
Handle ppc64 and ppc64le syscall lookups (elastic#72)
ppc64 and ppc64le use the same syscall table as ppc. But the syscall table was missing an entry
for these two architectures, so lookups would fail if you tried to install
an audit rule with `-F arch=ppc64le` or if go-libaudit tried to enrich messages with
the syscall names while running on those arches.
andrewkroh authored Jul 20, 2020
1 parent d278c96 commit dd5141d
Showing 5 changed files with 46 additions and 1 deletion.
2 changes: 2 additions & 0 deletions CHANGELOG.md
Expand Up @@ -9,6 +9,8 @@ This project adheres to [Semantic Versioning](http://semver.org/).

### Changed

- Fixed syscall lookup for ppc64 and ppc64le. [#71](https://github.com/elastic/go-libaudit/pull/71)

### Removed

### Deprecated
10 changes: 10 additions & 0 deletions auparse/mk_audit_syscalls.pl
Expand Up @@ -100,4 +100,14 @@ package auparse
print <<EOF;
}
func init() {
// Add "aliases" to ppc for ppc64 and ppc64le. They share the same tables.
ppcTable, found := AuditSyscalls["ppc"]
if !found {
panic("missing ppc syscall table")
}
AuditSyscalls["ppc64"] = ppcTable
AuditSyscalls["ppc64le"] = ppcTable
}
EOF
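Review bot: The two alias assignments at the end of the emitted `init()` store one table value under three keys, so if the table type is a map or another reference type, a mutation made through `AuditSyscalls["ppc64"]` is also visible through `"ppc"` and `"ppc64le"`; the emitted comment should state that the entries are shared and read-only, e.g. `// ppc64 and ppc64le alias the ppc table (same underlying value; treat all three as read-only).` The `panic` on a missing `"ppc"` entry is appropriate here because it flags a broken generator run rather than a runtime condition. The type of AuditSyscalls is not visible in this hunk, so the aliasing concern is inferred from the assignments alone.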
2 changes: 1 addition & 1 deletion auparse/zaudit_arches.go


10 changes: 10 additions & 0 deletions auparse/zaudit_syscalls.go


23 changes: 23 additions & 0 deletions rule/rule_test.go
Expand Up @@ -133,6 +133,19 @@ func TestAddSyscall(t *testing.T) {
assert.EqualValues(t, openSyscallNum, rule.syscalls[0])
}
})

t.Run("open", func(t *testing.T) {
rule := &ruleData{
arch: "ppc64le",
}
if err := addSyscall(rule, "open"); err != nil {
t.Fatal(err)
}
if assert.Len(t, rule.syscalls, 1) {
const openSyscallNum = 5
assert.EqualValues(t, openSyscallNum, rule.syscalls[0])
}
})
}

func TestAddFilter(t *testing.T) {
Expand Down Expand Up @@ -335,6 +348,16 @@ func TestAddFilter(t *testing.T) {
assert.EqualValues(t, auparse.AUDIT_ARCH_X86_64, rule.values[0])
})

t.Run("arch_ppc64le", func(t *testing.T) {
rule := &ruleData{}
if err := addFilter(rule, "arch", "=", "ppc64le"); err != nil {
t.Fatalf("%+v", err)
}
assert.EqualValues(t, archField, rule.fields[0])
assert.EqualValues(t, equalOperator, rule.fieldFlags[0])
assert.EqualValues(t, auparse.AUDIT_ARCH_PPC64LE, rule.values[0])
})

t.Run("perm", func(t *testing.T) {
rule := &ruleData{flags: exitFilter}
if err := addFilter(rule, "perm", "=", "wa"); err != nil {
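Review bot: The subtest added to TestAddSyscall is named `"open"`, which does not say it exercises the ppc64le arch and, if the preceding subtest carries the same name as its identical assertions suggest, will be reported by `go test` as `open#01`; rename it to follow the second hunk's convention, `t.Run("open_ppc64le", func(t *testing.T) {`. In the `arch_ppc64le` subtest, `rule.fields[0]`, `rule.fieldFlags[0]` and `rule.values[0]` are indexed without a length check, so an addFilter call that returns nil but leaves the slices empty would panic instead of failing with an assertion message; the `if assert.Len(t, ...)` guard used in the first hunk would be consistent here. Both TestAddSyscall and TestAddFilter start outside the hunks shown.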
