-
Notifications
You must be signed in to change notification settings - Fork 266
/
ima_appraisal_hashes.pm
70 lines (55 loc) · 2.56 KB
/
ima_appraisal_hashes.pm
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
# Copyright 2019-2021 SUSE LLC
# SPDX-License-Identifier: GPL-2.0-or-later
#
# Summary: Test IMA appraisal using hashes
# Maintainer: llzhao <llzhao@suse.com>, rfan1 <richard.fan@suse.com>
# Tags: poo#53579, poo#100694, poo#102311
use base 'opensusebasetest';
use strict;
use warnings;
use testapi;
use utils;
use bootloader_setup qw(add_grub_cmdline_settings replace_grub_cmdline_settings tianocore_disable_secureboot);
use power_action_utils 'power_action';
sub run {
my ($self) = @_;
$self->select_serial_terminal;
my $fstype = 'ext4';
my $sample_app = '/usr/bin/yes';
my $sample_cmd = 'yes --version';
my ($kver) = script_output('uname -r') =~ /(\d+\.\d+)\.\d+-*/;
assert_script_run "echo $kver";
my $tcb_cmdline = ($kver lt 4.13) ? 'ima_appraise_tcb' : 'ima_policy=appraise_tcb';
add_grub_cmdline_settings("ima_appraise=fix $tcb_cmdline", update_grub => 1);
record_info("bsc#1189988 ","We need disable secureboot");
power_action('reboot', textmode => 1);
$self->wait_grub(bootloader_time => 200);
$self->tianocore_disable_secureboot;
$self->wait_boot(textmode => 1);
$self->select_serial_terminal;
my $findret = script_output("find / -fstype $fstype -type f -uid 0 -exec sh -c \"< '{}'\" \\;", 900, proceed_on_failure => 1);
# Allow "No such file" message for the files in /proc because they are mutable
my @finds = split /\n/, $findret;
$_ =~ m/\/proc\/.*No such file/ or die "Failed to create security.ima for $_" foreach (@finds);
validate_script_output "getfattr -m security.ima -d $sample_app", sub {
# Base64 armored security.ima content (50 chars), we do not match the last
# three ones here for simplicity
m/security\.ima=[0-9a-zA-Z+\/]{47}/;
};
# Remove security.ima attribute manually, and verify it is empty
assert_script_run "setfattr -x security.ima $sample_app";
validate_script_output "getfattr -m security.ima -d $sample_app", sub { m/^$/ };
replace_grub_cmdline_settings('ima_appraise=fix', '', update_grub => 1);
# We need re-enable the secureboot after removing "ima_appraise=fix" kernel parameter
power_action('reboot', textmode => 1);
$self->wait_grub(bootloader_time => 200);
$self->tianocore_disable_secureboot('re_enable');
$self->wait_boot(textmode => 1);
$self->select_serial_terminal;
my $ret = script_output($sample_cmd, 30, proceed_on_failure => 1);
die "$sample_app should not have permission to run" if ($ret !~ "\Q$sample_app\E: *Permission denied");
}
sub test_flags {
return {always_rollback => 1};
}
1;