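#!/bin/sh
# SPDX-License-Identifier: GPL-2.0-or-later
# Copyright (c) 2009 IBM Corporation
# Copyright (c) 2018-2021 Petr Vorel <pvorel@suse.cz>
# Author: Mimi Zohar <zohar@linux.ibm.com>
#
# Verify that measurements are added to the measurement list based on policy.
#
# test1: a freshly written file gets a record in the IMA measurement list.
# test2: rewriting that file updates its record (needs i_version support,
#        see check_iversion_support()).
# test3: a file written by an unprivileged user is not measured under the
#        default "tcb" policy.

TST_NEEDS_CMDS="awk cut sed"
TST_SETUP="setup"
TST_CNT=3
TST_NEEDS_DEVICE=1

. ima_setup.sh

# Require the "tcb" policy on the kernel command line (helper from
# ima_setup.sh) and choose the test file inside the LTP temp directory.
setup()
{
	require_ima_policy_cmdline "tcb"

	TEST_FILE="$PWD/test.txt"
	[ -f "$IMA_POLICY" ] || tst_res TINFO "not using default policy"
}

# Check that the filesystem holding $PWD reports inode version changes,
# which IMA needs to notice that an already measured file was modified.
# Returns 0 when support is present (or cannot be ruled out) and 1 after
# reporting TCONF.
check_iversion_support()
{
	local device mount fs

	# Since 4.16 the kernel maintains i_version without a mount option.
	tst_kvcmp -ge "4.16" && return 0

	# -P keeps a long device name on one line instead of wrapping it,
	# which would leave $device empty.
	device="$(df -P . | sed -e 1d | cut -f1 -d ' ')"
	# Match the device field exactly: a substring grep for /dev/sda1
	# would also accept the /dev/sda10 entry.
	mount="$(awk -v dev="$device" '$1 == dev { print; exit }' /proc/mounts)"
	fs="$(echo "$mount" | awk '{print $3}')"

	case "$fs" in
	ext[2-4])
		if ! echo "$mount" | grep -q -w "i_version"; then
			tst_res TCONF "device '$device' is not mounted with iversion, please mount it with 'mount $device -o remount,iversion'"
			return 1
		fi
		;;
	xfs)
		# Heuristic: the kernel log is the only place the XFS
		# superblock version is visible; V5 is needed for i_version.
		if dmesg | grep -q "XFS.*Mounting V[1-4] Filesystem"; then
			tst_res TCONF "XFS Filesystem >= V5 required for iversion support"
			return 1
		fi
		;;
	'')
		tst_res TWARN "could not find mount info for device '$device'"
		;;
	esac

	return 0
}

# Create $TEST_FILE and expect a measurement record for it.
test1()
{
	tst_res TINFO "verify adding record to the IMA measurement list"
	ROD echo "$(cat /proc/uptime) this is a test file" \> $TEST_FILE
	ima_check $TEST_FILE
}

# Rewrite $TEST_FILE with new content and expect its record to be updated.
# Skipped (TCONF) when the filesystem cannot report the modification.
test2()
{
	tst_res TINFO "verify updating record in the IMA measurement list"
	check_iversion_support || return
	ROD echo "$(cat /proc/uptime) modified file" \> $TEST_FILE
	ima_check $TEST_FILE
}

# Write a file as the unprivileged user "nobody" and expect NO measurement
# record for it. Requires passwordless sudo (sudo -n) for that user.
test3()
{
	local user="nobody"
	local dir="$PWD/user"
	local file="$dir/test.txt"

	# Default policy does not measure user files
	tst_res TINFO "verify not measuring user files"
	tst_check_cmds sudo || return

	if ! id "$user" >/dev/null 2>/dev/null; then
		tst_res TCONF "missing system user $user (wrong installation)"
		return
	fi

	[ -d "$dir" ] || mkdir -m 0700 "$dir"
	chown "$user" "$dir"
	cd "$dir" || tst_brk TBROK "cannot change directory to '$dir'"
	# need to read file to get updated $ASCII_MEASUREMENTS
	# The content and the path are passed as positional parameters
	# rather than spliced into the command string, so the child shell
	# never parses $file (derived from $PWD) as shell syntax.
	if ! sudo -n -u "$user" sh -c 'echo "$1" > "$2"; cat "$2" > /dev/null' \
		ima_user_write "$(cat /proc/uptime) user file" "$file"; then
		# If nothing was written, an absent record is not a result but
		# a false pass, so report the broken prerequisite instead.
		cd ..
		tst_res TCONF "cannot write '$file' as $user (sudo -n failed?)"
		return
	fi
	cd ..

	# -F: the path is a literal string, not a regular expression
	EXPECT_FAIL "grep -F -- $file $ASCII_MEASUREMENTS"
}

tst_run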