From: David Jacobson <djacobs7@xxxxxxxxxxxxxx>
IMA supports file signatures by storing information in a security.ima extended file attribute. This test ensures that the attribute is preserved when a file is copied. This test requires root because only root can write "security." xattrs to files.
Signed-off-by: David Jacobson <djacobs7@xxxxxxxxxxxxxx>
Changelog:
* Clean ups suggested via mailing list
* getfattr used correctly
* more information about which file is created
* added xattr_preserve to test list
* shellcheck compliant
* move from functions to tests
* checkbashisms complaint
* remove begin
* removed long opts
* restructured using functions
---
 evmtest/README | 1 +
 evmtest/evmtest | 1 +
 evmtest/tests/xattr_preserve.sh | 81 +++++++++++++++++++++++++++++++++
 3 files changed, 83 insertions(+)
 create mode 100755 evmtest/tests/xattr_preserve.sh
diff --git a/evmtest/README b/evmtest/README
index b2d37e2..4dddbc0 100644
--- a/evmtest/README
+++ b/evmtest/README
@@ -42,6 +42,7 @@ TEST NAMES
 policy_sig - verify loading IMA policies
 kexec_sig - test IMA-appraise on kexec image loading
 kmod_sig - test IMA-appraise on kernel module loading
+ xattr_preserve - test metadata preservation on file move
 Introduction
diff --git a/evmtest/evmtest b/evmtest/evmtest
index 3c967f9..18cb98d 100755
--- a/evmtest/evmtest
+++ b/evmtest/evmtest
@@ -32,6 +32,7 @@ usage (){
 echo "[R] kexec_sig"
 echo "[R] kmod_sig"
 echo "[R] policy_sig"
+ echo "[R] xattr_preserve"
 echo ""
 echo "Note: Tests may be run directly from the \"tests\" directory"
diff --git a/evmtest/tests/xattr_preserve.sh b/evmtest/tests/xattr_preserve.sh
new file mode 100755
index 0000000..61f6ded
--- /dev/null
+++ b/evmtest/tests/xattr_preserve.sh
@@ -0,0 +1,81 @@
+#!/bin/bash
+# Author: David Jacobson <davidj@xxxxxxxxxxxxx>
+TEST="xattr_preserve"
+ROOT="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null && pwd )/.."
+source "$ROOT"/files/common.sh
+
+VERBOSE=0
+# This test ensures that extended file attributes are preserved when a file is
+# moved with the correct flag
+
+usage (){
+ echo ""
+ echo "xattr_preserve [-hv]"
+ echo ""
+ echo "This test requires root privileges to write security xattrs"
+ echo ""
+ echo " This test ensures that extended file attributes (specifically"
+ echo " security.ima labels) are preserved when copying"
+ echo "Options"
+ echo " -h Display this help message"
+ echo " -v Verbose logging"
+}
+
+parse_args () {
+ TEMP=$(getopt -o 'hv' -n 'xattr_preserve' -- "$@")
+ eval set -- "$TEMP"
+
+ while true ; do
+ case "$1" in
+ -h) usage; exit; shift;;
+ -v) VERBOSE=1; shift;;
+ --) shift; break;;
+ *) echo "[*] Unrecognized option $1"; exit 1;;
+ esac
+ done
+}
+
+check_xattr_preserve () {
+ LOCATION_1=$(mktemp)
+ LOCATION_2=$(mktemp -u) # Doesn't create the file
+
+ v_out "Creating and labeling file $LOCATION_1..."
+
+ evmctl ima_hash "$LOCATION_1"
+
+ initial_ima_label=$(getfattr --absolute-names -n security.ima \
+ "$LOCATION_1")
+ initial_hash=$(echo "$initial_ima_label" | awk -F '=' '{print $2}')
+ if printf '%s' "$initial_ima_label" | grep -E -q "security.ima"; then
+ v_out "Found hash on initial file... "
+ else
+ fail "Hash not found on initial file"
+ fi
+
+ initial_hash=$(echo "$initial_ima_label" | awk -F '=' '{print $2}')
+
+ v_out "Copying file to $LOCATION_2..."
+ cp --preserve=xattr "$LOCATION_1" "$LOCATION_2"
+ v_out "Checking if extended attribute has been preserved..."
+
+
+ second_ima_label=$(getfattr --absolute-names -n security.ima \
+ "$LOCATION_2")
+ second_hash=$(echo "$second_ima_label" | awk -F '=' '{print $2}')
+ if [ "$initial_hash" != "$second_hash" ]; then
+ fail "security.ima xattr was not preserved!"
+ else
+ v_out "Extended attribute was preserved during copy"
+ fi
+}
+
+cleanup () {
+ v_out "Cleaning up..."
+ rm "$LOCATION_1" "$LOCATION_2"
+}
+
+EVMTEST_require_root
+echo "[*] Starting test: $TEST"
+check_xattr_preserve
+cleanup
+passed
--
2.20.1
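Review bot: `parse_args` is defined but never invoked by the top-level code at the end of the new file, so `-v` and `-h` are dead and `VERBOSE` stays 0; add `parse_args "$@"` before the test runs. Temp files also leak whenever the test fails, because `cleanup` is only reached on the success path (assuming `fail` from common.sh exits, as its use here suggests); registering it with `trap cleanup EXIT` and making the removal tolerant of a partial run fixes that. `LOCATION_2=$(mktemp -u)` hands a not-yet-created path in the shared temp directory to `cp` running as root, which is exactly the race mktemp's own help marks `-u` as unsafe for; copying into a private `mktemp -d` directory avoids it, and checking `cp`'s status keeps a failed copy from being reported as a lost xattr. The first `initial_hash=` assignment (before the grep check) duplicates the one after it and can be dropped.
```shell
check_xattr_preserve () {
  LOCATION_1=$(mktemp) || fail "mktemp failed"
  # Private directory instead of 'mktemp -u': the copy target is never a
  # predictable, not-yet-created path in a shared temp directory.
  TMP_DIR=$(mktemp -d) || fail "mktemp -d failed"
  LOCATION_2="$TMP_DIR/copy"
  # … unchanged: labeling, first getfattr and grep check …
  cp --preserve=xattr "$LOCATION_1" "$LOCATION_2" || fail "cp failed"
  # … unchanged: second getfattr and hash comparison …
}

cleanup () {
  v_out "Cleaning up..."
  # Tolerate a run that failed before the paths were set.
  [ -n "${LOCATION_1:-}" ] && rm -f -- "$LOCATION_1"
  [ -n "${TMP_DIR:-}" ] && rm -rf -- "$TMP_DIR"
}

parse_args "$@"
EVMTEST_require_root
trap cleanup EXIT
# … unchanged: echo, check_xattr_preserve, passed (explicit cleanup call no longer needed) …
```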