From: Subrata M. <su...@li...> - 2009-07-30 18:29:45
On Fri, 2009-07-24 at 11:51 -0400, Mimi Zohar wrote:
> - Replace bashisms: source, uid, substr, '&>' - redirection, '=='.
> - To create a file using 'sudo -u', some platforms require 'user' to exist.
> - Document verifying PCR-10 fails on Ubuntu on reboot due to kexec.
> - Determine if the entire boot-aggregate hash value is zero, not just the
> first couple of characters.
> - Add a space before the continuation mark on wrapped lines.
> - Explicity verify file open return codes, making sure that only one open
> succeeded (tpm_policy.sh: test02).
>
> Signed-off-by: Mimi Zohar <zo...@us...>
Thanks. I was asking about this in my earlier mail. Regards-- Subrata
>
> Index: ltp-full-20090531/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh
> ===================================================================
> --- ltp-full-20090531.orig/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh
> +++ ltp-full-20090531/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh
> @@ -35,9 +35,10 @@ init()
> export TST_TOTAL=3
> export TCID="init"
> export TST_COUNT=0
> + RC=0
>
> # check that sha1sum is installed
> - which sha1sum &> /dev/null || RC=$?
> + which sha1sum >/dev/null 2>&1 || RC=$?
> if [ $RC -ne 0 ]; then
> tst_brkm TBROK NULL "$TCID: sha1sum not found"
> return $RC
> @@ -45,7 +46,7 @@ init()
>
> # verify using default policy
> if [ ! -f $IMA_DIR/policy ]; then
> - tst_res TINFO $LTPTMP/imalog.$$\
> + tst_res TINFO $LTPTMP/imalog.$$ \
> "$TCID: not using default policy"
> fi
> return $RC
> @@ -65,7 +66,7 @@ test01()
> `date` - this is a test file
> EOF
> if [ $RC -ne 0 ]; then
> - tst_brkm TBROK $LTPTMP/imalog.$$\
> + tst_brkm TBROK $LTPTMP/imalog.$$ \
> "$TCID: Unable to create test file"
> return $RC
> fi
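Review bot: `which sha1sum >/dev/null 2>&1 || RC=$?` in init() still relies on `which`, which is not a POSIX utility and whose exit status varies between implementations, so a pass whose goal is removing bashisms could use the POSIX builtin instead: `command -v sha1sum >/dev/null 2>&1 || RC=$?`. The same `which` pattern appears in the ima_tpm.sh init() hunks for ima_boot_aggregate and ima_measure. The TBROK on the next line also passes `NULL` where every other tst_res/tst_brkm call in these files passes `$LTPTMP/imalog.$$`; if that is intentional a short comment would help. init() continues outside the hunk.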
> @@ -82,11 +83,11 @@ test01()
> sleep 1
> `grep $hash $LTPIMA/measurements > /dev/null` || RC=$?
> if [ $RC -ne 0 ]; then
> - tst_res TFAIL $LTPTMP/imalog.$$\
> + tst_res TFAIL $LTPTMP/imalog.$$ \
> "$TCID: TPM ascii measurement list does not contain sha1sum"
> return $RC
> else
> - tst_res TPASS $LTPTMP/imalog.$$\
> + tst_res TPASS $LTPTMP/imalog.$$ \
> "$TCID: TPM ascii measurement list contains sha1sum"
> fi
> return $RC
> @@ -114,13 +115,13 @@ test02()
> `grep $hash $LTPIMA/measurements > /dev/null` || RC=$?
>
> if [ $RC -ne 0 ]; then
> - tst_res TFAIL $LTPTMP/imalog.$$\
> + tst_res TFAIL $LTPTMP/imalog.$$ \
> "$TCID: Modified file not measured"
> - tst_res TINFO $LTPTMP/imalog.$$\
> + tst_res TINFO $LTPTMP/imalog.$$ \
> "$TCID: iversion not supported; or not mounted with iversion"
> return $RC
> else
> - tst_res TPASS $LTPTMP/imalog.$$\
> + tst_res TPASS $LTPTMP/imalog.$$ \
> "$TCID: Modified file measured"
> fi
> return $RC
> @@ -137,12 +138,13 @@ test03()
>
> # create file user-test.txt
> mkdir -m 0700 $LTPIMA/user
> - chown 99.99 $LTPIMA/user
> + chown nobody.nobody $LTPIMA/user
> cd $LTPIMA/user
> hash=0
>
> - # As user 99, create and cat the new file
> - sudo -u \#99 sh -c "echo `date` - create test.txt > ./test.txt;
> + # As user nobody, create and cat the new file
> + # (The LTP tests assumes existence of 'nobody'.)
> + sudo -u nobody sh -c "echo `date` - create test.txt > ./test.txt;
> cat ./test.txt > /dev/null"
>
> # Calculating the hash will add the measurement to the measurement
> @@ -157,11 +159,11 @@ test03()
> grep $hash $LTPIMA/measurements > /dev/null || RC=$?
> if [ $RC -ne 0 ]; then
> RC=0
> - tst_res TPASS $LTPTMP/imalog.$$\
> + tst_res TPASS $LTPTMP/imalog.$$ \
> "$TCID: user file test.txt not measured"
> else
> RC=1
> - tst_res TFAIL $LTPTMP/imalog.$$\
> + tst_res TFAIL $LTPTMP/imalog.$$ \
> "$TCID: user file test.txt measured"
> fi
> return $RC
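Review bot: `chown nobody.nobody $LTPIMA/user` in test03 assumes a group named nobody, but the added comment only promises that the user nobody exists; on distributions where the matching group is called something else (Debian-derived systems use nogroup) the chown fails, the directory stays root-owned, and the rest of the test exercises a different situation than intended. Since the directory only needs to be usable by the unprivileged user, `chown nobody $LTPIMA/user` drops the extra assumption, and `user:group` is the preferred form over the deprecated `user.group` syntax in any case. Neither the chown nor the `sudo -u nobody sh -c ...` step records its status with `|| RC=$?`, so a failed setup is not reported as TBROK and the test continues as if test.txt had been created. test03 continues outside the hunk.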
> @@ -176,9 +178,8 @@ test03()
> #
> RC=0
> EXIT_VAL=0
> -source `dirname $0`\/ima_setup.sh
> +. `dirname $0`\/ima_setup.sh
> setup || exit $RC
> -
> init
> test01 || EXIT_VAL=$RC
> test02 || EXIT_VAL=$RC
> Index: ltp-full-20090531/testcases/kernel/security/integrity/ima/tests/ima_policy.sh
> ===================================================================
> --- ltp-full-20090531.orig/testcases/kernel/security/integrity/ima/tests/ima_policy.sh
> +++ ltp-full-20090531/testcases/kernel/security/integrity/ima/tests/ima_policy.sh
> @@ -39,21 +39,21 @@ init()
> # verify using default policy
> IMA_POLICY=$IMA_DIR/policy
> if [ ! -f $IMA_POLICY ]; then
> - tst_res TINFO $LTPTMP/imalog.$$\
> + tst_res TINFO $LTPTMP/imalog.$$ \
> "$TCID: default policy already replaced"
> RC=1
> fi
>
> VALID_POLICY=`dirname $0`\/..\/policy/measure.policy
> if [ ! -f $VALID_POLICY ]; then
> - tst_res TINFO $LTPTMP/imalog.$$\
> + tst_res TINFO $LTPTMP/imalog.$$ \
> "$TCID: missing $VALID_POLICY"
> RC=1
> fi
>
> INVALID_POLICY=`dirname $0`\/..\/policy/measure.policy-invalid
> if [ ! -f $INVALID_POLICY ]; then
> - tst_res TINFO $LTPTMP/imalog.$$\
> + tst_res TINFO $LTPTMP/imalog.$$ \
> "$TCID: missing $INVALID_POLICY"
> RC=1
> fi
> @@ -70,7 +70,7 @@ load_policy()
> cat $1 |
> while read line ; do
> {
> - if [ "${line:0:1}" != "#" ] ; then
> + if [ "${line#\#}" = "${line}" ] ; then
> echo $line >&4 2> /dev/null
> if [ $? -ne 0 ]; then
> exec 4>&-
> @@ -95,11 +95,11 @@ test01()
> wait "$p1"; RC=$?
> if [ $RC -ne 0 ]; then
> RC=0
> - tst_res TPASS $LTPTMP/imalog.$$\
> + tst_res TPASS $LTPTMP/imalog.$$ \
> "$TCID: didn't load invalid policy"
> else
> RC=1
> - tst_res TFAIL $LTPTMP/imalog.$$\
> + tst_res TFAIL $LTPTMP/imalog.$$ \
> "$TCID: loaded invalid policy"
> fi
> return $RC
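Review bot: The new `${line#\#}` comment test in load_policy is POSIX, but the loop around it still reads with `read line` (no `-r`, so backslashes in a rule are interpreted) and writes with `echo $line >&4` unquoted, so runs of whitespace inside a policy rule are collapsed and any glob characters are expanded against the current directory before the text reaches the kernel. Because this is the text that becomes the active measurement policy, it should go through verbatim: `while IFS= read -r line ; do` and `printf '%s\n' "$line" >&4 2> /dev/null`. The `if [ $? -ne 0 ]` check that follows works unchanged with printf. load_policy starts and ends outside the hunk.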
> @@ -118,16 +118,15 @@ test02()
> load_policy $VALID_POLICY & p2=$! # forked process 2
> wait "$p1"; RC1=$?
> wait "$p2"; RC2=$?
> - RC=$((`expr $RC1 + $RC2`))
> - if [ $RC -eq 1 ]; then
> + if [ $RC1 -eq 0 ] && [ $RC2 -eq 0 ]; then
> + tst_res TFAIL $LTPTMP/imalog.$$ \
> + "$TCID: measurement policy opened concurrently"
> + elif [ $RC1 -eq 0 ] || [ $RC2 -eq 0 ]; then
> RC=0
> - tst_res TPASS $LTPTMP/imalog.$$\
> + tst_res TPASS $LTPTMP/imalog.$$ \
> "$TCID: replaced default measurement policy"
> - elif [ $RC -eq 0 ]; then
> - tst_res TFAIL $LTPTMP/imalog.$$\
> - "$TCID: measurement policy opened concurrently"
> else
> - tst_res TFAIL $LTPTMP/imalog.$$\
> + tst_res TFAIL $LTPTMP/imalog.$$ \
> "$TCID: problems opening measurement policy"
> fi
> return 0
> @@ -145,7 +144,7 @@ test03()
> wait "$p1"; RC=$?
> if [ $RC -ne 0 ]; then
> RC=0
> - tst_res TPASS $LTPTMP/imalog.$$\
> + tst_res TPASS $LTPTMP/imalog.$$ \
> "$TCID: didn't replace valid policy"
> else
> RC=1
> @@ -164,7 +163,7 @@ test03()
> RC=0 # Return value from setup, init, and test functions.
> EXIT_VAL=0
>
> -source `dirname $0`\/ima_setup.sh
> +. `dirname $0`\/ima_setup.sh
> setup || exit $RC
>
> init || exit $RC
> Index: ltp-full-20090531/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
> ===================================================================
> --- ltp-full-20090531.orig/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
> +++ ltp-full-20090531/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
> @@ -46,7 +46,7 @@ mount_sysfs()
> mount_securityfs()
> {
> SECURITYFS=`mount | grep securityfs` || RC=$?
> - if [ $RC == 1 ]; then
> + if [ $RC -eq 1 ]; then
> SECURITYFS=$SYSFS/kernel/security
> `mkdir -p $SECURITYFS`
> `mount -t securityfs securityfs $SECURITYFS`
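Review bot: In the ima_policy.sh test02 hunk the two TFAIL branches never assign RC and the function still ends with `return 0`, so the caller's `test02 || EXIT_VAL=$RC` can never record the failure: a kernel that lets the measurement policy be opened concurrently, which is exactly the condition this patch set out to detect, is logged as TFAIL while the script exits successfully. Set `RC=1` in both TFAIL branches and end with `return $RC`, which is what test01 and test03 in the same file already do. Whether RC is initialised at the top of test02 is outside the hunk.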
> @@ -77,7 +77,8 @@ setup()
> fi
>
> # Must be root
> - if [ $UID -ne 0 ]; then
> + userid=`id -u`
> + if [ $userid -ne 0 ]; then
> tst_brkm TBROK $LTPTMP/imalog.$$ \
> "$TCID: Must be root to execute test"
> return 1
> @@ -92,7 +93,7 @@ setup()
> # create the temporary directory used by this testcase
> LTPIMA=$LTPTMP/ima
> umask 077
> - mkdir $LTPIMA &>/dev/null || RC=$?
> + mkdir $LTPIMA > /dev/null 2>&1 || RC=$?
> if [ $RC -ne 0 ]; then
> tst_brk TBROK "$TCID: Unable to create temporary directory"
> return $RC
> Index: ltp-full-20090531/testcases/kernel/security/integrity/ima/tests/ima_tpm.sh
> ===================================================================
> --- ltp-full-20090531.orig/testcases/kernel/security/integrity/ima/tests/ima_tpm.sh
> +++ ltp-full-20090531/testcases/kernel/security/integrity/ima/tests/ima_tpm.sh
> @@ -37,17 +37,17 @@ init()
> RC=0
>
> # verify ima_boot_aggregate is available
> - which ima_boot_aggregate &> /dev/null || RC=$?
> + which ima_boot_aggregate >/dev/null 2>&1 || RC=$?
> if [ $RC -ne 0 ]; then
> - tst_res TINFO $LTPTMP/imalog.$$\
> + tst_res TINFO $LTPTMP/imalog.$$ \
> "$TCID: ima_tpm.sh test requires openssl-devel, skipping"
> return $RC
> fi
>
> # verify ima_measure is available
> - which ima_measure &> /dev/null || RC=$?
> + which ima_measure > /dev/null 2>&1 || RC=$?
> if [ $RC -ne 0 ]; then
> - tst_res TINFO $LTPTMP/imalog.$$\
> + tst_res TINFO $LTPTMP/imalog.$$ \
> "$TCID: ima_tpm.sh test requires openssl-devel, skipping"
> fi
> return $RC
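Review bot: `userid=\`id -u\`` followed by `if [ $userid -ne 0 ]` in setup() misbehaves if `id -u` fails or prints nothing: the expansion disappears, `[` sees `-ne 0` and reports a usage error instead of the intended TBROK, and under some shells the script proceeds as root-only code without having confirmed it is root. Quote the expansion and default it to a non-root value so the failure falls on the safe side, `if [ "${userid:-1}" -ne 0 ]; then`. In the second hunk `mkdir $LTPIMA` also fails whenever a previous run left the directory behind, which is then reported as "Unable to create temporary directory"; that predates this patch but a `# fails if a previous run left $LTPIMA in place` comment would save the next reader some time. setup() starts and ends outside the hunks.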
> @@ -60,34 +60,36 @@ test01()
> TCID="test01"
> TST_COUNT=1
> RC=0
> + zero="0000000000000000000000000000000000000000"
>
> # IMA boot aggregate
> ima_measurements=$SECURITYFS/ima/ascii_runtime_measurements
> read line < $ima_measurements
> + ima_aggr=`expr substr "${line}" 49 40`
>
> # verify TPM is available and enabled.
> tpm_bios=$SECURITYFS/tpm0/binary_bios_measurements
> if [ ! -f $tpm_bios ]; then
> - tst_res TINFO $LTPTMP/imalog.$$\
> + tst_res TINFO $LTPTMP/imalog.$$ \
> "$TCID: no TPM, TPM not builtin kernel, or TPM not enabled"
>
> - [ "${line:49:40}" -eq 0 ] || RC=$?
> + [ "${ima_aggr}" = "${zero}" ] || RC=$?
> if [ $RC -eq 0 ]; then
> - tst_res TPASS $LTPTMP/imalog.$$\
> + tst_res TPASS $LTPTMP/imalog.$$ \
> "$TCID: bios boot aggregate is 0."
> else
> - tst_res TFAIL $LTPTMP/imalog.$$\
> + tst_res TFAIL $LTPTMP/imalog.$$ \
> "$TCID: bios boot aggregate is not 0."
> fi
> else
> boot_aggregate=`ima_boot_aggregate $tpm_bios`
> -
> - [ "${line:48:40}" == "${boot_aggregate:15:40}" ] || RC=$?
> + boot_aggr=`expr substr $boot_aggregate 16 40`
> + [ ${ima_aggr} = ${boot_aggr} ] || RC=$?
> if [ $RC -eq 0 ]; then
> - tst_res TPASS $LTPTMP/imalog.$$\
> + tst_res TPASS $LTPTMP/imalog.$$ \
> "$TCID: bios aggregate matches IMA boot aggregate."
> else
> - tst_res TFAIL $LTPTMP/imalog.$$\
> + tst_res TFAIL $LTPTMP/imalog.$$ \
> "$TCID: bios aggregate does not match IMA boot " \
> "aggregate."
> fi
> @@ -103,10 +105,14 @@ validate_pcr()
> ima_measurements=$SECURITYFS/ima/binary_runtime_measurements
> aggregate_pcr=`ima_measure $ima_measurements --validate`
> dev_pcrs=$1
> + RC=0
>
> while read line ; do
> - if [ "${line:0:6}" == "PCR-10" ]; then
> - [ "${line:8:59}" == "${aggregate_pcr:25:59}" ]
> - RC=$?
> + pcr=`expr substr "${line}" 1 6`
> + if [ "${pcr}" = "PCR-10" ]; then
> + aggr=`expr substr "${aggregate_pcr}" 26 59`
> + pcr=`expr substr "${line}" 9 59`
> + [ "${pcr}" = "${aggr}" ] || RC=$?
> fi
> done < $dev_pcrs
> return $RC
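Review bot: `expr substr` on the new `ima_aggr=` and `boot_aggr=` lines in test01 is a GNU extension rather than part of POSIX expr, so a patch whose purpose is removing bashisms replaces one portability dependency with another; `ima_aggr=\`printf '%s\n' "${line}" | cut -c49-88\`` and `boot_aggr=\`printf '%s\n' "${boot_aggregate}" | cut -c16-55\`` cover the same 40-character ranges with a POSIX tool. The comparison `[ ${ima_aggr} = ${boot_aggr} ]` is unquoted, so if ima_boot_aggregate produces no output the test degenerates to a `[` usage error rather than a clean TFAIL; quote both sides as the zero-check above it already does. test01 continues outside the hunk.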
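Review bot: validate_pcr now returns 0 when no `PCR-10` line exists in `$dev_pcrs` at all, because RC is initialised to 0 and only changed inside the `PCR-10` branch, and test02 then reports TPASS "aggregate PCR value matches real PCR value" although no comparison took place. Track whether the line was seen: `found=0` before the loop, `found=1` beside the comparison, and `[ $found -eq 1 ] || RC=1` after `done`. The `aggr=` substring of aggregate_pcr does not depend on the loop variable and can be computed once before the loop. validate_pcr starts outside the hunk.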
> @@ -126,15 +132,15 @@ test02()
> if [ $RC -eq 0 ]; then
> validate_pcr $PCRS_PATH || RC=$?
> if [ $RC -eq 0 ]; then
> - tst_res TPASS $LTPTMP/imalog.$$\
> + tst_res TPASS $LTPTMP/imalog.$$ \
> "$TCID: aggregate PCR value matches real PCR value."
> else
> - tst_res TFAIL $LTPTMP/imalog.$$\
> + tst_res TFAIL $LTPTMP/imalog.$$ \
> "$TCID: aggregate PCR value does not match" \
> " real PCR value."
> fi
> else
> - tst_res TFAIL $LTPTMP/imalog.$$\
> + tst_res TFAIL $LTPTMP/imalog.$$ \
> "$TCID: TPM not enabled, no PCR value to validate"
> fi
> return $RC
> @@ -152,10 +158,10 @@ test03()
> aggregate_pcr=`ima_measure $ima_measurements --verify --validate` > /dev/null
> RC=$?
> if [ $RC -eq 0 ]; then
> - tst_res TPASS $LTPTMP/imalog.$$\
> + tst_res TPASS $LTPTMP/imalog.$$ \
> "$TCID: verified IMA template hash values."
> else
> - tst_res TFAIL $LTPTMP/imalog.$$\
> + tst_res TFAIL $LTPTMP/imalog.$$ \
> "$TCID: error verifing IMA template hash values."
> fi
> return $RC
> @@ -172,7 +178,7 @@ RC=0 # Return value from setup, and t
> EXIT_VAL=0
>
> # set the testcases/bin directory
> -source `dirname $0`\/ima_setup.sh
> +. `dirname $0`\/ima_setup.sh
> setup || exit $RC
>
> init || exit $RC
> Index: ltp-full-20090531/testcases/kernel/security/integrity/ima/tests/ima_violations.sh
> ===================================================================
> --- ltp-full-20090531.orig/testcases/kernel/security/integrity/ima/tests/ima_violations.sh
> +++ ltp-full-20090531/testcases/kernel/security/integrity/ima/tests/ima_violations.sh
> @@ -64,12 +64,17 @@ init()
> export TST_COUNT=0
> RC=0
>
> - service auditd status &> /dev/null || RC=$?
> + if [ -f /etc/init.d/auditd ]; then
> + service auditd status > /dev/null 2>&1 || RC=$?
> + else
> + RC=$?
> + fi
> +
> if [ $RC -ne 0 ]; then
> log=/var/log/messages
> else
> log=/var/log/audit/audit.log
> - tst_res TINFO $LTPTMP/imalog.$$\
> + tst_res TINFO $LTPTMP/imalog.$$ \
> "$TCID: requires integrity auditd patch"
> fi
> }
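Review bot: The `else` branch's `RC=$?` in ima_violations.sh init() takes its value from the preceding `[ -f /etc/init.d/auditd ]` test, which only works because that test has just returned 1; anyone who inserts a statement before it gets RC=0 and audit.log selected on a host without auditd. State the intent directly with `RC=1`. Note that a host where auditd is installed but stopped takes the same path and the violation tests then search /var/log/messages, which matches the existing behaviour but deserves a one-line comment such as `# auditd absent or not running: violations are expected in syslog`. init() starts outside the hunk.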
> @@ -96,13 +101,16 @@ test01()
> tail $log | grep test.txt-$$ | \
> grep 1>/dev/null 'open_writers' || RC=$?
> if [ $RC -eq 0 ]; then
> - tst_res TPASS $LTPTMP/imalog.$$\
> - "$TCID: open_writers violation added"
> + tst_res TPASS $LTPTMP/imalog.$$ \
> + "$TCID: open_writers violation added(test.txt-$$)"
> return $RC
> + else
> + tst_res TINFO $LTPTMP/imalog.$$ \
> + "$TCID: (message ratelimiting?)"
> fi
> fi
> - tst_res TFAIL $LTPTMP/imalog.$$\
> - "$TCID: open_writers violation not added"
> + tst_res TFAIL $LTPTMP/imalog.$$ \
> + "$TCID: open_writers violation not added(test.txt-$$)"
> return $RC
> }
>
> @@ -128,12 +136,16 @@ test02()
> tail $log | grep test.txt-$$ | \
> grep 'ToMToU' 1>/dev/null || RC=$?
> if [ $RC -eq 0 ]; then
> - tst_res TPASS $LTPTMP/imalog.$$\
> - "$TCID: ToMToU violation added"
> + tst_res TPASS $LTPTMP/imalog.$$ \
> + "$TCID: ToMToU violation added(test.txt-$$)"
> return $RC
> + else
> + tst_res TINFO $LTPTMP/imalog.$$ \
> + "$TCID: (message ratelimiting?)"
> fi
> fi
> - tst_res TFAIL $LTPTMP/imalog.$$ "$TCID: ToMToU violation not added"
> + tst_res TFAIL $LTPTMP/imalog.$$ \
> + "$TCID: ToMToU violation not added(test.txt-$$)"
> return $RC
> }
>
> @@ -160,13 +172,16 @@ test03()
> tail $log | grep test.txtb-$$ | \
> grep 1>/dev/null 'open_writers' || RC=$?
> if [ $RC -eq 0 ]; then
> - tst_res TPASS $LTPTMP/imalog.$$\
> - "$TCID: mmapped open_writers violation added"
> + tst_res TPASS $LTPTMP/imalog.$$ \
> + "$TCID: mmapped open_writers violation added(test.txtb-$$)"
> return $RC
> + else
> + tst_res TINFO $LTPTMP/imalog.$$ \
> + "$TCID: (message ratelimiting?)"
> fi
> fi
> - tst_res TFAIL $LTPTMP/imalog.$$\
> - "$TCID: mmapped open_writers violation not added"
> + tst_res TFAIL $LTPTMP/imalog.$$ \
> + "$TCID: mmapped open_writers violation not added(test.txtb-$$)"
> close_file_read
> return $RC
> }
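Review bot: The new TINFO "(message ratelimiting?)" hint in test01 blames the kernel, but the search that precedes it is `tail $log | grep test.txt-$$`, i.e. only the last 10 lines of the audit or syslog file, so on a busy host the violation record may already have scrolled out of the window and the test reports TFAIL for a violation that was in fact logged; the test02 and test03 hunks have the same search. Since each record carries the run-unique `test.txt-$$` (or `test.txtb-$$`) tag, search the file rather than its tail, `grep test.txt-$$ $log | grep 1>/dev/null 'open_writers' || RC=$?`, or at least widen the window with `tail -n 200 $log`, and keep the ratelimiting hint for the case where the tag is genuinely absent. test01 starts outside the hunk.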
> @@ -181,9 +196,8 @@ test03()
> RC=0 # Return value from setup, init, and test functions.
> EXIT_VAL=0
>
> -source `dirname $0`\/ima_setup.sh
> +. `dirname $0`\/ima_setup.sh
> setup || exit $RC
> -
> init || exit $RC
> test01 || EXIT_VAL=$RC
> test02 || EXIT_VAL=$RC
> Index: ltp-full-20090531/testcases/kernel/security/integrity/ima/README
> ===================================================================
> --- ltp-full-20090531.orig/testcases/kernel/security/integrity/ima/README
> +++ ltp-full-20090531/testcases/kernel/security/integrity/ima/README
> @@ -52,11 +52,16 @@ open for read by root. If the default po
> another measurement policy will fail, as the policy may only be replaced
> once per boot. Some of the policy dependency tests might also fail as well.
>
> +ima_tpm.sh: test02, verifying the PCR-10 value, requires a hard reboot.
> +[On Ubuntu, before running the ltp tests, disable /etc/init.d/kexec-load
> +and reboot.]
> +
> Run tests
> ---------
> After doing 'make' and 'make install' from the top-level,
> - execute './ltp-full-<version>/runltp -f ima' to run the entire testsuite.
> -- To run individual tests, cd into the IMA directory:
> +- To run individual tests, cd into the IMA directory, and add testcases/bin
> + to PATH:
> ./ltp-full-<version>/testcases/kernel/security/integrity/ima/tests/
> and execute the individual scripts.
>
>
> |