audit-testsuite
BUG: filter_exclude fails to check SYSCALL message provoked by unlink
When I log in to the test machine using my user and then switch to the root user, the filter_exclude test fails on tests 20 and 21, specifically where it's checking for the syscall message related to the unlink operation.
# TESTS="filter_exclude" make -e test
make -C tests test
make[1]: Entering directory '/home/rrobaina/src/audit/audit-testsuite/tests'
make[2]: Entering directory '/home/rrobaina/src/audit/audit-testsuite/tests/filter_exclude'
make[2]: Nothing to be done for 'all'.
make[2]: Leaving directory '/home/rrobaina/src/audit/audit-testsuite/tests/filter_exclude'
chmod +x */test
Running as user root
with context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
on system Fedora
filter_exclude/test .. 1/21 # Test 20 got: "256" (filter_exclude/test at line 167)
# Expected: "0"
# filter_exclude/test line 167 is: ok( $result, 0 );
# Test 21 got: "0" (filter_exclude/test at line 179)
# Expected: "1"
# filter_exclude/test line 179 is: ok( $found_msg, 1 );
filter_exclude/test .. Failed 2/21 subtests
Test Summary Report
-------------------
filter_exclude/test (Wstat: 0 Tests: 21 Failed: 2)
Failed tests: 20-21
Files=1, Tests=21, 0 wallclock secs ( 0.01 usr 0.00 sys + 0.15 cusr 0.04 csys = 0.20 CPU)
Result: FAIL
Failed 1/1 test programs. 2/21 subtests failed.
make[1]: *** [Makefile:61: test] Error 255
make[1]: Leaving directory '/home/rrobaina/src/audit/audit-testsuite/tests'
make: *** [Makefile:10: test] Error 2
Doing some preliminary debugging, I noticed that this failure is related to an auid mismatch.
# TESTS="filter_exclude" make -e test
not ok 20
# Test 20 got: "256" (./test at line 167)
# Expected: "0"
# ./test line 167 is: ok( $result, 0 );
not ok 21
# Test 21 got: "0" (./test at line 180)
# Expected: "1"
# ./test line 180 is: ok( $found_msg, 1 );
DEBUG:
-----
pid: 3204799, uid: 0, gid: 0, auid: 0, subject: unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
line:
-----
# ausearch -i -m SYSCALL -ts recent |grep unlink |tail -n1
type=SYSCALL msg=audit(02/11/2025 15:50:50.387:128412) : arch=x86_64 syscall=unlink success=yes exit=0 a0=0x5637106c3b10 a1=0x5637106c3b10 a2=0x7ffc280bc7f0
a3=0x100 items=2 ppid=3204798 pid=3204799 auid=rrobaina uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3
comm=test exe=/usr/bin/perl subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
Do we really need to check for the auid in this context? If not, a quick fix would be as simple as:
diff --git a/tests/filter_exclude/test b/tests/filter_exclude/test
index 248fc54..00b9289 100755
--- a/tests/filter_exclude/test
+++ b/tests/filter_exclude/test
@@ -162,7 +162,7 @@ for ( my $i = 0 ; $i < 10 ; $i++ ) {
# test for the SYSCALL message provoked by unlink
$result = system(
-"ausearch -i -m SYSCALL -p $pid -ui $uid -gi $gid -ul $auid -su $subj -ts recent > $stdout2 2> /dev/null"
+"ausearch -i -m SYSCALL -p $pid -ui $uid -gi $gid -su $subj -ts recent > $stdout2 2> /dev/null"
);
ok( $result, 0 );
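Review bot: Dropping `-ul $auid` hides the mismatch rather than fixing it: the DEBUG output shows the test computed auid: 0 while the SYSCALL record carries auid=rrobaina, so $auid is being derived from the effective uid instead of the process's login uid, which the kernel keeps across su. Prefer keeping the `-ul` filter and sourcing $auid from /proc/self/loginuid (omitting `-ul` when that reads 4294967295, i.e. unset). With the filter gone the search on -p/-ui/-gi/-su alone still finds the record here because the pid pins it, but the test no longer verifies that the auid in the record is the expected one.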
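As an added example (not part of this report or of audit-testsuite), here is how a test can take the auid from the kernel's login uid, /proc/self/loginuid, so that it matches the auid= field ausearch prints even after su; the helper names and the unset-loginuid handling are my own, and the page does not show how the test currently derives $auid.

```shell
#!/bin/sh
# Added example, not code from audit-testsuite: derive the auid for an
# ausearch filter from the kernel's login uid instead of the effective uid.
# The login uid is set once at login (pam_loginuid) and survives su/sudo,
# which is why the record shows auid=rrobaina while the test ran as uid 0.

# Print the login uid of this process, or nothing when it is unset
# (4294967295, i.e. (uid_t)-1, e.g. inside a container or a service that
# was never started through a login session). The file path is a parameter
# only so the function can be exercised on a constructed file.
read_loginuid() {
    file="${1:-/proc/self/loginuid}"
    [ -r "$file" ] || { echo ""; return 0; }
    v=$(cat "$file")
    if [ "$v" = "4294967295" ]; then echo ""; else echo "$v"; fi
}

# Build the ausearch arguments the test uses (-p/-ui/-gi/-su/-ts) and add
# -ul only when a login uid is actually set, so the check stays strict on
# a normal login but does not fail where no loginuid exists.
ausearch_filter() {
    pid=$1; uid=$2; gid=$3; subj=$4; auid=$5
    args="-i -m SYSCALL -p $pid -ui $uid -gi $gid -su $subj -ts recent"
    [ -n "$auid" ] && args="$args -ul $auid"
    echo "$args"
}

# Demonstration with this process's own ids; the SELinux subject is the one
# from the report, hard-coded here as a constructed value.
subj="unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023"
echo "uid=$(id -u) loginuid=$(read_loginuid)"
echo "ausearch $(ausearch_filter "$$" "$(id -u)" "$(id -g)" "$subj" "$(read_loginuid)")"
```

Run it once as the logged-in user and once after `su -`: uid changes to 0 while loginuid stays the same, which is the value the record's auid= field will carry.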