From patchwork Fri Jun 9 19:55:43 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mimi Zohar X-Patchwork-Id: 9779157 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id B67CC6034B for ; Fri, 9 Jun 2017 19:56:49 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id A688A2857D for ; Fri, 9 Jun 2017 19:56:49 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 9AAC9286B7; Fri, 9 Jun 2017 19:56:49 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 2704D2857D for ; Fri, 9 Jun 2017 19:56:48 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751652AbdFIT4q (ORCPT ); Fri, 9 Jun 2017 15:56:46 -0400 Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]:47638 "EHLO mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751656AbdFIT4p (ORCPT ); Fri, 9 Jun 2017 15:56:45 -0400 Received: from pps.filterd (m0098399.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.20/8.16.0.20) with SMTP id v59Js0CT140575 for ; Fri, 9 Jun 2017 15:56:45 -0400 Received: from e23smtp04.au.ibm.com (e23smtp04.au.ibm.com [202.81.31.146]) by mx0a-001b2d01.pphosted.com with ESMTP id 2ays2mj75m-1 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=NOT) for ; Fri, 09 Jun 2017 15:56:45 -0400 Received: from localhost by e23smtp04.au.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Sat, 10 Jun 2017 05:56:42 +1000 Received: from d23relay07.au.ibm.com (202.81.31.226) by e23smtp04.au.ibm.com (202.81.31.210) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; Sat, 10 Jun 2017 05:56:41 +1000 Received: from d23av05.au.ibm.com (d23av05.au.ibm.com [9.190.234.119]) by d23relay07.au.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id v59JuW0Q66977934; Sat, 10 Jun 2017 05:56:40 +1000 Received: from d23av05.au.ibm.com (localhost [127.0.0.1]) by d23av05.au.ibm.com (8.14.4/8.14.4/NCO v10.0 AVout) with ESMTP id v59Ju8X2021813; Sat, 10 Jun 2017 05:56:08 +1000 Received: from localhost.localdomain ([9.80.110.47]) by d23av05.au.ibm.com (8.14.4/8.14.4/NCO v10.0 AVin) with ESMTP id v59Ju55K021438; Sat, 10 Jun 2017 05:56:06 +1000 Subject: [PATCH] sample xfstests IMA-appraisal test module (resending) From: Mimi Zohar To: Christoph Hellwig , Al Viro Cc: James Morris , linux-fsdevel@vger.kernel.org, linux-ima-devel@lists.sourceforge.net, linux-security-module@vger.kernel.org Date: Fri, 09 Jun 2017 15:55:43 -0400 In-Reply-To: <1497031364-19949-1-git-send-email-zohar@linux.vnet.ibm.com> References: <1497031364-19949-1-git-send-email-zohar@linux.vnet.ibm.com> X-Mailer: Evolution 3.20.5 (3.20.5-1.fc24) Mime-Version: 1.0 X-TM-AS-MML: disable x-cbid: 17060919-0012-0000-0000-00000245007C X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 17060919-0013-0000-0000-0000075D0FB2 Message-Id: <1497038143.21594.251.camel@linux.vnet.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-06-09_09:, , signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 suspectscore=0 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1703280000 definitions=main-1706090346 Sender: linux-fsdevel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-fsdevel@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP On systems where IMA-appraisal is configured, the file system properly labeled and the system booted with the "ima_tcb ima_appraise_tcb" boot command line options, new files created by root will have a file hash written out as security.ima. This xfstests creates a file and compares the security.ima before and after modifying the file. The results are compared with the "good" file. (For filesystems that are configured with IMA-appraisal, but aren't labeled properly, boot the system with the "ima_appraise=tcb" boot command line option as well.) Mimi Zohar --- tests/generic/440 | 89 +++++++++++++++++++++++++++++++++++++++++++++++++++ tests/generic/440.out | 13 ++++++++ tests/generic/group | 1 + 3 files changed, 103 insertions(+) create mode 100755 tests/generic/440 create mode 100644 tests/generic/440.out diff --git a/tests/generic/440 b/tests/generic/440 new file mode 100755 index 0000000..8616a48 --- /dev/null +++ b/tests/generic/440 @@ -0,0 +1,89 @@ +#! /bin/bash +# FS QA Test No. 440 +# +# Tests IMA-appraisal +# Derived from 062 tests +# + +seq=`basename $0` +seqres=$RESULT_DIR/$seq +echo "QA output created by $seq" + +here=`pwd` +tmp=/tmp/$$ +status=1 # failure is the default! + +# get standard environment, filters and checks +. ./common/rc +. ./common/filter +. ./common/attr + +if [ "$FSTYP" = "btrfs" ]; then +. ./common/btrfs +elif [ "$FSTYP" = "xfs" ]; then +. ./common/xfs +fi + +_cleanup() +{ + cd / + echo; echo "*** unmount" + _scratch_unmount 2>/dev/null + rm -f $tmp.* +} +trap "_cleanup; exit \$status" 0 1 2 3 15 + +getfattr() +{ + $GETFATTR_PROG --absolute-names -dh $@ 2>&1 | _filter_scratch +} + +setfattr() +{ + $SETFATTR_PROG $@ 2>&1 | _filter_scratch +} + +_create_test_bed() +{ + echo "*** create temporary file" + echo "Hello" > $SCRATCH_MNT/hello.txt +} + +# real QA test starts here +_supported_fs generic +_supported_os Linux + +_require_scratch +_require_attrs +_require_command "$(which timeout)" "timeout" + +# real QA test starts here +_scratch_mkfs > /dev/null 2>&1 || _fail "mkfs failed" +_scratch_mount || _fail "mount failed" +_create_test_bed + +xattr="security.ima" +testfile="hello.txt" + +if [ ! -f $SCRATCH_MNT/$testfile ]; then + echo "File $testfile does not exist" + msleep 1 +fi + +echo "*** Reading $SCRATCH_MNT" +timeout -s KILL 2 cat $SCRATCH_MNT/$testfile > /dev/null +if [ $? -ne 0 ]; then + echo "Failed to read $SCRATCH_MNT/$testfile" +fi + +echo "*** initial security.ima hash" +getfattr -e hex -n $xattr $SCRATCH_MNT/$testfile + +echo " World!" >> $SCRATCH_MNT/$testfile + +echo "*** updated security.ima hash" +getfattr -e hex -n $xattr $SCRATCH_MNT/$testfile + +# success, all done +status=0 +exit diff --git a/tests/generic/440.out b/tests/generic/440.out new file mode 100644 index 0000000..a827377 --- /dev/null +++ b/tests/generic/440.out @@ -0,0 +1,13 @@ +QA output created by 440 +*** create temporary file +*** Reading /mnt/scratch +*** initial security.ima hash +# file: SCRATCH_MNT/hello.txt +security.ima=0x040466a045b452102c59d840ec097d59d9467e13a3f34f6494e539ffd32c1bb35f18 + +*** updated security.ima hash +# file: SCRATCH_MNT/hello.txt +security.ima=0x0404cddd9990ad741e165a6a50990afe969c2233fc8794d027cdbf382f698a62a22f + + +*** unmount diff --git a/tests/generic/group b/tests/generic/group index 5d3e4dc..c1ecc23 100644 --- a/tests/generic/group +++ b/tests/generic/group @@ -442,3 +442,4 @@ 437 auto quick 438 auto 439 auto quick punch +440 attr