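#!/bin/sh
# Copyright (c) 2009 IBM Corporation
# Copyright (c) 2018 Petr Vorel <pvorel (at] suse.cz>
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation; either version 2 of
# the License, or (at your option) any later version.
#
# This program is distributed in the hope that it would be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
# Author: Mimi Zohar, zohar (at] ibm.vnet.ibm.com
#
# Test replacing the default integrity measurement policy.
#
# The policy is replaced by writing rules into the IMA securityfs policy
# file ($IMA_DIR/policy).  Both tests write to that file, so they need a
# kernel that allows the policy to be written more than once
# (CONFIG_IMA_WRITE_POLICY=y); otherwise the test ends with TCONF.
# A successfully loaded policy stays in effect until reboot.
#
# Globals read: IMA_DIR, TST_DATAROOT (provided by ima_setup.sh / LTP).

TST_SETUP="setup"
TST_CNT=2

. ima_setup.sh

# Abort with TCONF unless the IMA policy file exists and accepts a new
# writer.
# Globals: IMA_POLICY (read)
# Side effects: leaves a file named "log" in the current directory with
#               the shell's redirection error message, if any.
check_policy_writable()
{
	local err="IMA policy already loaded and kernel not configured to enable multiple writes to it (need CONFIG_IMA_WRITE_POLICY=y)"

	[ -f "$IMA_POLICY" ] || tst_brk TCONF "$err"
	# CONFIG_IMA_READ_POLICY: the file may still exist once it is no
	# longer writable, so probe by opening it for writing; the open fails
	# with EBUSY when a policy is already loaded and further writes are
	# not enabled.  The probe writes only an empty line, which is assumed
	# to be rejected as an invalid rule rather than applied (TODO confirm).
	echo "" 2> log > "$IMA_POLICY"
	grep -q "Device or resource busy" log && tst_brk TCONF "$err"
}

# TST_SETUP hook: locate the policy file and the data files used by the
# tests, skipping with TCONF when any of them is missing.
# Globals written: IMA_POLICY, VALID_POLICY, INVALID_POLICY
setup()
{
	IMA_POLICY="$IMA_DIR/policy"
	check_policy_writable

	VALID_POLICY="$TST_DATAROOT/measure.policy"
	[ -f "$VALID_POLICY" ] || tst_brk TCONF "missing $VALID_POLICY"

	INVALID_POLICY="$TST_DATAROOT/measure.policy-invalid"
	[ -f "$INVALID_POLICY" ] || tst_brk TCONF "missing $INVALID_POLICY"
}

# Copy the rules in policy file $1 into the IMA policy file.
# Arguments: $1 - path of the policy file to load
# Globals:   IMA_POLICY (read)
# Returns:   exit status of the copy (0 when the kernel accepted it)
# Must be run in a background subshell (callers use "&"): a failed open
# ends the calling shell with exit 1, and stderr of the calling shell is
# redirected to /dev/null for its remaining lifetime.
load_policy()
{
	local ret

	# Open the policy file once on fd 4 so that the whole file goes
	# through a single open/close cycle; test2 relies on the kernel
	# admitting only one writer at a time.  Some shells already exit on
	# a failed exec redirection; the explicit check covers the rest.
	exec 2>/dev/null 4>"$IMA_POLICY"
	[ $? -eq 0 ] || exit 1

	cat "$1" >&4 2> /dev/null
	ret=$?
	exec 4>&-

	if [ $ret -eq 0 ]; then
		tst_res TINFO "IMA policy updated, please reboot after testing to restore settings"
	fi

	return $ret
}

# Verify that the kernel rejects an invalid policy: the write must fail
# and the running policy must stay unchanged.
test1()
{
	tst_res TINFO "verify that invalid policy isn't loaded"

	local p1

	check_policy_writable
	load_policy "$INVALID_POLICY" & p1=$!
	wait "$p1"
	if [ $? -ne 0 ]; then
		tst_res TPASS "didn't load invalid policy"
	else
		tst_res TFAIL "loaded invalid policy"
	fi
}

# Verify that two writers cannot hold the policy file open at the same
# time and that a valid policy can be loaded more than once: exactly one
# of two concurrent loads is expected to succeed.
# NOTE(review): the two loaders are not synchronised; if the first one
# closes the file before the second opens it, both succeed and the test
# reports "policy opened concurrently" although the writes were serial.
test2()
{
	tst_res TINFO "verify that policy file is not opened concurrently and able to loaded multiple times"

	local p1 p2 rc1 rc2

	check_policy_writable
	load_policy "$VALID_POLICY" & p1=$!
	load_policy "$VALID_POLICY" & p2=$!
	wait "$p1"; rc1=$?
	wait "$p2"; rc2=$?
	if [ $rc1 -eq 0 ] && [ $rc2 -eq 0 ]; then
		tst_res TFAIL "policy opened concurrently"
	elif [ $rc1 -eq 0 ] || [ $rc2 -eq 0 ]; then
		tst_res TPASS "policy was loaded just by one process and able to loaded multiple times"
	else
		# Both writes failed; as the message says, a kernel configured
		# to appraise the policy may accept only a signed policy.
		tst_res TFAIL "problem loading or extending policy (may require policy to be signed)"
	fi
}

tst_run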