Re: [LTP] [RFC PATCH 1/2] security/ima: Rewrite tests into new API + fixes

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi!
> +# Verify that measurements are added to the measurement list based on policy.
> +
> +TST_TESTFUNC="test"
> +TST_CNT=3
> +. ima_setup.sh
> +
> +TEST_FILE="test.txt"
> +HASH_COMMAND="sha1sum"
> +POLICY="$IMA_DIR/policy"
>  
>  init()
>  {
> -	tst_check_cmds sha1sum
> -
> -	# verify using default policy
> -	if [ ! -f "$IMA_DIR/policy" ]; then
> -		tst_resm TINFO "not using default policy"
> -	fi
> +	grep -q '^CONFIG_IMA_DEFAULT_HASH_SHA256=y' /boot/config-$(uname -r) && \
> +		HASH_COMMAND="sha256sum"

Grepping /boot/config-$foo is really broken, isn't there some sysfs
or ioctl interface where we can figure out this info?

> +	tst_res TINFO "detected IMA algoritm: ${HASH_COMMAND%sum}"
> +	tst_check_cmds $HASH_COMMAND
> +	[ -f "$POLICY" ] || tst_res TINFO "not using default policy"
>  }
>  
> -# Function:     test01
> -# Description   - Verify reading a file causes a new measurement to
> -#		  be added to the IMA measurement list.
> -test01()
> +ima_check()
>  {
> -	# Create file test.txt
> -	cat > test.txt <<-EOF
> -	$(date) - this is a test file
> -	EOF
> -	if [ $? -ne 0 ]; then
> -		tst_brkm TBROK "Unable to create test file"
> -	fi
> -
> -	# Calculating the sha1sum of test.txt should add
> -	# the measurement to the measurement list.
> -	# (Assumes SHA1 IMA measurements.)
> -	hash=$(sha1sum "test.txt" | sed 's/  -//')
> -
> -	# Check if the file is measured
> -	# (i.e. contained in the ascii measurement list.)
> -	cat /sys/kernel/security/ima/ascii_runtime_measurements > measurements
> -	sleep 1
> -	$(grep $hash measurements > /dev/null)
> -	if [ $? -ne 0 ]; then
> -		tst_resm TFAIL "TPM ascii measurement list does not contain sha1sum"
> -	else
> -		tst_resm TPASS "TPM ascii measurement list contains sha1sum"
> -	fi
> +	EXPECT_PASS grep -q $($HASH_COMMAND $TEST_FILE) $ASCII_MEASUREMENTS
>  }
>  
> -# Function:     test02
> -# Description	- Verify modifying, then reading, a file causes a new
> -# 		  measurement to be added to the IMA measurement list.
> -test02()
> +test1()
>  {
> -	# Modify test.txt
> -	echo $(date) - file modified >> test.txt
> +	tst_res TINFO "verify adding record to the IMA measurement list"
> +	ROD echo "$(date) this is a test file" \> $TEST_FILE
> +	ima_check
> +}
>  
> -	# Calculating the sha1sum of test.txt should add
> -	# the new measurement to the measurement list
> -	hash=$(sha1sum test.txt | sed 's/  -//')
> +test2()
> +{
> +	local device
>  
> -	# Check if the new measurement exists
> -	cat /sys/kernel/security/ima/ascii_runtime_measurements > measurements
> -	$(grep $hash measurements > /dev/null)
> +	tst_res TINFO "verify updating record in the IMA measurement list"
>  
> -	if [ $? -ne 0 ]; then
> -		tst_resm TFAIL "Modified file not measured"
> -		tst_resm TINFO "iversion not supported; or not mounted with iversion"
> +	device="$(df . | sed -e 1d | cut -f1 -d ' ')"
> +	if grep -q $device /proc/mounts; then
> +		if grep -q "${device}.*ext[2-4]" /proc/mounts; then
> +			grep -q "${device}.*ext[2-4].*i_version" /proc/mounts || \
> +				tst_res TINFO "device '$device' is not mounted with iversion"
> +		fi
>  	else
> -		tst_resm TPASS "Modified file measured"
> +		tst_res TWARN "could not find mount info for device '$device'"
>  	fi
> +
> +	ROD echo "$(date) modified file" \> $TEST_FILE
> +	ima_check
>  }
>  
> -# Function:     test03
> -# Description 	- Verify files are measured based on policy
> -#		(Default policy does not measure user files.)
> -test03()
> +test3()
>  {
> -	# create file user-test.txt
> -	mkdir -m 0700 user
> -	chown nobody.nobody user
> -	cd user
> -	hash=0
> -
> -	# As user nobody, create and cat the new file
> -	# (The LTP tests assumes existence of 'nobody'.)
> -	sudo -n -u nobody sh -c "echo $(date) - create test.txt > ./test.txt;
> -				 cat ./test.txt > /dev/null"
> -
> -	# Calculating the hash will add the measurement to the measurement
> -	# list, so only calc the hash value after getting the measurement
> -	# list.
> -	cat /sys/kernel/security/ima/ascii_runtime_measurements > measurements
> -	hash=$(sha1sum test.txt | sed 's/  -//')
> -	cd - >/dev/null
> -
> -	# Check if the file is measured
> -	grep $hash measurements > /dev/null
> -	if [ $? -ne 0 ]; then
> -		tst_resm TPASS "user file test.txt not measured"
> -	else
> -		tst_resm TFAIL "user file test.txt measured"
> -	fi
> -}
> +	local dir="user"
> +	local user="nobody"
>  
> -. ima_setup.sh
> +	tst_res TINFO "verify measuring user files"
>  
> -setup
> -TST_CLEANUP=cleanup
> +	id $user >/dev/null 2>/dev/null || tst_brk TCONF "missing system user $user (wrong installation)"
> +	tst_check_cmds sudo
>  
> -init
> -test01
> -test02
> -test03
> +	mkdir -m 0700 $dir
> +	chown $user $dir
> +	cd $dir
> +
> +	sudo -n -u $user sh -c "echo $(date) user file > $TEST_FILE;
> +		cat $TEST_FILE > /dev/null"
>  
> -tst_exit
> +	ima_check
> +	cd ..
> +}
> +
> +init
   ^
   Any reason we don't pass this as TST_SETUP ?
> +tst_run
> diff --git a/testcases/kernel/security/integrity/ima/tests/ima_policy.sh b/testcases/kernel/security/integrity/ima/tests/ima_policy.sh
> index ad5900975..162d323a1 100755
> --- a/testcases/kernel/security/integrity/ima/tests/ima_policy.sh
> +++ b/testcases/kernel/security/integrity/ima/tests/ima_policy.sh
> @@ -1,127 +1,114 @@
>  #!/bin/sh
> -################################################################################
> -##                                                                            ##
> -## Copyright (C) 2009 IBM Corporation                                         ##
> -##                                                                            ##
> -## This program is free software;  you can redistribute it and#or modify      ##
> -## it under the terms of the GNU General Public License as published by       ##
> -## the Free Software Foundation; either version 2 of the License, or          ##
> -## (at your option) any later version.                                        ##
> -##                                                                            ##
> -## This program is distributed in the hope that it will be useful, but        ##
> -## WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY ##
> -## or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License   ##
> -## for more details.                                                          ##
> -##                                                                            ##
> -## You should have received a copy of the GNU General Public License          ##
> -## along with this program;  if not, write to the Free Software               ##
> -## Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA    ##
> -##                                                                            ##
> -################################################################################
> +# Copyright (c) 2009 IBM Corporation
> +# Copyright (c) 2018 Petr Vorel <pvorel@xxxxxxx>
>  #
> -# File :        ima_policy.sh
> +# This program is free software; you can redistribute it and/or
> +# modify it under the terms of the GNU General Public License as
> +# published by the Free Software Foundation; either version 2 of
> +# the License, or (at your option) any later version.
>  #
> -# Description:  This file tests replacing the default integrity measurement
> -#		policy.
> +# This program is distributed in the hope that it would be useful,
> +# but WITHOUT ANY WARRANTY; without even the implied warranty of
> +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
> +# GNU General Public License for more details.
>  #
> -# Author:       Mimi Zohar, zohar@xxxxxxxxxxxxxxxx
> -################################################################################
> -export TST_TOTAL=3
> -export TCID="ima_policy"
> +# You should have received a copy of the GNU General Public License
> +# along with this program. If not, see <http://www.gnu.org/licenses/>.
> +#
> +# Author: Mimi Zohar, zohar@xxxxxxxxxxxxxxxx
> +#
> +# Test replacing the default integrity measurement policy.
> +
> +TST_TESTFUNC="test"
> +TST_CNT=3
> +. ima_setup.sh
>  
>  init()
>  {
> -	# verify using default policy
> -	IMA_POLICY=$IMA_DIR/policy
> -	if [ ! -f $IMA_POLICY ]; then
> -		tst_resm TINFO "default policy already replaced"
> -	fi
> +	IMA_POLICY="$IMA_DIR/policy"
> +	[ -f $IMA_POLICY ] || \
> +		tst_brk TCONF "IMA policy already loaded and kernel not configured to enable multiple writes it"
>  
> -	VALID_POLICY=$LTPROOT/testcases/data/ima_policy/measure.policy
> -	if [ ! -f $VALID_POLICY ]; then
> -		tst_resm TINFO "missing $VALID_POLICY"
> -	fi
> +	VALID_POLICY="$LTPROOT/testcases/data/ima_policy/measure.policy"
                               ^
			       $TST_DATAROOT
> +	[ -f $VALID_POLICY ] || tst_brk TCONF "missing $VALID_POLICY"
>  
> -	INVALID_POLICY=$LTPROOT/testcases/data/ima_policy/measure.policy-invalid
> -	if [ ! -f $INVALID_POLICY ]; then
> -		tst_resm TINFO "missing $INVALID_POLICY"
> -	fi
> +	INVALID_POLICY="$LTPROOT/testcases/data/ima_policy/measure.policy-invalid"
> +	[ -f $INVALID_POLICY ] || tst_brk TCONF "missing $INVALID_POLICY"
>  }
>  
>  load_policy()
>  {
> +	local ret
> +
>  	exec 2>/dev/null 4>$IMA_POLICY
> -	if [ $? -ne 0 ]; then
> -		exit 1
> -	fi
> +	[ $? -eq 0 ] || exit 1
>  
>  	cat $1 |
> -	while read line ; do
> -	{
> -		if [ "${line#\#}" = "${line}" ] ; then
> -			echo $line >&4 2> /dev/null
> +	while read line; do
> +		if [ "${line#\#}" = "${line}" ]; then
> +			echo "$line" >&4 2> /dev/null
>  			if [ $? -ne 0 ]; then
>  				exec 4>&-
>  				return 1
>  			fi
>  		fi
> -	}
>  	done
> -}
> +	ret=$?
>  
> +	[ $ret -eq 0 ] && \
> +		tst_res TINFO "IMA policy updated, please reboot after testing to restore settings"
>  
> -# Function:     test01
> -# Description   - Verify invalid policy doesn't replace default policy.
> -test01()
> +	return $ret
> +}
> +
> +test1()
>  {
> +	tst_res TINFO "verify that invalid policy doesn't replace default policy"
> +
> +	local p1
> +
>  	load_policy $INVALID_POLICY & p1=$!
>  	wait "$p1"
>  	if [ $? -ne 0 ]; then
> -		tst_resm TPASS "didn't load invalid policy"
> +		tst_res TPASS "didn't load invalid policy"
>  	else
> -		tst_resm TFAIL "loaded invalid policy"
> +		tst_res TFAIL "loaded invalid policy"
>  	fi
>  }
>  
> -# Function:     test02
> -# Description	- Verify policy file is opened sequentially, not concurrently
> -#		  and install new policy
> -test02()
> +test2()
>  {
> +	tst_res TINFO "verify that policy file is opened sequentially and installs new policy"
> +
> +	local p1 p2 rc1 rc2
> +
>  	load_policy $VALID_POLICY & p1=$!  # forked process 1
>  	load_policy $VALID_POLICY & p2=$!  # forked process 2
> -	wait "$p1"; RC1=$?
> -	wait "$p2"; RC2=$?
> -	if [ $RC1 -eq 0 ] && [ $RC2 -eq 0 ]; then
> -		tst_resm TFAIL "measurement policy opened concurrently"
> -	elif [ $RC1 -eq 0 ] || [ $RC2 -eq 0 ]; then
> -		tst_resm TPASS "replaced default measurement policy"
> +	wait "$p1"; rc1=$?
> +	wait "$p2"; rc2=$?
> +	if [ $rc1 -eq 0 ] && [ $rc2 -eq 0 ]; then
> +		tst_res TFAIL "measurement policy opened concurrently"
> +	elif [ $rc1 -eq 0 ] || [ $rc2 -eq 0 ]; then
> +		tst_res TPASS "replaced default measurement policy"
>  	else
> -		tst_resm TFAIL "problems opening measurement policy"
> +		tst_res TFAIL "problems opening measurement policy"
>  	fi
>  }
>  
> -# Function:     test03
> -# Description 	- Verify can't load another measurement policy.
> -test03()
> +test3()
>  {
> +	tst_res TINFO "verify that valid policy isn't replaced"
> +
> +	local p1
> +
>  	load_policy $INVALID_POLICY & p1=$!
>  	wait "$p1"
>  	if [ $? -ne 0 ]; then
> -		tst_resm TPASS "didn't replace valid policy"
> +		tst_res TPASS "didn't replace valid policy"
>  	else
> -		tst_resm TFAIL "replaced valid policy"
> +		tst_res TFAIL "replaced valid policy"
>  	fi
>  }
>  
> -. ima_setup.sh
> -
> -setup
> -TST_CLEANUP=cleanup
> -
>  init
> -test01
> -test02
> -test03
> -
> -tst_exit
> +tst_run
> diff --git a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
> old mode 100755
> new mode 100644
> index 0ff38d23b..7e19e3959
> --- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
> +++ b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
> @@ -1,86 +1,67 @@
>  #!/bin/sh
> -################################################################################
> -##                                                                            ##
> -## Copyright (C) 2009 IBM Corporation                                         ##
> -##                                                                            ##
> -## This program is free software;  you can redistribute it and#or modify      ##
> -## it under the terms of the GNU General Public License as published by       ##
> -## the Free Software Foundation; either version 2 of the License, or          ##
> -## (at your option) any later version.                                        ##
> -##                                                                            ##
> -## This program is distributed in the hope that it will be useful, but        ##
> -## WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY ##
> -## or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License   ##
> -## for more details.                                                          ##
> -##                                                                            ##
> -## You should have received a copy of the GNU General Public License          ##
> -## along with this program;  if not, write to the Free Software Foundation,   ##
> -## Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA           ##
> -##                                                                            ##
> -################################################################################
> +# Copyright (c) 2009 IBM Corporation
> +# Copyright (c) 2018 Petr Vorel <pvorel@xxxxxxx>
>  #
> -# File :        ima_setup.sh
> +# This program is free software; you can redistribute it and/or
> +# modify it under the terms of the GNU General Public License as
> +# published by the Free Software Foundation; either version 2 of
> +# the License, or (at your option) any later version.
>  #
> -# Description:  setup/cleanup routines for the integrity tests.
> +# This program is distributed in the hope that it would be useful,
> +# but WITHOUT ANY WARRANTY; without even the implied warranty of
> +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
> +# GNU General Public License for more details.
>  #
> -# Author:       Mimi Zohar, zohar@xxxxxxxxxxxxxxxx
> -################################################################################
> -. test.sh
> -mount_sysfs()
> -{
> -	SYSFS=$(mount 2>/dev/null | awk '$5 == "sysfs" { print $3 }')
> -	if [ "x$SYSFS" = x ] ; then
> +# You should have received a copy of the GNU General Public License
> +# along with this program. If not, see <http://www.gnu.org/licenses/>.
> +#
> +# Author: Mimi Zohar, zohar@xxxxxxxxxxxxxxxx
>  
> -		SYSFS=/sys
> +TST_CLEANUP="cleanup"
> +TST_NEEDS_TMPDIR=1
> +TST_NEEDS_ROOT=1
> +. tst_test.sh
>  
> -		test -d $SYSFS || mkdir -p $SYSFS 2>/dev/null
> -		if [ $? -ne 0 ] ; then
> -			tst_brkm TBROK "Failed to mkdir $SYSFS"
> -		fi
> -		if ! mount -t sysfs sysfs $SYSFS 2>/dev/null ; then
> -			tst_brkm TBROK "Failed to mount $SYSFS"
> -		fi
> +export TCID="${TCID:-$(basename $0 | cut -d. -f1)}"
>  
> -	fi
> -}
> +UMOUNT=
>  
> -mount_securityfs()
> +mount_helper()
>  {
> -	SECURITYFS=$(mount 2>/dev/null | awk '$5 == "securityfs" { print $3 }')
> -	if [ "x$SECURITYFS" = x ] ; then
> -
> -		SECURITYFS="$SYSFS/kernel/security"
> +	local type="$1"
> +	local default_dir="$2"
> +	local dir
>  
> -		test -d $SECURITYFS || mkdir -p $SECURITYFS 2>/dev/null
> -		if [ $? -ne 0 ] ; then
> -			tst_brkm TBROK "Failed to mkdir $SECURITYFS"
> -		fi
> -		if ! mount -t securityfs securityfs $SECURITYFS 2>/dev/null ; then
> -			tst_brkm TBROK "Failed to mount $SECURITYFS"
> -		fi
> +	dir="$(grep ^$type /proc/mounts | cut -d ' ' -f2 | head -1)"
> +	[ -n "$dir" ] && { echo "$dir"; return; }
>  
> +	if ! mkdir -p $default_dir; then
> +		tst_brk TBROK "Failed to create $default_dir"
> +	fi
> +	if ! mount -t $type $type $default_dir; then
> +		tst_brk TBROK "Failed to mount $type"
>  	fi
> +	UMOUNT="$default_dir $UMOUNT"
> +	echo $default_dir
>  }
>  
>  setup()
>  {
> -	tst_require_root
> +	SYSFS="$(mount_helper sysfs /sys)"

Do we really still need to mount /sys as far as I can tell it's
mounted automatically for more than 10 years now.

> +	SECURITYFS="$(mount_helper securityfs $SYSFS/kernel/security)"
>  
> -	tst_tmpdir
> -
> -	mount_sysfs
> -
> -	# mount securityfs if it is not already mounted
> -	mount_securityfs
> -
> -	# IMA must be configured in the kernel
> -	IMA_DIR=$SECURITYFS/ima
> -	if [ ! -d "$IMA_DIR" ]; then
> -		tst_brkm TCONF "IMA not enabled in kernel"
> -	fi
> +	IMA_DIR="$SECURITYFS/ima"
> +	[ -d "$IMA_DIR" ] || tst_brk TCONF "IMA not enabled in kernel"
> +	ASCII_MEASUREMENTS="$IMA_DIR/ascii_runtime_measurements"
> +	BINARY_MEASUREMENTS="$IMA_DIR/binary_runtime_measurements"
>  }
>  
>  cleanup()
>  {
> -	tst_rmdir
> +	local dir
> +	for dir in $UMOUNT; do
> +		umount $dir
> +	done
>  }
> +
> +setup
> diff --git a/testcases/kernel/security/integrity/ima/tests/ima_tpm.sh b/testcases/kernel/security/integrity/ima/tests/ima_tpm.sh
> index 333bf5f8a..a3d1739cd 100755
> --- a/testcases/kernel/security/integrity/ima/tests/ima_tpm.sh
> +++ b/testcases/kernel/security/integrity/ima/tests/ima_tpm.sh
> @@ -1,70 +1,61 @@
>  #!/bin/sh
> -
> -################################################################################
> -##                                                                            ##
> -## Copyright (C) 2009 IBM Corporation                                         ##
> -##                                                                            ##
> -## This program is free software;  you can redistribute it and#or modify      ##
> -## it under the terms of the GNU General Public License as published by       ##
> -## the Free Software Foundation; either version 2 of the License, or          ##
> -## (at your option) any later version.                                        ##
> -##                                                                            ##
> -## This program is distributed in the hope that it will be useful, but        ##
> -## WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY ##
> -## or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License   ##
> -## for more details.                                                          ##
> -##                                                                            ##
> -## You should have received a copy of the GNU General Public License          ##
> -## along with this program;  if not, write to the Free Software               ##
> -## Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA    ##
> -##                                                                            ##
> -################################################################################
> +# Copyright (c) 2009 IBM Corporation
> +# Copyright (c) 2018 Petr Vorel <pvorel@xxxxxxx>
> +#
> +# This program is free software; you can redistribute it and/or
> +# modify it under the terms of the GNU General Public License as
> +# published by the Free Software Foundation; either version 2 of
> +# the License, or (at your option) any later version.
>  #
> -# File :        ima_tpm.sh
> +# This program is distributed in the hope that it would be useful,
> +# but WITHOUT ANY WARRANTY; without even the implied warranty of
> +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
> +# GNU General Public License for more details.
>  #
> -# Description:  This file verifies the boot and PCR aggregates
> +# You should have received a copy of the GNU General Public License
> +# along with this program. If not, see <http://www.gnu.org/licenses/>.
>  #
> -# Author:       Mimi Zohar, zohar@xxxxxxxxxxxxxxxx
> +# Author: Mimi Zohar, zohar@xxxxxxxxxxxxxxxx
>  #
> -# Return        - zero on success
> -#               - non zero on failure. return value from commands ($RC)
> -################################################################################
> -export TST_TOTAL=3
> -export TCID="ima_tpm"
> +# Verify the boot and PCR aggregates.
> +
> +TST_TESTFUNC="test"
> +TST_CNT=3
> +. ima_setup.sh
>  
>  init()
>  {
>  	tst_check_cmds ima_boot_aggregate ima_measure
>  }
>  
> -# Function:     test01
> -# Description   - Verify boot aggregate value is correct
> -test01()
> +test1()
>  {
> -	zero="0000000000000000000000000000000000000000"
> +	tst_res TINFO "verify boot aggregate"
> +
> +	local zero="0000000000000000000000000000000000000000"
> +	local tpm_bios="$SECURITYFS/tpm0/binary_bios_measurements"
> +	local ima_measurements="$ASCII_MEASUREMENTS"
> +	local ima_aggr line
>  
>  	# IMA boot aggregate
> -	ima_measurements=$SECURITYFS/ima/ascii_runtime_measurements
>  	read line < $ima_measurements
>  	ima_aggr=$(expr substr "${line}" 49 40)
>  
> -	# verify TPM is available and enabled.
> -	tpm_bios=$SECURITYFS/tpm0/binary_bios_measurements
>  	if [ ! -f "$tpm_bios" ]; then
> -		tst_brkm TCONF "TPM not builtin kernel, or TPM not enabled"
> +		tst_brk TCONF "TPM not builtin kernel, or TPM not enabled"
>  
>  		if [ "${ima_aggr}" = "${zero}" ]; then
> -			tst_resm TPASS "bios boot aggregate is 0."
> +			tst_res TPASS "bios boot aggregate is 0"
>  		else
> -			tst_resm TFAIL "bios boot aggregate is not 0."
> +			tst_res TFAIL "bios boot aggregate is not 0"
>  		fi
>  	else
>  		boot_aggregate=$(ima_boot_aggregate $tpm_bios)
>  		boot_aggr=$(expr substr $boot_aggregate 16 40)
>  		if [ "x${ima_aggr}" = "x${boot_aggr}" ]; then
> -			tst_resm TPASS "bios aggregate matches IMA boot aggregate."
> +			tst_res TPASS "bios aggregate matches IMA boot aggregate"
>  		else
> -			tst_resm TFAIL "bios aggregate does not match IMA boot aggregate."
> +			tst_res TFAIL "bios aggregate does not match IMA boot aggregate"
>  		fi
>  	fi
>  }
> @@ -74,64 +65,54 @@ test01()
>  # the PCR values from /sys/devices.
>  validate_pcr()
>  {
> -	ima_measurements=$SECURITYFS/ima/binary_runtime_measurements
> -	aggregate_pcr=$(ima_measure $ima_measurements --validate)
> -	dev_pcrs=$1
> -	RC=0
> +	tst_res TINFO "verify PCR (Process Control Register)"
>  
> -	while read line ; do
> +	local ima_measurements="$BINARY_MEASUREMENTS"
> +	local aggregate_pcr="$(ima_measure $ima_measurements --validate)"
> +	local dev_pcrs="$1"
> +	local ret=0
> +
> +	while read line; do
>  		pcr=$(expr substr "${line}" 1 6)
>  		if [ "${pcr}" = "PCR-10" ]; then
>  			aggr=$(expr substr "${aggregate_pcr}" 26 59)
>  			pcr=$(expr substr "${line}" 9 59)
> -			[ "${pcr}" = "${aggr}" ] || RC=$?
> +			[ "${pcr}" = "${aggr}" ] || ret=$?
>  		fi
>  	done < $dev_pcrs
> -	return $RC
> +	return $ret
>  }
>  
> -# Function:     test02
> -# Description	- Verify ima calculated aggregate PCR values matches
> -#		  actual PCR value.
> -test02()
> +test2()
>  {
> +	tst_res TINFO "verify PCR values"
>  
> -	# Would be nice to know where the PCRs are located.  Is this safe?
> -	PCRS_PATH=$(find /$SYSFS/devices/ | grep pcrs)
> +	# Would be nice to know where the PCRs are located. Is this safe?
> +	local pcrs_path="$(find $SYSFS/devices/ | grep pcrs)"
>  	if [ $? -eq 0 ]; then
> -		validate_pcr $PCRS_PATH
> +		validate_pcr $pcrs_path
>  		if [ $? -eq 0 ]; then
> -			tst_resm TPASS "aggregate PCR value matches real PCR value."
> +			tst_res TPASS "aggregate PCR value matches real PCR value"
>  		else
> -			tst_resm TFAIL "aggregate PCR value does not match real PCR value."
> +			tst_res TFAIL "aggregate PCR value does not match real PCR value"
>  		fi
>  	else
> -		tst_resm TFAIL "TPM not enabled, no PCR value to validate"
> +		tst_res TFAIL "TPM not enabled, no PCR value to validate"
>  	fi
>  }
>  
> -# Function:     test03
> -# Description 	- Verify template hash value for IMA entry is correct.
> -test03()
> +test3()
>  {
> +	tst_res TINFO "verify template hash value"
>  
> -	ima_measurements=$SECURITYFS/ima/binary_runtime_measurements
> -	aggregate_pcr=$(ima_measure $ima_measurements --verify --validate) > /dev/null
> +	local ima_measurements="$BINARY_MEASUREMENTS"
> +	ima_measure $ima_measurements --verify --validate
>  	if [ $? -eq 0 ]; then
> -		tst_resm TPASS "verified IMA template hash values."
> +		tst_res TPASS "verified IMA template hash values"
>  	else
> -		tst_resm TFAIL "error verifing IMA template hash values."
> +		tst_res TFAIL "error verifing IMA template hash values"
>  	fi
>  }
>  
> -. ima_setup.sh
> -
> -setup
> -TST_CLEANUP=cleanup
> -
>  init

Here as well.

> -test01
> -test02
> -test03
> -
> -tst_exit
> +tst_run
> diff --git a/testcases/kernel/security/integrity/ima/tests/ima_violations.sh b/testcases/kernel/security/integrity/ima/tests/ima_violations.sh
> index 1b86b5f1a..80a01a546 100755
> --- a/testcases/kernel/security/integrity/ima/tests/ima_violations.sh
> +++ b/testcases/kernel/security/integrity/ima/tests/ima_violations.sh
> @@ -1,44 +1,45 @@
>  #!/bin/sh
> -################################################################################
> -##                                                                            ##
> -## Copyright (C) 2009 IBM Corporation                                         ##
> -##                                                                            ##
> -## This program is free software;  you can redistribute it and#or modify      ##
> -## it under the terms of the GNU General Public License as published by       ##
> -## the Free Software Foundation; either version 2 of the License, or          ##
> -## (at your option) any later version.                                        ##
> -##                                                                            ##
> -## This program is distributed in the hope that it will be useful, but        ##
> -## WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY ##
> -## or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License   ##
> -## for more details.                                                          ##
> -##                                                                            ##
> -## You should have received a copy of the GNU General Public License          ##
> -## along with this program;  if not, write to the Free Software               ##
> -## Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA    ##
> -##                                                                            ##
> -################################################################################
> +# Copyright (c) 2009 IBM Corporation
> +# Copyright (c) 2018 Petr Vorel <pvorel@xxxxxxx>
>  #
> -# File :        ima_violations.sh
> +# This program is free software; you can redistribute it and/or
> +# modify it under the terms of the GNU General Public License as
> +# published by the Free Software Foundation; either version 2 of
> +# the License, or (at your option) any later version.
>  #
> -# Description:  This file tests ToMToU and open_writer violations invalidate
> -#		the PCR and are logged.
> +# This program is distributed in the hope that it would be useful,
> +# but WITHOUT ANY WARRANTY; without even the implied warranty of
> +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
> +# GNU General Public License for more details.
>  #
> -# Author:       Mimi Zohar, zohar@xxxxxxxxxxxxxxxx
> +# You should have received a copy of the GNU General Public License
> +# along with this program. If not, see <http://www.gnu.org/licenses/>.
>  #
> -# Return        - zero on success
> -#               - non zero on failure. return value from commands ($RC)
> -################################################################################
> +# Author: Mimi Zohar, zohar@xxxxxxxxxxxxxxxx
> +#
> +# Test whether ToMToU and open_writer violations invalidatethe PCR and are logged.
>  
> -export TST_TOTAL=3
> -export TCID="ima_violations"
> +TST_TESTFUNC="test"
> +TST_CNT=3
> +. ima_setup.sh
>  
> -open_file_read()
> +FILE="test.txt"
> +IMA_VIOLATIONS="$SECURITYFS/ima/violations"
> +
> +init()
>  {
> -	exec 3< $1
> -	if [ $? -ne 0 ]; then
> -		exit 1
> +	LOG="/var/log/messages"
> +	SLEEP="500ms"
> +	if service auditd status > /dev/null 2>&1; then

Here we depend on service being installed, which unfortunately is not
the case for all currently supported distributions. Have a look at
testcases/lib/daemonlib.sh and status_daemon() function there.

> +		LOG="/var/log/audit/audit.log"
> +		tst_res TINFO "requires integrity auditd patch"
>  	fi
> +	tst_res TINFO "using log $LOG"
> +}
> +
> +open_file_read()
> +{
> +	exec 3< $FILE || exit 1
>  }
>  
>  close_file_read()
> @@ -48,11 +49,8 @@ close_file_read()
>  
>  open_file_write()
>  {
> -	exec 4> $1
> -	if [ $? -ne 0 ]; then
> -		exit 1
> -	echo 'testing, testing, ' >&4
> -	fi
> +	exec 4> $FILE || exit 1
> +	echo 'test writing' >&4
>  }
>  
>  close_file_write()
> @@ -60,103 +58,89 @@ close_file_write()
>  	exec 4>&-
>  }
>  
> -init()
> +get_count()
>  {
> -	service auditd status > /dev/null 2>&1
> -	if [ $? -ne 0 ]; then
> -		log=/var/log/messages
> -	else
> -		log=/var/log/audit/audit.log
> -		tst_resm TINFO "requires integrity auditd patch"
> -	fi
> -
> -	ima_violations=$SECURITYFS/ima/violations
> +	local search="$1"
> +	echo $(grep -c "${search}.*${FILE}" $LOG)
>  }
>  
> -# Function:     test01
> -# Description	- Verify open writers violation
> -test01()
> +validate()
>  {
> -	read num_violations < $ima_violations
> -
> -	TMPFN=test.txt
> -	open_file_write $TMPFN
> -	open_file_read $TMPFN
> -	close_file_read
> -	close_file_write
> -	read num_violations_new < $ima_violations
> -	num=$(($(expr $num_violations_new - $num_violations)))
> -	if [ $num -gt 0 ]; then
> -		tail $log | grep test.txt | grep -q 'open_writers'
> -		if [ $? -eq 0 ]; then
> -			tst_resm TPASS "open_writers violation added(test.txt)"
> +	local num_violations="$1"
> +	local count="$2"
> +	local search="$3"
> +	local count2="$(get_count $search)"
> +	local num_violations_new
> +
> +	[ -n "$SLEEP" ] && tst_sleep $SLEEP
> +
> +	read num_violations_new < $IMA_VIOLATIONS
> +	if [ $(($num_violations_new - $num_violations)) -gt 0 ]; then
> +		if [ $count2 -gt $count ]; then
> +			tst_res TPASS "$search violation added"
>  		else
> -			tst_resm TFAIL "(message ratelimiting?)"
> +			tst_res TFAIL "$search not found in $LOG"
>  		fi
>  	else
> -		tst_resm TFAIL "open_writers violation not added(test.txt)"
> +		tst_res TFAIL "$search violation not added"
>  	fi
>  }
>  
> -# Function:     test02
> -# Description   - Verify ToMToU violation
> -test02()
> +test1()
>  {
> -	read num_violations < $ima_violations
> +	tst_res TINFO "verify open writers violation"
>  
> -	TMPFN=test.txt
> -	open_file_read $TMPFN
> -	open_file_write $TMPFN
> -	close_file_write
> +	local search="open_writers"
> +	local count num_violations
> +
> +	read num_violations < $IMA_VIOLATIONS
> +	count="$(get_count $search)"
> +
> +	open_file_write
> +	open_file_read
>  	close_file_read
> -	read num_violations_new < $ima_violations
> -	num=$(($(expr $num_violations_new - $num_violations)))
> -	if [ $num -gt 0 ]; then
> -		tail $log | grep test.txt | grep -q 'ToMToU'
> -		if [ $? -eq 0 ]; then
> -			tst_resm TPASS "ToMToU violation added(test.txt)"
> -		else
> -			tst_resm TFAIL "(message ratelimiting?)"
> -		fi
> -	else
> -		tst_resm TFAIL "ToMToU violation not added(test.txt)"
> -	fi
> +	close_file_write
> +
> +	validate $num_violations $count $search
>  }
>  
> -# Function:     test03
> -# Description 	- verify open_writers using mmapped files
> -test03()
> +test2()
>  {
> -	read num_violations < $ima_violations
> -
> -	TMPFN=test.txtb
> -	echo 'testing testing ' > $TMPFN
> -	ima_mmap $TMPFN & p1=$!
> -	sleep 1		# got to wait for ima_mmap to mmap the file
> -	open_file_read $TMPFN
> -	read num_violations_new < $ima_violations
> -	num=$(($(expr $num_violations_new - $num_violations)))
> -	if [ $num -gt 0 ]; then
> -		tail $log | grep test.txtb | grep -q 'open_writers'
> -		if [ $? -eq 0 ]; then
> -			tst_resm TPASS "mmapped open_writers violation added(test.txtb)"
> -		else
> -			tst_resm TFAIL "(message ratelimiting?)"
> -		fi
> -	else
> -		tst_resm TFAIL "mmapped open_writers violation not added(test.txtb)"
> -	fi
> +	tst_res TINFO "verify ToMToU violation"
> +
> +	local search="ToMToU"
> +	local count num_violations
> +
> +	read num_violations < $IMA_VIOLATIONS
> +	count="$(get_count $search)"
> +
> +	open_file_read
> +	open_file_write
> +	close_file_write
>  	close_file_read
> +
> +	validate $num_violations $count $search
>  }
>  
> -. ima_setup.sh
> +test3()
> +{
> +	tst_res TINFO "verify open_writers using mmapped files"
>  
> -setup
> -TST_CLEANUP=cleanup
> +	local search="open_writers"
> +	local count num_violations
>  
> -init
> -test01
> -test02
> -test03
> +	read num_violations < $IMA_VIOLATIONS
> +	count="$(get_count $search)"
> +
> +	echo 'testing testing ' > $FILE
> +	ima_mmap $FILE &
> +	sleep 1

What do we sleep here for?

> +	open_file_read
> +	close_file_read
> +
> +	validate $num_violations $count $search
> +}
> +
> +init
> +tst_run
> -- 
> 2.15.1
> 
> 
> -- 
> Mailing list info: https://lists.linux.it/listinfo/ltp

-- 
Cyril Hrubis
chrubis@xxxxxxx



[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux Kernel]     [Linux Kernel Hardening]     [Linux NFS]     [Linux NILFS]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux SCSI]

  Powered by Linux