1 /*- 2 * Copyright 2018 Aniket Pandey 3 * 4 * Redistribution and use in source and binary forms, with or without 5 * modification, are permitted provided that the following conditions 6 * are met: 7 * 1. Redistributions of source code must retain the above copyright 8 * notice, this list of conditions and the following disclaimer. 9 * 2. Redistributions in binary form must reproduce the above copyright 10 * notice, this list of conditions and the following disclaimer in the 11 * documentation and/or other materials provided with the distribution. 12 * 13 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 14 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 15 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 16 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 17 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 18 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 19 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 20 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 21 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 22 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 23 * SUCH DAMAGE. 24 * 25 * $FreeBSD$ 26 */ 27 28 #include <sys/ioctl.h> 29 30 #include <bsm/libbsm.h> 31 #include <security/audit/audit_ioctl.h> 32 33 #include <atf-c.h> 34 #include <errno.h> 35 #include <fcntl.h> 36 #include <stdlib.h> 37 #include <string.h> 38 #include <time.h> 39 #include <unistd.h> 40 41 #include "utils.h" 42 43 /* 44 * Checks the presence of "auditregex" in auditpipe(4) after the 45 * corresponding system call has been triggered. 46 */ 47 static bool 48 get_records(const char *auditregex, FILE *pipestream) 49 { 50 uint8_t *buff; 51 tokenstr_t token; 52 ssize_t size = 1024; 53 char membuff[size]; 54 char del[] = ","; 55 int reclen, bytes = 0; 56 FILE *memstream; 57 58 /* 59 * Open a stream on 'membuff' (address to memory buffer) for storing 60 * the audit records in the default mode.'reclen' is the length of the 61 * available records from auditpipe which is passed to the functions 62 * au_fetch_tok(3) and au_print_flags_tok(3) for further use. 63 */ 64 ATF_REQUIRE((memstream = fmemopen(membuff, size, "w")) != NULL); 65 ATF_REQUIRE((reclen = au_read_rec(pipestream, &buff)) != -1); 66 67 /* 68 * Iterate through each BSM token, extracting the bits that are 69 * required to start processing the token sequences. 70 */ 71 while (bytes < reclen) { 72 if (au_fetch_tok(&token, buff + bytes, reclen - bytes) == -1) { 73 perror("au_read_rec"); 74 atf_tc_fail("Incomplete Audit Record"); 75 } 76 77 /* Print the tokens as they are obtained, in the default form */ 78 au_print_flags_tok(memstream, &token, del, AU_OFLAG_NONE); 79 bytes += token.len; 80 } 81 82 free(buff); 83 ATF_REQUIRE_EQ(0, fclose(memstream)); 84 return (atf_utils_grep_string("%s", membuff, auditregex)); 85 } 86 87 /* 88 * Override the system-wide audit mask settings in /etc/security/audit_control 89 * and set the auditpipe's maximum allowed queue length limit 90 */ 91 static void 92 set_preselect_mode(int filedesc, au_mask_t *fmask) 93 { 94 int qlimit_max; 95 int fmode = AUDITPIPE_PRESELECT_MODE_LOCAL; 96 97 /* Set local preselection mode for auditing */ 98 if (ioctl(filedesc, AUDITPIPE_SET_PRESELECT_MODE, &fmode) < 0) 99 atf_tc_fail("Preselection mode: %s", strerror(errno)); 100 101 /* Set local preselection flag corresponding to the audit_event */ 102 if (ioctl(filedesc, AUDITPIPE_SET_PRESELECT_FLAGS, fmask) < 0) 103 atf_tc_fail("Preselection flag: %s", strerror(errno)); 104 105 /* Set local preselection flag for non-attributable audit_events */ 106 if (ioctl(filedesc, AUDITPIPE_SET_PRESELECT_NAFLAGS, fmask) < 0) 107 atf_tc_fail("Preselection naflag: %s", strerror(errno)); 108 109 /* Query the maximum possible queue length limit for auditpipe */ 110 if (ioctl(filedesc, AUDITPIPE_GET_QLIMIT_MAX, &qlimit_max) < 0) 111 atf_tc_fail("Query max-limit: %s", strerror(errno)); 112 113 /* Set the queue length limit as obtained from previous step */ 114 if (ioctl(filedesc, AUDITPIPE_SET_QLIMIT, &qlimit_max) < 0) 115 atf_tc_fail("Set max-qlimit: %s", strerror(errno)); 116 117 /* This removes any outstanding record on the auditpipe */ 118 if (ioctl(filedesc, AUDITPIPE_FLUSH) < 0) 119 atf_tc_fail("Auditpipe flush: %s", strerror(errno)); 120 } 121 122 /* 123 * Get the corresponding audit_mask for class-name "name" then set the 124 * success and failure bits for fmask to be used as the ioctl argument 125 */ 126 static au_mask_t 127 get_audit_mask(const char *name) 128 { 129 au_mask_t fmask; 130 au_class_ent_t *class; 131 132 ATF_REQUIRE((class = getauclassnam(name)) != NULL); 133 fmask.am_success = class->ac_class; 134 fmask.am_failure = class->ac_class; 135 return (fmask); 136 } 137 138 /* 139 * Loop until the auditpipe returns something, check if it is what 140 * we want, else repeat the procedure until ppoll(2) times out. 141 */ 142 static void 143 check_auditpipe(struct pollfd fd[], const char *auditregex, FILE *pipestream) 144 { 145 struct timespec currtime, endtime, timeout; 146 147 /* Set the expire time for poll(2) while waiting for syscall audit */ 148 ATF_REQUIRE_EQ(0, clock_gettime(CLOCK_MONOTONIC, &endtime)); 149 endtime.tv_sec += 10; 150 timeout.tv_nsec = endtime.tv_nsec; 151 152 for (;;) { 153 /* Update the time left for auditpipe to return any event */ 154 ATF_REQUIRE_EQ(0, clock_gettime(CLOCK_MONOTONIC, &currtime)); 155 timeout.tv_sec = endtime.tv_sec - currtime.tv_sec; 156 157 switch (ppoll(fd, 1, &timeout, NULL)) { 158 /* ppoll(2) returns, check if it's what we want */ 159 case 1: 160 if (fd[0].revents & POLLIN) { 161 if (get_records(auditregex, pipestream)) 162 return; 163 } else { 164 atf_tc_fail("Auditpipe returned an " 165 "unknown event %#x", fd[0].revents); 166 } 167 break; 168 169 /* poll(2) timed out */ 170 case 0: 171 atf_tc_fail("%s not found in auditpipe within the " 172 "time limit", auditregex); 173 break; 174 175 /* poll(2) standard error */ 176 case -1: 177 atf_tc_fail("Poll: %s", strerror(errno)); 178 break; 179 180 default: 181 atf_tc_fail("Poll returned too many file descriptors"); 182 } 183 } 184 } 185 186 /* 187 * Wrapper functions around static "check_auditpipe" 188 */ 189 static void 190 check_audit_startup(struct pollfd fd[], const char *auditrgx, FILE *pipestream){ 191 check_auditpipe(fd, auditrgx, pipestream); 192 } 193 194 void 195 check_audit(struct pollfd fd[], const char *auditrgx, FILE *pipestream) { 196 check_auditpipe(fd, auditrgx, pipestream); 197 198 /* Teardown: /dev/auditpipe's instance opened for this test-suite */ 199 ATF_REQUIRE_EQ(0, fclose(pipestream)); 200 } 201 202 FILE 203 *setup(struct pollfd fd[], const char *name) 204 { 205 au_mask_t fmask, nomask; 206 fmask = get_audit_mask(name); 207 nomask = get_audit_mask("no"); 208 FILE *pipestream; 209 210 ATF_REQUIRE((fd[0].fd = open("/dev/auditpipe", O_RDONLY)) != -1); 211 ATF_REQUIRE((pipestream = fdopen(fd[0].fd, "r")) != NULL); 212 fd[0].events = POLLIN; 213 214 /* 215 * Disable stream buffering for read operations from /dev/auditpipe. 216 * Otherwise it is possible that fread(3), called via au_read_rec(3), 217 * can store buffered data in user-space unbeknown to ppoll(2), which 218 * as a result, reports that /dev/auditpipe is empty. 219 */ 220 ATF_REQUIRE_EQ(0, setvbuf(pipestream, NULL, _IONBF, 0)); 221 222 /* Set local preselection audit_class as "no" for audit startup */ 223 set_preselect_mode(fd[0].fd, &nomask); 224 ATF_REQUIRE_EQ(0, system("service auditd onestatus || \ 225 { service auditd onestart && touch started_auditd ; }")); 226 227 /* If 'started_auditd' exists, that means we started auditd(8) */ 228 if (atf_utils_file_exists("started_auditd")) 229 check_audit_startup(fd, "audit startup", pipestream); 230 231 /* Set local preselection parameters specific to "name" audit_class */ 232 set_preselect_mode(fd[0].fd, &fmask); 233 return (pipestream); 234 } 235 236 void 237 cleanup(void) 238 { 239 if (atf_utils_file_exists("started_auditd")) 240 system("service auditd onestop > /dev/null 2>&1"); 241 } 242