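#!/bin/sh
################################################################################
##                                                                            ##
## Copyright (C) 2009 IBM Corporation                                         ##
##                                                                            ##
## This program is free software; you can redistribute it and#or modify       ##
## it under the terms of the GNU General Public License as published by       ##
## the Free Software Foundation; either version 2 of the License, or          ##
## (at your option) any later version.                                        ##
##                                                                            ##
## This program is distributed in the hope that it will be useful, but        ##
## WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY ##
## or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License    ##
## for more details.                                                          ##
##                                                                            ##
## You should have received a copy of the GNU General Public License          ##
## along with this program; if not, write to the Free Software Foundation,    ##
## Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA           ##
##                                                                            ##
################################################################################
#
# File :        ima_measurements.sh
#
# Description:  This file verifies measurements are added to the measurement
#               list based on policy.
#
# Author:       Mimi Zohar, zohar@ibm.vnet.ibm.com
################################################################################

export TST_TOTAL=3
export TCID="ima_measurements"

# Kernel's ASCII IMA measurement list.
ASCII_MEASUREMENTS=/sys/kernel/security/ima/ascii_runtime_measurements

# Print the SHA1 digest of file $1 as a bare hex string.
# sha1sum prints "<digest>  <name>"; the original `sed 's/ -//'` never matched
# that format, so the filename leaked into the pattern.  Only the first field
# is kept here.  Reading the file as root adds a measurement to the list
# (assumes SHA1 IMA measurements), so call this AFTER any snapshot that must
# not yet contain it.
# Returns: 0 on success, sha1sum's status otherwise.
file_sha1() {
	_sum=$(sha1sum -- "$1") || return $?
	printf '%s\n' "${_sum%% *}"
}

# Copy the current measurement list into ./measurements (in the cwd).
# Breaks the test if the securityfs entry cannot be read.
snapshot_measurements() {
	cat "$ASCII_MEASUREMENTS" > measurements ||
		tst_brkm TBROK "Unable to read $ASCII_MEASUREMENTS"
}

# Returns 0 if digest $1 appears in ./measurements.  The digest is hex, so a
# fixed-string match is sufficient and avoids any regex interpretation.
measured() {
	grep -q -F -- "$1" measurements
}

init() {
	tst_check_cmds sha1sum

	# verify using default policy
	if [ ! -f "$IMA_DIR/policy" ]; then
		tst_resm TINFO "not using default policy"
	fi
}

# Function:    test01
# Description: Verify reading a file causes a new measurement to be added to
#              the IMA measurement list.
test01() {
	# Create file test.txt
	if ! printf '%s - this is a test file\n' "$(date)" > test.txt; then
		tst_brkm TBROK "Unable to create test file"
	fi

	# Calculating the sha1sum of test.txt should add the measurement to
	# the measurement list.
	hash=$(file_sha1 test.txt) || tst_brkm TBROK "Unable to hash test.txt"

	# Check if the file is measured (i.e. contained in the ascii
	# measurement list).
	snapshot_measurements
	if measured "$hash"; then
		tst_resm TPASS "TPM ascii measurement list contains sha1sum"
	else
		tst_resm TFAIL "TPM ascii measurement list does not contain sha1sum"
	fi
}

# Function:    test02
# Description: Verify modifying, then reading, a file causes a new
#              measurement to be added to the IMA measurement list.
test02() {
	# Modify test.txt.  (The original `$($date)` expanded an unset variable
	# instead of running date.)
	if ! printf '%s - file modified\n' "$(date)" >> test.txt; then
		tst_brkm TBROK "Unable to modify test file"
	fi

	# Calculating the sha1sum of test.txt should add the new measurement
	# to the measurement list.
	hash=$(file_sha1 test.txt) || tst_brkm TBROK "Unable to hash test.txt"

	# Check if the new measurement exists
	snapshot_measurements
	if measured "$hash"; then
		tst_resm TPASS "Modified file measured"
	else
		tst_resm TFAIL "Modified file not measured"
		tst_resm TINFO "iversion not supported; or not mounted with iversion"
	fi
}

# Function:    test03
# Description: Verify files are measured based on policy.
#              (Default policy does not measure user files.)
test03() {
	# create directory user, owned by nobody
	mkdir -m 0700 user || tst_brkm TBROK "Unable to create user directory"
	chown nobody:nobody user || tst_brkm TBROK "Unable to chown user directory"

	# Enter the directory as root first: sudo inherits the cwd, so nobody
	# can write here even if it cannot traverse the parent directories.
	cd user || tst_brkm TBROK "Unable to cd into user directory"

	# As user nobody, create and cat the new file.  The date string is
	# passed as a positional parameter instead of being spliced into the
	# command string.  (The LTP tests assume existence of 'nobody'.)
	sudo -n -u nobody sh -c \
		'printf "%s - create test.txt\n" "$1" > ./test.txt && cat ./test.txt > /dev/null' \
		sh "$(date)" ||
		tst_brkm TBROK "Unable to create test.txt as user nobody"

	cd .. || tst_brkm TBROK "Unable to leave user directory"

	# Snapshot first: calculating the hash (as root) will itself add a
	# measurement, so only calc the hash value after getting the
	# measurement list.  The snapshot is taken in this directory so the
	# check below reads the fresh list, not the one left by test02.
	snapshot_measurements
	hash=$(file_sha1 user/test.txt) ||
		tst_brkm TBROK "Unable to hash user/test.txt"

	# Check if the file is measured
	if measured "$hash"; then
		tst_resm TFAIL "user file test.txt measured"
	else
		tst_resm TPASS "user file test.txt not measured"
	fi
}

. ima_setup.sh

setup
TST_CLEANUP=cleanup

init
test01
test02
test03
tst_exit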