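#!/bin/sh
# SPDX-License-Identifier: GPL-2.0-or-later
# Copyright (c) 2009 IBM Corporation
# Copyright (c) 2018 Petr Vorel <pvorel@suse.cz>
# Author: Mimi Zohar <zohar@linux.ibm.com>
#
# Test whether ToMToU and open_writers violations invalidate the PCR and
# are logged.
#
# The two violation kinds are reproduced purely by the order in which the
# test file is opened:
#   - open_writers: the file is opened for read while a writer still has it
#     open (test1), or while it is mmapped for write (test3);
#   - ToMToU (time-of-measure / time-of-use): the file is already open for
#     read when it is opened for write (test2).
# Each case is checked twice: the kernel's violation counter in securityfs
# must increase, and a matching line must show up in the system or audit log.

TST_SETUP="setup"
TST_CLEANUP="cleanup"
TST_CNT=3
TST_NEEDS_DEVICE=1

. ima_setup.sh
. daemonlib.sh

#######################################
# Pick the log to search and make sure violation messages reach it.
# Globals:   FILE, IMA_VIOLATIONS, LOG, PRINTK_RATE_LIMIT (written)
# Returns:   breaks the test (TBROK) if the chosen log does not exist
#######################################
setup()
{
	FILE="test.txt"
	IMA_VIOLATIONS="$SECURITYFS/ima/violations"
	LOG="/var/log/messages"
	# "0" doubles as "nothing to restore" in cleanup()
	PRINTK_RATE_LIMIT="0"

	if status_daemon auditd; then
		LOG="/var/log/audit/audit.log"
	else
		tst_check_cmds sysctl

		# Disable printk rate limiting for the duration of the test so the
		# kernel's violation messages are not dropped before they hit syslog.
		PRINTK_RATE_LIMIT=$(sysctl -n kernel.printk_ratelimit)
		sysctl -wq kernel.printk_ratelimit=0
	fi

	[ -f "$IMA_VIOLATIONS" ] || \
		tst_brk TBROK "$IMA_VIOLATIONS does not exist (securityfs/ima not available?)"
	[ -f "$LOG" ] || \
		tst_brk TBROK "log $LOG does not exist (bug in detection?)"
	tst_res TINFO "using log $LOG"
}

#######################################
# Restore the printk rate limit saved by setup(), if it was changed.
# Globals:   PRINTK_RATE_LIMIT (read)
#######################################
cleanup()
{
	if [ "$PRINTK_RATE_LIMIT" != "0" ]; then
		sysctl -wq kernel.printk_ratelimit="$PRINTK_RATE_LIMIT"
	fi
}

# Open $FILE for reading on fd 3 (kept open until close_file_read).
open_file_read()
{
	exec 3< "$FILE" || exit 1
}

close_file_read()
{
	exec 3>&-
}

# Open $FILE for writing on fd 4 and write to it (kept open until
# close_file_write).
open_file_write()
{
	exec 4> "$FILE" || exit 1
	echo 'test writing' >&4
}

close_file_write()
{
	exec 4>&-
}

#######################################
# Count log lines mentioning both the violation type and the test file.
# Arguments: $1 - violation type to search for (e.g. "open_writers")
# Globals:   FILE, LOG (read)
# Outputs:   the count on stdout
#######################################
get_count()
{
	local search="$1"

	# grep -c exits 1 when nothing matches; only the printed count matters
	grep -c "${search}.*${FILE}" "$LOG" || :
}

#######################################
# Check that a violation was both counted by the kernel and logged.
# Arguments: $1 - violation counter value before the test step
#            $2 - log line count before the test step
#            $3 - violation type to search for
# Globals:   IMA_VIOLATIONS, LOG (read)
# Outputs:   TPASS when the counter rose and the log caught up (the log is
#            polled a few times since it is written asynchronously);
#            TFAIL otherwise
#######################################
validate()
{
	local num_violations="$1"
	local count="$2"
	local search="$3"
	local max_attempt=3
	local count2 i num_violations_new

	i=1
	while [ "$i" -le "$max_attempt" ]; do
		read -r num_violations_new < "$IMA_VIOLATIONS"
		count2="$(get_count "$search")"

		# The kernel counter is updated synchronously: no increase means
		# no violation was recorded at all, so there is no point retrying.
		if [ $((num_violations_new - num_violations)) -le 0 ]; then
			tst_res TFAIL "$search violation not added"
			return
		fi

		if [ "$count2" -gt "$count" ]; then
			tst_res TPASS "$search violation added"
			return
		fi

		tst_res TINFO "$search not found in $LOG ($i/$max_attempt attempt)..."
		tst_sleep 1s
		i=$((i + 1))
	done
	tst_res TFAIL "$search not found in $LOG"
}

# open_writers: a reader opens the file while a writer still has it open.
test1()
{
	tst_res TINFO "verify open writers violation"

	local search="open_writers"
	local count num_violations

	read -r num_violations < "$IMA_VIOLATIONS"
	count="$(get_count "$search")"

	open_file_write
	open_file_read
	close_file_read
	close_file_write

	validate "$num_violations" "$count" "$search"
}

# ToMToU: the file is opened for write while a reader still has it open.
test2()
{
	tst_res TINFO "verify ToMToU violation"

	local search="ToMToU"
	local count num_violations

	read -r num_violations < "$IMA_VIOLATIONS"
	count="$(get_count "$search")"

	open_file_read
	open_file_write
	close_file_write
	close_file_read

	validate "$num_violations" "$count" "$search"
}

# open_writers via a writable mmap held by a background helper.
test3()
{
	tst_res TINFO "verify open_writers using mmapped files"

	local search="open_writers"
	local count num_violations

	read -r num_violations < "$IMA_VIOLATIONS"
	count="$(get_count "$search")"

	echo 'testing testing' > "$FILE"

	ima_mmap -f "$FILE" &
	# wait for violations to appear in logs
	tst_sleep 1s

	open_file_read
	close_file_read

	validate "$num_violations" "$count" "$search"

	# wait for ima_mmap to exit, so we can umount
	tst_sleep 2s
}

tst_run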