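#!/bin/sh
# SPDX-License-Identifier: GPL-2.0-or-later
# Copyright (c) 2009 IBM Corporation
# Copyright (c) 2018-2019 Petr Vorel <pvorel@suse.cz>
# Author: Mimi Zohar <zohar@linux.ibm.com>
#
# Shared setup and cleanup for IMA tests. The TST_SETUP/TST_CLEANUP values
# that are set before this file is read are saved and chained from
# ima_setup/ima_cleanup.
# The tests need root (TST_NEEDS_ROOT=1), so every expansion that reaches
# mkdir, mount, umount, cd or df is quoted.

TST_TESTFUNC="test"
TST_SETUP_CALLER="$TST_SETUP"
TST_SETUP="ima_setup"
TST_CLEANUP_CALLER="$TST_CLEANUP"
TST_CLEANUP="ima_cleanup"
TST_NEEDS_ROOT=1

. tst_test.sh

SYSFS="/sys"
# Space-separated list of mount points created here; ima_cleanup unmounts them.
UMOUNT=
TST_FS_TYPE="ext3"

# Stop with TCONF unless the kernel command line selects the builtin IMA
# policy $1.
# Accepted forms: a parameter containing "ima_<policy>", or an "ima_policy="
# parameter naming <policy>, alone or in a '|'-separated list.
# Only /proc/cmdline is inspected; the policy currently loaded in the kernel
# is not read, so a policy replaced after boot is not detected here.
# $1 is interpolated into grep patterns: pass a plain policy name.
check_ima_policy()
{
	local policy="$1"

	grep -q "ima_$policy" /proc/cmdline && return

	# One parameter per line. This avoids the pathname expansion that an
	# unquoted $(cat /proc/cmdline) would be subject to.
	if tr ' \t' '\n\n' < /proc/cmdline | grep '^ima_policy=' | \
		grep -q -e "|[ ]*$policy" -e "$policy[ ]*|" -e "=$policy"; then
		return
	fi

	tst_brk TCONF "IMA measurement tests require builtin IMA $policy policy (e.g. ima_policy=$policy kernel parameter)"
}

# Print the mount point of the first /proc/mounts entry whose filesystem
# type (third field) is exactly $1; print nothing if there is none.
# Matching the type field also finds a mount whose device field is "none".
_ima_mountpoint()
{
	awk -v t="$1" '$3 == t { print $2; exit }' /proc/mounts
}

# Print the directory where filesystem type $1 is mounted, mounting it on
# $2 first when it is not mounted yet.
# The result is written to stdout, so callers use $(mount_helper ...). In
# that form the function runs in a subshell: the UMOUNT update below is not
# visible to the caller, and a tst_brk raised here may end only the subshell
# (tst_brk is not defined in this file). Such callers must check for an
# empty result and record the mount point themselves.
mount_helper()
{
	local type="$1"
	local default_dir="$2"
	local dir

	dir="$(_ima_mountpoint "$type")"
	if [ -n "$dir" ]; then
		printf '%s\n' "$dir"
		return
	fi

	if ! mkdir -p "$default_dir"; then
		tst_brk TBROK "failed to create $default_dir"
	fi
	if ! mount -t "$type" "$type" "$default_dir"; then
		tst_brk TBROK "failed to mount $type"
	fi
	UMOUNT="$default_dir $UMOUNT"
	printf '%s\n' "$default_dir"
}

# Run tst_mkfs and tst_mount (neither is defined in this file), then make
# $TST_MNTPOINT the working directory.
mount_loop_device()
{
	tst_mkfs
	tst_mount
	cd "$TST_MNTPOINT" || tst_brk TBROK "failed to cd to $TST_MNTPOINT"
}

# Log the CONFIG_IMA* lines of /boot/config-$(uname -r), when that file is
# readable, followed by the kernel command line.
print_ima_config()
{
	local config
	local i

	config="/boot/config-$(uname -r)"

	if [ -r "$config" ]; then
		tst_res TINFO "IMA kernel config:"
		# Read in the current shell and keep each line intact.
		while IFS= read -r i || [ -n "$i" ]; do
			case "$i" in
			CONFIG_IMA*) tst_res TINFO "$i" ;;
			esac
		done < "$config"
	fi

	tst_res TINFO "/proc/cmdline: $(cat /proc/cmdline)"
}

# Locate (or mount) securityfs, export the IMA paths used by the tests,
# optionally switch to a loop device, then run the caller's setup.
# Sets: SECURITYFS, IMA_DIR, ASCII_MEASUREMENTS, BINARY_MEASUREMENTS, UMOUNT.
ima_setup()
{
	SECURITYFS="$(_ima_mountpoint securityfs)"
	if [ -z "$SECURITYFS" ]; then
		SECURITYFS="$(mount_helper securityfs "$SYSFS/kernel/security")"
		# An empty result means mount_helper failed inside its subshell.
		# Without this check IMA_DIR would become "/ima" and the failure
		# would be reported as "IMA not enabled in kernel".
		[ -n "$SECURITYFS" ] || tst_brk TBROK "failed to mount securityfs"
		# Recorded here because an assignment made inside $(...) is lost.
		UMOUNT="$SECURITYFS $UMOUNT"
	fi

	IMA_DIR="$SECURITYFS/ima"
	[ -d "$IMA_DIR" ] || tst_brk TCONF "IMA not enabled in kernel"
	ASCII_MEASUREMENTS="$IMA_DIR/ascii_runtime_measurements"
	BINARY_MEASUREMENTS="$IMA_DIR/binary_runtime_measurements"

	print_ima_config

	if [ "$TST_NEEDS_DEVICE" = 1 ]; then
		tst_res TINFO "\$TMPDIR is on tmpfs => run on loop device"
		mount_loop_device
	fi

	# An if statement rather than "[ -n ... ] && ...", so that an unset
	# caller hook does not make ima_setup return non-zero.
	if [ -n "$TST_SETUP_CALLER" ]; then
		$TST_SETUP_CALLER
	fi
}

# Run the caller's cleanup, unmount everything listed in UMOUNT and release
# the loop device mount when one was used.
ima_cleanup()
{
	local dir

	if [ -n "$TST_CLEANUP_CALLER" ]; then
		$TST_CLEANUP_CALLER
	fi

	# UMOUNT is a space-separated list, so it is split on purpose; mount
	# points containing whitespace are not supported.
	for dir in $UMOUNT; do
		umount "$dir"
	done

	if [ "$TST_NEEDS_DEVICE" = 1 ]; then
		# Presumably leaves the mount point so that it is not busy.
		cd "$TST_TMPDIR" || tst_res TINFO "failed to cd to $TST_TMPDIR"
		tst_umount
	fi
}

# A loop device is needed only when TMPDIR is on tmpfs: drop the request
# when TMPDIR is on any other filesystem type.
TMPDIR="${TMPDIR:-/tmp}"
if [ -n "$TST_NEEDS_DEVICE" ] && \
	[ "$(df -T "$TMPDIR" | tail -1 | awk '{print $2}')" != "tmpfs" ]; then
	unset TST_NEEDS_DEVICE
fi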