tests: add support for session ID user filter

rgbriggs · rgbriggs · commit 1a3029170fc0 · 2016-05-12T08:31:00.000-04:00
test: RFE: add a session ID filter to the kernel's user filter linux-audit/audit-kernel#4 Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
diff --git a/tests/sessionid_filter/Makefile b/tests/sessionid_filter/Makefile
@@ -0,0 +1,8 @@
+TARGETS=$(patsubst %.c,%,$(wildcard *.c))
+
+LDLIBS += -lpthread
+
+all: $(TARGETS)
+clean:
+	rm -f $(TARGETS)
+
diff --git a/tests/sessionid_filter/test b/tests/sessionid_filter/test
@@ -0,0 +1,85 @@
+#!/usr/bin/perl
+
+use strict;
+
+use Test;
+BEGIN { plan tests => 3 }
+
+use File::Temp qw/ tempdir tempfile /;
+
+###
+# functions
+
+sub key_gen {
+	my @chars = ("A".."Z", "a".."z");
+	my $key = "testsuite-" . time . "-";
+	$key .= $chars[rand @chars] for 1..8;
+	return $key;
+}
+
+###
+# setup
+
+# reset audit
+system("auditctl -D >& /dev/null");
+
+# create stdout/stderr sinks
+(my $fh_out, my $stdout) = tempfile(TEMPLATE => '/tmp/audit-testsuite-out-XXXX',
+				    UNLINK => 1);
+(my $fh_err, my $stderr) = tempfile(TEMPLATE => '/tmp/audit-testsuite-err-XXXX',
+				    UNLINK => 1);
+(my $fh_ses, my $sesout) = tempfile(TEMPLATE => '/tmp/audit-testsuite-tmp-XXXX',
+                                    UNLINK => 1);
+(my $fh_pid, my $pidout) = tempfile(TEMPLATE => '/tmp/audit-testsuite-tmp-XXXX',
+                                    UNLINK => 1);
+
+###
+# tests
+
+my $result;
+
+# discover our sesssion ID
+system("cat /proc/self/sessionid > $sesout");
+my $sessionid = <$fh_ses>;
+chomp($sessionid);
+
+# create a key and rule
+my $key = key_gen();
+$result = system("auditctl -a always,exit -F arch=b64 -F path=/tmp/$key -F sessionid=$sessionid -k $key");
+ok($result, 0);
+
+# send the userspace message (NOTE: requires bash)
+system("echo \$\$ > $pidout; exec touch /tmp/$key");
+my $pid = <$fh_pid>;
+chomp($pid);
+
+# test for the SYSCALL message
+$result = system("ausearch -i -m SYSCALL -sc open -p $pid --session $sessionid -k $key > $stdout 2> $stderr");
+ok($result, 0);
+
+# test if we generate the PATH record correctly
+my $line;
+my $found_path_msg = 0;
+my $syscall_msg_match = 0;
+while ($line = <$fh_out>) {
+	# test if we generate a PATH record
+	if ($line =~ m?^type=PATH ? and
+	    $line =~ m? name=/tmp/$key ? and
+	    $line =~ m? nametype=CREATE ?) {
+			$found_path_msg = 1;
+	}
+	# test if SYSCALL record matches
+	if ($line =~ m?^type=SYSCALL ? and
+	    $line =~ m? pid=$pid ? and
+	    $line =~ m? ses=$sessionid ? and
+	    $line =~ m? key=$key ?) {
+			$syscall_msg_match = 1;
+	}
+}
+ok($found_path_msg && $syscall_msg_match);
+
+###
+# cleanup
+
+system("auditctl -D >& /dev/null");
+
