1#!/bin/sh
2# Copyright (c) 2009 IBM Corporation
3# Copyright (c) 2018 Petr Vorel <pvorel@suse.cz>
4#
5# This program is free software; you can redistribute it and/or
6# modify it under the terms of the GNU General Public License as
7# published by the Free Software Foundation; either version 2 of
8# the License, or (at your option) any later version.
9#
10# This program is distributed in the hope that it would be useful,
11# but WITHOUT ANY WARRANTY; without even the implied warranty of
12# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
13# GNU General Public License for more details.
14#
15# You should have received a copy of the GNU General Public License
16# along with this program. If not, see <http://www.gnu.org/licenses/>.
17#
18# Author: Mimi Zohar, zohar@ibm.vnet.ibm.com
19#
# Test whether ToMToU and open_writers violations invalidate the PCR and are logged.
21
# LTP shell-API configuration: setup() runs once before the test cases,
# there are three test cases (test1..test3), and a test device is
# requested (the test file lives on it; test3's comment about umount
# suggests the device is mounted for the duration of the test).
TST_SETUP="setup"
TST_CNT=3
TST_NEEDS_DEVICE=1

# ima_setup.sh is presumably where $SECURITYFS and tst_run come from;
# daemonlib.sh provides status_daemon, used below to detect auditd.
. ima_setup.sh
. daemonlib.sh
28
#######################################
# One-time test setup.
# Globals:  FILE, IMA_VIOLATIONS, LOG (written); SECURITYFS (read)
# Picks the log that IMA violation messages land in: the audit log when
# auditd is running, otherwise syslog. Breaks the test if that file is
# missing, since every later check greps it.
#######################################
setup()
{
	FILE="test.txt"
	IMA_VIOLATIONS="$SECURITYFS/ima/violations"

	if status_daemon auditd; then
		LOG="/var/log/audit/audit.log"
	else
		LOG="/var/log/messages"
	fi

	if [ ! -f "$LOG" ]; then
		tst_brk TBROK "log $LOG does not exist (bug in detection?)"
	fi
	tst_res TINFO "using log $LOG"
}
42
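#######################################
# Open $FILE for reading on fd 3 and keep it open in the current shell, so a
# later/concurrent writer on the same file can trigger an IMA violation.
# Globals:  FILE (read)
# Returns:  exits the shell with status 1 if the open fails.
# NOTE(review): a plain exit bypasses the LTP result reporting used elsewhere
# in this file (tst_brk); kept as-is, confirm whether tst_brk is preferred.
#######################################
open_file_read()
{
	# Quoted so a path containing spaces or glob characters is still opened.
	exec 3< "$FILE" || exit 1
}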
47
#######################################
# Close the read descriptor (fd 3) opened by open_file_read.
# `<&-` closes the descriptor regardless of the direction it was opened with.
#######################################
close_file_read()
{
	exec 3<&-
}
52
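#######################################
# Open (and truncate) $FILE for writing on fd 4, write one line to it and
# keep the descriptor open in the current shell so the file has an open
# writer while other operations run.
# Globals:  FILE (read)
# Returns:  exits the shell with status 1 if the open fails.
# NOTE(review): a plain exit bypasses the LTP result reporting used elsewhere
# in this file (tst_brk); kept as-is, confirm whether tst_brk is preferred.
#######################################
open_file_write()
{
	# Quoted so a path containing spaces or glob characters is still opened.
	exec 4> "$FILE" || exit 1
	echo 'test writing' >&4
}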
58
#######################################
# Close the write descriptor (fd 4) opened by open_file_write.
#######################################
close_file_write()
{
	exec 4>&-
}
63
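#######################################
# Count log lines that mention the given violation type together with $FILE.
# Globals:    FILE, LOG (read)
# Arguments:  $1 - violation keyword to search for (e.g. open_writers, ToMToU);
#             it is used as part of a regular expression, so keep it literal.
# Outputs:    the number of matching lines on stdout.
# Returns:    0
#######################################
get_count()
{
	local search="$1"
	local count

	# grep -c prints the number of matching lines (0 when none) but exits
	# non-zero when nothing matched, so its status is deliberately ignored
	# and only the number is passed on. If the log could not be read, grep
	# prints nothing; fall back to 0 instead of emitting an empty string
	# that would break the caller's arithmetic comparison.
	count=$(grep -c -- "${search}.*${FILE}" "$LOG")
	echo "${count:-0}"
}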
69
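#######################################
# Check that a violation was both counted by the kernel and logged.
# Globals:    IMA_VIOLATIONS, LOG (read)
# Arguments:  $1 - violation counter read from securityfs before the test
#             $2 - number of matching log lines before the test
#             $3 - violation keyword to look for in the log
# Outputs:    TPASS/TFAIL/TINFO results via tst_res
# Returns:    0
#
# The securityfs counter is checked once per attempt and a missing increment
# is an immediate TFAIL; only the log lookup is retried (up to max_attempt
# times, one second apart), since the log entry may appear with a delay.
#######################################
validate()
{
	local num_violations="$1"
	local count="$2"
	local search="$3"
	local max_attempt=3
	local count2 i num_violations_new

	i=1
	while [ "$i" -le "$max_attempt" ]; do
		read -r num_violations_new < "$IMA_VIOLATIONS"
		count2="$(get_count "$search")"

		if [ $((num_violations_new - num_violations)) -le 0 ]; then
			tst_res TFAIL "$search violation not added"
			return
		fi
		if [ "$count2" -gt "$count" ]; then
			tst_res TPASS "$search violation added"
			return
		fi

		tst_res TINFO "$search not found in $LOG ($i/$max_attempt attempt)..."
		tst_sleep 1s
		i=$((i + 1))
	done
	tst_res TFAIL "$search not found in $LOG"
}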
96
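#######################################
# test1: open the file for writing first, then for reading. With a writer
# already present, the read should be recorded as an open_writers violation.
# Globals:  IMA_VIOLATIONS (read), FILE/LOG via the helpers
#######################################
test1()
{
	tst_res TINFO "verify open writers violation"

	local search="open_writers"
	local count num_violations

	# Baseline: kernel counter and current number of matching log lines.
	read -r num_violations < "$IMA_VIOLATIONS"
	count="$(get_count "$search")"

	open_file_write
	open_file_read
	close_file_read
	close_file_write

	validate "$num_violations" "$count" "$search"
}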
114
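#######################################
# test2: open the file for reading first, then for writing. Writing to a file
# that is already open for reading should be recorded as a ToMToU violation.
# Globals:  IMA_VIOLATIONS (read), FILE/LOG via the helpers
#######################################
test2()
{
	tst_res TINFO "verify ToMToU violation"

	local search="ToMToU"
	local count num_violations

	# Baseline: kernel counter and current number of matching log lines.
	read -r num_violations < "$IMA_VIOLATIONS"
	count="$(get_count "$search")"

	open_file_read
	open_file_write
	close_file_write
	close_file_read

	validate "$num_violations" "$count" "$search"
}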
132
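#######################################
# test3: open_writers violation triggered by a writable mmap instead of a
# plain write descriptor. ima_mmap maps the file in the background and is
# expected to exit on its own; the function waits for that exit (rather than
# sleeping a fixed 2s) so the framework's umount cannot race with it.
# Globals:  IMA_VIOLATIONS, FILE (read), LOG via the helpers
#######################################
test3()
{
	tst_res TINFO "verify open_writers using mmapped files"

	local search="open_writers"
	local count num_violations pid

	# Baseline: kernel counter and current number of matching log lines.
	read -r num_violations < "$IMA_VIOLATIONS"
	count="$(get_count "$search")"

	echo 'testing testing' > "$FILE"

	ima_mmap -f "$FILE" &
	pid=$!
	# wait for violations appear in logs
	tst_sleep 1s

	open_file_read
	close_file_read

	validate "$num_violations" "$count" "$search"

	# wait for ima_mmap to exit, so we can umount
	wait "$pid"
}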
157
# Hand control to the LTP shell library: runs setup() and test1..test3.
tst_run
159