tests/evm_multiple_lsms.test

#!/bin/bash

#
# Check if HMAC calculation is correct with multiple LSMs providing an xattr at file creation.

trap cleanup SIGINT SIGTERM SIGSEGV EXIT

# Base VERBOSE on the environment variable, if set.
VERBOSE="${VERBOSE:-0}"
TST_EVM_CHANGE_MODE="${TST_EVM_CHANGE_MODE:-0}"

# From security/integrity/evm/evm.h in kernel source directory
let "EVM_INIT_HMAC=0x0001"
let "EVM_INIT_X509=0x0002"
let "EVM_ALLOW_METADATA_WRITES=0x0004"
let "EVM_SETUP_COMPLETE=-0x80000000"

cd "$(dirname "$0")"
export PATH=$PWD/../src:$PATH
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH
. ./functions.sh
_require evmctl

cleanup() {
	if [ -n "$masterkey" ]; then
		rm $masterkey
	fi

	if [ "$loop2_mounted" = "1" ]; then
		popd > /dev/null
		umount $mountpoint2
	fi

	if [ "$loop_mounted" = "1" ]; then
		popd > /dev/null
		umount $mountpoint
	fi

	if [ -n "$dev2" ]; then
		losetup -d $dev2
	fi

	if [ -n "$dev" ]; then
		losetup -d $dev
	fi

	rm -f $image
	rm -f $image2
	rm -f $key_path_der
	rm -Rf $mountpoint
	rm -Rf $mountpoint2

	if [ -n "$mountpoint_idmapped" ]; then
		rm -Rf $mountpoint_idmapped
	fi

	_cleanup_user_mode
	_report_exit
}

get_xattr() {
	format="hex"

	if [ "$1" = "security.selinux" ] || [ "${1#security.testlsm}" != "$1" ]; then
		format="text"
	fi

	getfattr -n $1 -e $format -d $2 2> /dev/null | awk -F "=" '$1 == "'$1'" {if ("'$format'" == "hex") v=substr($2, 3); else { split($2, temp, "\""); v=temp[2] }; print v}'
}

IMA_UUID="28b23254-9467-44c0-b6ba-34b12e85a26d"
IMA_UUID2="28b23254-9467-44c0-b6ba-34b12e85a26e"
APPRAISE_FOWNER=2000
APPRAISE_RULE="appraise fsuuid=$IMA_UUID fowner=$APPRAISE_FOWNER"

check_load_ima_rule() {
	rule_loaded=$(cat /sys/kernel/security/ima/policy | grep "$1")
	if [ -z "$rule_loaded" ]; then
		new_policy=$(mktemp -p $mountpoint)
		echo $1 > $new_policy

		if [ -n "$TST_KEY_PATH" ]; then
			evmctl sign -o -a sha256 --imasig --key $TST_KEY_PATH --kernel-xattr-list $new_policy &> /dev/null
		fi

		echo $new_policy > /sys/kernel/security/ima/policy
		result=$?
		rm -f $new_policy

		if [ $result -ne 0 ]; then
			echo "${RED}Failed to set IMA policy${NORM}"
			return $FAIL
		fi
	fi

	return $OK
}

check_lsm_xattrs() {
	echo "Test: ${FUNCNAME[0]} (evm_hash: $1, evm_value: $evm_value, lsm: $LSM_LIST, fs: $2)"

	echo "test" 2>/dev/null > test-file

	if [ "${LSM_LIST#testlsm-xattr-bug}" != "$LSM_LIST" ]; then
		if [ -f test-file ]; then
			echo "${RED}test-file creation unexpected${NORM}"
			return $FAIL
		fi

		return $OK
	fi

	for lsm in ${LSM_LIST//,/ }; do
		if [ ${lsm#testlsm} = $lsm ]; then
			continue
		fi

		if [ "${lsm#testlsm-xattr}" = $lsm ]; then
			continue
		fi

		testlsm_xattr=$(get_xattr security.$lsm test-file)
		if [ "$testlsm_xattr" != "$lsm" ]; then
			echo "${RED}Missing security.$lsm or unexpected value $testlsm_xattr${NORM}"
			return $FAIL
		fi

		if [ -n "$mountpoint2" ] && [ "$(mount | awk '$3 =="'$mountpoint2'" {print $5}')" = "reiserfs" ]; then
			break
		fi
	done

	return $OK
}

cleanup_lsm_xattrs() {
	rm -f test-file
}

# The purpose of this test is to verify that EVM takes into account for HMAC
# calculation all xattrs provided by LSMs.
check_ima_hmac_appraisal() {
	echo "Test: ${FUNCNAME[0]} (evm_hash: $1, evm_value: $evm_value, lsm: $LSM_LIST, fs: $2)"

	if [ "${LSM_LIST#testlsm-xattr-bug}" != "$LSM_LIST" ]; then
		return $OK
	fi

	check_load_ima_rule "$APPRAISE_RULE"
	result=$?
	if [ $result -ne $OK ]; then
		return $result
	fi

	i=0

	capsh --uid=$APPRAISE_FOWNER -- -c 'touch test-file'
	if [ $? -ne 0 ]; then
		echo "${RED}Cannot create test-file${NORM}"
		return $FAIL
	fi

	while [ $i -lt 3 ]; do
		# Append content to test-file.
		echo "test" >> test-file
		if [ $? -ne 0 ]; then
			echo "${RED}Cannot append content to test-file${NORM}"
			return $FAIL
		fi

		# Check if appraisal works.
		cat test-file > /dev/null
		if [ $? -ne 0 ]; then
			echo "${RED}Cannot read test-file${NORM}"
			return $FAIL
		fi

		if [ -z "$evm_value" ]; then
			((i++))
			continue
		fi

		# Compare HMAC calculated by the kernel with that calculated by evmctl.
		evm_xattr=$(get_xattr security.evm test-file)
		if [ $(echo $evm_xattr | wc -c) != $(${1}sum test-file | awk '{printf("0x0%s", $1)}' | wc -c) ]; then
			echo "${RED}Unexpected size of security.evm${NORM}"
			return $FAIL
		fi

		evm_xattr_evmctl=$(evmctl hmac -v -n test-file --uuid=$IMA_UUID -a $1 --hmackey $TST_HMAC_KEY_PATH --kernel-xattr-list 2>&1 | awk -F " " '$1 == "hmac:" {print $2}')
		if [ "$evm_xattr" != "02$evm_xattr_evmctl" ]; then
			echo "${RED}security.evm mismatch between the kernel and evmctl${NORM}"
			return $FAIL
		fi

		((i++))
	done

	return $OK
}

cleanup_ima_hmac_appraisal() {
	rm -f test-file
}

if [ $$ -ne 1 ]; then
	for algo in sha1 sha256 sha512; do
		# Run in User Mode Linux.
		LSM_LIST="testlsm-xattr,testlsm-noxattr,integrity"
		_run_user_mode ../linux $PWD/$(basename $0) "PATH=$PATH LD_LIBRARY_PATH=$LD_LIBRARY_PATH VERBOSE=$VERBOSE TST_EVM_CHANGE_MODE=$TST_EVM_CHANGE_MODE TST_KEY_PATH=$TST_KEY_PATH lsm=$LSM_LIST LSM_LIST=$LSM_LIST TST_ALGO=$algo evm_hash=$algo"

		LSM_LIST="testlsm-noxattr,testlsm-noxattr-2,integrity"
		_run_user_mode ../linux $PWD/$(basename $0) "PATH=$PATH LD_LIBRARY_PATH=$LD_LIBRARY_PATH VERBOSE=$VERBOSE TST_EVM_CHANGE_MODE=$TST_EVM_CHANGE_MODE TST_KEY_PATH=$TST_KEY_PATH lsm=$LSM_LIST LSM_LIST=$LSM_LIST TST_ALGO=$algo evm_hash=$algo"

		LSM_LIST="testlsm-xattr-3,testlsm-noxattr,testlsm-noxattr-2,testlsm-xattr-2,integrity"
		_run_user_mode ../linux $PWD/$(basename $0) "PATH=$PATH LD_LIBRARY_PATH=$LD_LIBRARY_PATH VERBOSE=$VERBOSE TST_EVM_CHANGE_MODE=$TST_EVM_CHANGE_MODE TST_KEY_PATH=$TST_KEY_PATH lsm=$LSM_LIST LSM_LIST=$LSM_LIST TST_ALGO=$algo evm_hash=$algo"

		LSM_LIST="testlsm-xattr-2,testlsm-noxattr,testlsm-noxattr-2,testlsm-xattr,testlsm-xattr-3,testlsm-noxattr-3,integrity"
		_run_user_mode ../linux $PWD/$(basename $0) "PATH=$PATH LD_LIBRARY_PATH=$LD_LIBRARY_PATH VERBOSE=$VERBOSE TST_EVM_CHANGE_MODE=$TST_EVM_CHANGE_MODE TST_KEY_PATH=$TST_KEY_PATH lsm=$LSM_LIST LSM_LIST=$LSM_LIST TST_ALGO=$algo evm_hash=$algo"

		LSM_LIST="testlsm-xattr-bug,testlsm-xattr-2,integrity"
		_run_user_mode ../linux $PWD/$(basename $0) "PATH=$PATH LD_LIBRARY_PATH=$LD_LIBRARY_PATH VERBOSE=$VERBOSE TST_EVM_CHANGE_MODE=$TST_EVM_CHANGE_MODE TST_KEY_PATH=$TST_KEY_PATH lsm=$LSM_LIST LSM_LIST=$LSM_LIST TST_ALGO=$algo evm_hash=$algo"
	done

	# Exit from the parent if UML was used.
	_exit_user_mode ../linux
fi

# Mount filesystems in UML environment.
_init_user_mode

mountpoint=$(mktemp -d)
image=$(mktemp)

if [ -z "$mountpoint" ]; then
	echo "${RED}Mountpoint directory not created${NORM}"
	exit $FAIL
fi

if [ $(whoami) != "root" ]; then
	echo "${CYAN}This script must be executed as root${NORM}"
	exit $SKIP
fi

dd if=/dev/zero of=$image bs=1M count=10 &> /dev/null
if [ $? -ne 0 ]; then
	echo "${RED}Cannot create test image${NORM}"
	exit $FAIL
fi

dev=$(losetup -f $image --show)
if [ -z "$dev" ]; then
	echo "${RED}Cannot create loop device${NORM}"
	exit $FAIL
fi

mkfs.ext4 -U $IMA_UUID  -b 4096 $dev &> /dev/null
if [ $? -ne 0 ]; then
	echo "${RED}Cannot format $dev${NORM}"
	exit $FAIL
fi

mount -o i_version $dev $mountpoint
if [ $? -ne 0 ]; then
	echo "${RED}Cannot mount loop device${NORM}"
	exit $FAIL
fi

loop_mounted=1
chmod 777 $mountpoint
pushd $mountpoint > /dev/null

if [ -f /sys/kernel/security/evm ]; then
	evm_value=$(cat /sys/kernel/security/evm)
fi

if [ -n "$evm_value" ] && [ $((evm_value & EVM_INIT_HMAC)) -ne $EVM_INIT_HMAC ]; then
	masterkey=$(mktemp)
	hmackey=$(mktemp)
	if [ -z "$TST_HMAC_KEY_PATH" ]; then
		TST_HMAC_KEY_PATH=$hmackey
	fi

	dd if=/dev/zero of=$masterkey bs=128 count=1 &> /dev/null

	user_id=$(cat $masterkey | keyctl padd user kmk @u)
	evm_id=$(keyctl add encrypted evm-key "new user:kmk 128" @u)
	keyctl print $evm_id &> /dev/null
	dmesg | awk '$3 == "decrypted" {for (i=5;i<=NF;i++) printf("%s", $i)}' | xxd -r -p > $hmackey
	echo $EVM_INIT_HMAC > /sys/kernel/security/evm
	if [ $? -ne 0 ]; then
		keyctl unlink $user_id
		keyctl unlink $evm_id
	fi
fi

if [ -f /sys/kernel/security/evm ]; then
	evm_value=$(cat /sys/kernel/security/evm)

	for lsm in ${LSM_LIST//,/ }; do
		if [ ${lsm#testlsm} = $lsm ]; then
			continue
		fi

		echo security.$lsm > /sys/kernel/security/integrity/evm/evm_xattrs
	done
fi

expect_pass check_lsm_xattrs $TST_ALGO ext4
cleanup_lsm_xattrs
expect_pass check_ima_hmac_appraisal $TST_ALGO ext4
cleanup_ima_hmac_appraisal

if [ -z "$(which mkfs.reiserfs 2> /dev/null)" ]; then
	exit 0
fi

mountpoint2=$(mktemp -d)
image2=$(mktemp)

dd if=/dev/zero of=$image2 bs=1M count=50 &> /dev/null
if [ $? -ne 0 ]; then
	echo "${RED}Cannot create test image${NORM}"
	exit $FAIL
fi

dev2=$(losetup -f $image2 --show)
if [ -z "$dev2" ]; then
	echo "${RED}Cannot create loop device${NORM}"
	exit $FAIL
fi

mkfs.reiserfs -u $IMA_UUID2 -b 4096 -q $dev2 &> /dev/null
if [ $? -ne 0 ]; then
	echo "${RED}Cannot format $dev2${NORM}"
	exit $FAIL
fi

mount $dev2 $mountpoint2 2> /dev/null
if [ $? -ne 0 ]; then
	if [ ${LSM_LIST#testlsm-xattr-bug} != $LSM_LIST ]; then
		exit $OK
	fi

	echo "${RED}Cannot mount loop device${NORM}"
	exit $FAIL
fi

loop2_mounted=1
chmod 777 $mountpoint2
pushd $mountpoint2 > /dev/null

expect_pass check_lsm_xattrs $TST_ALGO reiserfs
cleanup_lsm_xattrs