From: AKASHI T. <tak...@li...> - 2014-07-03 07:46:08
This patch allows the test suite to be run on aarch64 (or arm64 in kernel jargon) with 64-bit and 32-bit userspace. I successfully built and ran it on ARMv8 fast model. (but only against audit-test/syscalls and filter) AKASHI Takahiro (5): audit-test: use LSM_SELINUX instead of SUSE to work-around SE-Linux audit-test: handle __NR3264_xxx syscall definitions audit-test/syscalls: add aarch64 support audit-test/filter: add aarch64 support audit-test/syscalls: add arm support audit-test/filter/tests/test_auid.bash | 9 +++++++-- audit-test/filter/tests/test_class_attr.bash | 13 +++++++++++++ audit-test/filter/tests/test_dev_inode.bash | 11 ++++++++--- audit-test/filter/tests/test_success.bash | 6 +++++- audit-test/filter/tests/test_syscall.bash | 6 +++++- audit-test/filter/tests/test_type.bash | 9 +++++++-- audit-test/filter/tests/test_watch_dir_remove.bash | 20 ++++++++++++-------- audit-test/filter/tests/test_watch_open.bash | 10 ++++++++-- audit-test/filter/tests/test_watch_remove.bash | 4 ++++ audit-test/rules.mk | 20 ++++++++++++++------ audit-test/syscalls/cap-run.conf | 10 +++++----- audit-test/syscalls/dac-run.conf | 16 ++++++++-------- audit-test/syscalls/mac-run.conf | 16 ++++++++-------- audit-test/utils/Makefile | 4 ++++ audit-test/utils/augrok | 17 +++++++++++++++-- audit-test/utils/bin/Makefile | 14 +++++++++++--- audit-test/utils/bin/do_creat.c | 4 ++-- audit-test/utils/bin/do_mkdir.c | 4 ++-- audit-test/utils/bin/do_mkdirat.c | 4 ++-- audit-test/utils/bin/do_mknod.c | 4 ++-- audit-test/utils/bin/do_mknodat.c | 4 ++-- audit-test/utils/bin/do_mq_open.c | 4 ++-- audit-test/utils/bin/do_open.c | 4 ++-- audit-test/utils/bin/do_openat.c | 4 ++-- audit-test/utils/bin/do_symlink.c | 4 ++-- audit-test/utils/bin/do_symlinkat.c | 4 ++-- audit-test/utils/run.bash | 8 ++++++-- 27 files changed, 160 insertions(+), 73 deletions(-) -- 1.7.9.5 |
From: AKASHI T. <tak...@li...> - 2014-07-03 07:46:17
Current makefile uses DISTRO(== SUSE) to keep SE-Linux related programs from being compiled and executed. This is incovenient for other ditributions or rootfs build tools, like Buildroot and OpenEmbedded. This patch introduces LSM_SELINUX instead to do the same thing. Signed-off-by: AKASHI Takahiro <tak...@li...>
---
 audit-test/rules.mk | 14 ++++++++++---- audit-test/utils/Makefile | 4 ++++ audit-test/utils/bin/Makefile | 2 +- audit-test/utils/bin/do_creat.c | 4 ++-- audit-test/utils/bin/do_mkdir.c | 4 ++-- audit-test/utils/bin/do_mkdirat.c | 4 ++-- audit-test/utils/bin/do_mknod.c | 4 ++-- audit-test/utils/bin/do_mknodat.c | 4 ++-- audit-test/utils/bin/do_mq_open.c | 4 ++-- audit-test/utils/bin/do_open.c | 4 ++-- audit-test/utils/bin/do_openat.c | 4 ++-- audit-test/utils/bin/do_symlink.c | 4 ++-- audit-test/utils/bin/do_symlinkat.c | 4 ++-- audit-test/utils/run.bash | 8 ++++++-- 14 files changed, 41 insertions(+), 27 deletions(-)
diff --git a/audit-test/rules.mk b/audit-test/rules.mk
index fd2f8a5..25c9758 100644
--- a/audit-test/rules.mk
+++ b/audit-test/rules.mk
@@ -71,17 +71,23 @@ ifneq ($(MODE), $(NATIVE))
 LDFLAGS += -m64
 endif
 endif
+export LSM_SELINUX=no
 RELEASE = $(wildcard /etc/*-release)
 ifeq (SuSE, $(findstring SuSE, $(RELEASE)))
 CFLAGS +=-DSUSE
 export DISTRO=SUSE
-endif
-ifeq (fedora, $(findstring fedora, $(RELEASE)))
-CFLAGS +=-DFEDORA
+else ifeq (fedora, $(findstring fedora, $(RELEASE)))
+CFLAGS +="-DFEDORA -DLSM_SELINUX"
 export DISTRO=FEDORA
+export LSM_SELINUX=yes
 else ifeq (redhat, $(findstring redhat, $(RELEASE)))
-CFLAGS +=-DRHEL
+CFLAGS +="-DRHEL -DLSM_SELINUX"
 export DISTRO=RHEL
+export LSM_SELINUX=yes
+else
+# including Buildroot & OpenEmbedded
+#CFLAGS +=-DDISTRO_MISC
+export DISTRO=MISC
 endif
 ifeq (s390x, $(findstring s390x, $(MACHINE)))
diff --git a/audit-test/utils/Makefile b/audit-test/utils/Makefile
index 489d98b..a285c45 100644
--- a/audit-test/utils/Makefile
+++ b/audit-test/utils/Makefile
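Review bot: The quoted `CFLAGS +="-DFEDORA -DLSM_SELINUX"` (and the RHEL line below it) reaches the compiler as one argument once the shell strips the quotes, so gcc sees a macro name containing a space and, as far as I can tell, rejects it; either way LSM_SELINUX is not defined and every `#ifdef LSM_SELINUX` in the do_*.c files compiles out on exactly the distributions that export LSM_SELINUX=yes. Make's `+=` takes a whitespace-separated list, so drop the quotes: `CFLAGS += -DFEDORA -DLSM_SELINUX` and `CFLAGS += -DRHEL -DLSM_SELINUX`. Because the C sources key off the preprocessor define while the Makefiles key off the exported variable, a comment next to `export LSM_SELINUX=no` saying that a distribution branch must set both together would keep the next addition consistent.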
@@ -20,8 +20,12 @@ UTILSDIR = .
 CPPFLAGS += -I$(UTILSDIR)/include
 LDLIBS += -lselinux
+ifeq ($(LSM_SELINUX), yes)
 UTILS_EXE = test_context \
 	test_setcon
+else
+UTILS_EXE =
+endif
 ALL_EXE = $(UTILS_EXE)
diff --git a/audit-test/utils/bin/Makefile b/audit-test/utils/bin/Makefile
index 098d46c..6c361e1 100644
--- a/audit-test/utils/bin/Makefile
+++ b/audit-test/utils/bin/Makefile
@@ -193,7 +193,7 @@ ALL_EXE += $(ONLY86_EXE)
 endif
 $(CAPS_EXE): LDLIBS += -lcap
-ifneq ($(DISTRO), SUSE)
+ifeq ($(LSM_SELINUX), yes)
 $(CREATE_EXE): LDLIBS += -lselinux
 $(MQ_EXE): LDLIBS += -lrt -lselinux
 else
diff --git a/audit-test/utils/bin/do_creat.c b/audit-test/utils/bin/do_creat.c
index 85b31fb..81b0686 100644
--- a/audit-test/utils/bin/do_creat.c
+++ b/audit-test/utils/bin/do_creat.c
@@ -14,7 +14,7 @@
  */
 #include "includes.h"
-#ifndef SUSE
+#ifdef LSM_SELINUX
 #include <selinux/selinux.h>
 #endif
@@ -27,7 +27,7 @@ int main(int argc, char **argv)
 		return 1;
 	}
-#ifndef SUSE
+#ifdef LSM_SELINUX
 	if ((argc > 2) && (setfscreatecon(argv[2]) < 0)) {
 		perror("do_creat: setfscreatecon");
 		return 1;
diff --git a/audit-test/utils/bin/do_mkdir.c b/audit-test/utils/bin/do_mkdir.c
index f06f394..d601903 100644
--- a/audit-test/utils/bin/do_mkdir.c
+++ b/audit-test/utils/bin/do_mkdir.c
@@ -14,7 +14,7 @@
  */
 #include "includes.h"
-#ifndef SUSE
+#ifdef LSM_SELINUX
 #include <selinux/selinux.h>
 #endif
@@ -27,7 +27,7 @@ int main(int argc, char **argv)
 		return 1;
 	}
-#ifndef SUSE
+#ifdef LSM_SELINUX
 	if ((argc > 2) && (setfscreatecon(argv[2]) < 0)) {
 		perror("do_mkdir: setfscreatecon");
 		return 1;
diff --git a/audit-test/utils/bin/do_mkdirat.c b/audit-test/utils/bin/do_mkdirat.c
index 67d5ac9..5a6e54f 100644
--- a/audit-test/utils/bin/do_mkdirat.c
+++ b/audit-test/utils/bin/do_mkdirat.c
@@ -14,7 +14,7 @@
  */
 #include "includes.h"
-#ifndef SUSE
+#ifdef LSM_SELINUX
 #include <selinux/selinux.h>
 #endif
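Review bot: `LDLIBS += -lselinux` stays outside the new `ifeq ($(LSM_SELINUX), yes)` block, so on the LSM_SELINUX=no path anything this Makefile still links (if there is anything beyond `$(UTILS_EXE)`, which the hunk does not show) keeps requiring libselinux to be installed even though the two SELinux helpers are no longer built; move the line inside the `ifeq` branch next to `UTILS_EXE = test_context \`. The `else` branch assigning `UTILS_EXE =` can then go, since an unset make variable already expands to nothing.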
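Review bot: With `setfscreatecon(argv[2])` now under `#ifdef LSM_SELINUX`, a build without the define still accepts a context argument and silently creates the file without applying it, so a test that passes a context can report success although the label was never set; the same pattern is in do_mkdir.c, do_mkdirat.c, do_mknod.c, do_mknodat.c, do_mq_open.c, do_open.c, do_openat.c, do_symlink.c and do_symlinkat.c. Failing visibly is safer than ignoring a security-relevant argument, e.g. `#else` / `if (argc > 2) { perror("do_creat: context given but built without LSM_SELINUX"); return 1; }` before the `#endif` (perror is already in scope here; a plain fputs to stderr would do as well). main() begins before this hunk.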
@@ -28,7 +28,7 @@ int main(int argc, char **argv)
 		return TEST_ERROR;
 	}
-#ifndef SUSE
+#ifdef LSM_SELINUX
 	if ((argc > 3) && (setfscreatecon(argv[3]) < 0)) {
 		perror("do_mkdirat: setfscreatecon");
 		return TEST_ERROR;
diff --git a/audit-test/utils/bin/do_mknod.c b/audit-test/utils/bin/do_mknod.c
index 07ca554..c12c76d 100644
--- a/audit-test/utils/bin/do_mknod.c
+++ b/audit-test/utils/bin/do_mknod.c
@@ -14,7 +14,7 @@
  */
 #include "includes.h"
-#ifndef SUSE
+#ifdef LSM_SELINUX
 #include <selinux/selinux.h>
 #endif
@@ -27,7 +27,7 @@ int main(int argc, char **argv)
 		return 1;
 	}
-#ifndef SUSE
+#ifdef LSM_SELINUX
 	if ((argc > 2) && (setfscreatecon(argv[2]) < 0)) {
 		perror("do_mknod: setfscreatecon");
 		return 1;
diff --git a/audit-test/utils/bin/do_mknodat.c b/audit-test/utils/bin/do_mknodat.c
index 5acb057..7e9ea2c 100644
--- a/audit-test/utils/bin/do_mknodat.c
+++ b/audit-test/utils/bin/do_mknodat.c
@@ -14,7 +14,7 @@
  */
 #include "includes.h"
-#ifndef SUSE
+#ifdef LSM_SELINUX
 #include <selinux/selinux.h>
 #endif
@@ -31,7 +31,7 @@ int main(int argc, char **argv)
 	dir_fd = open(argv[1], O_DIRECTORY);
 	if (dir_fd < 0) return TEST_ERROR;
-#ifndef SUSE
+#ifdef LSM_SELINUX
 	if (argc == 4 && setfscreatecon(argv[3]) < 0) {
 		perror("do_mknodat: setfscreatecon");
 		return TEST_ERROR;
diff --git a/audit-test/utils/bin/do_mq_open.c b/audit-test/utils/bin/do_mq_open.c
index 25adc8b..8d0ec9d 100644
--- a/audit-test/utils/bin/do_mq_open.c
+++ b/audit-test/utils/bin/do_mq_open.c
@@ -15,7 +15,7 @@
 #include "includes.h"
 #include <mqueue.h>
-#ifndef SUSE
+#ifdef LSM_SELINUX
 #include <selinux/selinux.h>
 #endif
@@ -45,7 +45,7 @@ int main(int argc, char **argv)
 		return 1;
 	}
-#ifndef SUSE
+#ifdef LSM_SELINUX
 	if ((argc > 3) && (setfscreatecon(argv[3]) < 0)) {
 		perror("do_mq_open: setfscreatecon");
 		return 1;
diff --git a/audit-test/utils/bin/do_open.c b/audit-test/utils/bin/do_open.c
index 1068461..781f6f9 100644
--- a/audit-test/utils/bin/do_open.c
+++ b/audit-test/utils/bin/do_open.c
@@ -14,7 +14,7 @@
  */
 #include "includes.h"
-#ifndef SUSE
+#ifdef LSM_SELINUX
 #include <selinux/selinux.h>
 #endif
@@ -46,7 +46,7 @@ int main(int argc, char **argv)
 		return 1;
 	}
-#ifndef SUSE
+#ifdef LSM_SELINUX
 	if ((argc > 3) && (setfscreatecon(argv[3]) < 0)) {
 		perror("do_open: setfscreatecon");
 		return 1;
diff --git a/audit-test/utils/bin/do_openat.c b/audit-test/utils/bin/do_openat.c
index 43da725..6205406 100644
--- a/audit-test/utils/bin/do_openat.c
+++ b/audit-test/utils/bin/do_openat.c
@@ -14,7 +14,7 @@
  */
 #include "includes.h"
-#ifndef SUSE
+#ifdef LSM_SELINUX
 #include <selinux/selinux.h>
 #endif
@@ -53,7 +53,7 @@ int main(int argc, char **argv)
 		perror("do_openat: open dirfd");
 		return TEST_ERROR;
 	}
-#ifndef SUSE
+#ifdef LSM_SELINUX
 	if (argc == 5 && setfscreatecon(argv[4]) < 0) {
 		perror("do_openat: setfscreatecon");
 		return TEST_ERROR;
diff --git a/audit-test/utils/bin/do_symlink.c b/audit-test/utils/bin/do_symlink.c
index 75dfe0b..d902493 100644
--- a/audit-test/utils/bin/do_symlink.c
+++ b/audit-test/utils/bin/do_symlink.c
@@ -14,7 +14,7 @@
  */
 #include "includes.h"
-#ifndef SUSE
+#ifdef LSM_SELINUX
 #include <selinux/selinux.h>
 #endif
@@ -27,7 +27,7 @@ int main(int argc, char **argv)
 		return 1;
 	}
-#ifndef SUSE
+#ifdef LSM_SELINUX
 	if ((argc > 3) && (setfscreatecon(argv[3]) < 0)) {
 		perror("do_symlink: setfscreatecon");
 		return 1;
diff --git a/audit-test/utils/bin/do_symlinkat.c b/audit-test/utils/bin/do_symlinkat.c
index 9e67a28..1829dcf 100644
--- a/audit-test/utils/bin/do_symlinkat.c
+++ b/audit-test/utils/bin/do_symlinkat.c
@@ -15,7 +15,7 @@
  */
 #include "includes.h"
-#ifndef SUSE
+#ifdef LSM_SELINUX
 #include <selinux/selinux.h>
 #endif
@@ -32,7 +32,7 @@ int main(int argc, char **argv)
 	dir_fd = open(argv[1], O_DIRECTORY);
 	if (dir_fd < 0) return TEST_ERROR;
-#ifndef SUSE
+#ifdef LSM_SELINUX
 	if (argc == 5 && setfscreatecon(argv[4]) < 0) {
 		perror("do_symlinkat: setfscreatecon");
 		return TEST_ERROR;
diff --git a/audit-test/utils/run.bash b/audit-test/utils/run.bash
index a2a5da6..629e0a3 100755
--- a/audit-test/utils/run.bash
+++ b/audit-test/utils/run.bash
@@ -463,11 +463,15 @@ function show_header {
         printf "%-32s %s\n" Mode: "${MODE:-(native)}"
         printf "%-32s %s\n" Hostname: "$(uname -n)"
         printf "%-32s %s\n" Profile: "$PPROFILE"
-        printf "%-32s %s\n" "selinux-policy version:" "$(rpm -q selinux-policy)"
+        if [[ $LSM_SELINUX == yes ]] ; then
+            printf "%-32s %s\n" "selinux-policy version:" "$(rpm -q selinux-policy)"
+        fi
         if [[ $PPROFILE == lspp ]] ; then
             printf "%-32s %s\n" "lspp_test policy version:" "$(semodule -l | grep lspp_test | awk '{print $2}')"
         fi
-        printf "\n%s\n" "$(sestatus)"
+        if [[ $LSM_SELINUX == yes ]] ; then
+            printf "\n%s\n" "$(sestatus)"
+        fi
         echo
     } | tee $opt_logdir/$header_log
 }
-- 1.7.9.5 |
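Review bot: The `[[ $PPROFILE == lspp ]]` block between the two new guards still calls `semodule -l` unconditionally, so a host built with LSM_SELINUX=no that selects the lspp profile still shells out to an SELinux tool from the header and prints its failure into the log; either nest that block inside the `[[ $LSM_SELINUX == yes ]]` guard or add a comment such as `# lspp profile implies an SELinux host` to record why it needs no guard. Folding the two identical guards into one block with the lspp check in the middle would keep the header ordering and test the variable once. show_header begins before this hunk.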
From: AKASHI T. <tak...@li...> - 2014-07-03 07:46:25
On some architectures including arm64, system call numbers are defined in /usr/include/asm-generic/unistd.h. This file contains irregular style of definitions like #define __NR3264_truncate 45 #define __NR_truncate __NR3264_truncate (In fact, it's more complicated.) This patch takes care of such cases. Signed-off-by: AKASHI Takahiro <tak...@li...>
---
 audit-test/utils/augrok | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-)
diff --git a/audit-test/utils/augrok b/audit-test/utils/augrok
index 08f731a..c309d4f 100755
--- a/audit-test/utils/augrok
+++ b/audit-test/utils/augrok
@@ -113,8 +113,12 @@ sub new {
     open(S, "gcc $m32 -E -dM /usr/include/syscall.h |") or die;
     my $line;
     while (defined($line = <S>)) {
-        next unless $line =~ /^#define\s+__NR_(\w+)\s+(\w+|\(.*?\))/;
-        $singleton->{$1} = $2;
+        if ($line =~ /^#define\s+__NR_(\w+)\s+(\w+|\(.*?\))/) {
+            $singleton->{$1} = $2;
+        }
+        if ($line =~ /^#define\s+__NR3264_(\w+)\s+(\w+|\(.*?\))/) {
+            $singleton->{"3264_$1"} = $2;
+        }
     }
     close S;
@@ -139,6 +143,13 @@ sub new {
             $changed = 1;
         }
+        #define __NR_truncate __NR3264_truncate
+        if ($v =~ /^__NR3264_(\w+)$/ and
+            defined($new_v = $singleton->{"3264_$1"})) {
+            $singleton->{$k} = $new_v;
+            $changed = 1;
+        }
+
         # don't know how to handle this, hope it wasn't important
         else {
             print STDERR "Removing syscall{$k} = $v\n" if $opt{'debug'};
-- 1.7.9.5 |
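Review bot: The new `if ($v =~ /^__NR3264_(\w+)$/ and ...)` in the second hunk is a separate statement placed between the previous branch's closing `}` and the existing `# don't know how to handle this` `else {`, so that `else` now binds to the new `if` instead of the chain above it; unless the earlier branches leave the loop with `next` (not visible here), every `$v` they already resolved now also drops into the removal branch and the entry is deleted. Keep it in the chain with `elsif ($v =~ /^__NR3264_(\w+)$/ and`. In the first hunk the two regexes differ in their prefix so no line is stored twice, but a comment like `# __NR3264_* values are kept under a "3264_" key and resolved in the loop below` would explain the key naming. sub new continues outside both hunks.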
From: AKASHI T. <tak...@li...> - 2014-07-03 07:46:36
This patch defines a architecture type for arm64/aarch64, and excludes some system call tests. For example, chown is not a native system call on arm64/aarch64 and so __NR_chown is not defined. Signed-off-by: AKASHI Takahiro <tak...@li...>
---
 audit-test/utils/augrok | 2 ++ audit-test/utils/bin/Makefile | 8 ++++++-- 2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/audit-test/utils/augrok b/audit-test/utils/augrok
index c309d4f..15b33c8 100755
--- a/audit-test/utils/augrok
+++ b/audit-test/utils/augrok
@@ -585,6 +585,8 @@ our (%archtab) = (
     'c0009026' => 'alpha',
     '40000028' => 'arm',
     '28' => 'armeb',
+    'c00000b7' => 'aarch64',
+    '800000b7' => 'aarch64eb',
     '4000004c' => 'cris',
     '2e' => 'h8300',
     '40000003' => 'i386',
diff --git a/audit-test/utils/bin/Makefile b/audit-test/utils/bin/Makefile
index 6c361e1..b0f4485 100644
--- a/audit-test/utils/bin/Makefile
+++ b/audit-test/utils/bin/Makefile
@@ -112,7 +112,6 @@ ALL_EXE = $(CAPS_EXE) \
 	do_bind \
 	do_chdir \
 	do_chmod \
-	do_chown \
 	do_clone \
 	do_delete_module \
 	do_dummy \
@@ -130,7 +129,6 @@ ALL_EXE = $(CAPS_EXE) \
 	do_init_module \
 	do_ioctl \
 	do_kill \
-	do_lchown \
 	do_lgetxattr \
 	do_link \
 	do_linkat \
@@ -174,6 +172,10 @@ ALL_EXE = $(CAPS_EXE) \
 	do_utimensat \
 	do_utimes
+ifneq ($(MACHINE), aarch64)
+ALL_EXE += do_chown \
+	do_lchown
+endif
 ifeq ($(MODE), 32)
 ifeq ($(MACHINE), ppc64)
 ALL_EXE += $(ONLY32P_EXE)
@@ -189,8 +191,10 @@ endif
 ifeq ($(MACHINE), ia64)
 ALL_EXE += $(ONLYIA64_EXE)
 else
+ifneq ($(MACHINE), aarch64)
 ALL_EXE += $(ONLY86_EXE)
 endif
+endif
 $(CAPS_EXE): LDLIBS += -lcap
 ifeq ($(LSM_SELINUX), yes)
-- 1.7.9.5 |
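Review bot: `ifneq ($(MACHINE), aarch64)` drops do_chown and do_lchown for every aarch64 host regardless of `MODE`, yet the cover letter says the series also targets 32-bit userspace on aarch64, where the compat arm ABI does, to my knowledge, still expose these calls (worth confirming against the arm unistd.h); if the 32-bit build should keep them, add an `else ifeq ($(MODE), 32)` branch that appends them as well. The same MACHINE-only condition guards the `$(ONLY86_EXE)` exclusion in the last hunk. Since chown is one of the permission-relevant calls the suite audits, a comment beside the new `ifneq` such as `# asm-generic has no chown/lchown; ownership changes on aarch64 are exercised via fchownat` would make the dropped coverage deliberate rather than silent.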
From: Linda K. <lin...@hp...> - 2014-07-14 01:25:39
On 07/03/2014 03:45 AM, AKASHI Takahiro wrote: > This patch defines a architecture type for arm64/aarch64, and excludes some > system call tests. For example, chown is not a native system call > on arm64/aarch64 and so __NR_chown is not defined. Are there any arm64/aarch64-specific syscalls that should be added? We don't audit all syscalls but we do audit ones that have permission checks or can change anything that would affect those checks. -- ljk > > Signed-off-by: AKASHI Takahiro <tak...@li...> > --- > audit-test/utils/augrok | 2 ++ > audit-test/utils/bin/Makefile | 8 ++++++-- > 2 files changed, 8 insertions(+), 2 deletions(-) > > diff --git a/audit-test/utils/augrok b/audit-test/utils/augrok > index c309d4f..15b33c8 100755 > --- a/audit-test/utils/augrok > +++ b/audit-test/utils/augrok > @@ -585,6 +585,8 @@ our (%archtab) = ( > 'c0009026' => 'alpha', > '40000028' => 'arm', > '28' => 'armeb', > + 'c00000b7' => 'aarch64', > + '800000b7' => 'aarch64eb', > '4000004c' => 'cris', > '2e' => 'h8300', > '40000003' => 'i386', > diff --git a/audit-test/utils/bin/Makefile b/audit-test/utils/bin/Makefile > index 6c361e1..b0f4485 100644 > --- a/audit-test/utils/bin/Makefile > +++ b/audit-test/utils/bin/Makefile > @@ -112,7 +112,6 @@ ALL_EXE = $(CAPS_EXE) \ > do_bind \ > do_chdir \ > do_chmod \ > - do_chown \ > do_clone \ > do_delete_module \ > do_dummy \ > @@ -130,7 +129,6 @@ ALL_EXE = $(CAPS_EXE) \ > do_init_module \ > do_ioctl \ > do_kill \ > - do_lchown \ > do_lgetxattr \ > do_link \ > do_linkat \ > @@ -174,6 +172,10 @@ ALL_EXE = $(CAPS_EXE) \ > do_utimensat \ > do_utimes > > +ifneq ($(MACHINE), aarch64) > +ALL_EXE += do_chown \ > + do_lchown > +endif > ifeq ($(MODE), 32) > ifeq ($(MACHINE), ppc64) > ALL_EXE += $(ONLY32P_EXE) > @@ -189,8 +191,10 @@ endif > ifeq ($(MACHINE), ia64) > ALL_EXE += $(ONLYIA64_EXE) > else > +ifneq ($(MACHINE), aarch64) > ALL_EXE += $(ONLY86_EXE) > endif > +endif > > $(CAPS_EXE): LDLIBS += -lcap > ifeq ($(LSM_SELINUX), yes) > |
From: AKASHI T. <tak...@li...> - 2014-07-14 07:18:03
On 07/14/2014 10:25 AM, Linda Knippers wrote: > On 07/03/2014 03:45 AM, AKASHI Takahiro wrote: >> This patch defines a architecture type for arm64/aarch64, and excludes some >> system call tests. For example, chown is not a native system call >> on arm64/aarch64 and so __NR_chown is not defined. > > Are there any arm64/aarch64-specific syscalls that should be added? > We don't audit all syscalls but we do audit ones that have permission > checks or can change anything that would affect those checks. I don't think we have arm64-specific syscalls because arm64 supports only the syscalls defined in uapi/asm-generic/unistd.h. -Takahiro AKASHI > -- ljk > >> >> Signed-off-by: AKASHI Takahiro <tak...@li...> >> --- >> audit-test/utils/augrok | 2 ++ >> audit-test/utils/bin/Makefile | 8 ++++++-- >> 2 files changed, 8 insertions(+), 2 deletions(-) >> >> diff --git a/audit-test/utils/augrok b/audit-test/utils/augrok >> index c309d4f..15b33c8 100755 >> --- a/audit-test/utils/augrok >> +++ b/audit-test/utils/augrok >> @@ -585,6 +585,8 @@ our (%archtab) = ( >> 'c0009026' => 'alpha', >> '40000028' => 'arm', >> '28' => 'armeb', >> + 'c00000b7' => 'aarch64', >> + '800000b7' => 'aarch64eb', >> '4000004c' => 'cris', >> '2e' => 'h8300', >> '40000003' => 'i386', >> diff --git a/audit-test/utils/bin/Makefile b/audit-test/utils/bin/Makefile >> index 6c361e1..b0f4485 100644 >> --- a/audit-test/utils/bin/Makefile >> +++ b/audit-test/utils/bin/Makefile >> @@ -112,7 +112,6 @@ ALL_EXE = $(CAPS_EXE) \ >> do_bind \ >> do_chdir \ >> do_chmod \ >> - do_chown \ >> do_clone \ >> do_delete_module \ >> do_dummy \ >> @@ -130,7 +129,6 @@ ALL_EXE = $(CAPS_EXE) \ >> do_init_module \ >> do_ioctl \ >> do_kill \ >> - do_lchown \ >> do_lgetxattr \ >> do_link \ >> do_linkat \ 
>> @@ -174,6 +172,10 @@ ALL_EXE = $(CAPS_EXE) \ >> do_utimensat \ >> do_utimes >> >> +ifneq ($(MACHINE), aarch64) >> +ALL_EXE += do_chown \ >> + do_lchown >> +endif >> ifeq ($(MODE), 32) >> ifeq ($(MACHINE), ppc64) >> ALL_EXE += $(ONLY32P_EXE) >> @@ -189,8 +191,10 @@ endif >> ifeq ($(MACHINE), ia64) >> ALL_EXE += $(ONLYIA64_EXE) >> else >> +ifneq ($(MACHINE), aarch64) >> ALL_EXE += $(ONLY86_EXE) >> endif >> +endif >> >> $(CAPS_EXE): LDLIBS += -lcap >> ifeq ($(LSM_SELINUX), yes) >> > > > ------------------------------------------------------------------------------ > Want fast and easy access to all the code in your enterprise? Index and > search up to 200,000 lines of code with a free copy of Black Duck® > Code Sight™ - the same software that powers the world's largest code > search on Ohloh, the Black Duck Open Hub! Try it now. > http://p.sf.net/sfu/bds > _______________________________________________ > Audit-test-developer mailing list > Aud...@li... > https://lists.sourceforge.net/lists/listinfo/audit-test-developer > |
From: AKASHI T. <tak...@li...> - 2014-07-03 07:46:42
On arm64/aarch64, some system calls are implemented in glibc using other primitive system calls, say open() vs. openat(). Therefore, audit logs have only records for primitive ones. This patch adds work-arounds for these cases. Signed-off-by: AKASHI Takahiro <tak...@li...>
---
 audit-test/filter/tests/test_auid.bash | 9 +++++++-- audit-test/filter/tests/test_class_attr.bash | 13 +++++++++++++ audit-test/filter/tests/test_dev_inode.bash | 11 ++++++++--- audit-test/filter/tests/test_success.bash | 6 +++++- audit-test/filter/tests/test_syscall.bash | 6 +++++- audit-test/filter/tests/test_type.bash | 9 +++++++-- audit-test/filter/tests/test_watch_dir_remove.bash | 20 ++++++++++++-------- audit-test/filter/tests/test_watch_open.bash | 10 ++++++++-- audit-test/filter/tests/test_watch_remove.bash | 4 ++++ audit-test/rules.mk | 6 ++++-- 10 files changed, 73 insertions(+), 21 deletions(-)
diff --git a/audit-test/filter/tests/test_auid.bash b/audit-test/filter/tests/test_auid.bash
index c165cf3..63098b7 100755
--- a/audit-test/filter/tests/test_auid.bash
+++ b/audit-test/filter/tests/test_auid.bash
@@ -33,8 +33,13 @@ do_open_file $tmp1
 augrok --seek=$log_mark "name==$tmp1" "auid==$user_auid" \
     && exit_error "Unexpected record found."
-auditctl -a exit,always -F arch=b$MODE -S open -F auid=$user_auid
-prepend_cleanup "auditctl -d exit,always -F arch=b$MODE -S open -F auid=$user_auid"
+if [ ${MACHINE} = "aarch64" ]; then
+syscall_name="openat"
+else
+syscall_name="open"
+fi
+auditctl -a exit,always -F arch=b$MODE -S $syscall_name -F auid=$user_auid
+prepend_cleanup "auditctl -d exit,always -F arch=b$MODE -S $syscall_name -F auid=$user_auid"
 # audit log marker
 log_mark=$(stat -c %s $audit_log)
diff --git a/audit-test/filter/tests/test_class_attr.bash b/audit-test/filter/tests/test_class_attr.bash
index 687b3d9..2be24dc 100755
--- a/audit-test/filter/tests/test_class_attr.bash
+++ b/audit-test/filter/tests/test_class_attr.bash
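Review bot: `if [ ${MACHINE} = "aarch64" ]` leaves `${MACHINE}` unquoted, so when the script is run outside `make run` (which is where rules.mk now exports MACHINE) the test becomes `[ = "aarch64" ]`, prints a `unary operator expected` error and silently falls through to the `open` branch; write `if [ "${MACHINE}" = "aarch64" ]; then` or use `[[ ]]`. The same five-line block is repeated in test_class_attr.bash, test_dev_inode.bash, test_success.bash, test_syscall.bash, test_type.bash and test_watch_open.bash; one helper in filter_functions.bash that prints the arch-appropriate name for `open` would keep the mapping in a single place as more calls need it.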
@@ -32,15 +32,28 @@ log_mark=$(stat -c %s $audit_log)
 # test
 do_chmod $watch 777
+if [ ${MACHINE} = "aarch64" ]; then
+do_fchownat $(dirname $watch) $(basename $watch) root
+else
 do_chown $watch root
+fi
 do_unlink $watch
 # verify audit record
+if [ ${MACHINE} = "aarch64" ]; then
+augrok --seek=$log_mark type==SYSCALL syscall==fchmodat name==$watch \
+    || exit_fail "Expected record for 'chmod' not found."
+augrok --seek=$log_mark type==SYSCALL syscall==fchownat name==$(basename $watch) \
+    || exit_fail "Expected record for 'chown' not found."
+augrok --seek=$log_mark type==SYSCALL syscall==unlinkat name==$watch \
+    && exit_fail "Unexpected record for 'unlink' found."
+else
 augrok --seek=$log_mark type==SYSCALL syscall==chmod name==$watch \
     || exit_fail "Expected record for 'chmod' not found."
 augrok --seek=$log_mark type==SYSCALL syscall==chown name==$watch \
     || exit_fail "Expected record for 'chown' not found."
 augrok --seek=$log_mark type==SYSCALL syscall==unlink name==$watch \
     && exit_fail "Unexpected record for 'unlink' found."
+fi
 exit_pass
diff --git a/audit-test/filter/tests/test_dev_inode.bash b/audit-test/filter/tests/test_dev_inode.bash
index 30ea580..4611cfa 100755
--- a/audit-test/filter/tests/test_dev_inode.bash
+++ b/audit-test/filter/tests/test_dev_inode.bash
@@ -34,11 +34,16 @@ minor=$((0x$minor))
 event_obj=$(get_event_obj $1)
 [[ $event_obj != $tmp1 ]] && prepend_cleanup "rm -f $event_obj"
-auditctl -a exit,always -F arch=b$MODE -S open -F key=$tmp1 \
-    -F inode=$inode -F devmajor=$major -F devminor=$minor
+if [ ${MACHINE} = "aarch64" ]; then
+syscall_name="openat"
+else
+syscall_name="open"
+fi
+auditctl -a exit,always -F arch=b$MODE -S $syscall_name -F key=$tmp1 \
+    -F inode=$inode -F devmajor=$major -F devminor=$minor
 prepend_cleanup "
-auditctl -d exit,always -F arch=b$MODE -S open -F key=$tmp1 \
+auditctl -d exit,always -F arch=b$MODE -S $syscall_name -F key=$tmp1 \
     -F inode=$inode -F devmajor=$major -F devminor=$minor"
 log_mark=$(stat -c %s $audit_log)
diff --git a/audit-test/filter/tests/test_success.bash b/audit-test/filter/tests/test_success.bash
index 497959b..a54c36e 100755
--- a/audit-test/filter/tests/test_success.bash
+++ b/audit-test/filter/tests/test_success.bash
@@ -21,7 +21,11 @@
 source filter_functions.bash || exit 2
 # setup
+if [ ${MACHINE} = "aarch64" ]; then
+syscall_name="openat"
+else
 syscall_name="open"
+fi
 syscall_num=$(augrok --resolve $syscall_name) \
     || exit_error "unable to determine the syscall number for $syscall_name"
@@ -37,7 +41,7 @@ case $op in
         ;;
     *) exit_fail "unknown test operation" ;;
 esac
-filter_rule="exit,always -F arch=b$MODE -S open"
+filter_rule="exit,always -F arch=b$MODE -S $syscall_name"
 auditctl -a $filter_rule $filter_field
 prepend_cleanup "auditctl -d $filter_rule $filter_field"
diff --git a/audit-test/filter/tests/test_syscall.bash b/audit-test/filter/tests/test_syscall.bash
index 8159b92..fc5934b 100755
--- a/audit-test/filter/tests/test_syscall.bash
+++ b/audit-test/filter/tests/test_syscall.bash
@@ -21,13 +21,17 @@
 source filter_functions.bash || exit 2
 # setup
+if [ ${MACHINE} = "aarch64" ]; then
+syscall_name="openat"
+else
 syscall_name="open"
+fi
 syscall_num=$(augrok --resolve $syscall_name) \
     || exit_error "unable to determine the syscall number for $syscall_name"
 op=$1
 case $op in
-    name) filter_rule="exit,always -F arch=b$MODE -S open" ;;
+    name) filter_rule="exit,always -F arch=b$MODE -S $syscall_name" ;;
     number) filter_rule="exit,always -S $syscall_num";;
     *) exit_fail "unknown test operation" ;;
 esac
diff --git a/audit-test/filter/tests/test_type.bash b/audit-test/filter/tests/test_type.bash
index 16c63f4..450c926 100755
--- a/audit-test/filter/tests/test_type.bash
+++ b/audit-test/filter/tests/test_type.bash
@@ -27,10 +27,15 @@ source filter_functions.bash || exit 2
 # setup
 user_auid=$(cat /proc/self/loginuid)
+if [ ${MACHINE} = "aarch64" ]; then
+syscall_name="openat"
+else
+syscall_name="open"
+fi
 # setup auditctl
-auditctl -a exit,always -F arch=b$MODE -S open -F auid=$user_auid
-prepend_cleanup "auditctl -d exit,always -F arch=b$MODE -S open -F auid=$user_auid"
+auditctl -a exit,always -F arch=b$MODE -S $syscall_name -F auid=$user_auid
+prepend_cleanup "auditctl -d exit,always -F arch=b$MODE -S $syscall_name -F auid=$user_auid"
 # audit log marker
 log_mark=$(stat -c %s $audit_log)
diff --git a/audit-test/filter/tests/test_watch_dir_remove.bash b/audit-test/filter/tests/test_watch_dir_remove.bash
index bbdd9fb..fbb54b8 100755
--- a/audit-test/filter/tests/test_watch_dir_remove.bash
+++ b/audit-test/filter/tests/test_watch_dir_remove.bash
@@ -28,24 +28,28 @@ tmpd=$(mktemp -d) || exit_fail "create tempdir failed"
 watch="$tmpd"
 name="$tmpd/foo"
-auditctl -a exit,always -F arch=b$MODE -S $op -F path=$watch
-auditctl -a exit,always -F arch=b$MODE -S $opat -F path=$watch
-
-prepend_cleanup "
-    auditctl -d exit,always -F arch=b$MODE -S $op -F path=$watch
-    auditctl -d exit,always -F arch=b$MODE -S $opat -F path=$watch
-    rm -rf $tmpd"
-
 case $op in
     rename) touch $name
             gen_audit_event="mv $tmp1 $name" ;;
     rmdir) mkdir $name
+        if [ ${MACHINE} = "aarch64" ]; then
+            op="unlink";
+            opat="unlinkat";
+        fi
             gen_audit_event="rmdir $name" ;;
     unlink) touch $name
             gen_audit_event="rm $name" ;;
     *) exit_fail "unknown test operation: $op" ;;
 esac
+auditctl -a exit,always -F arch=b$MODE -S $op -F path=$watch
+auditctl -a exit,always -F arch=b$MODE -S $opat -F path=$watch
+
+prepend_cleanup "
+    auditctl -d exit,always -F arch=b$MODE -S $op -F path=$watch
+    auditctl -d exit,always -F arch=b$MODE -S $opat -F path=$watch
+    rm -rf $tmpd"
+
 log_mark=$(stat -c %s $audit_log)
 # test
diff --git a/audit-test/filter/tests/test_watch_open.bash b/audit-test/filter/tests/test_watch_open.bash
index 525ac31..c357a81 100755
--- a/audit-test/filter/tests/test_watch_open.bash
+++ b/audit-test/filter/tests/test_watch_open.bash
@@ -29,8 +29,14 @@ watch=$tmp1
 event_obj=$(get_event_obj $1)
 [[ $event_obj != $watch ]] && prepend_cleanup "rm -f $event_obj"
-auditctl -a exit,always -F arch=b$MODE -S open -F key=$watch -F path=$watch
-prepend_cleanup "auditctl -d exit,always -F arch=b$MODE -S openat -F key=$watch -F path=$watch"
+if [ ${MACHINE} = "aarch64" ]; then
+syscall_name="openat"
+else
+syscall_name="open"
+fi
+
+auditctl -a exit,always -F arch=b$MODE -S $syscall_name -F key=$watch -F path=$watch
+prepend_cleanup "auditctl -d exit,always -F arch=b$MODE -S $syscall_name -F key=$watch -F path=$watch"
 # test open with O_CREAT|O_RDONLY; verify audit record
 log_mark=$(stat -c %s $audit_log)
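Review bot: In the `rmdir)` arm the aarch64 branch rewrites `op` to `unlink` and `opat` to `unlinkat`, but the rule block moved below the `case` still adds both `-S $op` and `-S $opat`; as far as I know the asm-generic table has no `unlink` either, so if auditctl rejects unknown names for `-F arch=b64` the first `auditctl -a` fails for precisely the case this branch is meant to fix, and the matching `auditctl -d` in the cleanup string fails the same way. Either add only the `$opat` rule on aarch64 or check the `auditctl -a` exit status here so a rejected rule cannot pass as "no record found". Overwriting `op` also changes the test's own operation name for the rest of the script, so a separate variable (e.g. `sc_name`) for the rule would keep later messages accurate; test_watch_remove.bash has the same rewrite.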
diff --git a/audit-test/filter/tests/test_watch_remove.bash b/audit-test/filter/tests/test_watch_remove.bash
index 2e00a50..97cd1ff 100755
--- a/audit-test/filter/tests/test_watch_remove.bash
+++ b/audit-test/filter/tests/test_watch_remove.bash
@@ -30,6 +30,10 @@ case $op in
     unlink) touch $name
             gen_audit_event="rm $name" ;;
     rmdir) mkdir $name
+        if [ ${MACHINE} = "aarch64" ]; then
+            op="unlink";
+            opat="unlinkat";
+        fi
             gen_audit_event="rmdir $name" ;;
     rename) touch $name
             gen_audit_event="mv $tmp1 $name" ;;
diff --git a/audit-test/rules.mk b/audit-test/rules.mk
index 25c9758..4af7c13 100644
--- a/audit-test/rules.mk
+++ b/audit-test/rules.mk
@@ -186,13 +186,15 @@ run.bash:
 	[[ -f run.bash ]] || ln -sfn $(TOPDIR)/utils/run.bash run.bash
 run: all
-	@$(check_set_PPROFILE); \
+	@export MACHINE=$(MACHINE); \
+	$(check_set_PPROFILE); \
 	$(check_set_PASSWD); \
 	./run.bash --header; \
 	./run.bash
 rerun: all
-	@$(check_set_PPROFILE); \
+	@export MACHINE=$(MACHINE); \
+	$(check_set_PPROFILE); \
 	$(check_set_PASSWD); \
 	./run.bash --rerun
 endif
-- 1.7.9.5 |
From: Jiri J. <jja...@re...> - 2014-07-11 11:50:09
On 07/03/2014 09:45 AM, AKASHI Takahiro wrote: > On arm64/aarch64, some system calls are implemented in glibc using other > primitive system calls, say open() vs. openat(). Therefore, audit logs > have only records for primitive ones. > > This patch adds work-arounds for these cases. > > Signed-off-by: AKASHI Takahiro <tak...@li...> > --- > audit-test/filter/tests/test_auid.bash | 9 +++++++-- > audit-test/filter/tests/test_class_attr.bash | 13 +++++++++++++ > audit-test/filter/tests/test_dev_inode.bash | 11 ++++++++--- > audit-test/filter/tests/test_success.bash | 6 +++++- > audit-test/filter/tests/test_syscall.bash | 6 +++++- > audit-test/filter/tests/test_type.bash | 9 +++++++-- > audit-test/filter/tests/test_watch_dir_remove.bash | 20 ++++++++++++-------- > audit-test/filter/tests/test_watch_open.bash | 10 ++++++++-- > audit-test/filter/tests/test_watch_remove.bash | 4 ++++ > audit-test/rules.mk | 6 ++++-- > 10 files changed, 73 insertions(+), 21 deletions(-) > > diff --git a/audit-test/filter/tests/test_auid.bash b/audit-test/filter/tests/test_auid.bash > index c165cf3..63098b7 100755 > --- a/audit-test/filter/tests/test_auid.bash > +++ b/audit-test/filter/tests/test_auid.bash > @@ -33,8 +33,13 @@ do_open_file $tmp1 > augrok --seek=$log_mark "name==$tmp1" "auid==$user_auid" \ > && exit_error "Unexpected record found." > > -auditctl -a exit,always -F arch=b$MODE -S open -F auid=$user_auid > -prepend_cleanup "auditctl -d exit,always -F arch=b$MODE -S open -F auid=$user_auid" > +if [ ${MACHINE} = "aarch64" ]; then > +syscall_name="openat" > +else > +syscall_name="open" > +fi > +auditctl -a exit,always -F arch=b$MODE -S $syscall_name -F auid=$user_auid > +prepend_cleanup "auditctl -d exit,always -F arch=b$MODE -S $syscall_name -F auid=$user_auid" > > # audit log marker > log_mark=$(stat -c %s $audit_log) > diff --git a/audit-test/filter/tests/test_class_attr.bash b/audit-test/filter/tests/test_class_attr.bash > index 687b3d9..2be24dc 100755 
> --- a/audit-test/filter/tests/test_class_attr.bash > +++ b/audit-test/filter/tests/test_class_attr.bash > @@ -32,15 +32,28 @@ log_mark=$(stat -c %s $audit_log) > > # test > do_chmod $watch 777 > +if [ ${MACHINE} = "aarch64" ]; then > +do_fchownat $(dirname $watch) $(basename $watch) root I have a patch staged for review that implements AT_FDCWD to all *at syscall wrappers, simplifying this case somewhat. This is just a reminder to myself to cleanup this piece of code once the patch is upstream. > +else > do_chown $watch root > +fi > do_unlink $watch > > # verify audit record > +if [ ${MACHINE} = "aarch64" ]; then > +augrok --seek=$log_mark type==SYSCALL syscall==fchmodat name==$watch \ > + || exit_fail "Expected record for 'chmod' not found." > +augrok --seek=$log_mark type==SYSCALL syscall==fchownat name==$(basename $watch) \ > + || exit_fail "Expected record for 'chown' not found." > +augrok --seek=$log_mark type==SYSCALL syscall==unlinkat name==$watch \ > + && exit_fail "Unexpected record for 'unlink' found." > +else > augrok --seek=$log_mark type==SYSCALL syscall==chmod name==$watch \ > || exit_fail "Expected record for 'chmod' not found." > augrok --seek=$log_mark type==SYSCALL syscall==chown name==$watch \ > || exit_fail "Expected record for 'chown' not found." > augrok --seek=$log_mark type==SYSCALL syscall==unlink name==$watch \ > && exit_fail "Unexpected record for 'unlink' found." > +fi > > exit_pass > diff --git a/audit-test/filter/tests/test_dev_inode.bash b/audit-test/filter/tests/test_dev_inode.bash > index 30ea580..4611cfa 100755 > --- a/audit-test/filter/tests/test_dev_inode.bash > +++ b/audit-test/filter/tests/test_dev_inode.bash 
> @@ -34,11 +34,16 @@ minor=$((0x$minor)) > event_obj=$(get_event_obj $1) > [[ $event_obj != $tmp1 ]] && prepend_cleanup "rm -f $event_obj" > > -auditctl -a exit,always -F arch=b$MODE -S open -F key=$tmp1 \ > - -F inode=$inode -F devmajor=$major -F devminor=$minor > +if [ ${MACHINE} = "aarch64" ]; then > +syscall_name="openat" > +else > +syscall_name="open" > +fi > > +auditctl -a exit,always -F arch=b$MODE -S $syscall_name -F key=$tmp1 \ > + -F inode=$inode -F devmajor=$major -F devminor=$minor > prepend_cleanup " > -auditctl -d exit,always -F arch=b$MODE -S open -F key=$tmp1 \ > +auditctl -d exit,always -F arch=b$MODE -S $syscall_name -F key=$tmp1 \ > -F inode=$inode -F devmajor=$major -F devminor=$minor" > > log_mark=$(stat -c %s $audit_log) > diff --git a/audit-test/filter/tests/test_success.bash b/audit-test/filter/tests/test_success.bash > index 497959b..a54c36e 100755 > --- a/audit-test/filter/tests/test_success.bash > +++ b/audit-test/filter/tests/test_success.bash > @@ -21,7 +21,11 @@ > source filter_functions.bash || exit 2 > > # setup > +if [ ${MACHINE} = "aarch64" ]; then > +syscall_name="openat" > +else > syscall_name="open" > +fi > syscall_num=$(augrok --resolve $syscall_name) \ > || exit_error "unable to determine the syscall number for $syscall_name" > > @@ -37,7 +41,7 @@ case $op in > ;; > *) exit_fail "unknown test operation" ;; > esac > -filter_rule="exit,always -F arch=b$MODE -S open" > +filter_rule="exit,always -F arch=b$MODE -S $syscall_name" > > auditctl -a $filter_rule $filter_field > prepend_cleanup "auditctl -d $filter_rule $filter_field" > diff --git a/audit-test/filter/tests/test_syscall.bash b/audit-test/filter/tests/test_syscall.bash > index 8159b92..fc5934b 100755 > --- a/audit-test/filter/tests/test_syscall.bash > +++ b/audit-test/filter/tests/test_syscall.bash 
> @@ -21,13 +21,17 @@ > source filter_functions.bash || exit 2 > > # setup > +if [ ${MACHINE} = "aarch64" ]; then > +syscall_name="openat" > +else > syscall_name="open" > +fi > syscall_num=$(augrok --resolve $syscall_name) \ > || exit_error "unable to determine the syscall number for $syscall_name" > > op=$1 > case $op in > - name) filter_rule="exit,always -F arch=b$MODE -S open" ;; > + name) filter_rule="exit,always -F arch=b$MODE -S $syscall_name" ;; > number) filter_rule="exit,always -S $syscall_num";; > *) exit_fail "unknown test operation" ;; > esac > diff --git a/audit-test/filter/tests/test_type.bash b/audit-test/filter/tests/test_type.bash > index 16c63f4..450c926 100755 > --- a/audit-test/filter/tests/test_type.bash > +++ b/audit-test/filter/tests/test_type.bash > @@ -27,10 +27,15 @@ source filter_functions.bash || exit 2 > > # setup > user_auid=$(cat /proc/self/loginuid) > +if [ ${MACHINE} = "aarch64" ]; then > +syscall_name="openat" > +else > +syscall_name="open" > +fi > > # setup auditctl > -auditctl -a exit,always -F arch=b$MODE -S open -F auid=$user_auid > -prepend_cleanup "auditctl -d exit,always -F arch=b$MODE -S open -F auid=$user_auid" > +auditctl -a exit,always -F arch=b$MODE -S $syscall_name -F auid=$user_auid > +prepend_cleanup "auditctl -d exit,always -F arch=b$MODE -S $syscall_name -F auid=$user_auid" > > # audit log marker > log_mark=$(stat -c %s $audit_log) > diff --git a/audit-test/filter/tests/test_watch_dir_remove.bash b/audit-test/filter/tests/test_watch_dir_remove.bash > index bbdd9fb..fbb54b8 100755 > --- a/audit-test/filter/tests/test_watch_dir_remove.bash > +++ b/audit-test/filter/tests/test_watch_dir_remove.bash 
> @@ -28,24 +28,28 @@ tmpd=$(mktemp -d) || exit_fail "create tempdir failed" > watch="$tmpd" > name="$tmpd/foo" > > -auditctl -a exit,always -F arch=b$MODE -S $op -F path=$watch > -auditctl -a exit,always -F arch=b$MODE -S $opat -F path=$watch > - > -prepend_cleanup " > - auditctl -d exit,always -F arch=b$MODE -S $op -F path=$watch > - auditctl -d exit,always -F arch=b$MODE -S $opat -F path=$watch > - rm -rf $tmpd" > - > case $op in > rename) touch $name > gen_audit_event="mv $tmp1 $name" ;; > rmdir) mkdir $name > + if [ ${MACHINE} = "aarch64" ]; then > + op="unlink"; > + opat="unlinkat"; > + fi > gen_audit_event="rmdir $name" ;; > unlink) touch $name > gen_audit_event="rm $name" ;; > *) exit_fail "unknown test operation: $op" ;; > esac > > +auditctl -a exit,always -F arch=b$MODE -S $op -F path=$watch > +auditctl -a exit,always -F arch=b$MODE -S $opat -F path=$watch > + > +prepend_cleanup " > + auditctl -d exit,always -F arch=b$MODE -S $op -F path=$watch > + auditctl -d exit,always -F arch=b$MODE -S $opat -F path=$watch > + rm -rf $tmpd" > + > log_mark=$(stat -c %s $audit_log) > > # test > diff --git a/audit-test/filter/tests/test_watch_open.bash b/audit-test/filter/tests/test_watch_open.bash > index 525ac31..c357a81 100755 > --- a/audit-test/filter/tests/test_watch_open.bash > +++ b/audit-test/filter/tests/test_watch_open.bash 
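Review bot: Moving the whole `prepend_cleanup` block below the `case` in test_watch_dir_remove.bash means the `rm -rf $tmpd` cleanup is no longer registered when the `*) exit_fail "unknown test operation: $op"` branch fires, so that path now leaves the mktemp directory behind (assuming exit_fail runs the registered cleanups, which is what the previous ordering relied on). Registering the directory removal immediately after `tmpd=$(mktemp -d)` with `prepend_cleanup "rm -rf $tmpd"` and keeping only the two `auditctl -d` lines in the relocated block restores the old guarantee while still letting the aarch64 branch rewrite `$op`/`$opat` before the rules are added. Separately, the rmdir case substitutes `-S unlink` on aarch64; if auditctl resolves that name against the aarch64 syscall table rather than accepting it generically, the rule may be rejected as unknown, which is worth confirming on the target. The remainder of the script is outside the hunk.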
> @@ -29,8 +29,14 @@ watch=$tmp1 > event_obj=$(get_event_obj $1) > [[ $event_obj != $watch ]] && prepend_cleanup "rm -f $event_obj" > > -auditctl -a exit,always -F arch=b$MODE -S open -F key=$watch -F path=$watch > -prepend_cleanup "auditctl -d exit,always -F arch=b$MODE -S openat -F key=$watch -F path=$watch" > +if [ ${MACHINE} = "aarch64" ]; then > +syscall_name="openat" > +else > +syscall_name="open" > +fi > + > +auditctl -a exit,always -F arch=b$MODE -S $syscall_name -F key=$watch -F path=$watch > +prepend_cleanup "auditctl -d exit,always -F arch=b$MODE -S $syscall_name -F key=$watch -F path=$watch" > > # test open with O_CREAT|O_RDONLY; verify audit record > log_mark=$(stat -c %s $audit_log) > diff --git a/audit-test/filter/tests/test_watch_remove.bash b/audit-test/filter/tests/test_watch_remove.bash > index 2e00a50..97cd1ff 100755 > --- a/audit-test/filter/tests/test_watch_remove.bash > +++ b/audit-test/filter/tests/test_watch_remove.bash > @@ -30,6 +30,10 @@ case $op in > unlink) touch $name > gen_audit_event="rm $name" ;; > rmdir) mkdir $name > + if [ ${MACHINE} = "aarch64" ]; then > + op="unlink"; > + opat="unlinkat"; > + fi > gen_audit_event="rmdir $name" ;; > rename) touch $name > gen_audit_event="mv $tmp1 $name" ;; > diff --git a/audit-test/rules.mk b/audit-test/rules.mk > index 25c9758..4af7c13 100644 > --- a/audit-test/rules.mk > +++ b/audit-test/rules.mk > @@ -186,13 +186,15 @@ run.bash: > [[ -f run.bash ]] || ln -sfn $(TOPDIR)/utils/run.bash run.bash > > run: all > - @$(check_set_PPROFILE); \ > + @export MACHINE=$(MACHINE); \ > + $(check_set_PPROFILE); \ > $(check_set_PASSWD); \ > ./run.bash --header; \ > ./run.bash > > rerun: all > - @$(check_set_PPROFILE); \ > + @export MACHINE=$(MACHINE); \ > + $(check_set_PPROFILE); \ > $(check_set_PASSWD); \ > ./run.bash --rerun > endif > |
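Review bot: In the rules.mk hunk, `@export MACHINE=$(MACHINE); \` only sets MACHINE inside the recipe shell of the `run` and `rerun` targets, so the symlinked `run.bash` invoked by hand, or any test script executed directly, still sees it unset and the new `${MACHINE}` guards in the filter tests fall into the non-aarch64 branch. A file-scope `export MACHINE` in rules.mk (presumably MACHINE is already defined earlier in the file, since the recipe expands `$(MACHINE)` — confirm) would cover every entry point rather than just these two targets. Both recipes are shown in full, so no further context is hidden outside the hunk.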
From: AKASHI T. <tak...@li...> - 2014-07-11 13:20:24
On 07/11/2014 01:49 PM, Jiri Jaburek wrote: > On 07/03/2014 09:45 AM, AKASHI Takahiro wrote: >> On arm64/aarch64, some system calls are implemented in glibc using other >> primitive system calls, say open() vs. openat(). Therefore, audit logs >> have only records for primitive ones. >> >> This patch adds work-arounds for these cases. >> >> Signed-off-by: AKASHI Takahiro <tak...@li...> >> --- >> audit-test/filter/tests/test_auid.bash | 9 +++++++-- >> audit-test/filter/tests/test_class_attr.bash | 13 +++++++++++++ >> audit-test/filter/tests/test_dev_inode.bash | 11 ++++++++--- >> audit-test/filter/tests/test_success.bash | 6 +++++- >> audit-test/filter/tests/test_syscall.bash | 6 +++++- >> audit-test/filter/tests/test_type.bash | 9 +++++++-- >> audit-test/filter/tests/test_watch_dir_remove.bash | 20 ++++++++++++-------- >> audit-test/filter/tests/test_watch_open.bash | 10 ++++++++-- >> audit-test/filter/tests/test_watch_remove.bash | 4 ++++ >> audit-test/rules.mk | 6 ++++-- >> 10 files changed, 73 insertions(+), 21 deletions(-) >> >> diff --git a/audit-test/filter/tests/test_auid.bash b/audit-test/filter/tests/test_auid.bash >> index c165cf3..63098b7 100755 >> --- a/audit-test/filter/tests/test_auid.bash >> +++ b/audit-test/filter/tests/test_auid.bash >> @@ -33,8 +33,13 @@ do_open_file $tmp1 >> augrok --seek=$log_mark "name==$tmp1" "auid==$user_auid" \ >> && exit_error "Unexpected record found." >> >> -auditctl -a exit,always -F arch=b$MODE -S open -F auid=$user_auid >> -prepend_cleanup "auditctl -d exit,always -F arch=b$MODE -S open -F auid=$user_auid" >> +if [ ${MACHINE} = "aarch64" ]; then >> +syscall_name="openat" >> +else >> +syscall_name="open" >> +fi >> +auditctl -a exit,always -F arch=b$MODE -S $syscall_name -F auid=$user_auid >> +prepend_cleanup "auditctl -d exit,always -F arch=b$MODE -S $syscall_name -F auid=$user_auid" >> >> # audit log marker >> log_mark=$(stat -c %s $audit_log) 
>> diff --git a/audit-test/filter/tests/test_class_attr.bash b/audit-test/filter/tests/test_class_attr.bash >> index 687b3d9..2be24dc 100755 >> --- a/audit-test/filter/tests/test_class_attr.bash >> +++ b/audit-test/filter/tests/test_class_attr.bash >> @@ -32,15 +32,28 @@ log_mark=$(stat -c %s $audit_log) >> >> # test >> do_chmod $watch 777 >> +if [ ${MACHINE} = "aarch64" ]; then >> +do_fchownat $(dirname $watch) $(basename $watch) root > > I have a patch staged for review that implements AT_FDCWD to all *at > syscall wrappers, simplifying this case somewhat. Sounds cool. Are you going to have a definition like MACH_AT_FDCWD = aarch64 ... or manage it somehow automatically? -Takahiro AKASHI > This is just a reminder to myself to cleanup this piece of code once > the patch is upstream. > >> +else >> do_chown $watch root >> +fi >> do_unlink $watch >> >> # verify audit record >> +if [ ${MACHINE} = "aarch64" ]; then >> +augrok --seek=$log_mark type==SYSCALL syscall==fchmodat name==$watch \ >> + || exit_fail "Expected record for 'chmod' not found." >> +augrok --seek=$log_mark type==SYSCALL syscall==fchownat name==$(basename $watch) \ >> + || exit_fail "Expected record for 'chown' not found." >> +augrok --seek=$log_mark type==SYSCALL syscall==unlinkat name==$watch \ >> + && exit_fail "Unexpected record for 'unlink' found." >> +else >> augrok --seek=$log_mark type==SYSCALL syscall==chmod name==$watch \ >> || exit_fail "Expected record for 'chmod' not found." >> augrok --seek=$log_mark type==SYSCALL syscall==chown name==$watch \ >> || exit_fail "Expected record for 'chown' not found." >> augrok --seek=$log_mark type==SYSCALL syscall==unlink name==$watch \ >> && exit_fail "Unexpected record for 'unlink' found." >> +fi >> >> exit_pass >> diff --git a/audit-test/filter/tests/test_dev_inode.bash b/audit-test/filter/tests/test_dev_inode.bash >> index 30ea580..4611cfa 100755 >> --- a/audit-test/filter/tests/test_dev_inode.bash >> +++ b/audit-test/filter/tests/test_dev_inode.bash 
>> @@ -34,11 +34,16 @@ minor=$((0x$minor)) >> event_obj=$(get_event_obj $1) >> [[ $event_obj != $tmp1 ]] && prepend_cleanup "rm -f $event_obj" >> >> -auditctl -a exit,always -F arch=b$MODE -S open -F key=$tmp1 \ >> - -F inode=$inode -F devmajor=$major -F devminor=$minor >> +if [ ${MACHINE} = "aarch64" ]; then >> +syscall_name="openat" >> +else >> +syscall_name="open" >> +fi >> >> +auditctl -a exit,always -F arch=b$MODE -S $syscall_name -F key=$tmp1 \ >> + -F inode=$inode -F devmajor=$major -F devminor=$minor >> prepend_cleanup " >> -auditctl -d exit,always -F arch=b$MODE -S open -F key=$tmp1 \ >> +auditctl -d exit,always -F arch=b$MODE -S $syscall_name -F key=$tmp1 \ >> -F inode=$inode -F devmajor=$major -F devminor=$minor" >> >> log_mark=$(stat -c %s $audit_log) >> diff --git a/audit-test/filter/tests/test_success.bash b/audit-test/filter/tests/test_success.bash >> index 497959b..a54c36e 100755 >> --- a/audit-test/filter/tests/test_success.bash >> +++ b/audit-test/filter/tests/test_success.bash >> @@ -21,7 +21,11 @@ >> source filter_functions.bash || exit 2 >> >> # setup >> +if [ ${MACHINE} = "aarch64" ]; then >> +syscall_name="openat" >> +else >> syscall_name="open" >> +fi >> syscall_num=$(augrok --resolve $syscall_name) \ >> || exit_error "unable to determine the syscall number for $syscall_name" >> >> @@ -37,7 +41,7 @@ case $op in >> ;; >> *) exit_fail "unknown test operation" ;; >> esac >> -filter_rule="exit,always -F arch=b$MODE -S open" >> +filter_rule="exit,always -F arch=b$MODE -S $syscall_name" >> >> auditctl -a $filter_rule $filter_field >> prepend_cleanup "auditctl -d $filter_rule $filter_field" >> diff --git a/audit-test/filter/tests/test_syscall.bash b/audit-test/filter/tests/test_syscall.bash >> index 8159b92..fc5934b 100755 >> --- a/audit-test/filter/tests/test_syscall.bash >> +++ b/audit-test/filter/tests/test_syscall.bash 
>> @@ -21,13 +21,17 @@ >> source filter_functions.bash || exit 2 >> >> # setup >> +if [ ${MACHINE} = "aarch64" ]; then >> +syscall_name="openat" >> +else >> syscall_name="open" >> +fi >> syscall_num=$(augrok --resolve $syscall_name) \ >> || exit_error "unable to determine the syscall number for $syscall_name" >> >> op=$1 >> case $op in >> - name) filter_rule="exit,always -F arch=b$MODE -S open" ;; >> + name) filter_rule="exit,always -F arch=b$MODE -S $syscall_name" ;; >> number) filter_rule="exit,always -S $syscall_num";; >> *) exit_fail "unknown test operation" ;; >> esac >> diff --git a/audit-test/filter/tests/test_type.bash b/audit-test/filter/tests/test_type.bash >> index 16c63f4..450c926 100755 >> --- a/audit-test/filter/tests/test_type.bash >> +++ b/audit-test/filter/tests/test_type.bash >> @@ -27,10 +27,15 @@ source filter_functions.bash || exit 2 >> >> # setup >> user_auid=$(cat /proc/self/loginuid) >> +if [ ${MACHINE} = "aarch64" ]; then >> +syscall_name="openat" >> +else >> +syscall_name="open" >> +fi >> >> # setup auditctl >> -auditctl -a exit,always -F arch=b$MODE -S open -F auid=$user_auid >> -prepend_cleanup "auditctl -d exit,always -F arch=b$MODE -S open -F auid=$user_auid" >> +auditctl -a exit,always -F arch=b$MODE -S $syscall_name -F auid=$user_auid >> +prepend_cleanup "auditctl -d exit,always -F arch=b$MODE -S $syscall_name -F auid=$user_auid" >> >> # audit log marker >> log_mark=$(stat -c %s $audit_log) >> diff --git a/audit-test/filter/tests/test_watch_dir_remove.bash b/audit-test/filter/tests/test_watch_dir_remove.bash >> index bbdd9fb..fbb54b8 100755 >> --- a/audit-test/filter/tests/test_watch_dir_remove.bash >> +++ b/audit-test/filter/tests/test_watch_dir_remove.bash 
>> @@ -28,24 +28,28 @@ tmpd=$(mktemp -d) || exit_fail "create tempdir failed" >> watch="$tmpd" >> name="$tmpd/foo" >> >> -auditctl -a exit,always -F arch=b$MODE -S $op -F path=$watch >> -auditctl -a exit,always -F arch=b$MODE -S $opat -F path=$watch >> - >> -prepend_cleanup " >> - auditctl -d exit,always -F arch=b$MODE -S $op -F path=$watch >> - auditctl -d exit,always -F arch=b$MODE -S $opat -F path=$watch >> - rm -rf $tmpd" >> - >> case $op in >> rename) touch $name >> gen_audit_event="mv $tmp1 $name" ;; >> rmdir) mkdir $name >> + if [ ${MACHINE} = "aarch64" ]; then >> + op="unlink"; >> + opat="unlinkat"; >> + fi >> gen_audit_event="rmdir $name" ;; >> unlink) touch $name >> gen_audit_event="rm $name" ;; >> *) exit_fail "unknown test operation: $op" ;; >> esac >> >> +auditctl -a exit,always -F arch=b$MODE -S $op -F path=$watch >> +auditctl -a exit,always -F arch=b$MODE -S $opat -F path=$watch >> + >> +prepend_cleanup " >> + auditctl -d exit,always -F arch=b$MODE -S $op -F path=$watch >> + auditctl -d exit,always -F arch=b$MODE -S $opat -F path=$watch >> + rm -rf $tmpd" >> + >> log_mark=$(stat -c %s $audit_log) >> >> # test >> diff --git a/audit-test/filter/tests/test_watch_open.bash b/audit-test/filter/tests/test_watch_open.bash >> index 525ac31..c357a81 100755 >> --- a/audit-test/filter/tests/test_watch_open.bash >> +++ b/audit-test/filter/tests/test_watch_open.bash 
>> @@ -29,8 +29,14 @@ watch=$tmp1 >> event_obj=$(get_event_obj $1) >> [[ $event_obj != $watch ]] && prepend_cleanup "rm -f $event_obj" >> >> -auditctl -a exit,always -F arch=b$MODE -S open -F key=$watch -F path=$watch >> -prepend_cleanup "auditctl -d exit,always -F arch=b$MODE -S openat -F key=$watch -F path=$watch" >> +if [ ${MACHINE} = "aarch64" ]; then >> +syscall_name="openat" >> +else >> +syscall_name="open" >> +fi >> + >> +auditctl -a exit,always -F arch=b$MODE -S $syscall_name -F key=$watch -F path=$watch >> +prepend_cleanup "auditctl -d exit,always -F arch=b$MODE -S $syscall_name -F key=$watch -F path=$watch" >> >> # test open with O_CREAT|O_RDONLY; verify audit record >> log_mark=$(stat -c %s $audit_log) >> diff --git a/audit-test/filter/tests/test_watch_remove.bash b/audit-test/filter/tests/test_watch_remove.bash >> index 2e00a50..97cd1ff 100755 >> --- a/audit-test/filter/tests/test_watch_remove.bash >> +++ b/audit-test/filter/tests/test_watch_remove.bash >> @@ -30,6 +30,10 @@ case $op in >> unlink) touch $name >> gen_audit_event="rm $name" ;; >> rmdir) mkdir $name >> + if [ ${MACHINE} = "aarch64" ]; then >> + op="unlink"; >> + opat="unlinkat"; >> + fi >> gen_audit_event="rmdir $name" ;; >> rename) touch $name >> gen_audit_event="mv $tmp1 $name" ;; >> diff --git a/audit-test/rules.mk b/audit-test/rules.mk >> index 25c9758..4af7c13 100644 >> --- a/audit-test/rules.mk >> +++ b/audit-test/rules.mk >> @@ -186,13 +186,15 @@ run.bash: >> [[ -f run.bash ]] || ln -sfn $(TOPDIR)/utils/run.bash run.bash >> >> run: all >> - @$(check_set_PPROFILE); \ >> + @export MACHINE=$(MACHINE); \ >> + $(check_set_PPROFILE); \ >> $(check_set_PASSWD); \ >> ./run.bash --header; \ >> ./run.bash >> >> rerun: all >> - @$(check_set_PPROFILE); \ >> + @export MACHINE=$(MACHINE); \ >> + $(check_set_PPROFILE); \ >> $(check_set_PASSWD); \ >> ./run.bash --rerun >> endif >> > |
From: Jiri J. <jja...@re...> - 2014-07-11 13:43:19
On 07/11/2014 03:20 PM, AKASHI Takahiro wrote: > On 07/11/2014 01:49 PM, Jiri Jaburek wrote: >> On 07/03/2014 09:45 AM, AKASHI Takahiro wrote: >>> On arm64/aarch64, some system calls are implemented in glibc using other >>> primitive system calls, say open() vs. openat(). Therefore, audit logs >>> have only records for primitive ones. >>> >>> This patch adds work-arounds for these cases. >>> >>> Signed-off-by: AKASHI Takahiro <tak...@li...> >>> --- >>> audit-test/filter/tests/test_auid.bash | 9 +++++++-- >>> audit-test/filter/tests/test_class_attr.bash | 13 +++++++++++++ >>> audit-test/filter/tests/test_dev_inode.bash | 11 ++++++++--- >>> audit-test/filter/tests/test_success.bash | 6 +++++- >>> audit-test/filter/tests/test_syscall.bash | 6 +++++- >>> audit-test/filter/tests/test_type.bash | 9 +++++++-- >>> audit-test/filter/tests/test_watch_dir_remove.bash | 20 ++++++++++++-------- >>> audit-test/filter/tests/test_watch_open.bash | 10 ++++++++-- >>> audit-test/filter/tests/test_watch_remove.bash | 4 ++++ >>> audit-test/rules.mk | 6 ++++-- >>> 10 files changed, 73 insertions(+), 21 deletions(-) >>> >>> diff --git a/audit-test/filter/tests/test_auid.bash b/audit-test/filter/tests/test_auid.bash >>> index c165cf3..63098b7 100755 >>> --- a/audit-test/filter/tests/test_auid.bash >>> +++ b/audit-test/filter/tests/test_auid.bash 
>>> @@ -33,8 +33,13 @@ do_open_file $tmp1 >>> augrok --seek=$log_mark "name==$tmp1" "auid==$user_auid" \ >>> && exit_error "Unexpected record found." >>> >>> -auditctl -a exit,always -F arch=b$MODE -S open -F auid=$user_auid >>> -prepend_cleanup "auditctl -d exit,always -F arch=b$MODE -S open -F auid=$user_auid" >>> +if [ ${MACHINE} = "aarch64" ]; then >>> +syscall_name="openat" >>> +else >>> +syscall_name="open" >>> +fi >>> +auditctl -a exit,always -F arch=b$MODE -S $syscall_name -F auid=$user_auid >>> +prepend_cleanup "auditctl -d exit,always -F arch=b$MODE -S $syscall_name -F auid=$user_auid" >>> >>> # audit log marker >>> log_mark=$(stat -c %s $audit_log) >>> diff --git a/audit-test/filter/tests/test_class_attr.bash b/audit-test/filter/tests/test_class_attr.bash >>> index 687b3d9..2be24dc 100755 >>> --- a/audit-test/filter/tests/test_class_attr.bash >>> +++ b/audit-test/filter/tests/test_class_attr.bash 
>>> @@ -32,15 +32,28 @@ log_mark=$(stat -c %s $audit_log) >>> >>> # test >>> do_chmod $watch 777 >>> +if [ ${MACHINE} = "aarch64" ]; then >>> +do_fchownat $(dirname $watch) $(basename $watch) root >> >> I have a patch staged for review that implements AT_FDCWD to all *at >> syscall wrappers, simplifying this case somewhat. > > Sounds cool. > Are you going to have a definition like > MACH_AT_FDCWD = aarch64 ... > or manage it somehow automatically? Not sure at this point, but at least the dirname/basename hack won't be necessary. > > -Takahiro AKASHI > >> This is just a reminder to myself to cleanup this piece of code once >> the patch is upstream. > > >>> +else >>> do_chown $watch root >>> +fi >>> do_unlink $watch >>> >>> # verify audit record >>> +if [ ${MACHINE} = "aarch64" ]; then >>> +augrok --seek=$log_mark type==SYSCALL syscall==fchmodat name==$watch \ >>> + || exit_fail "Expected record for 'chmod' not found." >>> +augrok --seek=$log_mark type==SYSCALL syscall==fchownat name==$(basename $watch) \ >>> + || exit_fail "Expected record for 'chown' not found." >>> +augrok --seek=$log_mark type==SYSCALL syscall==unlinkat name==$watch \ >>> + && exit_fail "Unexpected record for 'unlink' found." I noticed you rely on glibc to use fchmodat/unlinkat for chmod(2) and unlink(2) (which fails to automatically use fchownat on chown(2)). This might not be the best idea for the future in terms of code consistency, we're using syscall(__NR_*) for new syscall wrappers and doing conditions elsewhere (in tests, but #ifdef in the wrappers would work as well). The point is that trusting glibc to call the relevant syscalls is not a good idea, ie. fork(), getpid(), etc. Meaning that something along the lines of diff --git a/audit-test/filter/tests/test_class_attr.bash b/audit-test/filter/tests/test_class_attr.bash index 687b3d9..975794d 100755 --- a/audit-test/filter/tests/test_class_attr.bash +++ b/audit-test/filter/tests/test_class_attr.bash 
@@ -31,16 +31,28 @@ prepend_cleanup "auditctl -d exit,always -F path=$watch -F perm=a" log_mark=$(stat -c %s $audit_log) # test -do_chmod $watch 777 -do_chown $watch root -do_unlink $watch - -# verify audit record -augrok --seek=$log_mark type==SYSCALL syscall==chmod name==$watch \ - || exit_fail "Expected record for 'chmod' not found." -augrok --seek=$log_mark type==SYSCALL syscall==chown name==$watch \ - || exit_fail "Expected record for 'chown' not found." -augrok --seek=$log_mark type==SYSCALL syscall==unlink name==$watch \ - && exit_fail "Unexpected record for 'unlink' found." +if [ ${MACHINE} = "aarch64" ]; then + do_fchmodat AT_FDCWD $watch 777 + do_fchownat AT_FDCWD $watch root + do_unlinkat AT_FDCWD $watch + + augrok --seek=$log_mark type==SYSCALL syscall==fchmodat name==$watch \ + || exit_fail "Expected record for 'fchmodat' not found." + augrok --seek=$log_mark type==SYSCALL syscall==fchownat name==$watch \ + || exit_fail "Expected record for 'fchownat' not found." + augrok --seek=$log_mark type==SYSCALL syscall==unlinkat name==$watch \ + && exit_fail "Unexpected record for 'unlinkat' found." +else + do_chmod $watch 777 + do_chown $watch root + do_unlink $watch + + augrok --seek=$log_mark type==SYSCALL syscall==chmod name==$watch \ + || exit_fail "Expected record for 'chmod' not found." + augrok --seek=$log_mark type==SYSCALL syscall==chown name==$watch \ + || exit_fail "Expected record for 'chown' not found." + augrok --seek=$log_mark type==SYSCALL syscall==unlink name==$watch \ + && exit_fail "Unexpected record for 'unlink' found." +fi exit_pass might be a better idea (in the future). >>> +else >>> augrok --seek=$log_mark type==SYSCALL syscall==chmod name==$watch \ >>> || exit_fail "Expected record for 'chmod' not found." >>> augrok --seek=$log_mark type==SYSCALL syscall==chown name==$watch \ >>> || exit_fail "Expected record for 'chown' not found." 
>>> augrok --seek=$log_mark type==SYSCALL syscall==unlink name==$watch \ >>> && exit_fail "Unexpected record for 'unlink' found." >>> +fi >>> >>> exit_pass >>> diff --git a/audit-test/filter/tests/test_dev_inode.bash b/audit-test/filter/tests/test_dev_inode.bash >>> index 30ea580..4611cfa 100755 >>> --- a/audit-test/filter/tests/test_dev_inode.bash >>> +++ b/audit-test/filter/tests/test_dev_inode.bash >>> @@ -34,11 +34,16 @@ minor=$((0x$minor)) >>> event_obj=$(get_event_obj $1) >>> [[ $event_obj != $tmp1 ]] && prepend_cleanup "rm -f $event_obj" >>> >>> -auditctl -a exit,always -F arch=b$MODE -S open -F key=$tmp1 \ >>> - -F inode=$inode -F devmajor=$major -F devminor=$minor >>> +if [ ${MACHINE} = "aarch64" ]; then >>> +syscall_name="openat" >>> +else >>> +syscall_name="open" >>> +fi >>> >>> +auditctl -a exit,always -F arch=b$MODE -S $syscall_name -F key=$tmp1 \ >>> + -F inode=$inode -F devmajor=$major -F devminor=$minor >>> prepend_cleanup " >>> -auditctl -d exit,always -F arch=b$MODE -S open -F key=$tmp1 \ >>> +auditctl -d exit,always -F arch=b$MODE -S $syscall_name -F key=$tmp1 \ >>> -F inode=$inode -F devmajor=$major -F devminor=$minor" >>> >>> log_mark=$(stat -c %s $audit_log) >>> diff --git a/audit-test/filter/tests/test_success.bash b/audit-test/filter/tests/test_success.bash >>> index 497959b..a54c36e 100755 >>> --- a/audit-test/filter/tests/test_success.bash >>> +++ b/audit-test/filter/tests/test_success.bash >>> @@ -21,7 +21,11 @@ >>> source filter_functions.bash || exit 2 >>> >>> # setup >>> +if [ ${MACHINE} = "aarch64" ]; then >>> +syscall_name="openat" >>> +else >>> syscall_name="open" >>> +fi >>> syscall_num=$(augrok --resolve $syscall_name) \ >>> || exit_error "unable to determine the syscall number for $syscall_name" 
>>> >>> @@ -37,7 +41,7 @@ case $op in >>> ;; >>> *) exit_fail "unknown test operation" ;; >>> esac >>> -filter_rule="exit,always -F arch=b$MODE -S open" >>> +filter_rule="exit,always -F arch=b$MODE -S $syscall_name" >>> >>> auditctl -a $filter_rule $filter_field >>> prepend_cleanup "auditctl -d $filter_rule $filter_field" >>> diff --git a/audit-test/filter/tests/test_syscall.bash b/audit-test/filter/tests/test_syscall.bash >>> index 8159b92..fc5934b 100755 >>> --- a/audit-test/filter/tests/test_syscall.bash >>> +++ b/audit-test/filter/tests/test_syscall.bash >>> @@ -21,13 +21,17 @@ >>> source filter_functions.bash || exit 2 >>> >>> # setup >>> +if [ ${MACHINE} = "aarch64" ]; then >>> +syscall_name="openat" >>> +else >>> syscall_name="open" >>> +fi >>> syscall_num=$(augrok --resolve $syscall_name) \ >>> || exit_error "unable to determine the syscall number for $syscall_name" >>> >>> op=$1 >>> case $op in >>> - name) filter_rule="exit,always -F arch=b$MODE -S open" ;; >>> + name) filter_rule="exit,always -F arch=b$MODE -S $syscall_name" ;; >>> number) filter_rule="exit,always -S $syscall_num";; >>> *) exit_fail "unknown test operation" ;; >>> esac >>> diff --git a/audit-test/filter/tests/test_type.bash b/audit-test/filter/tests/test_type.bash >>> index 16c63f4..450c926 100755 >>> --- a/audit-test/filter/tests/test_type.bash >>> +++ b/audit-test/filter/tests/test_type.bash 
>>> @@ -27,10 +27,15 @@ source filter_functions.bash || exit 2 >>> >>> # setup >>> user_auid=$(cat /proc/self/loginuid) >>> +if [ ${MACHINE} = "aarch64" ]; then >>> +syscall_name="openat" >>> +else >>> +syscall_name="open" >>> +fi >>> >>> # setup auditctl >>> -auditctl -a exit,always -F arch=b$MODE -S open -F auid=$user_auid >>> -prepend_cleanup "auditctl -d exit,always -F arch=b$MODE -S open -F auid=$user_auid" >>> +auditctl -a exit,always -F arch=b$MODE -S $syscall_name -F auid=$user_auid >>> +prepend_cleanup "auditctl -d exit,always -F arch=b$MODE -S $syscall_name -F auid=$user_auid" >>> >>> # audit log marker >>> log_mark=$(stat -c %s $audit_log) >>> diff --git a/audit-test/filter/tests/test_watch_dir_remove.bash b/audit-test/filter/tests/test_watch_dir_remove.bash >>> index bbdd9fb..fbb54b8 100755 >>> --- a/audit-test/filter/tests/test_watch_dir_remove.bash >>> +++ b/audit-test/filter/tests/test_watch_dir_remove.bash 
>>> @@ -28,24 +28,28 @@ tmpd=$(mktemp -d) || exit_fail "create tempdir failed" >>> watch="$tmpd" >>> name="$tmpd/foo" >>> >>> -auditctl -a exit,always -F arch=b$MODE -S $op -F path=$watch >>> -auditctl -a exit,always -F arch=b$MODE -S $opat -F path=$watch >>> - >>> -prepend_cleanup " >>> - auditctl -d exit,always -F arch=b$MODE -S $op -F path=$watch >>> - auditctl -d exit,always -F arch=b$MODE -S $opat -F path=$watch >>> - rm -rf $tmpd" >>> - >>> case $op in >>> rename) touch $name >>> gen_audit_event="mv $tmp1 $name" ;; >>> rmdir) mkdir $name >>> + if [ ${MACHINE} = "aarch64" ]; then >>> + op="unlink"; >>> + opat="unlinkat"; >>> + fi >>> gen_audit_event="rmdir $name" ;; >>> unlink) touch $name >>> gen_audit_event="rm $name" ;; >>> *) exit_fail "unknown test operation: $op" ;; >>> esac >>> >>> +auditctl -a exit,always -F arch=b$MODE -S $op -F path=$watch >>> +auditctl -a exit,always -F arch=b$MODE -S $opat -F path=$watch >>> + >>> +prepend_cleanup " >>> + auditctl -d exit,always -F arch=b$MODE -S $op -F path=$watch >>> + auditctl -d exit,always -F arch=b$MODE -S $opat -F path=$watch >>> + rm -rf $tmpd" >>> + >>> log_mark=$(stat -c %s $audit_log) >>> >>> # test >>> diff --git a/audit-test/filter/tests/test_watch_open.bash b/audit-test/filter/tests/test_watch_open.bash >>> index 525ac31..c357a81 100755 >>> --- a/audit-test/filter/tests/test_watch_open.bash >>> +++ b/audit-test/filter/tests/test_watch_open.bash 
>>> @@ -29,8 +29,14 @@ watch=$tmp1 >>> event_obj=$(get_event_obj $1) >>> [[ $event_obj != $watch ]] && prepend_cleanup "rm -f $event_obj" >>> >>> -auditctl -a exit,always -F arch=b$MODE -S open -F key=$watch -F path=$watch >>> -prepend_cleanup "auditctl -d exit,always -F arch=b$MODE -S openat -F key=$watch -F path=$watch" >>> +if [ ${MACHINE} = "aarch64" ]; then >>> +syscall_name="openat" >>> +else >>> +syscall_name="open" >>> +fi >>> + >>> +auditctl -a exit,always -F arch=b$MODE -S $syscall_name -F key=$watch -F path=$watch >>> +prepend_cleanup "auditctl -d exit,always -F arch=b$MODE -S $syscall_name -F key=$watch -F path=$watch" >>> >>> # test open with O_CREAT|O_RDONLY; verify audit record >>> log_mark=$(stat -c %s $audit_log) >>> diff --git a/audit-test/filter/tests/test_watch_remove.bash b/audit-test/filter/tests/test_watch_remove.bash >>> index 2e00a50..97cd1ff 100755 >>> --- a/audit-test/filter/tests/test_watch_remove.bash >>> +++ b/audit-test/filter/tests/test_watch_remove.bash >>> @@ -30,6 +30,10 @@ case $op in >>> unlink) touch $name >>> gen_audit_event="rm $name" ;; >>> rmdir) mkdir $name >>> + if [ ${MACHINE} = "aarch64" ]; then >>> + op="unlink"; >>> + opat="unlinkat"; >>> + fi >>> gen_audit_event="rmdir $name" ;; >>> rename) touch $name >>> gen_audit_event="mv $tmp1 $name" ;; >>> diff --git a/audit-test/rules.mk b/audit-test/rules.mk >>> index 25c9758..4af7c13 100644 >>> --- a/audit-test/rules.mk >>> +++ b/audit-test/rules.mk 
>>> @@ -186,13 +186,15 @@ run.bash: >>> [[ -f run.bash ]] || ln -sfn $(TOPDIR)/utils/run.bash run.bash >>> >>> run: all >>> - @$(check_set_PPROFILE); \ >>> + @export MACHINE=$(MACHINE); \ >>> + $(check_set_PPROFILE); \ >>> $(check_set_PASSWD); \ >>> ./run.bash --header; \ >>> ./run.bash >>> >>> rerun: all >>> - @$(check_set_PPROFILE); \ >>> + @export MACHINE=$(MACHINE); \ >>> + $(check_set_PPROFILE); \ >>> $(check_set_PASSWD); \ >>> ./run.bash --rerun >>> endif >>> >> > > ------------------------------------------------------------------------------ > Open source business process management suite built on Java and Eclipse > Turn processes into business applications with Bonita BPM Community Edition > Quickly connect people, data, and systems into organized workflows > Winner of BOSSIE, CODIE, OW2 and Gartner awards > http://p.sf.net/sfu/Bonitasoft > _______________________________________________ > Audit-test-developer mailing list > Aud...@li... > https://lists.sourceforge.net/lists/listinfo/audit-test-developer > |
From: AKASHI T. <tak...@li...> - 2014-07-03 07:46:53
This patch selectively executes appropriate test programs for arm. Signed-off-by: AKASHI Takahiro <tak...@li...> --- audit-test/syscalls/cap-run.conf | 10 +++++----- audit-test/syscalls/dac-run.conf | 16 ++++++++-------- audit-test/syscalls/mac-run.conf | 16 ++++++++-------- audit-test/utils/bin/Makefile | 4 ++++ 4 files changed, 25 insertions(+), 21 deletions(-) diff --git a/audit-test/syscalls/cap-run.conf b/audit-test/syscalls/cap-run.conf index 93454ef..a6fbaa1 100644 --- a/audit-test/syscalls/cap-run.conf +++ b/audit-test/syscalls/cap-run.conf @@ -221,7 +221,7 @@ fi ## syscall using the value of flag to determine the control operation; ## verify the result. ## 3. Check the audit log for the correct syscall result -if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then +if [[ $ARCH == "arm" || ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) ]]; then + msgctl perm=msg_id_remove expres=success user=super + msgctl perm=msg_id_remove expres=fail user=test + msgctl perm=msg_id_set expres=success user=super @@ -250,7 +250,7 @@ fi ## syscall using the value of flag to determine the control operation; ## verify the result. ## 3. Check the audit log for the correct syscall result -if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then +if [[ $ARCH == "arm" || ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) ]]; then + semctl perm=sem_id_remove expres=success user=super + semctl perm=sem_id_remove expres=fail user=test + semctl perm=sem_id_set expres=success user=super 
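Review bot: The arm clause is spliced by hand into the same compound guard in this hunk and in the `@@ -250` and `@@ -279` hunks of cap-run.conf, and again in six dac-run.conf hunks below; every copy has to stay byte-identical or the SysV IPC tests end up enabled on one architecture and skipped on another. If these conf files are sourced by bash (the `[[ ... ]]` syntax suggests so, but confirm), evaluating the predicate once near the top, e.g. `ipc_native=no; [[ $ARCH == "arm" || ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) ]] && ipc_native=yes`, and writing `if [[ $ipc_native == yes ]]; then` at each site keeps the rule in one place. The ioperm/iopl hunks that exclude arm express a different predicate and would keep their own guard.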
@@ -279,7 +279,7 @@ fi ## syscall using the value of flag to determine the control operation; ## verify the result. ## 3. Check the audit log for the correct syscall result -if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then +if [[ $ARCH == "arm" || ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) ]]; then + shmctl perm=shm_id_remove expres=success user=super + shmctl perm=shm_id_remove expres=fail user=test + shmctl perm=shm_id_set expres=success user=super @@ -338,7 +338,7 @@ fi ## 1b. If expres=fail, execute the test process as a regular user and ## attempt to set port permission bits, verify the result. ## 2. Check the audit log for the correct syscall result -if [[ $MODE == 32 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then +if [[ $MODE == 32 && $ARCH != "PPC" && $ARCH != "s390x" && $ARCH != "arm" ]]; then + ioperm perm=io_perm expres=success user=super + ioperm perm=io_perm expres=fail user=test fi @@ -353,7 +353,7 @@ fi ## 1b. If expres=fail, execute the test process as a regular user and ## attempt to set process's the I/O privilege level, verify the result. ## 2. Check the audit log for the correct syscall result -if [[ $MODE == 32 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then +if [[ $MODE == 32 && $ARCH != "PPC" && $ARCH != "s390x" && $ARCH != "arm" ]]; then + iopl perm=io_priv expres=success user=super + iopl perm=io_priv expres=fail user=test fi diff --git a/audit-test/syscalls/dac-run.conf b/audit-test/syscalls/dac-run.conf index d02b7a6..08fe5fb 100644 --- a/audit-test/syscalls/dac-run.conf +++ b/audit-test/syscalls/dac-run.conf 
@@ -436,7 +436,7 @@ fi
 ## syscall using the value of flag to determine whether to open the message
 ## queue for read or write; verify the result.
 ## 3. Check the audit log for the correct syscall result
-if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then
+if [[ $ARCH == "arm" || ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) ]]; then
 + msgget perm=msg_key_read expres=success dacugo=user user=super
 + msgget perm=msg_key_read expres=fail dacugo=user user=test
 + msgget perm=msg_key_write expres=success dacugo=user user=super
@@ -460,7 +460,7 @@ fi
 ## 2b. If expres=fail, execute the test process as another user and attempt to
 ## receive a message, verify the result
 ## 3. Check the audit log for the correct syscall result
-if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then
+if [[ $ARCH == "arm" || ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) ]]; then
 + msgrcv perm=msg_id_recv expres=success dacugo=user user=super
 + msgrcv perm=msg_id_recv expres=fail dacugo=user user=test
 else
@@ -480,7 +480,7 @@ fi
 ## 2b. If expres=fail, execute the test process as another user and attempt to
 ## send a message, verify the result
 ## 3. Check the audit log for the correct syscall result
-if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then
+if [[ $ARCH == "arm" || ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) ]]; then
 + msgsnd perm=msg_id_send msg="this is a test" expres=success dacugo=user \
 user=super testfunc=test_su_msg_send
 + msgsnd perm=msg_id_send msg="this is a test" expres=fail dacugo=user \
@@ -512,7 +512,7 @@ fi
 ## syscall using the value of flag to determine whether to open the
 ## semaphore set for read or write; verify the result.
 ## 3. Check the audit log for the correct syscall result
-if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then
+if [[ $ARCH == "arm" || ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) ]]; then
 + semget perm=sem_key_read expres=success dacugo=user user=super
 + semget perm=sem_key_read expres=fail dacugo=user user=test
 + semget perm=sem_key_write expres=success dacugo=user user=super
@@ -537,7 +537,7 @@ fi
 ## 2b. If expres=fail, execute the test process as another user and attempt a
 ## read operation, verify the result
 ## 3. Check the audit log for the correct syscall result
-if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then
+if [[ $ARCH == "arm" || ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) ]]; then
 + semop perm=sem_id_read expres=success dacugo=user user=super
 + semop perm=sem_id_read expres=fail dacugo=user user=test
 else
@@ -558,7 +558,7 @@ fi
 ## 2b. If expres=fail, execute the test process as another user and attempt a
 ## write operation, verify the result
 ## 3. Check the audit log for the correct syscall result
-if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then
+if [[ $ARCH == "arm" || ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) ]]; then
 + semtimedop perm=sem_id_write expres=success dacugo=user user=super
 + semtimedop perm=sem_id_write expres=fail dacugo=user user=test
 else
@@ -583,7 +583,7 @@ fi
 ## syscall using the value of perm to determine whether to perform a read or
 ## write operation; verify the result
 ## 3. Check the audit log for the correct syscall result
-if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then
+if [[ $ARCH == "arm" || ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) ]]; then
 + shmat perm=shm_id_read expres=success dacugo=user user=super
 + shmat perm=shm_id_read expres=fail dacugo=user user=test
 + shmat perm=shm_id_write expres=success dacugo=user user=super
@@ -618,7 +618,7 @@ fi
 ## syscall using the value of flag to determine whether to request the
 ## shared memory segment for read or write; verify the result.
 ## 3. Check the audit log for the correct syscall result
-if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then
+if [[ $ARCH == "arm" || ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) ]]; then
 + shmget perm=shm_key_read expres=success dacugo=user user=super
 + shmget perm=shm_key_read expres=fail dacugo=user user=test
 + shmget perm=shm_key_write expres=success dacugo=user user=super
diff --git a/audit-test/syscalls/mac-run.conf b/audit-test/syscalls/mac-run.conf
index b7c064b..958f161 100644
--- a/audit-test/syscalls/mac-run.conf
+++ b/audit-test/syscalls/mac-run.conf
@@ -702,7 +702,7 @@ fi
 ## test process requests the message queue for read or write depending on
 ## the 'perm' value '*_read' or '*_write'. Verify the result.
 ## 3. Check the audit log for the correct syscall result
-if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then
+if [[ $ARCH == "arm" || ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) ]]; then
 + msgget perm=msg_key_read expres=success mlsop=eq
 + msgget perm=msg_key_read expres=success mlsop=dom
 + msgget perm=msg_key_read expres=fail mlsop=domby
@@ -737,7 +737,7 @@ fi
 ## the ipc() syscall the function is determined by the 'op' variable.
 ## Verify the result.
 ## 4. Check the audit log for the correct syscall result
-if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then
+if [[ $ARCH == "arm" || ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) ]]; then
 + msgrcv perm=msg_id_recv expres=success mlsop=eq
 + msgrcv perm=msg_id_recv expres=success mlsop=dom
 + msgrcv perm=msg_id_recv expres=fail mlsop=domby
@@ -763,7 +763,7 @@ fi
 ## the ipc() syscall the function is determined by the 'op' variable.
 ## Verify the result.
 ## 4. Check the audit log for the correct syscall result
-if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then
+if [[ $ARCH == "arm" || ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) ]]; then
 + msgsnd perm=msg_id_send msg="this is a test" expres=success mlsop=eq \
 testfunc=test_runcon_msg_send
 + msgsnd perm=msg_id_send msg="this is a test" expres=fail mlsop=dom \
@@ -801,7 +801,7 @@ fi
 ## test process requests the semaphore set for read or write depending on
 ## the 'perm' value '*_read' or '*_write'. Verify the result.
 ## 3. Check the audit log for the correct syscall result
-if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then
+if [[ $ARCH == "arm" || ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) ]]; then
 + semget perm=sem_key_read expres=success mlsop=eq
 + semget perm=sem_key_read expres=success mlsop=dom
 + semget perm=sem_key_read expres=fail mlsop=domby
@@ -835,7 +835,7 @@ fi
 ## read operation. With the ipc() syscall the function is determined by the
 ## 'op' variable. Verify the result.
 ## 3. Check the audit log for the correct syscall result
-if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then
+if [[ $ARCH == "arm" || ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) ]]; then
 + semop perm=sem_id_read expres=success mlsop=eq
 + semop perm=sem_id_read expres=success mlsop=dom
 + semop perm=sem_id_read expres=fail mlsop=domby
@@ -861,7 +861,7 @@ fi
 ## write operation. With the ipc() syscall the function is determined by the
 ## 'op' variable. Verify the result.
 ## 3. Check the audit log for the correct syscall result
-if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then
+if [[ $ARCH == "arm" || ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) ]]; then
 + semtimedop perm=sem_id_write expres=success mlsop=eq
 + semtimedop perm=sem_id_write expres=fail mlsop=dom
 + semtimedop perm=sem_id_write expres=fail mlsop=domby
@@ -892,7 +892,7 @@ fi
 ## 'perm' variable. With the ipc() syscall the function is determined by
 ## the 'op' variable. Verify the result.
 ## 3. Check the audit log for the correct syscall result
-if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then
+if [[ $ARCH == "arm" || ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) ]]; then
 + shmat perm=shm_id_read expres=success mlsop=eq
 + shmat perm=shm_id_read expres=success mlsop=dom
 + shmat perm=shm_id_read expres=fail mlsop=domby
@@ -934,7 +934,7 @@ fi
 ## test process requests the shared memory segment for read or write
 ## depending on the 'perm' value '*_read' or '*_write'. Verify the result.
 ## 3. Check the audit log for the correct syscall result
-if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then
+if [[ $ARCH == "arm" || ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) ]]; then
 + shmget perm=shm_key_read expres=success mlsop=eq
 + shmget perm=shm_key_read expres=success mlsop=dom
 + shmget perm=shm_key_read expres=fail mlsop=domby
diff --git a/audit-test/utils/bin/Makefile b/audit-test/utils/bin/Makefile
index b0f4485..43b5bdb 100644
--- a/audit-test/utils/bin/Makefile
+++ b/audit-test/utils/bin/Makefile
@@ -187,6 +187,10 @@ ALL_EXE += $(ONLY32_EXE)
 endif
 endif
 endif
+ifeq ($(MACHINE), arm)
+ALL_EXE += $(ONLY32_EXE)
+endif
+
 
 ifeq ($(MACHINE), ia64)
 ALL_EXE += $(ONLYIA64_EXE)
--
1.7.9.5
|
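Review bot: `ifeq ($(MACHINE), arm)` requires the machine string to be exactly `arm`, while the run.conf changes in this same patch key on `$ARCH == "arm"`; if MACHINE is derived from `uname -m` it reads `armv7l` (or `armv8l` for a 32-bit userspace on ARMv8) and this branch never fires, so the ONLY32_EXE helpers are not built even though the tests that call them are enabled. The s390x check in rules.mk uses `$(findstring s390x, $(MACHINE))` for exactly this reason; `ifneq (,$(findstring arm,$(MACHINE)))` would match the same way and still not match `aarch64`. Separately, if ONLY32_EXE contains the ioperm/iopl helpers that cap-run.conf now excludes on arm, compiling them on arm is likely to fail; the variable's contents are outside this hunk and should be checked before the branch is enabled.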
From: Jiri J. <jja...@re...> - 2014-07-03 09:19:02
Hello, the following is just a quick look and by no means a complete review.

On 07/03/2014 09:45 AM, AKASHI Takahiro wrote:
> On arm64/aarch64, some system calls are implemented in glibc using other
> primitive system calls, say open() vs. openat(). Therefore, audit logs
> have only records for primitive ones.
>
> This patch adds work-arounds for these cases.
>
> Signed-off-by: AKASHI Takahiro <tak...@li...>
> ---
>  audit-test/filter/tests/test_auid.bash | 9 +++++++--
>  audit-test/filter/tests/test_class_attr.bash | 13 +++++++++++++
>  audit-test/filter/tests/test_dev_inode.bash | 11 ++++++++---
>  audit-test/filter/tests/test_success.bash | 6 +++++-
>  audit-test/filter/tests/test_syscall.bash | 6 +++++-
>  audit-test/filter/tests/test_type.bash | 9 +++++++--
>  audit-test/filter/tests/test_watch_dir_remove.bash | 20 ++++++++++++--------
>  audit-test/filter/tests/test_watch_open.bash | 10 ++++++++--
>  audit-test/filter/tests/test_watch_remove.bash | 4 ++++
>  audit-test/rules.mk | 6 ++++--
>  10 files changed, 73 insertions(+), 21 deletions(-)
>
> diff --git a/audit-test/filter/tests/test_auid.bash b/audit-test/filter/tests/test_auid.bash
> index c165cf3..63098b7 100755
> --- a/audit-test/filter/tests/test_auid.bash
> +++ b/audit-test/filter/tests/test_auid.bash
> @@ -33,8 +33,13 @@ do_open_file $tmp1
>  augrok --seek=$log_mark "name==$tmp1" "auid==$user_auid" \
>      && exit_error "Unexpected record found."
>
> -auditctl -a exit,always -F arch=b$MODE -S open -F auid=$user_auid
> -prepend_cleanup "auditctl -d exit,always -F arch=b$MODE -S open -F auid=$user_auid"
> +if [ ${MACHINE} = "aarch64" ]; then
> +syscall_name="openat"
> +else
> +syscall_name="open"
> +fi

[ "$MACHINE" = "aarch64" ] && syscall_name="openat" || syscall_name="open" would have been perhaps more compact, but yours works as well.

> +auditctl -a exit,always -F arch=b$MODE -S $syscall_name -F auid=$user_auid
> +prepend_cleanup "auditctl -d exit,always -F arch=b$MODE -S $syscall_name -F auid=$user_auid"
>
>  # audit log marker
>  log_mark=$(stat -c %s $audit_log)

<snip>

> diff --git a/audit-test/rules.mk b/audit-test/rules.mk
> index 25c9758..4af7c13 100644
> --- a/audit-test/rules.mk
> +++ b/audit-test/rules.mk
> @@ -186,13 +186,15 @@ run.bash:
>  	[[ -f run.bash ]] || ln -sfn $(TOPDIR)/utils/run.bash run.bash
>
>  run: all
> -	@$(check_set_PPROFILE); \
> +	@export MACHINE=$(MACHINE); \
> +	$(check_set_PPROFILE); \
>  	$(check_set_PASSWD); \
>  	./run.bash --header; \
>  	./run.bash
>
>  rerun: all
> -	@$(check_set_PPROFILE); \
> +	@export MACHINE=$(MACHINE); \
> +	$(check_set_PPROFILE); \
>  	$(check_set_PASSWD); \
>  	./run.bash --rerun
>  endif
>

Can't we do this in a less hack-ish way? What about this?

diff --git a/audit-test/rules.mk b/audit-test/rules.mk
index fd2f8a5..15b81e0 100644
--- a/audit-test/rules.mk
+++ b/audit-test/rules.mk
@@ -48,6 +48,8 @@ LINK_AR = $(AR) rc $@ $^
 LINK_EXE = $(CC) $(LDFLAGS) -o $@ $^ $(LOADLIBES) $(LDLIBS)
 LINK_SO = $(CC) $(LDFLAGS) -shared -o $@ $^ $(LOADLIBES) $(LDLIBS)
 
+export MACHINE
+
 # If MODE isn't set explicitly, the default for the machine is used
 export NATIVE = $(strip $(shell file /bin/bash | awk -F'[ -]' '{print $$3}'))
 export MODE ?= $(NATIVE)

Jiri
|
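Review bot: `[ ${MACHINE} = "aarch64" ]` leaves `${MACHINE}` unquoted, so whenever the variable is empty — the script run directly rather than under `make run`, or the make-side export not in effect — `[` sees `= aarch64`, prints a syntax error, and the `else` branch silently selects `open`; quoting and defaulting it handles both cases: `[ "${MACHINE:-$(uname -m)}" = aarch64 ] && syscall_name=openat || syscall_name=open`. Per the diffstat this aarch64-to-openat mapping is repeated across nine test files, so a single helper in the shared test library would keep the architecture knowledge in one place instead of nine. The commit message attributes the difference to glibc, but it may be that the aarch64 kernel syscall table offers no `open` at all; if so the message should say that, since a kernel-ABI fact holds for any libc on the Buildroot targets this series aims at, whereas a glibc choice may not.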
From: AKASHI T. <tak...@li...> - 2014-07-04 07:37:11
On 07/03/2014 06:18 PM, Jiri Jaburek wrote: > Hello, > the following is just a quick look and by no means a complete review. Thank you. > On 07/03/2014 09:45 AM, AKASHI Takahiro wrote: >> On arm64/aarch64, some system calls are implemented in glibc using other >> primitive system calls, say open() vs. openat(). Therefore, audit logs >> have only records for primitive ones. >> >> This patch adds work-arounds for these cases. >> >> Signed-off-by: AKASHI Takahiro <tak...@li...> >> --- >> audit-test/filter/tests/test_auid.bash | 9 +++++++-- >> audit-test/filter/tests/test_class_attr.bash | 13 +++++++++++++ >> audit-test/filter/tests/test_dev_inode.bash | 11 ++++++++--- >> audit-test/filter/tests/test_success.bash | 6 +++++- >> audit-test/filter/tests/test_syscall.bash | 6 +++++- >> audit-test/filter/tests/test_type.bash | 9 +++++++-- >> audit-test/filter/tests/test_watch_dir_remove.bash | 20 ++++++++++++-------- >> audit-test/filter/tests/test_watch_open.bash | 10 ++++++++-- >> audit-test/filter/tests/test_watch_remove.bash | 4 ++++ >> audit-test/rules.mk | 6 ++++-- >> 10 files changed, 73 insertions(+), 21 deletions(-) >> >> diff --git a/audit-test/filter/tests/test_auid.bash b/audit-test/filter/tests/test_auid.bash >> index c165cf3..63098b7 100755 >> --- a/audit-test/filter/tests/test_auid.bash >> +++ b/audit-test/filter/tests/test_auid.bash 
>> @@ -33,8 +33,13 @@ do_open_file $tmp1 >> augrok --seek=$log_mark "name==$tmp1" "auid==$user_auid" \ >> && exit_error "Unexpected record found." >> >> -auditctl -a exit,always -F arch=b$MODE -S open -F auid=$user_auid >> -prepend_cleanup "auditctl -d exit,always -F arch=b$MODE -S open -F auid=$user_auid" >> +if [ ${MACHINE} = "aarch64" ]; then >> +syscall_name="openat" >> +else >> +syscall_name="open" >> +fi > > [ "$MACHINE" = "aarch64" ] && syscall_name="openat" || syscall_name="open" > would have been perhaps more compact, but yours works as well. OK. >> +auditctl -a exit,always -F arch=b$MODE -S $syscall_name -F auid=$user_auid >> +prepend_cleanup "auditctl -d exit,always -F arch=b$MODE -S $syscall_name -F auid=$user_auid" >> >> # audit log marker >> log_mark=$(stat -c %s $audit_log) > > <snip> > >> diff --git a/audit-test/rules.mk b/audit-test/rules.mk >> index 25c9758..4af7c13 100644 >> --- a/audit-test/rules.mk >> +++ b/audit-test/rules.mk >> @@ -186,13 +186,15 @@ run.bash: >> [[ -f run.bash ]] || ln -sfn $(TOPDIR)/utils/run.bash run.bash >> >> run: all >> - @$(check_set_PPROFILE); \ >> + @export MACHINE=$(MACHINE); \ >> + $(check_set_PPROFILE); \ >> $(check_set_PASSWD); \ >> ./run.bash --header; \ >> ./run.bash >> >> rerun: all >> - @$(check_set_PPROFILE); \ >> + @export MACHINE=$(MACHINE); \ >> + $(check_set_PPROFILE); \ >> $(check_set_PASSWD); \ >> ./run.bash --rerun >> endif >> > > Can't we do this in a less hack-ish way? What about this? > > diff --git a/audit-test/rules.mk b/audit-test/rules.mk > index fd2f8a5..15b81e0 100644 > --- a/audit-test/rules.mk > +++ b/audit-test/rules.mk 
> @@ -48,6 +48,8 @@ LINK_AR = $(AR) rc $@ $^ > LINK_EXE = $(CC) $(LDFLAGS) -o $@ $^ $(LOADLIBES) $(LDLIBS) > LINK_SO = $(CC) $(LDFLAGS) -shared -o $@ $^ $(LOADLIBES) > $(LDLIBS) > > +export MACHINE > + > # If MODE isn't set explicitly, the default for the machine is used > export NATIVE = $(strip $(shell file /bin/bash | awk -F'[ -]' '{print > $$3}')) > export MODE ?= $(NATIVE) Make sense :) -Takahiro AKASHI > > Jiri > > > ------------------------------------------------------------------------------ > Open source business process management suite built on Java and Eclipse > Turn processes into business applications with Bonita BPM Community Edition > Quickly connect people, data, and systems into organized workflows > Winner of BOSSIE, CODIE, OW2 and Gartner awards > http://p.sf.net/sfu/Bonitasoft > _______________________________________________ > Audit-test-developer mailing list > Aud...@li... > https://lists.sourceforge.net/lists/listinfo/audit-test-developer > |
From: Linda K. <lin...@hp...> - 2014-07-14 01:37:38
On 07/03/2014 05:18 AM, Jiri Jaburek wrote: > Hello, > the following is just a quick look and by no means a complete review. > > On 07/03/2014 09:45 AM, AKASHI Takahiro wrote: >> On arm64/aarch64, some system calls are implemented in glibc using other >> primitive system calls, say open() vs. openat(). Therefore, audit logs >> have only records for primitive ones. >> >> This patch adds work-arounds for these cases. >> >> Signed-off-by: AKASHI Takahiro <tak...@li...> >> --- >> audit-test/filter/tests/test_auid.bash | 9 +++++++-- >> audit-test/filter/tests/test_class_attr.bash | 13 +++++++++++++ >> audit-test/filter/tests/test_dev_inode.bash | 11 ++++++++--- >> audit-test/filter/tests/test_success.bash | 6 +++++- >> audit-test/filter/tests/test_syscall.bash | 6 +++++- >> audit-test/filter/tests/test_type.bash | 9 +++++++-- >> audit-test/filter/tests/test_watch_dir_remove.bash | 20 ++++++++++++-------- >> audit-test/filter/tests/test_watch_open.bash | 10 ++++++++-- >> audit-test/filter/tests/test_watch_remove.bash | 4 ++++ >> audit-test/rules.mk | 6 ++++-- >> 10 files changed, 73 insertions(+), 21 deletions(-) >> >> diff --git a/audit-test/filter/tests/test_auid.bash b/audit-test/filter/tests/test_auid.bash >> index c165cf3..63098b7 100755 >> --- a/audit-test/filter/tests/test_auid.bash >> +++ b/audit-test/filter/tests/test_auid.bash 
>> @@ -33,8 +33,13 @@ do_open_file $tmp1 >> augrok --seek=$log_mark "name==$tmp1" "auid==$user_auid" \ >> && exit_error "Unexpected record found." >> >> -auditctl -a exit,always -F arch=b$MODE -S open -F auid=$user_auid >> -prepend_cleanup "auditctl -d exit,always -F arch=b$MODE -S open -F auid=$user_auid" >> +if [ ${MACHINE} = "aarch64" ]; then >> +syscall_name="openat" >> +else >> +syscall_name="open" >> +fi > > [ "$MACHINE" = "aarch64" ] && syscall_name="openat" || syscall_name="open" > would have been perhaps more compact, but yours works as well. If not the compact version, perhaps the original version with tabs for readability. > >> +auditctl -a exit,always -F arch=b$MODE -S $syscall_name -F auid=$user_auid >> +prepend_cleanup "auditctl -d exit,always -F arch=b$MODE -S $syscall_name -F auid=$user_auid" >> >> # audit log marker >> log_mark=$(stat -c %s $audit_log) > > <snip> > >> diff --git a/audit-test/rules.mk b/audit-test/rules.mk >> index 25c9758..4af7c13 100644 >> --- a/audit-test/rules.mk >> +++ b/audit-test/rules.mk >> @@ -186,13 +186,15 @@ run.bash: >> [[ -f run.bash ]] || ln -sfn $(TOPDIR)/utils/run.bash run.bash >> >> run: all >> - @$(check_set_PPROFILE); \ >> + @export MACHINE=$(MACHINE); \ >> + $(check_set_PPROFILE); \ >> $(check_set_PASSWD); \ >> ./run.bash --header; \ >> ./run.bash >> >> rerun: all >> - @$(check_set_PPROFILE); \ >> + @export MACHINE=$(MACHINE); \ >> + $(check_set_PPROFILE); \ >> $(check_set_PASSWD); \ >> ./run.bash --rerun >> endif >> > > Can't we do this in a less hack-ish way? What about this? > > diff --git a/audit-test/rules.mk b/audit-test/rules.mk > index fd2f8a5..15b81e0 100644 > --- a/audit-test/rules.mk > +++ b/audit-test/rules.mk 
> @@ -48,6 +48,8 @@ LINK_AR = $(AR) rc $@ $^ > LINK_EXE = $(CC) $(LDFLAGS) -o $@ $^ $(LOADLIBES) $(LDLIBS) > LINK_SO = $(CC) $(LDFLAGS) -shared -o $@ $^ $(LOADLIBES) > $(LDLIBS) > > +export MACHINE > + > # If MODE isn't set explicitly, the default for the machine is used > export NATIVE = $(strip $(shell file /bin/bash | awk -F'[ -]' '{print > $$3}')) > export MODE ?= $(NATIVE) > > > Jiri > > > ------------------------------------------------------------------------------ > Open source business process management suite built on Java and Eclipse > Turn processes into business applications with Bonita BPM Community Edition > Quickly connect people, data, and systems into organized workflows > Winner of BOSSIE, CODIE, OW2 and Gartner awards > http://p.sf.net/sfu/Bonitasoft > _______________________________________________ > Audit-test-developer mailing list > Aud...@li... > https://lists.sourceforge.net/lists/listinfo/audit-test-developer > |
From: Jiri J. <jja...@re...> - 2014-07-11 11:21:47
On 07/03/2014 09:45 AM, AKASHI Takahiro wrote:
> Current makefile uses DISTRO(== SUSE) to keep SE-Linux related programs
> from being compiled and executed. This is incovenient for other
> ditributions or rootfs build tools, like Buildroot and OpenEmbedded.
>
> This patch introduces LSM_SELINUX instead to do the same thing.
>
> Signed-off-by: AKASHI Takahiro <tak...@li...>
> ---
>  audit-test/rules.mk | 14 ++++++++++----
>  audit-test/utils/Makefile | 4 ++++
>  audit-test/utils/bin/Makefile | 2 +-
>  audit-test/utils/bin/do_creat.c | 4 ++--
>  audit-test/utils/bin/do_mkdir.c | 4 ++--
>  audit-test/utils/bin/do_mkdirat.c | 4 ++--
>  audit-test/utils/bin/do_mknod.c | 4 ++--
>  audit-test/utils/bin/do_mknodat.c | 4 ++--
>  audit-test/utils/bin/do_mq_open.c | 4 ++--
>  audit-test/utils/bin/do_open.c | 4 ++--
>  audit-test/utils/bin/do_openat.c | 4 ++--
>  audit-test/utils/bin/do_symlink.c | 4 ++--
>  audit-test/utils/bin/do_symlinkat.c | 4 ++--
>  audit-test/utils/run.bash | 8 ++++++--
>  14 files changed, 41 insertions(+), 27 deletions(-)
>
> diff --git a/audit-test/rules.mk b/audit-test/rules.mk
> index fd2f8a5..25c9758 100644
> --- a/audit-test/rules.mk
> +++ b/audit-test/rules.mk
> @@ -71,17 +71,23 @@ ifneq ($(MODE), $(NATIVE))
>  LDFLAGS += -m64
>  endif
>  endif
> +export LSM_SELINUX=no
>  RELEASE = $(wildcard /etc/*-release)
>  ifeq (SuSE, $(findstring SuSE, $(RELEASE)))
>  CFLAGS +=-DSUSE
>  export DISTRO=SUSE
> -endif
> -ifeq (fedora, $(findstring fedora, $(RELEASE)))
> -CFLAGS +=-DFEDORA
> +else ifeq (fedora, $(findstring fedora, $(RELEASE)))
> +CFLAGS +="-DFEDORA -DLSM_SELINUX"
>  export DISTRO=FEDORA
> +export LSM_SELINUX=yes
>  else ifeq (redhat, $(findstring redhat, $(RELEASE)))
> -CFLAGS +=-DRHEL
> +CFLAGS +="-DRHEL -DLSM_SELINUX"
>  export DISTRO=RHEL
> +export LSM_SELINUX=yes
> +else
> +# including Buildroot & OpenEmbedded
> +#CFLAGS +=-DDISTRO_MISC
> +export DISTRO=MISC

Out of curiosity - why do you define DISTRO=MISC as a fallback instead of leaving it empty? The comment is not really clear on whether it's required/useful for something. Why can't empty DISTRO be used? (and possibly defined in other suites/buildroots if they require it) Same with LSM_SELINUX - empty value is more compatible with cases like "if [ "$LSM_SELINUX" ]; then ..."

>  endif
>
>  ifeq (s390x, $(findstring s390x, $(MACHINE)))
> diff --git a/audit-test/utils/Makefile b/audit-test/utils/Makefile
> index 489d98b..a285c45 100644
> --- a/audit-test/utils/Makefile
> +++ b/audit-test/utils/Makefile
> @@ -20,8 +20,12 @@ UTILSDIR = .
>  CPPFLAGS += -I$(UTILSDIR)/include
>  LDLIBS += -lselinux
>
> +ifeq ($(LSM_SELINUX), yes)
>  UTILS_EXE = test_context \
>  	test_setcon
> +else
> +UTILS_EXE =
> +endif
>
>  ALL_EXE = $(UTILS_EXE)
>
> diff --git a/audit-test/utils/bin/Makefile b/audit-test/utils/bin/Makefile
> index 098d46c..6c361e1 100644
> --- a/audit-test/utils/bin/Makefile
> +++ b/audit-test/utils/bin/Makefile
> @@ -193,7 +193,7 @@ ALL_EXE += $(ONLY86_EXE)
>  endif
>
>  $(CAPS_EXE): LDLIBS += -lcap
> -ifneq ($(DISTRO), SUSE)
> +ifeq ($(LSM_SELINUX), yes)
>  $(CREATE_EXE): LDLIBS += -lselinux
>  $(MQ_EXE): LDLIBS += -lrt -lselinux
>  else
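Review bot: `CFLAGS +="-DFEDORA -DLSM_SELINUX"` keeps the double quotes inside the variable; make does not strip them, so the shell that runs the compile line hands the compiler `-DFEDORA -DLSM_SELINUX` as one argument, which is either rejected as a macro name containing a space or, at best, never defines `LSM_SELINUX` — and then every `#ifdef LSM_SELINUX` block in the do_*.c helpers is compiled out on exactly the distributions that need it. Drop the quotes: `CFLAGS += -DFEDORA -DLSM_SELINUX` and `CFLAGS += -DRHEL -DLSM_SELINUX`. Separately, deriving LSM_SELINUX from the vendor string is only a proxy for the running LSM: a Fedora/RHEL host booted with `selinux=0` still gets `yes`, and a SUSE or Buildroot image that does run SELinux gets `no`; probing the kernel, e.g. `ifneq (,$(wildcard /sys/fs/selinux/enforce))`, or at least honouring an explicit `LSM_SELINUX ?=` override from the command line, would let the tests follow the actual security module.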
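Review bot: In the utils/Makefile hunk `LDLIBS += -lselinux` two lines above the new `ifeq` stays unconditional, so on a rootfs without libselinux — the Buildroot/OpenEmbedded case this patch exists for — any target later added to this Makefile still fails to link, and only the fact that UTILS_EXE is emptied hides that today. Moving the line under the same guard, `ifeq ($(LSM_SELINUX), yes)` / `LDLIBS += -lselinux` / `UTILS_EXE = test_context test_setcon` / `endif`, ties the library to the programs that need it; the `else` / `UTILS_EXE =` arm is then redundant, since an unassigned make variable already expands to nothing.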
> diff --git a/audit-test/utils/bin/do_creat.c b/audit-test/utils/bin/do_creat.c
> index 85b31fb..81b0686 100644
> --- a/audit-test/utils/bin/do_creat.c
> +++ b/audit-test/utils/bin/do_creat.c
> @@ -14,7 +14,7 @@
>   */
>
>  #include "includes.h"
> -#ifndef SUSE
> +#ifdef LSM_SELINUX
>  #include <selinux/selinux.h>
>  #endif
>
> @@ -27,7 +27,7 @@ int main(int argc, char **argv)
>          return 1;
>      }
>
> -#ifndef SUSE
> +#ifdef LSM_SELINUX
>      if ((argc > 2) && (setfscreatecon(argv[2]) < 0)) {
>          perror("do_creat: setfscreatecon");
>          return 1;
> diff --git a/audit-test/utils/bin/do_mkdir.c b/audit-test/utils/bin/do_mkdir.c
> index f06f394..d601903 100644
> --- a/audit-test/utils/bin/do_mkdir.c
> +++ b/audit-test/utils/bin/do_mkdir.c
> @@ -14,7 +14,7 @@
>   */
>
>  #include "includes.h"
> -#ifndef SUSE
> +#ifdef LSM_SELINUX
>  #include <selinux/selinux.h>
>  #endif
>
> @@ -27,7 +27,7 @@ int main(int argc, char **argv)
>          return 1;
>      }
>
> -#ifndef SUSE
> +#ifdef LSM_SELINUX
>      if ((argc > 2) && (setfscreatecon(argv[2]) < 0)) {
>          perror("do_mkdir: setfscreatecon");
>          return 1;
> diff --git a/audit-test/utils/bin/do_mkdirat.c b/audit-test/utils/bin/do_mkdirat.c
> index 67d5ac9..5a6e54f 100644
> --- a/audit-test/utils/bin/do_mkdirat.c
> +++ b/audit-test/utils/bin/do_mkdirat.c
> @@ -14,7 +14,7 @@
>   */
>
>  #include "includes.h"
> -#ifndef SUSE
> +#ifdef LSM_SELINUX
>  #include <selinux/selinux.h>
>  #endif
>
> @@ -28,7 +28,7 @@ int main(int argc, char **argv)
>          return TEST_ERROR;
>      }
>
> -#ifndef SUSE
> +#ifdef LSM_SELINUX
>      if ((argc > 3) && (setfscreatecon(argv[3]) < 0)) {
>          perror("do_mkdirat: setfscreatecon");
>          return TEST_ERROR;
> diff --git a/audit-test/utils/bin/do_mknod.c b/audit-test/utils/bin/do_mknod.c
> index 07ca554..c12c76d 100644
> --- a/audit-test/utils/bin/do_mknod.c
> +++ b/audit-test/utils/bin/do_mknod.c
> @@ -14,7 +14,7 @@
>   */
>
>  #include "includes.h"
> -#ifndef SUSE
> +#ifdef LSM_SELINUX
>  #include <selinux/selinux.h>
>  #endif
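Review bot: In do_creat.c, with `LSM_SELINUX` undefined the `setfscreatecon` call is compiled out but `argv[2]` is still accepted, so a test that passes a security context to a non-SELinux build gets the file created without that label and no error — a MAC test can then report a false pass or an unrelated DAC failure instead of a clear "unsupported". An `#else` branch that rejects the extra argument makes the gap visible: `#else` / `if (argc > 2) { fputs("do_creat: security context given but built without SELinux support\n", stderr); return 1; }` / `#endif`. The same shape applies to the other do_*.c helpers in this patch, which switch the identical `#ifdef` pair. main() continues past the hunk, and whether includes.h pulls in `<stdio.h>` for `fputs` is not visible here, though `perror` already relies on it.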
>
> @@ -27,7 +27,7 @@ int main(int argc, char **argv)
>          return 1;
>      }
>
> -#ifndef SUSE
> +#ifdef LSM_SELINUX
>      if ((argc > 2) && (setfscreatecon(argv[2]) < 0)) {
>          perror("do_mknod: setfscreatecon");
>          return 1;
> diff --git a/audit-test/utils/bin/do_mknodat.c b/audit-test/utils/bin/do_mknodat.c
> index 5acb057..7e9ea2c 100644
> --- a/audit-test/utils/bin/do_mknodat.c
> +++ b/audit-test/utils/bin/do_mknodat.c
> @@ -14,7 +14,7 @@
>   */
>
>  #include "includes.h"
> -#ifndef SUSE
> +#ifdef LSM_SELINUX
>  #include <selinux/selinux.h>
>  #endif
>
> @@ -31,7 +31,7 @@ int main(int argc, char **argv)
>      dir_fd = open(argv[1], O_DIRECTORY);
>      if (dir_fd < 0)
>          return TEST_ERROR;
> -#ifndef SUSE
> +#ifdef LSM_SELINUX
>      if (argc == 4 && setfscreatecon(argv[3]) < 0) {
>          perror("do_mknodat: setfscreatecon");
>          return TEST_ERROR;
> diff --git a/audit-test/utils/bin/do_mq_open.c b/audit-test/utils/bin/do_mq_open.c
> index 25adc8b..8d0ec9d 100644
> --- a/audit-test/utils/bin/do_mq_open.c
> +++ b/audit-test/utils/bin/do_mq_open.c
> @@ -15,7 +15,7 @@
>
>  #include "includes.h"
>  #include <mqueue.h>
> -#ifndef SUSE
> +#ifdef LSM_SELINUX
>  #include <selinux/selinux.h>
>  #endif
>
> @@ -45,7 +45,7 @@ int main(int argc, char **argv)
>          return 1;
>      }
>
> -#ifndef SUSE
> +#ifdef LSM_SELINUX
>      if ((argc > 3) && (setfscreatecon(argv[3]) < 0)) {
>          perror("do_mq_open: setfscreatecon");
>          return 1;
> diff --git a/audit-test/utils/bin/do_open.c b/audit-test/utils/bin/do_open.c
> index 1068461..781f6f9 100644
> --- a/audit-test/utils/bin/do_open.c
> +++ b/audit-test/utils/bin/do_open.c
> @@ -14,7 +14,7 @@
>   */
>
>  #include "includes.h"
> -#ifndef SUSE
> +#ifdef LSM_SELINUX
>  #include <selinux/selinux.h>
>  #endif
>
> @@ -46,7 +46,7 @@ int main(int argc, char **argv)
>          return 1;
>      }
>
> -#ifndef SUSE
> +#ifdef LSM_SELINUX
>      if ((argc > 3) && (setfscreatecon(argv[3]) < 0)) {
>          perror("do_open: setfscreatecon");
>          return 1;
> diff --git a/audit-test/utils/bin/do_openat.c b/audit-test/utils/bin/do_openat.c
> index 43da725..6205406 100644
> --- a/audit-test/utils/bin/do_openat.c
> +++ b/audit-test/utils/bin/do_openat.c
> @@ -14,7 +14,7 @@
>   */
>
>  #include "includes.h"
> -#ifndef SUSE
> +#ifdef LSM_SELINUX
>  #include <selinux/selinux.h>
>  #endif
>
> @@ -53,7 +53,7 @@ int main(int argc, char **argv)
>          perror("do_openat: open dirfd");
>          return TEST_ERROR;
>      }
> -#ifndef SUSE
> +#ifdef LSM_SELINUX
>      if (argc == 5 && setfscreatecon(argv[4]) < 0) {
>          perror("do_openat: setfscreatecon");
>          return TEST_ERROR;
> diff --git a/audit-test/utils/bin/do_symlink.c b/audit-test/utils/bin/do_symlink.c
> index 75dfe0b..d902493 100644
> --- a/audit-test/utils/bin/do_symlink.c
> +++ b/audit-test/utils/bin/do_symlink.c
> @@ -14,7 +14,7 @@
>   */
>
>  #include "includes.h"
> -#ifndef SUSE
> +#ifdef LSM_SELINUX
>  #include <selinux/selinux.h>
>  #endif
>
> @@ -27,7 +27,7 @@ int main(int argc, char **argv)
>          return 1;
>      }
>
> -#ifndef SUSE
> +#ifdef LSM_SELINUX
>      if ((argc > 3) && (setfscreatecon(argv[3]) < 0)) {
>          perror("do_symlink: setfscreatecon");
>          return 1;
> diff --git a/audit-test/utils/bin/do_symlinkat.c b/audit-test/utils/bin/do_symlinkat.c
> index 9e67a28..1829dcf 100644
> --- a/audit-test/utils/bin/do_symlinkat.c
> +++ b/audit-test/utils/bin/do_symlinkat.c
> @@ -15,7 +15,7 @@
>   */
>
>  #include "includes.h"
> -#ifndef SUSE
> +#ifdef LSM_SELINUX
>  #include <selinux/selinux.h>
>  #endif
>
> @@ -32,7 +32,7 @@ int main(int argc, char **argv)
>      dir_fd = open(argv[1], O_DIRECTORY);
>      if (dir_fd < 0)
>          return TEST_ERROR;
> -#ifndef SUSE
> +#ifdef LSM_SELINUX
>      if (argc == 5 && setfscreatecon(argv[4]) < 0) {
>          perror("do_symlinkat: setfscreatecon");
>          return TEST_ERROR;
> diff --git a/audit-test/utils/run.bash b/audit-test/utils/run.bash
> index a2a5da6..629e0a3 100755
> --- a/audit-test/utils/run.bash
> +++ b/audit-test/utils/run.bash
> @@ -463,11 +463,15 @@ function show_header {
>      printf "%-32s %s\n" Mode: "${MODE:-(native)}"
>      printf "%-32s %s\n" Hostname: "$(uname -n)"
>      printf "%-32s %s\n" Profile: "$PPROFILE"
> -    printf "%-32s %s\n" "selinux-policy version:" "$(rpm -q selinux-policy)"
> +    if [[ $LSM_SELINUX == yes ]] ; then
> +        printf "%-32s %s\n" "selinux-policy version:" "$(rpm -q selinux-policy)"
> +    fi
>      if [[ $PPROFILE == lspp ]] ; then
>          printf "%-32s %s\n" "lspp_test policy version:" "$(semodule -l | grep lspp_test | awk '{print $2}')"
>      fi
> -    printf "\n%s\n" "$(sestatus)"
> +    if [[ $LSM_SELINUX == yes ]] ; then
> +        printf "\n%s\n" "$(sestatus)"
> +    fi
>      echo
>  } | tee $opt_logdir/$header_log
> }
>
|
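Review bot: The two new `if [[ $LSM_SELINUX == yes ]]` guards bracket the `PPROFILE == lspp` block, which itself runs `semodule`, an SELinux-only tool, so a non-SELinux build with PPROFILE=lspp still executes it. Folding the lspp test inside one LSM_SELINUX block — a single `if`, the selinux-policy printf, the nested lspp check, the `sestatus` printf, one `fi` — closes that path and removes the duplicated condition. `rpm -q selinux-policy` also presumes an RPM-based system, which holds today only because rules.mk sets `yes` solely for Fedora/RHEL; if LSM_SELINUX ever becomes runtime-detected the query needs a `command -v rpm` guard or should be dropped in favour of the `sestatus` output alone.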
From: AKASHI T. <tak...@li...> - 2014-07-11 13:07:17
On 07/11/2014 01:21 PM, Jiri Jaburek wrote: > On 07/03/2014 09:45 AM, AKASHI Takahiro wrote: >> Current makefile uses DISTRO(== SUSE) to keep SE-Linux related programs >> from being compiled and executed. This is incovenient for other >> ditributions or rootfs build tools, like Buildroot and OpenEmbedded. >> >> This patch introduces LSM_SELINUX instead to do the same thing. >> >> Signed-off-by: AKASHI Takahiro <tak...@li...> >> --- >> audit-test/rules.mk | 14 ++++++++++---- >> audit-test/utils/Makefile | 4 ++++ >> audit-test/utils/bin/Makefile | 2 +- >> audit-test/utils/bin/do_creat.c | 4 ++-- >> audit-test/utils/bin/do_mkdir.c | 4 ++-- >> audit-test/utils/bin/do_mkdirat.c | 4 ++-- >> audit-test/utils/bin/do_mknod.c | 4 ++-- >> audit-test/utils/bin/do_mknodat.c | 4 ++-- >> audit-test/utils/bin/do_mq_open.c | 4 ++-- >> audit-test/utils/bin/do_open.c | 4 ++-- >> audit-test/utils/bin/do_openat.c | 4 ++-- >> audit-test/utils/bin/do_symlink.c | 4 ++-- >> audit-test/utils/bin/do_symlinkat.c | 4 ++-- >> audit-test/utils/run.bash | 8 ++++++-- >> 14 files changed, 41 insertions(+), 27 deletions(-) >> >> diff --git a/audit-test/rules.mk b/audit-test/rules.mk >> index fd2f8a5..25c9758 100644 >> --- a/audit-test/rules.mk >> +++ b/audit-test/rules.mk 
>> @@ -71,17 +71,23 @@ ifneq ($(MODE), $(NATIVE)) >> LDFLAGS += -m64 >> endif >> endif >> +export LSM_SELINUX=no >> RELEASE = $(wildcard /etc/*-release) >> ifeq (SuSE, $(findstring SuSE, $(RELEASE))) >> CFLAGS +=-DSUSE >> export DISTRO=SUSE >> -endif >> -ifeq (fedora, $(findstring fedora, $(RELEASE))) >> -CFLAGS +=-DFEDORA >> +else ifeq (fedora, $(findstring fedora, $(RELEASE))) >> +CFLAGS +="-DFEDORA -DLSM_SELINUX" >> export DISTRO=FEDORA >> +export LSM_SELINUX=yes >> else ifeq (redhat, $(findstring redhat, $(RELEASE))) >> -CFLAGS +=-DRHEL >> +CFLAGS +="-DRHEL -DLSM_SELINUX" >> export DISTRO=RHEL >> +export LSM_SELINUX=yes >> +else >> +# including Buildroot & OpenEmbedded >> +#CFLAGS +=-DDISTRO_MISC >> +export DISTRO=MISC > > Out of curiosity - why do you define DISTRO=MISC as a fallback instead > of leaving it empty? The comment is not really clear on whether it's > required/useful for something. Why can't empty DISTRO be used? Yeah, it can. > (and possibly defined in other suites/buildroots if they require it) > > Same with LSM_SELINUX - empty value is more compatible with cases like > "if [ "$LSM_SELINUX" ]; then ..." Agree. -Takahiro AKASHI >> endif >> >> ifeq (s390x, $(findstring s390x, $(MACHINE))) >> diff --git a/audit-test/utils/Makefile b/audit-test/utils/Makefile >> index 489d98b..a285c45 100644 >> --- a/audit-test/utils/Makefile >> +++ b/audit-test/utils/Makefile >> @@ -20,8 +20,12 @@ UTILSDIR = . >> CPPFLAGS += -I$(UTILSDIR)/include >> LDLIBS += -lselinux >> >> +ifeq ($(LSM_SELINUX), yes) >> UTILS_EXE = test_context \ >> test_setcon >> +else >> +UTILS_EXE = >> +endif >> >> ALL_EXE = $(UTILS_EXE) >> >> diff --git a/audit-test/utils/bin/Makefile b/audit-test/utils/bin/Makefile >> index 098d46c..6c361e1 100644 >> --- a/audit-test/utils/bin/Makefile >> +++ b/audit-test/utils/bin/Makefile 
>> @@ -193,7 +193,7 @@ ALL_EXE += $(ONLY86_EXE) >> endif >> >> $(CAPS_EXE): LDLIBS += -lcap >> -ifneq ($(DISTRO), SUSE) >> +ifeq ($(LSM_SELINUX), yes) >> $(CREATE_EXE): LDLIBS += -lselinux >> $(MQ_EXE): LDLIBS += -lrt -lselinux >> else >> diff --git a/audit-test/utils/bin/do_creat.c b/audit-test/utils/bin/do_creat.c >> index 85b31fb..81b0686 100644 >> --- a/audit-test/utils/bin/do_creat.c >> +++ b/audit-test/utils/bin/do_creat.c >> @@ -14,7 +14,7 @@ >> */ >> >> #include "includes.h" >> -#ifndef SUSE >> +#ifdef LSM_SELINUX >> #include <selinux/selinux.h> >> #endif >> >> @@ -27,7 +27,7 @@ int main(int argc, char **argv) >> return 1; >> } >> >> -#ifndef SUSE >> +#ifdef LSM_SELINUX >> if ((argc > 2) && (setfscreatecon(argv[2]) < 0)) { >> perror("do_creat: setfscreatecon"); >> return 1; >> diff --git a/audit-test/utils/bin/do_mkdir.c b/audit-test/utils/bin/do_mkdir.c >> index f06f394..d601903 100644 >> --- a/audit-test/utils/bin/do_mkdir.c >> +++ b/audit-test/utils/bin/do_mkdir.c >> @@ -14,7 +14,7 @@ >> */ >> >> #include "includes.h" >> -#ifndef SUSE >> +#ifdef LSM_SELINUX >> #include <selinux/selinux.h> >> #endif >> >> @@ -27,7 +27,7 @@ int main(int argc, char **argv) >> return 1; >> } >> >> -#ifndef SUSE >> +#ifdef LSM_SELINUX >> if ((argc > 2) && (setfscreatecon(argv[2]) < 0)) { >> perror("do_mkdir: setfscreatecon"); >> return 1; >> diff --git a/audit-test/utils/bin/do_mkdirat.c b/audit-test/utils/bin/do_mkdirat.c >> index 67d5ac9..5a6e54f 100644 >> --- a/audit-test/utils/bin/do_mkdirat.c >> +++ b/audit-test/utils/bin/do_mkdirat.c >> @@ -14,7 +14,7 @@ >> */ >> >> #include "includes.h" >> -#ifndef SUSE >> +#ifdef LSM_SELINUX >> #include <selinux/selinux.h> >> #endif >> >> @@ -28,7 +28,7 @@ int main(int argc, char **argv) >> return TEST_ERROR; >> } >> >> -#ifndef SUSE >> +#ifdef LSM_SELINUX >> if ((argc > 3) && (setfscreatecon(argv[3]) < 0)) { >> perror("do_mkdirat: setfscreatecon"); >> return TEST_ERROR; 
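Review bot: In the do_creat.c hunk, when `LSM_SELINUX` is undefined the optional context argument `argv[2]` is silently ignored, so a caller that passes a context gets the file created under the default label with no indication that the request was dropped, and a MAC test could appear to run while exercising nothing. An `#else` branch that rejects (or at least reports) the extra argument makes this visible: `#else` / `if (argc > 2) { fprintf(stderr, "do_creat: SELinux context not supported in this build\n"); return 1; }` / `#endif`. The same applies to the do_mkdir.c, do_mkdirat.c, do_mknod.c, do_mknodat.c, do_mq_open.c, do_open.c, do_openat.c, do_symlink.c and do_symlinkat.c hunks that follow, each with the argc threshold and argv index it already uses. main's body continues outside each hunk.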
>> diff --git a/audit-test/utils/bin/do_mknod.c b/audit-test/utils/bin/do_mknod.c >> index 07ca554..c12c76d 100644 >> --- a/audit-test/utils/bin/do_mknod.c >> +++ b/audit-test/utils/bin/do_mknod.c >> @@ -14,7 +14,7 @@ >> */ >> >> #include "includes.h" >> -#ifndef SUSE >> +#ifdef LSM_SELINUX >> #include <selinux/selinux.h> >> #endif >> >> @@ -27,7 +27,7 @@ int main(int argc, char **argv) >> return 1; >> } >> >> -#ifndef SUSE >> +#ifdef LSM_SELINUX >> if ((argc > 2) && (setfscreatecon(argv[2]) < 0)) { >> perror("do_mknod: setfscreatecon"); >> return 1; >> diff --git a/audit-test/utils/bin/do_mknodat.c b/audit-test/utils/bin/do_mknodat.c >> index 5acb057..7e9ea2c 100644 >> --- a/audit-test/utils/bin/do_mknodat.c >> +++ b/audit-test/utils/bin/do_mknodat.c >> @@ -14,7 +14,7 @@ >> */ >> >> #include "includes.h" >> -#ifndef SUSE >> +#ifdef LSM_SELINUX >> #include <selinux/selinux.h> >> #endif >> >> @@ -31,7 +31,7 @@ int main(int argc, char **argv) >> dir_fd = open(argv[1], O_DIRECTORY); >> if (dir_fd < 0) >> return TEST_ERROR; >> -#ifndef SUSE >> +#ifdef LSM_SELINUX >> if (argc == 4 && setfscreatecon(argv[3]) < 0) { >> perror("do_mknodat: setfscreatecon"); >> return TEST_ERROR; >> diff --git a/audit-test/utils/bin/do_mq_open.c b/audit-test/utils/bin/do_mq_open.c >> index 25adc8b..8d0ec9d 100644 >> --- a/audit-test/utils/bin/do_mq_open.c >> +++ b/audit-test/utils/bin/do_mq_open.c >> @@ -15,7 +15,7 @@ >> >> #include "includes.h" >> #include <mqueue.h> >> -#ifndef SUSE >> +#ifdef LSM_SELINUX >> #include <selinux/selinux.h> >> #endif >> >> @@ -45,7 +45,7 @@ int main(int argc, char **argv) >> return 1; >> } >> >> -#ifndef SUSE >> +#ifdef LSM_SELINUX >> if ((argc > 3) && (setfscreatecon(argv[3]) < 0)) { >> perror("do_mq_open: setfscreatecon"); >> return 1; >> diff --git a/audit-test/utils/bin/do_open.c b/audit-test/utils/bin/do_open.c >> index 1068461..781f6f9 100644 >> --- a/audit-test/utils/bin/do_open.c >> +++ b/audit-test/utils/bin/do_open.c 
>> @@ -14,7 +14,7 @@ >> */ >> >> #include "includes.h" >> -#ifndef SUSE >> +#ifdef LSM_SELINUX >> #include <selinux/selinux.h> >> #endif >> >> @@ -46,7 +46,7 @@ int main(int argc, char **argv) >> return 1; >> } >> >> -#ifndef SUSE >> +#ifdef LSM_SELINUX >> if ((argc > 3) && (setfscreatecon(argv[3]) < 0)) { >> perror("do_open: setfscreatecon"); >> return 1; >> diff --git a/audit-test/utils/bin/do_openat.c b/audit-test/utils/bin/do_openat.c >> index 43da725..6205406 100644 >> --- a/audit-test/utils/bin/do_openat.c >> +++ b/audit-test/utils/bin/do_openat.c >> @@ -14,7 +14,7 @@ >> */ >> >> #include "includes.h" >> -#ifndef SUSE >> +#ifdef LSM_SELINUX >> #include <selinux/selinux.h> >> #endif >> >> @@ -53,7 +53,7 @@ int main(int argc, char **argv) >> perror("do_openat: open dirfd"); >> return TEST_ERROR; >> } >> -#ifndef SUSE >> +#ifdef LSM_SELINUX >> if (argc == 5 && setfscreatecon(argv[4]) < 0) { >> perror("do_openat: setfscreatecon"); >> return TEST_ERROR; >> diff --git a/audit-test/utils/bin/do_symlink.c b/audit-test/utils/bin/do_symlink.c >> index 75dfe0b..d902493 100644 >> --- a/audit-test/utils/bin/do_symlink.c >> +++ b/audit-test/utils/bin/do_symlink.c >> @@ -14,7 +14,7 @@ >> */ >> >> #include "includes.h" >> -#ifndef SUSE >> +#ifdef LSM_SELINUX >> #include <selinux/selinux.h> >> #endif >> >> @@ -27,7 +27,7 @@ int main(int argc, char **argv) >> return 1; >> } >> >> -#ifndef SUSE >> +#ifdef LSM_SELINUX >> if ((argc > 3) && (setfscreatecon(argv[3]) < 0)) { >> perror("do_symlink: setfscreatecon"); >> return 1; >> diff --git a/audit-test/utils/bin/do_symlinkat.c b/audit-test/utils/bin/do_symlinkat.c >> index 9e67a28..1829dcf 100644 >> --- a/audit-test/utils/bin/do_symlinkat.c >> +++ b/audit-test/utils/bin/do_symlinkat.c >> @@ -15,7 +15,7 @@ >> */ >> >> #include "includes.h" >> -#ifndef SUSE >> +#ifdef LSM_SELINUX >> #include <selinux/selinux.h> >> #endif 
>>
>> @@ -32,7 +32,7 @@ int main(int argc, char **argv)
>> dir_fd = open(argv[1], O_DIRECTORY);
>> if (dir_fd < 0)
>> return TEST_ERROR;
>> -#ifndef SUSE
>> +#ifdef LSM_SELINUX
>> if (argc == 5 && setfscreatecon(argv[4]) < 0) {
>> perror("do_symlinkat: setfscreatecon");
>> return TEST_ERROR;
>> diff --git a/audit-test/utils/run.bash b/audit-test/utils/run.bash
>> index a2a5da6..629e0a3 100755
>> --- a/audit-test/utils/run.bash
>> +++ b/audit-test/utils/run.bash
>> @@ -463,11 +463,15 @@ function show_header {
>> printf "%-32s %s\n" Mode: "${MODE:-(native)}"
>> printf "%-32s %s\n" Hostname: "$(uname -n)"
>> printf "%-32s %s\n" Profile: "$PPROFILE"
>> - printf "%-32s %s\n" "selinux-policy version:" "$(rpm -q selinux-policy)"
>> + if [[ $LSM_SELINUX == yes ]] ; then
>> + printf "%-32s %s\n" "selinux-policy version:" "$(rpm -q selinux-policy)"
>> + fi
>> if [[ $PPROFILE == lspp ]] ; then
>> printf "%-32s %s\n" "lspp_test policy version:" "$(semodule -l | grep lspp_test | awk '{print $2}')"
>> fi
>> - printf "\n%s\n" "$(sestatus)"
>> + if [[ $LSM_SELINUX == yes ]] ; then
>> + printf "\n%s\n" "$(sestatus)"
>> + fi
>> echo
>> } | tee $opt_logdir/$header_log
>> }
>> > |
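Review bot: The new `if [[ $LSM_SELINUX == yes ]]` guard in show_header gates `rpm -q selinux-policy` on an SELinux flag, but the command is an RPM assumption, not an SELinux one; it holds today only because the build sets the flag exclusively on Fedora and RHEL, and widening that detection would put an rpm error into the header log. Checking the tool as well, `if [[ $LSM_SELINUX == yes ]] && command -v rpm >/dev/null; then`, keeps the log clean, and the second `sestatus` block could share a single guard instead of repeating the test. Note also that `LSM_SELINUX` reaches this script only through make's `export`; if run.bash is ever invoked directly (the invocation path is not in the hunk), both blocks are silently skipped with no hint in the header. show_header starts outside the hunk.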
From: Jiri J. <jja...@re...> - 2014-07-11 11:41:23
On 07/03/2014 09:45 AM, AKASHI Takahiro wrote: > Current makefile uses DISTRO(== SUSE) to keep SE-Linux related programs > from being compiled and executed. This is incovenient for other > ditributions or rootfs build tools, like Buildroot and OpenEmbedded. > > This patch introduces LSM_SELINUX instead to do the same thing. > > Signed-off-by: AKASHI Takahiro <tak...@li...> > --- > audit-test/rules.mk | 14 ++++++++++---- > audit-test/utils/Makefile | 4 ++++ > audit-test/utils/bin/Makefile | 2 +- > audit-test/utils/bin/do_creat.c | 4 ++-- > audit-test/utils/bin/do_mkdir.c | 4 ++-- > audit-test/utils/bin/do_mkdirat.c | 4 ++-- > audit-test/utils/bin/do_mknod.c | 4 ++-- > audit-test/utils/bin/do_mknodat.c | 4 ++-- > audit-test/utils/bin/do_mq_open.c | 4 ++-- > audit-test/utils/bin/do_open.c | 4 ++-- > audit-test/utils/bin/do_openat.c | 4 ++-- > audit-test/utils/bin/do_symlink.c | 4 ++-- > audit-test/utils/bin/do_symlinkat.c | 4 ++-- > audit-test/utils/run.bash | 8 ++++++-- > 14 files changed, 41 insertions(+), 27 deletions(-) > > diff --git a/audit-test/rules.mk b/audit-test/rules.mk > index fd2f8a5..25c9758 100644 > --- a/audit-test/rules.mk > +++ b/audit-test/rules.mk > @@ -71,17 +71,23 @@ ifneq ($(MODE), $(NATIVE)) > LDFLAGS += -m64 > endif > endif > +export LSM_SELINUX=no > RELEASE = $(wildcard /etc/*-release) > ifeq (SuSE, $(findstring SuSE, $(RELEASE))) > CFLAGS +=-DSUSE > export DISTRO=SUSE > -endif > -ifeq (fedora, $(findstring fedora, $(RELEASE))) > -CFLAGS +=-DFEDORA > +else ifeq (fedora, $(findstring fedora, $(RELEASE))) > +CFLAGS +="-DFEDORA -DLSM_SELINUX" > export DISTRO=FEDORA > +export LSM_SELINUX=yes > else ifeq (redhat, $(findstring redhat, $(RELEASE))) > -CFLAGS +=-DRHEL > +CFLAGS +="-DRHEL -DLSM_SELINUX" > export DISTRO=RHEL > +export LSM_SELINUX=yes > +else > +# including Buildroot & OpenEmbedded > +#CFLAGS +=-DDISTRO_MISC > +export DISTRO=MISC > endif > > ifeq (s390x, $(findstring s390x, $(MACHINE))) 
> diff --git a/audit-test/utils/Makefile b/audit-test/utils/Makefile > index 489d98b..a285c45 100644 > --- a/audit-test/utils/Makefile > +++ b/audit-test/utils/Makefile > @@ -20,8 +20,12 @@ UTILSDIR = . > CPPFLAGS += -I$(UTILSDIR)/include > LDLIBS += -lselinux > > +ifeq ($(LSM_SELINUX), yes) > UTILS_EXE = test_context \ > test_setcon > +else > +UTILS_EXE = > +endif Same here, why is UTILS_EXE explicitly re-defined as empty? Isn't it empty by default? Or rather - if some other utils were included in it, wouldn't it make more sense to simply not include selinux-related binaries, instead of clearing out any existing binaries in the list? > > ALL_EXE = $(UTILS_EXE) > > diff --git a/audit-test/utils/bin/Makefile b/audit-test/utils/bin/Makefile > index 098d46c..6c361e1 100644 > --- a/audit-test/utils/bin/Makefile > +++ b/audit-test/utils/bin/Makefile > @@ -193,7 +193,7 @@ ALL_EXE += $(ONLY86_EXE) > endif > > $(CAPS_EXE): LDLIBS += -lcap > -ifneq ($(DISTRO), SUSE) > +ifeq ($(LSM_SELINUX), yes) > $(CREATE_EXE): LDLIBS += -lselinux > $(MQ_EXE): LDLIBS += -lrt -lselinux > else > diff --git a/audit-test/utils/bin/do_creat.c b/audit-test/utils/bin/do_creat.c > index 85b31fb..81b0686 100644 > --- a/audit-test/utils/bin/do_creat.c > +++ b/audit-test/utils/bin/do_creat.c > @@ -14,7 +14,7 @@ > */ > > #include "includes.h" > -#ifndef SUSE > +#ifdef LSM_SELINUX > #include <selinux/selinux.h> > #endif > > @@ -27,7 +27,7 @@ int main(int argc, char **argv) > return 1; > } > > -#ifndef SUSE > +#ifdef LSM_SELINUX > if ((argc > 2) && (setfscreatecon(argv[2]) < 0)) { > perror("do_creat: setfscreatecon"); > return 1; > diff --git a/audit-test/utils/bin/do_mkdir.c b/audit-test/utils/bin/do_mkdir.c > index f06f394..d601903 100644 > --- a/audit-test/utils/bin/do_mkdir.c > +++ b/audit-test/utils/bin/do_mkdir.c > @@ -14,7 +14,7 @@ > */ > > #include "includes.h" > -#ifndef SUSE > +#ifdef LSM_SELINUX > #include <selinux/selinux.h> > #endif 
> > @@ -27,7 +27,7 @@ int main(int argc, char **argv) > return 1; > } > > -#ifndef SUSE > +#ifdef LSM_SELINUX > if ((argc > 2) && (setfscreatecon(argv[2]) < 0)) { > perror("do_mkdir: setfscreatecon"); > return 1; > diff --git a/audit-test/utils/bin/do_mkdirat.c b/audit-test/utils/bin/do_mkdirat.c > index 67d5ac9..5a6e54f 100644 > --- a/audit-test/utils/bin/do_mkdirat.c > +++ b/audit-test/utils/bin/do_mkdirat.c > @@ -14,7 +14,7 @@ > */ > > #include "includes.h" > -#ifndef SUSE > +#ifdef LSM_SELINUX > #include <selinux/selinux.h> > #endif > > @@ -28,7 +28,7 @@ int main(int argc, char **argv) > return TEST_ERROR; > } > > -#ifndef SUSE > +#ifdef LSM_SELINUX > if ((argc > 3) && (setfscreatecon(argv[3]) < 0)) { > perror("do_mkdirat: setfscreatecon"); > return TEST_ERROR; > diff --git a/audit-test/utils/bin/do_mknod.c b/audit-test/utils/bin/do_mknod.c > index 07ca554..c12c76d 100644 > --- a/audit-test/utils/bin/do_mknod.c > +++ b/audit-test/utils/bin/do_mknod.c > @@ -14,7 +14,7 @@ > */ > > #include "includes.h" > -#ifndef SUSE > +#ifdef LSM_SELINUX > #include <selinux/selinux.h> > #endif > > @@ -27,7 +27,7 @@ int main(int argc, char **argv) > return 1; > } > > -#ifndef SUSE > +#ifdef LSM_SELINUX > if ((argc > 2) && (setfscreatecon(argv[2]) < 0)) { > perror("do_mknod: setfscreatecon"); > return 1; > diff --git a/audit-test/utils/bin/do_mknodat.c b/audit-test/utils/bin/do_mknodat.c > index 5acb057..7e9ea2c 100644 > --- a/audit-test/utils/bin/do_mknodat.c > +++ b/audit-test/utils/bin/do_mknodat.c > @@ -14,7 +14,7 @@ > */ > > #include "includes.h" > -#ifndef SUSE > +#ifdef LSM_SELINUX > #include <selinux/selinux.h> > #endif > > @@ -31,7 +31,7 @@ int main(int argc, char **argv) > dir_fd = open(argv[1], O_DIRECTORY); > if (dir_fd < 0) > return TEST_ERROR; > -#ifndef SUSE > +#ifdef LSM_SELINUX > if (argc == 4 && setfscreatecon(argv[3]) < 0) { > perror("do_mknodat: setfscreatecon"); > return TEST_ERROR; 
> diff --git a/audit-test/utils/bin/do_mq_open.c b/audit-test/utils/bin/do_mq_open.c > index 25adc8b..8d0ec9d 100644 > --- a/audit-test/utils/bin/do_mq_open.c > +++ b/audit-test/utils/bin/do_mq_open.c > @@ -15,7 +15,7 @@ > > #include "includes.h" > #include <mqueue.h> > -#ifndef SUSE > +#ifdef LSM_SELINUX > #include <selinux/selinux.h> > #endif > > @@ -45,7 +45,7 @@ int main(int argc, char **argv) > return 1; > } > > -#ifndef SUSE > +#ifdef LSM_SELINUX > if ((argc > 3) && (setfscreatecon(argv[3]) < 0)) { > perror("do_mq_open: setfscreatecon"); > return 1; > diff --git a/audit-test/utils/bin/do_open.c b/audit-test/utils/bin/do_open.c > index 1068461..781f6f9 100644 > --- a/audit-test/utils/bin/do_open.c > +++ b/audit-test/utils/bin/do_open.c > @@ -14,7 +14,7 @@ > */ > > #include "includes.h" > -#ifndef SUSE > +#ifdef LSM_SELINUX > #include <selinux/selinux.h> > #endif > > @@ -46,7 +46,7 @@ int main(int argc, char **argv) > return 1; > } > > -#ifndef SUSE > +#ifdef LSM_SELINUX > if ((argc > 3) && (setfscreatecon(argv[3]) < 0)) { > perror("do_open: setfscreatecon"); > return 1; > diff --git a/audit-test/utils/bin/do_openat.c b/audit-test/utils/bin/do_openat.c > index 43da725..6205406 100644 > --- a/audit-test/utils/bin/do_openat.c > +++ b/audit-test/utils/bin/do_openat.c > @@ -14,7 +14,7 @@ > */ > > #include "includes.h" > -#ifndef SUSE > +#ifdef LSM_SELINUX > #include <selinux/selinux.h> > #endif > > @@ -53,7 +53,7 @@ int main(int argc, char **argv) > perror("do_openat: open dirfd"); > return TEST_ERROR; > } > -#ifndef SUSE > +#ifdef LSM_SELINUX > if (argc == 5 && setfscreatecon(argv[4]) < 0) { > perror("do_openat: setfscreatecon"); > return TEST_ERROR; > diff --git a/audit-test/utils/bin/do_symlink.c b/audit-test/utils/bin/do_symlink.c > index 75dfe0b..d902493 100644 > --- a/audit-test/utils/bin/do_symlink.c > +++ b/audit-test/utils/bin/do_symlink.c 
> @@ -14,7 +14,7 @@ > */ > > #include "includes.h" > -#ifndef SUSE > +#ifdef LSM_SELINUX > #include <selinux/selinux.h> > #endif > > @@ -27,7 +27,7 @@ int main(int argc, char **argv) > return 1; > } > > -#ifndef SUSE > +#ifdef LSM_SELINUX > if ((argc > 3) && (setfscreatecon(argv[3]) < 0)) { > perror("do_symlink: setfscreatecon"); > return 1; > diff --git a/audit-test/utils/bin/do_symlinkat.c b/audit-test/utils/bin/do_symlinkat.c > index 9e67a28..1829dcf 100644 > --- a/audit-test/utils/bin/do_symlinkat.c > +++ b/audit-test/utils/bin/do_symlinkat.c > @@ -15,7 +15,7 @@ > */ > > #include "includes.h" > -#ifndef SUSE > +#ifdef LSM_SELINUX > #include <selinux/selinux.h> > #endif > > @@ -32,7 +32,7 @@ int main(int argc, char **argv) > dir_fd = open(argv[1], O_DIRECTORY); > if (dir_fd < 0) > return TEST_ERROR; > -#ifndef SUSE > +#ifdef LSM_SELINUX > if (argc == 5 && setfscreatecon(argv[4]) < 0) { > perror("do_symlinkat: setfscreatecon"); > return TEST_ERROR; > diff --git a/audit-test/utils/run.bash b/audit-test/utils/run.bash > index a2a5da6..629e0a3 100755 > --- a/audit-test/utils/run.bash > +++ b/audit-test/utils/run.bash > @@ -463,11 +463,15 @@ function show_header { > printf "%-32s %s\n" Mode: "${MODE:-(native)}" > printf "%-32s %s\n" Hostname: "$(uname -n)" > printf "%-32s %s\n" Profile: "$PPROFILE" > - printf "%-32s %s\n" "selinux-policy version:" "$(rpm -q selinux-policy)" > + if [[ $LSM_SELINUX == yes ]] ; then > + printf "%-32s %s\n" "selinux-policy version:" "$(rpm -q selinux-policy)" > + fi > if [[ $PPROFILE == lspp ]] ; then > printf "%-32s %s\n" "lspp_test policy version:" "$(semodule -l | grep lspp_test | awk '{print $2}')" > fi > - printf "\n%s\n" "$(sestatus)" > + if [[ $LSM_SELINUX == yes ]] ; then > + printf "\n%s\n" "$(sestatus)" > + fi > echo > } | tee $opt_logdir/$header_log > } > |
From: AKASHI T. <tak...@li...> - 2014-07-11 13:09:03
On 07/11/2014 01:41 PM, Jiri Jaburek wrote: > On 07/03/2014 09:45 AM, AKASHI Takahiro wrote: >> Current makefile uses DISTRO(== SUSE) to keep SE-Linux related programs >> from being compiled and executed. This is incovenient for other >> ditributions or rootfs build tools, like Buildroot and OpenEmbedded. >> >> This patch introduces LSM_SELINUX instead to do the same thing. >> >> Signed-off-by: AKASHI Takahiro <tak...@li...> >> --- >> audit-test/rules.mk | 14 ++++++++++---- >> audit-test/utils/Makefile | 4 ++++ >> audit-test/utils/bin/Makefile | 2 +- >> audit-test/utils/bin/do_creat.c | 4 ++-- >> audit-test/utils/bin/do_mkdir.c | 4 ++-- >> audit-test/utils/bin/do_mkdirat.c | 4 ++-- >> audit-test/utils/bin/do_mknod.c | 4 ++-- >> audit-test/utils/bin/do_mknodat.c | 4 ++-- >> audit-test/utils/bin/do_mq_open.c | 4 ++-- >> audit-test/utils/bin/do_open.c | 4 ++-- >> audit-test/utils/bin/do_openat.c | 4 ++-- >> audit-test/utils/bin/do_symlink.c | 4 ++-- >> audit-test/utils/bin/do_symlinkat.c | 4 ++-- >> audit-test/utils/run.bash | 8 ++++++-- >> 14 files changed, 41 insertions(+), 27 deletions(-) >> >> diff --git a/audit-test/rules.mk b/audit-test/rules.mk >> index fd2f8a5..25c9758 100644 >> --- a/audit-test/rules.mk >> +++ b/audit-test/rules.mk 
>> @@ -71,17 +71,23 @@ ifneq ($(MODE), $(NATIVE)) >> LDFLAGS += -m64 >> endif >> endif >> +export LSM_SELINUX=no >> RELEASE = $(wildcard /etc/*-release) >> ifeq (SuSE, $(findstring SuSE, $(RELEASE))) >> CFLAGS +=-DSUSE >> export DISTRO=SUSE >> -endif >> -ifeq (fedora, $(findstring fedora, $(RELEASE))) >> -CFLAGS +=-DFEDORA >> +else ifeq (fedora, $(findstring fedora, $(RELEASE))) >> +CFLAGS +="-DFEDORA -DLSM_SELINUX" >> export DISTRO=FEDORA >> +export LSM_SELINUX=yes >> else ifeq (redhat, $(findstring redhat, $(RELEASE))) >> -CFLAGS +=-DRHEL >> +CFLAGS +="-DRHEL -DLSM_SELINUX" >> export DISTRO=RHEL >> +export LSM_SELINUX=yes >> +else >> +# including Buildroot & OpenEmbedded >> +#CFLAGS +=-DDISTRO_MISC >> +export DISTRO=MISC >> endif >> >> ifeq (s390x, $(findstring s390x, $(MACHINE))) >> diff --git a/audit-test/utils/Makefile b/audit-test/utils/Makefile >> index 489d98b..a285c45 100644 >> --- a/audit-test/utils/Makefile >> +++ b/audit-test/utils/Makefile >> @@ -20,8 +20,12 @@ UTILSDIR = . >> CPPFLAGS += -I$(UTILSDIR)/include >> LDLIBS += -lselinux >> >> +ifeq ($(LSM_SELINUX), yes) >> UTILS_EXE = test_context \ >> test_setcon >> +else >> +UTILS_EXE = >> +endif > > Same here, why is UTILS_EXE explicitly re-defined as empty? > Isn't it empty by default? Or rather - if some other utils were > included in it, wouldn't it make more sense to simply not include > selinux-related binaries, instead of clearing out any existing binaries > in the list? Again agree with you. -Takahiro AKASHI >> >> ALL_EXE = $(UTILS_EXE) >> >> diff --git a/audit-test/utils/bin/Makefile b/audit-test/utils/bin/Makefile >> index 098d46c..6c361e1 100644 >> --- a/audit-test/utils/bin/Makefile >> +++ b/audit-test/utils/bin/Makefile >> @@ -193,7 +193,7 @@ ALL_EXE += $(ONLY86_EXE) >> endif >> >> $(CAPS_EXE): LDLIBS += -lcap >> -ifneq ($(DISTRO), SUSE) >> +ifeq ($(LSM_SELINUX), yes) >> $(CREATE_EXE): LDLIBS += -lselinux >> $(MQ_EXE): LDLIBS += -lrt -lselinux >> else 
>> diff --git a/audit-test/utils/bin/do_creat.c b/audit-test/utils/bin/do_creat.c >> index 85b31fb..81b0686 100644 >> --- a/audit-test/utils/bin/do_creat.c >> +++ b/audit-test/utils/bin/do_creat.c >> @@ -14,7 +14,7 @@ >> */ >> >> #include "includes.h" >> -#ifndef SUSE >> +#ifdef LSM_SELINUX >> #include <selinux/selinux.h> >> #endif >> >> @@ -27,7 +27,7 @@ int main(int argc, char **argv) >> return 1; >> } >> >> -#ifndef SUSE >> +#ifdef LSM_SELINUX >> if ((argc > 2) && (setfscreatecon(argv[2]) < 0)) { >> perror("do_creat: setfscreatecon"); >> return 1; >> diff --git a/audit-test/utils/bin/do_mkdir.c b/audit-test/utils/bin/do_mkdir.c >> index f06f394..d601903 100644 >> --- a/audit-test/utils/bin/do_mkdir.c >> +++ b/audit-test/utils/bin/do_mkdir.c >> @@ -14,7 +14,7 @@ >> */ >> >> #include "includes.h" >> -#ifndef SUSE >> +#ifdef LSM_SELINUX >> #include <selinux/selinux.h> >> #endif >> >> @@ -27,7 +27,7 @@ int main(int argc, char **argv) >> return 1; >> } >> >> -#ifndef SUSE >> +#ifdef LSM_SELINUX >> if ((argc > 2) && (setfscreatecon(argv[2]) < 0)) { >> perror("do_mkdir: setfscreatecon"); >> return 1; >> diff --git a/audit-test/utils/bin/do_mkdirat.c b/audit-test/utils/bin/do_mkdirat.c >> index 67d5ac9..5a6e54f 100644 >> --- a/audit-test/utils/bin/do_mkdirat.c >> +++ b/audit-test/utils/bin/do_mkdirat.c >> @@ -14,7 +14,7 @@ >> */ >> >> #include "includes.h" >> -#ifndef SUSE >> +#ifdef LSM_SELINUX >> #include <selinux/selinux.h> >> #endif >> >> @@ -28,7 +28,7 @@ int main(int argc, char **argv) >> return TEST_ERROR; >> } >> >> -#ifndef SUSE >> +#ifdef LSM_SELINUX >> if ((argc > 3) && (setfscreatecon(argv[3]) < 0)) { >> perror("do_mkdirat: setfscreatecon"); >> return TEST_ERROR; >> diff --git a/audit-test/utils/bin/do_mknod.c b/audit-test/utils/bin/do_mknod.c >> index 07ca554..c12c76d 100644 >> --- a/audit-test/utils/bin/do_mknod.c >> +++ b/audit-test/utils/bin/do_mknod.c 
>> @@ -14,7 +14,7 @@ >> */ >> >> #include "includes.h" >> -#ifndef SUSE >> +#ifdef LSM_SELINUX >> #include <selinux/selinux.h> >> #endif >> >> @@ -27,7 +27,7 @@ int main(int argc, char **argv) >> return 1; >> } >> >> -#ifndef SUSE >> +#ifdef LSM_SELINUX >> if ((argc > 2) && (setfscreatecon(argv[2]) < 0)) { >> perror("do_mknod: setfscreatecon"); >> return 1; >> diff --git a/audit-test/utils/bin/do_mknodat.c b/audit-test/utils/bin/do_mknodat.c >> index 5acb057..7e9ea2c 100644 >> --- a/audit-test/utils/bin/do_mknodat.c >> +++ b/audit-test/utils/bin/do_mknodat.c >> @@ -14,7 +14,7 @@ >> */ >> >> #include "includes.h" >> -#ifndef SUSE >> +#ifdef LSM_SELINUX >> #include <selinux/selinux.h> >> #endif >> >> @@ -31,7 +31,7 @@ int main(int argc, char **argv) >> dir_fd = open(argv[1], O_DIRECTORY); >> if (dir_fd < 0) >> return TEST_ERROR; >> -#ifndef SUSE >> +#ifdef LSM_SELINUX >> if (argc == 4 && setfscreatecon(argv[3]) < 0) { >> perror("do_mknodat: setfscreatecon"); >> return TEST_ERROR; >> diff --git a/audit-test/utils/bin/do_mq_open.c b/audit-test/utils/bin/do_mq_open.c >> index 25adc8b..8d0ec9d 100644 >> --- a/audit-test/utils/bin/do_mq_open.c >> +++ b/audit-test/utils/bin/do_mq_open.c >> @@ -15,7 +15,7 @@ >> >> #include "includes.h" >> #include <mqueue.h> >> -#ifndef SUSE >> +#ifdef LSM_SELINUX >> #include <selinux/selinux.h> >> #endif >> >> @@ -45,7 +45,7 @@ int main(int argc, char **argv) >> return 1; >> } >> >> -#ifndef SUSE >> +#ifdef LSM_SELINUX >> if ((argc > 3) && (setfscreatecon(argv[3]) < 0)) { >> perror("do_mq_open: setfscreatecon"); >> return 1; >> diff --git a/audit-test/utils/bin/do_open.c b/audit-test/utils/bin/do_open.c >> index 1068461..781f6f9 100644 >> --- a/audit-test/utils/bin/do_open.c >> +++ b/audit-test/utils/bin/do_open.c >> @@ -14,7 +14,7 @@ >> */ >> >> #include "includes.h" >> -#ifndef SUSE >> +#ifdef LSM_SELINUX >> #include <selinux/selinux.h> >> #endif 
>> >> @@ -46,7 +46,7 @@ int main(int argc, char **argv) >> return 1; >> } >> >> -#ifndef SUSE >> +#ifdef LSM_SELINUX >> if ((argc > 3) && (setfscreatecon(argv[3]) < 0)) { >> perror("do_open: setfscreatecon"); >> return 1; >> diff --git a/audit-test/utils/bin/do_openat.c b/audit-test/utils/bin/do_openat.c >> index 43da725..6205406 100644 >> --- a/audit-test/utils/bin/do_openat.c >> +++ b/audit-test/utils/bin/do_openat.c >> @@ -14,7 +14,7 @@ >> */ >> >> #include "includes.h" >> -#ifndef SUSE >> +#ifdef LSM_SELINUX >> #include <selinux/selinux.h> >> #endif >> >> @@ -53,7 +53,7 @@ int main(int argc, char **argv) >> perror("do_openat: open dirfd"); >> return TEST_ERROR; >> } >> -#ifndef SUSE >> +#ifdef LSM_SELINUX >> if (argc == 5 && setfscreatecon(argv[4]) < 0) { >> perror("do_openat: setfscreatecon"); >> return TEST_ERROR; >> diff --git a/audit-test/utils/bin/do_symlink.c b/audit-test/utils/bin/do_symlink.c >> index 75dfe0b..d902493 100644 >> --- a/audit-test/utils/bin/do_symlink.c >> +++ b/audit-test/utils/bin/do_symlink.c >> @@ -14,7 +14,7 @@ >> */ >> >> #include "includes.h" >> -#ifndef SUSE >> +#ifdef LSM_SELINUX >> #include <selinux/selinux.h> >> #endif >> >> @@ -27,7 +27,7 @@ int main(int argc, char **argv) >> return 1; >> } >> >> -#ifndef SUSE >> +#ifdef LSM_SELINUX >> if ((argc > 3) && (setfscreatecon(argv[3]) < 0)) { >> perror("do_symlink: setfscreatecon"); >> return 1; >> diff --git a/audit-test/utils/bin/do_symlinkat.c b/audit-test/utils/bin/do_symlinkat.c >> index 9e67a28..1829dcf 100644 >> --- a/audit-test/utils/bin/do_symlinkat.c >> +++ b/audit-test/utils/bin/do_symlinkat.c >> @@ -15,7 +15,7 @@ >> */ >> >> #include "includes.h" >> -#ifndef SUSE >> +#ifdef LSM_SELINUX >> #include <selinux/selinux.h> >> #endif 
>>
>> @@ -32,7 +32,7 @@ int main(int argc, char **argv)
>> dir_fd = open(argv[1], O_DIRECTORY);
>> if (dir_fd < 0)
>> return TEST_ERROR;
>> -#ifndef SUSE
>> +#ifdef LSM_SELINUX
>> if (argc == 5 && setfscreatecon(argv[4]) < 0) {
>> perror("do_symlinkat: setfscreatecon");
>> return TEST_ERROR;
>> diff --git a/audit-test/utils/run.bash b/audit-test/utils/run.bash
>> index a2a5da6..629e0a3 100755
>> --- a/audit-test/utils/run.bash
>> +++ b/audit-test/utils/run.bash
>> @@ -463,11 +463,15 @@ function show_header {
>> printf "%-32s %s\n" Mode: "${MODE:-(native)}"
>> printf "%-32s %s\n" Hostname: "$(uname -n)"
>> printf "%-32s %s\n" Profile: "$PPROFILE"
>> - printf "%-32s %s\n" "selinux-policy version:" "$(rpm -q selinux-policy)"
>> + if [[ $LSM_SELINUX == yes ]] ; then
>> + printf "%-32s %s\n" "selinux-policy version:" "$(rpm -q selinux-policy)"
>> + fi
>> if [[ $PPROFILE == lspp ]] ; then
>> printf "%-32s %s\n" "lspp_test policy version:" "$(semodule -l | grep lspp_test | awk '{print $2}')"
>> fi
>> - printf "\n%s\n" "$(sestatus)"
>> + if [[ $LSM_SELINUX == yes ]] ; then
>> + printf "\n%s\n" "$(sestatus)"
>> + fi
>> echo
>> } | tee $opt_logdir/$header_log
>> }
>> > |
From: Jiri J. <jja...@re...> - 2014-07-11 11:52:17
On 07/03/2014 09:45 AM, AKASHI Takahiro wrote: > This patch allows the test suite to be run on aarch64 (or arm64 in kernel > jargon) with 64-bit and 32-bit userspace. > I successfully built and ran it on ARMv8 fast model. > (but only against audit-test/syscalls and filter) > <snip> Linda, any comments on this series? It seems sane to me (once the v2 version is sent); it would conflict a little with what we have, but that's easily resolvable. The Makefile changes in utils/bin/ are a bit messy (along with what we have), but I plan to rewrite the entire logic soon, so that shouldn't be a problem. Thanks, Jiri |
From: Linda K. <lin...@hp...> - 2014-07-14 01:47:58
On 07/11/2014 07:52 AM, Jiri Jaburek wrote: > On 07/03/2014 09:45 AM, AKASHI Takahiro wrote: >> This patch allows the test suite to be run on aarch64 (or arm64 in kernel >> jargon) with 64-bit and 32-bit userspace. >> I successfully built and ran it on ARMv8 fast model. >> (but only against audit-test/syscalls and filter) >> > <snip> > > Linda, > any comments on this series? Jiri, thank you for doing a review. I like the changes in general. I've always wanted the SELinux code to be enabled or disabled separately rather than being assumed based on the distro. > It seems sane to me (once v2 version is sent), it would conflict > a little with what we have, but that's easily resolvable. Yes, I'm happy to take the v2 version - as long as we test on x86. I was hoping to give them a test drive as part of the review which is why it has taken me so long to reply but still haven't been able to do that yet. Have you tried them? > The Makefile changes in utils/bin/ are a bit messy (along with what we > have), but I plan to rewrite the entire logic soon, so that shouldn't > be a problem. Ok, good. I don't think we should hold off reasonable patches for unmerged work so it's good that it's not a problem. Thank you Takahiro, I'm really happy that you have done this work for arm64 and a non-SELinux distro. Looking forward to a quick v2. Thanks, -- ljk > > Thanks, > Jiri > |
From: Linda K. <lin...@hp...> - 2014-07-14 01:22:51
On 07/03/2014 03:45 AM, AKASHI Takahiro wrote: > This patch allows the test suite to be run on aarch64 (or arm64 in kernel > jargon) with 64-bit and 32-bit userspace. > I successfully built and ran it on ARMv8 fast model. > (but only against audit-test/syscalls and filter) Have you also run this on an x86 system? Most of the code changes look safe but changes to augrok always concern me. -- ljk > > AKASHI Takahiro (5): > audit-test: use LSM_SELINUX instead of SUSE to work-around SE-Linux > audit-test: handle __NR3264_xxx syscall definitions > audit-test/syscalls: add aarch64 support > audit-test/filter: add aarch64 support > audit-test/syscalls: add arm support > > audit-test/filter/tests/test_auid.bash | 9 +++++++-- > audit-test/filter/tests/test_class_attr.bash | 13 +++++++++++++ > audit-test/filter/tests/test_dev_inode.bash | 11 ++++++++--- > audit-test/filter/tests/test_success.bash | 6 +++++- > audit-test/filter/tests/test_syscall.bash | 6 +++++- > audit-test/filter/tests/test_type.bash | 9 +++++++-- > audit-test/filter/tests/test_watch_dir_remove.bash | 20 ++++++++++++-------- > audit-test/filter/tests/test_watch_open.bash | 10 ++++++++-- > audit-test/filter/tests/test_watch_remove.bash | 4 ++++ > audit-test/rules.mk | 20 ++++++++++++++------ > audit-test/syscalls/cap-run.conf | 10 +++++----- > audit-test/syscalls/dac-run.conf | 16 ++++++++-------- > audit-test/syscalls/mac-run.conf | 16 ++++++++-------- > audit-test/utils/Makefile | 4 ++++ > audit-test/utils/augrok | 17 +++++++++++++++-- > audit-test/utils/bin/Makefile | 14 +++++++++++--- > audit-test/utils/bin/do_creat.c | 4 ++-- > audit-test/utils/bin/do_mkdir.c | 4 ++-- > audit-test/utils/bin/do_mkdirat.c | 4 ++-- > audit-test/utils/bin/do_mknod.c | 4 ++-- > audit-test/utils/bin/do_mknodat.c | 4 ++-- > audit-test/utils/bin/do_mq_open.c | 4 ++-- > audit-test/utils/bin/do_open.c | 4 ++-- > audit-test/utils/bin/do_openat.c | 4 ++-- > audit-test/utils/bin/do_symlink.c | 4 ++-- > 
audit-test/utils/bin/do_symlinkat.c | 4 ++-- > audit-test/utils/run.bash | 8 ++++++-- > 27 files changed, 160 insertions(+), 73 deletions(-) > |
From: AKASHI T. <tak...@li...> - 2014-07-14 07:06:17
On 07/14/2014 10:22 AM, Linda Knippers wrote: > On 07/03/2014 03:45 AM, AKASHI Takahiro wrote: >> This patch allows the test suite to be run on aarch64 (or arm64 in kernel >> jargon) with 64-bit and 32-bit userspace. >> I successfully built and ran it on ARMv8 fast model. >> (but only against audit-test/syscalls and filter) > > Have you also run this on an x86 system? Most of the code changes > look safe but changes to augrok always concern me. Not yet. OK, I will try to run my next version on x86, too. -Takahiro AKASHI > -- ljk > >> >> AKASHI Takahiro (5): >> audit-test: use LSM_SELINUX instead of SUSE to work-around SE-Linux >> audit-test: handle __NR3264_xxx syscall definitions >> audit-test/syscalls: add aarch64 support >> audit-test/filter: add aarch64 support >> audit-test/syscalls: add arm support >> >> audit-test/filter/tests/test_auid.bash | 9 +++++++-- >> audit-test/filter/tests/test_class_attr.bash | 13 +++++++++++++ >> audit-test/filter/tests/test_dev_inode.bash | 11 ++++++++--- >> audit-test/filter/tests/test_success.bash | 6 +++++- >> audit-test/filter/tests/test_syscall.bash | 6 +++++- >> audit-test/filter/tests/test_type.bash | 9 +++++++-- >> audit-test/filter/tests/test_watch_dir_remove.bash | 20 ++++++++++++-------- >> audit-test/filter/tests/test_watch_open.bash | 10 ++++++++-- >> audit-test/filter/tests/test_watch_remove.bash | 4 ++++ >> audit-test/rules.mk | 20 ++++++++++++++------ >> audit-test/syscalls/cap-run.conf | 10 +++++----- >> audit-test/syscalls/dac-run.conf | 16 ++++++++-------- >> audit-test/syscalls/mac-run.conf | 16 ++++++++-------- >> audit-test/utils/Makefile | 4 ++++ >> audit-test/utils/augrok | 17 +++++++++++++++-- >> audit-test/utils/bin/Makefile | 14 +++++++++++--- >> audit-test/utils/bin/do_creat.c | 4 ++-- >> audit-test/utils/bin/do_mkdir.c | 4 ++-- >> audit-test/utils/bin/do_mkdirat.c | 4 ++-- >> audit-test/utils/bin/do_mknod.c | 4 ++-- >> audit-test/utils/bin/do_mknodat.c | 4 ++-- >> audit-test/utils/bin/do_mq_open.c | 4 
++-- >> audit-test/utils/bin/do_open.c | 4 ++-- >> audit-test/utils/bin/do_openat.c | 4 ++-- >> audit-test/utils/bin/do_symlink.c | 4 ++-- >> audit-test/utils/bin/do_symlinkat.c | 4 ++-- >> audit-test/utils/run.bash | 8 ++++++-- >> 27 files changed, 160 insertions(+), 73 deletions(-) >> > |
From: AKASHI T. <tak...@li...> - 2014-07-22 05:09:13
This patch allows the test suite to be run on aarch64 (or arm64 in kernel jargon) with 64-bit and 32-bit userspace. I successfully built and ran it on - ARMv8 fast model but only against audit-test/syscalls and filter, and so fixes here might be incomplete in the other categories (and on other architectures). See audit-test/Makefile, which is a bit messy in general. v2: * clean up the usages of macros, MACHINE, LSM_MACHINE and UTILS * cosmetic changes (indentation, splitting lines) for readability AKASHI Takahiro (5): audit-test: use LSM_SELINUX instead of SUSE to work-around SE-Linux audit-test: handle __NR3264_xxx syscall definitions audit-test/syscalls: add aarch64 support audit-test/filter: add aarch64 support audit-test/syscalls: add arm support audit-test/filter/run.conf | 2 ++ audit-test/filter/tests/test_auid.bash | 9 +++++-- audit-test/filter/tests/test_class_attr.bash | 28 +++++++++++++++----- audit-test/filter/tests/test_dev_inode.bash | 11 +++++--- audit-test/filter/tests/test_success.bash | 8 ++++-- audit-test/filter/tests/test_syscall.bash | 8 ++++-- audit-test/filter/tests/test_type.bash | 9 +++++-- audit-test/filter/tests/test_watch_dir_remove.bash | 20 ++++++++------ audit-test/filter/tests/test_watch_open.bash | 10 +++++-- audit-test/filter/tests/test_watch_remove.bash | 4 +++ audit-test/rules.mk | 11 +++++--- audit-test/syscalls/cap-run.conf | 15 +++++++---- audit-test/syscalls/dac-run.conf | 24 +++++++++++------ audit-test/syscalls/mac-run.conf | 24 +++++++++++------ audit-test/utils/Makefile | 2 ++ audit-test/utils/augrok | 17 ++++++++++-- audit-test/utils/bin/Makefile | 14 +++++++--- audit-test/utils/bin/do_creat.c | 4 +-- audit-test/utils/bin/do_mkdir.c | 4 +-- audit-test/utils/bin/do_mkdirat.c | 4 +-- audit-test/utils/bin/do_mknod.c | 4 +-- audit-test/utils/bin/do_mknodat.c | 4 +-- audit-test/utils/bin/do_mq_open.c | 4 +-- audit-test/utils/bin/do_open.c | 4 +-- audit-test/utils/bin/do_openat.c | 4 +-- audit-test/utils/bin/do_symlink.c | 4 
+-- audit-test/utils/bin/do_symlinkat.c | 4 +-- audit-test/utils/run.bash | 8 ++++-- 28 files changed, 184 insertions(+), 80 deletions(-) -- 1.7.9.5 |
From: AKASHI T. <tak...@li...> - 2014-07-22 05:09:20
Current makefile uses DISTRO(== SUSE) to keep SE-Linux related programs from being compiled and executed. This is incovenient for other ditributions or rootfs build tools, like Buildroot and OpenEmbedded. This patch introduces LSM_SELINUX instead to do the same thing. Signed-off-by: AKASHI Takahiro <tak...@li...>
---
 audit-test/filter/run.conf | 2 ++ audit-test/rules.mk | 9 +++++---- audit-test/utils/Makefile | 2 ++ audit-test/utils/bin/Makefile | 2 +- audit-test/utils/bin/do_creat.c | 4 ++-- audit-test/utils/bin/do_mkdir.c | 4 ++-- audit-test/utils/bin/do_mkdirat.c | 4 ++-- audit-test/utils/bin/do_mknod.c | 4 ++-- audit-test/utils/bin/do_mknodat.c | 4 ++-- audit-test/utils/bin/do_mq_open.c | 4 ++-- audit-test/utils/bin/do_open.c | 4 ++-- audit-test/utils/bin/do_openat.c | 4 ++-- audit-test/utils/bin/do_symlink.c | 4 ++-- audit-test/utils/bin/do_symlinkat.c | 4 ++-- audit-test/utils/run.bash | 8 ++++++-- 15 files changed, 36 insertions(+), 27 deletions(-)
diff --git a/audit-test/filter/run.conf b/audit-test/filter/run.conf
index 3ac111a..d5618d5 100644
--- a/audit-test/filter/run.conf
+++ b/audit-test/filter/run.conf
@@ -79,11 +79,13 @@ fi
 + class_write
 + class_exec
 + class_attr
+if [[ $LSM_SELNUX ]]; then
 + secontext subj_sen
 + secontext subj_clr
 + secontext subj_role
 + secontext obj_lev_low
 + secontext obj_lev_high_base
+fi
 if [[ $PPROFILE == lspp ]]; then
 + secontext obj_lev_high_mls
 fi
diff --git a/audit-test/rules.mk b/audit-test/rules.mk
index fd2f8a5..837d0ee 100644
--- a/audit-test/rules.mk
+++ b/audit-test/rules.mk
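Review bot: The new guard `if [[ $LSM_SELNUX ]]; then` misspells the variable (`LSM_SELNUX` instead of `LSM_SELINUX`), so the condition is always false and the five secontext tests it wraps are never selected, even on Fedora/RHEL where rules.mk exports `LSM_SELINUX`. Bash gives no hint, because an unset name simply expands to the empty string. The line should read `if [[ $LSM_SELINUX ]]; then`, and since run.conf is the only place in this series that spells the flag this way, a quick grep for `LSM_SEL` across the tree would catch any other copy of the typo.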
@@ -75,13 +75,14 @@ RELEASE = $(wildcard /etc/*-release)
 ifeq (SuSE, $(findstring SuSE, $(RELEASE)))
 CFLAGS +=-DSUSE
 export DISTRO=SUSE
-endif
-ifeq (fedora, $(findstring fedora, $(RELEASE)))
-CFLAGS +=-DFEDORA
+else ifeq (fedora, $(findstring fedora, $(RELEASE)))
+CFLAGS +="-DFEDORA -DLSM_SELINUX"
 export DISTRO=FEDORA
+export LSM_SELINUX
 else ifeq (redhat, $(findstring redhat, $(RELEASE)))
-CFLAGS +=-DRHEL
+CFLAGS +="-DRHEL -DLSM_SELINUX"
 export DISTRO=RHEL
+export LSM_SELINUX
 endif
 ifeq (s390x, $(findstring s390x, $(MACHINE)))
diff --git a/audit-test/utils/Makefile b/audit-test/utils/Makefile
index 489d98b..467469f 100644
--- a/audit-test/utils/Makefile
+++ b/audit-test/utils/Makefile
@@ -18,10 +18,12 @@ TOPDIR = ..
 UTILSDIR = .
 CPPFLAGS += -I$(UTILSDIR)/include
+ifdef LSM_SELINUX
 LDLIBS += -lselinux
 UTILS_EXE = test_context \
 test_setcon
+endif
 ALL_EXE = $(UTILS_EXE)
diff --git a/audit-test/utils/bin/Makefile b/audit-test/utils/bin/Makefile
index 098d46c..654ef9c 100644
--- a/audit-test/utils/bin/Makefile
+++ b/audit-test/utils/bin/Makefile
@@ -193,7 +193,7 @@ ALL_EXE += $(ONLY86_EXE)
 endif
 $(CAPS_EXE): LDLIBS += -lcap
-ifneq ($(DISTRO), SUSE)
+ifdef LSM_SELINUX
 $(CREATE_EXE): LDLIBS += -lselinux
 $(MQ_EXE): LDLIBS += -lrt -lselinux
 else
diff --git a/audit-test/utils/bin/do_creat.c b/audit-test/utils/bin/do_creat.c
index 85b31fb..81b0686 100644
--- a/audit-test/utils/bin/do_creat.c
+++ b/audit-test/utils/bin/do_creat.c
@@ -14,7 +14,7 @@
 */
 #include "includes.h"
-#ifndef SUSE
+#ifdef LSM_SELINUX
 #include <selinux/selinux.h>
 #endif
@@ -27,7 +27,7 @@ int main(int argc, char **argv)
 return 1;
 }
-#ifndef SUSE
+#ifdef LSM_SELINUX
 if ((argc > 2) && (setfscreatecon(argv[2]) < 0)) {
 perror("do_creat: setfscreatecon");
 return 1;
diff --git a/audit-test/utils/bin/do_mkdir.c b/audit-test/utils/bin/do_mkdir.c
index f06f394..d601903 100644
--- a/audit-test/utils/bin/do_mkdir.c
+++ b/audit-test/utils/bin/do_mkdir.c
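Review bot: `CFLAGS +="-DFEDORA -DLSM_SELINUX"` (and the RHEL line below it) keeps the double quotes inside the make variable, so when a recipe expands `$(CFLAGS)` the shell passes gcc a single argument `-DFEDORA -DLSM_SELINUX`; as far as I can tell that defines a macro named FEDORA with the body `-DLSM_SELINUX 1` and never defines `LSM_SELINUX`, which would make every `#ifdef LSM_SELINUX` added to the do_*.c files in this series compile the setfscreatecon() call out on exactly the distributions that are meant to have it. Dropping the quotes fixes it: `CFLAGS += -DFEDORA -DLSM_SELINUX` and `CFLAGS += -DRHEL -DLSM_SELINUX`. The value-less `export LSM_SELINUX` looks fragile for the same reason: I believe GNU make exports a variable that was never assigned as the empty string, and all consumers in this series (`ifdef LSM_SELINUX` in utils/Makefile and bin/Makefile, `[[ $LSM_SELINUX ]]` in run.conf and run.bash) treat an empty value as "off", so v1's explicit `export LSM_SELINUX=yes` was the safer form.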
@@ -14,7 +14,7 @@
 */
 #include "includes.h"
-#ifndef SUSE
+#ifdef LSM_SELINUX
 #include <selinux/selinux.h>
 #endif
@@ -27,7 +27,7 @@ int main(int argc, char **argv)
 return 1;
 }
-#ifndef SUSE
+#ifdef LSM_SELINUX
 if ((argc > 2) && (setfscreatecon(argv[2]) < 0)) {
 perror("do_mkdir: setfscreatecon");
 return 1;
diff --git a/audit-test/utils/bin/do_mkdirat.c b/audit-test/utils/bin/do_mkdirat.c
index 67d5ac9..5a6e54f 100644
--- a/audit-test/utils/bin/do_mkdirat.c
+++ b/audit-test/utils/bin/do_mkdirat.c
@@ -14,7 +14,7 @@
 */
 #include "includes.h"
-#ifndef SUSE
+#ifdef LSM_SELINUX
 #include <selinux/selinux.h>
 #endif
@@ -28,7 +28,7 @@ int main(int argc, char **argv)
 return TEST_ERROR;
 }
-#ifndef SUSE
+#ifdef LSM_SELINUX
 if ((argc > 3) && (setfscreatecon(argv[3]) < 0)) {
 perror("do_mkdirat: setfscreatecon");
 return TEST_ERROR;
diff --git a/audit-test/utils/bin/do_mknod.c b/audit-test/utils/bin/do_mknod.c
index 07ca554..c12c76d 100644
--- a/audit-test/utils/bin/do_mknod.c
+++ b/audit-test/utils/bin/do_mknod.c
@@ -14,7 +14,7 @@
 */
 #include "includes.h"
-#ifndef SUSE
+#ifdef LSM_SELINUX
 #include <selinux/selinux.h>
 #endif
@@ -27,7 +27,7 @@ int main(int argc, char **argv)
 return 1;
 }
-#ifndef SUSE
+#ifdef LSM_SELINUX
 if ((argc > 2) && (setfscreatecon(argv[2]) < 0)) {
 perror("do_mknod: setfscreatecon");
 return 1;
diff --git a/audit-test/utils/bin/do_mknodat.c b/audit-test/utils/bin/do_mknodat.c
index 5acb057..7e9ea2c 100644
--- a/audit-test/utils/bin/do_mknodat.c
+++ b/audit-test/utils/bin/do_mknodat.c
@@ -14,7 +14,7 @@
 */
 #include "includes.h"
-#ifndef SUSE
+#ifdef LSM_SELINUX
 #include <selinux/selinux.h>
 #endif
@@ -31,7 +31,7 @@ int main(int argc, char **argv)
 dir_fd = open(argv[1], O_DIRECTORY);
 if (dir_fd < 0) return TEST_ERROR;
-#ifndef SUSE
+#ifdef LSM_SELINUX
 if (argc == 4 && setfscreatecon(argv[3]) < 0) {
 perror("do_mknodat: setfscreatecon");
 return TEST_ERROR;
diff --git a/audit-test/utils/bin/do_mq_open.c b/audit-test/utils/bin/do_mq_open.c
index 25adc8b..8d0ec9d 100644
--- a/audit-test/utils/bin/do_mq_open.c
+++ b/audit-test/utils/bin/do_mq_open.c
@@ -15,7 +15,7 @@
 #include "includes.h"
 #include <mqueue.h>
-#ifndef SUSE
+#ifdef LSM_SELINUX
 #include <selinux/selinux.h>
 #endif
@@ -45,7 +45,7 @@ int main(int argc, char **argv)
 return 1;
 }
-#ifndef SUSE
+#ifdef LSM_SELINUX
 if ((argc > 3) && (setfscreatecon(argv[3]) < 0)) {
 perror("do_mq_open: setfscreatecon");
 return 1;
diff --git a/audit-test/utils/bin/do_open.c b/audit-test/utils/bin/do_open.c
index 1068461..781f6f9 100644
--- a/audit-test/utils/bin/do_open.c
+++ b/audit-test/utils/bin/do_open.c
@@ -14,7 +14,7 @@
 */
 #include "includes.h"
-#ifndef SUSE
+#ifdef LSM_SELINUX
 #include <selinux/selinux.h>
 #endif
@@ -46,7 +46,7 @@ int main(int argc, char **argv)
 return 1;
 }
-#ifndef SUSE
+#ifdef LSM_SELINUX
 if ((argc > 3) && (setfscreatecon(argv[3]) < 0)) {
 perror("do_open: setfscreatecon");
 return 1;
diff --git a/audit-test/utils/bin/do_openat.c b/audit-test/utils/bin/do_openat.c
index 43da725..6205406 100644
--- a/audit-test/utils/bin/do_openat.c
+++ b/audit-test/utils/bin/do_openat.c
@@ -14,7 +14,7 @@
 */
 #include "includes.h"
-#ifndef SUSE
+#ifdef LSM_SELINUX
 #include <selinux/selinux.h>
 #endif
@@ -53,7 +53,7 @@ int main(int argc, char **argv)
 perror("do_openat: open dirfd");
 return TEST_ERROR;
 }
-#ifndef SUSE
+#ifdef LSM_SELINUX
 if (argc == 5 && setfscreatecon(argv[4]) < 0) {
 perror("do_openat: setfscreatecon");
 return TEST_ERROR;
diff --git a/audit-test/utils/bin/do_symlink.c b/audit-test/utils/bin/do_symlink.c
index 75dfe0b..d902493 100644
--- a/audit-test/utils/bin/do_symlink.c
+++ b/audit-test/utils/bin/do_symlink.c
@@ -14,7 +14,7 @@
 */
 #include "includes.h"
-#ifndef SUSE
+#ifdef LSM_SELINUX
 #include <selinux/selinux.h>
 #endif
@@ -27,7 +27,7 @@ int main(int argc, char **argv)
 return 1;
 }
-#ifndef SUSE
+#ifdef LSM_SELINUX
 if ((argc > 3) && (setfscreatecon(argv[3]) < 0)) {
 perror("do_symlink: setfscreatecon");
 return 1;
diff --git a/audit-test/utils/bin/do_symlinkat.c b/audit-test/utils/bin/do_symlinkat.c
index 9e67a28..1829dcf 100644
--- a/audit-test/utils/bin/do_symlinkat.c
+++ b/audit-test/utils/bin/do_symlinkat.c
@@ -15,7 +15,7 @@
 */
 #include "includes.h"
-#ifndef SUSE
+#ifdef LSM_SELINUX
 #include <selinux/selinux.h>
 #endif
@@ -32,7 +32,7 @@ int main(int argc, char **argv)
 dir_fd = open(argv[1], O_DIRECTORY);
 if (dir_fd < 0) return TEST_ERROR;
-#ifndef SUSE
+#ifdef LSM_SELINUX
 if (argc == 5 && setfscreatecon(argv[4]) < 0) {
 perror("do_symlinkat: setfscreatecon");
 return TEST_ERROR;
diff --git a/audit-test/utils/run.bash b/audit-test/utils/run.bash
index a2a5da6..ce2203a 100755
--- a/audit-test/utils/run.bash
+++ b/audit-test/utils/run.bash
@@ -463,11 +463,15 @@ function show_header {
 printf "%-32s %s\n" Mode: "${MODE:-(native)}"
 printf "%-32s %s\n" Hostname: "$(uname -n)"
 printf "%-32s %s\n" Profile: "$PPROFILE"
- printf "%-32s %s\n" "selinux-policy version:" "$(rpm -q selinux-policy)"
+ if [[ $LSM_SELINUX ]] ; then
+ printf "%-32s %s\n" "selinux-policy version:" "$(rpm -q selinux-policy)"
+ fi
 if [[ $PPROFILE == lspp ]] ; then
 printf "%-32s %s\n" "lspp_test policy version:" "$(semodule -l | grep lspp_test | awk '{print $2}')"
 fi
- printf "\n%s\n" "$(sestatus)"
+ if [[ $LSM_SELINUX ]] ; then
+ printf "\n%s\n" "$(sestatus)"
+ fi
 echo
 } | tee $opt_logdir/$header_log
 }
-- 1.7.9.5 |
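Review bot: The first new guard in show_header ties `rpm -q selinux-policy` to `$LSM_SELINUX`, but this series introduces that flag precisely so that non-RPM builds (Buildroot, OpenEmbedded are named in the cover letter) can enable the SELinux tests; on such a system with the flag set, the header would print an rpm error instead of a policy version. Keeping the package query on an RPM-specific condition is more accurate, e.g. `if [[ $LSM_SELINUX ]] && command -v rpm >/dev/null ; then`, while the `sestatus` guard below is fine as written. show_header itself starts before the hunk.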
From: AKASHI T. <tak...@li...> - 2014-07-22 05:09:25
On some architectures including arm64, system call numbers are defined in /usr/include/asm-generic/unistd.h. This file contains irregular style of definitions like #define __NR3264_truncate 45 #define __NR_truncate __NR3264_truncate (In fact, it's more complicated.) This patch takes care of such cases. Signed-off-by: AKASHI Takahiro <tak...@li...>
---
 audit-test/utils/augrok | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-)
diff --git a/audit-test/utils/augrok b/audit-test/utils/augrok
index 08f731a..c309d4f 100755
--- a/audit-test/utils/augrok
+++ b/audit-test/utils/augrok
@@ -113,8 +113,12 @@ sub new {
 open(S, "gcc $m32 -E -dM /usr/include/syscall.h |") or die;
 my $line;
 while (defined($line = <S>)) {
- next unless $line =~ /^#define\s+__NR_(\w+)\s+(\w+|\(.*?\))/;
- $singleton->{$1} = $2;
+ if ($line =~ /^#define\s+__NR_(\w+)\s+(\w+|\(.*?\))/) {
+ $singleton->{$1} = $2;
+ }
+ if ($line =~ /^#define\s+__NR3264_(\w+)\s+(\w+|\(.*?\))/) {
+ $singleton->{"3264_$1"} = $2;
+ }
 }
 close S;
@@ -139,6 +143,13 @@ sub new {
 $changed = 1;
 }
+ #define __NR_truncate __NR3264_truncate
+ if ($v =~ /^__NR3264_(\w+)$/ and
+ defined($new_v = $singleton->{"3264_$1"})) {
+ $singleton->{$k} = $new_v;
+ $changed = 1;
+ }
+
 # don't know how to handle this, hope it wasn't important
 else {
 print STDERR "Removing syscall{$k} = $v\n" if $opt{'debug'};
-- 1.7.9.5 |
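Review bot: In the second hunk the new `if ($v =~ /^__NR3264_(\w+)$/ and ...)` block is spliced between the closing `}` of the previous branch and the existing `else`, so the `else` now belongs to the new `if` rather than to whatever chain ended at that `}`. The effect is that whenever the earlier branch matched (its `$changed = 1;` is the first context line of the hunk) and `$v` is not a `__NR3264_` alias, control falls into `else` and the entry that was just resolved is reported as "Removing syscall" (and presumably dropped, though the deletion itself is outside the hunk). The chain starts before the hunk so I cannot see its shape, but if that `}` closes an `if`/`elsif` branch the `else` used to terminate, the fix is to write `elsif ($v =~ /^__NR3264_(\w+)$/ and` so the new case joins the chain instead of splitting it.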