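#!/bin/bash
#
# Check if HMAC calculation is correct with multiple LSMs providing an xattr at file creation.
#
# The script runs twice: on the host it spawns one User Mode Linux instance per
# (hash algorithm, LSM list) combination; inside UML (where it runs as pid 1) it
# loop-mounts an ext4 image (and a reiserfs image when mkfs.reiserfs exists) and
# runs the checks there.
#
# Environment: VERBOSE, TST_EVM_CHANGE_MODE, TST_KEY_PATH, TST_HMAC_KEY_PATH;
# LSM_LIST and TST_ALGO are passed to the UML side by the host side.

# cleanup() is looked up when the trap fires, so defining it later is fine.
trap cleanup SIGINT SIGTERM SIGSEGV EXIT

# Base VERBOSE on the environment variable, if set.
VERBOSE="${VERBOSE:-0}"
TST_EVM_CHANGE_MODE="${TST_EVM_CHANGE_MODE:-0}"

# From security/integrity/evm/evm.h in kernel source directory
EVM_INIT_HMAC=$((0x0001))
EVM_INIT_X509=$((0x0002))
EVM_ALLOW_METADATA_WRITES=$((0x0004))
EVM_SETUP_COMPLETE=$((-0x80000000))

# Everything below is relative to the test directory; do not continue from an
# unknown working directory if the cd fails (functions.sh is not sourced yet,
# so $FAIL is not available here).
cd "$(dirname "$0")" || exit 1
export PATH="$PWD/../src:$PATH"
export LD_LIBRARY_PATH="$LD_LIBRARY_PATH"

. ./functions.sh
_require evmctl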
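#######################################
# Undo everything the test set up. Runs from the EXIT/signal trap, so every
# step is guarded and must not assume an earlier step succeeded.
# Globals (read): masterkey hmackey loop_mounted loop2_mounted mountpoint
#                 mountpoint2 mountpoint_idmapped dev dev2 image image2
#                 key_path_der
#######################################
cleanup() {
	local f

	# Key material lives in temporary files: the zeroed master key and the
	# HMAC key recovered from the kernel log. Remove both.
	if [ -n "$masterkey" ]; then
		rm -f -- "$masterkey"
	fi
	if [ -n "$hmackey" ]; then
		rm -f -- "$hmackey"
	fi
	# Unmount in reverse order; each mount was preceded by a pushd.
	if [ "$loop2_mounted" = "1" ]; then
		popd > /dev/null
		umount "$mountpoint2"
	fi
	if [ "$loop_mounted" = "1" ]; then
		popd > /dev/null
		umount "$mountpoint"
	fi
	if [ -n "$dev2" ]; then
		losetup -d "$dev2"
	fi
	if [ -n "$dev" ]; then
		losetup -d "$dev"
	fi
	for f in "$image" "$image2" "$key_path_der"; do
		if [ -n "$f" ]; then
			rm -f -- "$f"
		fi
	done
	# Never run rm -Rf on an empty path.
	for f in "$mountpoint" "$mountpoint2" "$mountpoint_idmapped"; do
		if [ -n "$f" ]; then
			rm -Rf -- "$f"
		fi
	done
	_cleanup_user_mode
	_report_exit
}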
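#######################################
# Print the value of one xattr of a file, stripped of getfattr's decoration.
# Arguments: $1 - xattr name (e.g. security.evm), $2 - path
# Outputs:   hex value without the leading "0x" for binary xattrs; the bare
#            string for security.selinux and security.testlsm* xattrs;
#            nothing when the xattr is absent or getfattr fails.
#######################################
get_xattr() {
	local name=$1 path=$2 format=hex

	# SELinux and the test LSMs store a text label; everything else is binary.
	if [ "$name" = "security.selinux" ] || [ "${name#security.testlsm}" != "$name" ]; then
		format=text
	fi
	# Hand the shell values to awk with -v instead of splicing them into the
	# program text, so a name containing quotes cannot alter the awk program.
	getfattr -n "$name" -e "$format" -d "$path" 2> /dev/null |
		awk -F "=" -v name="$name" -v fmt="$format" '
			$1 == name {
				if (fmt == "hex") {
					v = substr($2, 3)
				} else {
					split($2, temp, "\"")
					v = temp[2]
				}
				print v
			}'
}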
# Filesystem UUIDs written into the ext4 and reiserfs test images; the IMA
# appraisal rule and the evmctl HMAC computation both use the first one.
IMA_UUID="28b23254-9467-44c0-b6ba-34b12e85a26d"
IMA_UUID2="28b23254-9467-44c0-b6ba-34b12e85a26e"

# Unprivileged owner that creates the appraised test file.
APPRAISE_FOWNER=2000
APPRAISE_RULE="appraise fsuuid=${IMA_UUID} fowner=${APPRAISE_FOWNER}"
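#######################################
# Load an IMA policy rule unless it is already part of the active policy.
# Globals:   mountpoint (read; the rule file is created there -- presumably so
#            that the policy file itself can be appraised, confirm),
#            TST_KEY_PATH (read; when set, the rule file is signed first)
# Arguments: $1 - IMA policy rule
# Returns:   $OK, or $FAIL if the temp file or the policy write failed
#######################################
check_load_ima_rule() {
	local rule=$1 new_policy result

	# Fixed-string match: the rule is data, not a regular expression.
	if grep -qF -- "$rule" /sys/kernel/security/ima/policy; then
		return $OK
	fi
	new_policy=$(mktemp -p "$mountpoint") || return $FAIL
	printf '%s\n' "$rule" > "$new_policy"
	if [ -n "$TST_KEY_PATH" ]; then
		evmctl sign -o -a sha256 --imasig --key "$TST_KEY_PATH" --kernel-xattr-list "$new_policy" &> /dev/null
	fi
	# The kernel loads the policy from the file whose path is written here.
	echo "$new_policy" > /sys/kernel/security/ima/policy
	result=$?
	rm -f -- "$new_policy"
	if [ $result -ne 0 ]; then
		echo "${RED}Failed to set IMA policy${NORM}"
		return $FAIL
	fi
	return $OK
}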
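#######################################
# Create a file and verify that every test LSM expected to provide an xattr
# (testlsm-xattr*) set security.<lsm> to its own name.
# Globals:   LSM_LIST (read; comma-separated list of active LSMs),
#            mountpoint2 (read; used to detect a reiserfs mount),
#            evm_value (read; only echoed)
# Arguments: $1 - EVM hash algorithm (only echoed), $2 - filesystem (only echoed)
# Returns:   $OK or $FAIL
#######################################
check_lsm_xattrs() {
	local lsm testlsm_xattr fstype

	echo "Test: ${FUNCNAME[0]} (evm_hash: $1, evm_value: $evm_value, lsm: $LSM_LIST, fs: $2)"
	echo "test" 2>/dev/null > test-file
	# With testlsm-xattr-bug active, file creation is expected to fail.
	if [ "${LSM_LIST#testlsm-xattr-bug}" != "$LSM_LIST" ]; then
		if [ -f test-file ]; then
			echo "${RED}test-file creation unexpected${NORM}"
			return $FAIL
		fi
		return $OK
	fi
	for lsm in ${LSM_LIST//,/ }; do
		# Only testlsm-xattr* entries provide an xattr; skip the rest.
		if [ "${lsm#testlsm-xattr}" = "$lsm" ]; then
			continue
		fi
		testlsm_xattr=$(get_xattr "security.$lsm" test-file)
		if [ "$testlsm_xattr" != "$lsm" ]; then
			echo "${RED}Missing security.$lsm or unexpected value $testlsm_xattr${NORM}"
			return $FAIL
		fi
		# On reiserfs only the first matching xattr is checked; the reason is
		# not recorded here -- TODO confirm.
		if [ -n "$mountpoint2" ]; then
			fstype=$(mount | awk -v mp="$mountpoint2" '$3 == mp {print $5}')
			if [ "$fstype" = "reiserfs" ]; then
				break
			fi
		fi
	done
	return $OK
}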
# Remove the file created by check_lsm_xattrs() in the current directory.
cleanup_lsm_xattrs() {
	rm -f -- test-file
}
# The purpose of this test is to verify that EVM includes in the HMAC
# calculation all xattrs provided by LSMs.
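#######################################
# Create an IMA-appraised file as an unprivileged user, modify it three times
# and, after each change, check that the file still passes appraisal on read
# and that the kernel's security.evm HMAC equals the one evmctl computes.
# Globals:   APPRAISE_RULE APPRAISE_FOWNER IMA_UUID LSM_LIST evm_value
#            TST_HMAC_KEY_PATH (read)
# Arguments: $1 - hash algorithm (also selects the ${1}sum tool),
#            $2 - filesystem name (only echoed)
# Returns:   $OK or $FAIL
#######################################
check_ima_hmac_appraisal() {
	local i result evm_xattr evm_xattr_evmctl digest

	echo "Test: ${FUNCNAME[0]} (evm_hash: $1, evm_value: $evm_value, lsm: $LSM_LIST, fs: $2)"
	# With testlsm-xattr-bug active no file can be created, so there is
	# nothing to appraise.
	if [ "${LSM_LIST#testlsm-xattr-bug}" != "$LSM_LIST" ]; then
		return $OK
	fi
	check_load_ima_rule "$APPRAISE_RULE"
	result=$?
	if [ $result -ne $OK ]; then
		return $result
	fi
	# The file must be owned by APPRAISE_FOWNER to match the appraisal rule.
	if ! capsh --uid="$APPRAISE_FOWNER" -- -c 'touch test-file'; then
		echo "${RED}Cannot create test-file${NORM}"
		return $FAIL
	fi
	for i in 1 2 3; do
		# Append content to test-file.
		if ! echo "test" >> test-file; then
			echo "${RED}Cannot append content to test-file${NORM}"
			return $FAIL
		fi
		# Check if appraisal works.
		if ! cat test-file > /dev/null; then
			echo "${RED}Cannot read test-file${NORM}"
			return $FAIL
		fi
		# Without an EVM status there is no HMAC to compare.
		if [ -z "$evm_value" ]; then
			continue
		fi
		# Compare HMAC calculated by the kernel with that calculated by evmctl.
		evm_xattr=$(get_xattr security.evm test-file)
		# security.evm is one type byte followed by a digest-sized HMAC, so
		# its hex length must be the digest's hex length plus two characters.
		digest=$("${1}sum" test-file | awk '{print $1}')
		if [ "${#evm_xattr}" -ne $(( ${#digest} + 2 )) ]; then
			echo "${RED}Unexpected size of security.evm${NORM}"
			return $FAIL
		fi
		evm_xattr_evmctl=$(evmctl hmac -v -n test-file --uuid="$IMA_UUID" -a "$1" --hmackey "$TST_HMAC_KEY_PATH" --kernel-xattr-list 2>&1 | awk '$1 == "hmac:" {print $2}')
		# The leading 02 is the xattr type byte (EVM_XATTR_HMAC), which
		# evmctl does not print.
		if [ "$evm_xattr" != "02$evm_xattr_evmctl" ]; then
			echo "${RED}security.evm mismatch between the kernel and evmctl${NORM}"
			return $FAIL
		fi
	done
	return $OK
}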
# Remove the file created by check_ima_hmac_appraisal() in the current directory.
cleanup_ima_hmac_appraisal() {
	rm -f -- test-file
}
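# Host side: not pid 1 means we are not inside UML yet. Spawn one UML instance
# per hash algorithm and LSM combination, then exit.
if [ $$ -ne 1 ]; then
	for algo in sha1 sha256 sha512; do
		# Run in User Mode Linux. The same list is passed as lsm= (presumably
		# the UML kernel's LSM selection -- confirm in functions.sh) and as
		# LSM_LIST= for the guest-side run of this script.
		for LSM_LIST in \
			"testlsm-xattr,testlsm-noxattr,integrity" \
			"testlsm-noxattr,testlsm-noxattr-2,integrity" \
			"testlsm-xattr-3,testlsm-noxattr,testlsm-noxattr-2,testlsm-xattr-2,integrity" \
			"testlsm-xattr-2,testlsm-noxattr,testlsm-noxattr-2,testlsm-xattr,testlsm-xattr-3,testlsm-noxattr-3,integrity" \
			"testlsm-xattr-bug,testlsm-xattr-2,integrity"; do
			_run_user_mode ../linux "$PWD/$(basename "$0")" "PATH=$PATH LD_LIBRARY_PATH=$LD_LIBRARY_PATH VERBOSE=$VERBOSE TST_EVM_CHANGE_MODE=$TST_EVM_CHANGE_MODE TST_KEY_PATH=$TST_KEY_PATH lsm=$LSM_LIST LSM_LIST=$LSM_LIST TST_ALGO=$algo evm_hash=$algo"
		done
	done
	# Exit from the parent if UML was used.
	_exit_user_mode ../linux
fi

# Guest side. Mount filesystems in UML environment.
_init_user_mode

mountpoint=$(mktemp -d)
image=$(mktemp)
if [ -z "$mountpoint" ]; then
	echo "${RED}Mountpoint directory not created${NORM}"
	exit $FAIL
fi
if [ "$(whoami)" != "root" ]; then
	echo "${CYAN}This script must be executed as root${NORM}"
	exit $SKIP
fi

# 10 MiB ext4 image on a loop device, tagged with the UUID the IMA rule expects.
if ! dd if=/dev/zero of="$image" bs=1M count=10 &> /dev/null; then
	echo "${RED}Cannot create test image${NORM}"
	exit $FAIL
fi
dev=$(losetup -f "$image" --show)
if [ -z "$dev" ]; then
	echo "${RED}Cannot create loop device${NORM}"
	exit $FAIL
fi
if ! mkfs.ext4 -U "$IMA_UUID" -b 4096 "$dev" &> /dev/null; then
	echo "${RED}Cannot format $dev${NORM}"
	exit $FAIL
fi
if ! mount -o i_version "$dev" "$mountpoint"; then
	echo "${RED}Cannot mount loop device${NORM}"
	exit $FAIL
fi
loop_mounted=1
# World-writable so the APPRAISE_FOWNER user run through capsh can create files.
chmod 777 "$mountpoint"
pushd "$mountpoint" > /dev/null

if [ -f /sys/kernel/security/evm ]; then
	evm_value=$(cat /sys/kernel/security/evm)
fi
# If EVM has no HMAC key yet, provide one: a zeroed 128-byte master key, an
# encrypted key derived from it, and the decrypted HMAC key recovered from the
# kernel log so that evmctl can compute the same HMAC as the kernel.
if [ -n "$evm_value" ] && [ $((evm_value & EVM_INIT_HMAC)) -ne $EVM_INIT_HMAC ]; then
	masterkey=$(mktemp)
	hmackey=$(mktemp)
	if [ -z "$TST_HMAC_KEY_PATH" ]; then
		TST_HMAC_KEY_PATH=$hmackey
	fi
	dd if=/dev/zero of="$masterkey" bs=128 count=1 &> /dev/null
	user_id=$(keyctl padd user kmk @u < "$masterkey")
	evm_id=$(keyctl add encrypted evm-key "new user:kmk 128" @u)
	keyctl print "$evm_id" &> /dev/null
	# Relies on the test kernel logging the decrypted key material ("...
	# decrypted ..."); which debug option produces that line is not recorded
	# here -- TODO confirm.
	dmesg | awk '$3 == "decrypted" {for (i=5;i<=NF;i++) printf("%s", $i)}' | xxd -r -p > "$hmackey"
	if ! echo "$EVM_INIT_HMAC" > /sys/kernel/security/evm; then
		keyctl unlink "$user_id"
		keyctl unlink "$evm_id"
	fi
fi

if [ -f /sys/kernel/security/evm ]; then
	evm_value=$(cat /sys/kernel/security/evm)
	# Register the test LSMs' xattrs with EVM so they are covered by the HMAC.
	for lsm in ${LSM_LIST//,/ }; do
		if [ "${lsm#testlsm}" = "$lsm" ]; then
			continue
		fi
		echo "security.$lsm" > /sys/kernel/security/integrity/evm/evm_xattrs
	done
fi

expect_pass check_lsm_xattrs "$TST_ALGO" ext4
cleanup_lsm_xattrs
expect_pass check_ima_hmac_appraisal "$TST_ALGO" ext4
cleanup_ima_hmac_appraisal

# Repeat the xattr check on reiserfs, when the tooling is available.
if ! command -v mkfs.reiserfs > /dev/null 2>&1; then
	exit 0
fi
mountpoint2=$(mktemp -d)
image2=$(mktemp)
if ! dd if=/dev/zero of="$image2" bs=1M count=50 &> /dev/null; then
	echo "${RED}Cannot create test image${NORM}"
	exit $FAIL
fi
dev2=$(losetup -f "$image2" --show)
if [ -z "$dev2" ]; then
	echo "${RED}Cannot create loop device${NORM}"
	exit $FAIL
fi
if ! mkfs.reiserfs -u "$IMA_UUID2" -b 4096 -q "$dev2" &> /dev/null; then
	echo "${RED}Cannot format $dev2${NORM}"
	exit $FAIL
fi
if ! mount "$dev2" "$mountpoint2" 2> /dev/null; then
	# A mount failure is tolerated when testlsm-xattr-bug is active.
	if [ "${LSM_LIST#testlsm-xattr-bug}" != "$LSM_LIST" ]; then
		exit $OK
	fi
	echo "${RED}Cannot mount loop device${NORM}"
	exit $FAIL
fi
loop2_mounted=1
chmod 777 "$mountpoint2"
pushd "$mountpoint2" > /dev/null

expect_pass check_lsm_xattrs "$TST_ALGO" reiserfs
cleanup_lsm_xattrs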