1#!/bin/sh 2# SPDX-License-Identifier: GPL-2.0-or-later 3# Copyright (c) 2018 Petr Vorel <pvorel@suse.cz> 4 5if [ -z "$TST_LIB_LOADED" ]; then 6 echo "please load tst_test.sh first" >&2 7 exit 1 8fi 9 10[ -n "$TST_SECURITY_LOADED" ] && return 0 11TST_SECURITY_LOADED=1 12 13_tst_check_security_modules() 14{ 15 local cmd 16 local profiles 17 18 if tst_apparmor_enabled; then 19 tst_res TINFO "AppArmor enabled, this may affect test results" 20 [ "$TST_DISABLE_APPARMOR" = 1 ] || \ 21 tst_res TINFO "it can be disabled with TST_DISABLE_APPARMOR=1 (requires super/root)" 22 profiles= 23 for cmd in $TST_NEEDS_CMDS; do 24 tst_apparmor_used_profile $cmd && profiles="$cmd $profiles" 25 done 26 [ -z "$profiles" ] && profiles="none" 27 tst_res TINFO "loaded AppArmor profiles: $profiles" 28 fi 29 30 if tst_selinux_enforced; then 31 tst_res TINFO "SELinux enabled in enforcing mode, this may affect test results" 32 33 [ "$TST_DISABLE_SELINUX" = 1 ] || \ 34 tst_res TINFO "it can be disabled with TST_DISABLE_SELINUX=1 (requires super/root)" 35 profiles= 36 for cmd in $TST_NEEDS_CMDS; do 37 tst_selinux_used_profile $cmd && profiles="$cmd $profiles" 38 done 39 [ -z "$profiles" ] && profiles="none" 40 tst_res TINFO "loaded SELinux profiles: $profiles" 41 fi 42} 43 44# Detect whether AppArmor profiles are loaded 45# Return 0: profiles loaded, 1: none profile loaded or AppArmor disabled 46tst_apparmor_enabled() 47{ 48 local f="/sys/module/apparmor/parameters/enabled" 49 [ -f "$f" ] && [ "$(cat $f)" = "Y" ] 50} 51 52# Detect whether AppArmor profile for command is enforced 53# tst_apparmor_used_profile CMD 54# Return 0: loaded profile for CMD 55# Return 1: no profile CMD 56tst_apparmor_used_profile() 57{ 58 [ $# -eq 1 ] || tst_brk TCONF "usage tst_apparmor_used_profile CMD" 59 local cmd="$1" 60 grep -q "$cmd .*(enforce)" /sys/kernel/security/apparmor/profiles 2>/dev/null 61} 62 63# Detect whether SELinux is enabled in enforcing mode 64# Return 0: enabled in enforcing mode 65# Return 1: enabled in permissive mode or disabled 66tst_selinux_enforced() 67{ 68 local f="$(tst_get_enforce)" 69 70 [ -f "$f" ] && [ "$(cat $f)" = "1" ] 71} 72 73# Detect whether SELinux profile for command is enforced 74# tst_selinux_used_profile CMD 75# Return 0: loaded profile for CMD 76# Return 1: profile for CMD not loaded or seinfo not available 77tst_selinux_used_profile() 78{ 79 [ $# -eq 1 ] || tst_brk TCONF "usage tst_selinux_used_profile CMD" 80 local cmd="$1" 81 82 if ! tst_cmd_available seinfo; then 83 if [ -z "$seinfo_warn_printed" ]; then 84 tst_res TINFO "install seinfo to find used SELinux profiles" 85 export seinfo_warn_printed=1 86 fi 87 return 1 88 fi 89 seinfo -t 2>/dev/null | grep -q $cmd 90} 91 92# Try disable AppArmor 93# Return 0: AppArmor disabled 94# Return > 0: failed to disable AppArmor 95tst_disable_apparmor() 96{ 97 tst_res TINFO "trying to disable AppArmor (requires super/root)" 98 tst_require_root 99 100 local f="aa-teardown" 101 local action 102 103 tst_cmd_available $f && { $f >/dev/null; return; } 104 f="/etc/init.d/apparmor" 105 if [ -f "$f" ]; then 106 for action in teardown kill stop; do 107 $f $action >/dev/null 2>&1 && return 108 done 109 fi 110} 111 112# Try disable SELinux 113# Return 0: SELinux disabled 114# Return > 0: failed to disable SELinux 115tst_disable_selinux() 116{ 117 tst_res TINFO "trying to disable SELinux (requires super/root)" 118 tst_require_root 119 120 local f="$(tst_get_enforce)" 121 122 [ -f "$f" ] && cat 0 > $f 123} 124 125# Get SELinux directory path 126tst_get_selinux_dir() 127{ 128 local dir="/sys/fs/selinux" 129 130 [ -d "$dir" ] || dir="/selinux" 131 [ -d "$dir" ] && echo "$dir" 132} 133 134# Get SELinux enforce file path 135tst_get_enforce() 136{ 137 local dir=$(tst_get_selinux_dir) 138 [ -z "$dir" ] && return 139 140 local f="$dir/enforce" 141 [ -f "$f" ] && echo "$f" 142} 143 144tst_update_selinux_state() 145{ 146 local cur_val new_val 147 local dir=$(tst_get_selinux_dir) 148 [ -z "$dir" ] || return 1 149 150 cur_val=$(cat $dir/checkreqprot) 151 [ $cur_val = 1 ] && new_val=0 || new_val=1 152 echo $new_val > $dir/checkreqprot 153} 154