
[RFC,1/2] security/ima: Rewrite tests into new API + fixes

Message ID 20180111202821.31639-2-pvorel@suse.cz (mailing list archive)
State New, archived

Commit Message

Petr Vorel Jan. 11, 2018, 8:28 p.m. UTC
* simplify code, remove duplicity

* ima_measurements.sh:
  - add support for sha256sum
  - check for i_version only for ext[2-4] filesystems (other filesystems
    don't report it)
  - chown only UID (GID of nobody is different on some OS, so it's
    better not to set it as it's not necessary for the test)

* ima_policy.sh:
  - break tests instead of printing TINFO when the kernel is not configured to
    enable multiple writes to the IMA policy (IMA_WRITE_POLICY)
  - add warning when policy has been updated that reboot is needed

* ima_violations.sh:
  - change check to measure occurrence of messages in log (previous way
    to grep tail of the log was buggy) + add sleep when SUT uses
    /var/log/messages to prevent failure during

* remove duplicate whitespace from runtest file

Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
 runtest/ima                                        |   8 +-
 .../integrity/ima/tests/ima_measurements.sh        | 182 +++++++-----------
 .../security/integrity/ima/tests/ima_policy.sh     | 145 +++++++-------
 .../security/integrity/ima/tests/ima_setup.sh      | 109 +++++------
 .../kernel/security/integrity/ima/tests/ima_tpm.sh | 129 ++++++-------
 .../security/integrity/ima/tests/ima_violations.sh | 214 ++++++++++-----------
 6 files changed, 337 insertions(+), 450 deletions(-)
 mode change 100755 => 100644 testcases/kernel/security/integrity/ima/tests/ima_setup.sh

Comments

Cyril Hrubis Jan. 26, 2018, 1:09 p.m. UTC | #1
Hi!
> +# Verify that measurements are added to the measurement list based on policy.
> +
> +TST_TESTFUNC="test"
> +TST_CNT=3
> +. ima_setup.sh
> +
> +TEST_FILE="test.txt"
> +HASH_COMMAND="sha1sum"
> +POLICY="$IMA_DIR/policy"
>  
>  init()
>  {
> -	tst_check_cmds sha1sum
> -
> -	# verify using default policy
> -	if [ ! -f "$IMA_DIR/policy" ]; then
> -		tst_resm TINFO "not using default policy"
> -	fi
> +	grep -q '^CONFIG_IMA_DEFAULT_HASH_SHA256=y' /boot/config-$(uname -r) && \
> +		HASH_COMMAND="sha256sum"

Grepping /boot/config-$foo is really broken, isn't there some sysfs
or ioctl interface where we can figure out this info?

> +	tst_res TINFO "detected IMA algoritm: ${HASH_COMMAND%sum}"
> +	tst_check_cmds $HASH_COMMAND
> +	[ -f "$POLICY" ] || tst_res TINFO "not using default policy"
>  }
>  
> -# Function:     test01
> -# Description   - Verify reading a file causes a new measurement to
> -#		  be added to the IMA measurement list.
> -test01()
> +ima_check()
>  {
> -	# Create file test.txt
> -	cat > test.txt <<-EOF
> -	$(date) - this is a test file
> -	EOF
> -	if [ $? -ne 0 ]; then
> -		tst_brkm TBROK "Unable to create test file"
> -	fi
> -
> -	# Calculating the sha1sum of test.txt should add
> -	# the measurement to the measurement list.
> -	# (Assumes SHA1 IMA measurements.)
> -	hash=$(sha1sum "test.txt" | sed 's/  -//')
> -
> -	# Check if the file is measured
> -	# (i.e. contained in the ascii measurement list.)
> -	cat /sys/kernel/security/ima/ascii_runtime_measurements > measurements
> -	sleep 1
> -	$(grep $hash measurements > /dev/null)
> -	if [ $? -ne 0 ]; then
> -		tst_resm TFAIL "TPM ascii measurement list does not contain sha1sum"
> -	else
> -		tst_resm TPASS "TPM ascii measurement list contains sha1sum"
> -	fi
> +	EXPECT_PASS grep -q $($HASH_COMMAND $TEST_FILE) $ASCII_MEASUREMENTS
>  }
>  
> -# Function:     test02
> -# Description	- Verify modifying, then reading, a file causes a new
> -# 		  measurement to be added to the IMA measurement list.
> -test02()
> +test1()
>  {
> -	# Modify test.txt
> -	echo $(date) - file modified >> test.txt
> +	tst_res TINFO "verify adding record to the IMA measurement list"
> +	ROD echo "$(date) this is a test file" \> $TEST_FILE
> +	ima_check
> +}
>  
> -	# Calculating the sha1sum of test.txt should add
> -	# the new measurement to the measurement list
> -	hash=$(sha1sum test.txt | sed 's/  -//')
> +test2()
> +{
> +	local device
>  
> -	# Check if the new measurement exists
> -	cat /sys/kernel/security/ima/ascii_runtime_measurements > measurements
> -	$(grep $hash measurements > /dev/null)
> +	tst_res TINFO "verify updating record in the IMA measurement list"
>  
> -	if [ $? -ne 0 ]; then
> -		tst_resm TFAIL "Modified file not measured"
> -		tst_resm TINFO "iversion not supported; or not mounted with iversion"
> +	device="$(df . | sed -e 1d | cut -f1 -d ' ')"
> +	if grep -q $device /proc/mounts; then
> +		if grep -q "${device}.*ext[2-4]" /proc/mounts; then
> +			grep -q "${device}.*ext[2-4].*i_version" /proc/mounts || \
> +				tst_res TINFO "device '$device' is not mounted with iversion"
> +		fi
>  	else
> -		tst_resm TPASS "Modified file measured"
> +		tst_res TWARN "could not find mount info for device '$device'"
>  	fi
> +
> +	ROD echo "$(date) modified file" \> $TEST_FILE
> +	ima_check
>  }
>  
> -# Function:     test03
> -# Description 	- Verify files are measured based on policy
> -#		(Default policy does not measure user files.)
> -test03()
> +test3()
>  {
> -	# create file user-test.txt
> -	mkdir -m 0700 user
> -	chown nobody.nobody user
> -	cd user
> -	hash=0
> -
> -	# As user nobody, create and cat the new file
> -	# (The LTP tests assumes existence of 'nobody'.)
> -	sudo -n -u nobody sh -c "echo $(date) - create test.txt > ./test.txt;
> -				 cat ./test.txt > /dev/null"
> -
> -	# Calculating the hash will add the measurement to the measurement
> -	# list, so only calc the hash value after getting the measurement
> -	# list.
> -	cat /sys/kernel/security/ima/ascii_runtime_measurements > measurements
> -	hash=$(sha1sum test.txt | sed 's/  -//')
> -	cd - >/dev/null
> -
> -	# Check if the file is measured
> -	grep $hash measurements > /dev/null
> -	if [ $? -ne 0 ]; then
> -		tst_resm TPASS "user file test.txt not measured"
> -	else
> -		tst_resm TFAIL "user file test.txt measured"
> -	fi
> -}
> +	local dir="user"
> +	local user="nobody"
>  
> -. ima_setup.sh
> +	tst_res TINFO "verify measuring user files"
>  
> -setup
> -TST_CLEANUP=cleanup
> +	id $user >/dev/null 2>/dev/null || tst_brk TCONF "missing system user $user (wrong installation)"
> +	tst_check_cmds sudo
>  
> -init
> -test01
> -test02
> -test03
> +	mkdir -m 0700 $dir
> +	chown $user $dir
> +	cd $dir
> +
> +	sudo -n -u $user sh -c "echo $(date) user file > $TEST_FILE;
> +		cat $TEST_FILE > /dev/null"
>  
> -tst_exit
> +	ima_check
> +	cd ..
> +}
> +
> +init
   ^
   Any reason we don't pass this as TST_SETUP ?
> +tst_run
> diff --git a/testcases/kernel/security/integrity/ima/tests/ima_policy.sh b/testcases/kernel/security/integrity/ima/tests/ima_policy.sh
> index ad5900975..162d323a1 100755
> --- a/testcases/kernel/security/integrity/ima/tests/ima_policy.sh
> +++ b/testcases/kernel/security/integrity/ima/tests/ima_policy.sh
> @@ -1,127 +1,114 @@
>  #!/bin/sh
> -################################################################################
> -##                                                                            ##
> -## Copyright (C) 2009 IBM Corporation                                         ##
> -##                                                                            ##
> -## This program is free software;  you can redistribute it and#or modify      ##
> -## it under the terms of the GNU General Public License as published by       ##
> -## the Free Software Foundation; either version 2 of the License, or          ##
> -## (at your option) any later version.                                        ##
> -##                                                                            ##
> -## This program is distributed in the hope that it will be useful, but        ##
> -## WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY ##
> -## or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License   ##
> -## for more details.                                                          ##
> -##                                                                            ##
> -## You should have received a copy of the GNU General Public License          ##
> -## along with this program;  if not, write to the Free Software               ##
> -## Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA    ##
> -##                                                                            ##
> -################################################################################
> +# Copyright (c) 2009 IBM Corporation
> +# Copyright (c) 2018 Petr Vorel <pvorel@suse.cz>
>  #
> -# File :        ima_policy.sh
> +# This program is free software; you can redistribute it and/or
> +# modify it under the terms of the GNU General Public License as
> +# published by the Free Software Foundation; either version 2 of
> +# the License, or (at your option) any later version.
>  #
> -# Description:  This file tests replacing the default integrity measurement
> -#		policy.
> +# This program is distributed in the hope that it would be useful,
> +# but WITHOUT ANY WARRANTY; without even the implied warranty of
> +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
> +# GNU General Public License for more details.
>  #
> -# Author:       Mimi Zohar, zohar@ibm.vnet.ibm.com
> -################################################################################
> -export TST_TOTAL=3
> -export TCID="ima_policy"
> +# You should have received a copy of the GNU General Public License
> +# along with this program. If not, see <http://www.gnu.org/licenses/>.
> +#
> +# Author: Mimi Zohar, zohar@ibm.vnet.ibm.com
> +#
> +# Test replacing the default integrity measurement policy.
> +
> +TST_TESTFUNC="test"
> +TST_CNT=3
> +. ima_setup.sh
>  
>  init()
>  {
> -	# verify using default policy
> -	IMA_POLICY=$IMA_DIR/policy
> -	if [ ! -f $IMA_POLICY ]; then
> -		tst_resm TINFO "default policy already replaced"
> -	fi
> +	IMA_POLICY="$IMA_DIR/policy"
> +	[ -f $IMA_POLICY ] || \
> +		tst_brk TCONF "IMA policy already loaded and kernel not configured to enable multiple writes it"
>  
> -	VALID_POLICY=$LTPROOT/testcases/data/ima_policy/measure.policy
> -	if [ ! -f $VALID_POLICY ]; then
> -		tst_resm TINFO "missing $VALID_POLICY"
> -	fi
> +	VALID_POLICY="$LTPROOT/testcases/data/ima_policy/measure.policy"
                               ^
			       $TST_DATAROOT
> +	[ -f $VALID_POLICY ] || tst_brk TCONF "missing $VALID_POLICY"
>  
> -	INVALID_POLICY=$LTPROOT/testcases/data/ima_policy/measure.policy-invalid
> -	if [ ! -f $INVALID_POLICY ]; then
> -		tst_resm TINFO "missing $INVALID_POLICY"
> -	fi
> +	INVALID_POLICY="$LTPROOT/testcases/data/ima_policy/measure.policy-invalid"
> +	[ -f $INVALID_POLICY ] || tst_brk TCONF "missing $INVALID_POLICY"
>  }
>  
>  load_policy()
>  {
> +	local ret
> +
>  	exec 2>/dev/null 4>$IMA_POLICY
> -	if [ $? -ne 0 ]; then
> -		exit 1
> -	fi
> +	[ $? -eq 0 ] || exit 1
>  
>  	cat $1 |
> -	while read line ; do
> -	{
> -		if [ "${line#\#}" = "${line}" ] ; then
> -			echo $line >&4 2> /dev/null
> +	while read line; do
> +		if [ "${line#\#}" = "${line}" ]; then
> +			echo "$line" >&4 2> /dev/null
>  			if [ $? -ne 0 ]; then
>  				exec 4>&-
>  				return 1
>  			fi
>  		fi
> -	}
>  	done
> -}
> +	ret=$?
>  
> +	[ $ret -eq 0 ] && \
> +		tst_res TINFO "IMA policy updated, please reboot after testing to restore settings"
>  
> -# Function:     test01
> -# Description   - Verify invalid policy doesn't replace default policy.
> -test01()
> +	return $ret
> +}
> +
> +test1()
>  {
> +	tst_res TINFO "verify that invalid policy doesn't replace default policy"
> +
> +	local p1
> +
>  	load_policy $INVALID_POLICY & p1=$!
>  	wait "$p1"
>  	if [ $? -ne 0 ]; then
> -		tst_resm TPASS "didn't load invalid policy"
> +		tst_res TPASS "didn't load invalid policy"
>  	else
> -		tst_resm TFAIL "loaded invalid policy"
> +		tst_res TFAIL "loaded invalid policy"
>  	fi
>  }
>  
> -# Function:     test02
> -# Description	- Verify policy file is opened sequentially, not concurrently
> -#		  and install new policy
> -test02()
> +test2()
>  {
> +	tst_res TINFO "verify that policy file is opened sequentially and installs new policy"
> +
> +	local p1 p2 rc1 rc2
> +
>  	load_policy $VALID_POLICY & p1=$!  # forked process 1
>  	load_policy $VALID_POLICY & p2=$!  # forked process 2
> -	wait "$p1"; RC1=$?
> -	wait "$p2"; RC2=$?
> -	if [ $RC1 -eq 0 ] && [ $RC2 -eq 0 ]; then
> -		tst_resm TFAIL "measurement policy opened concurrently"
> -	elif [ $RC1 -eq 0 ] || [ $RC2 -eq 0 ]; then
> -		tst_resm TPASS "replaced default measurement policy"
> +	wait "$p1"; rc1=$?
> +	wait "$p2"; rc2=$?
> +	if [ $rc1 -eq 0 ] && [ $rc2 -eq 0 ]; then
> +		tst_res TFAIL "measurement policy opened concurrently"
> +	elif [ $rc1 -eq 0 ] || [ $rc2 -eq 0 ]; then
> +		tst_res TPASS "replaced default measurement policy"
>  	else
> -		tst_resm TFAIL "problems opening measurement policy"
> +		tst_res TFAIL "problems opening measurement policy"
>  	fi
>  }
>  
> -# Function:     test03
> -# Description 	- Verify can't load another measurement policy.
> -test03()
> +test3()
>  {
> +	tst_res TINFO "verify that valid policy isn't replaced"
> +
> +	local p1
> +
>  	load_policy $INVALID_POLICY & p1=$!
>  	wait "$p1"
>  	if [ $? -ne 0 ]; then
> -		tst_resm TPASS "didn't replace valid policy"
> +		tst_res TPASS "didn't replace valid policy"
>  	else
> -		tst_resm TFAIL "replaced valid policy"
> +		tst_res TFAIL "replaced valid policy"
>  	fi
>  }
>  
> -. ima_setup.sh
> -
> -setup
> -TST_CLEANUP=cleanup
> -
>  init
> -test01
> -test02
> -test03
> -
> -tst_exit
> +tst_run
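Review bot: load_policy reads the policy with `while read line; do`, which strips backslashes from each rule before it is echoed to fd 4, so a rule containing `\` reaches the kernel altered; use `while read -r line; do`. The TCONF message on the `[ -f $IMA_POLICY ]` line is missing a word: `... kernel not configured to enable multiple writes to it"`. The `[ -f ... ]` tests in init expand `$IMA_POLICY`, `$VALID_POLICY` and `$INVALID_POLICY` unquoted, which only works while `$LTPROOT` contains no whitespace.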
> diff --git a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
> old mode 100755
> new mode 100644
> index 0ff38d23b..7e19e3959
> --- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
> +++ b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
> @@ -1,86 +1,67 @@
>  #!/bin/sh
> -################################################################################
> -##                                                                            ##
> -## Copyright (C) 2009 IBM Corporation                                         ##
> -##                                                                            ##
> -## This program is free software;  you can redistribute it and#or modify      ##
> -## it under the terms of the GNU General Public License as published by       ##
> -## the Free Software Foundation; either version 2 of the License, or          ##
> -## (at your option) any later version.                                        ##
> -##                                                                            ##
> -## This program is distributed in the hope that it will be useful, but        ##
> -## WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY ##
> -## or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License   ##
> -## for more details.                                                          ##
> -##                                                                            ##
> -## You should have received a copy of the GNU General Public License          ##
> -## along with this program;  if not, write to the Free Software Foundation,   ##
> -## Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA           ##
> -##                                                                            ##
> -################################################################################
> +# Copyright (c) 2009 IBM Corporation
> +# Copyright (c) 2018 Petr Vorel <pvorel@suse.cz>
>  #
> -# File :        ima_setup.sh
> +# This program is free software; you can redistribute it and/or
> +# modify it under the terms of the GNU General Public License as
> +# published by the Free Software Foundation; either version 2 of
> +# the License, or (at your option) any later version.
>  #
> -# Description:  setup/cleanup routines for the integrity tests.
> +# This program is distributed in the hope that it would be useful,
> +# but WITHOUT ANY WARRANTY; without even the implied warranty of
> +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
> +# GNU General Public License for more details.
>  #
> -# Author:       Mimi Zohar, zohar@ibm.vnet.ibm.com
> -################################################################################
> -. test.sh
> -mount_sysfs()
> -{
> -	SYSFS=$(mount 2>/dev/null | awk '$5 == "sysfs" { print $3 }')
> -	if [ "x$SYSFS" = x ] ; then
> +# You should have received a copy of the GNU General Public License
> +# along with this program. If not, see <http://www.gnu.org/licenses/>.
> +#
> +# Author: Mimi Zohar, zohar@ibm.vnet.ibm.com
>  
> -		SYSFS=/sys
> +TST_CLEANUP="cleanup"
> +TST_NEEDS_TMPDIR=1
> +TST_NEEDS_ROOT=1
> +. tst_test.sh
>  
> -		test -d $SYSFS || mkdir -p $SYSFS 2>/dev/null
> -		if [ $? -ne 0 ] ; then
> -			tst_brkm TBROK "Failed to mkdir $SYSFS"
> -		fi
> -		if ! mount -t sysfs sysfs $SYSFS 2>/dev/null ; then
> -			tst_brkm TBROK "Failed to mount $SYSFS"
> -		fi
> +export TCID="${TCID:-$(basename $0 | cut -d. -f1)}"
>  
> -	fi
> -}
> +UMOUNT=
>  
> -mount_securityfs()
> +mount_helper()
>  {
> -	SECURITYFS=$(mount 2>/dev/null | awk '$5 == "securityfs" { print $3 }')
> -	if [ "x$SECURITYFS" = x ] ; then
> -
> -		SECURITYFS="$SYSFS/kernel/security"
> +	local type="$1"
> +	local default_dir="$2"
> +	local dir
>  
> -		test -d $SECURITYFS || mkdir -p $SECURITYFS 2>/dev/null
> -		if [ $? -ne 0 ] ; then
> -			tst_brkm TBROK "Failed to mkdir $SECURITYFS"
> -		fi
> -		if ! mount -t securityfs securityfs $SECURITYFS 2>/dev/null ; then
> -			tst_brkm TBROK "Failed to mount $SECURITYFS"
> -		fi
> +	dir="$(grep ^$type /proc/mounts | cut -d ' ' -f2 | head -1)"
> +	[ -n "$dir" ] && { echo "$dir"; return; }
>  
> +	if ! mkdir -p $default_dir; then
> +		tst_brk TBROK "Failed to create $default_dir"
> +	fi
> +	if ! mount -t $type $type $default_dir; then
> +		tst_brk TBROK "Failed to mount $type"
>  	fi
> +	UMOUNT="$default_dir $UMOUNT"
> +	echo $default_dir
>  }
>  
>  setup()
>  {
> -	tst_require_root
> +	SYSFS="$(mount_helper sysfs /sys)"

Do we really still need to mount /sys as far as I can tell it's
mounted automatically for more than 10 years now.

> +	SECURITYFS="$(mount_helper securityfs $SYSFS/kernel/security)"
>  
> -	tst_tmpdir
> -
> -	mount_sysfs
> -
> -	# mount securityfs if it is not already mounted
> -	mount_securityfs
> -
> -	# IMA must be configured in the kernel
> -	IMA_DIR=$SECURITYFS/ima
> -	if [ ! -d "$IMA_DIR" ]; then
> -		tst_brkm TCONF "IMA not enabled in kernel"
> -	fi
> +	IMA_DIR="$SECURITYFS/ima"
> +	[ -d "$IMA_DIR" ] || tst_brk TCONF "IMA not enabled in kernel"
> +	ASCII_MEASUREMENTS="$IMA_DIR/ascii_runtime_measurements"
> +	BINARY_MEASUREMENTS="$IMA_DIR/binary_runtime_measurements"
>  }
>  
>  cleanup()
>  {
> -	tst_rmdir
> +	local dir
> +	for dir in $UMOUNT; do
> +		umount $dir
> +	done
>  }
> +
> +setup
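Review bot: mount_helper looks for an existing mount with `grep ^$type /proc/mounts`, which matches the first column (the mount source), not the filesystem type in the third column, so a sysfs or securityfs mounted under a different source name (commonly `none`) is not found and the helper tries to mount the type a second time; the removed mount_sysfs/mount_securityfs code keyed on the type column. Matching the type directly avoids that: `dir="$(awk -v t="$type" '$3 == t { print $2; exit }' /proc/mounts)"`. The path is then echoed unquoted (`echo $default_dir`) and `mkdir`/`mount` receive `$default_dir` unquoted; quoting them keeps a path with spaces intact.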
> diff --git a/testcases/kernel/security/integrity/ima/tests/ima_tpm.sh b/testcases/kernel/security/integrity/ima/tests/ima_tpm.sh
> index 333bf5f8a..a3d1739cd 100755
> --- a/testcases/kernel/security/integrity/ima/tests/ima_tpm.sh
> +++ b/testcases/kernel/security/integrity/ima/tests/ima_tpm.sh
> @@ -1,70 +1,61 @@
>  #!/bin/sh
> -
> -################################################################################
> -##                                                                            ##
> -## Copyright (C) 2009 IBM Corporation                                         ##
> -##                                                                            ##
> -## This program is free software;  you can redistribute it and#or modify      ##
> -## it under the terms of the GNU General Public License as published by       ##
> -## the Free Software Foundation; either version 2 of the License, or          ##
> -## (at your option) any later version.                                        ##
> -##                                                                            ##
> -## This program is distributed in the hope that it will be useful, but        ##
> -## WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY ##
> -## or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License   ##
> -## for more details.                                                          ##
> -##                                                                            ##
> -## You should have received a copy of the GNU General Public License          ##
> -## along with this program;  if not, write to the Free Software               ##
> -## Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA    ##
> -##                                                                            ##
> -################################################################################
> +# Copyright (c) 2009 IBM Corporation
> +# Copyright (c) 2018 Petr Vorel <pvorel@suse.cz>
> +#
> +# This program is free software; you can redistribute it and/or
> +# modify it under the terms of the GNU General Public License as
> +# published by the Free Software Foundation; either version 2 of
> +# the License, or (at your option) any later version.
>  #
> -# File :        ima_tpm.sh
> +# This program is distributed in the hope that it would be useful,
> +# but WITHOUT ANY WARRANTY; without even the implied warranty of
> +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
> +# GNU General Public License for more details.
>  #
> -# Description:  This file verifies the boot and PCR aggregates
> +# You should have received a copy of the GNU General Public License
> +# along with this program. If not, see <http://www.gnu.org/licenses/>.
>  #
> -# Author:       Mimi Zohar, zohar@ibm.vnet.ibm.com
> +# Author: Mimi Zohar, zohar@ibm.vnet.ibm.com
>  #
> -# Return        - zero on success
> -#               - non zero on failure. return value from commands ($RC)
> -################################################################################
> -export TST_TOTAL=3
> -export TCID="ima_tpm"
> +# Verify the boot and PCR aggregates.
> +
> +TST_TESTFUNC="test"
> +TST_CNT=3
> +. ima_setup.sh
>  
>  init()
>  {
>  	tst_check_cmds ima_boot_aggregate ima_measure
>  }
>  
> -# Function:     test01
> -# Description   - Verify boot aggregate value is correct
> -test01()
> +test1()
>  {
> -	zero="0000000000000000000000000000000000000000"
> +	tst_res TINFO "verify boot aggregate"
> +
> +	local zero="0000000000000000000000000000000000000000"
> +	local tpm_bios="$SECURITYFS/tpm0/binary_bios_measurements"
> +	local ima_measurements="$ASCII_MEASUREMENTS"
> +	local ima_aggr line
>  
>  	# IMA boot aggregate
> -	ima_measurements=$SECURITYFS/ima/ascii_runtime_measurements
>  	read line < $ima_measurements
>  	ima_aggr=$(expr substr "${line}" 49 40)
>  
> -	# verify TPM is available and enabled.
> -	tpm_bios=$SECURITYFS/tpm0/binary_bios_measurements
>  	if [ ! -f "$tpm_bios" ]; then
> -		tst_brkm TCONF "TPM not builtin kernel, or TPM not enabled"
> +		tst_brk TCONF "TPM not builtin kernel, or TPM not enabled"
>  
>  		if [ "${ima_aggr}" = "${zero}" ]; then
> -			tst_resm TPASS "bios boot aggregate is 0."
> +			tst_res TPASS "bios boot aggregate is 0"
>  		else
> -			tst_resm TFAIL "bios boot aggregate is not 0."
> +			tst_res TFAIL "bios boot aggregate is not 0"
>  		fi
>  	else
>  		boot_aggregate=$(ima_boot_aggregate $tpm_bios)
>  		boot_aggr=$(expr substr $boot_aggregate 16 40)
>  		if [ "x${ima_aggr}" = "x${boot_aggr}" ]; then
> -			tst_resm TPASS "bios aggregate matches IMA boot aggregate."
> +			tst_res TPASS "bios aggregate matches IMA boot aggregate"
>  		else
> -			tst_resm TFAIL "bios aggregate does not match IMA boot aggregate."
> +			tst_res TFAIL "bios aggregate does not match IMA boot aggregate"
>  		fi
>  	fi
>  }
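Review bot: In test1 the `if [ ! -f "$tpm_bios" ]` branch calls `tst_brk TCONF`, which terminates the test, so the zero-aggregate comparison that follows it inside the same branch can never run; either drop those lines or report with `tst_res TCONF` and keep the check. The offsets in `ima_aggr=$(expr substr "${line}" 49 40)` assume a 40-character SHA-1 digest at a fixed column, while this series adds SHA-256 detection in ima_measurements.sh; a measurement list produced with a different hash or template would make the substring comparison fail, which at least deserves a comment on that line. `read line < $ima_measurements` should be `read -r line < "$ima_measurements"`.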
> @@ -74,64 +65,54 @@ test01()
>  # the PCR values from /sys/devices.
>  validate_pcr()
>  {
> -	ima_measurements=$SECURITYFS/ima/binary_runtime_measurements
> -	aggregate_pcr=$(ima_measure $ima_measurements --validate)
> -	dev_pcrs=$1
> -	RC=0
> +	tst_res TINFO "verify PCR (Process Control Register)"
>  
> -	while read line ; do
> +	local ima_measurements="$BINARY_MEASUREMENTS"
> +	local aggregate_pcr="$(ima_measure $ima_measurements --validate)"
> +	local dev_pcrs="$1"
> +	local ret=0
> +
> +	while read line; do
>  		pcr=$(expr substr "${line}" 1 6)
>  		if [ "${pcr}" = "PCR-10" ]; then
>  			aggr=$(expr substr "${aggregate_pcr}" 26 59)
>  			pcr=$(expr substr "${line}" 9 59)
> -			[ "${pcr}" = "${aggr}" ] || RC=$?
> +			[ "${pcr}" = "${aggr}" ] || ret=$?
>  		fi
>  	done < $dev_pcrs
> -	return $RC
> +	return $ret
>  }
>  
> -# Function:     test02
> -# Description	- Verify ima calculated aggregate PCR values matches
> -#		  actual PCR value.
> -test02()
> +test2()
>  {
> +	tst_res TINFO "verify PCR values"
>  
> -	# Would be nice to know where the PCRs are located.  Is this safe?
> -	PCRS_PATH=$(find /$SYSFS/devices/ | grep pcrs)
> +	# Would be nice to know where the PCRs are located. Is this safe?
> +	local pcrs_path="$(find $SYSFS/devices/ | grep pcrs)"
>  	if [ $? -eq 0 ]; then
> -		validate_pcr $PCRS_PATH
> +		validate_pcr $pcrs_path
>  		if [ $? -eq 0 ]; then
> -			tst_resm TPASS "aggregate PCR value matches real PCR value."
> +			tst_res TPASS "aggregate PCR value matches real PCR value"
>  		else
> -			tst_resm TFAIL "aggregate PCR value does not match real PCR value."
> +			tst_res TFAIL "aggregate PCR value does not match real PCR value"
>  		fi
>  	else
> -		tst_resm TFAIL "TPM not enabled, no PCR value to validate"
> +		tst_res TFAIL "TPM not enabled, no PCR value to validate"
>  	fi
>  }
>  
> -# Function:     test03
> -# Description 	- Verify template hash value for IMA entry is correct.
> -test03()
> +test3()
>  {
> +	tst_res TINFO "verify template hash value"
>  
> -	ima_measurements=$SECURITYFS/ima/binary_runtime_measurements
> -	aggregate_pcr=$(ima_measure $ima_measurements --verify --validate) > /dev/null
> +	local ima_measurements="$BINARY_MEASUREMENTS"
> +	ima_measure $ima_measurements --verify --validate
>  	if [ $? -eq 0 ]; then
> -		tst_resm TPASS "verified IMA template hash values."
> +		tst_res TPASS "verified IMA template hash values"
>  	else
> -		tst_resm TFAIL "error verifing IMA template hash values."
> +		tst_res TFAIL "error verifing IMA template hash values"
>  	fi
>  }
>  
> -. ima_setup.sh
> -
> -setup
> -TST_CLEANUP=cleanup
> -
>  init

Here as well.

> -test01
> -test02
> -test03
> -
> -tst_exit
> +tst_run
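Review bot: test2 now reads the search result into `local pcrs_path="$(find $SYSFS/devices/ | grep pcrs)"`, and the `if [ $? -eq 0 ]` on the next line tests the status of `local`, not of grep, so the "TPM not enabled" branch is unreachable and validate_pcr runs with an empty `$dev_pcrs` (the removed `PCRS_PATH=$(...)` form did propagate grep's status). Declare and assign separately: `local pcrs_path` then `pcrs_path="$(find $SYSFS/devices/ | grep pcrs)"`. The same masking affects `local aggregate_pcr="$(ima_measure ...)"` in validate_pcr, though nothing checks its status there. The TINFO text in validate_pcr expands PCR as "Process Control Register"; in TPM terms it is `tst_res TINFO "verify PCR (Platform Configuration Register)"`.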
> diff --git a/testcases/kernel/security/integrity/ima/tests/ima_violations.sh b/testcases/kernel/security/integrity/ima/tests/ima_violations.sh
> index 1b86b5f1a..80a01a546 100755
> --- a/testcases/kernel/security/integrity/ima/tests/ima_violations.sh
> +++ b/testcases/kernel/security/integrity/ima/tests/ima_violations.sh
> @@ -1,44 +1,45 @@
>  #!/bin/sh
> -################################################################################
> -##                                                                            ##
> -## Copyright (C) 2009 IBM Corporation                                         ##
> -##                                                                            ##
> -## This program is free software;  you can redistribute it and#or modify      ##
> -## it under the terms of the GNU General Public License as published by       ##
> -## the Free Software Foundation; either version 2 of the License, or          ##
> -## (at your option) any later version.                                        ##
> -##                                                                            ##
> -## This program is distributed in the hope that it will be useful, but        ##
> -## WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY ##
> -## or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License   ##
> -## for more details.                                                          ##
> -##                                                                            ##
> -## You should have received a copy of the GNU General Public License          ##
> -## along with this program;  if not, write to the Free Software               ##
> -## Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA    ##
> -##                                                                            ##
> -################################################################################
> +# Copyright (c) 2009 IBM Corporation
> +# Copyright (c) 2018 Petr Vorel <pvorel@suse.cz>
>  #
> -# File :        ima_violations.sh
> +# This program is free software; you can redistribute it and/or
> +# modify it under the terms of the GNU General Public License as
> +# published by the Free Software Foundation; either version 2 of
> +# the License, or (at your option) any later version.
>  #
> -# Description:  This file tests ToMToU and open_writer violations invalidate
> -#		the PCR and are logged.
> +# This program is distributed in the hope that it would be useful,
> +# but WITHOUT ANY WARRANTY; without even the implied warranty of
> +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
> +# GNU General Public License for more details.
>  #
> -# Author:       Mimi Zohar, zohar@ibm.vnet.ibm.com
> +# You should have received a copy of the GNU General Public License
> +# along with this program. If not, see <http://www.gnu.org/licenses/>.
>  #
> -# Return        - zero on success
> -#               - non zero on failure. return value from commands ($RC)
> -################################################################################
> +# Author: Mimi Zohar, zohar@ibm.vnet.ibm.com
> +#
> +# Test whether ToMToU and open_writer violations invalidatethe PCR and are logged.
>  
> -export TST_TOTAL=3
> -export TCID="ima_violations"
> +TST_TESTFUNC="test"
> +TST_CNT=3
> +. ima_setup.sh
>  
> -open_file_read()
> +FILE="test.txt"
> +IMA_VIOLATIONS="$SECURITYFS/ima/violations"
> +
> +init()
>  {
> -	exec 3< $1
> -	if [ $? -ne 0 ]; then
> -		exit 1
> +	LOG="/var/log/messages"
> +	SLEEP="500ms"
> +	if service auditd status > /dev/null 2>&1; then

Here we depend on service being installed, which unfortunately is not
the case for all currently supported distributions. Have a look at
testcases/lib/daemonlib.sh and status_daemon() function there.

> +		LOG="/var/log/audit/audit.log"
> +		tst_res TINFO "requires integrity auditd patch"
>  	fi
> +	tst_res TINFO "using log $LOG"
> +}
> +
> +open_file_read()
> +{
> +	exec 3< $FILE || exit 1
>  }
>  
>  close_file_read()
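Review bot: init selects `LOG="/var/log/messages"` as the default but never checks that the file exists; on a system that logs only to the journal the later grep on a missing file would yield a count of 0 and every test would end in the "not found in $LOG" failure rather than a clear TCONF. Add `[ -f "$LOG" ] || tst_brk TCONF "log file $LOG not found"` before the `tst_res TINFO "using log $LOG"` line. The header comment on the `+# Test whether ...` line is missing a space: `invalidate the PCR`. `IMA_VIOLATIONS` is computed at source time from `$SECURITYFS`, which works only because ima_setup.sh runs setup when sourced; if that moves to TST_SETUP this assignment has to move into init.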
> @@ -48,11 +49,8 @@ close_file_read()
>  
>  open_file_write()
>  {
> -	exec 4> $1
> -	if [ $? -ne 0 ]; then
> -		exit 1
> -	echo 'testing, testing, ' >&4
> -	fi
> +	exec 4> $FILE || exit 1
> +	echo 'test writing' >&4
>  }
>  
>  close_file_write()
> @@ -60,103 +58,89 @@ close_file_write()
>  	exec 4>&-
>  }
>  
> -init()
> +get_count()
>  {
> -	service auditd status > /dev/null 2>&1
> -	if [ $? -ne 0 ]; then
> -		log=/var/log/messages
> -	else
> -		log=/var/log/audit/audit.log
> -		tst_resm TINFO "requires integrity auditd patch"
> -	fi
> -
> -	ima_violations=$SECURITYFS/ima/violations
> +	local search="$1"
> +	echo $(grep -c "${search}.*${FILE}" $LOG)
>  }
>  
> -# Function:     test01
> -# Description	- Verify open writers violation
> -test01()
> +validate()
>  {
> -	read num_violations < $ima_violations
> -
> -	TMPFN=test.txt
> -	open_file_write $TMPFN
> -	open_file_read $TMPFN
> -	close_file_read
> -	close_file_write
> -	read num_violations_new < $ima_violations
> -	num=$(($(expr $num_violations_new - $num_violations)))
> -	if [ $num -gt 0 ]; then
> -		tail $log | grep test.txt | grep -q 'open_writers'
> -		if [ $? -eq 0 ]; then
> -			tst_resm TPASS "open_writers violation added(test.txt)"
> +	local num_violations="$1"
> +	local count="$2"
> +	local search="$3"
> +	local count2="$(get_count $search)"
> +	local num_violations_new
> +
> +	[ -n "$SLEEP" ] && tst_sleep $SLEEP
> +
> +	read num_violations_new < $IMA_VIOLATIONS
> +	if [ $(($num_violations_new - $num_violations)) -gt 0 ]; then
> +		if [ $count2 -gt $count ]; then
> +			tst_res TPASS "$search violation added"
>  		else
> -			tst_resm TFAIL "(message ratelimiting?)"
> +			tst_res TFAIL "$search not found in $LOG"
>  		fi
>  	else
> -		tst_resm TFAIL "open_writers violation not added(test.txt)"
> +		tst_res TFAIL "$search violation not added"
>  	fi
>  }
>  
> -# Function:     test02
> -# Description   - Verify ToMToU violation
> -test02()
> +test1()
>  {
> -	read num_violations < $ima_violations
> +	tst_res TINFO "verify open writers violation"
>  
> -	TMPFN=test.txt
> -	open_file_read $TMPFN
> -	open_file_write $TMPFN
> -	close_file_write
> +	local search="open_writers"
> +	local count num_violations
> +
> +	read num_violations < $IMA_VIOLATIONS
> +	count="$(get_count $search)"
> +
> +	open_file_write
> +	open_file_read
>  	close_file_read
> -	read num_violations_new < $ima_violations
> -	num=$(($(expr $num_violations_new - $num_violations)))
> -	if [ $num -gt 0 ]; then
> -		tail $log | grep test.txt | grep -q 'ToMToU'
> -		if [ $? -eq 0 ]; then
> -			tst_resm TPASS "ToMToU violation added(test.txt)"
> -		else
> -			tst_resm TFAIL "(message ratelimiting?)"
> -		fi
> -	else
> -		tst_resm TFAIL "ToMToU violation not added(test.txt)"
> -	fi
> +	close_file_write
> +
> +	validate $num_violations $count $search
>  }
>  
> -# Function:     test03
> -# Description 	- verify open_writers using mmapped files
> -test03()
> +test2()
>  {
> -	read num_violations < $ima_violations
> -
> -	TMPFN=test.txtb
> -	echo 'testing testing ' > $TMPFN
> -	ima_mmap $TMPFN & p1=$!
> -	sleep 1		# got to wait for ima_mmap to mmap the file
> -	open_file_read $TMPFN
> -	read num_violations_new < $ima_violations
> -	num=$(($(expr $num_violations_new - $num_violations)))
> -	if [ $num -gt 0 ]; then
> -		tail $log | grep test.txtb | grep -q 'open_writers'
> -		if [ $? -eq 0 ]; then
> -			tst_resm TPASS "mmapped open_writers violation added(test.txtb)"
> -		else
> -			tst_resm TFAIL "(message ratelimiting?)"
> -		fi
> -	else
> -		tst_resm TFAIL "mmapped open_writers violation not added(test.txtb)"
> -	fi
> +	tst_res TINFO "verify ToMToU violation"
> +
> +	local search="ToMToU"
> +	local count num_violations
> +
> +	read num_violations < $IMA_VIOLATIONS
> +	count="$(get_count $search)"
> +
> +	open_file_read
> +	open_file_write
> +	close_file_write
>  	close_file_read
> +
> +	validate $num_violations $count $search
>  }
>  
> -. ima_setup.sh
> +test3()
> +{
> +	tst_res TINFO "verify open_writers using mmapped files"
>  
> -setup
> -TST_CLEANUP=cleanup
> +	local search="open_writers"
> +	local count num_violations
>  
> -init
> -test01
> -test02
> -test03
> +	read num_violations < $IMA_VIOLATIONS
> +	count="$(get_count $search)"
> +
> +	echo 'testing testing ' > $FILE
> +	ima_mmap $FILE &
> +	sleep 1

What do we sleep here for?

> +	open_file_read
> +	close_file_read
> +
> +	validate $num_violations $count $search
> +}
> +
> +init
> +tst_run
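Review bot: validate captures the post-test log count in `local count2="$(get_count $search)"` before it reaches `tst_sleep $SLEEP`, so the delay the commit adds to let the log catch up happens after the count has already been taken and cannot prevent the failure it is meant to prevent. Declare `local count2` with the other locals and assign it after the sleep: `count2="$(get_count $search)"`. get_count's `echo $(grep -c ...)` can be plain `grep -c "${search}.*${FILE}" "$LOG"`, and `$search` is passed unquoted through validate and get_count, which would split on whitespace. test3 starts `ima_mmap $FILE &` and never waits for or stops it (the removed code at least kept its PID), so the helper may still be running when the next test or cleanup runs; record `$!` and `wait`/`kill` it after validate.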
> -- 
> 2.15.1
> 
> 
> -- 
> Mailing list info: https://lists.linux.it/listinfo/ltp

Patch

diff --git a/runtest/ima b/runtest/ima
index 251458af4..20d2e0810 100644
--- a/runtest/ima
+++ b/runtest/ima
@@ -1,5 +1,5 @@ 
 #DESCRIPTION:Integrity Measurement Architecture (IMA)
-ima01   ima_measurements.sh
-ima02   ima_policy.sh
-ima03   ima_tpm.sh
-ima04   ima_violations.sh
+ima01 ima_measurements.sh
+ima02 ima_policy.sh
+ima03 ima_tpm.sh
+ima04 ima_violations.sh
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh b/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh
index a3c357c8b..3993a575d 100755
--- a/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh
@@ -1,139 +1,93 @@ 
 #!/bin/sh
-
-################################################################################
-##                                                                            ##
-## Copyright (C) 2009 IBM Corporation                                         ##
-##                                                                            ##
-## This program is free software;  you can redistribute it and#or modify      ##
-## it under the terms of the GNU General Public License as published by       ##
-## the Free Software Foundation; either version 2 of the License, or          ##
-## (at your option) any later version.                                        ##
-##                                                                            ##
-## This program is distributed in the hope that it will be useful, but        ##
-## WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY ##
-## or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License   ##
-## for more details.                                                          ##
-##                                                                            ##
-## You should have received a copy of the GNU General Public License          ##
-## along with this program;  if not, write to the Free Software Foundation,   ##
-## Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA           ##
-##                                                                            ##
-################################################################################
+# Copyright (c) 2009 IBM Corporation
+# Copyright (c) 2018 Petr Vorel <pvorel@suse.cz>
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation; either version 2 of
+# the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it would be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
 #
-# File :        ima_measurements.sh
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
 #
-# Description:  This file verifies measurements are added to the measurement
-# 		list based on policy.
+# Author: Mimi Zohar, zohar@ibm.vnet.ibm.com
 #
-# Author:       Mimi Zohar, zohar@ibm.vnet.ibm.com
-################################################################################
-export TST_TOTAL=3
-export TCID="ima_measurements"
+# Verify that measurements are added to the measurement list based on policy.
+
+TST_TESTFUNC="test"
+TST_CNT=3
+. ima_setup.sh
+
+TEST_FILE="test.txt"
+HASH_COMMAND="sha1sum"
+POLICY="$IMA_DIR/policy"
 
 init()
 {
-	tst_check_cmds sha1sum
-
-	# verify using default policy
-	if [ ! -f "$IMA_DIR/policy" ]; then
-		tst_resm TINFO "not using default policy"
-	fi
+	grep -q '^CONFIG_IMA_DEFAULT_HASH_SHA256=y' /boot/config-$(uname -r) && \
+		HASH_COMMAND="sha256sum"
+	tst_res TINFO "detected IMA algoritm: ${HASH_COMMAND%sum}"
+	tst_check_cmds $HASH_COMMAND
+	[ -f "$POLICY" ] || tst_res TINFO "not using default policy"
 }
 
-# Function:     test01
-# Description   - Verify reading a file causes a new measurement to
-#		  be added to the IMA measurement list.
-test01()
+ima_check()
 {
-	# Create file test.txt
-	cat > test.txt <<-EOF
-	$(date) - this is a test file
-	EOF
-	if [ $? -ne 0 ]; then
-		tst_brkm TBROK "Unable to create test file"
-	fi
-
-	# Calculating the sha1sum of test.txt should add
-	# the measurement to the measurement list.
-	# (Assumes SHA1 IMA measurements.)
-	hash=$(sha1sum "test.txt" | sed 's/  -//')
-
-	# Check if the file is measured
-	# (i.e. contained in the ascii measurement list.)
-	cat /sys/kernel/security/ima/ascii_runtime_measurements > measurements
-	sleep 1
-	$(grep $hash measurements > /dev/null)
-	if [ $? -ne 0 ]; then
-		tst_resm TFAIL "TPM ascii measurement list does not contain sha1sum"
-	else
-		tst_resm TPASS "TPM ascii measurement list contains sha1sum"
-	fi
+	EXPECT_PASS grep -q $($HASH_COMMAND $TEST_FILE) $ASCII_MEASUREMENTS
 }
 
-# Function:     test02
-# Description	- Verify modifying, then reading, a file causes a new
-# 		  measurement to be added to the IMA measurement list.
-test02()
+test1()
 {
-	# Modify test.txt
-	echo $(date) - file modified >> test.txt
+	tst_res TINFO "verify adding record to the IMA measurement list"
+	ROD echo "$(date) this is a test file" \> $TEST_FILE
+	ima_check
+}
 
-	# Calculating the sha1sum of test.txt should add
-	# the new measurement to the measurement list
-	hash=$(sha1sum test.txt | sed 's/  -//')
+test2()
+{
+	local device
 
-	# Check if the new measurement exists
-	cat /sys/kernel/security/ima/ascii_runtime_measurements > measurements
-	$(grep $hash measurements > /dev/null)
+	tst_res TINFO "verify updating record in the IMA measurement list"
 
-	if [ $? -ne 0 ]; then
-		tst_resm TFAIL "Modified file not measured"
-		tst_resm TINFO "iversion not supported; or not mounted with iversion"
+	device="$(df . | sed -e 1d | cut -f1 -d ' ')"
+	if grep -q $device /proc/mounts; then
+		if grep -q "${device}.*ext[2-4]" /proc/mounts; then
+			grep -q "${device}.*ext[2-4].*i_version" /proc/mounts || \
+				tst_res TINFO "device '$device' is not mounted with iversion"
+		fi
 	else
-		tst_resm TPASS "Modified file measured"
+		tst_res TWARN "could not find mount info for device '$device'"
 	fi
+
+	ROD echo "$(date) modified file" \> $TEST_FILE
+	ima_check
 }
 
-# Function:     test03
-# Description 	- Verify files are measured based on policy
-#		(Default policy does not measure user files.)
-test03()
+test3()
 {
-	# create file user-test.txt
-	mkdir -m 0700 user
-	chown nobody.nobody user
-	cd user
-	hash=0
-
-	# As user nobody, create and cat the new file
-	# (The LTP tests assumes existence of 'nobody'.)
-	sudo -n -u nobody sh -c "echo $(date) - create test.txt > ./test.txt;
-				 cat ./test.txt > /dev/null"
-
-	# Calculating the hash will add the measurement to the measurement
-	# list, so only calc the hash value after getting the measurement
-	# list.
-	cat /sys/kernel/security/ima/ascii_runtime_measurements > measurements
-	hash=$(sha1sum test.txt | sed 's/  -//')
-	cd - >/dev/null
-
-	# Check if the file is measured
-	grep $hash measurements > /dev/null
-	if [ $? -ne 0 ]; then
-		tst_resm TPASS "user file test.txt not measured"
-	else
-		tst_resm TFAIL "user file test.txt measured"
-	fi
-}
+	local dir="user"
+	local user="nobody"
 
-. ima_setup.sh
+	tst_res TINFO "verify measuring user files"
 
-setup
-TST_CLEANUP=cleanup
+	id $user >/dev/null 2>/dev/null || tst_brk TCONF "missing system user $user (wrong installation)"
+	tst_check_cmds sudo
 
-init
-test01
-test02
-test03
+	mkdir -m 0700 $dir
+	chown $user $dir
+	cd $dir
+
+	sudo -n -u $user sh -c "echo $(date) user file > $TEST_FILE;
+		cat $TEST_FILE > /dev/null"
 
-tst_exit
+	ima_check
+	cd ..
+}
+
+init
+tst_run
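Review bot: test3 no longer checks what its TINFO announces: `ima_check` (L1154) hashes `$TEST_FILE` as root before grepping the list, and under the default policy that root read is itself measured, so the grep passes whatever the unprivileged user did; the removed test03 read the list first, hashed afterwards, and passed only when the hash was absent, so this rewrite inverts the expected result without the commit message saying so. The same helper relies on word-splitting, since `$($HASH_COMMAND $TEST_FILE)` expands to the digest and the file name and grep quietly searches `$TEST_FILE` as a second input; `$HASH_COMMAND $TEST_FILE | cut -d' ' -f1` yields just the digest. `cd $dir` on L1249 is unchecked, so on failure the following writes and the trailing `cd ..` run one directory up as root; `cd $dir || tst_brk TBROK "cannot cd to $dir"`. For test3 I would snapshot the list before hashing and keep the original expectation:

```sh
	# … unchanged: id/sudo checks, mkdir, chown, cd, sudo -n -u … #

	# snapshot first: hashing as root reads the file, and that read is measured
	cat $ASCII_MEASUREMENTS > measurements
	hash="$($HASH_COMMAND $TEST_FILE | cut -d' ' -f1)"
	if grep -q $hash measurements; then
		tst_res TFAIL "user file $TEST_FILE measured"
	else
		tst_res TPASS "user file $TEST_FILE not measured"
	fi
	cd ..
```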
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_policy.sh b/testcases/kernel/security/integrity/ima/tests/ima_policy.sh
index ad5900975..162d323a1 100755
--- a/testcases/kernel/security/integrity/ima/tests/ima_policy.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_policy.sh
@@ -1,127 +1,114 @@ 
 #!/bin/sh
-################################################################################
-##                                                                            ##
-## Copyright (C) 2009 IBM Corporation                                         ##
-##                                                                            ##
-## This program is free software;  you can redistribute it and#or modify      ##
-## it under the terms of the GNU General Public License as published by       ##
-## the Free Software Foundation; either version 2 of the License, or          ##
-## (at your option) any later version.                                        ##
-##                                                                            ##
-## This program is distributed in the hope that it will be useful, but        ##
-## WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY ##
-## or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License   ##
-## for more details.                                                          ##
-##                                                                            ##
-## You should have received a copy of the GNU General Public License          ##
-## along with this program;  if not, write to the Free Software               ##
-## Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA    ##
-##                                                                            ##
-################################################################################
+# Copyright (c) 2009 IBM Corporation
+# Copyright (c) 2018 Petr Vorel <pvorel@suse.cz>
 #
-# File :        ima_policy.sh
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation; either version 2 of
+# the License, or (at your option) any later version.
 #
-# Description:  This file tests replacing the default integrity measurement
-#		policy.
+# This program is distributed in the hope that it would be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
 #
-# Author:       Mimi Zohar, zohar@ibm.vnet.ibm.com
-################################################################################
-export TST_TOTAL=3
-export TCID="ima_policy"
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+# Author: Mimi Zohar, zohar@ibm.vnet.ibm.com
+#
+# Test replacing the default integrity measurement policy.
+
+TST_TESTFUNC="test"
+TST_CNT=3
+. ima_setup.sh
 
 init()
 {
-	# verify using default policy
-	IMA_POLICY=$IMA_DIR/policy
-	if [ ! -f $IMA_POLICY ]; then
-		tst_resm TINFO "default policy already replaced"
-	fi
+	IMA_POLICY="$IMA_DIR/policy"
+	[ -f $IMA_POLICY ] || \
+		tst_brk TCONF "IMA policy already loaded and kernel not configured to enable multiple writes it"
 
-	VALID_POLICY=$LTPROOT/testcases/data/ima_policy/measure.policy
-	if [ ! -f $VALID_POLICY ]; then
-		tst_resm TINFO "missing $VALID_POLICY"
-	fi
+	VALID_POLICY="$LTPROOT/testcases/data/ima_policy/measure.policy"
+	[ -f $VALID_POLICY ] || tst_brk TCONF "missing $VALID_POLICY"
 
-	INVALID_POLICY=$LTPROOT/testcases/data/ima_policy/measure.policy-invalid
-	if [ ! -f $INVALID_POLICY ]; then
-		tst_resm TINFO "missing $INVALID_POLICY"
-	fi
+	INVALID_POLICY="$LTPROOT/testcases/data/ima_policy/measure.policy-invalid"
+	[ -f $INVALID_POLICY ] || tst_brk TCONF "missing $INVALID_POLICY"
 }
 
 load_policy()
 {
+	local ret
+
 	exec 2>/dev/null 4>$IMA_POLICY
-	if [ $? -ne 0 ]; then
-		exit 1
-	fi
+	[ $? -eq 0 ] || exit 1
 
 	cat $1 |
-	while read line ; do
-	{
-		if [ "${line#\#}" = "${line}" ] ; then
-			echo $line >&4 2> /dev/null
+	while read line; do
+		if [ "${line#\#}" = "${line}" ]; then
+			echo "$line" >&4 2> /dev/null
 			if [ $? -ne 0 ]; then
 				exec 4>&-
 				return 1
 			fi
 		fi
-	}
 	done
-}
+	ret=$?
 
+	[ $ret -eq 0 ] && \
+		tst_res TINFO "IMA policy updated, please reboot after testing to restore settings"
 
-# Function:     test01
-# Description   - Verify invalid policy doesn't replace default policy.
-test01()
+	return $ret
+}
+
+test1()
 {
+	tst_res TINFO "verify that invalid policy doesn't replace default policy"
+
+	local p1
+
 	load_policy $INVALID_POLICY & p1=$!
 	wait "$p1"
 	if [ $? -ne 0 ]; then
-		tst_resm TPASS "didn't load invalid policy"
+		tst_res TPASS "didn't load invalid policy"
 	else
-		tst_resm TFAIL "loaded invalid policy"
+		tst_res TFAIL "loaded invalid policy"
 	fi
 }
 
-# Function:     test02
-# Description	- Verify policy file is opened sequentially, not concurrently
-#		  and install new policy
-test02()
+test2()
 {
+	tst_res TINFO "verify that policy file is opened sequentially and installs new policy"
+
+	local p1 p2 rc1 rc2
+
 	load_policy $VALID_POLICY & p1=$!  # forked process 1
 	load_policy $VALID_POLICY & p2=$!  # forked process 2
-	wait "$p1"; RC1=$?
-	wait "$p2"; RC2=$?
-	if [ $RC1 -eq 0 ] && [ $RC2 -eq 0 ]; then
-		tst_resm TFAIL "measurement policy opened concurrently"
-	elif [ $RC1 -eq 0 ] || [ $RC2 -eq 0 ]; then
-		tst_resm TPASS "replaced default measurement policy"
+	wait "$p1"; rc1=$?
+	wait "$p2"; rc2=$?
+	if [ $rc1 -eq 0 ] && [ $rc2 -eq 0 ]; then
+		tst_res TFAIL "measurement policy opened concurrently"
+	elif [ $rc1 -eq 0 ] || [ $rc2 -eq 0 ]; then
+		tst_res TPASS "replaced default measurement policy"
 	else
-		tst_resm TFAIL "problems opening measurement policy"
+		tst_res TFAIL "problems opening measurement policy"
 	fi
 }
 
-# Function:     test03
-# Description 	- Verify can't load another measurement policy.
-test03()
+test3()
 {
+	tst_res TINFO "verify that valid policy isn't replaced"
+
+	local p1
+
 	load_policy $INVALID_POLICY & p1=$!
 	wait "$p1"
 	if [ $? -ne 0 ]; then
-		tst_resm TPASS "didn't replace valid policy"
+		tst_res TPASS "didn't replace valid policy"
 	else
-		tst_resm TFAIL "replaced valid policy"
+		tst_res TFAIL "replaced valid policy"
 	fi
 }
 
-. ima_setup.sh
-
-setup
-TST_CLEANUP=cleanup
-
 init
-test01
-test02
-test03
-
-tst_exit
+tst_run
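Review bot: `return 1` and `exec 4>&-` inside the `cat $1 | while read line` loop (L1353–L1367) execute in the pipeline's subshell, so they end only that subshell; the function continues and `ret=$?` on L1369 picks up the subshell's status, which works here only because every caller runs load_policy as a background job. Reading the file directly keeps the early return and the fd close in the function's own shell and stops `read` from interpreting backslashes: `while read -r line; do` … `done < "$1"`, dropping the `cat $1 |`. The TCONF message on L1326 reads "multiple writes it"; "multiple writes to it" is presumably meant.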
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
old mode 100755
new mode 100644
index 0ff38d23b..7e19e3959
--- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
@@ -1,86 +1,67 @@ 
 #!/bin/sh
-################################################################################
-##                                                                            ##
-## Copyright (C) 2009 IBM Corporation                                         ##
-##                                                                            ##
-## This program is free software;  you can redistribute it and#or modify      ##
-## it under the terms of the GNU General Public License as published by       ##
-## the Free Software Foundation; either version 2 of the License, or          ##
-## (at your option) any later version.                                        ##
-##                                                                            ##
-## This program is distributed in the hope that it will be useful, but        ##
-## WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY ##
-## or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License   ##
-## for more details.                                                          ##
-##                                                                            ##
-## You should have received a copy of the GNU General Public License          ##
-## along with this program;  if not, write to the Free Software Foundation,   ##
-## Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA           ##
-##                                                                            ##
-################################################################################
+# Copyright (c) 2009 IBM Corporation
+# Copyright (c) 2018 Petr Vorel <pvorel@suse.cz>
 #
-# File :        ima_setup.sh
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation; either version 2 of
+# the License, or (at your option) any later version.
 #
-# Description:  setup/cleanup routines for the integrity tests.
+# This program is distributed in the hope that it would be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
 #
-# Author:       Mimi Zohar, zohar@ibm.vnet.ibm.com
-################################################################################
-. test.sh
-mount_sysfs()
-{
-	SYSFS=$(mount 2>/dev/null | awk '$5 == "sysfs" { print $3 }')
-	if [ "x$SYSFS" = x ] ; then
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+# Author: Mimi Zohar, zohar@ibm.vnet.ibm.com
 
-		SYSFS=/sys
+TST_CLEANUP="cleanup"
+TST_NEEDS_TMPDIR=1
+TST_NEEDS_ROOT=1
+. tst_test.sh
 
-		test -d $SYSFS || mkdir -p $SYSFS 2>/dev/null
-		if [ $? -ne 0 ] ; then
-			tst_brkm TBROK "Failed to mkdir $SYSFS"
-		fi
-		if ! mount -t sysfs sysfs $SYSFS 2>/dev/null ; then
-			tst_brkm TBROK "Failed to mount $SYSFS"
-		fi
+export TCID="${TCID:-$(basename $0 | cut -d. -f1)}"
 
-	fi
-}
+UMOUNT=
 
-mount_securityfs()
+mount_helper()
 {
-	SECURITYFS=$(mount 2>/dev/null | awk '$5 == "securityfs" { print $3 }')
-	if [ "x$SECURITYFS" = x ] ; then
-
-		SECURITYFS="$SYSFS/kernel/security"
+	local type="$1"
+	local default_dir="$2"
+	local dir
 
-		test -d $SECURITYFS || mkdir -p $SECURITYFS 2>/dev/null
-		if [ $? -ne 0 ] ; then
-			tst_brkm TBROK "Failed to mkdir $SECURITYFS"
-		fi
-		if ! mount -t securityfs securityfs $SECURITYFS 2>/dev/null ; then
-			tst_brkm TBROK "Failed to mount $SECURITYFS"
-		fi
+	dir="$(grep ^$type /proc/mounts | cut -d ' ' -f2 | head -1)"
+	[ -n "$dir" ] && { echo "$dir"; return; }
 
+	if ! mkdir -p $default_dir; then
+		tst_brk TBROK "Failed to create $default_dir"
+	fi
+	if ! mount -t $type $type $default_dir; then
+		tst_brk TBROK "Failed to mount $type"
 	fi
+	UMOUNT="$default_dir $UMOUNT"
+	echo $default_dir
 }
 
 setup()
 {
-	tst_require_root
+	SYSFS="$(mount_helper sysfs /sys)"
+	SECURITYFS="$(mount_helper securityfs $SYSFS/kernel/security)"
 
-	tst_tmpdir
-
-	mount_sysfs
-
-	# mount securityfs if it is not already mounted
-	mount_securityfs
-
-	# IMA must be configured in the kernel
-	IMA_DIR=$SECURITYFS/ima
-	if [ ! -d "$IMA_DIR" ]; then
-		tst_brkm TCONF "IMA not enabled in kernel"
-	fi
+	IMA_DIR="$SECURITYFS/ima"
+	[ -d "$IMA_DIR" ] || tst_brk TCONF "IMA not enabled in kernel"
+	ASCII_MEASUREMENTS="$IMA_DIR/ascii_runtime_measurements"
+	BINARY_MEASUREMENTS="$IMA_DIR/binary_runtime_measurements"
 }
 
 cleanup()
 {
-	tst_rmdir
+	local dir
+	for dir in $UMOUNT; do
+		umount $dir
+	done
 }
+
+setup
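Review bot: `grep ^$type /proc/mounts` on L1550 matches the source column, not the filesystem type, so an existing `none /sys sysfs …` (or a securityfs mounted under another source name) is missed and mount_helper mounts a second instance over it, which cleanup later unmounts; the removed code filtered on the type column (`$5 == "sysfs"` of mount output). Match the third field instead: `dir="$(awk -v t="$type" '$3 == t { print $2; exit }' /proc/mounts)"`. Calling `setup` at source time on L1596 also appears to run the mount attempt before tst_run has applied TST_NEEDS_ROOT/TST_NEEDS_TMPDIR, if tst_test.sh handles those in tst_run as I believe it does; `TST_SETUP="setup"` would keep it behind the root check, though the test scripts currently read `$IMA_DIR` at source time and their `init` would have to move with it.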
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_tpm.sh b/testcases/kernel/security/integrity/ima/tests/ima_tpm.sh
index 333bf5f8a..a3d1739cd 100755
--- a/testcases/kernel/security/integrity/ima/tests/ima_tpm.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_tpm.sh
@@ -1,70 +1,61 @@ 
 #!/bin/sh
-
-################################################################################
-##                                                                            ##
-## Copyright (C) 2009 IBM Corporation                                         ##
-##                                                                            ##
-## This program is free software;  you can redistribute it and#or modify      ##
-## it under the terms of the GNU General Public License as published by       ##
-## the Free Software Foundation; either version 2 of the License, or          ##
-## (at your option) any later version.                                        ##
-##                                                                            ##
-## This program is distributed in the hope that it will be useful, but        ##
-## WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY ##
-## or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License   ##
-## for more details.                                                          ##
-##                                                                            ##
-## You should have received a copy of the GNU General Public License          ##
-## along with this program;  if not, write to the Free Software               ##
-## Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA    ##
-##                                                                            ##
-################################################################################
+# Copyright (c) 2009 IBM Corporation
+# Copyright (c) 2018 Petr Vorel <pvorel@suse.cz>
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation; either version 2 of
+# the License, or (at your option) any later version.
 #
-# File :        ima_tpm.sh
+# This program is distributed in the hope that it would be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
 #
-# Description:  This file verifies the boot and PCR aggregates
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
 #
-# Author:       Mimi Zohar, zohar@ibm.vnet.ibm.com
+# Author: Mimi Zohar, zohar@ibm.vnet.ibm.com
 #
-# Return        - zero on success
-#               - non zero on failure. return value from commands ($RC)
-################################################################################
-export TST_TOTAL=3
-export TCID="ima_tpm"
+# Verify the boot and PCR aggregates.
+
+TST_TESTFUNC="test"
+TST_CNT=3
+. ima_setup.sh
 
 init()
 {
 	tst_check_cmds ima_boot_aggregate ima_measure
 }
 
-# Function:     test01
-# Description   - Verify boot aggregate value is correct
-test01()
+test1()
 {
-	zero="0000000000000000000000000000000000000000"
+	tst_res TINFO "verify boot aggregate"
+
+	local zero="0000000000000000000000000000000000000000"
+	local tpm_bios="$SECURITYFS/tpm0/binary_bios_measurements"
+	local ima_measurements="$ASCII_MEASUREMENTS"
+	local ima_aggr line
 
 	# IMA boot aggregate
-	ima_measurements=$SECURITYFS/ima/ascii_runtime_measurements
 	read line < $ima_measurements
 	ima_aggr=$(expr substr "${line}" 49 40)
 
-	# verify TPM is available and enabled.
-	tpm_bios=$SECURITYFS/tpm0/binary_bios_measurements
 	if [ ! -f "$tpm_bios" ]; then
-		tst_brkm TCONF "TPM not builtin kernel, or TPM not enabled"
+		tst_brk TCONF "TPM not builtin kernel, or TPM not enabled"
 
 		if [ "${ima_aggr}" = "${zero}" ]; then
-			tst_resm TPASS "bios boot aggregate is 0."
+			tst_res TPASS "bios boot aggregate is 0"
 		else
-			tst_resm TFAIL "bios boot aggregate is not 0."
+			tst_res TFAIL "bios boot aggregate is not 0"
 		fi
 	else
 		boot_aggregate=$(ima_boot_aggregate $tpm_bios)
 		boot_aggr=$(expr substr $boot_aggregate 16 40)
 		if [ "x${ima_aggr}" = "x${boot_aggr}" ]; then
-			tst_resm TPASS "bios aggregate matches IMA boot aggregate."
+			tst_res TPASS "bios aggregate matches IMA boot aggregate"
 		else
-			tst_resm TFAIL "bios aggregate does not match IMA boot aggregate."
+			tst_res TFAIL "bios aggregate does not match IMA boot aggregate"
 		fi
 	fi
 }
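Review bot: The zero-aggregate comparison on L1684–L1690 is unreachable: `tst_brk TCONF` on L1682 terminates the test, so the branch meant to confirm that a TPM-less kernel reports an all-zero boot aggregate never runs (the removed code had the same dead lines and the rewrite keeps them). Either delete L1684–L1690 or, if the intent is to verify the zero aggregate when no TPM is present, demote L1682 to `tst_res TINFO "TPM not builtin kernel, or TPM not enabled"` so the comparison executes. `boot_aggregate` and `boot_aggr` on L1692–L1693 are also left global while the other variables in test1 were made `local`.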
@@ -74,64 +65,54 @@  test01()
 # the PCR values from /sys/devices.
 validate_pcr()
 {
-	ima_measurements=$SECURITYFS/ima/binary_runtime_measurements
-	aggregate_pcr=$(ima_measure $ima_measurements --validate)
-	dev_pcrs=$1
-	RC=0
+	tst_res TINFO "verify PCR (Process Control Register)"
 
-	while read line ; do
+	local ima_measurements="$BINARY_MEASUREMENTS"
+	local aggregate_pcr="$(ima_measure $ima_measurements --validate)"
+	local dev_pcrs="$1"
+	local ret=0
+
+	while read line; do
 		pcr=$(expr substr "${line}" 1 6)
 		if [ "${pcr}" = "PCR-10" ]; then
 			aggr=$(expr substr "${aggregate_pcr}" 26 59)
 			pcr=$(expr substr "${line}" 9 59)
-			[ "${pcr}" = "${aggr}" ] || RC=$?
+			[ "${pcr}" = "${aggr}" ] || ret=$?
 		fi
 	done < $dev_pcrs
-	return $RC
+	return $ret
 }
 
-# Function:     test02
-# Description	- Verify ima calculated aggregate PCR values matches
-#		  actual PCR value.
-test02()
+test2()
 {
+	tst_res TINFO "verify PCR values"
 
-	# Would be nice to know where the PCRs are located.  Is this safe?
-	PCRS_PATH=$(find /$SYSFS/devices/ | grep pcrs)
+	# Would be nice to know where the PCRs are located. Is this safe?
+	local pcrs_path="$(find $SYSFS/devices/ | grep pcrs)"
 	if [ $? -eq 0 ]; then
-		validate_pcr $PCRS_PATH
+		validate_pcr $pcrs_path
 		if [ $? -eq 0 ]; then
-			tst_resm TPASS "aggregate PCR value matches real PCR value."
+			tst_res TPASS "aggregate PCR value matches real PCR value"
 		else
-			tst_resm TFAIL "aggregate PCR value does not match real PCR value."
+			tst_res TFAIL "aggregate PCR value does not match real PCR value"
 		fi
 	else
-		tst_resm TFAIL "TPM not enabled, no PCR value to validate"
+		tst_res TFAIL "TPM not enabled, no PCR value to validate"
 	fi
 }
 
-# Function:     test03
-# Description 	- Verify template hash value for IMA entry is correct.
-test03()
+test3()
 {
+	tst_res TINFO "verify template hash value"
 
-	ima_measurements=$SECURITYFS/ima/binary_runtime_measurements
-	aggregate_pcr=$(ima_measure $ima_measurements --verify --validate) > /dev/null
+	local ima_measurements="$BINARY_MEASUREMENTS"
+	ima_measure $ima_measurements --verify --validate
 	if [ $? -eq 0 ]; then
-		tst_resm TPASS "verified IMA template hash values."
+		tst_res TPASS "verified IMA template hash values"
 	else
-		tst_resm TFAIL "error verifing IMA template hash values."
+		tst_res TFAIL "error verifing IMA template hash values"
 	fi
 }
 
-. ima_setup.sh
-
-setup
-TST_CLEANUP=cleanup
-
 init
-test01
-test02
-test03
-
-tst_exit
+tst_run
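Review bot: `if [ $? -eq 0 ]` on L1744 tests the status of `local`, not of the `find | grep pcrs` pipeline on L1743, so the "TPM not enabled" branch can never be taken and an empty `pcrs_path` reaches `done < $dev_pcrs` as a redirection with no file; split declaration from assignment and test the value: `local pcrs_path` / `pcrs_path="$(find $SYSFS/devices/ | grep pcrs | head -1)"` / `if [ -n "$pcrs_path" ]; then`. The `head -1` also keeps a second TPM device's pcrs file from turning that redirection into two words. The TINFO on L1711 expands PCR as "Process Control Register"; in TPM terms it is a Platform Configuration Register, and being printed from the validate_pcr helper it appears on every call rather than once per test.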
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_violations.sh b/testcases/kernel/security/integrity/ima/tests/ima_violations.sh
index 1b86b5f1a..80a01a546 100755
--- a/testcases/kernel/security/integrity/ima/tests/ima_violations.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_violations.sh
@@ -1,44 +1,45 @@ 
 #!/bin/sh
-################################################################################
-##                                                                            ##
-## Copyright (C) 2009 IBM Corporation                                         ##
-##                                                                            ##
-## This program is free software;  you can redistribute it and#or modify      ##
-## it under the terms of the GNU General Public License as published by       ##
-## the Free Software Foundation; either version 2 of the License, or          ##
-## (at your option) any later version.                                        ##
-##                                                                            ##
-## This program is distributed in the hope that it will be useful, but        ##
-## WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY ##
-## or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License   ##
-## for more details.                                                          ##
-##                                                                            ##
-## You should have received a copy of the GNU General Public License          ##
-## along with this program;  if not, write to the Free Software               ##
-## Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA    ##
-##                                                                            ##
-################################################################################
+# Copyright (c) 2009 IBM Corporation
+# Copyright (c) 2018 Petr Vorel <pvorel@suse.cz>
 #
-# File :        ima_violations.sh
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation; either version 2 of
+# the License, or (at your option) any later version.
 #
-# Description:  This file tests ToMToU and open_writer violations invalidate
-#		the PCR and are logged.
+# This program is distributed in the hope that it would be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
 #
-# Author:       Mimi Zohar, zohar@ibm.vnet.ibm.com
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
 #
-# Return        - zero on success
-#               - non zero on failure. return value from commands ($RC)
-################################################################################
+# Author: Mimi Zohar, zohar@ibm.vnet.ibm.com
+#
+# Test whether ToMToU and open_writer violations invalidatethe PCR and are logged.
 
-export TST_TOTAL=3
-export TCID="ima_violations"
+TST_TESTFUNC="test"
+TST_CNT=3
+. ima_setup.sh
 
-open_file_read()
+FILE="test.txt"
+IMA_VIOLATIONS="$SECURITYFS/ima/violations"
+
+init()
 {
-	exec 3< $1
-	if [ $? -ne 0 ]; then
-		exit 1
+	LOG="/var/log/messages"
+	SLEEP="500ms"
+	if service auditd status > /dev/null 2>&1; then
+		LOG="/var/log/audit/audit.log"
+		tst_res TINFO "requires integrity auditd patch"
 	fi
+	tst_res TINFO "using log $LOG"
+}
+
+open_file_read()
+{
+	exec 3< $FILE || exit 1
 }
 
 close_file_read()
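Review bot: init on L1859–L1865 never checks that `$LOG` exists, yet get_count later runs `grep -c` on it; on a journald-only system without /var/log/messages the count comes back empty and validate's `[ $count2 -gt $count ]` fails with a syntax error instead of a result, so add `[ -f "$LOG" ] || tst_brk TCONF "log file $LOG not found"` after the log is chosen. `SLEEP="500ms"` on L1860 is set before the auditd branch, so the delay applies to both logs, while the commit message says the sleep was added for the /var/log/messages case; either move the assignment into that branch or adjust the message. `exec 3< $FILE || exit 1` on L1870 (and `exec 4> $FILE || exit 1` in the next hunk) leaves the run without a reported result when the open fails, and on a POSIX sh a failed exec redirection may terminate the shell before `|| exit 1` runs at all; `tst_brk TBROK "cannot open $FILE"` reports the failure through the test API. The header comment on L1842 has "invalidatethe".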
@@ -48,11 +49,8 @@  close_file_read()
 
 open_file_write()
 {
-	exec 4> $1
-	if [ $? -ne 0 ]; then
-		exit 1
-	echo 'testing, testing, ' >&4
-	fi
+	exec 4> $FILE || exit 1
+	echo 'test writing' >&4
 }
 
 close_file_write()
@@ -60,103 +58,89 @@  close_file_write()
 	exec 4>&-
 }
 
-init()
+get_count()
 {
-	service auditd status > /dev/null 2>&1
-	if [ $? -ne 0 ]; then
-		log=/var/log/messages
-	else
-		log=/var/log/audit/audit.log
-		tst_resm TINFO "requires integrity auditd patch"
-	fi
-
-	ima_violations=$SECURITYFS/ima/violations
+	local search="$1"
+	echo $(grep -c "${search}.*${FILE}" $LOG)
 }
 
-# Function:     test01
-# Description	- Verify open writers violation
-test01()
+validate()
 {
-	read num_violations < $ima_violations
-
-	TMPFN=test.txt
-	open_file_write $TMPFN
-	open_file_read $TMPFN
-	close_file_read
-	close_file_write
-	read num_violations_new < $ima_violations
-	num=$(($(expr $num_violations_new - $num_violations)))
-	if [ $num -gt 0 ]; then
-		tail $log | grep test.txt | grep -q 'open_writers'
-		if [ $? -eq 0 ]; then
-			tst_resm TPASS "open_writers violation added(test.txt)"
+	local num_violations="$1"
+	local count="$2"
+	local search="$3"
+	local count2="$(get_count $search)"
+	local num_violations_new
+
+	[ -n "$SLEEP" ] && tst_sleep $SLEEP
+
+	read num_violations_new < $IMA_VIOLATIONS
+	if [ $(($num_violations_new - $num_violations)) -gt 0 ]; then
+		if [ $count2 -gt $count ]; then
+			tst_res TPASS "$search violation added"
 		else
-			tst_resm TFAIL "(message ratelimiting?)"
+			tst_res TFAIL "$search not found in $LOG"
 		fi
 	else
-		tst_resm TFAIL "open_writers violation not added(test.txt)"
+		tst_res TFAIL "$search violation not added"
 	fi
 }
 
-# Function:     test02
-# Description   - Verify ToMToU violation
-test02()
+test1()
 {
-	read num_violations < $ima_violations
+	tst_res TINFO "verify open writers violation"
 
-	TMPFN=test.txt
-	open_file_read $TMPFN
-	open_file_write $TMPFN
-	close_file_write
+	local search="open_writers"
+	local count num_violations
+
+	read num_violations < $IMA_VIOLATIONS
+	count="$(get_count $search)"
+
+	open_file_write
+	open_file_read
 	close_file_read
-	read num_violations_new < $ima_violations
-	num=$(($(expr $num_violations_new - $num_violations)))
-	if [ $num -gt 0 ]; then
-		tail $log | grep test.txt | grep -q 'ToMToU'
-		if [ $? -eq 0 ]; then
-			tst_resm TPASS "ToMToU violation added(test.txt)"
-		else
-			tst_resm TFAIL "(message ratelimiting?)"
-		fi
-	else
-		tst_resm TFAIL "ToMToU violation not added(test.txt)"
-	fi
+	close_file_write
+
+	validate $num_violations $count $search
 }
 
-# Function:     test03
-# Description 	- verify open_writers using mmapped files
-test03()
+test2()
 {
-	read num_violations < $ima_violations
-
-	TMPFN=test.txtb
-	echo 'testing testing ' > $TMPFN
-	ima_mmap $TMPFN & p1=$!
-	sleep 1		# got to wait for ima_mmap to mmap the file
-	open_file_read $TMPFN
-	read num_violations_new < $ima_violations
-	num=$(($(expr $num_violations_new - $num_violations)))
-	if [ $num -gt 0 ]; then
-		tail $log | grep test.txtb | grep -q 'open_writers'
-		if [ $? -eq 0 ]; then
-			tst_resm TPASS "mmapped open_writers violation added(test.txtb)"
-		else
-			tst_resm TFAIL "(message ratelimiting?)"
-		fi
-	else
-		tst_resm TFAIL "mmapped open_writers violation not added(test.txtb)"
-	fi
+	tst_res TINFO "verify ToMToU violation"
+
+	local search="ToMToU"
+	local count num_violations
+
+	read num_violations < $IMA_VIOLATIONS
+	count="$(get_count $search)"
+
+	open_file_read
+	open_file_write
+	close_file_write
 	close_file_read
+
+	validate $num_violations $count $search
 }
 
-. ima_setup.sh
+test3()
+{
+	tst_res TINFO "verify open_writers using mmapped files"
 
-setup
-TST_CLEANUP=cleanup
+	local search="open_writers"
+	local count num_violations
 
-init
-test01
-test02
-test03
+	read num_violations < $IMA_VIOLATIONS
+	count="$(get_count $search)"
+
+	echo 'testing testing ' > $FILE
+	ima_mmap $FILE &
+	sleep 1
 
-tst_exit
+	open_file_read
+	close_file_read
+
+	validate $num_violations $count $search
+}
+
+init
+tst_run
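Review bot: In validate, `count2` is read from the log before `tst_sleep $SLEEP` runs, so the delay the commit adds for the log to catch up does not cover the count that is actually compared; declaring `local count2` with the other locals and assigning it after the sleep, `count2="$(get_count "$search")"`, makes the wait effective. In get_count the `echo $(grep -c ...)` wrapper is redundant since `grep -c "${search}.*${FILE}" "$LOG"` already prints the count, and the unquoted `$search`/`$FILE` arguments should be quoted. In test3 the backgrounded `ima_mmap $FILE &` is neither waited for nor terminated (the old code at least captured `$!`), so it appears to outlive the test; capturing the pid and reaping it after close_file_read would avoid leaving a process holding the file mapped into later tests.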