Fixes to rule conversion into display format (#41)

adriansr · andrewkroh · commit 0c842c62c7c0 · 2018-06-20T11:43:49.000-04:00
* Fix parsing of syscall rule with non-specified arch

The new `rule.ToCommandLine` failed when parsing a syscall rule without
an explicit platform.

* Fix test panic when GetStatus returns an error

TestAuditClientSetBacklogWaitTime would panic when fetch of auditd
status fails, for example when run without CAP_AUDIT_READ.

* Fix test build in 32-bit platform

The test was using some constants too big for a 32-bit signed integer.

* Fixes to rule parsing in 32-bit arch

Arch resolution logic was not working properly for 32bit architectures.

Updated the unit tests for 32bit platforms too.

* Tests fixes and exclusions for 32bit platforms

- Fix build error in test
- Exclude golden tests for now (rules not compatible with 32bit)

* Travis: testing round on a 32bit binary
diff --git a/.travis.yml b/.travis.yml
@@ -15,6 +15,7 @@ script:
   find . -name '*.go' | grep -v vendor | xargs gofmt -s -l | read &&
   echo "Code differs from gofmt's style. Run 'gofmt -s -w .'" 1>&2 && exit 1 || true
 - go test -v $(go list ./... | grep -v /vendor/)
+- GOARCH=386 go test -v $(go list ./... | grep -v /vendor/)
 - mkdir -p build/bin
 - go build -o build/bin/audit ./cmd/audit/
 - go build -o build/bin/auparse ./cmd/auparse/
diff --git a/audit_test.go b/audit_test.go
@@ -26,6 +26,7 @@ import (
 	"fmt"
 	"io"
 	"os"
+	"runtime"
 	"syscall"
 	"testing"
 	"time"
@@ -637,6 +638,9 @@ func TestAuditClientSetBacklogWaitTime(t *testing.T) {
 	}
 
 	status, err := getStatus(t)
+	if err != nil || status == nil {
+		t.Skipf("audit status not available: %v", err)
+	}
 	if status.FeatureBitmap&AuditFeatureBitmapBacklogWaitTime == 0 {
 		t.Skip("backlog wait time feature not supported in current kernel")
 	}
@@ -735,21 +739,63 @@ func TestAuditClientGetStatusAsync(t *testing.T) {
 }
 
 func TestRuleParsing(t *testing.T) {
-	for idx, line := range []string{
-		"-a always,exit -F arch=b64 -S execve,execveat -F key=exec",
-		"-a never,exit -F arch=b64 -S connect,accept,bind -F key=external-access",
-		"-w /etc/group -p wa",
-		"-w /etc/passwd -p rx",
-		"-w /etc/gshadow -p rwxa",
-		"-w /tmp/test -p rwa",
-		"-a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F exit=-EACCES -F key=access",
-		"-a never,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F exit=-EPERM -F key=access",
-		"-a always,exit -F arch=b32 -S open -F key=admin -F uid=root -F gid=root -F exit=33 -F path=/tmp -F perm=rwxa",
-		"-a always,exit -F arch=b64 -S open -F key=key -F uid=1111 -F gid=333 -F exit=-151111 -F filetype=fifo",
-		"-a never,exclude -F msgtype=GRP_CHAUTHTOK",
-		"-a always,user -F uid=root",
-		"-a always,task -F uid=root",
-	} {
+	var rules []string
+	switch runtime.GOARCH {
+	case "386":
+		rules = []string{
+			"-a always,exit -F arch=b32 -S execve,execveat -F key=exec",
+			"-a never,exit -F arch=b32 -S bind,connect,accept4 -F key=external-access",
+			"-w /etc/group -p wa",
+			"-w /etc/passwd -p rx",
+			"-w /etc/gshadow -p rwxa",
+			"-w /tmp/test -p rwa",
+			"-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F key=access",
+			"-a never,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F key=access",
+			"-a always,exit -F arch=b32 -S open -F key=admin -F uid=root -F gid=root -F exit=33 -F path=/tmp -F perm=rwxa",
+			"-a always,exit -F arch=b32 -S open -F key=key -F uid=1111 -F gid=333 -F exit=-151111 -F filetype=fifo",
+			"-a never,exclude -F msgtype=GRP_CHAUTHTOK",
+			"-a always,user -F uid=root",
+			"-a always,task -F uid=root",
+			"-a always,exit -S mount -F pid=1234",
+		}
+	case "amd64":
+		rules = []string{
+			"-a always,exit -F arch=b64 -S execve,execveat -F key=exec",
+			"-a never,exit -F arch=b64 -S connect,accept,bind -F key=external-access",
+			"-w /etc/group -p wa",
+			"-w /etc/passwd -p rx",
+			"-w /etc/gshadow -p rwxa",
+			"-w /tmp/test -p rwa",
+			"-a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F exit=-EACCES -F key=access",
+			"-a never,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F exit=-EPERM -F key=access",
+			"-a always,exit -F arch=b32 -S open -F key=admin -F uid=root -F gid=root -F exit=33 -F path=/tmp -F perm=rwxa",
+			"-a always,exit -F arch=b64 -S open -F key=key -F uid=1111 -F gid=333 -F exit=-151111 -F filetype=fifo",
+			"-a never,exclude -F msgtype=GRP_CHAUTHTOK",
+			"-a always,user -F uid=root",
+			"-a always,task -F uid=root",
+			"-a always,exit -S mount -F pid=1234",
+		}
+	default:
+		// Can't have multiple syscall testing as ordering of individual syscalls
+		// will vary between platforms (sorted by syscall id)
+		rules = []string{
+			"-a always,exit -S execve -F key=exec",
+			"-w /etc/group -p wa",
+			"-w /etc/passwd -p rx",
+			"-w /etc/gshadow -p rwxa",
+			"-w /tmp/test -p rwa",
+			"-a always,exit -S all -F exit=-EACCES -F key=access",
+			"-a never,exit -S all -F exit=-EPERM -F key=access",
+			"-a always,exit -S open -F key=admin -F uid=root -F gid=root -F exit=33 -F path=/tmp -F perm=rwxa",
+			"-a always,exit -S open -F key=key -F uid=1111 -F gid=333 -F exit=-151111 -F filetype=fifo",
+			"-a never,exclude -F msgtype=GRP_CHAUTHTOK",
+			"-a always,user -F uid=root",
+			"-a always,task -F uid=root",
+			"-a always,exit -S mount -F pid=1234",
+		}
+	}
+	t.Logf("checking %d rules", len(rules))
+	for idx, line := range rules {
 		msg := fmt.Sprintf("parsing line #%d: `%s`", idx, line)
 		r, err := flags.Parse(line)
 		if err != nil {
diff --git a/reassembler_test.go b/reassembler_test.go
@@ -96,7 +96,7 @@ func TestReassembler(t *testing.T) {
 }
 
 type eventMeta struct {
-	seq   int
+	seq   uint
 	count int
 }
 
diff --git a/rule/gen_testdata_test.go b/rule/gen_testdata_test.go
@@ -15,7 +15,7 @@
 // specific language governing permissions and limitations
 // under the License.
 
-// +build linux
+// +build linux,amd64
 
 package rule_test
 
diff --git a/rule/rule.go b/rule/rule.go
@@ -197,16 +197,17 @@ func ToCommandLine(wf WireFormat, resolveIds bool) (rule string, err error) {
 		}
 		if r.arch == "b32" {
 			switch arch {
+			case "i386", "arm", "ppc":
 			case "aarch64":
 				arch = "arm"
 			case "x86_64":
 				arch = "i386"
 			case "ppc64", "ppc64le":
 				arch = "ppc"
 			default:
-				return "", errors.New("invalid arch for b32")
+				return "", fmt.Errorf("invalid arch for b32: '%s'", arch)
 			}
-		} else if r.arch != "b64" {
+		} else if len(r.arch) > 0 && r.arch != "b64" {
 			arch = r.arch
 		}
 		syscallTable, ok := auparse.AuditSyscalls[arch]
diff --git a/rule/rule_integ_test.go b/rule/rule_integ_test.go
@@ -15,6 +15,8 @@
 // specific language governing permissions and limitations
 // under the License.
 
+// +build linux,amd64
+
 package rule_test
 
 import (
diff --git a/rule/rule_test.go b/rule/rule_test.go
@@ -362,7 +362,7 @@ func TestAddFilter(t *testing.T) {
 		}
 		assert.EqualValues(t, arg3Field, rule.fields[0])
 		assert.EqualValues(t, equalOperator, rule.fieldFlags[0])
-		assert.EqualValues(t, math.MaxUint32, rule.values[0])
+		assert.EqualValues(t, uint32(math.MaxUint32), rule.values[0])
 	})
 
 	t.Run("arg_min_int32", func(t *testing.T) {

Original file line number	Diff line number	Diff line change
`@@ -96,7 +96,7 @@ func TestReassembler(t *testing.T) {`
`96`	`96`	`}`
`97`	`97`
`98`	`98`	`type eventMeta struct {`
`99`		`- seq int`
	`99`	`+ seq uint`
`100`	`100`	`count int`
`101`	`101`	`}`
`102`	`102`
Original file line number	Diff line number	Diff line change
`@@ -362,7 +362,7 @@ func TestAddFilter(t *testing.T) {`
`362`	`362`	`}`
`363`	`363`	`assert.EqualValues(t, arg3Field, rule.fields[0])`
`364`	`364`	`assert.EqualValues(t, equalOperator, rule.fieldFlags[0])`
`365`		`- assert.EqualValues(t, math.MaxUint32, rule.values[0])`
	`365`	`+ assert.EqualValues(t, uint32(math.MaxUint32), rule.values[0])`
`366`	`366`	`})`
`367`	`367`
`368`	`368`	`t.Run("arg_min_int32", func(t *testing.T) {`