* [PATCH ltp v7 1/3] IMA: Move check_policy_writable() to ima_setup.sh and rename it
@ 2021-09-22 18:52 Alex Henrie
From: Alex Henrie @ 2021-09-22 18:52 UTC (permalink / raw)
To: linux-integrity, ltp, zohar, pvorel, alexhenrie24; +Cc: Alex Henrie
Suggested-by: Petr Vorel <pvorel@suse.cz>
Reviewed-by: Petr Vorel <pvorel@suse.cz>
Signed-off-by: Alex Henrie <alexh@vpitech.com>
Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
.../security/integrity/ima/tests/ima_policy.sh | 16 +++-------------
.../security/integrity/ima/tests/ima_setup.sh | 10 ++++++++++
2 files changed, 13 insertions(+), 13 deletions(-)
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_policy.sh b/testcases/kernel/security/integrity/ima/tests/ima_policy.sh
index 244cf081d..8924549df 100755
--- a/testcases/kernel/security/integrity/ima/tests/ima_policy.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_policy.sh
@@ -11,19 +11,9 @@ TST_CNT=2
. ima_setup.sh
-check_policy_writable()
-{
- local err="IMA policy already loaded and kernel not configured to enable multiple writes to it (need CONFIG_IMA_WRITE_POLICY=y)"
-
- [ -f $IMA_POLICY ] || tst_brk TCONF "$err"
- # CONFIG_IMA_READ_POLICY
- echo "" 2> log > $IMA_POLICY
- grep -q "Device or resource busy" log && tst_brk TCONF "$err"
-}
-
setup()
{
- check_policy_writable
+ require_policy_writable
VALID_POLICY="$TST_DATAROOT/measure.policy"
[ -f $VALID_POLICY ] || tst_brk TCONF "missing $VALID_POLICY"
@@ -55,7 +45,7 @@ test1()
local p1
- check_policy_writable
+ require_policy_writable
load_policy $INVALID_POLICY & p1=$!
wait "$p1"
if [ $? -ne 0 ]; then
@@ -71,7 +61,7 @@ test2()
local p1 p2 rc1 rc2
- check_policy_writable
+ require_policy_writable
load_policy $VALID_POLICY & p1=$!
load_policy $VALID_POLICY & p2=$!
wait "$p1"; rc1=$?
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
index 565f0bc3e..9c25d634d 100644
--- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
@@ -73,6 +73,16 @@ require_policy_readable()
fi
}
+require_policy_writable()
+{
+ local err="IMA policy already loaded and kernel not configured to enable multiple writes to it (need CONFIG_IMA_WRITE_POLICY=y)"
+
+ [ -f $IMA_POLICY ] || tst_brk TCONF "$err"
+ # CONFIG_IMA_READ_POLICY
+ echo "" 2> log > $IMA_POLICY
+ grep -q "Device or resource busy" log && tst_brk TCONF "$err"
+}
+
check_ima_policy_content()
{
local pattern="$1"
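Review bot: require_policy_writable() only recognises one failure mode of the probe write on `echo "" 2> log > $IMA_POLICY`, and only by matching the English strerror text in the shell's redirection message, so under a non-C locale, or when the write fails for any other reason (EPERM/EACCES, a kernel that rejects the empty rule), the function returns success and the test proceeds to fail later with a less useful diagnosis. The exit status of the redirection is available and should decide; I would write the probe as `echo "" 2> log > $IMA_POLICY && return`, `grep -q "Device or resource busy" log && tst_brk TCONF "$err"`, `tst_brk TBROK "cannot write to $IMA_POLICY: $(cat log)"`. The `# CONFIG_IMA_READ_POLICY` comment above a write probe is also confusing; a comment stating what the probe detects (a policy file that exists but refuses a second write) would help the next reader. Whether an empty line is accepted as a no-op by every supported kernel is not something the hunk shows, so the TBROK branch may need to be softened to TCONF if that turns out not to hold.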
--
2.33.0
* [PATCH ltp v7 2/3] IMA: Move ima_check to ima_setup.sh
From: Alex Henrie @ 2021-09-22 18:52 UTC (permalink / raw)
To: linux-integrity, ltp, zohar, pvorel, alexhenrie24; +Cc: Alex Henrie
Reviewed-by: Petr Vorel <pvorel@suse.cz>
Signed-off-by: Alex Henrie <alexh@vpitech.com>
[ pvorel: add test_file parameter to ima_check(), keep $TEST_FILE in
ima_measurements.sh ]
Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
.../integrity/ima/tests/ima_measurements.sh | 31 ++-----------------
.../security/integrity/ima/tests/ima_setup.sh | 28 +++++++++++++++++
2 files changed, 30 insertions(+), 29 deletions(-)
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh b/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh
index ef8577d30..a83c416de 100755
--- a/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh
@@ -21,33 +21,6 @@ setup()
[ -f "$IMA_POLICY" ] || tst_res TINFO "not using default policy"
}
-ima_check()
-{
- local algorithm digest expected_digest line tmp
-
- # need to read file to get updated $ASCII_MEASUREMENTS
- cat $TEST_FILE > /dev/null
-
- line="$(grep $TEST_FILE $ASCII_MEASUREMENTS | tail -1)"
-
- if tmp=$(get_algorithm_digest "$line"); then
- algorithm=$(echo "$tmp" | cut -d'|' -f1)
- digest=$(echo "$tmp" | cut -d'|' -f2)
- else
- tst_res TBROK "failed to get algorithm/digest for '$TEST_FILE': $tmp"
- fi
-
- tst_res TINFO "computing digest for $algorithm algorithm"
- expected_digest="$(compute_digest $algorithm $TEST_FILE)" || \
- tst_brk TCONF "cannot compute digest for $algorithm algorithm"
-
- if [ "$digest" = "$expected_digest" ]; then
- tst_res TPASS "correct digest found"
- else
- tst_res TFAIL "digest not found"
- fi
-}
-
check_iversion_support()
{
local device mount fs
@@ -83,7 +56,7 @@ test1()
{
tst_res TINFO "verify adding record to the IMA measurement list"
ROD echo "$(date) this is a test file" \> $TEST_FILE
- ima_check
+ ima_check $TEST_FILE
}
test2()
@@ -92,7 +65,7 @@ test2()
tst_res TINFO "verify updating record in the IMA measurement list"
check_iversion_support || return
ROD echo "$(date) modified file" \> $TEST_FILE
- ima_check
+ ima_check $TEST_FILE
}
test3()
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
index 9c25d634d..af7f3a5f5 100644
--- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
@@ -279,6 +279,34 @@ get_algorithm_digest()
echo "$algorithm|$digest"
}
+ima_check()
+{
+ local test_file="$1"
+ local algorithm digest expected_digest line tmp
+
+ # need to read file to get updated $ASCII_MEASUREMENTS
+ cat $test_file > /dev/null
+
+ line="$(grep $test_file $ASCII_MEASUREMENTS | tail -1)"
+
+ if tmp=$(get_algorithm_digest "$line"); then
+ algorithm=$(echo "$tmp" | cut -d'|' -f1)
+ digest=$(echo "$tmp" | cut -d'|' -f2)
+ else
+ tst_res TBROK "failed to get algorithm/digest for '$test_file': $tmp"
+ fi
+
+ tst_res TINFO "computing digest for $algorithm algorithm"
+ expected_digest="$(compute_digest $algorithm $test_file)" || \
+ tst_brk TCONF "cannot compute digest for $algorithm algorithm"
+
+ if [ "$digest" = "$expected_digest" ]; then
+ tst_res TPASS "correct digest found"
+ else
+ tst_res TFAIL "digest not found"
+ fi
+}
+
# check_evmctl REQUIRED_TPM_VERSION
# return: 0: evmctl is new enough, 1: version older than required (or version < v0.9)
check_evmctl()
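Review bot: In the else branch of ima_check() the failure is reported with `tst_res TBROK` but execution continues, so with $algorithm and $digest empty the function goes on to print "computing digest for  algorithm", calls `compute_digest "" "$test_file"` and most likely ends in a misleading TCONF or TFAIL rather than the TBROK it just reported; `tst_brk TBROK "failed to get algorithm/digest for '$test_file': $tmp"` (or a `return` after tst_res) is what the intent appears to be. The lookup `grep $test_file $ASCII_MEASUREMENTS | tail -1` also treats the unquoted path as an unanchored regex, so a measurement of any longer path containing it (a sibling `$test_file.bak`, or the same name under another prefix) would be picked as "the" entry; `grep -F -- "$test_file"` with an anchor on the path field would make the match exact, though the measurement-list field layout is not visible in this hunk. Both issues predate the move (the deleted copy in ima_measurements.sh has the same lines) but this is the new shared home, so now is the time to fix them.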
--
2.33.0
* [PATCH ltp v7 3/3] IMA: Add tests for uid, gid, fowner, and fgroup options
From: Alex Henrie @ 2021-09-22 18:52 UTC (permalink / raw)
To: linux-integrity, ltp, zohar, pvorel, alexhenrie24; +Cc: Alex Henrie
Requires "ima: add gid support".
Reviewed-by: Petr Vorel <pvorel@suse.cz>
Signed-off-by: Alex Henrie <alexh@vpitech.com>
[ pvorel: add test_file parameter to ima_check(), add
verify_measurement() (DRY) ]
Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
v7: Change "Copyright (c) 2021 VPI Technology" to "Copyright (c) 2021
VPI Engineering" per internal feedback from VPI
---
runtest/ima | 1 +
.../integrity/ima/tests/ima_conditionals.sh | 62 +++++++++++++++++++
2 files changed, 63 insertions(+)
create mode 100755 testcases/kernel/security/integrity/ima/tests/ima_conditionals.sh
diff --git a/runtest/ima b/runtest/ima
index 29caa034a..01942eefa 100644
--- a/runtest/ima
+++ b/runtest/ima
@@ -6,4 +6,5 @@ ima_violations ima_violations.sh
ima_keys ima_keys.sh
ima_kexec ima_kexec.sh
ima_selinux ima_selinux.sh
+ima_conditionals ima_conditionals.sh
evm_overlay evm_overlay.sh
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_conditionals.sh b/testcases/kernel/security/integrity/ima/tests/ima_conditionals.sh
new file mode 100755
index 000000000..b76f7cb5a
--- /dev/null
+++ b/testcases/kernel/security/integrity/ima/tests/ima_conditionals.sh
@@ -0,0 +1,62 @@
+#!/bin/sh
+# SPDX-License-Identifier: GPL-2.0-or-later
+# Copyright (c) 2021 VPI Engineering
+# Copyright (c) 2021 Petr Vorel <pvorel@suse.cz>
+# Author: Alex Henrie <alexh@vpitech.com>
+#
+# Verify that conditional rules work.
+
+TST_NEEDS_CMDS="chgrp chown id sg sudo"
+TST_CNT=1
+TST_NEEDS_DEVICE=1
+
+. ima_setup.sh
+
+verify_measurement()
+{
+ local request="$1"
+ local user="nobody"
+ local test_file="$PWD/test.txt"
+ local cmd="cat $test_file > /dev/null"
+
+ local value="$(id -u $user)"
+ [ "$request" = 'gid' -o "$request" = 'fgroup' ] && value="$(id -g $user)"
+
+ require_policy_writable
+
+ ROD rm -f $test_file
+
+ tst_res TINFO "verify measuring user files when requested via $request"
+ ROD echo "measure $request=$value" \> $IMA_POLICY
+ ROD echo "$(date) $request test" \> $test_file
+
+ case "$request" in
+ fgroup)
+ chgrp $user $test_file
+ $cmd
+ fowner)
+ chown $user $test_file
+ $cmd
+ ;;
+ gid) sudo sg $user "sh -c '$cmd'";;
+ uid) sudo -n -u $user sh -c "$cmd";;
+ *) tst_brk TBROK "Invalid res type '$1'";;
+ esac
+
+ ima_check $test_file
+}
+
+test1()
+{
+ verify_measurement uid
+ verify_measurement fowner
+
+ if tst_kvcmp -lt 5.16; then
+ tst_brk TCONF "gid and fgroup options require kernel 5.16 or newer"
+ fi
+
+ verify_measurement gid
+ verify_measurement fgroup
+}
+
+tst_run
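Review bot: As shown, the `fgroup)` arm of the case statement in verify_measurement() has no `;;` terminator, so `fowner)` on the following line is parsed as part of the fgroup arm's command list and the shell rejects the whole script with a syntax error before any test runs; add `;;` after the `$cmd` line of the fgroup arm (disregard if the line was lost in transit). Beyond that, the test only checks the positive half of each conditional: a kernel that ignored the uid/gid/fowner/fgroup qualifier and measured every file would pass all four cases, so a cheap negative check is worth adding, e.g. after each positive case read a file that does not satisfy the condition (owned by root, or read as root for the uid/gid cases) and assert no new measurement entry appears for it. Smaller points: `cat $test_file > /dev/null` is interpolated into `sh -c '$cmd'` for the gid case, so a `'` or `$` in the temporary directory path would break the quoting, and the `[ ... -o ... ]` test could be two `[ ]` joined with `||` per the usual LTP style.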
--
2.33.0