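#!/bin/sh
# SPDX-License-Identifier: GPL-2.0-or-later
# Copyright (c) 2021 VPI Engineering
# Copyright (c) 2021 Petr Vorel <pvorel@suse.cz>
# Author: Alex Henrie <alexh@vpitech.com>
#
# Verify that conditional rules work.
#
# gid and fgroup options test kernel commit 40224c41661b ("ima: add gid
# support") from v5.16.

TST_NEEDS_CMDS="cat chgrp chown id sg sudo"
TST_CNT=1
TST_NEEDS_DEVICE=1

. ima_setup.sh

# Write a single "measure <request>=<id>" rule to the IMA policy, read a
# freshly created file in a way that should match the rule, then hand the
# file to ima_check.
#
# $1 - condition under test: uid, gid, fowner or fgroup
verify_measurement()
{
	local request="$1"
	local user="nobody"
	local test_file="$PWD/test.txt"
	# NOTE(review): $test_file is pasted into a command string that is parsed
	# again by sh -c (and once more inside the quoted string given to sg),
	# and two of the branches below run it through sudo. This relies on $PWD
	# being free of whitespace, quotes and other shell metacharacters.
	local cmd="cat $test_file > /dev/null"
	local value

	# Reject unknown conditions before the policy is touched, and look up
	# only the id the rule needs (group id for gid/fgroup, user id otherwise).
	case "$request" in
	gid|fgroup) value="$(id -g "$user")";;
	uid|fowner) value="$(id -u "$user")";;
	*) tst_brk TBROK "Invalid res type '$1'";;
	esac

	# An empty value would produce a malformed policy rule; stop here instead.
	[ -n "$value" ] || tst_brk TBROK "failed to look up id of user '$user'"

	require_policy_writable

	ROD rm -f "$test_file"

	tst_res TINFO "verify measuring user files when requested via $request"
	ROD echo "measure $request=$value" \> "$IMA_POLICY"
	# presumably the uptime keeps the file content different on every run
	ROD echo "$(cat /proc/uptime) $request test" \> "$test_file"

	case "$request" in
	fgroup)
		# ROD: a failed ownership change would otherwise go unnoticed and
		# only show up later as a confusing missing measurement.
		ROD chgrp "$user" "$test_file"
		sh -c "$cmd"
		;;
	fowner)
		ROD chown "$user" "$test_file"
		sh -c "$cmd"
		;;
	# -n (as in the uid branch): fail instead of waiting on a password prompt.
	gid) sudo -n sg "$user" "sh -c '$cmd'";;
	uid) sudo -n -u "$user" sh -c "$cmd";;
	esac

	ima_check "$test_file"
}

# Check the uid and fowner conditions on every kernel, then the gid and
# fgroup conditions unless the kernel is older than 5.16.
test1()
{
	verify_measurement uid
	verify_measurement fowner

	if tst_kvcmp -lt 5.16; then
		tst_brk TCONF "gid and fgroup options require kernel 5.16 or newer"
	fi

	verify_measurement gid
	verify_measurement fgroup
}

tst_run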