c97304110a
This makes the `kyua report --verbose` output a lot easier to parse when looking at failed tests. It also fixes the closefrom() test since I tested my changes with this commit but forgot to push it together withfa32350347. Fixes:fa32350347("close_range: add audit support")
332 lines
10 KiB
C
332 lines
10 KiB
C
/*-
|
|
* Copyright 2018 Aniket Pandey
|
|
*
|
|
* Redistribution and use in source and binary forms, with or without
|
|
* modification, are permitted provided that the following conditions
|
|
* are met:
|
|
* 1. Redistributions of source code must retain the above copyright
|
|
* notice, this list of conditions and the following disclaimer.
|
|
* 2. Redistributions in binary form must reproduce the above copyright
|
|
* notice, this list of conditions and the following disclaimer in the
|
|
* documentation and/or other materials provided with the distribution.
|
|
*
|
|
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
|
|
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
|
|
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|
* SUCH DAMAGE.
|
|
*
|
|
* $FreeBSD$
|
|
*/
|
|
|
|
#include <sys/types.h>
|
|
#include <sys/extattr.h>
|
|
#include <sys/ioctl.h>
|
|
|
|
#include <bsm/libbsm.h>
|
|
#include <bsm/auditd_lib.h>
|
|
#include <security/audit/audit_ioctl.h>
|
|
|
|
#include <atf-c.h>
|
|
#include <errno.h>
|
|
#include <fcntl.h>
|
|
#include <stdlib.h>
|
|
#include <string.h>
|
|
#include <time.h>
|
|
#include <unistd.h>
|
|
|
|
#include "utils.h"
|
|
|
|
/*
|
|
* Checks the presence of "auditregex" in auditpipe(4) after the
|
|
* corresponding system call has been triggered.
|
|
*/
|
|
static bool
|
|
get_records(const char *auditregex, FILE *pipestream)
|
|
{
|
|
uint8_t *buff;
|
|
tokenstr_t token;
|
|
ssize_t size = 1024;
|
|
char membuff[size];
|
|
char del[] = ",";
|
|
int reclen, bytes = 0;
|
|
FILE *memstream;
|
|
|
|
/*
|
|
* Open a stream on 'membuff' (address to memory buffer) for storing
|
|
* the audit records in the default mode.'reclen' is the length of the
|
|
* available records from auditpipe which is passed to the functions
|
|
* au_fetch_tok(3) and au_print_flags_tok(3) for further use.
|
|
*/
|
|
ATF_REQUIRE((memstream = fmemopen(membuff, size, "w")) != NULL);
|
|
ATF_REQUIRE((reclen = au_read_rec(pipestream, &buff)) != -1);
|
|
|
|
/*
|
|
* Iterate through each BSM token, extracting the bits that are
|
|
* required to start processing the token sequences.
|
|
*/
|
|
while (bytes < reclen) {
|
|
if (au_fetch_tok(&token, buff + bytes, reclen - bytes) == -1) {
|
|
perror("au_read_rec");
|
|
atf_tc_fail("Incomplete Audit Record");
|
|
}
|
|
|
|
/* Print the tokens as they are obtained, in the default form */
|
|
au_print_flags_tok(memstream, &token, del, AU_OFLAG_NONE);
|
|
fputc(',', memstream);
|
|
bytes += token.len;
|
|
}
|
|
|
|
free(buff);
|
|
ATF_REQUIRE_EQ(0, fclose(memstream));
|
|
return (atf_utils_grep_string("%s", membuff, auditregex));
|
|
}
|
|
|
|
/*
|
|
* Override the system-wide audit mask settings in /etc/security/audit_control
|
|
* and set the auditpipe's maximum allowed queue length limit
|
|
*/
|
|
static void
|
|
set_preselect_mode(int filedesc, au_mask_t *fmask)
|
|
{
|
|
int qlimit_max;
|
|
int fmode = AUDITPIPE_PRESELECT_MODE_LOCAL;
|
|
|
|
/* Set local preselection mode for auditing */
|
|
if (ioctl(filedesc, AUDITPIPE_SET_PRESELECT_MODE, &fmode) < 0)
|
|
atf_tc_fail("Preselection mode: %s", strerror(errno));
|
|
|
|
/* Set local preselection flag corresponding to the audit_event */
|
|
if (ioctl(filedesc, AUDITPIPE_SET_PRESELECT_FLAGS, fmask) < 0)
|
|
atf_tc_fail("Preselection flag: %s", strerror(errno));
|
|
|
|
/* Set local preselection flag for non-attributable audit_events */
|
|
if (ioctl(filedesc, AUDITPIPE_SET_PRESELECT_NAFLAGS, fmask) < 0)
|
|
atf_tc_fail("Preselection naflag: %s", strerror(errno));
|
|
|
|
/* Query the maximum possible queue length limit for auditpipe */
|
|
if (ioctl(filedesc, AUDITPIPE_GET_QLIMIT_MAX, &qlimit_max) < 0)
|
|
atf_tc_fail("Query max-limit: %s", strerror(errno));
|
|
|
|
/* Set the queue length limit as obtained from previous step */
|
|
if (ioctl(filedesc, AUDITPIPE_SET_QLIMIT, &qlimit_max) < 0)
|
|
atf_tc_fail("Set max-qlimit: %s", strerror(errno));
|
|
|
|
/* This removes any outstanding record on the auditpipe */
|
|
if (ioctl(filedesc, AUDITPIPE_FLUSH) < 0)
|
|
atf_tc_fail("Auditpipe flush: %s", strerror(errno));
|
|
}
|
|
|
|
/*
|
|
* Get the corresponding audit_mask for class-name "name" then set the
|
|
* success and failure bits for fmask to be used as the ioctl argument
|
|
*/
|
|
static au_mask_t
|
|
get_audit_mask(const char *name)
|
|
{
|
|
au_mask_t fmask;
|
|
au_class_ent_t *class;
|
|
|
|
ATF_REQUIRE((class = getauclassnam(name)) != NULL);
|
|
fmask.am_success = class->ac_class;
|
|
fmask.am_failure = class->ac_class;
|
|
return (fmask);
|
|
}
|
|
|
|
/*
|
|
* Loop until the auditpipe returns something, check if it is what
|
|
* we want, else repeat the procedure until ppoll(2) times out.
|
|
*/
|
|
static void
|
|
check_auditpipe(struct pollfd fd[], const char *auditregex, FILE *pipestream)
|
|
{
|
|
struct timespec currtime, endtime, timeout;
|
|
|
|
/* Set the expire time for poll(2) while waiting for syscall audit */
|
|
ATF_REQUIRE_EQ(0, clock_gettime(CLOCK_MONOTONIC, &endtime));
|
|
/* Set limit to 30 seconds total and ~10s without an event. */
|
|
endtime.tv_sec += 30;
|
|
|
|
for (;;) {
|
|
/* Update the time left for auditpipe to return any event */
|
|
ATF_REQUIRE_EQ(0, clock_gettime(CLOCK_MONOTONIC, &currtime));
|
|
timespecsub(&endtime, &currtime, &timeout);
|
|
timeout.tv_sec = MIN(timeout.tv_sec, 9);
|
|
if (timeout.tv_sec < 0) {
|
|
atf_tc_fail("%s not found in auditpipe within the "
|
|
"time limit", auditregex);
|
|
}
|
|
|
|
switch (ppoll(fd, 1, &timeout, NULL)) {
|
|
/* ppoll(2) returns, check if it's what we want */
|
|
case 1:
|
|
if (fd[0].revents & POLLIN) {
|
|
if (get_records(auditregex, pipestream))
|
|
return;
|
|
} else {
|
|
atf_tc_fail("Auditpipe returned an "
|
|
"unknown event %#x", fd[0].revents);
|
|
}
|
|
break;
|
|
|
|
/* poll(2) timed out */
|
|
case 0:
|
|
atf_tc_fail("%s not found in auditpipe within the "
|
|
"time limit", auditregex);
|
|
break;
|
|
|
|
/* poll(2) standard error */
|
|
case -1:
|
|
atf_tc_fail("Poll: %s", strerror(errno));
|
|
break;
|
|
|
|
default:
|
|
atf_tc_fail("Poll returned too many file descriptors");
|
|
}
|
|
}
|
|
}
|
|
|
|
/*
|
|
* Wrapper functions around static "check_auditpipe"
|
|
*/
|
|
static void
|
|
check_audit_startup(struct pollfd fd[], const char *auditrgx, FILE *pipestream){
|
|
check_auditpipe(fd, auditrgx, pipestream);
|
|
}
|
|
|
|
void
|
|
check_audit(struct pollfd fd[], const char *auditrgx, FILE *pipestream) {
|
|
check_auditpipe(fd, auditrgx, pipestream);
|
|
|
|
/* Teardown: /dev/auditpipe's instance opened for this test-suite */
|
|
ATF_REQUIRE_EQ(0, fclose(pipestream));
|
|
}
|
|
|
|
void
|
|
skip_if_extattr_not_supported(const char *path)
|
|
{
|
|
ssize_t result;
|
|
|
|
/*
|
|
* Some file systems (e.g. tmpfs) do not support extattr, so we need
|
|
* skip tests that use extattrs. To detect this we can check whether
|
|
* the extattr_list_file returns EOPNOTSUPP.
|
|
*/
|
|
result = extattr_list_file(path, EXTATTR_NAMESPACE_USER, NULL, 0);
|
|
if (result == -1 && errno == EOPNOTSUPP) {
|
|
atf_tc_skip("File system does not support extattrs.");
|
|
}
|
|
}
|
|
|
|
static bool
|
|
is_auditd_running(void)
|
|
{
|
|
int trigger;
|
|
int err;
|
|
|
|
/*
|
|
* AUDIT_TRIGGER_INITIALIZE is a no-op message on FreeBSD and can
|
|
* therefore be used to check whether auditd has already been started.
|
|
* This is significantly cheaper than running `service auditd onestatus`
|
|
* for each test case. It is also slightly less racy since it will only
|
|
* return true once auditd() has opened the trigger file rather than
|
|
* just when the pidfile has been created.
|
|
*/
|
|
trigger = AUDIT_TRIGGER_INITIALIZE;
|
|
err = auditon(A_SENDTRIGGER, &trigger, sizeof(trigger));
|
|
if (err == 0) {
|
|
fprintf(stderr, "auditd(8) is running.\n");
|
|
return (true);
|
|
} else {
|
|
/*
|
|
* A_SENDTRIGGER returns ENODEV if auditd isn't listening,
|
|
* all other error codes indicate a fatal error.
|
|
*/
|
|
ATF_REQUIRE_MSG(errno == ENODEV,
|
|
"Unexpected error from auditon(2): %s", strerror(errno));
|
|
return (false);
|
|
}
|
|
|
|
}
|
|
|
|
FILE *
|
|
setup(struct pollfd fd[], const char *name)
|
|
{
|
|
au_mask_t fmask, nomask;
|
|
FILE *pipestream;
|
|
fmask = get_audit_mask(name);
|
|
nomask = get_audit_mask("no");
|
|
|
|
ATF_REQUIRE((fd[0].fd = open("/dev/auditpipe", O_RDONLY)) != -1);
|
|
ATF_REQUIRE((pipestream = fdopen(fd[0].fd, "r")) != NULL);
|
|
fd[0].events = POLLIN;
|
|
|
|
/*
|
|
* Disable stream buffering for read operations from /dev/auditpipe.
|
|
* Otherwise it is possible that fread(3), called via au_read_rec(3),
|
|
* can store buffered data in user-space unbeknown to ppoll(2), which
|
|
* as a result, reports that /dev/auditpipe is empty.
|
|
*/
|
|
ATF_REQUIRE_EQ(0, setvbuf(pipestream, NULL, _IONBF, 0));
|
|
|
|
/* Set local preselection audit_class as "no" for audit startup */
|
|
set_preselect_mode(fd[0].fd, &nomask);
|
|
if (!is_auditd_running()) {
|
|
fprintf(stderr, "Running audit_quick_start() for testing... ");
|
|
/*
|
|
* Previously, this test started auditd using
|
|
* `service auditd onestart`. However, there is a race condition
|
|
* there since service can return before auditd(8) has
|
|
* fully started (once the daemon parent process has forked)
|
|
* and this can cause check_audit_startup() to fail sometimes.
|
|
*
|
|
* In the CheriBSD CI this caused the first test executed by
|
|
* kyua (administrative:acct_failure) to fail every time, but
|
|
* subsequent ones would almost always succeed.
|
|
*
|
|
* To avoid this problem (and as a nice side-effect this speeds
|
|
* up the test quite a bit), we register this process as a
|
|
* "fake" auditd(8) using the audit_quick_start() function from
|
|
* libauditd.
|
|
*/
|
|
atf_utils_create_file("started_fake_auditd", "yes\n");
|
|
ATF_REQUIRE(atf_utils_file_exists("started_fake_auditd"));
|
|
ATF_REQUIRE_EQ_MSG(0, audit_quick_start(),
|
|
"Failed to start fake auditd: %m");
|
|
fprintf(stderr, "done.\n");
|
|
/* audit_quick_start() should log an audit start event. */
|
|
check_audit_startup(fd, "audit startup", pipestream);
|
|
/*
|
|
* If we exit cleanly shutdown audit_quick_start(), if not
|
|
* cleanup() will take care of it.
|
|
* This is not required, but makes it easier to run individual
|
|
* tests outside of kyua.
|
|
*/
|
|
atexit(cleanup);
|
|
}
|
|
|
|
/* Set local preselection parameters specific to "name" audit_class */
|
|
set_preselect_mode(fd[0].fd, &fmask);
|
|
return (pipestream);
|
|
}
|
|
|
|
void
|
|
cleanup(void)
|
|
{
|
|
if (atf_utils_file_exists("started_fake_auditd")) {
|
|
fprintf(stderr, "Running audit_quick_stop()... ");
|
|
if (audit_quick_stop() != 0) {
|
|
fprintf(stderr, "Failed to stop fake auditd: %m\n");
|
|
abort();
|
|
}
|
|
fprintf(stderr, "done.\n");
|
|
unlink("started_fake_auditd");
|
|
}
|
|
}
|