LOG) syscalls$(LTP_RUN_LOG) - rm -f mnt_syscalls$(LTP_ROLLUP_LOG) mnt_syscalls$(LTP_RUN_LOG) - rm -f $(LTP_FULL) $(RUN_LOG) $(ROLLUP_LOG) + # remove logs + for logtype in rollup run; do \ + for testset in syscalls cc_ospp mnt_syscalls; do \ + rm -f "$$testset.$$logtype.log"; \ + done; \ + done; \ + rm -f ltp.rollup.log ltp.run.log + # remove downloaded and created files/dirs + rm -f $(LTP_FULL) rm -rf $(LTP_BASE) download:: 
@@ -113,28 +111,39 @@ runtests:: sysctl kernel.msgmni=700 # run tests echo "Running syscalls tests" - /opt/ltp/testscripts/syscalls.sh -p -d ${LTP_TMPDIR} -l $(MDIR)/syscalls$(LTP_ROLLUP_LOG) 2>&1 | tee syscalls$(LTP_RUN_LOG) + /opt/ltp/testscripts/syscalls.sh -p -d ${LTP_TMPDIR} -l $(MDIR)/syscalls.rollup.log 2>&1 | tee syscalls.run.log echo "Running cc_ospp tests" - /opt/ltp/testscripts/cc_ospp.sh -p -d ${LTP_TMPDIR} -l $(MDIR)/cc_ospp$(LTP_ROLLUP_LOG) 2>&1 | tee cc_ospp$(LTP_RUN_LOG) + /opt/ltp/testscripts/cc_ospp.sh -p -d ${LTP_TMPDIR} -l $(MDIR)/cc_ospp.rollup.log 2>&1 | tee cc_ospp.run.log echo "Running mnt_syscalls tests" - /opt/ltp/testscripts/mnt_syscalls.sh -p -d ${LTP_TMPDIR} -l $(MDIR)/mnt_syscalls$(LTP_ROLLUP_LOG) 2>&1 | tee mnt_syscalls$(LTP_RUN_LOG) + /opt/ltp/testscripts/mnt_syscalls.sh -p -d ${LTP_TMPDIR} -l $(MDIR)/mnt_syscalls.rollup.log 2>&1 | tee mnt_syscalls.run.log # cleanup setsebool allow_execmem=$(ORIG_BOOL) sysctl kernel.msgmni=$(ORIG_KPARAM) report:: echo "Makefile: report" - # create rollup.log - echo "TESTS PASSED = "$$(grep PASS cc_ospp$(LTP_ROLLUP_LOG) syscalls$(LTP_ROLLUP_LOG) mnt_syscalls$(LTP_ROLLUP_LOG) 2>&1 | wc -l) > $(ROLLUP_LOG) - echo " FAILED =" $$(grep FAIL cc_ospp$(LTP_ROLLUP_LOG) syscalls$(LTP_ROLLUP_LOG) mnt_syscalls$(LTP_ROLLUP_LOG) 2>&1 | wc -l) >> $(ROLLUP_LOG) - echo >> $(ROLLUP_LOG) - if [ "x$$(grep FAIL cc_ospp$(LTP_ROLLUP_LOG) syscalls$(LTP_ROLLUP_LOG) mnt_syscalls$(LTP_ROLLUP_LOG) 2>&1 | wc -l)" != "x0" ]; then \ - echo "Failed tests:" >> $(ROLLUP_LOG); \ - echo "-------------" >> $(ROLLUP_LOG); \ - grep -H "\WFAIL\W" cc_ospp$(LTP_ROLLUP_LOG) syscalls$(LTP_ROLLUP_LOG) mnt_syscalls$(LTP_ROLLUP_LOG) >> $(ROLLUP_LOG); \ - fi - # create run.log - cat cc_ospp$(LTP_RUN_LOG) syscalls$(LTP_RUN_LOG) mnt_syscalls$(LTP_RUN_LOG) > $(RUN_LOG) + @for logtype in rollup run; do \ + for testset in syscalls cc_ospp mnt_syscalls; do \ + echo "::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::"; \ + printf "::: %-52s 
:::\n" "$$testset"; \ + echo "::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::"; \ + echo; \ + if [ -f "$$testset.$$logtype.log" ]; then cat "$$testset.$$logtype.log"; fi; \ + echo; \ + done &> ltp.$$logtype.log; \ + done; \ + { \ + echo "Summary:"; \ + echo "--------"; \ + echo; \ + echo "TESTS PASSED = $$(sort -u < ltp.rollup.log | grep -c ' PASS ')"; \ + echo " FAILED = $$(sort -u < ltp.rollup.log | grep -c ' FAIL ')"; \ + echo; \ + echo "Failed tests:"; \ + echo "-------------"; \ + cat ltp.rollup.log | grep ' FAIL '; \ + } 2>&1 >> ltp.rollup.log; \ + exit 0 dist: rev=$$(git log | head -n 1| awk '/^commit/{print $$2}' | cut -b 1-6 ) && \ -- 1.8.3.1 |
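Review bot: in the new report recipe the summary group ends with "} 2>&1 >> ltp.rollup.log", which points stderr at the old stdout before stdout is redirected, so error output from sort, grep or cat goes to the terminal and not into the log; if both are meant to be logged, the order should be ">> ltp.rollup.log 2>&1". The last command of that group, "cat ltp.rollup.log | grep ' FAIL '", also reads the file the group is appending to, so lines it has just written can be read back and matched again; collecting the failed lines into a variable or a temporary file before appending avoids that. The closing "exit 0" makes the report target succeed whatever happened in the loops above it.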
|
From: Jiri J. <jja...@re...> - 2013-12-04 14:29:08
|
Use restorecon directly instead of wrapping it with fixfiles. Signed-off-by: Jiri Jaburek <jja...@re...> --- audit-test/utils/selinux-policy/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/audit-test/utils/selinux-policy/Makefile b/audit-test/utils/selinux-policy/Makefile index d966c46..c6969eb 100644 --- a/audit-test/utils/selinux-policy/Makefile +++ b/audit-test/utils/selinux-policy/Makefile @@ -78,7 +78,7 @@ verify: echo "not installed"; \ fi; @echo -n " Number of LSPP test files labeled incorrectly: "; \ - fixfiles -l /dev/stdout check $(TEST_BASEDIR) | wc -l; + restorecon -rvn $(TEST_BASEDIR) | wc -l; # During this install a role is added to an SELinux user which we use # as a positive test of semanage. If this did not work correctly the -- 1.8.3.1 |
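Review bot: the count of incorrectly labeled files is only printed, never checked: "restorecon -rvn $(TEST_BASEDIR) | wc -l" ends the command, so verify does not fail when the number is non-zero, and anything restorecon writes to stderr is neither counted nor suppressed. If verify is meant to gate a run, compare the count with 0 and exit non-zero; quoting $(TEST_BASEDIR) would also be safer.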
|
From: Jiri J. <jja...@re...> - 2013-12-04 14:29:06
|
From: Miroslav Vadkerti <mva...@re...>
This patch enhances the semanage_chglvl and semanage_role_remove
tests to detect the default roles for a SELinux user from the system.
Signed-off-by: Miroslav Vadkerti <mva...@re...>
---
audit-test/trustedprograms/tests/test_semanage_chglvl.bash | 7 ++++++-
.../trustedprograms/tests/test_semanage_role_remove.bash | 10 +++++++---
2 files changed, 13 insertions(+), 4 deletions(-)
diff --git a/audit-test/trustedprograms/tests/test_semanage_chglvl.bash b/audit-test/trustedprograms/tests/test_semanage_chglvl.bash
index dc36b1c..2c1a10b 100755
--- a/audit-test/trustedprograms/tests/test_semanage_chglvl.bash
+++ b/audit-test/trustedprograms/tests/test_semanage_chglvl.bash
@@ -37,7 +37,12 @@ if [ $? -ne 0 ]; then
exit_error "semange returned an error"
fi
-msg_1="op=login-range acct=\"$user\" old-seuser=$seuser old-role=auditadm_r,staff_r,lspp_test_r,secadm_r,sysadm_r old-range=s0-s15:c0.c1023 new-seuser=$seuser new-role=auditadm_r,staff_r,lspp_test_r,secadm_r,sysadm_r new-range=$range exe=/usr/sbin/semanage.*res=success.*"
+# find out the default roles for $seuser role
+role=$(semanage user -l | awk "/$seuser/ {for(i=5; i<NF; i++) { printf \"%s,\", \$i } printf \"%s\", \$NF}")
+[ -z "$role" ] && exit_error "Cannot determine $seuser role(s)"
+
+# check for correct ROLE_ASSIGN audit record
+msg_1="op=login-range acct=\"$user\" old-seuser=$seuser old-role=$role old-range=s0-s15:c0.c1023 new-seuser=$seuser new-role=$role new-range=$range exe=/usr/sbin/semanage.*res=success.*"
augrok -q type=ROLE_ASSIGN auid=$auid msg_1=~"$msg_1" \
|| exit_fail "ROLE_ASSIGN event missing: \"$msg_1\""
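Review bot: the awk pattern "/$seuser/" in the new role lookup matches any line of "semanage user -l" that contains the name anywhere, and $seuser is interpolated as a regular expression; if more than one line matches, the role lists are concatenated without a separator. Match the first column exactly, e.g. awk -v u="$seuser" '$1 == u {...}'. Starting the loop at field 5 (i=5) also assumes a fixed column layout of the listing, which deserves a comment.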
diff --git a/audit-test/trustedprograms/tests/test_semanage_role_remove.bash b/audit-test/trustedprograms/tests/test_semanage_role_remove.bash
index 19817a1..030bfd1 100755
--- a/audit-test/trustedprograms/tests/test_semanage_role_remove.bash
+++ b/audit-test/trustedprograms/tests/test_semanage_role_remove.bash
@@ -49,14 +49,18 @@ if [ $? -eq 0 ]; then
exit_fail "semange login -l still shows SELinux login record"
fi
-# check for ROLE_ASSIGN audit record
-msg_1="op=login-sename,role,range acct=\"$user\" old-seuser=user_u old-role=user_r old-range=s0 new-seuser=staff_u new-role=auditadm_r,staff_r,lspp_test_r,secadm_r,sysadm_r new-range=$def_range exe=/usr/sbin/semanage.*res=success.*"
+# find out the default roles for $seuser role
+role=$(semanage user -l | awk "/$seuser/ {for(i=5; i<NF; i++) { printf \"%s,\", \$i } printf \"%s\", \$NF}")
+[ -z "$role" ] && exit_error "Cannot determine $seuser roles"
+
+# check for correct ROLE_ASSIGN audit record
+msg_1="op=login-sename,role,range acct=\"$user\" old-seuser=user_u old-role=user_r old-range=s0 new-seuser=staff_u new-role=$role new-range=$def_range exe=/usr/sbin/semanage.*res=success.*"
augrok -q type=ROLE_ASSIGN auid=$auid msg_1=~"$msg_1" \
|| exit_fail "ROLE_ASSIGN event missing: \"$msg_1\""
# check for ROLE_REMOVE audit record
-msg_1="op=login acct=\"$user\" old-seuser=$seuser old-role=auditadm_r,staff_r,lspp_test_r,secadm_r,sysadm_r old-range=$def_range new-seuser=user_u new-role=user_r new-range=s0 exe=/usr/sbin/semanage.*res=success.*"
+msg_1="op=login acct=\"$user\" old-seuser=$seuser old-role=$role old-range=$def_range new-seuser=user_u new-role=user_r new-range=s0 exe=/usr/sbin/semanage.*res=success.*"
augrok -q type=ROLE_REMOVE auid=$auid msg_1=~"$msg_1" \
|| exit_fail "ROLE_REMOVE event missing: \"$msg_1\""
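Review bot: in the ROLE_ASSIGN pattern new-seuser is still the literal staff_u while new-role now comes from the lookup on $seuser, so the two agree only when $seuser is staff_u; the ROLE_REMOVE pattern below already uses old-seuser=$seuser. Use $seuser in both. The lookup line is also a verbatim copy of the one added to test_semanage_chglvl.bash and would be better placed in a shared helper.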
--
1.8.3.1
|
|
From: Jiri J. <jja...@re...> - 2013-12-04 14:29:02
|
From: Miroslav Vadkerti <mva...@re...>
On some machines using run_init in capp profile can
cause the sshd service startup failure.
Signed-off-by: Miroslav Vadkerti <mva...@re...>
---
audit-test/utils/tp_ssh_functions.bash | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/audit-test/utils/tp_ssh_functions.bash b/audit-test/utils/tp_ssh_functions.bash
index bcbc885..4b8280d 100644
--- a/audit-test/utils/tp_ssh_functions.bash
+++ b/audit-test/utils/tp_ssh_functions.bash
@@ -33,13 +33,17 @@ TIMEOUT=600
# Restart ssh daemon
function ssh_restart_daemon {
- expect -c "
+ if [ $PPROFILE = lspp ]; then
+ expect -c "
set timeout $TIMEOUT
spawn run_init service sshd restart
expect {
-nocase {password:} {send \"$PASSWD\r\"; exp_continue}
eof
}"
+ else
+ service sshd restart
+ fi
}
# Remove SSH_USE_STRONG_RNG from environment
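Review bot: "[ $PPROFILE = lspp ]" is unquoted, so with PPROFILE empty or unset the test fails with a syntax error and the function falls through to the else branch; write [ "$PPROFILE" = lspp ] or use [[ ]]. The commit message speaks of the capp profile, while the else branch applies to every value other than lspp, which is worth stating in a comment. In the expect branch, $PASSWD is interpolated into the Tcl script text, so a password containing characters such as '"', '[' or '$' would alter the script; passing it through the environment would avoid that.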
--
1.8.3.1
|