xref: /freebsd/tests/sys/audit/utils.c (revision d485c77f203fb0f4cdc08dea5ff81631b51d8809)
1 /*-
2  * Copyright 2018 Aniket Pandey
3  *
4  * Redistribution and use in source and binary forms, with or without
5  * modification, are permitted provided that the following conditions
6  * are met:
7  * 1. Redistributions of source code must retain the above copyright
8  *    notice, this list of conditions and the following disclaimer.
9  * 2. Redistributions in binary form must reproduce the above copyright
10  *    notice, this list of conditions and the following disclaimer in the
11  *    documentation and/or other materials provided with the distribution.
12  *
13  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
14  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
15  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
16  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
17  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
18  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
19  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
20  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
21  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
22  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
23  * SUCH DAMAGE.
24  *
25  * $FreeBSD$
26  */
27 
28 #include <sys/types.h>
29 #include <sys/extattr.h>
30 #include <sys/ioctl.h>
31 
32 #include <bsm/libbsm.h>
33 #include <bsm/auditd_lib.h>
34 #include <security/audit/audit_ioctl.h>
35 
36 #include <atf-c.h>
37 #include <errno.h>
38 #include <fcntl.h>
39 #include <stdlib.h>
40 #include <string.h>
41 #include <time.h>
42 #include <unistd.h>
43 
44 #include "utils.h"
45 
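/*
 * Reads one audit record from the auditpipe(4) stream, prints its BSM tokens
 * as text into a local buffer and checks whether "auditregex" matches that
 * text.
 *
 * Returns the result of atf_utils_grep_string(); a record that cannot be read
 * or split into tokens fails the running test case.
 */
static bool
get_records(const char *auditregex, FILE *pipestream)
{
	/*
	 * Text form of the record.  The array is zero-filled and the memory
	 * stream below is opened one byte short of it, so the last byte is
	 * never written.  The string handed to the matcher is therefore always
	 * NUL-terminated, and termination does not depend on fmemopen(3)
	 * finding room for a terminator when a long record fills the stream.
	 */
	char membuff[1024] = { 0 };
	char del[] = ",";
	uint8_t *buff;
	tokenstr_t token;
	int reclen, bytes = 0;
	FILE *memstream;

	/*
	 * 'reclen' is the length of the record returned by au_read_rec(3);
	 * it bounds the walk over 'buff' done with au_fetch_tok(3).
	 */
	ATF_REQUIRE((memstream = fmemopen(membuff, sizeof(membuff) - 1,
	    "w")) != NULL);
	ATF_REQUIRE((reclen = au_read_rec(pipestream, &buff)) != -1);

	/* Walk the record token by token; 'bytes' is the offset consumed. */
	while (bytes < reclen) {
		if (au_fetch_tok(&token, buff + bytes, reclen - bytes) == -1) {
			/* Label the diagnostic with the call that failed. */
			perror("au_fetch_tok");
			atf_tc_fail("Incomplete Audit Record");
		}

		/* Print the tokens as they are obtained, in the default form */
		au_print_flags_tok(memstream, &token, del, AU_OFLAG_NONE);
		bytes += token.len;
	}

	free(buff);
	ATF_REQUIRE_EQ(0, fclose(memstream));

	/*
	 * The regex is passed as the argument of a constant "%s" format, so
	 * printf-style conversions inside 'auditregex' are not interpreted.
	 */
	return (atf_utils_grep_string("%s", membuff, auditregex));
}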
89 
/*
 * Configures the auditpipe descriptor "filedesc" for local preselection so
 * that "fmask", rather than the system-wide settings in
 * /etc/security/audit_control, selects the records delivered on this pipe.
 * The pipe's queue limit is raised to the maximum the kernel reports and any
 * records already queued are discarded.
 *
 * Every ioctl(2) failure fails the running test case.
 */
static void
set_preselect_mode(int filedesc, au_mask_t *fmask)
{
	int fmode = AUDITPIPE_PRESELECT_MODE_LOCAL;
	int qlimit_max;

	/* Switch the pipe to its own (local) preselection settings. */
	if (ioctl(filedesc, AUDITPIPE_SET_PRESELECT_MODE, &fmode) < 0) {
		atf_tc_fail("Preselection mode: %s", strerror(errno));
	}

	/* Apply the mask to attributable events ... */
	if (ioctl(filedesc, AUDITPIPE_SET_PRESELECT_FLAGS, fmask) < 0) {
		atf_tc_fail("Preselection flag: %s", strerror(errno));
	}

	/* ... and the same mask to non-attributable events. */
	if (ioctl(filedesc, AUDITPIPE_SET_PRESELECT_NAFLAGS, fmask) < 0) {
		atf_tc_fail("Preselection naflag: %s", strerror(errno));
	}

	/* Ask for the largest queue length the pipe allows, then use it. */
	if (ioctl(filedesc, AUDITPIPE_GET_QLIMIT_MAX, &qlimit_max) < 0) {
		atf_tc_fail("Query max-limit: %s", strerror(errno));
	}
	if (ioctl(filedesc, AUDITPIPE_SET_QLIMIT, &qlimit_max) < 0) {
		atf_tc_fail("Set max-qlimit: %s", strerror(errno));
	}

	/*
	 * Drop records that were queued before this point so they cannot be
	 * read back as if the test had produced them.
	 */
	if (ioctl(filedesc, AUDITPIPE_FLUSH) < 0) {
		atf_tc_fail("Auditpipe flush: %s", strerror(errno));
	}
}
124 
/*
 * Looks up the audit class called "name" and returns a mask with that class
 * selected for both successful and failed events, ready to be passed to the
 * preselection ioctls.  An unknown class name fails the running test case.
 */
static au_mask_t
get_audit_mask(const char *name)
{
	au_class_ent_t *class;

	ATF_REQUIRE((class = getauclassnam(name)) != NULL);

	/* Same class bits on the success and the failure side. */
	return ((au_mask_t){
		.am_success = class->ac_class,
		.am_failure = class->ac_class,
	});
}
140 
/*
 * Waits on the auditpipe until a record matching "auditregex" has been read.
 * Returns on a match.  A timeout, a ppoll(2) error or an event other than
 * POLLIN fails the running test case.
 */
static void
check_auditpipe(struct pollfd fd[], const char *auditregex, FILE *pipestream)
{
	struct timespec currtime, endtime, timeout;
	int nready;

	/* Overall deadline: 30 seconds from now on the monotonic clock. */
	ATF_REQUIRE_EQ(0, clock_gettime(CLOCK_MONOTONIC, &endtime));
	endtime.tv_sec += 30;

	for (;;) {
		/*
		 * Recompute the time left until the deadline and cap the
		 * seconds of a single wait at 9, so one quiet period cannot
		 * use up the whole budget.
		 */
		ATF_REQUIRE_EQ(0, clock_gettime(CLOCK_MONOTONIC, &currtime));
		timespecsub(&endtime, &currtime, &timeout);
		timeout.tv_sec = MIN(timeout.tv_sec, 9);
		if (timeout.tv_sec < 0) {
			atf_tc_fail("%s not found in auditpipe within the "
			    "time limit", auditregex);
		}

		nready = ppoll(fd, 1, &timeout, NULL);
		if (nready == 1) {
			/* One descriptor is ready: it must be readable. */
			if ((fd[0].revents & POLLIN) == 0) {
				atf_tc_fail("Auditpipe returned an "
				    "unknown event %#x", fd[0].revents);
			} else if (get_records(auditregex, pipestream)) {
				return;
			}
			/* Record did not match: keep waiting. */
		} else if (nready == 0) {
			/* ppoll(2) timed out */
			atf_tc_fail("%s not found in auditpipe within the "
			    "time limit", auditregex);
		} else if (nready == -1) {
			/* ppoll(2) reported an error */
			atf_tc_fail("Poll: %s", strerror(errno));
		} else {
			atf_tc_fail("Poll returned too many file descriptors");
		}
	}
}
193 
/*
 * Wrapper around the static check_auditpipe(): waits for a record matching
 * "auditrgx" and leaves "pipestream" open for the caller.
 */
static void
check_audit_startup(struct pollfd fd[], const char *auditrgx, FILE *pipestream)
{
	check_auditpipe(fd, auditrgx, pipestream);
}
201 
/*
 * Waits for a record matching "auditrgx" through check_auditpipe(), then
 * closes "pipestream".  A failing fclose(3) fails the running test case.
 */
void
check_audit(struct pollfd fd[], const char *auditrgx, FILE *pipestream)
{
	check_auditpipe(fd, auditrgx, pipestream);

	/* Teardown: close the /dev/auditpipe instance opened for this test. */
	ATF_REQUIRE_EQ(0, fclose(pipestream));
}
209 
/*
 * Skips the running test case when the file system holding "path" does not
 * support extended attributes.
 */
void
skip_if_extattr_not_supported(const char *path)
{
	/*
	 * Some file systems (e.g. tmpfs) do not support extattrs, so tests
	 * that use them have to be skipped there.  Listing the user namespace
	 * with no buffer is enough to probe for it: lack of support shows up
	 * as a failure with EOPNOTSUPP.  Any other outcome lets the test run.
	 */
	if (extattr_list_file(path, EXTATTR_NAMESPACE_USER, NULL, 0) == -1 &&
	    errno == EOPNOTSUPP) {
		atf_tc_skip("File system does not support extattrs.");
	}
}
225 
/*
 * Reports whether an audit daemon is already listening for triggers.
 * Returns true when the probe trigger is accepted and false when auditon(2)
 * fails with ENODEV; any other error fails the running test case.
 */
static bool
is_auditd_running(void)
{
	/*
	 * AUDIT_TRIGGER_INITIALIZE is a no-op message on FreeBSD, so sending
	 * it is a side-effect-free way to find out whether auditd has been
	 * started.  This is much cheaper than running
	 * `service auditd onestatus` for each test case, and slightly less
	 * racy: it only succeeds once auditd has opened the trigger file, not
	 * merely once the pidfile exists.
	 */
	int trigger = AUDIT_TRIGGER_INITIALIZE;

	if (auditon(A_SENDTRIGGER, &trigger, sizeof(trigger)) != 0) {
		/*
		 * A_SENDTRIGGER returns ENODEV if auditd isn't listening,
		 * all other error codes indicate a fatal error.
		 */
		ATF_REQUIRE_MSG(errno == ENODEV,
		    "Unexpected error from auditon(2): %s", strerror(errno));
		return (false);
	}

	fprintf(stderr, "auditd(8) is running.\n");
	return (true);
}
256 
/*
 * Opens /dev/auditpipe, makes sure auditing is running and preselects the
 * audit class "name" on the pipe.
 *
 * On return fd[0] holds the pipe descriptor with POLLIN requested, and the
 * returned stream wraps the same descriptor.  Any failure along the way fails
 * the running test case.
 */
FILE *
setup(struct pollfd fd[], const char *name)
{
	au_mask_t fmask = get_audit_mask(name);
	au_mask_t nomask = get_audit_mask("no");
	FILE *pipestream;

	ATF_REQUIRE((fd[0].fd = open("/dev/auditpipe", O_RDONLY)) != -1);
	ATF_REQUIRE((pipestream = fdopen(fd[0].fd, "r")) != NULL);
	fd[0].events = POLLIN;

	/*
	 * Reads from /dev/auditpipe must not be buffered by stdio.  Otherwise
	 * fread(3), called via au_read_rec(3), can hold data in user space
	 * that ppoll(2) knows nothing about, and ppoll(2) then reports the
	 * pipe as empty.
	 */
	ATF_REQUIRE_EQ(0, setvbuf(pipestream, NULL, _IONBF, 0));

	/* Preselect audit_class "no" while audit is being started. */
	set_preselect_mode(fd[0].fd, &nomask);

	if (!is_auditd_running()) {
		fprintf(stderr, "Running audit_quick_start() for testing... ");
		/*
		 * This test used to start auditd with
		 * `service auditd onestart`.  That is racy: service can return
		 * as soon as the daemon's parent process has forked, before
		 * auditd(8) has fully started, which made
		 * check_audit_startup() fail sometimes.  In the CheriBSD CI
		 * the first test run by kyua (administrative:acct_failure)
		 * failed every time while later ones almost always passed.
		 *
		 * Instead, this process registers itself as a "fake"
		 * auditd(8) through audit_quick_start() from libauditd, which
		 * avoids the race and is also considerably faster.
		 *
		 * The marker file is created first; cleanup() checks for it
		 * to decide whether audit_quick_stop() has to be called.
		 */
		atf_utils_create_file("started_fake_auditd", "yes\n");
		ATF_REQUIRE(atf_utils_file_exists("started_fake_auditd"));
		ATF_REQUIRE_EQ_MSG(0, audit_quick_start(),
		    "Failed to start fake auditd: %m");
		fprintf(stderr, "done.\n");

		/* audit_quick_start() should log an audit start event. */
		check_audit_startup(fd, "audit startup", pipestream);

		/*
		 * On a clean exit, stop the fake auditd from an atexit(3)
		 * handler; otherwise cleanup() is left to take care of it.
		 * Not required, but it makes running a single test outside
		 * of kyua easier.
		 */
		atexit(cleanup);
	}

	/* Now preselect the audit_class the caller asked for. */
	set_preselect_mode(fd[0].fd, &fmask);
	return (pipestream);
}
317 
/*
 * Stops the fake auditd if this test started one.  The marker file
 * "started_fake_auditd" in the current directory records that fact; it is
 * removed once audit_quick_stop() has succeeded.  A failing
 * audit_quick_stop() aborts the process.
 */
void
cleanup(void)
{
	/* No marker file: nothing was started here, nothing to stop. */
	if (!atf_utils_file_exists("started_fake_auditd"))
		return;

	fprintf(stderr, "Running audit_quick_stop()... ");
	if (audit_quick_stop() != 0) {
		fprintf(stderr, "Failed to stop fake auditd: %m\n");
		abort();
	}
	fprintf(stderr, "done.\n");
	unlink("started_fake_auditd");
}
331