This helps to run all test cases on systems without CONFIG_IMA_WRITE_POLICY=y (disabled by default in mainline and therefore disabled in some distros, e.g. openSUSE Tumbleweed), if the SUT reboots.
Signed-off-by: Petr Vorel <[email protected]>
---
 runtest/ima | 5 +-
 .../integrity/ima/tests/ima_conditionals.sh | 67 ++++++++++++-------
 2 files changed, 46 insertions(+), 26 deletions(-)

diff --git a/runtest/ima b/runtest/ima
index 01942eefa3..c8d0c6801e 100644
--- a/runtest/ima
+++ b/runtest/ima
@@ -6,5 +6,8 @@ ima_violations ima_violations.sh
 ima_keys ima_keys.sh
 ima_kexec ima_kexec.sh
 ima_selinux ima_selinux.sh
-ima_conditionals ima_conditionals.sh
+ima_conditionals_uid ima_conditionals.sh -r uid
+ima_conditionals_fowner ima_conditionals.sh -r fowner
+ima_conditionals_gid ima_conditionals.sh -r gid
+ima_conditionals_fgroup ima_conditionals.sh -r fgroup
 evm_overlay evm_overlay.sh
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_conditionals.sh b/testcases/kernel/security/integrity/ima/tests/ima_conditionals.sh
index ae947db1e9..7dd37373cd 100755
--- a/testcases/kernel/security/integrity/ima/tests/ima_conditionals.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_conditionals.sh
@@ -11,35 +11,66 @@ TST_NEEDS_CMDS="cat chgrp chown" TST_SETUP="setup" -TST_CNT=1 +TST_OPTS="r:" +TST_USAGE="usage" +TST_PARSE_ARGS="parse_args" +REQUEST="uid" + +parse_args() +{ + REQUEST="$2" +} + +usage() +{ + cat << EOF +usage: $0 [-r <uid|fowner|gid|fgroup>] + +OPTIONS +-r Specify the request to be measured. One of: + uid, fowner, gid, fgroup + Default: uid +EOF +} setup() { + case "$REQUEST" in + fgroup|fowner|gid|uid) + tst_res TINFO "request '$REQUEST'" + ;; + *) tst_brk TBROK "Invalid -r '$REQUEST', use: -r <uid|fowner|gid|fgroup>";; + esac + if check_need_signed_policy; then tst_brk TCONF "policy have to be signed" fi } -verify_measurement() +test() { + # needs to be checked each run (not in setup) + require_policy_writable + local request="$1" - local user="nobody" local test_file="$PWD/test.txt" local cmd="cat $test_file > /dev/null" - local value="$TST_USR_UID" - [ "$request" = 'gid' -o "$request" = 'fgroup' ] && value="$TST_USR_GID" - # needs to be checked each run (not in setup) - require_policy_writable + if [ "$REQUEST" = 'gid' -o "$REQUEST" = 'fgroup' ]; then + if tst_kvcmp -lt 5.16; then + tst_brk TCONF "gid and fgroup options require kernel 5.16 or newer" + fi + value="$TST_USR_GID" + fi ROD rm -f $test_file - tst_res TINFO "verify measuring user files when requested via $request" - ROD echo "measure $request=$value" \> $IMA_POLICY - ROD echo "$(cat /proc/uptime) $request test" \> $test_file + tst_res TINFO "verify measuring user files when requested via $REQUEST" + ROD echo "measure $REQUEST=$value" \> $IMA_POLICY + ROD echo "$(cat /proc/uptime) $REQUEST test" \> $test_file - case "$request" in + case "$REQUEST" in fgroup) chgrp $TST_USR_GID $test_file sh -c "$cmd" 
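Review bot: `test()` appears to keep `local request="$1"` (it reads as an unchanged line between the added `require_policy_writable` and the removed `local user`), yet every later use was switched to `$REQUEST`, so the variable is dead and should be dropped; the collapsed hunk also leaves it unclear whether `local value="$TST_USR_UID"` survives, and if it was removed the uid and fowner runs would write `measure uid=` with an empty value, so the default (and its `local`) should stay above the new `if`. The `tst_kvcmp -lt 5.16` TCONF would sit better next to the `-r` validation in `setup()`, so that an unsupported gid/fgroup request is rejected before `require_policy_writable` runs and before anything is written to `$IMA_POLICY`. Using `case "$REQUEST" in gid|fgroup)` there instead of `[ ... -o ... ]` would also avoid the ambiguous `-o` and match the idiom `setup()` already uses. `test()` continues past this hunk; its remaining `case` arms and the `ima_check` call are in the next one.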
@@ -49,24 +80,10 @@ verify_measurement()
 sh -c "$cmd"
 ;;
 gid|uid) tst_runas sh -c "$cmd";;
- *) tst_brk TBROK "Invalid res type '$1'";;
 esac
 ima_check $test_file
 }
-test1()
-{
- verify_measurement uid
- verify_measurement fowner
-
- if tst_kvcmp -lt 5.16; then
- tst_brk TCONF "gid and fgroup options require kernel 5.16 or newer"
- fi
-
- verify_measurement gid
- verify_measurement fgroup
-}
-
 . ima_setup.sh
 tst_run
-- 
2.51.0
