public inbox for ltp@lists.linux.it
From: Alex Henrie <alexh@vpitech.com>
To: ltp@lists.linux.it
Subject: [LTP] [PATCH ltp v3 2/2] IMA: Add tests for uid, gid, fowner, and fgroup options
Date: Tue, 14 Sep 2021 10:15:03 -0600
Message-ID: <20210914161503.97495-2-alexh@vpitech.com>
In-Reply-To: <20210914161503.97495-1-alexh@vpitech.com>

Requires "ima: add gid support".

Signed-off-by: Alex Henrie <alexh@vpitech.com>
---
v3:
- Put new tests in their own function
- Don't require sudo or CONFIG_IMA_READ_POLICY=y for all tests
- Increase kernel version requirement for new tests to 5.16
- Delete test file and recreate it with correct ownership for each test
---
 .../integrity/ima/tests/ima_measurements.sh   | 49 ++++++++++++++++++-
 1 file changed, 47 insertions(+), 2 deletions(-)

diff --git a/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh b/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh
index 1927e937c..5d22d12d3 100755
--- a/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh
@@ -8,7 +8,7 @@
 
 TST_NEEDS_CMDS="awk cut sed"
 TST_SETUP="setup"
-TST_CNT=3
+TST_CNT=4
 TST_NEEDS_DEVICE=1
 
 . ima_setup.sh
@@ -103,7 +103,7 @@ test3()
 	local file="$dir/test.txt"
 
 	# Default policy does not measure user files
-	tst_res TINFO "verify not measuring user files"
+	tst_res TINFO "verify not measuring user files by default"
 	tst_check_cmds sudo || return
 
 	if ! id $user >/dev/null 2>/dev/null; then
@@ -121,4 +121,49 @@ test3()
 	EXPECT_FAIL "grep $file $ASCII_MEASUREMENTS"
 }
 
+test4()
+{
+	local user="nobody"
+
+	tst_check_cmds chgrp chown sg sudo || return
+
+	# try to write to the policy, then check whether it can be written again
+	cat $IMA_POLICY > $IMA_POLICY 2> /dev/null
+	require_policy_writable
+
+	ROD rm -f $TEST_FILE
+	tst_res TINFO "verify measuring user files when requested via uid"
+	ROD echo "measure uid=$(id -u $user)" \> $IMA_POLICY
+	ROD echo "$(date) uid test" \> $TEST_FILE
+	sudo -n -u $user sh -c "cat $TEST_FILE > /dev/null"
+	ima_check
+
+	ROD rm -f $TEST_FILE
+	tst_res TINFO "verify measuring user files when requested via fowner"
+	ROD echo "measure fowner=$(id -u $user)" \> $IMA_POLICY
+	ROD echo "$(date) fowner test" \> $TEST_FILE
+	chown $user $TEST_FILE
+	cat $TEST_FILE > /dev/null
+	ima_check
+
+	if tst_kvcmp -lt 5.16; then
+		tst_brk TCONF "gid and fgroup options require kernel 5.16 or newer"
+	fi
+
+	ROD rm -f $TEST_FILE
+	tst_res TINFO "verify measuring user files when requested via gid"
+	ROD echo "measure gid=$(id -g $user)" \> $IMA_POLICY
+	ROD echo "$(date) gid test" \> $TEST_FILE
+	sudo sg $user "sh -c 'cat $TEST_FILE > /dev/null'"
+	ima_check
+
+	ROD rm -f $TEST_FILE
+	tst_res TINFO "verify measuring user files when requested via fgroup"
+	ROD echo "measure fgroup=$(id -g $user)" \> $IMA_POLICY
+	ROD echo "$(date) fgroup test" \> $TEST_FILE
+	chgrp $user $TEST_FILE
+	cat $TEST_FILE > /dev/null
+	ima_check
+}
+
 tst_run
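Review bot: the gid and fgroup subtests in test4 resolve the group by the user's name, which is not portable: `chgrp $user $TEST_FILE` and `sudo sg $user "sh -c '...'"` look up a group named "nobody", while the rules written just above them use `$(id -g $user)`, the numeric gid of nobody's primary group. On Debian-based systems that group is "nogroup", so chgrp and sg fail and ima_check then reports a failure unrelated to the kernel option under test. Using `$(id -gn $user)` (or the numeric `$(id -g $user)` for chgrp) in both places keeps the policy rule and the file/process group in agreement. In the same hunk, the commands that perform the measured access (`sudo -n -u $user sh -c ...`, `chown`, `sudo sg ...`, `chgrp`) are not checked for success, unlike the `ROD` writes around them, and test4 does not verify that $user exists the way test3 does with `id $user`; a missing user, a missing group or a sudo that needs a password therefore surfaces only as a misleading ima_check failure, so wrapping them in ROD (or checking the exit status and breaking with TCONF/TBROK) would make the cause explicit. Finally, the comment "try to write to the policy, then check whether it can be written again" above `cat $IMA_POLICY > $IMA_POLICY 2> /dev/null` does not say why copying the policy onto itself is needed before require_policy_writable, and the read side of that copy depends on CONFIG_IMA_READ_POLICY, which the v3 changelog says is no longer required for all tests; a comment stating the intended mechanism, or dropping the copy if require_policy_writable already covers the check, would help reviewers.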
-- 
2.33.0


-- 
Mailing list info: https://lists.linux.it/listinfo/ltp
