Message ID | 20210922020801.466936-2-alexh@vpitech.com (mailing list archive) |
---|---|
State | New, archived |
Series | [ltp,v5,1/3] IMA: Move check_policy_writable to ima_setup.sh and rename it |
> Signed-off-by: Alex Henrie <alexh@vpitech.com> > --- > .../integrity/ima/tests/ima_measurements.sh | 28 ------------------- > .../security/integrity/ima/tests/ima_setup.sh | 28 +++++++++++++++++++ > 2 files changed, 28 insertions(+), 28 deletions(-) > diff --git a/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh b/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh > index 1927e937c..807c5f57b 100755 > --- a/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh > +++ b/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh > @@ -17,38 +17,10 @@ setup() > { > require_ima_policy_cmdline "tcb" > - TEST_FILE="$PWD/test.txt" > POLICY="$IMA_DIR/policy" > [ -f "$POLICY" ] || tst_res TINFO "not using default policy" > } > -ima_check() > -{ > - local algorithm digest expected_digest line tmp > - > - # need to read file to get updated $ASCII_MEASUREMENTS > - cat $TEST_FILE > /dev/null > - > - line="$(grep $TEST_FILE $ASCII_MEASUREMENTS | tail -1)" > - > - if tmp=$(get_algorithm_digest "$line"); then > - algorithm=$(echo "$tmp" | cut -d'|' -f1) > - digest=$(echo "$tmp" | cut -d'|' -f2) > - else > - tst_res TBROK "failed to get algorithm/digest for '$TEST_FILE': $tmp" > - fi > - > - tst_res TINFO "computing digest for $algorithm algorithm" > - expected_digest="$(compute_digest $algorithm $TEST_FILE)" || \ > - tst_brk TCONF "cannot compute digest for $algorithm algorithm" > - > - if [ "$digest" = "$expected_digest" ]; then > - tst_res TPASS "correct digest found" > - else > - tst_res TFAIL "digest not found" > - fi > -} > - > check_iversion_support() > { > local device mount fs > diff --git a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh > index 9c25d634d..976c6a86c 100644 > --- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh > +++ b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh 
> @@ -188,6 +188,7 @@ ima_setup() > if [ "$TST_NEEDS_DEVICE" = 1 ]; then > tst_res TINFO "\$TMPDIR is on tmpfs => run on loop device" > mount_loop_device > + TEST_FILE="$PWD/test.txt"

This is wrong, it's causing an error: unless you have $TMPDIR (usually /tmp) on tmpfs, it's not defined and leads to an error:

ima_measurements 1 TINFO: verify adding record to the IMA measurement list
tst_rod: Missing filename after >
ima_measurements 1 TBROK: echo Wed Sep 22 12:24:17 CEST 2021 this is a test file > failed

And even on tmpfs it fails (maybe caused by old kernel 3.10):

ima_measurements 1 TINFO: $TMPDIR is on tmpfs => run on loop device
ima_measurements 1 TINFO: Formatting /dev/loop0 with ext3 extra opts=''
ima_measurements 1 TINFO: not using default policy
ima_measurements 1 TINFO: verify adding record to the IMA measurement list
ima_measurements 1 TBROK: failed to get algorithm/digest for '/tmp/LTP_ima_measurements.dLS7yCTHLY/mntpoint/test.txt': measurement record not found
ima_measurements 1 TINFO: computing digest for algorithm
^ => notice space - algorithm not detected
ima_measurements 1 TCONF: cannot compute digest for algorithm
^ => also here.

It's also wrong that $PWD is unique for each test and TMPDIR is removed after the test, thus TEST_FILE will not exist for the second test (ima_conditionals.sh).

Also, ima_setup().

Also, I put into ima_setup.sh IMA-related variables. TEST_FILE is not that case, thus I'd keep $TEST_FILE in ima_measurements.sh and define local test_file="$PWD/test.txt" in the only function in ima_conditionals.sh.

Also I intend to remove duplicity in ima_conditionals.sh, thus I'll send v6 in a minute.

Kind regards,
Petr
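The two failures reported in the reply above (an unset test file path, and a lookup that carries on after "measurement record not found") can be caught by a lookup helper that fails early. This is an added example, not LTP code and not part of the original thread; lookup_digest and sample_list are hypothetical names, the records are constructed, and it assumes ima-ng style records with paths that contain no whitespace.

```shell
# Constructed sample records (not real measurements), ima-ng layout:
# PCR template-hash template-name algorithm:digest path
sample_list()
{
	cat <<'EOF'
10 1111111111111111111111111111111111111111 ima-ng sha256:aaaa /tmp/demo/test.txt
10 2222222222222222222222222222222222222222 ima-ng sha256:cccc /tmp/demo/test.txt
10 3333333333333333333333333333333333333333 ima-ng sha256:bbbb /tmp/demo/testXtxt
EOF
}

# lookup_digest PATH: reads a measurement list on stdin and prints
# "algorithm|digest" of the last record for PATH (hypothetical helper).
lookup_digest()
{
	ld_path="$1"

	# Unset path variable: fail before any redirection or lookup uses it.
	if [ -z "$ld_path" ]; then
		echo "test file path is empty" >&2
		return 2
	fi

	# Compare the path to field 5 as a plain string; grep without -F would
	# treat "." as a wildcard and also match the testXtxt record.
	ld_field=$(LD_PATH="$ld_path" awk \
		'$5 == ENVIRON["LD_PATH"] { f = $4 } END { print f }')

	case "$ld_field" in
	?*:?*)	echo "${ld_field%%:*}|${ld_field#*:}" ;;
	*)	# No record, or no algorithm prefix: stop here instead of
		# continuing with an empty algorithm.
		echo "measurement record not found" >&2
		return 1 ;;
	esac
}
```

A caller would run it as `sample_list | lookup_digest "$TEST_FILE"` and stop the test on any non-zero status.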
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh b/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh index 1927e937c..807c5f57b 100755 --- a/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh +++ b/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh @@ -17,38 +17,10 @@ setup() { require_ima_policy_cmdline "tcb" - TEST_FILE="$PWD/test.txt" POLICY="$IMA_DIR/policy" [ -f "$POLICY" ] || tst_res TINFO "not using default policy" } -ima_check() -{ - local algorithm digest expected_digest line tmp - - # need to read file to get updated $ASCII_MEASUREMENTS - cat $TEST_FILE > /dev/null - - line="$(grep $TEST_FILE $ASCII_MEASUREMENTS | tail -1)" - - if tmp=$(get_algorithm_digest "$line"); then - algorithm=$(echo "$tmp" | cut -d'|' -f1) - digest=$(echo "$tmp" | cut -d'|' -f2) - else - tst_res TBROK "failed to get algorithm/digest for '$TEST_FILE': $tmp" - fi - - tst_res TINFO "computing digest for $algorithm algorithm" - expected_digest="$(compute_digest $algorithm $TEST_FILE)" || \ - tst_brk TCONF "cannot compute digest for $algorithm algorithm" - - if [ "$digest" = "$expected_digest" ]; then - tst_res TPASS "correct digest found" - else - tst_res TFAIL "digest not found" - fi -} - check_iversion_support() { local device mount fs diff --git a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh index 9c25d634d..976c6a86c 100644 --- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh +++ b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh @@ -188,6 +188,7 @@ ima_setup() if [ "$TST_NEEDS_DEVICE" = 1 ]; then tst_res TINFO "\$TMPDIR is on tmpfs => run on loop device" mount_loop_device + TEST_FILE="$PWD/test.txt" fi [ -n "$TST_SETUP_CALLER" ] && $TST_SETUP_CALLER 
@@ -279,6 +280,33 @@ get_algorithm_digest() echo "$algorithm|$digest" } +ima_check() +{ + local algorithm digest expected_digest line tmp + + # need to read file to get updated $ASCII_MEASUREMENTS + cat $TEST_FILE > /dev/null + + line="$(grep $TEST_FILE $ASCII_MEASUREMENTS | tail -1)" + + if tmp=$(get_algorithm_digest "$line"); then + algorithm=$(echo "$tmp" | cut -d'|' -f1) + digest=$(echo "$tmp" | cut -d'|' -f2) + else + tst_res TBROK "failed to get algorithm/digest for '$TEST_FILE': $tmp" + fi + + tst_res TINFO "computing digest for $algorithm algorithm" + expected_digest="$(compute_digest $algorithm $TEST_FILE)" || \ + tst_brk TCONF "cannot compute digest for $algorithm algorithm" + + if [ "$digest" = "$expected_digest" ]; then + tst_res TPASS "correct digest found" + else + tst_res TFAIL "digest not found" + fi +} + # check_evmctl REQUIRED_TPM_VERSION # return: 0: evmctl is new enough, 1: version older than required (or version < v0.9) check_evmctl()
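Review bot: In the ima_setup() hunk of ima_setup.sh (@@ -188,6 +188,7 @@), the added TEST_FILE="$PWD/test.txt" sits inside the if [ "$TST_NEEDS_DEVICE" = 1 ] block, so TEST_FILE is left unset whenever that condition is false, while the setup() hunk in ima_measurements.sh removes the only other assignment. Either move the assignment out of the conditional or keep it in the test's own setup(), so that ima_check never runs with an empty path.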
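Review bot: In the ima_check() body added to ima_setup.sh (@@ -279,6 +280,33 @@), the else branch reports the failure with tst_res TBROK and then falls through, so the lines after it still call compute_digest with an empty $algorithm; ending that branch with tst_brk or a return would stop the check at the first failure. While the function is being moved into the shared file, $TEST_FILE should also be quoted in cat $TEST_FILE and grep $TEST_FILE $ASCII_MEASUREMENTS, with grep -F so the path is not read as a regular expression, and a one-line comment above ima_check() should state that the caller must set TEST_FILE.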
Signed-off-by: Alex Henrie <alexh@vpitech.com> --- .../integrity/ima/tests/ima_measurements.sh | 28 ------------------- .../security/integrity/ima/tests/ima_setup.sh | 28 +++++++++++++++++++ 2 files changed, 28 insertions(+), 28 deletions(-)