This revision introduces atf-c(3) test cases to check the proper auditability of network-
related syscalls which are used to send/receive messages through a socket.
Syscalls are:
- send(2)
- recv(2)
- sendto(2)
- recvfrom(2)
Details
Details
Execute make && make install from test/sys/audit.
Execute kyua test from /usr/tests/sys/audit. All testcases should succeed.
Diff Detail
Diff Detail
- Repository
- rS FreeBSD src repository - subversion
- Lint
Lint Not Applicable - Unit
Tests Not Applicable
Event Timeline
| tests/sys/audit/network.c | ||
|---|---|---|
| 51 ↗ | (On Diff #43964) | How meta ... |
| 93 ↗ | (On Diff #43964) | MACRO is not an ACRONYM |
| 94 ↗ | (On Diff #43964) | style(9) says to declare variables in one block at the top of the function, then have a blank line, then do everything else. So you should move fd_set readfds up above. |
| 96 ↗ | (On Diff #43964) | There's an errant space at the beginning of this line. |
| 99 ↗ | (On Diff #43964) | This is wrong. select's first argument is the number of file descriptors in the fd_set, not the number in the program. So in this case select is going to be reading stack garbage. Set nfds=1. |
| 616 ↗ | (On Diff #43964) | clientfd is a confusing name, because this socket actually belongs to the server. It's really the connected server socket. |
| 617 ↗ | (On Diff #43964) | The client variable is unused. Better just to pass NULL to accept. |
| 688 ↗ | (On Diff #43964) | What happens if you skip the check_readfs step? If the server's socket were blocking, then the following recv call would block, which is probably what you want. |
| 747 ↗ | (On Diff #43964) | The whole point of sendto is that you can skip the connect step. sendto is normally used with datagram sockets, not stream sockets. So you should do something like: sockfd = socket(PF_UNIX, SOCK_DGRAM, 0); bind(sockfd, ...); sockfd2 = socket(PF_UNIX, SOCK_DGRAM, 0); pipfd = setup(fds, auclass); data_bytes = sendto(sockfd2, msgbuff, strlen(msgbuf), 0, &server, len); check_audit(...); |
| 754 ↗ | (On Diff #43964) | You're sending to the wrong address. This is the client's address, not the server's. If this test works, it's because the socket is connected and is ignoring the address you pass in. |
| 784 ↗ | (On Diff #43964) | client is uninitialized here. |
| 822 ↗ | (On Diff #43964) | recvfrom, like sendto is normally used by datagram sockets, not stream sockets. |
Comment Actions
Lots of changes
- Non-blocking sockets not needed anymore, make them all default
- Remove check_readfs() functions [Since socket is blocking by default, read() will actually block till it receives a message]
- Eliminate client from the whole test program, since I never actually need it.
- Remove all unused, uninitialized variables, specially from failure test cases
- Improvements in comments an formatting
- Remove redundant header imports
| tests/sys/audit/network.c | ||
|---|---|---|
| 99 ↗ | (On Diff #43964) | No, nfds is the maximum limit of file descriptor to be checked. select(2) checks the status of descriptors from 0 to nfds -1. Besides, setting it as 1 will result in this: network:recv_success -> failed: /root/head/tests/sys/audit/network.c:100: select(1, &readfs, NULL, NULL, &timeout) > 0 not met [5.177s] network:recvfrom_success -> failed: /root/head/tests/sys/audit/network.c:100: select(1, &readfs, NULL, NULL, &timeout) > 0 not met [5.064s] In my case, I want select(2) to check the status of clientd, so I'll have to set the nfds as clientd + 1 Note: This function is not used anymore. |
| 747 ↗ | (On Diff #43964) | Yeah, this makes more sense. While creating the tests I wondered why am I using sendto(2) with stream socket and that too when it is connected (after which no point in specifying the address ). But I didn't know the exact steps so I went along with what I had been doing earlier. Thanks! |
| tests/sys/audit/network.c | ||
|---|---|---|
| 99 ↗ | (On Diff #43964) | Oh, you're right. I forgot that select used bitsets. |