From: Jiri J. <jja...@re...> - 2014-07-11 13:43:19
On 07/11/2014 03:20 PM, AKASHI Takahiro wrote:
> On 07/11/2014 01:49 PM, Jiri Jaburek wrote:
>> On 07/03/2014 09:45 AM, AKASHI Takahiro wrote:
>>> On arm64/aarch64, some system calls are implemented in glibc using other
>>> primitive system calls, say open() vs. openat(). Therefore, audit logs
>>> have only records for primitive ones.
>>>
>>> This patch adds work-arounds for these cases.
>>>
>>> Signed-off-by: AKASHI Takahiro <tak...@li...>
>>> ---
>>> audit-test/filter/tests/test_auid.bash | 9 +++++++--
>>> audit-test/filter/tests/test_class_attr.bash | 13 +++++++++++++
>>> audit-test/filter/tests/test_dev_inode.bash | 11 ++++++++---
>>> audit-test/filter/tests/test_success.bash | 6 +++++-
>>> audit-test/filter/tests/test_syscall.bash | 6 +++++-
>>> audit-test/filter/tests/test_type.bash | 9 +++++++--
>>> audit-test/filter/tests/test_watch_dir_remove.bash | 20 ++++++++++++--------
>>> audit-test/filter/tests/test_watch_open.bash | 10 ++++++++--
>>> audit-test/filter/tests/test_watch_remove.bash | 4 ++++
>>> audit-test/rules.mk | 6 ++++--
>>> 10 files changed, 73 insertions(+), 21 deletions(-)
>>>
>>> diff --git a/audit-test/filter/tests/test_auid.bash b/audit-test/filter/tests/test_auid.bash
>>> index c165cf3..63098b7 100755
>>> --- a/audit-test/filter/tests/test_auid.bash
>>> +++ b/audit-test/filter/tests/test_auid.bash
>>> @@ -33,8 +33,13 @@ do_open_file $tmp1
>>> augrok --seek=$log_mark "name==$tmp1" "auid==$user_auid" \
>>> && exit_error "Unexpected record found."
>>>
>>> -auditctl -a exit,always -F arch=b$MODE -S open -F auid=$user_auid
>>> -prepend_cleanup "auditctl -d exit,always -F arch=b$MODE -S open -F auid=$user_auid"
>>> +if [ ${MACHINE} = "aarch64" ]; then
>>> +syscall_name="openat"
>>> +else
>>> +syscall_name="open"
>>> +fi
>>> +auditctl -a exit,always -F arch=b$MODE -S $syscall_name -F auid=$user_auid
>>> +prepend_cleanup "auditctl -d exit,always -F arch=b$MODE -S $syscall_name -F auid=$user_auid"
>>>
>>> # audit log marker
>>> log_mark=$(stat -c %s $audit_log)
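Review bot: `[ ${MACHINE} = "aarch64" ]` leaves $MACHINE unquoted, so when MACHINE is not in the environment (a test run directly rather than through `make run`, which is where this patch exports it) the test collapses to `[ = "aarch64" ]` and fails with a syntax error instead of taking the `open` branch; `[ "${MACHINE}" = "aarch64" ]` avoids that. The same five-line if/else is pasted into each test file below; one helper in filter_functions.bash that maps open to openat (and the other pairs) on aarch64 would keep all the tests in sync.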
>>> diff --git a/audit-test/filter/tests/test_class_attr.bash b/audit-test/filter/tests/test_class_attr.bash
>>> index 687b3d9..2be24dc 100755
>>> --- a/audit-test/filter/tests/test_class_attr.bash
>>> +++ b/audit-test/filter/tests/test_class_attr.bash
>>> @@ -32,15 +32,28 @@ log_mark=$(stat -c %s $audit_log)
>>>
>>> # test
>>> do_chmod $watch 777
>>> +if [ ${MACHINE} = "aarch64" ]; then
>>> +do_fchownat $(dirname $watch) $(basename $watch) root
>>
>> I have a patch staged for review that implements AT_FDCWD to all *at
>> syscall wrappers, simplifying this case somewhat.
>
> Sounds cool.
> Are you going to have a definition like
> MACH_AT_FDCWD = aarch64 ...
> or manage it somehow automatically?
Not sure at this point, but at least the dirname/basename hack
won't be necessary.
>
> -Takahiro AKASHI
>
>> This is just a reminder to myself to cleanup this piece of code once
>> the patch is upstream.
>
>>> +else
>>> do_chown $watch root
>>> +fi
>>> do_unlink $watch
>>>
>>> # verify audit record
>>> +if [ ${MACHINE} = "aarch64" ]; then
>>> +augrok --seek=$log_mark type==SYSCALL syscall==fchmodat name==$watch \
>>> + || exit_fail "Expected record for 'chmod' not found."
>>> +augrok --seek=$log_mark type==SYSCALL syscall==fchownat name==$(basename $watch) \
>>> + || exit_fail "Expected record for 'chown' not found."
>>> +augrok --seek=$log_mark type==SYSCALL syscall==unlinkat name==$watch \
>>> + && exit_fail "Unexpected record for 'unlink' found."
I noticed you rely on glibc to use fchmodat/unlinkat for chmod(2) and
unlink(2) (which fails to automatically use fchownat on chown(2)).
This might not be the best idea for the future in terms of code
consistency; we're using syscall(__NR_*) for new syscall wrappers and
doing conditions elsewhere (in tests, but #ifdef in the wrappers would
work as well).
The point is that trusting glibc to call the relevant syscalls is not
a good idea, i.e. fork(), getpid(), etc.
Meaning that something along the lines of
diff --git a/audit-test/filter/tests/test_class_attr.bash
b/audit-test/filter/tests/test_class_attr.bash
index 687b3d9..975794d 100755
--- a/audit-test/filter/tests/test_class_attr.bash
+++ b/audit-test/filter/tests/test_class_attr.bash
@@ -31,16 +31,28 @@ prepend_cleanup "auditctl -d exit,always -F
path=$watch -F perm=a"
log_mark=$(stat -c %s $audit_log)
# test
-do_chmod $watch 777
-do_chown $watch root
-do_unlink $watch
-
-# verify audit record
-augrok --seek=$log_mark type==SYSCALL syscall==chmod name==$watch \
- || exit_fail "Expected record for 'chmod' not found."
-augrok --seek=$log_mark type==SYSCALL syscall==chown name==$watch \
- || exit_fail "Expected record for 'chown' not found."
-augrok --seek=$log_mark type==SYSCALL syscall==unlink name==$watch \
- && exit_fail "Unexpected record for 'unlink' found."
+if [ ${MACHINE} = "aarch64" ]; then
+ do_fchmodat AT_FDCWD $watch 777
+ do_fchownat AT_FDCWD $watch root
+ do_unlinkat AT_FDCWD $watch
+
+ augrok --seek=$log_mark type==SYSCALL syscall==fchmodat
name==$watch \
+ || exit_fail "Expected record for 'fchmodat' not found."
+ augrok --seek=$log_mark type==SYSCALL syscall==fchownat
name==$watch \
+ || exit_fail "Expected record for 'fchownat' not found."
+ augrok --seek=$log_mark type==SYSCALL syscall==unlinkat
name==$watch \
+ && exit_fail "Unexpected record for 'unlinkat' found."
+else
+ do_chmod $watch 777
+ do_chown $watch root
+ do_unlink $watch
+
+ augrok --seek=$log_mark type==SYSCALL syscall==chmod name==$watch \
+ || exit_fail "Expected record for 'chmod' not found."
+ augrok --seek=$log_mark type==SYSCALL syscall==chown name==$watch \
+ || exit_fail "Expected record for 'chown' not found."
+ augrok --seek=$log_mark type==SYSCALL syscall==unlink name==$watch \
+ && exit_fail "Unexpected record for 'unlink' found."
+fi
exit_pass
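Review bot: the three augrok lines at `syscall==fchmodat`, `syscall==fchownat` and `syscall==unlinkat` have been wrapped by the mail client (the `name==$watch \` continuation landed on a line of its own), so this diff will not apply as pasted. Otherwise the structure is sound; the two branches could share the augrok checks by setting the expected syscall names (chmod vs fchmodat, chown vs fchownat, unlink vs unlinkat) in the if/else and running one set of checks against those variables, which also keeps the exit_fail messages accurate on both arches.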
might be a better idea (in the future).
>>> +else
>>> augrok --seek=$log_mark type==SYSCALL syscall==chmod name==$watch \
>>> || exit_fail "Expected record for 'chmod' not found."
>>> augrok --seek=$log_mark type==SYSCALL syscall==chown name==$watch \
>>> || exit_fail "Expected record for 'chown' not found."
>>> augrok --seek=$log_mark type==SYSCALL syscall==unlink name==$watch \
>>> && exit_fail "Unexpected record for 'unlink' found."
>>> +fi
>>>
>>> exit_pass
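Review bot: the three augrok checks in the aarch64 branch do not agree with each other: the fchmodat and unlinkat checks expect name==$watch while the fchownat check expects name==$(basename $watch), a consequence of calling do_fchownat with dirname/basename rather than a full path. If the wrappers gain AT_FDCWD support this expectation must change too, so it is worth a comment. Please also make the exit_fail messages name the syscall actually checked ('fchmodat', 'fchownat'), so a failure on aarch64 is not reported as a missing 'chmod' record.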
>>> diff --git a/audit-test/filter/tests/test_dev_inode.bash b/audit-test/filter/tests/test_dev_inode.bash
>>> index 30ea580..4611cfa 100755
>>> --- a/audit-test/filter/tests/test_dev_inode.bash
>>> +++ b/audit-test/filter/tests/test_dev_inode.bash
>>> @@ -34,11 +34,16 @@ minor=$((0x$minor))
>>> event_obj=$(get_event_obj $1)
>>> [[ $event_obj != $tmp1 ]] && prepend_cleanup "rm -f $event_obj"
>>>
>>> -auditctl -a exit,always -F arch=b$MODE -S open -F key=$tmp1 \
>>> - -F inode=$inode -F devmajor=$major -F devminor=$minor
>>> +if [ ${MACHINE} = "aarch64" ]; then
>>> +syscall_name="openat"
>>> +else
>>> +syscall_name="open"
>>> +fi
>>>
>>> +auditctl -a exit,always -F arch=b$MODE -S $syscall_name -F key=$tmp1 \
>>> + -F inode=$inode -F devmajor=$major -F devminor=$minor
>>> prepend_cleanup "
>>> -auditctl -d exit,always -F arch=b$MODE -S open -F key=$tmp1 \
>>> +auditctl -d exit,always -F arch=b$MODE -S $syscall_name -F key=$tmp1 \
>>> -F inode=$inode -F devmajor=$major -F devminor=$minor"
>>>
>>> log_mark=$(stat -c %s $audit_log)
>>> diff --git a/audit-test/filter/tests/test_success.bash b/audit-test/filter/tests/test_success.bash
>>> index 497959b..a54c36e 100755
>>> --- a/audit-test/filter/tests/test_success.bash
>>> +++ b/audit-test/filter/tests/test_success.bash
>>> @@ -21,7 +21,11 @@
>>> source filter_functions.bash || exit 2
>>>
>>> # setup
>>> +if [ ${MACHINE} = "aarch64" ]; then
>>> +syscall_name="openat"
>>> +else
>>> syscall_name="open"
>>> +fi
>>> syscall_num=$(augrok --resolve $syscall_name) \
>>> || exit_error "unable to determine the syscall number for $syscall_name"
>>>
>>> @@ -37,7 +41,7 @@ case $op in
>>> ;;
>>> *) exit_fail "unknown test operation" ;;
>>> esac
>>> -filter_rule="exit,always -F arch=b$MODE -S open"
>>> +filter_rule="exit,always -F arch=b$MODE -S $syscall_name"
>>>
>>> auditctl -a $filter_rule $filter_field
>>> prepend_cleanup "auditctl -d $filter_rule $filter_field"
>>> diff --git a/audit-test/filter/tests/test_syscall.bash b/audit-test/filter/tests/test_syscall.bash
>>> index 8159b92..fc5934b 100755
>>> --- a/audit-test/filter/tests/test_syscall.bash
>>> +++ b/audit-test/filter/tests/test_syscall.bash
>>> @@ -21,13 +21,17 @@
>>> source filter_functions.bash || exit 2
>>>
>>> # setup
>>> +if [ ${MACHINE} = "aarch64" ]; then
>>> +syscall_name="openat"
>>> +else
>>> syscall_name="open"
>>> +fi
>>> syscall_num=$(augrok --resolve $syscall_name) \
>>> || exit_error "unable to determine the syscall number for $syscall_name"
>>>
>>> op=$1
>>> case $op in
>>> - name) filter_rule="exit,always -F arch=b$MODE -S open" ;;
>>> + name) filter_rule="exit,always -F arch=b$MODE -S $syscall_name" ;;
>>> number) filter_rule="exit,always -S $syscall_num";;
>>> *) exit_fail "unknown test operation" ;;
>>> esac
>>> diff --git a/audit-test/filter/tests/test_type.bash b/audit-test/filter/tests/test_type.bash
>>> index 16c63f4..450c926 100755
>>> --- a/audit-test/filter/tests/test_type.bash
>>> +++ b/audit-test/filter/tests/test_type.bash
>>> @@ -27,10 +27,15 @@ source filter_functions.bash || exit 2
>>>
>>> # setup
>>> user_auid=$(cat /proc/self/loginuid)
>>> +if [ ${MACHINE} = "aarch64" ]; then
>>> +syscall_name="openat"
>>> +else
>>> +syscall_name="open"
>>> +fi
>>>
>>> # setup auditctl
>>> -auditctl -a exit,always -F arch=b$MODE -S open -F auid=$user_auid
>>> -prepend_cleanup "auditctl -d exit,always -F arch=b$MODE -S open -F auid=$user_auid"
>>> +auditctl -a exit,always -F arch=b$MODE -S $syscall_name -F auid=$user_auid
>>> +prepend_cleanup "auditctl -d exit,always -F arch=b$MODE -S $syscall_name -F auid=$user_auid"
>>>
>>> # audit log marker
>>> log_mark=$(stat -c %s $audit_log)
>>> diff --git a/audit-test/filter/tests/test_watch_dir_remove.bash b/audit-test/filter/tests/test_watch_dir_remove.bash
>>> index bbdd9fb..fbb54b8 100755
>>> --- a/audit-test/filter/tests/test_watch_dir_remove.bash
>>> +++ b/audit-test/filter/tests/test_watch_dir_remove.bash
>>> @@ -28,24 +28,28 @@ tmpd=$(mktemp -d) || exit_fail "create tempdir failed"
>>> watch="$tmpd"
>>> name="$tmpd/foo"
>>>
>>> -auditctl -a exit,always -F arch=b$MODE -S $op -F path=$watch
>>> -auditctl -a exit,always -F arch=b$MODE -S $opat -F path=$watch
>>> -
>>> -prepend_cleanup "
>>> - auditctl -d exit,always -F arch=b$MODE -S $op -F path=$watch
>>> - auditctl -d exit,always -F arch=b$MODE -S $opat -F path=$watch
>>> - rm -rf $tmpd"
>>> -
>>> case $op in
>>> rename) touch $name
>>> gen_audit_event="mv $tmp1 $name" ;;
>>> rmdir) mkdir $name
>>> + if [ ${MACHINE} = "aarch64" ]; then
>>> + op="unlink";
>>> + opat="unlinkat";
>>> + fi
>>> gen_audit_event="rmdir $name" ;;
>>> unlink) touch $name
>>> gen_audit_event="rm $name" ;;
>>> *) exit_fail "unknown test operation: $op" ;;
>>> esac
>>>
>>> +auditctl -a exit,always -F arch=b$MODE -S $op -F path=$watch
>>> +auditctl -a exit,always -F arch=b$MODE -S $opat -F path=$watch
>>> +
>>> +prepend_cleanup "
>>> + auditctl -d exit,always -F arch=b$MODE -S $op -F path=$watch
>>> + auditctl -d exit,always -F arch=b$MODE -S $opat -F path=$watch
>>> + rm -rf $tmpd"
>>> +
>>> log_mark=$(stat -c %s $audit_log)
>>>
>>> # test
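Review bot: reassigning `op` inside the `rmdir)` case means everything after the case sees op=unlink on aarch64 for what is still an rmdir test, including the `-d` cleanup rule and anything later keyed on $op; a separate variable for the syscall name, leaving $op as the operation under test, would be clearer. The trailing `;` after the two assignments is redundant in bash. It is also worth confirming that `auditctl -a ... -S unlink -F arch=b$MODE` is accepted on aarch64 at all; if the kernel there has only unlinkat, that first `auditctl -a` line fails and only the `-S $opat` rule is what matters.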
>>> diff --git a/audit-test/filter/tests/test_watch_open.bash b/audit-test/filter/tests/test_watch_open.bash
>>> index 525ac31..c357a81 100755
>>> --- a/audit-test/filter/tests/test_watch_open.bash
>>> +++ b/audit-test/filter/tests/test_watch_open.bash
>>> @@ -29,8 +29,14 @@ watch=$tmp1
>>> event_obj=$(get_event_obj $1)
>>> [[ $event_obj != $watch ]] && prepend_cleanup "rm -f $event_obj"
>>>
>>> -auditctl -a exit,always -F arch=b$MODE -S open -F key=$watch -F path=$watch
>>> -prepend_cleanup "auditctl -d exit,always -F arch=b$MODE -S openat -F key=$watch -F path=$watch"
>>> +if [ ${MACHINE} = "aarch64" ]; then
>>> +syscall_name="openat"
>>> +else
>>> +syscall_name="open"
>>> +fi
>>> +
>>> +auditctl -a exit,always -F arch=b$MODE -S $syscall_name -F key=$watch -F path=$watch
>>> +prepend_cleanup "auditctl -d exit,always -F arch=b$MODE -S $syscall_name -F key=$watch -F path=$watch"
>>>
>>> # test open with O_CREAT|O_RDONLY; verify audit record
>>> log_mark=$(stat -c %s $audit_log)
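Review bot: the removed lines show a pre-existing mismatch, the `-a` rule used `-S open` while the `-d` cleanup used `-S openat`, so on x86 the rule was never actually deleted at cleanup. This hunk fixes that as a side effect of introducing $syscall_name; that deserves a sentence in the commit message so the behaviour change is not lost.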
>>> diff --git a/audit-test/filter/tests/test_watch_remove.bash b/audit-test/filter/tests/test_watch_remove.bash
>>> index 2e00a50..97cd1ff 100755
>>> --- a/audit-test/filter/tests/test_watch_remove.bash
>>> +++ b/audit-test/filter/tests/test_watch_remove.bash
>>> @@ -30,6 +30,10 @@ case $op in
>>> unlink) touch $name
>>> gen_audit_event="rm $name" ;;
>>> rmdir) mkdir $name
>>> + if [ ${MACHINE} = "aarch64" ]; then
>>> + op="unlink";
>>> + opat="unlinkat";
>>> + fi
>>> gen_audit_event="rmdir $name" ;;
>>> rename) touch $name
>>> gen_audit_event="mv $tmp1 $name" ;;
>>> diff --git a/audit-test/rules.mk b/audit-test/rules.mk
>>> index 25c9758..4af7c13 100644
>>> --- a/audit-test/rules.mk
>>> +++ b/audit-test/rules.mk
>>> @@ -186,13 +186,15 @@ run.bash:
>>> [[ -f run.bash ]] || ln -sfn $(TOPDIR)/utils/run.bash run.bash
>>>
>>> run: all
>>> - @$(check_set_PPROFILE); \
>>> + @export MACHINE=$(MACHINE); \
>>> + $(check_set_PPROFILE); \
>>> $(check_set_PASSWD); \
>>> ./run.bash --header; \
>>> ./run.bash
>>>
>>> rerun: all
>>> - @$(check_set_PPROFILE); \
>>> + @export MACHINE=$(MACHINE); \
>>> + $(check_set_PPROFILE); \
>>> $(check_set_PASSWD); \
>>> ./run.bash --rerun
>>> endif
>>>
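Review bot: `export MACHINE=$(MACHINE)` relies on MACHINE being set somewhere else in the makefiles, and nothing in this patch defines it or documents where it comes from; a default such as `MACHINE ?= $(shell uname -m)` near the top of rules.mk (or a comment pointing at its definition) would make the aarch64 branches in the tests discoverable, and would also cover the case where the tests are run without `make`, since every test compares against it.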
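As an added example (not audit-test project code, and not from either participant) of the wrapper style Jiri describes above: the raw system call is issued with syscall(__NR_*) under an #ifdef, so the test rather than glibc decides which syscall is audited, and the wrapper reports the name to put in the auditctl rule. It assumes Linux headers; the function names are hypothetical.

```c
/* Added example, not audit-test project code: wrappers that issue the raw
 * system call via syscall(__NR_*) under #ifdef, as Jiri suggests, so the
 * test (not glibc) decides which syscall name the audit rule must carry.
 * Assumes Linux; on arm64 __NR_open/__NR_unlink are absent and only the
 * *at variants exist (the case in the thread). Names are hypothetical. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/syscall.h>

/* Name for `auditctl -S` so the rule matches the syscall raw_open issues. */
const char *raw_open_syscall_name(void)
{
#ifdef __NR_open
    return "open";
#else
    return "openat";
#endif
}

/* open(2) without glibc: returns an fd, or -1 with errno set. */
int raw_open(const char *path, int flags, mode_t mode)
{
#ifdef __NR_open
    return (int)syscall(__NR_open, path, flags, mode);
#else
    /* No legacy open here; openat relative to the cwd is what glibc would
     * have issued, but now the test states it explicitly. */
    return (int)syscall(__NR_openat, AT_FDCWD, path, flags, mode);
#endif
}

/* unlink(2) without glibc; collapses to unlinkat on arm64, the same
 * mapping the patch applies for the unlink/rmdir watch tests. */
int raw_unlink(const char *path)
{
#ifdef __NR_unlink
    return (int)syscall(__NR_unlink, path);
#else
    return (int)syscall(__NR_unlinkat, AT_FDCWD, path, 0);
#endif
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/dev/null";
    int fd = raw_open(path, O_RDONLY, 0);
    if (fd < 0) { perror("raw_open"); return 1; }
    close(fd);
    printf("opened %s; audit rule needs: -S %s\n", path, raw_open_syscall_name());
    return 0;
}
```

Building the `-S` argument from raw_open_syscall_name() keeps the rule and the issued syscall in step on every arch, which is the duplication the per-test if/else blocks in the patch are working around.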