[PATCH v3 23/23] selftests/landlock: Add audit tests for ptrace
Mickaël Salaün
mic at digikod.net
Fri Nov 22 14:33:53 UTC 2024
Add tests for all ptrace actions. This improve all the ptrace tests by
making sure that the restrictions comes from Landlock, and with the
expected objects. These are like enhanced errno checks.
Test coverage for security/landlock is 93.3% of 1604 lines according to
gcc/gcov-14.
Cc: Günther Noack <gnoack at google.com>
Cc: Paul Moore <paul at paul-moore.com>
Signed-off-by: Mickaël Salaün <mic at digikod.net>
Link: https://lore.kernel.org/r/20241122143353.59367-24-mic@digikod.net
---
Changes since v2:
- New patch.
---
.../testing/selftests/landlock/ptrace_test.c | 62 +++++++++++++++++--
1 file changed, 58 insertions(+), 4 deletions(-)
diff --git a/tools/testing/selftests/landlock/ptrace_test.c b/tools/testing/selftests/landlock/ptrace_test.c
index a19db4d0b3bd..592927059cc3 100644
--- a/tools/testing/selftests/landlock/ptrace_test.c
+++ b/tools/testing/selftests/landlock/ptrace_test.c
@@ -4,6 +4,7 @@
*
* Copyright © 2017-2020 Mickaël Salaün <mic at digikod.net>
* Copyright © 2019-2020 ANSSI
+ * Copyright © 2024 Microsoft Corporation
*/
#define _GNU_SOURCE
@@ -17,6 +18,7 @@
#include <sys/wait.h>
#include <unistd.h>
+#include "audit.h"
#include "common.h"
/* Copied from security/yama/yama_lsm.c */
@@ -85,9 +87,27 @@ static int get_yama_ptrace_scope(void)
return ret;
}
-/* clang-format off */
-FIXTURE(hierarchy) {};
-/* clang-format on */
+static int matches_log_ptrace(struct __test_metadata *const _metadata,
+ struct audit_state *const state, const pid_t opid)
+{
+ static const char log_template[] = REGEX_LANDLOCK_PREFIX
+ " blockers=ptrace opid=%d ocomm=\"ptrace_test\"$";
+ char log_match[sizeof(log_template) + 10];
+ int log_match_len;
+
+ log_match_len =
+ snprintf(log_match, sizeof(log_match), log_template, opid);
+ if (log_match_len > sizeof(log_match))
+ return -E2BIG;
+
+ // TODO: return -errno with AUDIT_SYSCALL
+ return !audit_match_record(state, AUDIT_LANDLOCK_DENY, log_match);
+}
+
+FIXTURE(hierarchy)
+{
+ struct audit_state state;
+};
FIXTURE_VARIANT(hierarchy)
{
@@ -245,10 +265,15 @@ FIXTURE_VARIANT_ADD(hierarchy, deny_with_forked_domain) {
FIXTURE_SETUP(hierarchy)
{
+ disable_caps(_metadata);
+ set_cap(_metadata, CAP_AUDIT_CONTROL);
+ EXPECT_EQ(0, audit_init(&self->state));
+ clear_cap(_metadata, CAP_AUDIT_CONTROL);
}
-FIXTURE_TEARDOWN(hierarchy)
+FIXTURE_TEARDOWN_PARENT(hierarchy)
{
+ EXPECT_EQ(0, audit_cleanup(NULL));
}
/* Test PTRACE_TRACEME and PTRACE_ATTACH for parent and child. */
@@ -261,6 +286,7 @@ TEST_F(hierarchy, trace)
char buf_parent;
long ret;
bool can_read_child, can_trace_child, can_read_parent, can_trace_parent;
+ struct audit_records records;
yama_ptrace_scope = get_yama_ptrace_scope();
ASSERT_LE(0, yama_ptrace_scope);
@@ -336,17 +362,26 @@ TEST_F(hierarchy, trace)
err_proc_read = test_ptrace_read(parent);
if (can_read_parent) {
EXPECT_EQ(0, err_proc_read);
+ EXPECT_EQ(0, matches_log_ptrace(_metadata, &self->state,
+ parent));
} else {
EXPECT_EQ(EACCES, err_proc_read);
+ EXPECT_EQ(1, matches_log_ptrace(_metadata, &self->state,
+ parent));
}
/* Tests PTRACE_ATTACH on the parent. */
ret = ptrace(PTRACE_ATTACH, parent, NULL, 0);
if (can_trace_parent) {
EXPECT_EQ(0, ret);
+ EXPECT_EQ(0, matches_log_ptrace(_metadata, &self->state,
+ parent));
} else {
EXPECT_EQ(-1, ret);
EXPECT_EQ(EPERM, errno);
+ EXPECT_EQ(!can_read_parent,
+ matches_log_ptrace(_metadata, &self->state,
+ parent));
}
if (ret == 0) {
ASSERT_EQ(parent, waitpid(parent, &status, 0));
@@ -358,9 +393,15 @@ TEST_F(hierarchy, trace)
ret = ptrace(PTRACE_TRACEME);
if (can_trace_child) {
EXPECT_EQ(0, ret);
+ EXPECT_EQ(0, matches_log_ptrace(_metadata, &self->state,
+ parent));
} else {
EXPECT_EQ(-1, ret);
EXPECT_EQ(EPERM, errno);
+ /* We should indeed see the parent process. */
+ EXPECT_EQ(!can_read_child,
+ matches_log_ptrace(_metadata, &self->state,
+ parent));
}
/*
@@ -408,17 +449,25 @@ TEST_F(hierarchy, trace)
err_proc_read = test_ptrace_read(child);
if (can_read_child) {
EXPECT_EQ(0, err_proc_read);
+ EXPECT_EQ(0,
+ matches_log_ptrace(_metadata, &self->state, child));
} else {
EXPECT_EQ(EACCES, err_proc_read);
+ EXPECT_EQ(1,
+ matches_log_ptrace(_metadata, &self->state, child));
}
/* Tests PTRACE_ATTACH on the child. */
ret = ptrace(PTRACE_ATTACH, child, NULL, 0);
if (can_trace_child) {
EXPECT_EQ(0, ret);
+ EXPECT_EQ(0,
+ matches_log_ptrace(_metadata, &self->state, child));
} else {
EXPECT_EQ(-1, ret);
EXPECT_EQ(EPERM, errno);
+ EXPECT_EQ(!can_read_child,
+ matches_log_ptrace(_metadata, &self->state, child));
}
if (ret == 0) {
@@ -434,6 +483,11 @@ TEST_F(hierarchy, trace)
if (WIFSIGNALED(status) || !WIFEXITED(status) ||
WEXITSTATUS(status) != EXIT_SUCCESS)
_metadata->exit_code = KSFT_FAIL;
+
+ /* Makes sure there is no superfluous logged records. */
+ audit_count_records(&self->state, &records);
+ EXPECT_EQ(0, records.deny);
+ EXPECT_EQ(0, records.info);
}
TEST_HARNESS_MAIN
--
2.47.0
More information about the Linux-security-module-archive
mailing list