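#!/bin/sh
# SPDX-License-Identifier: GPL-2.0-or-later
# Copyright (c) 2009 IBM Corporation
# Copyright (c) 2018-2020 Petr Vorel <pvorel@suse.cz>
# Author: Mimi Zohar <zohar@linux.ibm.com>
#
# Test whether ToMToU and open_writer violations invalidate the PCR and are
# logged.
#
# Each test reads the IMA violation counter from securityfs and the number of
# matching lines in the system log before triggering a violation, then checks
# that both went up. The log is auditd's when auditd is running, otherwise
# syslog; in the syslog case printk rate limiting is switched off so that the
# violation messages are not dropped.

TST_SETUP="setup"
TST_CLEANUP="cleanup"
TST_CNT=3
TST_NEEDS_DEVICE=1

. ima_setup.sh
. daemonlib.sh

# Choose the log to scan and, when using syslog, disable printk rate limiting
# (the previous limit is saved in PRINTK_RATE_LIMIT and restored by cleanup).
setup()
{
	FILE="test.txt"
	IMA_VIOLATIONS="$SECURITYFS/ima/violations"
	LOG="/var/log/messages"
	PRINTK_RATE_LIMIT=

	if status_daemon auditd; then
		LOG="/var/log/audit/audit.log"
	elif tst_check_cmds sysctl; then
		PRINTK_RATE_LIMIT=$(sysctl -n kernel.printk_ratelimit)
		sysctl -wq kernel.printk_ratelimit=0
	fi
	[ -f "$LOG" ] || \
		tst_brk TBROK "log $LOG does not exist (bug in detection?)"
	tst_res TINFO "using log $LOG"
}

# Restore the printk rate limit if setup() changed it.
cleanup()
{
	if [ "$PRINTK_RATE_LIMIT" ]; then
		sysctl -wq kernel.printk_ratelimit="$PRINTK_RATE_LIMIT"
	fi
}

# Hold $FILE open for reading on fd 3 until close_file_read().
open_file_read()
{
	exec 3< "$FILE" || exit 1
}

close_file_read()
{
	exec 3>&-
}

# Open $FILE for writing on fd 4, write to it, and keep the fd open until
# close_file_write() so that a concurrent reader triggers a violation.
open_file_write()
{
	exec 4> "$FILE" || exit 1
	echo 'test writing' >&4
}

close_file_write()
{
	exec 4>&-
}

# Print the number of lines in $LOG matching "$1.*$FILE" (0 when none).
# Always returns 0; grep -c itself exits 1 when nothing matched.
get_count()
{
	local search="$1"

	grep -c "$search.*$FILE" "$LOG"
	return 0
}

# Check that a violation named $3 was recorded since the baseline.
# $1 - securityfs violation counter read before the test
# $2 - number of matching log lines before the test
# $3 - violation name to grep for ("open_writers" or "ToMToU")
# The securityfs counter is checked first and fails the test immediately if it
# did not grow; the log is retried a few times because syslog/auditd write
# asynchronously.
validate()
{
	local num_violations="$1"
	local count="$2"
	local search="$3"
	local max_attempt=3
	local count2 i num_violations_new

	for i in $(seq 1 "$max_attempt"); do
		read -r num_violations_new < "$IMA_VIOLATIONS"
		count2="$(get_count "$search")"
		if [ $((num_violations_new - num_violations)) -gt 0 ]; then
			if [ "$count2" -gt "$count" ]; then
				tst_res TPASS "$search violation added"
				return
			else
				tst_res TINFO "$search not found in $LOG ($i/$max_attempt attempt)..."
				tst_sleep 1s
			fi
		else
			tst_res TFAIL "$search violation not added"
			return
		fi
	done
	tst_res TFAIL "$search not found in $LOG"
}

# open_writers: a reader opens the file while a writer still has it open.
test1()
{
	tst_res TINFO "verify open writers violation"

	local search="open_writers"
	local count num_violations

	read -r num_violations < "$IMA_VIOLATIONS"
	count="$(get_count "$search")"

	open_file_write
	open_file_read
	close_file_read
	close_file_write

	validate "$num_violations" "$count" "$search"
}

# ToMToU (time-of-measure/time-of-use): a writer opens the file while a
# reader still has it open.
test2()
{
	tst_res TINFO "verify ToMToU violation"

	local search="ToMToU"
	local count num_violations

	read -r num_violations < "$IMA_VIOLATIONS"
	count="$(get_count "$search")"

	open_file_read
	open_file_write
	close_file_write
	close_file_read

	validate "$num_violations" "$count" "$search"
}

# open_writers via a writable mmap held by the ima_mmap helper.
test3()
{
	tst_res TINFO "verify open_writers using mmapped files"

	local search="open_writers"
	local count num_violations mmap_pid

	read -r num_violations < "$IMA_VIOLATIONS"
	count="$(get_count "$search")"

	echo 'testing testing' > "$FILE"

	ima_mmap -f "$FILE" &
	mmap_pid=$!
	# give ima_mmap time to map the file and the violation time to reach the log
	tst_sleep 1s

	open_file_read
	close_file_read

	validate "$num_violations" "$count" "$search"

	# ima_mmap is expected to exit on its own shortly afterwards; wait for it
	# rather than sleeping a fixed time so the device can be unmounted safely
	wait "$mmap_pid"
}

tst_run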