This is an automated email from the git hooks/post-receive script. jforbes pushed a commit to branch master in repository kernel-tests.
commit 23f0a08bf93d7a3d3df67c97a522ac117cd32154
Author: Josh Boyer <jwboyer@xxxxxxxxxx>
Date: Thu Oct 4 16:22:22 2012 -0400
Add initial modsign tests
---
default/modsign/modsign_tests.sh | 144 +++++++++++++++++++++++++++++++++++++++
default/modsign/runtest.sh | 16 +++++
2 files changed, 160 insertions(+)
diff --git a/default/modsign/modsign_tests.sh b/default/modsign/modsign_tests.sh
new file mode 100755
index 0000000..c29124f
--- /dev/null
+++ b/default/modsign/modsign_tests.sh
@@ -0,0 +1,144 @@
+#!/bin/bash
+
+modsign_check_modules()
+{
+
+ # Grab a module to mess around with. We'll pick one that is fairly
+ # stand-alone and rarely used.
+ cp /lib/modules/`uname -r`/kernel/fs/minix/minix.ko .
+
+ # Make sure we have the signed module marker
+ cat ./minix.ko | strings | grep "~Module signature appended~" &> /dev/null
+ if [ "$?" -ne "0" ]
+ then
+ echo "Module not signed"
+ return 1
+ fi
+
+ # Now check to see if it's signed with a Fedora cert
+ # FIXME: This isn't actually an exhaustive check. It doesn't verify
+ # the signature embedded is for the key that is loaded into the
+ # running kernel. A module from some other signed kernel would still
+ # pass here, but would fail to load later, etc.
+ #
+ # Need to write some code to actually extract the sig itself and
+ # compare.
+ cat ./minix.ko | strings | grep "Fedora kernel signing key" &> /dev/null
+ if [ "$?" -ne "0" ]
+ then
+ echo "Module not signed"
+ return 1
+ fi
+
+ # Make sure it isn't already loaded
+ lsmod | grep minix
+ if [ $? == "0" ]
+ then
+ "Module already in use. Skipping"
+ return 3
+ fi
+
+ fail=0
+ insmod ./minix.ko
+ if [ "$?" -ne "0" ]
+ then
+ echo "Signed module failed to load"
+ fail=1
+ else
+ echo "Successfully loaded signed module"
+ fi
+
+ rmmod minix
+ rm ./minix.ko
+ return ${fail}
+}
+
+modsign_unsigned()
+{
+ # Grab a module to mess around with. We'll pick one that is fairly
+ # stand-alone and rarely used.
+ cp /lib/modules/`uname -r`/kernel/fs/minix/minix.ko .
+ strip -g ./minix.ko
+
+ # Make sure it isn't already loaded
+ lsmod | grep minix
+ if [ $? == "0" ]
+ then
+ "Module already in use. Skipping"
+ return 3
+ fi
+ insmod ./minix.ko
+ loaded=$?
+
+ fail=0
+ if [ "$1" == "N" ]
+ then
+ if [ ${loaded} -ne "0" ]
+ then
+ echo "Unsigned module load failed"
+ fail=1
+ else
+ echo "Successfully loaded unsigned module"
+ rmmod minix
+ fi
+ else
+ if [ ${loaded} -ne "0" ]
+ then
+ echo "Successfully enforced signed module"
+ else
+ echo "Unsigned module loaded in enforcing mode"
+ rmmod minix
+ fail=1
+ fi
+ fi
+
+ # cleanup
+ rm ./minix.ko
+
+ return ${pass}
+}
+
+modsign_third_party()
+{
+ return 0
+}
+
+# Figure out if modsign is enabled in this kernel
+modsign=0
+if [ -f /proc/keys ]
+then
+ cat /proc/keys | grep module_sign &> /dev/null
+ if [ $? -ne "0" ]
+ then
+ echo Module signing not enabled
+ exit 3
+ fi
+ keyring=`cat /proc/keys | grep module_sign | cut -f 1 -d " "`
+ keyctl list 0x${keyring} | grep "Fedora kernel signing key" &> /dev/null
+ if [ $? == "0" ]
+ then
+ modsign=1
+ else
+ echo "Module signing enabled but no key listed"
+ exit 1
+ fi
+fi
+
+if [ ${modsign} -ne "1" ]
+then
+ echo "Module signing not enabled. I have no idea why but whatever"
+ exit 1
+fi
+
+# OK, now for some fun stuff.
+
+# Are we in enforcing?
+
+enforcing=`cat /sys/module/module/parameters/sig_enforce`
+
+# Make sure we actually have signed modules and that they load
+modsign_check_modules
+
+# Run some tests to see if we let unsigned modules load, etc
+modsign_unsigned ${enforcing}
+modsign_third_party ${enforcing}
diff --git a/default/modsign/runtest.sh b/default/modsign/runtest.sh
new file mode 100755
index 0000000..ea87a07
--- /dev/null
+++ b/default/modsign/runtest.sh
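Review bot: The enforcing-mode failure in modsign_unsigned is never reported: the function ends with `return ${pass}`, but only `fail` is ever assigned, so the unset `pass` turns that into a bare `return` that hands back the status of the preceding `rm ./minix.ko` (0), and "Unsigned module loaded in enforcing mode" still yields success. The top-level statement run then discards the status of `modsign_check_modules` and `modsign_unsigned ${enforcing}`, so the script's exit code is always that of `modsign_third_party`, which is hard-wired to 0 — a kernel that loads an unsigned module in enforcing mode cannot fail this test as written. The two skip messages are also missing their command: `"Module already in use. Skipping"` on its own is executed as a command name, so the line should read `echo "Module already in use. Skipping"` in both functions. I would return `fail` from modsign_unsigned and accumulate the last non-zero status at the top level so runtest.sh sees both failures (1) and skips (3).
```shell
modsign_unsigned()
{
 # … unchanged: copy + strip, already-loaded check, insmod, Y/N branches, cleanup …
 return ${fail}
}
# … unchanged: modsign_third_party, /proc/keys probing, enforcing lookup …
rc=0

# Make sure we actually have signed modules and that they load
modsign_check_modules || rc=$?

# Run some tests to see if we let unsigned modules load, etc
modsign_unsigned ${enforcing} || rc=$?
modsign_third_party ${enforcing} || rc=$?

exit ${rc}
```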
@@ -0,0 +1,16 @@
+#!/bin/sh
+
+source ../../utils/root-check.sh
+
+check_root
+is_root=$?
+if [ "$is_root" -ne "0" ]; then
+ exit 3
+fi
+
+# Run
+./modsign_tests.sh
+if [ "$?" -ne "0" ]; then
+ echo "Could not run tests"
+ exit -1
+fi
-- To stop receiving notification emails like this one, please contact the administrator of this repository. _______________________________________________ kernel mailing list kernel@xxxxxxxxxxxxxxxxxxxxxxx https://lists.fedoraproject.org/admin/lists/kernel@xxxxxxxxxxxxxxxxxxxxxxx
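Review bot: The `exit -1` after "Could not run tests" collapses every non-zero status from `./modsign_tests.sh` into one value, which discards the 3 that modsign_tests.sh uses for "Module signing not enabled" and reports an unsupported kernel as a failed test — while this same script propagates 3 for the root check a few lines above. `-1` is also not a valid exit argument under `#!/bin/sh` on non-bash shells (dash rejects it and exits 2), and `source` is the bash spelling of `.` under that shebang. Suggest forwarding the status instead: `./modsign_tests.sh`, `rc=$?`, then `exit "$rc"` in place of `exit -1` inside the existing non-zero branch. The relative `../../utils/root-check.sh` and `./modsign_tests.sh` paths presumably rely on the harness running this script from its own directory — worth a one-line comment if that is the contract.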