dashboard/config/linux: enable audit at runtime
CONFIG_AUDIT is enabled but most of the audit code is not tested by syzbot as we can see with security/landlock/audit.c coverage (cf. #5851).
For Landlock, this led to a test coverage shrinking from 92% (2025-02-28) to 87% (2025-03-31).
The issue is that auditd is not enabled in the test VMs, so the kernel's audit_enabled variable is always false and the code gated by this runtime config is not tested.
Enabling auditd at boot time would solve this issue.
It would be better to figure out why syzkaller is unable to do what auditd does - in the end, these are just some netlink operations/syscalls that must be executed, right?
If the required sequence of operations is a bit tricky to construct automatically, we may add some seed program that does the setup.
It would be better to figure out why syzkaller is unable to do what auditd does - in the end, these are just some netlink operations/syscalls that must be executed, right?
That would be better indeed.
If the required sequence of operations is a bit tricky to construct automatically, we may add some seed program that does the setup.
Here is the C code I'm using to enable audit: https://web.git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/tools/testing/selftests/landlock/audit.h#n374
That might be a bit tricky in Go though.
Thanks for sharing the example!
I've skimmed through the file. If we just need to do what audit_init() does, I think it can well be a seed program (we keep these in the sys/linux/test folder).
Yes, the part that receives the replies and checks them for errors (most of audit_request) cannot be expressed in syzlang in a natural way, but everything else is quite straightforward: socket/sendto with the right message/setsockopt. And correct error handling is anyway not something of big importance for a program executed by the fuzzer :)
I tried this but sendmsg(2) returns ENODATA:
r0 = socket$nl_audit(AUTO, AUTO, AUTO)
sendmsg$AUDIT_SET(r0, &AUTO = {@audit_status={AUDIT_STATUS_ENABLED, 1}}, 0x0)
I'm not sure how to create a valid Netlink header+message.
The existing descriptions for sendmsg$AUDIT_SET are actually quite good and must have been enough for syzkaller to come up with something as simple as setting AUDIT_STATUS_ENABLED:
https://github.com/google/syzkaller/blob/master/sys/linux/socket_netlink_audit.txt
I've looked at the coverage reports, and it seems that syzkaller doesn't set audit_enabled only because it cannot go past this condition:
if (task_active_pid_ns(current) != &init_pid_ns)
https://elixir.bootlin.com/linux/v6.15.1/source/kernel/audit.c#L1065
Syzkaller does create a separate pid namespace in its executor: https://github.com/google/syzkaller/blob/0e8da31f2d4312fc3ad5c1e2e221075831885e0e/executor/common_linux.h#L4187
For the net namespace, we have a hacky pseudo syscall to call socket from the init net namespace even though we also do unshare(CLONE_NEWNET)
https://github.com/google/syzkaller/blob/0e8da31f2d4312fc3ad5c1e2e221075831885e0e/executor/common_linux.h#L2482-L2484
Something similar might be done for pid ns + sendmsg, but going on like this doesn't really seem sustainable...
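For reference, here is the full AUDIT_SET exchange the thread is talking about, written out as a small C program. It is an added example, not syzkaller's code and not the Landlock selftest `audit.h` linked above: it builds the netlink request that flips `audit_enabled` (the part the seed program can express), sends it on a `NETLINK_AUDIT` socket, and then reads and validates the `NLMSG_ERROR` ack (the part the thread says is awkward in syzlang). Run from a pid namespace other than the initial one, or without `CAP_AUDIT_CONTROL`, the ack simply carries the kernel's refusal instead of 0, which is how the `init_pid_ns` condition quoted above shows up from userspace. It assumes Linux UAPI headers; the sequence number and buffer size are arbitrary choices.

```c
// Added example: enable the kernel audit subsystem via AUDIT_SET and
// check the netlink ack. Not part of syzkaller or the Landlock selftests.
#include <errno.h>
#include <linux/audit.h>
#include <linux/netlink.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* An AUDIT_SET request is a netlink header followed by struct audit_status. */
struct audit_set_req {
    struct nlmsghdr hdr;
    struct audit_status status;
};

/* Fill in an AUDIT_SET request that touches only the "enabled" field.
 * Returns the total message length to pass to sendto(). */
size_t build_audit_set_enabled(struct audit_set_req *req, uint32_t enabled)
{
    memset(req, 0, sizeof(*req));
    req->hdr.nlmsg_len = NLMSG_LENGTH(sizeof(req->status));
    req->hdr.nlmsg_type = AUDIT_SET;
    req->hdr.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK; /* always get a reply */
    req->hdr.nlmsg_seq = 1;                           /* arbitrary, echoed in the ack */
    req->status.mask = AUDIT_STATUS_ENABLED;          /* only "enabled" is valid */
    req->status.enabled = enabled;
    return req->hdr.nlmsg_len;
}

/* Validate the kernel's reply. Returns 0 for a clean ack, the kernel's
 * negative errno carried in struct nlmsgerr, or -EBADMSG if the buffer is
 * not a well-formed NLMSG_ERROR for the sequence number we sent. */
int parse_audit_ack(const void *buf, size_t len, uint32_t expect_seq)
{
    const struct nlmsghdr *nlh = buf;
    if (len < sizeof(*nlh) || !NLMSG_OK(nlh, (int)len))
        return -EBADMSG;
    if (nlh->nlmsg_type != NLMSG_ERROR || nlh->nlmsg_seq != expect_seq)
        return -EBADMSG;
    if (nlh->nlmsg_len < NLMSG_LENGTH(sizeof(struct nlmsgerr)))
        return -EBADMSG;
    const struct nlmsgerr *err =
        (const struct nlmsgerr *)((const char *)nlh + NLMSG_HDRLEN);
    return err->error; /* 0 on success, otherwise -errno from audit_netlink_ok/audit_receive_msg */
}

/* Send AUDIT_SET{enabled} to the kernel and return the parsed ack.
 * Returns -1 with errno set if a syscall itself fails. */
int audit_set_enabled(uint32_t enabled)
{
    struct audit_set_req req;
    size_t len = build_audit_set_enabled(&req, enabled);
    struct sockaddr_nl kernel = { .nl_family = AF_NETLINK }; /* nl_pid 0 = kernel */
    char buf[512];                                           /* arbitrary ack buffer */
    ssize_t n;

    int fd = socket(AF_NETLINK, SOCK_RAW | SOCK_CLOEXEC, NETLINK_AUDIT);
    if (fd < 0)
        return -1;
    if (sendto(fd, &req, len, 0, (struct sockaddr *)&kernel, sizeof(kernel)) < 0) {
        close(fd);
        return -1;
    }
    n = recv(fd, buf, sizeof(buf), 0);
    close(fd);
    if (n < 0)
        return -1;
    return parse_audit_ack(buf, (size_t)n, req.hdr.nlmsg_seq);
}

int main(void)
{
    int ret = audit_set_enabled(1);
    if (ret == -1)
        perror("netlink syscall failed");
    else if (ret < 0)
        fprintf(stderr, "kernel refused AUDIT_SET: %s\n", strerror(-ret));
    else
        puts("audit_enabled set");
    return ret == 0 ? 0 : 1;
}
```

Setting `NLM_F_ACK` is what makes the reply unconditional, so the `recv()` never blocks waiting for a reply that only arrives on failure; that is also why a seed program that only does socket/sendto cannot tell whether the kernel actually accepted the request.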