
tests: add test for signal and ptrace OBJ_PID records
See: linux-audit#81

Signed-off-by: Richard Guy Briggs <[email protected]>
rgbriggs committed Sep 29, 2020
1 parent 1e94f53 commit 9fb1770
Showing 3 changed files with 164 additions and 0 deletions.
1 change: 1 addition & 0 deletions tests/Makefile
Expand Up @@ -24,6 +24,7 @@ TESTS := \
login_tty \
lost_reset \
netfilter_pkt \
signal \
syscalls_file \
syscall_module \
syscall_socketcall \
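--- a/tests/signal/Makefile
+++ b/tests/signal/Makefile
@@ -0,0 +1,8 @@
+TARGETS=$(patsubst %.c,%,$(wildcard *.c))
+
+LDLIBS += -lpthread
+
+all: $(TARGETS)
+clean:
+rm -f $(TARGETS)
+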
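Review bot: `all` and `clean` are not declared phony, so a stray file named `clean` or `all` in tests/signal/ would satisfy the target and `make clean` would remove nothing; add `.PHONY: all clean` above `all:`. The `rm -f $(TARGETS)` recipe line as rendered here has no leading tab, which make requires — presumably the tab was lost in the page rendering, but it is worth confirming in the committed file. `LDLIBS += -lpthread` is only relevant if a `.c` helper is added next to the Perl `test` script; with none in this commit the variable is unused, which is harmless but suggests the Makefile was copied from another test directory.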
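--- a/tests/signal/test
+++ b/tests/signal/test
@@ -0,0 +1,155 @@
+#!/usr/bin/perl
+
+use strict;
+use File::Temp qw/ tempdir tempfile /;
+use Test;
+BEGIN { plan tests => 8 }
+
+###
+# functions
+
+sub key_gen {
+my @chars = ( "A" .. "Z", "a" .. "z" );
+my $key = "testsuite-" . time . "-";
+$key .= $chars[ rand @chars ] for 1 .. 8;
+return $key;
+}
+
+###
+# setup
+
+my ( $sec, $min, $hour, $mday, $mon, $year, $wday, $yday, $isdst ) =
+localtime(time);
+$year += 1900;
+$mon += 1;
+my $startdate = "$year-$mon-$mday";
+my $starttime = "$hour:$min:$sec";
+
+# create stdout/stderr sinks
+( my $fh_out, my $stdout ) = tempfile(
+TEMPLATE => '/tmp/audit-testsuite-out-XXXX',
+UNLINK => 1
+);
+( my $fh_err, my $stderr ) = tempfile(
+TEMPLATE => '/tmp/audit-testsuite-err-XXXX',
+UNLINK => 1
+);
+
+# clear all rules, turn on auditing
+#system("auditctl -D >/dev/null 2>&1");
+#system("auditctl -e 1 >/dev/null 2>&1");
+
+# Generate a unique test key
+my $key = key_gen();
+my $result;
+
+###
+# tests
+# Test signals
+# Add rule to catch signals generated by self
+$result =
+system(
+"auditctl -a exit,always -F arch=b$ENV{MODE} -S kill -F pid=$$ -F key=$key >/dev/null 2>&1"
+);
+ok( $result, 0 ); # Was the rule accepted?
+
+# Start sleeps to provide target tasks
+seek( $fh_out, 0, 0 );
+system("sleep 2 >/dev/null 2>&1 & echo \$! >$stdout");
+my $task1_pid = <$fh_out>;
+chomp($task1_pid);
+seek( $fh_out, 0, 0 );
+system("sleep 2 >/dev/null 2>&1 & echo \$! >$stdout");
+my $task2_pid = <$fh_out>;
+chomp($task2_pid);
+
+# generate signals
+my $count = kill 'HUP', $task1_pid, $task2_pid;
+ok( $count, 2 ); # Were two processes signalled?
+
+# Delete audit rule
+system(
+"auditctl -d exit,always -F arch=b$ENV{MODE} -S kill -F pid=$$ -F key=$key >/dev/null 2>&1"
+);
+
+# Test ptrace
+# Add rule to catch ptrace
+$result =
+system(
+"auditctl -a exit,always -F arch=b$ENV{MODE} -S ptrace -F key=$key >/dev/null 2>&1"
+);
+ok( $result, 0 ); # Was the rule accepted?
+
+# Create task to which to attach
+seek( $fh_out, 0, 0 );
+system("sleep 2 >/dev/null 2>&1 & echo \$! >$stdout");
+my $task3_pid = <$fh_out>;
+chomp($task3_pid);
+
+# Generate a ptrace event
+$result = system("strace -p $task3_pid >/dev/null 2>&1");
+ok( $result, 0 ); # Was the ptrace command successful?
+
+# Delete audit rule
+$result =
+system(
+"auditctl -d exit,always -F arch=b$ENV{MODE} -S ptrace -F key=$key >/dev/null 2>&1"
+);
+
+# make sure the records had a chance to bubble through to the logs
+system("auditctl -m syncmarker-$key");
+for ( my $i = 0 ; $i < 10 ; $i++ ) {
+if ( system("ausearch -m USER | grep -q syncmarker-$key") eq 0 ) {
+last;
+}
+sleep(0.2);
+}
+
+# find the config change event
+seek( $fh_out, 0, 0 );
+seek( $fh_err, 0, 0 );
+$result = system(
+"LC_TIME=\"en_DK.utf8\" ausearch --start $startdate $starttime -i -k $key >$stdout 2>$stderr"
+);
+ok( $result, 0 ); # Was an event found?
+
+# test if we generate the obj_pid records correctly
+my $line;
+my $found_signal1 = 0;
+my $found_signal2 = 0;
+my $found_ptrace = 0;
+while ( $line = <$fh_out> ) {
+
+# find the CONFIG_CHANGE record
+if ( $line =~ /^type=OBJ_PID / ) {
+
+# find the lost value
+if ( $line =~ / opid=([0-9]+) / ) {
+if ( $1 == $task1_pid ) {
+$found_signal1 = 1;
+}
+elsif ( $1 == $task2_pid ) {
+$found_signal2 = 1;
+}
+elsif ( $1 == $task3_pid ) {
+$found_ptrace = 1;
+}
+}
+}
+}
+ok( $found_signal1, 1 ); # Was the first signal found?
+ok( $found_signal2, 1 ); # Was the second signal found?
+ok( $found_ptrace, 1 ); # Was the ptrace found?
+
+if ( defined $ENV{ATS_DEBUG} && $ENV{ATS_DEBUG} == 1 ) {
+if ( !$found_signal1 || !$found_signal2 || !$found_ptrace == 2 ) {
+print "pid=$!\n";
+print "pid=$task1_pid found_signal1=$found_signal1\n";
+print "pid=$task2_pid found_signal2=$found_signal2\n";
+print "pid=$task3_pid found_ptrace=$found_ptrace\n";
+}
+}
+
+###
+# cleanup
+system("service auditd restart 2>/dev/null");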
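Review bot: The back-off in the sync-marker loop is a no-op: core `sleep` takes integer seconds, so `sleep(0.2)` truncates to zero and the loop fires ten `ausearch` calls back to back with no delay, which makes the following `ausearch -k $key` and the three OBJ_PID checks racy on a slow or loaded box; use `select( undef, undef, undef, 0.2 );` (or `Time::HiRes::sleep`) instead. In the ATS_DEBUG block, `!$found_ptrace == 2` parses as `(!$found_ptrace) == 2`, which is never true, so a missing ptrace record on its own prints no diagnostics — it should be plain `!$found_ptrace` — and `print "pid=$!\n"` prints errno rather than the test's pid, which should be `$$`. The comments above the OBJ_PID match still read `# find the CONFIG_CHANGE record` and `# find the lost value`, apparently carried over from another test; they should say `# find the OBJ_PID record` and `# extract the target pid (opid=)`. The script enables `use strict` but not `use warnings`, which would surface an uninitialized `$task*_pid` in the `kill` and `strace` calls if one of the background `sleep` children failed to start.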
