From 8762d2bab3cea615a0c2401ae1cf519f5ce3e90c Mon Sep 17 00:00:00 2001
From: Richard Guy Briggs <rgb@redhat.com>
Date: Wed, 8 May 2019 06:57:57 -0400
Subject: [PATCH] tests: add filter_saddr_fam test

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
 tests/Makefile                  |   1 +
 tests/filter_saddr_fam/Makefile |   8 ++
 tests/filter_saddr_fam/test     | 140 ++++++++++++++++++++++++++++++++
 3 files changed, 149 insertions(+)
 create mode 100644 tests/filter_saddr_fam/Makefile
 create mode 100755 tests/filter_saddr_fam/test

diff --git a/tests/Makefile b/tests/Makefile
index 1945db4..48661c2 100644
--- a/tests/Makefile
+++ b/tests/Makefile
@@ -19,6 +19,7 @@ TESTS := \
 	file_delete \
 	file_rename \
 	filter_exclude \
+	filter_saddr_fam \
 	filter_sessionid \
 	login_tty \
 	lost_reset \
diff --git a/tests/filter_saddr_fam/Makefile b/tests/filter_saddr_fam/Makefile
new file mode 100644
index 0000000..7ade09a
--- /dev/null
+++ b/tests/filter_saddr_fam/Makefile
@@ -0,0 +1,8 @@
+TARGETS=$(patsubst %.c,%,$(wildcard *.c))
+
+LDLIBS += -lpthread
+
+all: $(TARGETS)
+clean:
+	rm -f $(TARGETS)
+
diff --git a/tests/filter_saddr_fam/test b/tests/filter_saddr_fam/test
new file mode 100755
index 0000000..8153aef
--- /dev/null
+++ b/tests/filter_saddr_fam/test
@@ -0,0 +1,140 @@
+#!/usr/bin/perl
+
+use strict;
+use File::Temp qw/ tempdir tempfile /;
+use Test;
+BEGIN { plan tests => 5 }
+
+###
+# functions
+
+sub key_gen {
+    my @chars = ( "A" .. "Z", "a" .. "z" );
+    my $key   = "testsuite-" . time . "-";
+    $key .= $chars[ rand @chars ] for 1 .. 8;
+    return $key;
+}
+
+###
+# setup
+
+# reset audit
+system("auditctl -D >/dev/null 2>&1");
+
+# limit ausearch to this test's events
+my ( $sec, $min, $hour, $mday, $mon, $year, $wday, $yday, $isdst ) =
+  localtime(time);
+$year += 1900;
+$mon  += 1;
+my $startdate = "$year-$mon-$mday";
+my $starttime = "$hour:$min:$sec";
+
+# create temp directory
+my $dir = tempdir( TEMPLATE => '/tmp/audit-testsuite-XXXX', CLEANUP => 1 );
+
+# create stdout/stderr sinks
+( my $fh_out, my $stdout ) = tempfile(
+    TEMPLATE => '/tmp/audit-testsuite-out-XXXX',
+    UNLINK   => 1
+);
+( my $fh_err, my $stderr ) = tempfile(
+    TEMPLATE => '/tmp/audit-testsuite-err-XXXX',
+    UNLINK   => 1
+);
+
+# set test rule key
+my $key = key_gen();
+
+my $result;
+my $rule;
+
+# set bad test rule
+$rule   = "always,exit -F arch=b$ENV{MODE} -S all -F saddr_fam=100 -F key=$key";
+$result = system("auditctl -a $rule >/dev/null 2>&1");
+ok( $result ne 0 );
+
+# set test rule
+$rule   = "always,exit -F arch=b$ENV{MODE} -S all -F saddr_fam=2 -F key=$key";
+$result = system("auditctl -a $rule >/dev/null 2>&1");
+ok( $result, 0 );
+
+# issue command to generate non-inet SOCKADDR traffic
+system("auditctl -s >/dev/null 2>&1");
+
+# issue test command to generate inet SOCKADDR record event
+my $port = 24242;
+system("exec 3<>/dev/udp/127.0.0.1/$port >/dev/null 2>&1;echo hi >&3");
+
+# delete test rule
+system("auditctl -d $rule >/dev/null 2>&1");
+
+# create marker event and wait for it to ensure our events are in the log
+system("auditctl -m syncmarker-$key >/dev/null 2>&1");
+for ( my $i = 0 ; $i < 10 ; $i++ ) {
+    if ( system("ausearch -m USER | grep -q syncmarker-$key") eq 0 ) {
+        last;
+    }
+    sleep(0.2);
+}
+
+# find the event
+seek( $fh_out, 0, 0 );
+seek( $fh_err, 0, 0 );
+$result = system(
+"LC_TIME=\"en_DK.utf8\" ausearch --start $startdate $starttime -i -m sockaddr -k $key >$stdout 2>$stderr"
+);
+ok( $result, 0 );    # Was an event found?
+
+# find the message ids of the records for that key
+my $line;
+my $id        = "";
+my $found_msg = 0;
+my %ids;
+while ( $line = <$fh_out> ) {
+    if ( $line =~ /^type=/ ) {
+        ($id) = ( $line =~ / msg=audit\(.+:([0-9]+)\).* / );
+        if ( !( exists $ids{$id} ) ) {
+            $ids{$id} = 0;
+        }
+        if ( $line =~ /^type=CONFIG_CHANGE / ) {
+            $ids{$id} = 1;
+        }
+    }
+}
+
+# verify all records are only inet (filter out rule commands)
+my $found_unfilt = "";
+foreach $id ( sort( keys %ids ) ) {
+    if ( $ids{$id} eq 0 ) {
+        seek( $fh_out, 0, 0 );
+        seek( $fh_err, 0, 0 );
+        system(
+"LC_TIME=\"en_DK.utf8\" ausearch --start $startdate $starttime -i -a $id > $stdout 2> $stderr"
+        );
+        while ( $line = <$fh_out> ) {
+            if ( $line =~ /^type=SOCKADDR / ) {    # find the sockaddr record
+                $line =~ / saddr_fam=([a-z]+) /;
+                if ( $1 eq "inet" ) {
+                    $found_msg = 1;
+                }
+                else {
+                    $found_unfilt = $1;
+                }
+            }
+        }
+    }
+}
+ok( $found_msg,    1 );     # Was the inet message found?
+ok( $found_unfilt, "" );    # Were non-inet messages filtered?
+
+# print any debug info if the test fails
+if ( defined $ENV{ATS_DEBUG} && $ENV{ATS_DEBUG} == 1 ) {
+    if ($found_unfilt) {
+        print "found_unfilt=$found_unfilt\n";
+    }
+}
+
+###
+# cleanup
+system("auditctl -D >/dev/null 2>&1");
+system("service auditd restart 2>/dev/null");