      1 #!/bin/sh
      2 # Copyright (c) 2009 IBM Corporation
      3 # Copyright (c) 2018 Petr Vorel <pvorel (at] suse.cz>
      4 #
      5 # This program is free software; you can redistribute it and/or
      6 # modify it under the terms of the GNU General Public License as
      7 # published by the Free Software Foundation; either version 2 of
      8 # the License, or (at your option) any later version.
      9 #
     10 # This program is distributed in the hope that it would be useful,
     11 # but WITHOUT ANY WARRANTY; without even the implied warranty of
     12 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     13 # GNU General Public License for more details.
     14 #
     15 # You should have received a copy of the GNU General Public License
     16 # along with this program. If not, see <http://www.gnu.org/licenses/>.
     17 #
     18 # Author: Mimi Zohar, zohar (at] ibm.vnet.ibm.com
     19 #
     20 # Test replacing the default integrity measurement policy.
     21 
     22 TST_SETUP="setup"
     23 TST_CNT=2
     24 
     25 . ima_setup.sh
     26 
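#######################################
# Abort with TCONF unless the IMA policy interface still accepts a write.
# Globals:   IMA_POLICY (read) - path of the securityfs policy file
# Outputs:   stderr of the probe write is captured in ./log
# Returns:   0 when the probe write was accepted; tst_brk exits otherwise
#######################################
check_policy_writable()
{
	local err="IMA policy already loaded and kernel not configured to enable multiple writes to it (need CONFIG_IMA_WRITE_POLICY=y)"

	# Check the same file the probe below writes to, so a wrong IMA_DIR cannot
	# make the probe create an ordinary file instead of touching securityfs.
	# NOTE(review): the file presumably disappears once a policy is loaded on
	# kernels without CONFIG_IMA_READ_POLICY — confirm that is what -f detects.
	[ -f "$IMA_POLICY" ] || tst_brk TCONF "$err"
	# CONFIG_IMA_READ_POLICY
	# Probe with an empty line; a refused open reports EBUSY on stderr.
	# Other open errors (EPERM, EACCES) are not recognised here and only
	# surface later as a load failure.
	echo "" 2> log > "$IMA_POLICY"
	grep -q "Device or resource busy" log && tst_brk TCONF "$err"
}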
     36 
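#######################################
# Test setup: locate the policy interface and the two policy fixtures.
# Globals:   IMA_DIR, TST_DATAROOT (read)
#            IMA_POLICY, VALID_POLICY, INVALID_POLICY (written)
# Returns:   0, or tst_brk TCONF when a prerequisite is missing
#######################################
setup()
{
	IMA_POLICY="$IMA_DIR/policy"
	# IMA_POLICY must be set before the writability probe runs.
	check_policy_writable

	VALID_POLICY="$TST_DATAROOT/measure.policy"
	[ -f "$VALID_POLICY" ] || tst_brk TCONF "missing $VALID_POLICY"

	INVALID_POLICY="$TST_DATAROOT/measure.policy-invalid"
	[ -f "$INVALID_POLICY" ] || tst_brk TCONF "missing $INVALID_POLICY"
}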
     48 
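#######################################
# Write a policy file into the IMA policy interface.
# Intended to run as a background job (see test1/test2): it redirects the
# calling shell's stderr to /dev/null for the rest of its lifetime and
# exits the shell when the policy file cannot be opened, so calling it in
# the foreground would silence and terminate the whole test.
# Globals:   IMA_POLICY (read)
# Arguments: $1 - path of the policy file to load
# Returns:   exit status of the write into the policy interface
#######################################
load_policy()
{
	local policy="$1"
	local ret

	# Hold fd 4 open for the whole write; test2 relies on the kernel
	# refusing a second writer while it is open.
	exec 2>/dev/null 4>"$IMA_POLICY"
	# Shells differ on whether a failed exec redirection already exits a
	# non-interactive shell; keep the explicit check for the ones that don't.
	[ $? -eq 0 ] || exit 1

	# stderr is already /dev/null from the exec above.
	cat "$policy" >&4
	ret=$?
	exec 4>&-

	[ $ret -eq 0 ] && \
		tst_res TINFO "IMA policy updated, please reboot after testing to restore settings"

	return $ret
}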
     65 
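#######################################
# Negative test: a malformed policy must be rejected by the kernel.
# Globals:   INVALID_POLICY (read)
# Outputs:   TPASS when the write fails, TFAIL when it is accepted
#######################################
test1()
{
	tst_res TINFO "verify that invalid policy isn't loaded"

	local p1

	check_policy_writable
	# Run in the background: load_policy redirects stderr and may exit.
	load_policy "$INVALID_POLICY" & p1=$!
	if wait "$p1"; then
		tst_res TFAIL "loaded invalid policy"
	else
		tst_res TPASS "didn't load invalid policy"
	fi
}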
     81 
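#######################################
# Check that only one writer at a time may hold the policy file open and
# that a valid policy can be loaded more than once.
# Globals:   VALID_POLICY (read)
# Outputs:   TPASS when exactly one of two concurrent writers succeeds
#######################################
test2()
{
	tst_res TINFO "verify that policy file is not opened concurrently and able to loaded multiple times"

	local p1 p2 rc1 rc2

	check_policy_writable
	# Two writers started back to back; the kernel is expected to refuse
	# the second open while the first still holds the file.
	# NOTE(review): if the first writer closes before the second opens,
	# both succeed and the test reports TFAIL although nothing is wrong —
	# inherent race in this design, consider it when triaging failures.
	load_policy "$VALID_POLICY" & p1=$!
	load_policy "$VALID_POLICY" & p2=$!
	wait "$p1"; rc1=$?
	wait "$p2"; rc2=$?
	if [ "$rc1" -eq 0 ] && [ "$rc2" -eq 0 ]; then
		tst_res TFAIL "policy opened concurrently"
	elif [ "$rc1" -eq 0 ] || [ "$rc2" -eq 0 ]; then
		tst_res TPASS "policy was loaded just by one process and able to loaded multiple times"
	else
		tst_res TFAIL "problem loading or extending policy (may require policy to be signed)"
	fi
}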
    101 
    102 tst_run