[PATCH] sample xfstests IMA-appraisal test module (resending)

Mimi Zohar zohar at linux.vnet.ibm.com
Fri Jun 9 19:55:43 UTC 2017


On systems where IMA-appraisal is configured, the file system properly
labeled and the system booted with the "ima_tcb ima_appraise_tcb" boot
command line options, new files created by root will have a file hash
written out as security.ima.

This xfstest creates a file and compares its security.ima xattr before and
after modifying the file.  The results are compared with the "good"
file.

(For filesystems that are configured with IMA-appraisal, but aren't
labeled properly, boot the system with the "ima_appraise=tcb" boot
command line option as well.)

Mimi Zohar <zohar at linux.vnet.ibm.com>
---
 tests/generic/440     | 89 +++++++++++++++++++++++++++++++++++++++++++++++++++
 tests/generic/440.out | 13 ++++++++
 tests/generic/group   |  1 +
 3 files changed, 103 insertions(+)
 create mode 100755 tests/generic/440
 create mode 100644 tests/generic/440.out

diff --git a/tests/generic/440 b/tests/generic/440
new file mode 100755
index 0000000..8616a48
--- /dev/null
+++ b/tests/generic/440
@@ -0,0 +1,89 @@
+#! /bin/bash
+# FS QA Test No. 440
+#
+# Tests IMA-appraisal
+# Derived from 062 tests
+#
+
+seq=`basename $0`
+seqres=$RESULT_DIR/$seq
+echo "QA output created by $seq"
+
+here=`pwd`
+tmp=/tmp/$$
+status=1	# failure is the default!
+
+# get standard environment, filters and checks
+. ./common/rc
+. ./common/filter
+. ./common/attr
+
+if [ "$FSTYP" = "btrfs" ]; then
+. ./common/btrfs
+elif [ "$FSTYP" = "xfs" ]; then
+. ./common/xfs
+fi
+
+_cleanup()
+{
+        cd /
+	echo; echo "*** unmount"
+	_scratch_unmount 2>/dev/null
+	rm -f $tmp.*
+}
+trap "_cleanup; exit \$status" 0 1 2 3 15
+
+getfattr()
+{
+    $GETFATTR_PROG --absolute-names -dh $@ 2>&1 | _filter_scratch
+}
+
+setfattr()
+{
+    $SETFATTR_PROG $@ 2>&1 | _filter_scratch
+}
+
+_create_test_bed()
+{
+	echo "*** create temporary file"
+	echo "Hello" >  $SCRATCH_MNT/hello.txt
+}
+
+# real QA test starts here
+_supported_fs generic
+_supported_os Linux
+
+_require_scratch
+_require_attrs
+_require_command "$(which timeout)" "timeout"
+
+# real QA test starts here
+_scratch_mkfs > /dev/null 2>&1 || _fail "mkfs failed"
+_scratch_mount || _fail "mount failed"
+_create_test_bed
+
+xattr="security.ima"
+testfile="hello.txt"
+
+if [ ! -f $SCRATCH_MNT/$testfile ]; then
+	echo "File $testfile does not exist"
+	msleep 1
+fi
+
+echo "*** Reading $SCRATCH_MNT"
+timeout -s KILL 2 cat $SCRATCH_MNT/$testfile > /dev/null
+if [ $? -ne 0 ]; then
+	echo "Failed to read $SCRATCH_MNT/$testfile"
+fi
+
+echo "*** initial security.ima hash"
+getfattr -e hex -n $xattr $SCRATCH_MNT/$testfile
+
+echo " World!" >> $SCRATCH_MNT/$testfile
+
+echo "*** updated security.ima hash"
+getfattr -e hex -n $xattr $SCRATCH_MNT/$testfile
+
+# success, all done
+status=0
+exit
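Review bot: Nothing in the script verifies that IMA-appraisal is active before the getfattr calls at lines 114 and 119 read security.ima, so on a kernel booted without the options the commit message requires the attribute is simply absent and the test fails rather than being skipped; the xfstests way is a `_require_`-style guard that calls `_notrun` when the precondition is missing, e.g. a check of `/proc/cmdline` for `ima_appraise` or of the IMA securityfs entries (the exact probe needs confirming against the kernel in use). The `msleep 1` at line 104 is not a standard utility and looks like a typo for `sleep`; either way, a missing test file right after `_create_test_bed` is a hard error, so `_fail "File $testfile does not exist"` is the better branch. The `timeout -s KILL 2 cat` at line 108 deserves a one-line comment explaining why a timeout is needed for a plain read, since an appraisal failure would surface as an error from cat, not as a hang, and the branch below only prints and continues.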
diff --git a/tests/generic/440.out b/tests/generic/440.out
new file mode 100644
index 0000000..a827377
--- /dev/null
+++ b/tests/generic/440.out
@@ -0,0 +1,13 @@
+QA output created by 440
+*** create temporary file
+*** Reading /mnt/scratch
+*** initial security.ima hash
+# file: SCRATCH_MNT/hello.txt
+security.ima=0x040466a045b452102c59d840ec097d59d9467e13a3f34f6494e539ffd32c1bb35f18
+
+*** updated security.ima hash
+# file: SCRATCH_MNT/hello.txt
+security.ima=0x0404cddd9990ad741e165a6a50990afe969c2233fc8794d027cdbf382f698a62a22f
+
+
+*** unmount
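Review bot: Line 132 hard-codes `/mnt/scratch` while the other paths in this file appear as `SCRATCH_MNT`, because the script's `echo "*** Reading $SCRATCH_MNT"` is not passed through `_filter_scratch`; the golden comparison will therefore fail on any host whose SCRATCH_MNT is elsewhere. Change the script line to `echo "*** Reading SCRATCH_MNT"` (or pipe that echo through `_filter_scratch`) and this line to `*** Reading SCRATCH_MNT`. Both security.ima values are `0x0404` followed by a 32-byte digest, which looks like the sha256 encoding, so presumably this expected output is also tied to the kernel's IMA hash algorithm setting; worth stating in the test header, or guarding, so a mismatch is reported as a skipped precondition rather than a failed test.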
diff --git a/tests/generic/group b/tests/generic/group
index 5d3e4dc..c1ecc23 100644
--- a/tests/generic/group
+++ b/tests/generic/group
@@ -442,3 +442,4 @@
 437 auto quick
 438 auto
 439 auto quick punch
+440 attr
-- 
2.9.3
