| Message ID | 1547607461-11233-7-git-send-email-zhang.jia@linux.alibaba.com |
|---|---|
| State | Accepted |
| Delegated to: | Petr Vorel |
| Headers | show |
| Series | [v3,1/6] ima/ima_boot_aggregate: Fix the definition of event log | expand |
On Wed, 2019-01-16 at 10:57 +0800, Jia Zhang wrote: > The output frequency of audit log is limited by printk_ratelimit() > in kernel if auditd not used. Thus, the test cases heavily depending > on searching certain keywords in log file may fail if the matching > patterns are exactly suppressed by printk_ratelimit(). > > In order to fix such a sort of failure, just temporarily remove the > printk rate limit, and restore its original setting when doing > cleanup. > > Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com> Thanks, I wasn't aware of the sysctl. If the message isn't in /var/log/messages or /var/log/audit/audit.log, do we now need to also check journalctl? Reviewed-by: Mimi Zohar <zohar@linux.ibm.com> > --- > .../kernel/security/integrity/ima/tests/ima_setup.sh | 2 +- > .../kernel/security/integrity/ima/tests/ima_violations.sh | 15 +++++++++++++++ > 2 files changed, 16 insertions(+), 1 deletion(-) > > diff --git a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh > index 6dfb4d2..fe60981 100644 > --- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh > +++ b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh > @@ -20,7 +20,7 @@ > TST_TESTFUNC="test" > TST_SETUP_CALLER="$TST_SETUP" > TST_SETUP="ima_setup" > -TST_CLEANUP="ima_cleanup" > +TST_CLEANUP="${TST_CLEANUP:-ima_cleanup}" > TST_NEEDS_TMPDIR=1 > TST_NEEDS_ROOT=1 > > diff --git a/testcases/kernel/security/integrity/ima/tests/ima_violations.sh b/testcases/kernel/security/integrity/ima/tests/ima_violations.sh > index f3f40d4..74223c2 100755 > --- a/testcases/kernel/security/integrity/ima/tests/ima_violations.sh > +++ b/testcases/kernel/security/integrity/ima/tests/ima_violations.sh > @@ -20,6 +20,7 @@ > # Test whether ToMToU and open_writer violations invalidatethe PCR and are logged. > > TST_SETUP="setup" > +TST_CLEANUP="cleanup" > TST_CNT=3 > TST_NEEDS_DEVICE=1 > > @@ -31,15 +32,29 @@ setup() > FILE="test.txt" > IMA_VIOLATIONS="$SECURITYFS/ima/violations" > LOG="/var/log/messages" > + PRINTK_RATE_LIMIT="0" > > if status_daemon auditd; then > LOG="/var/log/audit/audit.log" > + else > + tst_check_cmds sysctl > + > + PRINTK_RATE_LIMIT=`sysctl -n kernel.printk_ratelimit` > + sysctl -wq kernel.printk_ratelimit=0 > fi > [ -f "$LOG" ] || \ > tst_brk TBROK "log $LOG does not exist (bug in detection?)" > tst_res TINFO "using log $LOG" > } > > +cleanup() > +{ > + [ "$PRINTK_RATE_LIMIT" != "0" ] && \ > + sysctl -wq kernel.printk_ratelimit=$PRINTK_RATE_LIMIT > + > + ima_cleanup > +} > + > open_file_read() > { > exec 3< $FILE || exit 1
On 2019/1/21 上午2:38, Mimi Zohar wrote: > On Wed, 2019-01-16 at 10:57 +0800, Jia Zhang wrote: >> The output frequency of audit log is limited by printk_ratelimit() >> in kernel if auditd not used. Thus, the test cases heavily depending >> on searching certain keywords in log file may fail if the matching >> patterns are exactly suppressed by printk_ratelimit(). >> >> In order to fix such a sort of failure, just temporarily remove the >> printk rate limit, and restore its original setting when doing >> cleanup. >> >> Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com> > > Thanks, I wasn't aware of the sysctl. If the message isn't in > /var/log/messages or /var/log/audit/audit.log, do we now need to also > check journalctl? Not necessary. If user land's auditd is not used, kauditd will send the log to /var/log/message with printk rate limit: static void kauditd_printk_skb(struct sk_buff *skb) { struct nlmsghdr *nlh = nlmsg_hdr(skb); char *data = nlmsg_data(nlh); if (nlh->nlmsg_type != AUDIT_EOE && printk_ratelimit()) pr_notice("type=%d %s\n", nlh->nlmsg_type, data); } So just work around the potential loss with sysctl to temporarily disable the limit. Jia > > Reviewed-by: Mimi Zohar <zohar@linux.ibm.com> > >> --- >> .../kernel/security/integrity/ima/tests/ima_setup.sh | 2 +- >> .../kernel/security/integrity/ima/tests/ima_violations.sh | 15 +++++++++++++++ >> 2 files changed, 16 insertions(+), 1 deletion(-) >> >> diff --git a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh >> index 6dfb4d2..fe60981 100644 >> --- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh >> +++ b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh >> @@ -20,7 +20,7 @@ >> TST_TESTFUNC="test" >> TST_SETUP_CALLER="$TST_SETUP" >> TST_SETUP="ima_setup" >> -TST_CLEANUP="ima_cleanup" >> +TST_CLEANUP="${TST_CLEANUP:-ima_cleanup}" >> TST_NEEDS_TMPDIR=1 >> TST_NEEDS_ROOT=1 >> >> diff --git a/testcases/kernel/security/integrity/ima/tests/ima_violations.sh b/testcases/kernel/security/integrity/ima/tests/ima_violations.sh >> index f3f40d4..74223c2 100755 >> --- a/testcases/kernel/security/integrity/ima/tests/ima_violations.sh >> +++ b/testcases/kernel/security/integrity/ima/tests/ima_violations.sh >> @@ -20,6 +20,7 @@ >> # Test whether ToMToU and open_writer violations invalidatethe PCR and are logged. >> >> TST_SETUP="setup" >> +TST_CLEANUP="cleanup" >> TST_CNT=3 >> TST_NEEDS_DEVICE=1 >> >> @@ -31,15 +32,29 @@ setup() >> FILE="test.txt" >> IMA_VIOLATIONS="$SECURITYFS/ima/violations" >> LOG="/var/log/messages" >> + PRINTK_RATE_LIMIT="0" >> >> if status_daemon auditd; then >> LOG="/var/log/audit/audit.log" >> + else >> + tst_check_cmds sysctl >> + >> + PRINTK_RATE_LIMIT=`sysctl -n kernel.printk_ratelimit` >> + sysctl -wq kernel.printk_ratelimit=0 >> fi >> [ -f "$LOG" ] || \ >> tst_brk TBROK "log $LOG does not exist (bug in detection?)" >> tst_res TINFO "using log $LOG" >> } >> >> +cleanup() >> +{ >> + [ "$PRINTK_RATE_LIMIT" != "0" ] && \ >> + sysctl -wq kernel.printk_ratelimit=$PRINTK_RATE_LIMIT >> + >> + ima_cleanup >> +} >> + >> open_file_read() >> { >> exec 3< $FILE || exit 1
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh index 6dfb4d2..fe60981 100644 --- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh +++ b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh @@ -20,7 +20,7 @@ TST_TESTFUNC="test" TST_SETUP_CALLER="$TST_SETUP" TST_SETUP="ima_setup" -TST_CLEANUP="ima_cleanup" +TST_CLEANUP="${TST_CLEANUP:-ima_cleanup}" TST_NEEDS_TMPDIR=1 TST_NEEDS_ROOT=1 diff --git a/testcases/kernel/security/integrity/ima/tests/ima_violations.sh b/testcases/kernel/security/integrity/ima/tests/ima_violations.sh index f3f40d4..74223c2 100755 --- a/testcases/kernel/security/integrity/ima/tests/ima_violations.sh +++ b/testcases/kernel/security/integrity/ima/tests/ima_violations.sh @@ -20,6 +20,7 @@ # Test whether ToMToU and open_writer violations invalidatethe PCR and are logged. TST_SETUP="setup" +TST_CLEANUP="cleanup" TST_CNT=3 TST_NEEDS_DEVICE=1 @@ -31,15 +32,29 @@ setup() FILE="test.txt" IMA_VIOLATIONS="$SECURITYFS/ima/violations" LOG="/var/log/messages" + PRINTK_RATE_LIMIT="0" if status_daemon auditd; then LOG="/var/log/audit/audit.log" + else + tst_check_cmds sysctl + + PRINTK_RATE_LIMIT=`sysctl -n kernel.printk_ratelimit` + sysctl -wq kernel.printk_ratelimit=0 fi [ -f "$LOG" ] || \ tst_brk TBROK "log $LOG does not exist (bug in detection?)" tst_res TINFO "using log $LOG" } +cleanup() +{ + [ "$PRINTK_RATE_LIMIT" != "0" ] && \ + sysctl -wq kernel.printk_ratelimit=$PRINTK_RATE_LIMIT + + ima_cleanup +} + open_file_read() { exec 3< $FILE || exit 1
The output frequency of audit log is limited by printk_ratelimit() in kernel if auditd not used. Thus, the test cases heavily depending on searching certain keywords in log file may fail if the matching patterns are exactly suppressed by printk_ratelimit(). In order to fix such a sort of failure, just temporarily remove the printk rate limit, and restore its original setting when doing cleanup. Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com> --- .../kernel/security/integrity/ima/tests/ima_setup.sh | 2 +- .../kernel/security/integrity/ima/tests/ima_violations.sh | 15 +++++++++++++++ 2 files changed, 16 insertions(+), 1 deletion(-)