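#!/bin/sh
# SPDX-License-Identifier: GPL-2.0-or-later
# Copyright (c) 2009 IBM Corporation
# Copyright (c) 2018-2020 Petr Vorel <pvorel@suse.cz>
# Author: Mimi Zohar <zohar@linux.ibm.com>
#
# Test whether ToMToU and open_writer violations invalidate the PCR and are
# logged.
#
# Every test samples the kernel's violation counter ($SECURITYFS/ima/violations)
# and the number of matching lines in the system or audit log, provokes one
# violation on $FILE and then checks that both numbers went up:
#   test1: a reader opens $FILE while a writer still holds it open
#          (expects an "open_writers" log entry)
#   test2: a writer opens $FILE while a reader still holds it open
#          (expects a "ToMToU" log entry)
#   test3: a reader opens $FILE while ima_mmap has it mapped
#          (expects an "open_writers" log entry)
#
# Globals written in setup(): FILE, IMA_VIOLATIONS, LOG, PRINTK_RATE_LIMIT.
# Relies on the LTP IMA helpers (ima_setup.sh) and daemonlib.sh, sourced at
# the bottom of this file.

TST_SETUP="setup"
TST_CLEANUP="cleanup"
TST_CNT=3

#######################################
# Choose the log to scan for violation messages and make sure the
# messages are not dropped before they reach it.
# Globals:  SECURITYFS (read)
#           FILE, IMA_VIOLATIONS, LOG, PRINTK_RATE_LIMIT (written)
# Returns:  0, or breaks the test with TBROK when $LOG is missing
#######################################
setup()
{
	FILE="test.txt"
	IMA_VIOLATIONS="$SECURITYFS/ima/violations"
	LOG="/var/log/messages"
	PRINTK_RATE_LIMIT=

	if status_daemon auditd; then
		# with auditd running the violation records end up in the audit log
		LOG="/var/log/audit/audit.log"
	elif tst_check_cmds sysctl; then
		# without auditd the messages arrive via printk; lift the rate
		# limit so a burst of violations is not dropped from $LOG.
		# The old value is restored in cleanup().
		PRINTK_RATE_LIMIT=$(sysctl -n kernel.printk_ratelimit)
		sysctl -wq kernel.printk_ratelimit=0
	fi

	[ -f "$LOG" ] || \
		tst_brk TBROK "log $LOG does not exist (bug in detection?)"
	tst_res TINFO "using log $LOG"
}

#######################################
# Restore kernel.printk_ratelimit if setup() changed it.
# Globals:  PRINTK_RATE_LIMIT (read)
#######################################
cleanup()
{
	if [ "$PRINTK_RATE_LIMIT" ]; then
		sysctl -wq kernel.printk_ratelimit="$PRINTK_RATE_LIMIT"
	fi
}

# Hold $FILE open for reading on fd 3 until close_file_read() is called.
# Breaks the test with TBROK instead of a bare exit so the failure is reported
# through the LTP result machinery like the rest of this file.
open_file_read()
{
	exec 3< "$FILE" || tst_brk TBROK "cannot open $FILE for reading"
}

# Release the read descriptor taken by open_file_read().
close_file_read()
{
	exec 3>&-
}

# Hold $FILE open for writing on fd 4 (truncating it) until close_file_write()
# is called, and write one line so the file is actually modified.
open_file_write()
{
	exec 4> "$FILE" || tst_brk TBROK "cannot open $FILE for writing"
	echo 'test writing' >&4
}

# Release the write descriptor taken by open_file_write().
close_file_write()
{
	exec 4>&-
}

#######################################
# Print the number of lines in $LOG that mention both the violation type
# and $FILE.
# Arguments: $1 - violation type to look for (e.g. open_writers, ToMToU)
# Globals:   FILE, LOG (read)
# Outputs:   the match count on stdout ("0" when nothing matched)
# Returns:   0
#######################################
get_count()
{
	local search="$1"

	# grep -c still prints the count (0) when nothing matches but exits
	# with status 1; mask that so callers see the count and status 0.
	# NOTE: $FILE is used as part of the regex, so the "." in test.txt
	# matches any character - acceptable for the fixed name used here.
	grep -c -- "$search.*$FILE" "$LOG" || :
}

#######################################
# Check that the violation counter and the log both registered a new
# violation. The log may lag behind the counter, so the log lookup is
# retried a few times.
# Arguments: $1 - violation counter value sampled before the test step
#            $2 - log match count sampled before the test step
#            $3 - violation type to look for in $LOG
# Globals:   IMA_VIOLATIONS, LOG (read)
# Outputs:   TPASS when both increased, TFAIL otherwise
#######################################
validate()
{
	local num_violations="$1"
	local count="$2"
	local search="$3"
	local max_attempt=3
	local count2 i num_violations_new

	i=1
	while [ "$i" -le "$max_attempt" ]; do
		read -r num_violations_new < "$IMA_VIOLATIONS"
		count2="$(get_count "$search")"
		if [ $((num_violations_new - num_violations)) -gt 0 ]; then
			if [ "${count2:-0}" -gt "$count" ]; then
				tst_res TPASS "$search violation added"
				return
			else
				tst_res TINFO "$search not found in $LOG ($i/$max_attempt attempt)..."
				tst_sleep 1s
			fi
		else
			# the kernel counter did not move: no point in waiting for
			# a log line that will never appear
			tst_res TFAIL "$search violation not added"
			return
		fi
		i=$((i + 1))
	done
	tst_res TFAIL "$search not found in $LOG"
}

# open_writers: open for reading while another descriptor is open for writing.
test1()
{
	tst_res TINFO "verify open writers violation"

	local search="open_writers"
	local count num_violations

	read -r num_violations < "$IMA_VIOLATIONS"
	count="$(get_count "$search")"

	open_file_write
	open_file_read
	close_file_read
	close_file_write

	validate "$num_violations" "$count" "$search"
}

# ToMToU: open for writing while another descriptor is open for reading.
test2()
{
	tst_res TINFO "verify ToMToU violation"

	local search="ToMToU"
	local count num_violations

	read -r num_violations < "$IMA_VIOLATIONS"
	count="$(get_count "$search")"

	open_file_read
	open_file_write
	close_file_write
	close_file_read

	validate "$num_violations" "$count" "$search"
}

# open_writers via mmap: open for reading while ima_mmap holds the file mapped.
test3()
{
	tst_res TINFO "verify open_writers using mmapped files"

	local search="open_writers"
	local count num_violations

	read -r num_violations < "$IMA_VIOLATIONS"
	count="$(get_count "$search")"

	echo 'testing testing' > "$FILE"

	ima_mmap -f "$FILE" &
	# wait for the violations to appear in the logs
	# (fixed delay; a slow machine may need more than this)
	tst_sleep 1s

	open_file_read
	close_file_read

	validate "$num_violations" "$count" "$search"

	# wait for ima_mmap to exit, so we can umount
	tst_sleep 2s
}

. ima_setup.sh
. daemonlib.sh
tst_run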