
[ltp,v5,2/3] IMA: Move ima_check to ima_setup.sh

Message ID 20210922020801.466936-2-alexh@vpitech.com (mailing list archive)
State New, archived
Series [ltp,v5,1/3] IMA: Move check_policy_writable to ima_setup.sh and rename it | expand

Commit Message

Alex Henrie Sept. 22, 2021, 2:08 a.m. UTC
Signed-off-by: Alex Henrie <alexh@vpitech.com>
---
 .../integrity/ima/tests/ima_measurements.sh   | 28 -------------------
 .../security/integrity/ima/tests/ima_setup.sh | 28 +++++++++++++++++++
 2 files changed, 28 insertions(+), 28 deletions(-)

Comments

Petr Vorel Sept. 22, 2021, 11:47 a.m. UTC | #1
> Signed-off-by: Alex Henrie <alexh@vpitech.com>
> ---
>  .../integrity/ima/tests/ima_measurements.sh   | 28 -------------------
>  .../security/integrity/ima/tests/ima_setup.sh | 28 +++++++++++++++++++
>  2 files changed, 28 insertions(+), 28 deletions(-)

> diff --git a/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh b/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh
> index 1927e937c..807c5f57b 100755
> --- a/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh
> +++ b/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh
> @@ -17,38 +17,10 @@ setup()
>  {
>  	require_ima_policy_cmdline "tcb"

> -	TEST_FILE="$PWD/test.txt"
>  	POLICY="$IMA_DIR/policy"
>  	[ -f "$POLICY" ] || tst_res TINFO "not using default policy"
>  }

> -ima_check()
> -{
> -	local algorithm digest expected_digest line tmp
> -
> -	# need to read file to get updated $ASCII_MEASUREMENTS
> -	cat $TEST_FILE > /dev/null
> -
> -	line="$(grep $TEST_FILE $ASCII_MEASUREMENTS | tail -1)"
> -
> -	if tmp=$(get_algorithm_digest "$line"); then
> -		algorithm=$(echo "$tmp" | cut -d'|' -f1)
> -		digest=$(echo "$tmp" | cut -d'|' -f2)
> -	else
> -		tst_res TBROK "failed to get algorithm/digest for '$TEST_FILE': $tmp"
> -	fi
> -
> -	tst_res TINFO "computing digest for $algorithm algorithm"
> -	expected_digest="$(compute_digest $algorithm $TEST_FILE)" || \
> -		tst_brk TCONF "cannot compute digest for $algorithm algorithm"
> -
> -	if [ "$digest" = "$expected_digest" ]; then
> -		tst_res TPASS "correct digest found"
> -	else
> -		tst_res TFAIL "digest not found"
> -	fi
> -}
> -
>  check_iversion_support()
>  {
>  	local device mount fs
> diff --git a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
> index 9c25d634d..976c6a86c 100644
> --- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
> +++ b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
> @@ -188,6 +188,7 @@ ima_setup()
>  	if [ "$TST_NEEDS_DEVICE" = 1 ]; then
>  		tst_res TINFO "\$TMPDIR is on tmpfs => run on loop device"
>  		mount_loop_device
> +		TEST_FILE="$PWD/test.txt"
This is wrong, it's causing error, unless you have $TMPDIR (usually /tmp) on
tmpfs it's not defined and leads to error:

ima_measurements 1 TINFO: verify adding record to the IMA measurement list
tst_rod: Missing filename after >
ima_measurements 1 TBROK: echo Wed Sep 22 12:24:17 CEST 2021 this is a test file > failed

And even on tmpfs it fails (maybe caused by old kernel 3.10):

ima_measurements 1 TINFO: $TMPDIR is on tmpfs => run on loop device
ima_measurements 1 TINFO: Formatting /dev/loop0 with ext3 extra opts=''
ima_measurements 1 TINFO: not using default policy
ima_measurements 1 TINFO: verify adding record to the IMA measurement list
ima_measurements 1 TBROK: failed to get algorithm/digest for '/tmp/LTP_ima_measurements.dLS7yCTHLY/mntpoint/test.txt': measurement record not found
ima_measurements 1 TINFO: computing digest for  algorithm
                                               ^
                                               => notice space - algorithm not detected
ima_measurements 1 TCONF: cannot compute digest for  algorithm
                                               ^
                                               => also here.

It's also wrong that $PWD is unique for each test and TMPDIR is removed after
test, thus TEST_FILE will not exist for the second test (ima_conditionals.sh).
Also, ima_setup(). Also, I put IMA related variables into ima_setup.sh.
TEST_FILE is not such a variable, thus I'd keep $TEST_FILE in ima_measurements.sh and
define local test_file="$PWD/test.txt" in the only function in ima_conditionals.sh.

Also I intend to remove the duplication in ima_conditionals.sh, thus I'll send v6 in a minute.

Kind regards,
Petr

Patch

diff --git a/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh b/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh
index 1927e937c..807c5f57b 100755
--- a/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh
@@ -17,38 +17,10 @@  setup()
 {
 	require_ima_policy_cmdline "tcb"
 
-	TEST_FILE="$PWD/test.txt"
 	POLICY="$IMA_DIR/policy"
 	[ -f "$POLICY" ] || tst_res TINFO "not using default policy"
 }
 
-ima_check()
-{
-	local algorithm digest expected_digest line tmp
-
-	# need to read file to get updated $ASCII_MEASUREMENTS
-	cat $TEST_FILE > /dev/null
-
-	line="$(grep $TEST_FILE $ASCII_MEASUREMENTS | tail -1)"
-
-	if tmp=$(get_algorithm_digest "$line"); then
-		algorithm=$(echo "$tmp" | cut -d'|' -f1)
-		digest=$(echo "$tmp" | cut -d'|' -f2)
-	else
-		tst_res TBROK "failed to get algorithm/digest for '$TEST_FILE': $tmp"
-	fi
-
-	tst_res TINFO "computing digest for $algorithm algorithm"
-	expected_digest="$(compute_digest $algorithm $TEST_FILE)" || \
-		tst_brk TCONF "cannot compute digest for $algorithm algorithm"
-
-	if [ "$digest" = "$expected_digest" ]; then
-		tst_res TPASS "correct digest found"
-	else
-		tst_res TFAIL "digest not found"
-	fi
-}
-
 check_iversion_support()
 {
 	local device mount fs
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
index 9c25d634d..976c6a86c 100644
--- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
@@ -188,6 +188,7 @@  ima_setup()
 	if [ "$TST_NEEDS_DEVICE" = 1 ]; then
 		tst_res TINFO "\$TMPDIR is on tmpfs => run on loop device"
 		mount_loop_device
+		TEST_FILE="$PWD/test.txt"
 	fi
 
 	[ -n "$TST_SETUP_CALLER" ] && $TST_SETUP_CALLER
@@ -279,6 +280,33 @@  get_algorithm_digest()
 	echo "$algorithm|$digest"
 }
 
+ima_check()
+{
+	local algorithm digest expected_digest line tmp
+
+	# need to read file to get updated $ASCII_MEASUREMENTS
+	cat $TEST_FILE > /dev/null
+
+	line="$(grep $TEST_FILE $ASCII_MEASUREMENTS | tail -1)"
+
+	if tmp=$(get_algorithm_digest "$line"); then
+		algorithm=$(echo "$tmp" | cut -d'|' -f1)
+		digest=$(echo "$tmp" | cut -d'|' -f2)
+	else
+		tst_res TBROK "failed to get algorithm/digest for '$TEST_FILE': $tmp"
+	fi
+
+	tst_res TINFO "computing digest for $algorithm algorithm"
+	expected_digest="$(compute_digest $algorithm $TEST_FILE)" || \
+		tst_brk TCONF "cannot compute digest for $algorithm algorithm"
+
+	if [ "$digest" = "$expected_digest" ]; then
+		tst_res TPASS "correct digest found"
+	else
+		tst_res TFAIL "digest not found"
+	fi
+}
+
 # check_evmctl REQUIRED_TPM_VERSION
 # return: 0: evmctl is new enough, 1: version older than required (or version < v0.9)
 check_evmctl()
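Review bot: In the added ima_check(), `grep $TEST_FILE $ASCII_MEASUREMENTS | tail -1` uses the path as an unquoted regular expression, so `.` matches any character, a path with whitespace is word-split, and a longer path sharing the same prefix can be picked as the "last" record. Because this helper decides whether the measurement list holds the right digest, the lookup should be literal and quoted: `line="$(grep -F -- "$TEST_FILE" "$ASCII_MEASUREMENTS" | tail -1)"`, with `cat "$TEST_FILE"` and `compute_digest "$algorithm" "$TEST_FILE"` quoted the same way. The failure branch calls `tst_res TBROK` and then falls through with empty `$algorithm` and `$digest`, so a missing measurement record is followed by `tst_brk TCONF`; adding `return` after the TBROK line would keep the result unambiguous. Now that the function is shared from ima_setup.sh, a short header comment naming the globals it reads (`$TEST_FILE`, `$ASCII_MEASUREMENTS`) would help other callers.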