Menu
▾
▴
Re: [Audit-test-developer] [PATCH 5/5] Added crypto/cryptsetup_access
|
From: Linda K. <lin...@hp...> - 2011-07-18 18:09:44
|
Hi Miroslav, Miroslav Vadkerti wrote: > Hi Linda, > > I checked the code again and I forgot that the unmount cleanup > is taken care of in remove_loop_device that is added to the > cleanup section via prepend cleanup at the begging. > > The same situation is with create_luks that just > formats the loop device which is in case of a problem properly > cleaned up also in the above function. > > Sorry for the noise, Thanks for checking. I didn't look at remove_loop_device so I missed it. Sorry about that. -- ljk > > Regards, > /M > > > ----- Original Message ----- >> Hi Linda, >> >> Yes you are right there should be proper cleanup if those >> cases fail. I will add unmount to the cleanup and also removing the >> luks device in case of a failure of the relevant test case. I will >> post >> the patches later today. >> >> /M >> >> On 07/16/2011 12:42 AM, Linda Knippers wrote: >>> Hi Miroslav, >>> >>> I'm going to pull this patch set in but I have a few question below. >>> >>> -- ljk >>> >>> mva...@re... wrote: >>>> From: Miroslav Vadkerti<mva...@re...> >>>> >>>> This test covers these SFRs: >>>> FDP_ACF.1(CP), FDP_CDP.1(CP), FMT_MSA.3(CP) >>>> >>>> More inforamation in the test >>>> >>>> Signed-off-by: Miroslav Vadkerti<mva...@re...> >>>> --- >>>> audit/crypto/tests/test_cryptsetup_access.bash | 119 >>>> ++++++++++++++++++++++++ >>>> 1 files changed, 119 insertions(+), 0 deletions(-) >>>> create mode 100755 audit/crypto/tests/test_cryptsetup_access.bash >>>> >>>> diff --git a/audit/crypto/tests/test_cryptsetup_access.bash >>>> b/audit/crypto/tests/test_cryptsetup_access.bash >>>> new file mode 100755 >>>> index 0000000..37af3b8 >>>> --- /dev/null >>>> +++ b/audit/crypto/tests/test_cryptsetup_access.bash >>>> @@ -0,0 +1,119 @@ >>>> +#!/bin/bash >>>> +############################################################################### >>>> +# Copyright (c) 2011 Red Hat, Inc. All rights reserved. >>>> +# >>>> +# This copyrighted material is made available to anyone wishing >>>> +# to use, modify, copy, or redistribute it subject to the terms >>>> +# and conditions of the GNU General Public License version 2. >>>> +# >>>> +# This program is distributed in the hope that it will be >>>> +# useful, but WITHOUT ANY WARRANTY; without even the implied >>>> +# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR >>>> +# PURPOSE. See the GNU General Public License for more details. >>>> +# >>>> +# You should have received a copy of the GNU General Public >>>> +# License along with this program; if not, write to the Free >>>> +# Software Foundation, Inc., 51 Franklin Street, Fifth Floor, >>>> +# Boston, MA 02110-1301, USA. >>>> +############################################################################### >>>> +# >>>> +# SFRs: FDP_ACF.1(CP), FDP_CDP.1(CP), FMT_MSA.3(CP) >>>> +# >>>> +# AUTHOR: Miroslav Vadkerti<mva...@re...> >>>> +# >>>> +# DESCRIPTION: >>>> +# 1. Create LUKS encrypted loop device with more keys >>>> +# 2. Check if LUKS >>>> +# + can be accessed by correct keys >>>> +# + cannot be accessed by other keys >>>> +# + keeps all the data consistent >>>> +# + cannot be accessed if header reformated >>>> +# >>>> + >>>> +source testcase.bash || exit 2 >>>> +source tp_loop_device.bash || exit 2 >>>> +source tp_luks_functions.bash || exit 2 >>>> + >>>> +### defaults >>>> +DMCRYPT="cryptfs" >>>> +DMCRYPTDEV="/dev/mapper/$DMCRYPT" >>>> +LUKSPASS="7k+paSs" >>>> +LUKSPASSND="2nd7k+paSs!!!" >>>> +LUKSPASSRD="paSs!!1444b_" >>>> +MOUNT="/mnt/crypt" >>>> + >>>> +### functions >>>> + >>>> +### main() >>>> + >>>> +# be verbose >>>> +set -x >>>> + >>>> +# add new loop device >>>> +create_loop_device >>>> +prepend_cleanup "remove_loop_device" >>>> + >>>> +# create LUKS on loop device >>>> +create_luks $LUKSPASS >>>> + >>>> +# check if LUKS device uses 1 key slot >>>> +check_luks 1 >>>> + >>>> +# add another 2 keys >>>> +addkey_luks $LUKSPASS $LUKSPASSND >>>> +addkey_luks $LUKSPASS $LUKSPASSRD >>>> + >>>> +# check if LUKS device uses 2 key slots >>>> +check_luks 3 >>>> + >>>> +# open LUKS Device with first pass >>>> +open_luks $DMCRYPT $LUKSPASS || exit_fail "Failed to open LUKS" >>>> + >>>> +# check if kernel supports secure data flag >>>> +cryptsetup status $DMCRYPT | grep "data flag"&& \ >>>> + exit_fail "Kernel doesn't support secure data flag" >>>> + >>>> + >>>> +# create new ext3 fs on LUKS and mount it >>>> +mkfs.ext4 $DMCRYPTDEV || exit_fail "Failed to format LUKS" >>>> +mkdir $MOUNT >>>> +prepend_cleanup "rm -rf $MOUNT" >>>> +mount -o acl $DMCRYPTDEV $MOUNT || exit_fail "Cannot mount LUKS" >>>> + >>>> +# add some sample data and umount the fs >>>> +echo "CCC TEST">> $MOUNT/testfile >>>> +setfacl -m u:root:r $MOUNT/testfile || exit_fail "Failed to set >>>> ACL" >>>> +chcon -t etc_t $MOUNT/testfile >>>> +umount $MOUNT >>>> + >>>> +# close LUKS >>>> +close_luks $DMCRYPT >>>> + >>>> +# open LUKS Device with second pass >>>> +open_luks $DMCRYPT $LUKSPASSND || exit_fail "Failed to open LUKS" >>>> + >>>> +# mount the test fs again >>>> +mount -o acl $DMCRYPTDEV $MOUNT || exit_fail "Cannot mount LUKS" >>>> + >>>> +# check if all created data consistent >>>> +getfacl $MOUNT/testfile | tr -d '\n' | \ >>>> + egrep "user::rw-user:root:r--group::r--mask::r--other::r--" || \ >>>> + exit_fail "Failed ACL check" >>> If this fails, the filesystem is left mounted? >>> >>>> +ls -Z $MOUNT/testfile | egrep "etc_t" || \ >>>> + exit_fail "Failed SELinux context check" >>> Same here? Do you need an unmount in the cleanup? >>> >>>> +umount $MOUNT >>>> + >>>> +# close LUKS >>>> +close_luks $DMCRYPT >>>> + >>>> +# open LUKS Device with bad password >>>> +open_luks $DMCRYPT "BADPASS"&& exit_fail "LUKS opened with invalid >>>> password" >>>> + >>>> +# reformat LUKS >>>> +create_luks $LUKSPASSRD >>>> + >>>> +# open LUKS Device with correct first pass after reformat >>>> +open_luks $DMCRYPT $LUKSPASSND&& exit_fail "LUKS opened with old >>>> password" >>> I don't know anything about LUKS. Is there any state that needs to >>> be cleaned up? >>> >>>> + >>>> +# if no failures - the test passes >>>> +exit_pass >> >> -- >> Miroslav Vadkerti :: Quality Assurance Engineer / RHCE :: BaseOS QE - >> Security >> Phone +420 532 294 129 :: CR cell +420 775 039 842 :: SR cell +421 904 >> 135 440 >> IRC mvadkert at #qe #urt #brno #rpmdiff :: GnuPG ID 0x25881087 at >> pgp.mit.edu >> Red Hat s.r.o, Purkynova 99/71, 612 45, Brno, Czech Republic >> >> >> ------------------------------------------------------------------------------ >> AppSumo Presents a FREE Video for the SourceForge Community by Eric >> Ries, the creator of the Lean Startup Methodology on "Lean Startup >> Secrets Revealed." This video shows you how to validate your ideas, >> optimize your ideas and identify your business strategy. >> http://p.sf.net/sfu/appsumosfdev2dev >> _______________________________________________ >> Audit-test-developer mailing list >> Aud...@li... >> https://lists.sourceforge.net/lists/listinfo/audit-test-developer > |