      1 #!/bin/sh
      2 # Copyright (c) 2009 IBM Corporation
      3 # Copyright (c) 2018 Petr Vorel <pvorel (at] suse.cz>
      4 #
      5 # This program is free software; you can redistribute it and/or
      6 # modify it under the terms of the GNU General Public License as
      7 # published by the Free Software Foundation; either version 2 of
      8 # the License, or (at your option) any later version.
      9 #
     10 # This program is distributed in the hope that it would be useful,
     11 # but WITHOUT ANY WARRANTY; without even the implied warranty of
     12 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     13 # GNU General Public License for more details.
     14 #
     15 # You should have received a copy of the GNU General Public License
     16 # along with this program. If not, see <http://www.gnu.org/licenses/>.
     17 #
     18 # Author: Mimi Zohar, zohar (at] ibm.vnet.ibm.com
     19 #
# Test whether ToMToU and open_writers violations invalidate the PCR and are logged.
     21 
     22 TST_SETUP="setup"
     23 TST_CNT=3
     24 TST_NEEDS_DEVICE=1
     25 
     26 . ima_setup.sh
     27 . daemonlib.sh
     28 
#######################################
# Choose the test file, the IMA violation counter and the system log to
# search, then verify the log actually exists.
# Globals: FILE, IMA_VIOLATIONS, LOG (written); SECURITYFS (read)
#######################################
setup()
{
	FILE="test.txt"
	IMA_VIOLATIONS="$SECURITYFS/ima/violations"

	# Which log receives the violation messages depends on whether
	# auditd is running.
	if status_daemon auditd; then
		LOG="/var/log/audit/audit.log"
	else
		LOG="/var/log/messages"
	fi

	if [ ! -f "$LOG" ]; then
		tst_brk TBROK "log $LOG does not exist (bug in detection?)"
	fi
	tst_res TINFO "using log $LOG"
}
     42 
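#######################################
# Hold $FILE open for reading on fd 3 until close_file_read().
# Globals: FILE (read)
# Returns: exits the script with 1 if the file cannot be opened
#######################################
open_file_read()
{
	# Quoted so a path containing whitespace or glob characters works.
	exec 3< "$FILE" || exit 1
}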
     47 
#######################################
# Release the read descriptor (fd 3) taken by open_file_read().
#######################################
close_file_read()
{
	exec 3<&-
}
     52 
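#######################################
# Truncate $FILE, keep it open for writing on fd 4 and write one line.
# The descriptor stays open until close_file_write(); a reader opening
# the file meanwhile is what test1 expects to be logged as open_writers.
# Globals: FILE (read)
# Returns: exits the script with 1 if the file cannot be opened
#######################################
open_file_write()
{
	# Quoted so a path containing whitespace or glob characters works.
	exec 4> "$FILE" || exit 1
	printf '%s\n' 'test writing' >&4
}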
     58 
#######################################
# Release the write descriptor (fd 4) taken by open_file_write().
#######################################
close_file_write()
{
	exec 4<&-
}
     63 
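#######################################
# Count log lines that mention the given violation cause followed by the
# test file name.
# Globals:   FILE, LOG (read)
# Arguments: $1 - violation cause to look for (e.g. open_writers, ToMToU)
# Outputs:   the number of matching lines on stdout
# Returns:   0 (grep's "no match" status is masked on purpose)
#######################################
get_count()
{
	local search="$1"

	# The pattern is a basic regex, so the '.' in FILE ("test.txt")
	# matches any character; close enough for this test.  grep -c prints
	# "0" but exits 1 when nothing matches, so mask the status to keep
	# the original "always succeed" contract for callers capturing stdout.
	grep -c -- "${search}.*${FILE}" "$LOG" || :
}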
     69 
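#######################################
# Check that a violation was recorded since the baseline was taken: the
# kernel's counter must have grown, and a matching line must show up in
# the log.  The log line may lag behind the counter, so the log is polled
# a few times with a short sleep in between.
# Globals:   IMA_VIOLATIONS, LOG (read)
# Arguments: $1 - violation counter value before the test
#            $2 - get_count() result before the test
#            $3 - violation cause to search for
# Outputs:   TPASS/TFAIL/TINFO via tst_res
#######################################
validate()
{
	local num_violations="$1"
	local count="$2"
	local search="$3"
	local max_attempt=3
	local count2 i num_violations_new

	# Plain while loop instead of $(seq ...) to stay POSIX sh.
	i=1
	while [ "$i" -le "$max_attempt" ]; do
		read -r num_violations_new < "$IMA_VIOLATIONS"
		count2="$(get_count "$search")"

		# The counter is checked first: no increment means no violation
		# happened at all, so retrying the log search is pointless.
		if [ $((num_violations_new - num_violations)) -le 0 ]; then
			tst_res TFAIL "$search violation not added"
			return
		fi
		if [ "$count2" -gt "$count" ]; then
			tst_res TPASS "$search violation added"
			return
		fi
		tst_res TINFO "$search not found in $LOG ($i/$max_attempt attempt)..."
		tst_sleep 1s
		i=$((i + 1))
	done
	tst_res TFAIL "$search not found in $LOG"
}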
     96 
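#######################################
# open_writers: the file is opened for reading while another descriptor
# still holds it open for writing.
# Globals: FILE, IMA_VIOLATIONS (read)
#######################################
test1()
{
	tst_res TINFO "verify open writers violation"

	local search="open_writers"
	local count num_violations

	# Baseline counter and log-line count, so validate() can detect the
	# increment caused by this test alone.
	read -r num_violations < "$IMA_VIOLATIONS"
	count="$(get_count "$search")"

	open_file_write
	open_file_read
	close_file_read
	close_file_write

	validate "$num_violations" "$count" "$search"
}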
    114 
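#######################################
# ToMToU: the file is already open for reading when a writer opens it,
# i.e. the reverse ordering of test1.
# Globals: FILE, IMA_VIOLATIONS (read)
#######################################
test2()
{
	tst_res TINFO "verify ToMToU violation"

	local search="ToMToU"
	local count num_violations

	# Baseline counter and log-line count, so validate() can detect the
	# increment caused by this test alone.
	read -r num_violations < "$IMA_VIOLATIONS"
	count="$(get_count "$search")"

	open_file_read
	open_file_write
	close_file_write
	close_file_read

	validate "$num_violations" "$count" "$search"
}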
    132 
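#######################################
# open_writers via mmap: ima_mmap keeps the file mapped in the background
# while it is opened for reading.
# Globals: FILE, IMA_VIOLATIONS (read)
#######################################
test3()
{
	tst_res TINFO "verify open_writers using mmapped files"

	local search="open_writers"
	local count num_violations mmap_pid

	# Baseline counter and log-line count, so validate() can detect the
	# increment caused by this test alone.
	read -r num_violations < "$IMA_VIOLATIONS"
	count="$(get_count "$search")"

	printf '%s\n' 'testing testing' > "$FILE"

	# Give ima_mmap a moment to set up its mapping before the read.
	ima_mmap -f "$FILE" &
	mmap_pid=$!
	tst_sleep 1s

	open_file_read
	close_file_read

	validate "$num_violations" "$count" "$search"

	# ima_mmap exits on its own; wait for it (instead of a fixed sleep)
	# so the device can be unmounted without a stale mapping.
	wait "$mmap_pid"
}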
    157 
    158 tst_run