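// TestResolver_SyscallEntry resolves every entry name in checksResolution
// through a Resolver built on the 386 table and compares the syscall number,
// the argument count and each argument's context with the expected values.
//
// check.nilError states whether the lookup is expected to succeed. Both
// directions are verified: a lookup that succeeds although an error was
// expected is reported instead of passing silently.
func TestResolver_SyscallEntry(t *testing.T) {
	r := syscallinfo.NewResolver(linux_386.SyscallTable)
	for _, check := range checksResolution {
		sc, err := r.SyscallEntry(check.entry)
		if err != nil {
			if check.nilError {
				t.Errorf("wrong error (want=nil, get=%v)", err)
			}
			continue
		}
		if !check.nilError {
			// The lookup was expected to fail; without this branch a
			// missing error fell through and was never noticed.
			t.Error("wrong error (want=non-nil, get=nil)")
			continue
		}
		if sc.Num != check.num {
			t.Errorf("wrong number (want=%v, get=%v)", check.num, sc.Num)
		}
		if len(sc.Args) != len(check.context) {
			// Argument lists of different length cannot be compared
			// element-wise below without indexing out of range.
			t.Errorf("wrong number of arguments (want=%v, get=%v)",
				len(check.context), len(sc.Args))
			continue
		}
		for i := range sc.Args {
			if sc.Args[i].Context != check.context[i] {
				t.Errorf("wrong context (want=%v, get=%v)",
					check.context[i], sc.Args[i].Context)
			}
		}
	}
}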
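// TestSyscallCall_Output builds a SyscallCall for every check in
// checksOutputs on the 386 table and compares Output(0) with the expected
// string.
//
// check.nilError is applied uniformly to the three steps that can fail
// (SyscallN, NewSyscallCall, Output); a case that is expected to fail and
// does not is reported as well. No step aborts the loop, so every check
// in the table is always exercised.
func TestSyscallCall_Output(t *testing.T) {
	r := syscallinfo.NewResolver(linux_386.SyscallTable)

	for _, check := range checksOutputs {
		sc, err := r.SyscallN(check.num)
		if err != nil {
			if check.nilError {
				t.Errorf("wrong error (want=nil, get=%v)", err)
			}
			continue
		}
		scc, err := syscallinfo.NewSyscallCall(sc, check.retval, check.args...)
		if err != nil {
			// A bare return here used to abandon every remaining check
			// without reporting anything; treat it like the other steps.
			if check.nilError {
				t.Errorf("wrong error (want=nil, get=%v)", err)
			}
			continue
		}
		str, err := scc.Output(0)
		if err != nil {
			if check.nilError {
				t.Errorf("wrong error (want=nil, get=%v)", err)
			}
			continue
		}
		if !check.nilError {
			t.Error("wrong error (want=non-nil, get=nil)")
			continue
		}
		if str != check.outputCall {
			t.Errorf("wrong string (want=%v, get=%v)", check.outputCall, str)
		}
	}
}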
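// EventCallback handles one audit event: it decodes the syscall record
// carried by ae, resolves it against the amd64 table, records the call on
// the traced process, follows fork/clone children and prints the call.
//
// args[0] must be the *Atrace that owns the process table. ce is not used
// by this implementation. Events that cannot be decoded or resolved are
// dropped silently, as before; the only behavioral additions are the guards
// that previously panicked (empty args, failed assertion, nil pointer
// dereference) and the refusal to file a record whose pid or syscall
// number is missing.
func EventCallback(ae *audit.AuditEvent, ce chan error, args ...interface{}) {
	// Make the variadic contract explicit: indexing an empty args panics,
	// and a failed assertion would leave at == nil for the dereferences below.
	if len(args) == 0 {
		return
	}
	at, ok := args[0].(*Atrace)
	if !ok || at == nil {
		return
	}

	// pid and syscall identify the event. A record lacking either cannot be
	// attributed; decoding it as 0 would file the call under pid 0 and
	// whatever syscall 0 resolves to in the table.
	pid, err := ae.GetValueInt("pid", 10)
	if err != nil {
		return
	}
	scNR, err := ae.GetValueInt("syscall", 10)
	if err != nil {
		return
	}
	// Register arguments and exit status stay best-effort: a field that is
	// absent or unparsable decodes as 0, exactly as in the original.
	a0, _ := ae.GetValueInt("a0", 16)
	a1, _ := ae.GetValueInt("a1", 16)
	a2, _ := ae.GetValueInt("a2", 16)
	a3, _ := ae.GetValueInt("a3", 16)
	a4, _ := ae.GetValueInt("a4", 16)
	a5, _ := ae.GetValueInt("a5", 16)
	exit, _ := ae.GetValueInt("exit", 10)

	r := syscallinfo.NewResolver(linux_amd64.SyscallTable)
	sc, err := r.SyscallN(scNR)
	if err != nil {
		return
	}

	scc, err := syscallinfo.NewSyscallCall(sc, uint64(exit), uint64(a0), uint64(a1), uint64(a2), uint64(a3), uint64(a4), uint64(a5))
	if err != nil {
		return
	}

	// Record the call on the traced process while holding the table lock.
	// NOTE(review): an event for a pid absent from at.processes skips the
	// bookkeeping instead of dereferencing a zero entry; confirm the table
	// cannot legitimately miss a traced pid (e.g. a child whose clone
	// record has not been processed yet).
	at.l_processes.Lock()
	process, tracked := at.processes[pid]
	if tracked {
		process.sccList = append(process.sccList, scc)
	}
	at.l_processes.Unlock()

	if tracked {
		switch scNR {
		case syscall.SYS_EXIT:
			// Removal of exited processes is intentionally disabled in
			// this version (see the commented-out delete); the critical
			// section is kept so the lock order stays unchanged.
			at.l_processes.Lock()
			//delete(at.processes, pid)
			at.l_processes.Unlock()
		case syscall.SYS_CLONE, syscall.SYS_FORK, syscall.SYS_VFORK:
			// The syscall return value of clone/fork in the parent is the
			// child pid; hand the parent's filter and recursion flag down.
			//if process.recursive {
			at.AddProcess(exit, process.scList, process.recursive)
			//}
		}
	}

	fmt.Printf("[%v] %v\n", pid, scc)
	os.Stdout.Sync()
}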
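// TestContextHandler_Handle installs a ContextHandler that renders CtxFD
// arguments as "test-<n>" and checks that SyscallCall.String picks it up,
// comparing the result with checkHandle.outputCall.
//
// Every setup failure is fatal: the test has nothing to compare if the
// SyscallCall cannot be built, so it must not silently pass in that case.
func TestContextHandler_Handle(t *testing.T) {
	ch := syscallinfo.ContextHandler{}
	ch.Handle(syscallinfo.CtxFD, func(n uint64) (string, error) {
		return fmt.Sprintf("test-%d", n), nil
	})

	r := syscallinfo.NewResolver(linux_386.SyscallTable)
	sc, err := r.SyscallN(checkHandle.num)
	if err != nil {
		t.Fatalf("wrong error (want=nil, get=%v)", err)
	}
	scc, err := syscallinfo.NewSyscallCall(sc, checkHandle.retval, checkHandle.args...)
	if err != nil {
		// Previously a bare return: the test passed without ever
		// comparing the output.
		t.Fatalf("wrong error (want=nil, get=%v)", err)
	}
	scc.SetContextHandler(ch)
	str := scc.String()
	if str != checkHandle.outputCall {
		t.Errorf("wrong string (want=%v, get=%v)", checkHandle.outputCall, str)
	}
}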
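// EventCallback handles one audit event: it decodes the syscall record
// carried by ae, updates the process table (drops exited processes, follows
// fork/clone children of recursive traces), resolves the call against the
// amd64 table and prints it.
//
// args[0] must be the *Atrace that owns the process table. ce is not used
// by this implementation. Events that cannot be decoded or resolved are
// dropped silently; previously a failed lookup still reached the Printf with
// a nil SyscallCall, and an empty args or failed assertion panicked.
func EventCallback(ae *audit.AuditEvent, ce chan error, args ...interface{}) {
	// Make the variadic contract explicit before any dereference of at.
	if len(args) == 0 {
		return
	}
	at, ok := args[0].(*Atrace)
	if !ok || at == nil {
		return
	}

	// pid and syscall identify the event; a record lacking either cannot be
	// attributed and must not be filed under pid 0 / syscall 0.
	pid, err := ae.GetValueInt("pid", 10)
	if err != nil {
		return
	}
	syscallid, err := ae.GetValueInt("syscall", 10)
	if err != nil {
		return
	}
	// Register arguments and exit status stay best-effort: a field that is
	// absent or unparsable decodes as 0, exactly as in the original.
	a0, _ := ae.GetValueInt("a0", 16)
	a1, _ := ae.GetValueInt("a1", 16)
	a2, _ := ae.GetValueInt("a2", 16)
	a3, _ := ae.GetValueInt("a3", 16)
	a4, _ := ae.GetValueInt("a4", 16)
	a5, _ := ae.GetValueInt("a5", 16)
	exit, _ := ae.GetValueInt("exit", 10)

	at.l_processes.Lock()
	process, tracked := at.processes[pid]
	at.l_processes.Unlock()

	// TODO: Review "task" auditd messages.
	switch syscallid {
	case syscall.SYS_EXIT:
		// Deleting a key that is not present is a no-op, so this needs no
		// tracked guard.
		at.l_processes.Lock()
		delete(at.processes, pid)
		at.l_processes.Unlock()
	case syscall.SYS_CLONE, syscall.SYS_FORK, syscall.SYS_VFORK:
		// Only a tracked parent can hand its syscall filter to the child;
		// for an unknown pid the zero entry carried nothing useful anyway.
		if !tracked {
			break
		}
		fmt.Println(process)
		if process.recursive {
			// In the parent, the return value of clone/fork is the child pid.
			at.AddProcess(exit, process.syscalls, process.recursive)
		}
	}

	scRes := syscallinfo.NewResolver(linux_amd64.SyscallTable)
	sc, err := scRes.SyscallN(syscallid)
	if err != nil {
		return
	}
	scc, err := syscallinfo.NewSyscallCall(sc, exit, a0, a1, a2, a3, a4, a5)
	if err != nil {
		return
	}
	fmt.Printf("[%d] %s\n", pid, scc)
	// NOTE(review): str is not declared in this function; unless it is a
	// package-level value this line does not compile — confirm against the
	// rest of the file.
	fmt.Printf("[%d] %s\n", pid, str)
	os.Stdout.Sync()
}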