xref: /freebsd/tests/sys/audit/utils.c (revision cc426dd31990b8b50b210efc450e404596548ca1)
1 /*-
2  * Copyright 2018 Aniket Pandey
3  *
4  * Redistribution and use in source and binary forms, with or without
5  * modification, are permitted provided that the following conditions
6  * are met:
7  * 1. Redistributions of source code must retain the above copyright
8  *    notice, this list of conditions and the following disclaimer.
9  * 2. Redistributions in binary form must reproduce the above copyright
10  *    notice, this list of conditions and the following disclaimer in the
11  *    documentation and/or other materials provided with the distribution.
12  *
13  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
14  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
15  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
16  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
17  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
18  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
19  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
20  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
21  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
22  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
23  * SUCH DAMAGE.
24  *
25  * $FreeBSD$
26  */
27 
28 #include <sys/ioctl.h>
29 
30 #include <bsm/libbsm.h>
31 #include <security/audit/audit_ioctl.h>
32 
33 #include <atf-c.h>
34 #include <errno.h>
35 #include <fcntl.h>
36 #include <stdlib.h>
37 #include <string.h>
38 #include <time.h>
39 #include <unistd.h>
40 
41 #include "utils.h"
42 
43 /*
44  * Checks the presence of "auditregex" in auditpipe(4) after the
45  * corresponding system call has been triggered.
46  */
47 static bool
48 get_records(const char *auditregex, FILE *pipestream)
49 {
50 	uint8_t *buff;
51 	tokenstr_t token;
52 	ssize_t size = 1024;
53 	char membuff[size];
54 	char del[] = ",";
55 	int reclen, bytes = 0;
56 	FILE *memstream;
57 
58 	/*
59 	 * Open a stream on 'membuff' (address to memory buffer) for storing
60 	 * the audit records in the default mode.'reclen' is the length of the
61 	 * available records from auditpipe which is passed to the functions
62 	 * au_fetch_tok(3) and au_print_flags_tok(3) for further use.
63 	 */
64 	ATF_REQUIRE((memstream = fmemopen(membuff, size, "w")) != NULL);
65 	ATF_REQUIRE((reclen = au_read_rec(pipestream, &buff)) != -1);
66 
67 	/*
68 	 * Iterate through each BSM token, extracting the bits that are
69 	 * required to start processing the token sequences.
70 	 */
71 	while (bytes < reclen) {
72 		if (au_fetch_tok(&token, buff + bytes, reclen - bytes) == -1) {
73 			perror("au_read_rec");
74 			atf_tc_fail("Incomplete Audit Record");
75 		}
76 
77 		/* Print the tokens as they are obtained, in the default form */
78 		au_print_flags_tok(memstream, &token, del, AU_OFLAG_NONE);
79 		bytes += token.len;
80 	}
81 
82 	free(buff);
83 	ATF_REQUIRE_EQ(0, fclose(memstream));
84 	return (atf_utils_grep_string("%s", membuff, auditregex));
85 }
86 
87 /*
88  * Override the system-wide audit mask settings in /etc/security/audit_control
89  * and set the auditpipe's maximum allowed queue length limit
90  */
91 static void
92 set_preselect_mode(int filedesc, au_mask_t *fmask)
93 {
94 	int qlimit_max;
95 	int fmode = AUDITPIPE_PRESELECT_MODE_LOCAL;
96 
97 	/* Set local preselection mode for auditing */
98 	if (ioctl(filedesc, AUDITPIPE_SET_PRESELECT_MODE, &fmode) < 0)
99 		atf_tc_fail("Preselection mode: %s", strerror(errno));
100 
101 	/* Set local preselection flag corresponding to the audit_event */
102 	if (ioctl(filedesc, AUDITPIPE_SET_PRESELECT_FLAGS, fmask) < 0)
103 		atf_tc_fail("Preselection flag: %s", strerror(errno));
104 
105 	/* Set local preselection flag for non-attributable audit_events */
106 	if (ioctl(filedesc, AUDITPIPE_SET_PRESELECT_NAFLAGS, fmask) < 0)
107 		atf_tc_fail("Preselection naflag: %s", strerror(errno));
108 
109 	/* Query the maximum possible queue length limit for auditpipe */
110 	if (ioctl(filedesc, AUDITPIPE_GET_QLIMIT_MAX, &qlimit_max) < 0)
111 		atf_tc_fail("Query max-limit: %s", strerror(errno));
112 
113 	/* Set the queue length limit as obtained from previous step */
114 	if (ioctl(filedesc, AUDITPIPE_SET_QLIMIT, &qlimit_max) < 0)
115 		atf_tc_fail("Set max-qlimit: %s", strerror(errno));
116 
117 	/* This removes any outstanding record on the auditpipe */
118 	if (ioctl(filedesc, AUDITPIPE_FLUSH) < 0)
119 		atf_tc_fail("Auditpipe flush: %s", strerror(errno));
120 }
121 
122 /*
123  * Get the corresponding audit_mask for class-name "name" then set the
124  * success and failure bits for fmask to be used as the ioctl argument
125  */
126 static au_mask_t
127 get_audit_mask(const char *name)
128 {
129 	au_mask_t fmask;
130 	au_class_ent_t *class;
131 
132 	ATF_REQUIRE((class = getauclassnam(name)) != NULL);
133 	fmask.am_success = class->ac_class;
134 	fmask.am_failure = class->ac_class;
135 	return (fmask);
136 }
137 
138 /*
139  * Loop until the auditpipe returns something, check if it is what
140  * we want, else repeat the procedure until ppoll(2) times out.
141  */
142 static void
143 check_auditpipe(struct pollfd fd[], const char *auditregex, FILE *pipestream)
144 {
145 	struct timespec currtime, endtime, timeout;
146 
147 	/* Set the expire time for poll(2) while waiting for syscall audit */
148 	ATF_REQUIRE_EQ(0, clock_gettime(CLOCK_MONOTONIC, &endtime));
149 	endtime.tv_sec += 10;
150 	timeout.tv_nsec = endtime.tv_nsec;
151 
152 	for (;;) {
153 		/* Update the time left for auditpipe to return any event */
154 		ATF_REQUIRE_EQ(0, clock_gettime(CLOCK_MONOTONIC, &currtime));
155 		timeout.tv_sec = endtime.tv_sec - currtime.tv_sec;
156 
157 		switch (ppoll(fd, 1, &timeout, NULL)) {
158 		/* ppoll(2) returns, check if it's what we want */
159 		case 1:
160 			if (fd[0].revents & POLLIN) {
161 				if (get_records(auditregex, pipestream))
162 					return;
163 			} else {
164 				atf_tc_fail("Auditpipe returned an "
165 				"unknown event %#x", fd[0].revents);
166 			}
167 			break;
168 
169 		/* poll(2) timed out */
170 		case 0:
171 			atf_tc_fail("%s not found in auditpipe within the "
172 					"time limit", auditregex);
173 			break;
174 
175 		/* poll(2) standard error */
176 		case -1:
177 			atf_tc_fail("Poll: %s", strerror(errno));
178 			break;
179 
180 		default:
181 			atf_tc_fail("Poll returned too many file descriptors");
182 		}
183 	}
184 }
185 
186 /*
187  * Wrapper functions around static "check_auditpipe"
188  */
189 static void
190 check_audit_startup(struct pollfd fd[], const char *auditrgx, FILE *pipestream){
191 	check_auditpipe(fd, auditrgx, pipestream);
192 }
193 
194 void
195 check_audit(struct pollfd fd[], const char *auditrgx, FILE *pipestream) {
196 	check_auditpipe(fd, auditrgx, pipestream);
197 
198 	/* Teardown: /dev/auditpipe's instance opened for this test-suite */
199 	ATF_REQUIRE_EQ(0, fclose(pipestream));
200 }
201 
202 FILE
203 *setup(struct pollfd fd[], const char *name)
204 {
205 	au_mask_t fmask, nomask;
206 	fmask = get_audit_mask(name);
207 	nomask = get_audit_mask("no");
208 	FILE *pipestream;
209 
210 	ATF_REQUIRE((fd[0].fd = open("/dev/auditpipe", O_RDONLY)) != -1);
211 	ATF_REQUIRE((pipestream = fdopen(fd[0].fd, "r")) != NULL);
212 	fd[0].events = POLLIN;
213 
214 	/*
215 	 * Disable stream buffering for read operations from /dev/auditpipe.
216 	 * Otherwise it is possible that fread(3), called via au_read_rec(3),
217 	 * can store buffered data in user-space unbeknown to ppoll(2), which
218 	 * as a result, reports that /dev/auditpipe is empty.
219 	 */
220 	ATF_REQUIRE_EQ(0, setvbuf(pipestream, NULL, _IONBF, 0));
221 
222 	/* Set local preselection audit_class as "no" for audit startup */
223 	set_preselect_mode(fd[0].fd, &nomask);
224 	ATF_REQUIRE_EQ(0, system("service auditd onestatus || \
225 	{ service auditd onestart && touch started_auditd ; }"));
226 
227 	/* If 'started_auditd' exists, that means we started auditd(8) */
228 	if (atf_utils_file_exists("started_auditd"))
229 		check_audit_startup(fd, "audit startup", pipestream);
230 
231 	/* Set local preselection parameters specific to "name" audit_class */
232 	set_preselect_mode(fd[0].fd, &fmask);
233 	return (pipestream);
234 }
235 
236 void
237 cleanup(void)
238 {
239 	if (atf_utils_file_exists("started_auditd"))
240 		system("service auditd onestop > /dev/null 2>&1");
241 }
242