Hi! > +# Verify that measurements are added to the measurement list based on policy. > + > +TST_TESTFUNC="test" > +TST_CNT=3 > +. ima_setup.sh > + > +TEST_FILE="test.txt" > +HASH_COMMAND="sha1sum" > +POLICY="$IMA_DIR/policy" > > init() > { > - tst_check_cmds sha1sum > - > - # verify using default policy > - if [ ! -f "$IMA_DIR/policy" ]; then > - tst_resm TINFO "not using default policy" > - fi > + grep -q '^CONFIG_IMA_DEFAULT_HASH_SHA256=y' /boot/config-$(uname -r) && \ > + HASH_COMMAND="sha256sum" Grepping /boot/config-$foo is really broken, isn't there some sysfs or ioctl interface where we can figure out this info? > + tst_res TINFO "detected IMA algoritm: ${HASH_COMMAND%sum}" > + tst_check_cmds $HASH_COMMAND > + [ -f "$POLICY" ] || tst_res TINFO "not using default policy" > } > > -# Function: test01 > -# Description - Verify reading a file causes a new measurement to > -# be added to the IMA measurement list. > -test01() > +ima_check() > { > - # Create file test.txt > - cat > test.txt <<-EOF > - $(date) - this is a test file > - EOF > - if [ $? -ne 0 ]; then > - tst_brkm TBROK "Unable to create test file" > - fi > - > - # Calculating the sha1sum of test.txt should add > - # the measurement to the measurement list. > - # (Assumes SHA1 IMA measurements.) > - hash=$(sha1sum "test.txt" | sed 's/ -//') > - > - # Check if the file is measured > - # (i.e. contained in the ascii measurement list.) > - cat /sys/kernel/security/ima/ascii_runtime_measurements > measurements > - sleep 1 > - $(grep $hash measurements > /dev/null) > - if [ $? -ne 0 ]; then > - tst_resm TFAIL "TPM ascii measurement list does not contain sha1sum" > - else > - tst_resm TPASS "TPM ascii measurement list contains sha1sum" > - fi > + EXPECT_PASS grep -q $($HASH_COMMAND $TEST_FILE) $ASCII_MEASUREMENTS > } > > -# Function: test02 > -# Description - Verify modifying, then reading, a file causes a new > -# measurement to be added to the IMA measurement list. 
> -test02() > +test1() > { > - # Modify test.txt > - echo $(date) - file modified >> test.txt > + tst_res TINFO "verify adding record to the IMA measurement list" > + ROD echo "$(date) this is a test file" \> $TEST_FILE > + ima_check > +} > > - # Calculating the sha1sum of test.txt should add > - # the new measurement to the measurement list > - hash=$(sha1sum test.txt | sed 's/ -//') > +test2() > +{ > + local device > > - # Check if the new measurement exists > - cat /sys/kernel/security/ima/ascii_runtime_measurements > measurements > - $(grep $hash measurements > /dev/null) > + tst_res TINFO "verify updating record in the IMA measurement list" > > - if [ $? -ne 0 ]; then > - tst_resm TFAIL "Modified file not measured" > - tst_resm TINFO "iversion not supported; or not mounted with iversion" > + device="$(df . | sed -e 1d | cut -f1 -d ' ')" > + if grep -q $device /proc/mounts; then > + if grep -q "${device}.*ext[2-4]" /proc/mounts; then > + grep -q "${device}.*ext[2-4].*i_version" /proc/mounts || \ > + tst_res TINFO "device '$device' is not mounted with iversion" > + fi > else > - tst_resm TPASS "Modified file measured" > + tst_res TWARN "could not find mount info for device '$device'" > fi > + > + ROD echo "$(date) modified file" \> $TEST_FILE > + ima_check > } > > -# Function: test03 > -# Description - Verify files are measured based on policy > -# (Default policy does not measure user files.) > -test03() > +test3() > { > - # create file user-test.txt > - mkdir -m 0700 user > - chown nobody.nobody user > - cd user > - hash=0 > - > - # As user nobody, create and cat the new file > - # (The LTP tests assumes existence of 'nobody'.) > - sudo -n -u nobody sh -c "echo $(date) - create test.txt > ./test.txt; > - cat ./test.txt > /dev/null" > - > - # Calculating the hash will add the measurement to the measurement > - # list, so only calc the hash value after getting the measurement > - # list. 
> - cat /sys/kernel/security/ima/ascii_runtime_measurements > measurements > - hash=$(sha1sum test.txt | sed 's/ -//') > - cd - >/dev/null > - > - # Check if the file is measured > - grep $hash measurements > /dev/null > - if [ $? -ne 0 ]; then > - tst_resm TPASS "user file test.txt not measured" > - else > - tst_resm TFAIL "user file test.txt measured" > - fi > -} > + local dir="user" > + local user="nobody" > > -. ima_setup.sh > + tst_res TINFO "verify measuring user files" > > -setup > -TST_CLEANUP=cleanup > + id $user >/dev/null 2>/dev/null || tst_brk TCONF "missing system user $user (wrong installation)" > + tst_check_cmds sudo > > -init > -test01 > -test02 > -test03 > + mkdir -m 0700 $dir > + chown $user $dir > + cd $dir > + > + sudo -n -u $user sh -c "echo $(date) user file > $TEST_FILE; > + cat $TEST_FILE > /dev/null" > > -tst_exit > + ima_check > + cd .. > +} > + > +init ^ Any reason we don't pass this as TST_SETUP ? > +tst_run > diff --git a/testcases/kernel/security/integrity/ima/tests/ima_policy.sh b/testcases/kernel/security/integrity/ima/tests/ima_policy.sh > index ad5900975..162d323a1 100755 > --- a/testcases/kernel/security/integrity/ima/tests/ima_policy.sh > +++ b/testcases/kernel/security/integrity/ima/tests/ima_policy.sh 
> @@ -1,127 +1,114 @@ > #!/bin/sh > -################################################################################ > -## ## > -## Copyright (C) 2009 IBM Corporation ## > -## ## > -## This program is free software; you can redistribute it and#or modify ## > -## it under the terms of the GNU General Public License as published by ## > -## the Free Software Foundation; either version 2 of the License, or ## > -## (at your option) any later version. ## > -## ## > -## This program is distributed in the hope that it will be useful, but ## > -## WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY ## > -## or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ## > -## for more details. ## > -## ## > -## You should have received a copy of the GNU General Public License ## > -## along with this program; if not, write to the Free Software ## > -## Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA ## > -## ## > -################################################################################ > +# Copyright (c) 2009 IBM Corporation > +# Copyright (c) 2018 Petr Vorel <pvorel@xxxxxxx> > # > -# File : ima_policy.sh > +# This program is free software; you can redistribute it and/or > +# modify it under the terms of the GNU General Public License as > +# published by the Free Software Foundation; either version 2 of > +# the License, or (at your option) any later version. > # > -# Description: This file tests replacing the default integrity measurement > -# policy. > +# This program is distributed in the hope that it would be useful, > +# but WITHOUT ANY WARRANTY; without even the implied warranty of > +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the > +# GNU General Public License for more details. 
> # > -# Author: Mimi Zohar, zohar@xxxxxxxxxxxxxxxx > -################################################################################ > -export TST_TOTAL=3 > -export TCID="ima_policy" > +# You should have received a copy of the GNU General Public License > +# along with this program. If not, see <http://www.gnu.org/licenses/>. > +# > +# Author: Mimi Zohar, zohar@xxxxxxxxxxxxxxxx > +# > +# Test replacing the default integrity measurement policy. > + > +TST_TESTFUNC="test" > +TST_CNT=3 > +. ima_setup.sh > > init() > { > - # verify using default policy > - IMA_POLICY=$IMA_DIR/policy > - if [ ! -f $IMA_POLICY ]; then > - tst_resm TINFO "default policy already replaced" > - fi > + IMA_POLICY="$IMA_DIR/policy" > + [ -f $IMA_POLICY ] || \ > + tst_brk TCONF "IMA policy already loaded and kernel not configured to enable multiple writes it" > > - VALID_POLICY=$LTPROOT/testcases/data/ima_policy/measure.policy > - if [ ! -f $VALID_POLICY ]; then > - tst_resm TINFO "missing $VALID_POLICY" > - fi > + VALID_POLICY="$LTPROOT/testcases/data/ima_policy/measure.policy" ^ $TST_DATAROOT > + [ -f $VALID_POLICY ] || tst_brk TCONF "missing $VALID_POLICY" > > - INVALID_POLICY=$LTPROOT/testcases/data/ima_policy/measure.policy-invalid > - if [ ! -f $INVALID_POLICY ]; then > - tst_resm TINFO "missing $INVALID_POLICY" > - fi > + INVALID_POLICY="$LTPROOT/testcases/data/ima_policy/measure.policy-invalid" > + [ -f $INVALID_POLICY ] || tst_brk TCONF "missing $INVALID_POLICY" > } > > load_policy() > { > + local ret > + > exec 2>/dev/null 4>$IMA_POLICY > - if [ $? -ne 0 ]; then > - exit 1 > - fi > + [ $? -eq 0 ] || exit 1 > > cat $1 | > - while read line ; do > - { > - if [ "${line#\#}" = "${line}" ] ; then > - echo $line >&4 2> /dev/null > + while read line; do > + if [ "${line#\#}" = "${line}" ]; then > + echo "$line" >&4 2> /dev/null > if [ $? -ne 0 ]; then > exec 4>&- > return 1 > fi > fi > - } > done > -} > + ret=$? 
> > + [ $ret -eq 0 ] && \ > + tst_res TINFO "IMA policy updated, please reboot after testing to restore settings" > > -# Function: test01 > -# Description - Verify invalid policy doesn't replace default policy. > -test01() > + return $ret > +} > + > +test1() > { > + tst_res TINFO "verify that invalid policy doesn't replace default policy" > + > + local p1 > + > load_policy $INVALID_POLICY & p1=$! > wait "$p1" > if [ $? -ne 0 ]; then > - tst_resm TPASS "didn't load invalid policy" > + tst_res TPASS "didn't load invalid policy" > else > - tst_resm TFAIL "loaded invalid policy" > + tst_res TFAIL "loaded invalid policy" > fi > } > > -# Function: test02 > -# Description - Verify policy file is opened sequentially, not concurrently > -# and install new policy > -test02() > +test2() > { > + tst_res TINFO "verify that policy file is opened sequentially and installs new policy" > + > + local p1 p2 rc1 rc2 > + > load_policy $VALID_POLICY & p1=$! # forked process 1 > load_policy $VALID_POLICY & p2=$! # forked process 2 > - wait "$p1"; RC1=$? > - wait "$p2"; RC2=$? > - if [ $RC1 -eq 0 ] && [ $RC2 -eq 0 ]; then > - tst_resm TFAIL "measurement policy opened concurrently" > - elif [ $RC1 -eq 0 ] || [ $RC2 -eq 0 ]; then > - tst_resm TPASS "replaced default measurement policy" > + wait "$p1"; rc1=$? > + wait "$p2"; rc2=$? > + if [ $rc1 -eq 0 ] && [ $rc2 -eq 0 ]; then > + tst_res TFAIL "measurement policy opened concurrently" > + elif [ $rc1 -eq 0 ] || [ $rc2 -eq 0 ]; then > + tst_res TPASS "replaced default measurement policy" > else > - tst_resm TFAIL "problems opening measurement policy" > + tst_res TFAIL "problems opening measurement policy" > fi > } > > -# Function: test03 > -# Description - Verify can't load another measurement policy. > -test03() > +test3() > { > + tst_res TINFO "verify that valid policy isn't replaced" > + > + local p1 > + > load_policy $INVALID_POLICY & p1=$! > wait "$p1" > if [ $? 
-ne 0 ]; then > - tst_resm TPASS "didn't replace valid policy" > + tst_res TPASS "didn't replace valid policy" > else > - tst_resm TFAIL "replaced valid policy" > + tst_res TFAIL "replaced valid policy" > fi > } > > -. ima_setup.sh > - > -setup > -TST_CLEANUP=cleanup > - > init > -test01 > -test02 > -test03 > - > -tst_exit > +tst_run > diff --git a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh > old mode 100755 > new mode 100644 > index 0ff38d23b..7e19e3959 > --- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh > +++ b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh 
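Review bot: In load_policy the `return 1` and `exec 4>&-` taken on a rejected line run inside the `cat $1 | while …` pipeline subshell, so they end only that subshell: the parent shell keeps fd 4 open on $IMA_POLICY on that path, and the success path never closes it at all, so release of the policy file is left to the background shell's exit. Close it explicitly in the parent once the loop status is captured, `ret=$?` followed by `exec 4>&-`, and read rules with `while read -r line` so a backslash in a policy line is passed through unchanged. The TCONF text in init also reads oddly; `tst_brk TCONF "IMA policy already loaded and kernel not configured to allow multiple writes"` would be clearer.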
> @@ -1,86 +1,67 @@ > #!/bin/sh > -################################################################################ > -## ## > -## Copyright (C) 2009 IBM Corporation ## > -## ## > -## This program is free software; you can redistribute it and#or modify ## > -## it under the terms of the GNU General Public License as published by ## > -## the Free Software Foundation; either version 2 of the License, or ## > -## (at your option) any later version. ## > -## ## > -## This program is distributed in the hope that it will be useful, but ## > -## WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY ## > -## or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ## > -## for more details. ## > -## ## > -## You should have received a copy of the GNU General Public License ## > -## along with this program; if not, write to the Free Software Foundation, ## > -## Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA ## > -## ## > -################################################################################ > +# Copyright (c) 2009 IBM Corporation > +# Copyright (c) 2018 Petr Vorel <pvorel@xxxxxxx> > # > -# File : ima_setup.sh > +# This program is free software; you can redistribute it and/or > +# modify it under the terms of the GNU General Public License as > +# published by the Free Software Foundation; either version 2 of > +# the License, or (at your option) any later version. > # > -# Description: setup/cleanup routines for the integrity tests. > +# This program is distributed in the hope that it would be useful, > +# but WITHOUT ANY WARRANTY; without even the implied warranty of > +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the > +# GNU General Public License for more details. > # > -# Author: Mimi Zohar, zohar@xxxxxxxxxxxxxxxx > -################################################################################ > -. 
test.sh > -mount_sysfs() > -{ > - SYSFS=$(mount 2>/dev/null | awk '$5 == "sysfs" { print $3 }') > - if [ "x$SYSFS" = x ] ; then > +# You should have received a copy of the GNU General Public License > +# along with this program. If not, see <http://www.gnu.org/licenses/>. > +# > +# Author: Mimi Zohar, zohar@xxxxxxxxxxxxxxxx > > - SYSFS=/sys > +TST_CLEANUP="cleanup" > +TST_NEEDS_TMPDIR=1 > +TST_NEEDS_ROOT=1 > +. tst_test.sh > > - test -d $SYSFS || mkdir -p $SYSFS 2>/dev/null > - if [ $? -ne 0 ] ; then > - tst_brkm TBROK "Failed to mkdir $SYSFS" > - fi > - if ! mount -t sysfs sysfs $SYSFS 2>/dev/null ; then > - tst_brkm TBROK "Failed to mount $SYSFS" > - fi > +export TCID="${TCID:-$(basename $0 | cut -d. -f1)}" > > - fi > -} > +UMOUNT= > > -mount_securityfs() > +mount_helper() > { > - SECURITYFS=$(mount 2>/dev/null | awk '$5 == "securityfs" { print $3 }') > - if [ "x$SECURITYFS" = x ] ; then > - > - SECURITYFS="$SYSFS/kernel/security" > + local type="$1" > + local default_dir="$2" > + local dir > > - test -d $SECURITYFS || mkdir -p $SECURITYFS 2>/dev/null > - if [ $? -ne 0 ] ; then > - tst_brkm TBROK "Failed to mkdir $SECURITYFS" > - fi > - if ! mount -t securityfs securityfs $SECURITYFS 2>/dev/null ; then > - tst_brkm TBROK "Failed to mount $SECURITYFS" > - fi > + dir="$(grep ^$type /proc/mounts | cut -d ' ' -f2 | head -1)" > + [ -n "$dir" ] && { echo "$dir"; return; } > > + if ! mkdir -p $default_dir; then > + tst_brk TBROK "Failed to create $default_dir" > + fi > + if ! mount -t $type $type $default_dir; then > + tst_brk TBROK "Failed to mount $type" > fi > + UMOUNT="$default_dir $UMOUNT" > + echo $default_dir > } > > setup() > { > - tst_require_root > + SYSFS="$(mount_helper sysfs /sys)" Do we really still need to mount /sys as far as I can tell it's mounted automatically for more than 10 years now. 
> + SECURITYFS="$(mount_helper securityfs $SYSFS/kernel/security)" > > - tst_tmpdir > - > - mount_sysfs > - > - # mount securityfs if it is not already mounted > - mount_securityfs > - > - # IMA must be configured in the kernel > - IMA_DIR=$SECURITYFS/ima > - if [ ! -d "$IMA_DIR" ]; then > - tst_brkm TCONF "IMA not enabled in kernel" > - fi > + IMA_DIR="$SECURITYFS/ima" > + [ -d "$IMA_DIR" ] || tst_brk TCONF "IMA not enabled in kernel" > + ASCII_MEASUREMENTS="$IMA_DIR/ascii_runtime_measurements" > + BINARY_MEASUREMENTS="$IMA_DIR/binary_runtime_measurements" > } > > cleanup() > { > - tst_rmdir > + local dir > + for dir in $UMOUNT; do > + umount $dir > + done > } > + > +setup > diff --git a/testcases/kernel/security/integrity/ima/tests/ima_tpm.sh b/testcases/kernel/security/integrity/ima/tests/ima_tpm.sh > index 333bf5f8a..a3d1739cd 100755 > --- a/testcases/kernel/security/integrity/ima/tests/ima_tpm.sh > +++ b/testcases/kernel/security/integrity/ima/tests/ima_tpm.sh 
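Review bot: mount_helper is invoked through command substitution (`SYSFS="$(mount_helper sysfs /sys)"`, and likewise for securityfs), so the `UMOUNT="$default_dir $UMOUNT"` assignment it makes happens in a subshell and is lost; cleanup() then loops over an empty list and never unmounts what setup mounted. A tst_brk raised inside that subshell presumably ends only the subshell as well, leaving the caller with an empty SYSFS/SECURITYFS. Returning the directory through a global instead of stdout fixes both; while there, `grep ^$type /proc/mounts` matches the source name in field 1, which is only conventionally equal to the filesystem type (an init script mounting `none` or `sys` on /sys would be missed and /sys mounted a second time), so match the type in field 3 as the old `awk '$5 == "sysfs"'` did.
```shell
mount_helper()
{
	local type="$1"
	local default_dir="$2"
	local dir

	# match the fs-type field, not the arbitrary source name in field 1
	dir="$(awk -v t="$type" '$3 == t { print $2; exit }' /proc/mounts)"
	[ -n "$dir" ] && { MOUNT_HELPER_DIR="$dir"; return; }

	# … unchanged: mkdir -p / mount -t $type …
	UMOUNT="$default_dir $UMOUNT"
	MOUNT_HELPER_DIR="$default_dir"
}

setup()
{
	mount_helper sysfs /sys
	SYSFS="$MOUNT_HELPER_DIR"
	mount_helper securityfs "$SYSFS/kernel/security"
	SECURITYFS="$MOUNT_HELPER_DIR"
	# … unchanged: IMA_DIR / ASCII_MEASUREMENTS / BINARY_MEASUREMENTS …
}
```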
> @@ -1,70 +1,61 @@ > #!/bin/sh > - > -################################################################################ > -## ## > -## Copyright (C) 2009 IBM Corporation ## > -## ## > -## This program is free software; you can redistribute it and#or modify ## > -## it under the terms of the GNU General Public License as published by ## > -## the Free Software Foundation; either version 2 of the License, or ## > -## (at your option) any later version. ## > -## ## > -## This program is distributed in the hope that it will be useful, but ## > -## WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY ## > -## or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ## > -## for more details. ## > -## ## > -## You should have received a copy of the GNU General Public License ## > -## along with this program; if not, write to the Free Software ## > -## Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA ## > -## ## > -################################################################################ > +# Copyright (c) 2009 IBM Corporation > +# Copyright (c) 2018 Petr Vorel <pvorel@xxxxxxx> > +# > +# This program is free software; you can redistribute it and/or > +# modify it under the terms of the GNU General Public License as > +# published by the Free Software Foundation; either version 2 of > +# the License, or (at your option) any later version. > # > -# File : ima_tpm.sh > +# This program is distributed in the hope that it would be useful, > +# but WITHOUT ANY WARRANTY; without even the implied warranty of > +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the > +# GNU General Public License for more details. > # > -# Description: This file verifies the boot and PCR aggregates > +# You should have received a copy of the GNU General Public License > +# along with this program. If not, see <http://www.gnu.org/licenses/>. 
> # > -# Author: Mimi Zohar, zohar@xxxxxxxxxxxxxxxx > +# Author: Mimi Zohar, zohar@xxxxxxxxxxxxxxxx > # > -# Return - zero on success > -# - non zero on failure. return value from commands ($RC) > -################################################################################ > -export TST_TOTAL=3 > -export TCID="ima_tpm" > +# Verify the boot and PCR aggregates. > + > +TST_TESTFUNC="test" > +TST_CNT=3 > +. ima_setup.sh > > init() > { > tst_check_cmds ima_boot_aggregate ima_measure > } > > -# Function: test01 > -# Description - Verify boot aggregate value is correct > -test01() > +test1() > { > - zero="0000000000000000000000000000000000000000" > + tst_res TINFO "verify boot aggregate" > + > + local zero="0000000000000000000000000000000000000000" > + local tpm_bios="$SECURITYFS/tpm0/binary_bios_measurements" > + local ima_measurements="$ASCII_MEASUREMENTS" > + local ima_aggr line > > # IMA boot aggregate > - ima_measurements=$SECURITYFS/ima/ascii_runtime_measurements > read line < $ima_measurements > ima_aggr=$(expr substr "${line}" 49 40) > > - # verify TPM is available and enabled. > - tpm_bios=$SECURITYFS/tpm0/binary_bios_measurements > if [ ! -f "$tpm_bios" ]; then > - tst_brkm TCONF "TPM not builtin kernel, or TPM not enabled" > + tst_brk TCONF "TPM not builtin kernel, or TPM not enabled" > > if [ "${ima_aggr}" = "${zero}" ]; then > - tst_resm TPASS "bios boot aggregate is 0." > + tst_res TPASS "bios boot aggregate is 0" > else > - tst_resm TFAIL "bios boot aggregate is not 0." > + tst_res TFAIL "bios boot aggregate is not 0" > fi > else > boot_aggregate=$(ima_boot_aggregate $tpm_bios) > boot_aggr=$(expr substr $boot_aggregate 16 40) > if [ "x${ima_aggr}" = "x${boot_aggr}" ]; then > - tst_resm TPASS "bios aggregate matches IMA boot aggregate." > + tst_res TPASS "bios aggregate matches IMA boot aggregate" > else > - tst_resm TFAIL "bios aggregate does not match IMA boot aggregate." 
> + tst_res TFAIL "bios aggregate does not match IMA boot aggregate" > fi > fi > } 
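Review bot: test1 now declares `zero`, `tpm_bios`, `ima_measurements`, `ima_aggr` and `line` local, but `boot_aggregate` and `boot_aggr` in the else branch still leak as globals; add them to the `local ima_aggr line` line. The 40-character `zero` and `expr substr "${line}" 49 40` also hard-code a 40-hex (sha1, `ima` template) layout for the first measurement line, so on a kernel measuring with a longer digest or a different template the comparison presumably fails even when the aggregate is correct; a comment such as `# assumes 'ima' template with a 40-hex (sha1) aggregate starting at column 49` or a TCONF when the extracted field is not 40 characters would make that assumption explicit.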
> @@ -74,64 +65,54 @@ test01() > # the PCR values from /sys/devices. > validate_pcr() > { > - ima_measurements=$SECURITYFS/ima/binary_runtime_measurements > - aggregate_pcr=$(ima_measure $ima_measurements --validate) > - dev_pcrs=$1 > - RC=0 > + tst_res TINFO "verify PCR (Process Control Register)" > > - while read line ; do > + local ima_measurements="$BINARY_MEASUREMENTS" > + local aggregate_pcr="$(ima_measure $ima_measurements --validate)" > + local dev_pcrs="$1" > + local ret=0 > + > + while read line; do > pcr=$(expr substr "${line}" 1 6) > if [ "${pcr}" = "PCR-10" ]; then > aggr=$(expr substr "${aggregate_pcr}" 26 59) > pcr=$(expr substr "${line}" 9 59) > - [ "${pcr}" = "${aggr}" ] || RC=$? > + [ "${pcr}" = "${aggr}" ] || ret=$? > fi > done < $dev_pcrs > - return $RC > + return $ret > } > > -# Function: test02 > -# Description - Verify ima calculated aggregate PCR values matches > -# actual PCR value. > -test02() > +test2() > { > + tst_res TINFO "verify PCR values" > > - # Would be nice to know where the PCRs are located. Is this safe? > - PCRS_PATH=$(find /$SYSFS/devices/ | grep pcrs) > + # Would be nice to know where the PCRs are located. Is this safe? > + local pcrs_path="$(find $SYSFS/devices/ | grep pcrs)" > if [ $? -eq 0 ]; then > - validate_pcr $PCRS_PATH > + validate_pcr $pcrs_path > if [ $? -eq 0 ]; then > - tst_resm TPASS "aggregate PCR value matches real PCR value." > + tst_res TPASS "aggregate PCR value matches real PCR value" > else > - tst_resm TFAIL "aggregate PCR value does not match real PCR value." > + tst_res TFAIL "aggregate PCR value does not match real PCR value" > fi > else > - tst_resm TFAIL "TPM not enabled, no PCR value to validate" > + tst_res TFAIL "TPM not enabled, no PCR value to validate" > fi > } > > -# Function: test03 > -# Description - Verify template hash value for IMA entry is correct. 
> -test03() > +test3() > { > + tst_res TINFO "verify template hash value" > > - ima_measurements=$SECURITYFS/ima/binary_runtime_measurements > - aggregate_pcr=$(ima_measure $ima_measurements --verify --validate) > /dev/null > + local ima_measurements="$BINARY_MEASUREMENTS" > + ima_measure $ima_measurements --verify --validate > if [ $? -eq 0 ]; then > - tst_resm TPASS "verified IMA template hash values." > + tst_res TPASS "verified IMA template hash values" > else > - tst_resm TFAIL "error verifing IMA template hash values." > + tst_res TFAIL "error verifing IMA template hash values" > fi > } > > -. ima_setup.sh > - > -setup > -TST_CLEANUP=cleanup > - > init Here as well. > -test01 > -test02 > -test03 > - > -tst_exit > +tst_run > diff --git a/testcases/kernel/security/integrity/ima/tests/ima_violations.sh b/testcases/kernel/security/integrity/ima/tests/ima_violations.sh > index 1b86b5f1a..80a01a546 100755 > --- a/testcases/kernel/security/integrity/ima/tests/ima_violations.sh > +++ b/testcases/kernel/security/integrity/ima/tests/ima_violations.sh 
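Review bot: In test2, `local pcrs_path="$(find $SYSFS/devices/ | grep pcrs)"` makes the following `if [ $? -eq 0 ]` test the status of `local`, not of grep, so the "TPM not enabled" branch becomes unreachable and validate_pcr is called with an empty path (the old `PCRS_PATH=$(…)` form kept grep's status). Split declaration and assignment, `local pcrs_path` then `pcrs_path="$(find $SYSFS/devices/ | grep pcrs)"`, and test the value, `if [ -n "$pcrs_path" ]; then`. The TINFO text in validate_pcr expands PCR as "Process Control Register"; a TPM PCR is a Platform Configuration Register.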
> @@ -1,44 +1,45 @@ > #!/bin/sh > -################################################################################ > -## ## > -## Copyright (C) 2009 IBM Corporation ## > -## ## > -## This program is free software; you can redistribute it and#or modify ## > -## it under the terms of the GNU General Public License as published by ## > -## the Free Software Foundation; either version 2 of the License, or ## > -## (at your option) any later version. ## > -## ## > -## This program is distributed in the hope that it will be useful, but ## > -## WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY ## > -## or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ## > -## for more details. ## > -## ## > -## You should have received a copy of the GNU General Public License ## > -## along with this program; if not, write to the Free Software ## > -## Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA ## > -## ## > -################################################################################ > +# Copyright (c) 2009 IBM Corporation > +# Copyright (c) 2018 Petr Vorel <pvorel@xxxxxxx> > # > -# File : ima_violations.sh > +# This program is free software; you can redistribute it and/or > +# modify it under the terms of the GNU General Public License as > +# published by the Free Software Foundation; either version 2 of > +# the License, or (at your option) any later version. > # > -# Description: This file tests ToMToU and open_writer violations invalidate > -# the PCR and are logged. > +# This program is distributed in the hope that it would be useful, > +# but WITHOUT ANY WARRANTY; without even the implied warranty of > +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the > +# GNU General Public License for more details. > # > -# Author: Mimi Zohar, zohar@xxxxxxxxxxxxxxxx > +# You should have received a copy of the GNU General Public License > +# along with this program. 
If not, see <http://www.gnu.org/licenses/>. > # > -# Return - zero on success > -# - non zero on failure. return value from commands ($RC) > -################################################################################ > +# Author: Mimi Zohar, zohar@xxxxxxxxxxxxxxxx > +# > +# Test whether ToMToU and open_writer violations invalidatethe PCR and are logged. > > -export TST_TOTAL=3 > -export TCID="ima_violations" > +TST_TESTFUNC="test" > +TST_CNT=3 > +. ima_setup.sh > > -open_file_read() > +FILE="test.txt" > +IMA_VIOLATIONS="$SECURITYFS/ima/violations" > + > +init() > { > - exec 3< $1 > - if [ $? -ne 0 ]; then > - exit 1 > + LOG="/var/log/messages" > + SLEEP="500ms" > + if service auditd status > /dev/null 2>&1; then Here we depend on service being installed, which unfortunately is not the case for all currently supported distributions. Have a look at testcases/lib/daemonlib.sh and status_daemon() function there. > + LOG="/var/log/audit/audit.log" > + tst_res TINFO "requires integrity auditd patch" > fi > + tst_res TINFO "using log $LOG" > +} > + > +open_file_read() > +{ > + exec 3< $FILE || exit 1 > } > > close_file_read() > @@ -48,11 +49,8 @@ close_file_read() > > open_file_write() > { > - exec 4> $1 > - if [ $? -ne 0 ]; then > - exit 1 > - echo 'testing, testing, ' >&4 > - fi > + exec 4> $FILE || exit 1 > + echo 'test writing' >&4 > } > > close_file_write() 
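Review bot: init picks `LOG="/var/log/messages"` (or the audit log) and reports it, but never checks that the file exists; where it is absent, get_count's `grep -c` on a missing file prints nothing and the later `[ $count2 -gt $count ]` fails with a syntax error instead of a clean result. Add `[ -f "$LOG" ] || tst_brk TCONF "log file $LOG not found"` after the choice. `IMA_VIOLATIONS="$SECURITYFS/ima/violations"` could also be `"$IMA_DIR/violations"`, reusing the directory ima_setup.sh already validated.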
> @@ -60,103 +58,89 @@ close_file_write() > exec 4>&- > } > > -init() > +get_count() > { > - service auditd status > /dev/null 2>&1 > - if [ $? -ne 0 ]; then > - log=/var/log/messages > - else > - log=/var/log/audit/audit.log > - tst_resm TINFO "requires integrity auditd patch" > - fi > - > - ima_violations=$SECURITYFS/ima/violations > + local search="$1" > + echo $(grep -c "${search}.*${FILE}" $LOG) > } > > -# Function: test01 > -# Description - Verify open writers violation > -test01() > +validate() > { > - read num_violations < $ima_violations > - > - TMPFN=test.txt > - open_file_write $TMPFN > - open_file_read $TMPFN > - close_file_read > - close_file_write > - read num_violations_new < $ima_violations > - num=$(($(expr $num_violations_new - $num_violations))) > - if [ $num -gt 0 ]; then > - tail $log | grep test.txt | grep -q 'open_writers' > - if [ $? -eq 0 ]; then > - tst_resm TPASS "open_writers violation added(test.txt)" > + local num_violations="$1" > + local count="$2" > + local search="$3" > + local count2="$(get_count $search)" > + local num_violations_new > + > + [ -n "$SLEEP" ] && tst_sleep $SLEEP > + > + read num_violations_new < $IMA_VIOLATIONS > + if [ $(($num_violations_new - $num_violations)) -gt 0 ]; then > + if [ $count2 -gt $count ]; then > + tst_res TPASS "$search violation added" > else > - tst_resm TFAIL "(message ratelimiting?)" > + tst_res TFAIL "$search not found in $LOG" > fi > else > - tst_resm TFAIL "open_writers violation not added(test.txt)" > + tst_res TFAIL "$search violation not added" > fi > } > > -# Function: test02 > -# Description - Verify ToMToU violation > -test02() > +test1() > { > - read num_violations < $ima_violations > + tst_res TINFO "verify open writers violation" > > - TMPFN=test.txt > - open_file_read $TMPFN > - open_file_write $TMPFN > - close_file_write > + local search="open_writers" > + local count num_violations > + > + read num_violations < $IMA_VIOLATIONS > + count="$(get_count $search)" > + > + 
open_file_write > + open_file_read > close_file_read > - read num_violations_new < $ima_violations > - num=$(($(expr $num_violations_new - $num_violations))) > - if [ $num -gt 0 ]; then > - tail $log | grep test.txt | grep -q 'ToMToU' > - if [ $? -eq 0 ]; then > - tst_resm TPASS "ToMToU violation added(test.txt)" > - else > - tst_resm TFAIL "(message ratelimiting?)" > - fi > - else > - tst_resm TFAIL "ToMToU violation not added(test.txt)" > - fi > + close_file_write > + > + validate $num_violations $count $search > } > > -# Function: test03 > -# Description - verify open_writers using mmapped files > -test03() > +test2() > { > - read num_violations < $ima_violations > - > - TMPFN=test.txtb > - echo 'testing testing ' > $TMPFN > - ima_mmap $TMPFN & p1=$! > - sleep 1 # got to wait for ima_mmap to mmap the file > - open_file_read $TMPFN > - read num_violations_new < $ima_violations > - num=$(($(expr $num_violations_new - $num_violations))) > - if [ $num -gt 0 ]; then > - tail $log | grep test.txtb | grep -q 'open_writers' > - if [ $? -eq 0 ]; then > - tst_resm TPASS "mmapped open_writers violation added(test.txtb)" > - else > - tst_resm TFAIL "(message ratelimiting?)" > - fi > - else > - tst_resm TFAIL "mmapped open_writers violation not added(test.txtb)" > - fi > + tst_res TINFO "verify ToMToU violation" > + > + local search="ToMToU" > + local count num_violations > + > + read num_violations < $IMA_VIOLATIONS > + count="$(get_count $search)" > + > + open_file_read > + open_file_write > + close_file_write > close_file_read > + > + validate $num_violations $count $search > } > > -. 
ima_setup.sh > +test3() > +{ > + tst_res TINFO "verify open_writers using mmapped files" > > -setup > -TST_CLEANUP=cleanup > + local search="open_writers" > + local count num_violations > > -init > -test01 > -test02 > -test03 > + read num_violations < $IMA_VIOLATIONS > + count="$(get_count $search)" > + > + echo 'testing testing ' > $FILE > + ima_mmap $FILE & > + sleep 1 What do we sleep here for? > + open_file_read > + close_file_read > + > + validate $num_violations $count $search > +} > + > +init > +tst_run > -- > 2.15.1 > > > -- > Mailing list info: https://lists.linux.it/listinfo/ltp -- Cyril Hrubis chrubis@xxxxxxx
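Review bot: In validate, `count2` is computed by `local count2="$(get_count $search)"` before the `tst_sleep $SLEEP` that is meant to give the violation message time to reach $LOG, so the sleep only helps the violations-counter read and the log check can still race. Declare it with the other locals and assign it after the sleep: `local count2 num_violations_new` … `[ -n "$SLEEP" ] && tst_sleep $SLEEP` … `count2="$(get_count $search)"`. test3 also leaves `ima_mmap $FILE &` running with no pid captured or kill, so the mapping outlives the test.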