xref: /aosp_15_r20/external/ltp/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh (revision 49cdfc7efb34551c7342be41a7384b9c40d7cab7)
#!/bin/sh
# SPDX-License-Identifier: GPL-2.0-or-later
# Copyright (c) 2009 IBM Corporation
# Copyright (c) 2018-2021 Petr Vorel <[email protected]>
# Author: Mimi Zohar <[email protected]>
#
# Verify that measurements are added to the measurement list based on policy.

# Settings consumed by the LTP shell test library.

# External commands that must be present before the test starts.
TST_NEEDS_CMDS="awk cut sed"
# Number of testN functions defined in this file (test1..test3).
TST_CNT=3
# Name of the function to run once before the tests.
TST_SETUP="setup"
# One-time preparation: require the "tcb" IMA policy on the kernel command
# line and record where the test file will live.
# Globals: TEST_FILE (written), IMA_POLICY (read)
setup()
{
	require_ima_policy_cmdline "tcb"

	TEST_FILE="$PWD/test.txt"
	# Informational only: a missing policy file does not stop the test.
	if [ ! -f "$IMA_POLICY" ]; then
		tst_res TINFO "not using default policy"
	fi
}
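# Check whether the filesystem holding the current directory provides
# i_version; test2 skips itself when this returns non-zero.
#
# Kernels >= 4.16 are accepted without inspecting the mount. On older
# kernels ext2/3/4 must show the i_version mount option and XFS must not
# have logged a V1-V4 mount; any other filesystem type passes unchecked.
#
# Returns: 0 if supported or undetermined, 1 after reporting TCONF.
check_iversion_support()
{
	local device mount fs

	tst_kvcmp -ge "4.16" && return 0

	device="$(df . | sed -e 1d | cut -f1 -d ' ')"
	# Compare the device name as a literal against the first field of
	# /proc/mounts: it is data, not a regex, and "/dev/sda1" must not
	# select the "/dev/sda10" line. An empty $device matches nothing and
	# ends up in the TWARN branch below.
	mount="$(awk -v dev="$device" '$1 == dev { print; exit }' /proc/mounts)"
	fs="$(printf '%s\n' "$mount" | awk '{ print $3 }')"

	case "$fs" in
	ext[2-4])
		if ! printf '%s\n' "$mount" | grep -q -w "i_version"; then
			tst_res TCONF "device '$device' is not mounted with iversion, please mount it with 'mount $device -o remount,iversion'"
			return 1
		fi
		;;
	xfs)
		# NOTE(review): this depends on the mount message still being in the
		# kernel ring buffer; if dmesg is rotated or unreadable the check
		# passes silently.
		if dmesg | grep -q "XFS.*Mounting V[1-4] Filesystem"; then
			tst_res TCONF "XFS Filesystem >= V5 required for iversion support"
			return 1
		fi
		;;
	'')
		tst_res TWARN "could not find mount info for device '$device'"
		;;
	esac

	return 0
}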
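# test1: write a fresh test file and hand it to ima_check.
# ima_check comes from the sourced helper library (not visible here); it is
# presumably what verifies the record in the measurement list.
# Globals: TEST_FILE (read)
test1()
{
	tst_res TINFO "verify adding record to the IMA measurement list"
	# /proc/uptime is embedded so the file content differs between runs.
	# The path is quoted so it reaches ROD and ima_check as one argument.
	ROD echo "$(cat /proc/uptime) this is a test file" \> "$TEST_FILE"
	ima_check "$TEST_FILE"
}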
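# test2: rewrite the test file and hand it to ima_check again, to verify
# that the measurement record is updated after a modification.
# Skipped (returns early) when check_iversion_support reports no support.
# Globals: TEST_FILE (read)
test2()
{

	tst_res TINFO "verify updating record in the IMA measurement list"
	check_iversion_support || return
	# The path is quoted so it reaches ROD and ima_check as one argument.
	ROD echo "$(cat /proc/uptime) modified file" \> "$TEST_FILE"
	ima_check "$TEST_FILE"
}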
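# test3: verify that a file written and read by an unprivileged user does
# NOT show up in the measurement list.
# Skipped when sudo or the "nobody" account is unavailable.
# Globals: ASCII_MEASUREMENTS (read)
test3()
{
	local user="nobody"
	local dir="$PWD/user"
	local file="$dir/test.txt"

	# Default policy does not measure user files
	tst_res TINFO "verify not measuring user files"
	tst_check_cmds sudo || return

	if ! id "$user" >/dev/null 2>&1; then
		tst_res TCONF "missing system user $user (wrong installation)"
		return
	fi

	[ -d "$dir" ] || mkdir -m 0700 "$dir"
	chown "$user" "$dir"
	# Without this check a failed cd would make the later "cd .." leave the
	# test directory.
	cd "$dir" || tst_brk TBROK "cannot change directory to $dir"
	# need to read file to get updated $ASCII_MEASUREMENTS
	# The uptime stamp and the path are passed as positional parameters, so
	# the shell started for $user never re-parses them as code.
	sudo -n -u "$user" sh -c 'echo "$1 user file" > "$2"; cat "$2" > /dev/null' \
		sh "$(cat /proc/uptime)" "$file"
	cd ..

	# NOTE(review): $file is spliced into a single command string and used
	# as a grep regex. How EXPECT_FAIL splits that string is not visible
	# here, so the call is left as is; a path containing whitespace would
	# presumably break it.
	EXPECT_FAIL "grep $file $ASCII_MEASUREMENTS"
}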
# Load the shared IMA helper library. It is sourced after the definitions
# above, presumably so that it sees the TST_* settings and test functions.
. ima_setup.sh

# Hand control to the test runner provided by the sourced library.
tst_run