
[v6,3/3] IMA: Add tests for uid, gid, fowner, and fgroup options

Message ID 20210922115310.5927-4-pvorel@suse.cz (mailing list archive)
State New, archived
Series IMA: Add tests for uid, gid, fowner, and fgroup options

Commit Message

Petr Vorel Sept. 22, 2021, 11:53 a.m. UTC
From: Alex Henrie <alexh@vpitech.com>

Requires "ima: add gid support".

Reviewed-by: Petr Vorel <pvorel@suse.cz>
Signed-off-by: Alex Henrie <alexh@vpitech.com>
[ pvorel: add test_file parameter to ima_check(), add
verify_measurement() (DRY) ]
Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
 runtest/ima                                   |  1 +
 .../integrity/ima/tests/ima_conditionals.sh   | 62 +++++++++++++++++++
 2 files changed, 63 insertions(+)
 create mode 100755 testcases/kernel/security/integrity/ima/tests/ima_conditionals.sh

Comments

Alex Henrie Sept. 22, 2021, 5:06 p.m. UTC | #1
On Wed, 22 Sep 2021 13:53:10 +0200
Petr Vorel <pvorel@suse.cz> wrote:

> From: Alex Henrie <alexh@vpitech.com>
> 
> Requires "ima: add gid support".
> 
> Reviewed-by: Petr Vorel <pvorel@suse.cz>
> Signed-off-by: Alex Henrie <alexh@vpitech.com>
> [ pvorel: add test_file parameter to ima_check(), add
> verify_measurement() (DRY) ]
> Signed-off-by: Petr Vorel <pvorel@suse.cz>

Thanks Petr for taking over and making the changes you want directly,
that makes my life much easier.

-Alex
Petr Vorel Sept. 23, 2021, 9:14 a.m. UTC | #2
> On Wed, 22 Sep 2021 13:53:10 +0200
> Petr Vorel <pvorel@suse.cz> wrote:

> > From: Alex Henrie <alexh@vpitech.com>

> > Requires "ima: add gid support".

> > Reviewed-by: Petr Vorel <pvorel@suse.cz>
> > Signed-off-by: Alex Henrie <alexh@vpitech.com>
> > [ pvorel: add test_file parameter to ima_check(), add
> > verify_measurement() (DRY) ]
> > Signed-off-by: Petr Vorel <pvorel@suse.cz>

> Thanks Petr for taking over and making the changes you want directly,
> that makes my life much easier.
yw. FYI I'll merge v7 after it's merged into mainline, I expect it'll be in v5.16-rc1.
Could you please notify me if I forget?

I'll try to have a look into the kernel patch itself.

Kind regards,
Petr

> -Alex

Patch

diff --git a/runtest/ima b/runtest/ima
index 29caa034a..01942eefa 100644
--- a/runtest/ima
+++ b/runtest/ima
@@ -6,4 +6,5 @@  ima_violations ima_violations.sh
 ima_keys ima_keys.sh
 ima_kexec ima_kexec.sh
 ima_selinux ima_selinux.sh
+ima_conditionals ima_conditionals.sh
 evm_overlay evm_overlay.sh
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_conditionals.sh b/testcases/kernel/security/integrity/ima/tests/ima_conditionals.sh
new file mode 100755
index 000000000..102d29756
--- /dev/null
+++ b/testcases/kernel/security/integrity/ima/tests/ima_conditionals.sh
@@ -0,0 +1,62 @@ 
+#!/bin/sh
+# SPDX-License-Identifier: GPL-2.0-or-later
+# Copyright (c) 2021 VPI Technology
+# Copyright (c) 2021 Petr Vorel <pvorel@suse.cz>
+# Author: Alex Henrie <alexh@vpitech.com>
+#
+# Verify that conditional rules work.
+
+TST_NEEDS_CMDS="chgrp chown id sg sudo"
+TST_CNT=1
+TST_NEEDS_DEVICE=1
+
+. ima_setup.sh
+
+verify_measurement()
+{
+	local request="$1"
+	local user="nobody"
+	local test_file="$PWD/test.txt"
+	local cmd="cat $test_file > /dev/null"
+
+	local value="$(id -u $user)"
+	[ "$request" = 'gid' -o "$request" = 'fgroup' ] && value="$(id -g $user)"
+
+	require_policy_writable
+
+	ROD rm -f $test_file
+
+	tst_res TINFO "verify measuring user files when requested via $request"
+	ROD echo "measure $request=$value" \> $IMA_POLICY
+	ROD echo "$(date) $request test" \> $test_file
+
+	case "$request" in
+	fgroup)
+		chgrp $user $test_file
+		$cmd
+	fowner)
+		chown $user $test_file
+		$cmd
+		;;
+	gid) sudo sg $user "sh -c '$cmd'";;
+	uid) sudo -n -u $user sh -c "$cmd";;
+	*) tst_brk TBROK "Invalid res type '$1'";;
+	esac
+
+	ima_check $test_file
+}
+
+test1()
+{
+	verify_measurement uid
+	verify_measurement fowner
+
+	if tst_kvcmp -lt 5.16; then
+		tst_brk TCONF "gid and fgroup options require kernel 5.16 or newer"
+	fi
+
+	verify_measurement gid
+	verify_measurement fgroup
+}
+
+tst_run
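Review bot: The `fgroup)` clause of the `case` in verify_measurement() is missing its `;;` terminator: after `chgrp $user $test_file` and `$cmd` the next line is `fowner)`, which POSIX sh rejects as a syntax error, so the whole script fails to parse before test1() ever runs. Add `;;` after the `$cmd` line in the `fgroup)` clause, matching the `fowner)` clause below it. Two smaller points in the same function: `chgrp $user $test_file` and `chown $user $test_file` are not wrapped in ROD, so if the ownership change fails the test silently measures a file that does not match the rule and reports a misleading result; and the fallback message `tst_brk TBROK "Invalid res type '$1'"` would be clearer as "Invalid request type", since the variable it reports is `request`.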