From: <mva...@re...> - 2011-07-15 10:50:25
|
From: Miroslav Vadkerti <mva...@re...> Changes: + Added rules needed for crypto/cryptsetup_access test Signed-off-by: Miroslav Vadkerti <mva...@re...> --- audit/utils/selinux-policy/lspp_test.te | 9 ++++++++- 1 files changed, 8 insertions(+), 1 deletions(-) diff --git a/audit/utils/selinux-policy/lspp_test.te b/audit/utils/selinux-policy/lspp_test.te index 1bf5373..4959023 100644 --- a/audit/utils/selinux-policy/lspp_test.te +++ b/audit/utils/selinux-policy/lspp_test.te @@ -32,7 +32,7 @@ define(`ROLES_ALL',`sysadm_r secadm_r auditadm_r staff_r') # the policy_module() and gen_require() statements. # -policy_module(lspp_test,6.3.1) +policy_module(lspp_test,6.3.2) # we really shouldn't be accessing these policy constructs directly but there # isn't always a policy interface available for what we want to do, so just @@ -51,6 +51,8 @@ gen_require(` type kernel_t, inetd_t, sshd_t, ping_t; # more objects needed for strace type staff_t, namespace_init_t, ssh_t, user_t, setfiles_t; + # more objects needed for dmcrypt and cryptsetup + type lvm_t, fsadm_t, udev_t; ') ### # @@ -349,3 +351,8 @@ allow sshd_t lspp_harness_t:process sigchld; allow staff_t lspp_harness_t:process sigchld; allow user_t lspp_harness_t:process sigchld; allow ssh_t lspp_harness_t:process sigchld; + +# needed for dmcrypt to work in crypto/ssh_sym test +allow lvm_t lspp_harness_t:sem { read write unix_write associate }; +allow udev_t fsadm_t:process { siginh noatsecure rlimitinh }; +allow udev_t lvm_t:process { siginh noatsecure rlimitinh }; -- 1.7.1 |
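Review bot: The comment over the three new allow rules at the end of lspp_test.te says they are "needed for dmcrypt to work in crypto/ssh_sym test", but the commit message says the rules are for crypto/cryptsetup_access; the comment should name the test that actually needs them. The two `udev_t` rules also grant `noatsecure`, which turns off secure-mode environment sanitisation when udev_t transitions into fsadm_t or lvm_t, so the comment should record which denial required it, or the permission set should be reduced to `{ siginh rlimitinh }` if the test passes without it.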
From: <mva...@re...> - 2011-07-15 10:50:26
|
From: Miroslav Vadkerti <mva...@re...> Signed-off-by: Miroslav Vadkerti <mva...@re...> --- audit/crypto/tests/tp_luks_functions.bash | 129 +++++++++++++++++++++++++++++ 1 files changed, 129 insertions(+), 0 deletions(-) create mode 100644 audit/crypto/tests/tp_luks_functions.bash diff --git a/audit/crypto/tests/tp_luks_functions.bash b/audit/crypto/tests/tp_luks_functions.bash new file mode 100644 index 0000000..dd37a59 --- /dev/null +++ b/audit/crypto/tests/tp_luks_functions.bash 
@@ -0,0 +1,129 @@ +############################################################################### +# Copyright (c) 2011 Red Hat, Inc. All rights reserved. +# +# This copyrighted material is made available to anyone wishing +# to use, modify, copy, or redistribute it subject to the terms +# and conditions of the GNU General Public License version 2. +# +# This program is distributed in the hope that it will be +# useful, but WITHOUT ANY WARRANTY; without even the implied +# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR +# PURPOSE. See the GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public +# License along with this program; if not, write to the Free +# Software Foundation, Inc., 51 Franklin Street, Fifth Floor, +# Boston, MA 02110-1301, USA. +############################################################################### +# +# Description: +# Loop device helper functions +# + +source testcase.bash || exit 2 + +# default loop device to use +LOOPDEV="/dev/loop0" + +# Create LUKS on $LOOPDEV with $LUKSPASS password +# $1 - password to use +function create_luks { + expect -c " + spawn cryptsetup luksFormat $LOOPDEV + expect {Are you sure} {send \"YES\r\"} + expect {Enter LUKS} {send \"$1\r\"} + expect {Verify} {send \"$1\r\"} + expect eof + " +} + +# Close LUKS on $LOOPDEV +# $1 - luks device +function close_luks { + cryptsetup luksClose $LUKSDEV +} + +# Check if LUKS on $LOOPDEV created with correct parameters and uses +# given count of key slots +# $1 - number of key slots to check +function check_luks { + # check if mandatory paramter given + [ "x$1" = "x" ] && exit_error "Error: no parameter give for check_luks" + + # dump the LUKS device + TMP=$(mktemp) + cryptsetup luksDump /dev/loop0 &> $TMP + + # Check for correct parameters + egrep "Cipher name.*aes" $TMP || exit_fail "Failed check on cipher name" + egrep "Cipher mode.*cbc-essiv:sha256" $TMP || \ + exit_fail "Failed check on cipher mode" + 
egrep "Hash spec.*sha1" $TMP || exit_fail "Failed check on hash spec" + + # Check for correct count of used key slots + CNT=$(egrep "Key Slot.*ENABLED" $TMP | wc -l) + [ $CNT -ne $1 ] && \ + exit_fail "Incorrect count of key slots: $CNT (expected $1)" + +} + +# Add new key passphrase give as paramter to the $LUKSDEV device +# $1 - any current passphrase +# $2 - passphrase for the new key +function addkey_luks { + # check if mandatory parameter given + [ "x$1" = "x" ] && \ + exit_error "Error: no current passphrase given to addkey_luks" + [ "x$2" = "x" ] && \ + exit_error "Error: no new passphrase given to addkey_luks" + + # add new key slot + expect -c " + spawn cryptsetup luksAddKey $LOOPDEV + expect {Enter any} {send \"$1\r\"} + expect {Enter new} {send \"$2\r\"} + expect {Verify} {send \"$2\r\"} + expect eof + " +} + +# Create dm-crypt mapping for give LUKS device +# $1 - device name +# $2 - any passphrase for opening LUKS +# return - 0 if open successful, else 1 +function open_luks { + # check if mandatory parameter given + [ "x$1" = "x" ] && \ + exit_error "Error: no device name given to open_luks" + [ "x$2" = "x" ] && \ + exit_error "Error: no passphrase given to open_luks" + + # try to open the device + expect -c " + spawn cryptsetup luksOpen $LOOPDEV $1 + expect {Enter passphrase} {send \"$2\r\"} + expect eof { exit 0 } + exit 1 + " + + # open failed + [ $? -ne 0 ] && return 1 + + # open successful + return 0 +} + +# Remove dm-crypt mapping for given device +# $1 - device to remove +function close_luks { + # check if mandatory parameter given + [ "x$1" = "x" ] && \ + exit_error "Error: no device name given to close_luks" + + # close the device + cryptsetup luksClose $1 + + # check if close successful + [ $? -ne 0 ] && exit_fail "Failed to close LUKS device" + +} -- 1.7.1 |
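Review bot: open_luks returns the expect script's status, not cryptsetup's: `expect eof { exit 0 }` exits 0 on any end of output after the passphrase is sent, and the `exit 1` path is reached only when no eof arrives before expect's timeout, so a luksOpen that prompts, fails and exits would be reported as a successful open. Taking the status from the spawned process, for example `expect eof` followed by `exit [lindex [wait] 3]`, makes the return value follow cryptsetup's exit code, which matters for the negative access checks that rely on it. In the same file close_luks is defined twice; the first definition uses `$LUKSDEV`, which is never set, and is replaced by the second, so it can be deleted. check_luks dumps `/dev/loop0` rather than `$LOOPDEV` and never removes its `mktemp` file, and the header description still reads "Loop device helper functions".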
From: <mva...@re...> - 2011-07-15 10:50:27
|
From: Miroslav Vadkerti <mva...@re...> Signed-off-by: Miroslav Vadkerti <mva...@re...> --- audit/crypto/run.conf | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) diff --git a/audit/crypto/run.conf b/audit/crypto/run.conf index 61ea834..0c67695 100644 --- a/audit/crypto/run.conf +++ b/audit/crypto/run.conf @@ -38,6 +38,7 @@ function run_test { } if [[ $PPROFILE == capp || $PPROFILE == lspp ]]; then + + cryptsetup_access + ssh_cipher_hmac + ssh_dsa + ssh_multi -- 1.7.1 |
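Review bot: This adds `cryptsetup_access` to the run list with no commit description, and as posted the entry comes before the patches that create tp_loop_device.bash and test_cryptsetup_access.bash, so a checkout at this commit lists a test whose script does not exist yet. Moving the run.conf change to the end of the series, with a one-line description of what the test depends on (the later patches use a loop device, cryptsetup and expect), keeps every commit in the series runnable.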
From: <mva...@re...> - 2011-07-15 10:50:27
|
From: Miroslav Vadkerti <mva...@re...> Signed-off-by: Miroslav Vadkerti <mva...@re...> --- audit/crypto/tests/tp_loop_device.bash | 71 ++++++++++++++++++++++++++++++++ 1 files changed, 71 insertions(+), 0 deletions(-) create mode 100644 audit/crypto/tests/tp_loop_device.bash diff --git a/audit/crypto/tests/tp_loop_device.bash b/audit/crypto/tests/tp_loop_device.bash new file mode 100644 index 0000000..6bbc9bf --- /dev/null +++ b/audit/crypto/tests/tp_loop_device.bash 
@@ -0,0 +1,71 @@ +############################################################################### +# Copyright (c) 2011 Red Hat, Inc. All rights reserved. +# +# This copyrighted material is made available to anyone wishing +# to use, modify, copy, or redistribute it subject to the terms +# and conditions of the GNU General Public License version 2. +# +# This program is distributed in the hope that it will be +# useful, but WITHOUT ANY WARRANTY; without even the implied +# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR +# PURPOSE. See the GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public +# License along with this program; if not, write to the Free +# Software Foundation, Inc., 51 Franklin Street, Fifth Floor, +# Boston, MA 02110-1301, USA. +############################################################################### +# +# Description: +# Loop device helper functions +# + +source testcase.bash || exit 2 + +# Create new loop device. The paramters are optional. If you intend to pass +# only second paramater you need to supply the first too! +# $1 = loop device (default /dev/loop/0) +# $2 = size in MB (default 100MB) +function create_loop_device { + # defaults + LOOPDEV="/dev/loop0" + LOOPSIZE="100" + + # if parameters given + [ "x$1" != "x" ] && LOOPDEV=$1 + [ "x$2" != "x" ] && LOOPSIZE=$2 + + + # create the test file + LOOPFILE=$(mktemp) + dd if=/dev/zero of=$LOOPFILE bs=1M count=$LOOPSIZE || exit_error \ + "Error creating $LOOPFILE for device $LOOPDEV" + + # create loop device + losetup $LOOPDEV $LOOPFILE || exit_error \ + "Error setting up $LOOPDEV" +} + +# Umount, detach the loop device and remove the loop file. +# The paramter is optional. 
+# $1 = loop device (default /dev/loop/0) +function remove_loop_device { + # defaults + LOOPDEV="/dev/loop0" + + # if parameter given + [ "x$1" != "x" ] && LOOPDEV=$1 + + # umount the loop device + umount $LOOPDEV + + # extract the file associated with the device + LOOPFILE=$(losetup $LOOPDEV | sed 's|.*(\(/.*\))|\1|g') + + # detach the loop device + losetup -d $LOOPDEV || exit_error "Error detaching $LOOPDEV" + + # remove the loopfile + rm -f $LOOPFILE + +} -- 1.7.1 |
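Review bot: create_loop_device defaults to a fixed `/dev/loop0` and passes it straight to `losetup $LOOPDEV $LOOPFILE`, so the helper calls exit_error on any system where that device is already attached; asking for a free device with `losetup -f` and storing the result in LOOPDEV avoids that. In remove_loop_device the result of `umount $LOOPDEV` is ignored, and `$LOOPFILE` is re-derived by parsing `losetup` output with sed although create_loop_device already set it. The comments give the default as /dev/loop/0 while the code uses /dev/loop0, and the variable expansions are unquoted throughout.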
From: <mva...@re...> - 2011-07-15 10:50:28
|
From: Miroslav Vadkerti <mva...@re...> This test covers these SFRs: FDP_ACF.1(CP), FDP_CDP.1(CP), FMT_MSA.3(CP) More information in the test Signed-off-by: Miroslav Vadkerti <mva...@re...> --- audit/crypto/tests/test_cryptsetup_access.bash | 119 ++++++++++++++++++++++++ 1 files changed, 119 insertions(+), 0 deletions(-) create mode 100755 audit/crypto/tests/test_cryptsetup_access.bash diff --git a/audit/crypto/tests/test_cryptsetup_access.bash b/audit/crypto/tests/test_cryptsetup_access.bash new file mode 100755 index 0000000..37af3b8 --- /dev/null +++ b/audit/crypto/tests/test_cryptsetup_access.bash 
@@ -0,0 +1,119 @@ +#!/bin/bash +############################################################################### +# Copyright (c) 2011 Red Hat, Inc. All rights reserved. +# +# This copyrighted material is made available to anyone wishing +# to use, modify, copy, or redistribute it subject to the terms +# and conditions of the GNU General Public License version 2. +# +# This program is distributed in the hope that it will be +# useful, but WITHOUT ANY WARRANTY; without even the implied +# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR +# PURPOSE. See the GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public +# License along with this program; if not, write to the Free +# Software Foundation, Inc., 51 Franklin Street, Fifth Floor, +# Boston, MA 02110-1301, USA. +############################################################################### +# +# SFRs: FDP_ACF.1(CP), FDP_CDP.1(CP), FMT_MSA.3(CP) +# +# AUTHOR: Miroslav Vadkerti <mva...@re...> +# +# DESCRIPTION: +# 1. Create LUKS encrypted loop device with more keys +# 2. Check if LUKS +# + can be accessed by correct keys +# + cannot be accessed by other keys +# + keeps all the data consistent +# + cannot be accessed if header reformated +# + +source testcase.bash || exit 2 +source tp_loop_device.bash || exit 2 +source tp_luks_functions.bash || exit 2 + +### defaults +DMCRYPT="cryptfs" +DMCRYPTDEV="/dev/mapper/$DMCRYPT" +LUKSPASS="7k+paSs" +LUKSPASSND="2nd7k+paSs!!!" 
+LUKSPASSRD="paSs!!1444b_" +MOUNT="/mnt/crypt" + +### functions + +### main() + +# be verbose +set -x + +# add new loop device +create_loop_device +prepend_cleanup "remove_loop_device" + +# create LUKS on loop device +create_luks $LUKSPASS + +# check if LUKS device uses 1 key slot +check_luks 1 + +# add another 2 keys +addkey_luks $LUKSPASS $LUKSPASSND +addkey_luks $LUKSPASS $LUKSPASSRD + +# check if LUKS device uses 2 key slots +check_luks 3 + +# open LUKS Device with first pass +open_luks $DMCRYPT $LUKSPASS || exit_fail "Failed to open LUKS" + +# check if kernel supports secure data flag +cryptsetup status $DMCRYPT | grep "data flag" && \ + exit_fail "Kernel doesn't support secure data flag" + + +# create new ext3 fs on LUKS and mount it +mkfs.ext4 $DMCRYPTDEV || exit_fail "Failed to format LUKS" +mkdir $MOUNT +prepend_cleanup "rm -rf $MOUNT" +mount -o acl $DMCRYPTDEV $MOUNT || exit_fail "Cannot mount LUKS" + +# add some sample data and umount the fs +echo "CCC TEST" >> $MOUNT/testfile +setfacl -m u:root:r $MOUNT/testfile || exit_fail "Failed to set ACL" +chcon -t etc_t $MOUNT/testfile +umount $MOUNT + +# close LUKS +close_luks $DMCRYPT + +# open LUKS Device with second pass +open_luks $DMCRYPT $LUKSPASSND || exit_fail "Failed to open LUKS" + +# mount the test fs again +mount -o acl $DMCRYPTDEV $MOUNT || exit_fail "Cannot mount LUKS" + +# check if all created data consistent +getfacl $MOUNT/testfile | tr -d '\n' | \ + egrep "user::rw-user:root:r--group::r--mask::r--other::r--" || \ + exit_fail "Failed ACL check" +ls -Z $MOUNT/testfile | egrep "etc_t" || \ + exit_fail "Failed SELinux context check" +umount $MOUNT + +# close LUKS +close_luks $DMCRYPT + +# open LUKS Device with bad password +open_luks $DMCRYPT "BADPASS" && exit_fail "LUKS opened with invalid password" + +# reformat LUKS +create_luks $LUKSPASSRD + +# open LUKS Device with correct first pass after reformat +open_luks $DMCRYPT $LUKSPASSND && exit_fail "LUKS opened with old password" + +# if no failures 
- the test passes +exit_pass -- 1.7.1 |
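Review bot: The failure exits taken while the mapping is open and mounted (for example "Failed ACL check" and "Failed SELinux context check" after the second `open_luks`) leave the filesystem mounted and the dm-crypt mapping open, and the registered cleanup does not undo either: remove_loop_device runs `umount $LOOPDEV`, but the filesystem is mounted from `$DMCRYPTDEV` on `$MOUNT`, and nothing in the cleanup calls `cryptsetup luksClose`. Registering `prepend_cleanup "umount $MOUNT"` after a successful mount and `prepend_cleanup "cryptsetup luksClose $DMCRYPT"` after a successful open_luks would cover those exits. `mkdir $MOUNT` and `chcon -t etc_t $MOUNT/testfile` are also unchecked, so a failure there surfaces later as a misleading mount or context failure.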
From: Linda K. <lin...@hp...> - 2011-07-15 22:43:55
|
Hi Miroslav,

I'm going to pull this patch set in but I have a few questions below.

-- ljk

mva...@re... wrote:
> From: Miroslav Vadkerti <mva...@re...> > > This test covers these SFRs: > FDP_ACF.1(CP), FDP_CDP.1(CP), FMT_MSA.3(CP) > > More information in the test > > Signed-off-by: Miroslav Vadkerti <mva...@re...> > --- > audit/crypto/tests/test_cryptsetup_access.bash | 119 ++++++++++++++++++++++++ > 1 files changed, 119 insertions(+), 0 deletions(-) > create mode 100755 audit/crypto/tests/test_cryptsetup_access.bash > > diff --git a/audit/crypto/tests/test_cryptsetup_access.bash b/audit/crypto/tests/test_cryptsetup_access.bash > new file mode 100755 > index 0000000..37af3b8 > --- /dev/null > +++ b/audit/crypto/tests/test_cryptsetup_access.bash 
> @@ -0,0 +1,119 @@ > +#!/bin/bash > +############################################################################### > +# Copyright (c) 2011 Red Hat, Inc. All rights reserved. > +# > +# This copyrighted material is made available to anyone wishing > +# to use, modify, copy, or redistribute it subject to the terms > +# and conditions of the GNU General Public License version 2. > +# > +# This program is distributed in the hope that it will be > +# useful, but WITHOUT ANY WARRANTY; without even the implied > +# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR > +# PURPOSE. See the GNU General Public License for more details. > +# > +# You should have received a copy of the GNU General Public > +# License along with this program; if not, write to the Free > +# Software Foundation, Inc., 51 Franklin Street, Fifth Floor, > +# Boston, MA 02110-1301, USA. > +############################################################################### > +# > +# SFRs: FDP_ACF.1(CP), FDP_CDP.1(CP), FMT_MSA.3(CP) > +# > +# AUTHOR: Miroslav Vadkerti <mva...@re...> > +# > +# DESCRIPTION: > +# 1. Create LUKS encrypted loop device with more keys > +# 2. Check if LUKS > +# + can be accessed by correct keys > +# + cannot be accessed by other keys > +# + keeps all the data consistent > +# + cannot be accessed if header reformated > +# > + > +source testcase.bash || exit 2 > +source tp_loop_device.bash || exit 2 > +source tp_luks_functions.bash || exit 2 > + > +### defaults > +DMCRYPT="cryptfs" > +DMCRYPTDEV="/dev/mapper/$DMCRYPT" > +LUKSPASS="7k+paSs" > +LUKSPASSND="2nd7k+paSs!!!" 
> +LUKSPASSRD="paSs!!1444b_" > +MOUNT="/mnt/crypt" > + > +### functions > + > +### main() > + > +# be verbose > +set -x > + > +# add new loop device > +create_loop_device > +prepend_cleanup "remove_loop_device" > + > +# create LUKS on loop device > +create_luks $LUKSPASS > + > +# check if LUKS device uses 1 key slot > +check_luks 1 > + > +# add another 2 keys > +addkey_luks $LUKSPASS $LUKSPASSND > +addkey_luks $LUKSPASS $LUKSPASSRD > + > +# check if LUKS device uses 2 key slots > +check_luks 3 > + > +# open LUKS Device with first pass > +open_luks $DMCRYPT $LUKSPASS || exit_fail "Failed to open LUKS" > + > +# check if kernel supports secure data flag > +cryptsetup status $DMCRYPT | grep "data flag" && \ > + exit_fail "Kernel doesn't support secure data flag" > + > + > +# create new ext3 fs on LUKS and mount it > +mkfs.ext4 $DMCRYPTDEV || exit_fail "Failed to format LUKS" > +mkdir $MOUNT > +prepend_cleanup "rm -rf $MOUNT" > +mount -o acl $DMCRYPTDEV $MOUNT || exit_fail "Cannot mount LUKS" > + > +# add some sample data and umount the fs > +echo "CCC TEST" >> $MOUNT/testfile > +setfacl -m u:root:r $MOUNT/testfile || exit_fail "Failed to set ACL" > +chcon -t etc_t $MOUNT/testfile > +umount $MOUNT > + > +# close LUKS > +close_luks $DMCRYPT > + > +# open LUKS Device with second pass > +open_luks $DMCRYPT $LUKSPASSND || exit_fail "Failed to open LUKS" > + > +# mount the test fs again > +mount -o acl $DMCRYPTDEV $MOUNT || exit_fail "Cannot mount LUKS" > + > +# check if all created data consistent > +getfacl $MOUNT/testfile | tr -d '\n' | \ > + egrep "user::rw-user:root:r--group::r--mask::r--other::r--" || \ > + exit_fail "Failed ACL check" If this fails, the filesystem is left mounted? > +ls -Z $MOUNT/testfile | egrep "etc_t" || \ > + exit_fail "Failed SELinux context check" Same here? Do you need an unmount in the cleanup? 
> +umount $MOUNT > + > +# close LUKS > +close_luks $DMCRYPT > + > +# open LUKS Device with bad password > +open_luks $DMCRYPT "BADPASS" && exit_fail "LUKS opened with invalid password" > + > +# reformat LUKS > +create_luks $LUKSPASSRD > + > +# open LUKS Device with correct first pass after reformat > +open_luks $DMCRYPT $LUKSPASSND && exit_fail "LUKS opened with old password" I don't know anything about LUKS. Is there any state that needs to be cleaned up? > + > +# if no failures - the test passes > +exit_pass |
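Review bot: Several comments in the quoted test do not match the code beneath them: "check if LUKS device uses 2 key slots" precedes `check_luks 3`, "create new ext3 fs" precedes `mkfs.ext4`, and "open LUKS Device with correct first pass after reformat" opens with `$LUKSPASSND`, the second passphrase. The secure data flag check also reads backwards, since it calls exit_fail "Kernel doesn't support secure data flag" when `grep "data flag"` matches; a comment saying which `cryptsetup status` line is being matched would make the intent checkable.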
From: Miroslav V. <mva...@re...> - 2011-07-18 05:50:25
|
Hi Linda,

Yes, you are right, there should be proper cleanup if those cases fail. I will add unmount to the cleanup and also removing the luks device in case of a failure of the relevant test case. I will post the patches later today.

/M

On 07/16/2011 12:42 AM, Linda Knippers wrote:
> Hi Miroslav, > > I'm going to pull this patch set in but I have a few questions below. > > -- ljk > > mva...@re... wrote: >> From: Miroslav Vadkerti<mva...@re...> >> >> This test covers these SFRs: >> FDP_ACF.1(CP), FDP_CDP.1(CP), FMT_MSA.3(CP) >> >> More information in the test >> >> Signed-off-by: Miroslav Vadkerti<mva...@re...> >> --- >> audit/crypto/tests/test_cryptsetup_access.bash | 119 ++++++++++++++++++++++++ >> 1 files changed, 119 insertions(+), 0 deletions(-) >> create mode 100755 audit/crypto/tests/test_cryptsetup_access.bash >> >> diff --git a/audit/crypto/tests/test_cryptsetup_access.bash b/audit/crypto/tests/test_cryptsetup_access.bash >> new file mode 100755 >> index 0000000..37af3b8 >> --- /dev/null >> +++ b/audit/crypto/tests/test_cryptsetup_access.bash 
>> @@ -0,0 +1,119 @@ >> +#!/bin/bash >> +############################################################################### >> +# Copyright (c) 2011 Red Hat, Inc. All rights reserved. >> +# >> +# This copyrighted material is made available to anyone wishing >> +# to use, modify, copy, or redistribute it subject to the terms >> +# and conditions of the GNU General Public License version 2. >> +# >> +# This program is distributed in the hope that it will be >> +# useful, but WITHOUT ANY WARRANTY; without even the implied >> +# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR >> +# PURPOSE. See the GNU General Public License for more details. >> +# >> +# You should have received a copy of the GNU General Public >> +# License along with this program; if not, write to the Free >> +# Software Foundation, Inc., 51 Franklin Street, Fifth Floor, >> +# Boston, MA 02110-1301, USA. >> +############################################################################### >> +# >> +# SFRs: FDP_ACF.1(CP), FDP_CDP.1(CP), FMT_MSA.3(CP) >> +# >> +# AUTHOR: Miroslav Vadkerti<mva...@re...> >> +# >> +# DESCRIPTION: >> +# 1. Create LUKS encrypted loop device with more keys >> +# 2. Check if LUKS >> +# + can be accessed by correct keys >> +# + cannot be accessed by other keys >> +# + keeps all the data consistent >> +# + cannot be accessed if header reformated >> +# >> + >> +source testcase.bash || exit 2 >> +source tp_loop_device.bash || exit 2 >> +source tp_luks_functions.bash || exit 2 >> + >> +### defaults >> +DMCRYPT="cryptfs" >> +DMCRYPTDEV="/dev/mapper/$DMCRYPT" >> +LUKSPASS="7k+paSs" >> +LUKSPASSND="2nd7k+paSs!!!" 
>> +LUKSPASSRD="paSs!!1444b_" >> +MOUNT="/mnt/crypt" >> + >> +### functions >> + >> +### main() >> + >> +# be verbose >> +set -x >> + >> +# add new loop device >> +create_loop_device >> +prepend_cleanup "remove_loop_device" >> + >> +# create LUKS on loop device >> +create_luks $LUKSPASS >> + >> +# check if LUKS device uses 1 key slot >> +check_luks 1 >> + >> +# add another 2 keys >> +addkey_luks $LUKSPASS $LUKSPASSND >> +addkey_luks $LUKSPASS $LUKSPASSRD >> + >> +# check if LUKS device uses 2 key slots >> +check_luks 3 >> + >> +# open LUKS Device with first pass >> +open_luks $DMCRYPT $LUKSPASS || exit_fail "Failed to open LUKS" >> + >> +# check if kernel supports secure data flag >> +cryptsetup status $DMCRYPT | grep "data flag"&& \ >> + exit_fail "Kernel doesn't support secure data flag" >> + >> + >> +# create new ext3 fs on LUKS and mount it >> +mkfs.ext4 $DMCRYPTDEV || exit_fail "Failed to format LUKS" >> +mkdir $MOUNT >> +prepend_cleanup "rm -rf $MOUNT" >> +mount -o acl $DMCRYPTDEV $MOUNT || exit_fail "Cannot mount LUKS" >> + >> +# add some sample data and umount the fs >> +echo "CCC TEST">> $MOUNT/testfile >> +setfacl -m u:root:r $MOUNT/testfile || exit_fail "Failed to set ACL" >> +chcon -t etc_t $MOUNT/testfile >> +umount $MOUNT >> + >> +# close LUKS >> +close_luks $DMCRYPT >> + >> +# open LUKS Device with second pass >> +open_luks $DMCRYPT $LUKSPASSND || exit_fail "Failed to open LUKS" >> + >> +# mount the test fs again >> +mount -o acl $DMCRYPTDEV $MOUNT || exit_fail "Cannot mount LUKS" >> + >> +# check if all created data consistent >> +getfacl $MOUNT/testfile | tr -d '\n' | \ >> + egrep "user::rw-user:root:r--group::r--mask::r--other::r--" || \ >> + exit_fail "Failed ACL check" > If this fails, the filesystem is left mounted? > >> +ls -Z $MOUNT/testfile | egrep "etc_t" || \ >> + exit_fail "Failed SELinux context check" > Same here? Do you need an unmount in the cleanup? 
> >> +umount $MOUNT >> + >> +# close LUKS >> +close_luks $DMCRYPT >> + >> +# open LUKS Device with bad password >> +open_luks $DMCRYPT "BADPASS"&& exit_fail "LUKS opened with invalid password" >> + >> +# reformat LUKS >> +create_luks $LUKSPASSRD >> + >> +# open LUKS Device with correct first pass after reformat >> +open_luks $DMCRYPT $LUKSPASSND&& exit_fail "LUKS opened with old password" > I don't know anything about LUKS. Is there any state that needs to be cleaned up? > >> + >> +# if no failures - the test passes >> +exit_pass -- Miroslav Vadkerti :: Quality Assurance Engineer / RHCE :: BaseOS QE - Security Phone +420 532 294 129 :: CR cell +420 775 039 842 :: SR cell +421 904 135 440 IRC mvadkert at #qe #urt #brno #rpmdiff :: GnuPG ID 0x25881087 at pgp.mit.edu Red Hat s.r.o, Purkynova 99/71, 612 45, Brno, Czech Republic |
From: Miroslav V. <mva...@re...> - 2011-07-18 18:06:40
|
Hi Linda,

I checked the code again and I forgot that the unmount cleanup is taken care of in remove_loop_device that is added to the cleanup section via prepend cleanup at the beginning.

The same situation is with create_luks that just formats the loop device which is in case of a problem properly cleaned up also in the above function.

Sorry for the noise,

Regards,
/M

----- Original Message -----
> Hi Linda, > > Yes, you are right, there should be proper cleanup if those > cases fail. I will add unmount to the cleanup and also removing the > luks device in case of a failure of the relevant test case. I will > post > the patches later today. > > /M > > On 07/16/2011 12:42 AM, Linda Knippers wrote: > > Hi Miroslav, > > > > I'm going to pull this patch set in but I have a few questions below. > > > > -- ljk > > > > mva...@re... wrote: > >> From: Miroslav Vadkerti<mva...@re...> > >> > >> This test covers these SFRs: > >> FDP_ACF.1(CP), FDP_CDP.1(CP), FMT_MSA.3(CP) > >> > >> More information in the test > >> > >> Signed-off-by: Miroslav Vadkerti<mva...@re...> > >> --- > >> audit/crypto/tests/test_cryptsetup_access.bash | 119 > >> ++++++++++++++++++++++++ > >> 1 files changed, 119 insertions(+), 0 deletions(-) > >> create mode 100755 audit/crypto/tests/test_cryptsetup_access.bash > >> > >> diff --git a/audit/crypto/tests/test_cryptsetup_access.bash > >> b/audit/crypto/tests/test_cryptsetup_access.bash > >> new file mode 100755 > >> index 0000000..37af3b8 > >> --- /dev/null > >> +++ b/audit/crypto/tests/test_cryptsetup_access.bash 
> >> @@ -0,0 +1,119 @@ > >> +#!/bin/bash > >> +############################################################################### > >> +# Copyright (c) 2011 Red Hat, Inc. All rights reserved. > >> +# > >> +# This copyrighted material is made available to anyone wishing > >> +# to use, modify, copy, or redistribute it subject to the terms > >> +# and conditions of the GNU General Public License version 2. > >> +# > >> +# This program is distributed in the hope that it will be > >> +# useful, but WITHOUT ANY WARRANTY; without even the implied > >> +# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR > >> +# PURPOSE. See the GNU General Public License for more details. > >> +# > >> +# You should have received a copy of the GNU General Public > >> +# License along with this program; if not, write to the Free > >> +# Software Foundation, Inc., 51 Franklin Street, Fifth Floor, > >> +# Boston, MA 02110-1301, USA. > >> +############################################################################### > >> +# > >> +# SFRs: FDP_ACF.1(CP), FDP_CDP.1(CP), FMT_MSA.3(CP) > >> +# > >> +# AUTHOR: Miroslav Vadkerti<mva...@re...> > >> +# > >> +# DESCRIPTION: > >> +# 1. Create LUKS encrypted loop device with more keys > >> +# 2. Check if LUKS > >> +# + can be accessed by correct keys > >> +# + cannot be accessed by other keys > >> +# + keeps all the data consistent > >> +# + cannot be accessed if header reformated > >> +# > >> + > >> +source testcase.bash || exit 2 > >> +source tp_loop_device.bash || exit 2 > >> +source tp_luks_functions.bash || exit 2 > >> + > >> +### defaults > >> +DMCRYPT="cryptfs" > >> +DMCRYPTDEV="/dev/mapper/$DMCRYPT" > >> +LUKSPASS="7k+paSs" > >> +LUKSPASSND="2nd7k+paSs!!!" 
> >> +LUKSPASSRD="paSs!!1444b_" > >> +MOUNT="/mnt/crypt" > >> + > >> +### functions > >> + > >> +### main() > >> + > >> +# be verbose > >> +set -x > >> + > >> +# add new loop device > >> +create_loop_device > >> +prepend_cleanup "remove_loop_device" > >> + > >> +# create LUKS on loop device > >> +create_luks $LUKSPASS > >> + > >> +# check if LUKS device uses 1 key slot > >> +check_luks 1 > >> + > >> +# add another 2 keys > >> +addkey_luks $LUKSPASS $LUKSPASSND > >> +addkey_luks $LUKSPASS $LUKSPASSRD > >> + > >> +# check if LUKS device uses 2 key slots > >> +check_luks 3 > >> + > >> +# open LUKS Device with first pass > >> +open_luks $DMCRYPT $LUKSPASS || exit_fail "Failed to open LUKS" > >> + > >> +# check if kernel supports secure data flag > >> +cryptsetup status $DMCRYPT | grep "data flag"&& \ > >> + exit_fail "Kernel doesn't support secure data flag" > >> + > >> + > >> +# create new ext3 fs on LUKS and mount it > >> +mkfs.ext4 $DMCRYPTDEV || exit_fail "Failed to format LUKS" > >> +mkdir $MOUNT > >> +prepend_cleanup "rm -rf $MOUNT" > >> +mount -o acl $DMCRYPTDEV $MOUNT || exit_fail "Cannot mount LUKS" > >> + > >> +# add some sample data and umount the fs > >> +echo "CCC TEST">> $MOUNT/testfile > >> +setfacl -m u:root:r $MOUNT/testfile || exit_fail "Failed to set > >> ACL" > >> +chcon -t etc_t $MOUNT/testfile > >> +umount $MOUNT > >> + > >> +# close LUKS > >> +close_luks $DMCRYPT > >> + > >> +# open LUKS Device with second pass > >> +open_luks $DMCRYPT $LUKSPASSND || exit_fail "Failed to open LUKS" > >> + > >> +# mount the test fs again > >> +mount -o acl $DMCRYPTDEV $MOUNT || exit_fail "Cannot mount LUKS" > >> + > >> +# check if all created data consistent > >> +getfacl $MOUNT/testfile | tr -d '\n' | \ > >> + egrep "user::rw-user:root:r--group::r--mask::r--other::r--" || \ > >> + exit_fail "Failed ACL check" > > If this fails, the filesystem is left mounted? 
> > > >> +ls -Z $MOUNT/testfile | egrep "etc_t" || \ > >> + exit_fail "Failed SELinux context check" > > Same here? Do you need an unmount in the cleanup? > > > >> +umount $MOUNT > >> + > >> +# close LUKS > >> +close_luks $DMCRYPT > >> + > >> +# open LUKS Device with bad password > >> +open_luks $DMCRYPT "BADPASS"&& exit_fail "LUKS opened with invalid > >> password" > >> + > >> +# reformat LUKS > >> +create_luks $LUKSPASSRD > >> + > >> +# open LUKS Device with correct first pass after reformat > >> +open_luks $DMCRYPT $LUKSPASSND&& exit_fail "LUKS opened with old > >> password" > > I don't know anything about LUKS. Is there any state that needs to > > be cleaned up? > > > >> + > >> +# if no failures - the test passes > >> +exit_pass > > > -- > Miroslav Vadkerti :: Quality Assurance Engineer / RHCE :: BaseOS QE - > Security > Phone +420 532 294 129 :: CR cell +420 775 039 842 :: SR cell +421 904 > 135 440 > IRC mvadkert at #qe #urt #brno #rpmdiff :: GnuPG ID 0x25881087 at > pgp.mit.edu > Red Hat s.r.o, Purkynova 99/71, 612 45, Brno, Czech Republic
-- Miroslav Vadkerti :: Quality Assurance Engineer / RHCE :: BaseOS QE - Security Phone +420 532 294 129 :: CR cell +420 775 039 842 :: SR cell +421 904 135 440 IRC mvadkert at #qe #urt #brno #rpmdiff :: GnuPG ID 0x25881087 at pgp.mit.edu Red Hat s.r.o, Purkyňova 99/71, 612 45, Brno, Czech Republic |
From: Linda K. <lin...@hp...> - 2011-07-18 18:09:44
|
Hi Miroslav,

Miroslav Vadkerti wrote:
> Hi Linda, > > I checked the code again and I forgot that the unmount cleanup > is taken care of in remove_loop_device that is added to the > cleanup section via prepend cleanup at the beginning. > > The same situation is with create_luks that just > formats the loop device which is in case of a problem properly > cleaned up also in the above function. > > Sorry for the noise,

Thanks for checking. I didn't look at remove_loop_device so I missed it. Sorry about that.

-- ljk

> > Regards, > /M > > > ----- Original Message ----- >> Hi Linda, >> >> Yes, you are right, there should be proper cleanup if those >> cases fail. I will add unmount to the cleanup and also removing the >> luks device in case of a failure of the relevant test case. I will >> post >> the patches later today. >> >> /M >> >> On 07/16/2011 12:42 AM, Linda Knippers wrote: >>> Hi Miroslav, >>> >>> I'm going to pull this patch set in but I have a few questions below. >>> >>> -- ljk >>> >>> mva...@re... wrote: >>>> From: Miroslav Vadkerti<mva...@re...> >>>> >>>> This test covers these SFRs: >>>> FDP_ACF.1(CP), FDP_CDP.1(CP), FMT_MSA.3(CP) >>>> >>>> More information in the test >>>> >>>> Signed-off-by: Miroslav Vadkerti<mva...@re...> >>>> --- >>>> audit/crypto/tests/test_cryptsetup_access.bash | 119 >>>> ++++++++++++++++++++++++ >>>> 1 files changed, 119 insertions(+), 0 deletions(-) >>>> create mode 100755 audit/crypto/tests/test_cryptsetup_access.bash >>>> >>>> diff --git a/audit/crypto/tests/test_cryptsetup_access.bash >>>> b/audit/crypto/tests/test_cryptsetup_access.bash >>>> new file mode 100755 >>>> index 0000000..37af3b8 >>>> --- /dev/null >>>> +++ b/audit/crypto/tests/test_cryptsetup_access.bash 
>>>> @@ -0,0 +1,119 @@ >>>> +#!/bin/bash >>>> +############################################################################### >>>> +# Copyright (c) 2011 Red Hat, Inc. All rights reserved. >>>> +# >>>> +# This copyrighted material is made available to anyone wishing >>>> +# to use, modify, copy, or redistribute it subject to the terms >>>> +# and conditions of the GNU General Public License version 2. >>>> +# >>>> +# This program is distributed in the hope that it will be >>>> +# useful, but WITHOUT ANY WARRANTY; without even the implied >>>> +# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR >>>> +# PURPOSE. See the GNU General Public License for more details. >>>> +# >>>> +# You should have received a copy of the GNU General Public >>>> +# License along with this program; if not, write to the Free >>>> +# Software Foundation, Inc., 51 Franklin Street, Fifth Floor, >>>> +# Boston, MA 02110-1301, USA. >>>> +############################################################################### >>>> +# >>>> +# SFRs: FDP_ACF.1(CP), FDP_CDP.1(CP), FMT_MSA.3(CP) >>>> +# >>>> +# AUTHOR: Miroslav Vadkerti<mva...@re...> >>>> +# >>>> +# DESCRIPTION: >>>> +# 1. Create LUKS encrypted loop device with more keys >>>> +# 2. Check if LUKS >>>> +# + can be accessed by correct keys >>>> +# + cannot be accessed by other keys >>>> +# + keeps all the data consistent >>>> +# + cannot be accessed if header reformated >>>> +# >>>> + >>>> +source testcase.bash || exit 2 >>>> +source tp_loop_device.bash || exit 2 >>>> +source tp_luks_functions.bash || exit 2 >>>> + >>>> +### defaults >>>> +DMCRYPT="cryptfs" >>>> +DMCRYPTDEV="/dev/mapper/$DMCRYPT" >>>> +LUKSPASS="7k+paSs" >>>> +LUKSPASSND="2nd7k+paSs!!!" 
>>>> +LUKSPASSRD="paSs!!1444b_" >>>> +MOUNT="/mnt/crypt" >>>> + >>>> +### functions >>>> + >>>> +### main() >>>> + >>>> +# be verbose >>>> +set -x >>>> + >>>> +# add new loop device >>>> +create_loop_device >>>> +prepend_cleanup "remove_loop_device" >>>> + >>>> +# create LUKS on loop device >>>> +create_luks $LUKSPASS >>>> + >>>> +# check if LUKS device uses 1 key slot >>>> +check_luks 1 >>>> + >>>> +# add another 2 keys >>>> +addkey_luks $LUKSPASS $LUKSPASSND >>>> +addkey_luks $LUKSPASS $LUKSPASSRD >>>> + >>>> +# check if LUKS device uses 2 key slots >>>> +check_luks 3 >>>> + >>>> +# open LUKS Device with first pass >>>> +open_luks $DMCRYPT $LUKSPASS || exit_fail "Failed to open LUKS" >>>> + >>>> +# check if kernel supports secure data flag >>>> +cryptsetup status $DMCRYPT | grep "data flag"&& \ >>>> + exit_fail "Kernel doesn't support secure data flag" >>>> + >>>> + >>>> +# create new ext3 fs on LUKS and mount it >>>> +mkfs.ext4 $DMCRYPTDEV || exit_fail "Failed to format LUKS" >>>> +mkdir $MOUNT >>>> +prepend_cleanup "rm -rf $MOUNT" >>>> +mount -o acl $DMCRYPTDEV $MOUNT || exit_fail "Cannot mount LUKS" >>>> + >>>> +# add some sample data and umount the fs >>>> +echo "CCC TEST">> $MOUNT/testfile >>>> +setfacl -m u:root:r $MOUNT/testfile || exit_fail "Failed to set >>>> ACL" >>>> +chcon -t etc_t $MOUNT/testfile >>>> +umount $MOUNT >>>> + >>>> +# close LUKS >>>> +close_luks $DMCRYPT >>>> + >>>> +# open LUKS Device with second pass >>>> +open_luks $DMCRYPT $LUKSPASSND || exit_fail "Failed to open LUKS" >>>> + >>>> +# mount the test fs again >>>> +mount -o acl $DMCRYPTDEV $MOUNT || exit_fail "Cannot mount LUKS" >>>> + >>>> +# check if all created data consistent >>>> +getfacl $MOUNT/testfile | tr -d '\n' | \ >>>> + egrep "user::rw-user:root:r--group::r--mask::r--other::r--" || \ >>>> + exit_fail "Failed ACL check" >>> If this fails, the filesystem is left mounted? 
>>> >>>> +ls -Z $MOUNT/testfile | egrep "etc_t" || \ >>>> + exit_fail "Failed SELinux context check" >>> Same here? Do you need an unmount in the cleanup? >>> >>>> +umount $MOUNT >>>> + >>>> +# close LUKS >>>> +close_luks $DMCRYPT >>>> + >>>> +# open LUKS Device with bad password >>>> +open_luks $DMCRYPT "BADPASS"&& exit_fail "LUKS opened with invalid >>>> password" >>>> + >>>> +# reformat LUKS >>>> +create_luks $LUKSPASSRD >>>> + >>>> +# open LUKS Device with correct first pass after reformat >>>> +open_luks $DMCRYPT $LUKSPASSND&& exit_fail "LUKS opened with old >>>> password" >>> I don't know anything about LUKS. Is there any state that needs to >>> be cleaned up? >>> >>>> + >>>> +# if no failures - the test passes >>>> +exit_pass >> >> -- >> Miroslav Vadkerti :: Quality Assurance Engineer / RHCE :: BaseOS QE - >> Security >> Phone +420 532 294 129 :: CR cell +420 775 039 842 :: SR cell +421 904 >> 135 440 >> IRC mvadkert at #qe #urt #brno #rpmdiff :: GnuPG ID 0x25881087 at >> pgp.mit.edu >> Red Hat s.r.o, Purkynova 99/71, 612 45, Brno, Czech Republic > |
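Review bot: three comments in the new test_cryptsetup_access.bash disagree with the commands directly under them. "# check if LUKS device uses 2 key slots" precedes `check_luks 3`, "# create new ext3 fs on LUKS and mount it" precedes `mkfs.ext4`, and "# open LUKS Device with correct first pass after reformat" precedes an open with $LUKSPASSND, which the defaults section sets up as the second passphrase. Please align the comments with the commands, or the commands with the intent, so a reader can tell which key and which filesystem the test is meant to exercise. Separately, `mkdir $MOUNT` and `chcon -t etc_t $MOUNT/testfile` carry no `|| exit_fail`, unlike the mount and setfacl steps around them, so a failure there only shows up later as "Failed SELinux context check"; an explicit check at each step would make the failure point clear.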
From: Linda K. <lin...@hp...> - 2011-07-15 22:46:37
|
Hi Miroslav, Thanks for the patches. I've pulled these in. -- ljk > audit/crypto/run.conf | 1 + > audit/crypto/tests/test_cryptsetup_access.bash | 119 ++++++++++++++++++++++ > audit/crypto/tests/tp_loop_device.bash | 71 +++++++++++++ > audit/crypto/tests/tp_luks_functions.bash | 129 ++++++++++++++++++++++++ > audit/utils/selinux-policy/lspp_test.te | 9 ++- > 5 files changed, 328 insertions(+), 1 deletions(-) > create mode 100755 audit/crypto/tests/test_cryptsetup_access.bash > create mode 100644 audit/crypto/tests/tp_loop_device.bash > create mode 100644 audit/crypto/tests/tp_luks_functions.bash |