From: djacobs7@binghamton.edu
To: linux-integrity@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: zohar@linux.ibm.com, pvorel@suse.cz, vt@altlinux.org, David Jacobson
Subject: [PATCH v2 6/8] evmtest: test the preservation of extended attributes
Date: Fri, 22 Mar 2019 04:34:39 -0400
Message-Id: <20190322083441.31084-6-djacobs7@binghamton.edu>
In-Reply-To: <20190322083441.31084-1-djacobs7@binghamton.edu>
References: <20190322083441.31084-1-djacobs7@binghamton.edu>

From: David Jacobson

IMA supports file signatures by storing information in a security.ima extended file attribute. This test ensures that the attribute is preserved when a file is copied.

This test requires root because only root can write "security." xattrs to files.
Signed-off-by: David Jacobson Changelog: * Clean ups suggested via mailing list * getfattr used correctly * more information about which file is created * added xattr_preserve to test list * shellcheck compliant * move from functions to tests * checkbashisms complaint * remove begin * removed long opts * restructured using functions --- evmtest/README | 1 + evmtest/evmtest | 1 + evmtest/tests/xattr_preserve.sh | 81 +++++++++++++++++++++++++++++++++ 3 files changed, 83 insertions(+) create mode 100755 evmtest/tests/xattr_preserve.sh diff --git a/evmtest/README b/evmtest/README index b2d37e2..4dddbc0 100644 --- a/evmtest/README +++ b/evmtest/README @@ -42,6 +42,7 @@ TEST NAMES policy_sig - verify loading IMA policies kexec_sig - test IMA-appraise on kexec image loading kmod_sig - test IMA-appraise on kernel module loading + xattr_preserve - test metadata preservation on file move Introduction diff --git a/evmtest/evmtest b/evmtest/evmtest index 3c967f9..18cb98d 100755 --- a/evmtest/evmtest +++ b/evmtest/evmtest @@ -32,6 +32,7 @@ usage (){ echo "[R] kexec_sig" echo "[R] kmod_sig" echo "[R] policy_sig" + echo "[R] xattr_preserve" echo "" echo "Note: Tests may be run directly from the \"tests\" directory" diff --git a/evmtest/tests/xattr_preserve.sh b/evmtest/tests/xattr_preserve.sh new file mode 100755 index 0000000..61f6ded --- /dev/null +++ b/evmtest/tests/xattr_preserve.sh 
@@ -0,0 +1,81 @@ +#!/bin/bash +# Author: David Jacobson +TEST="xattr_preserve" +ROOT="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null && pwd )/.." +source "$ROOT"/files/common.sh + +VERBOSE=0 +# This test ensures that extended file attributes are preserved when a file is +# moved with the correct flag + +usage (){ + echo "" + echo "xattr_preserve [-hv]" + echo "" + echo "This test requires root privileges to write security xattrs" + echo "" + echo " This test ensures that extended file attributes (specifically" + echo " security.ima labels) are preserved when copying" + echo "Options" + echo " -h Display this help message" + echo " -v Verbose logging" +} + +parse_args () { + TEMP=$(getopt -o 'hv' -n 'xattr_preserve' -- "$@") + eval set -- "$TEMP" + + while true ; do + case "$1" in + -h) usage; exit; shift;; + -v) VERBOSE=1; shift;; + --) shift; break;; + *) echo "[*] Unrecognized option $1"; exit 1;; + esac + done +} + +check_xattr_preserve () { + LOCATION_1=$(mktemp) + LOCATION_2=$(mktemp -u) # Doesn't create the file + + v_out "Creating and labeling file $LOCATION_1..." + + evmctl ima_hash "$LOCATION_1" + + initial_ima_label=$(getfattr --absolute-names -n security.ima \ + "$LOCATION_1") + initial_hash=$(echo "$initial_ima_label" | awk -F '=' '{print $2}') + if printf '%s' "$initial_ima_label" | grep -E -q "security.ima"; then + v_out "Found hash on initial file... " + else + fail "Hash not found on initial file" + fi + + initial_hash=$(echo "$initial_ima_label" | awk -F '=' '{print $2}') + + v_out "Copying file to $LOCATION_2..." + cp --preserve=xattr "$LOCATION_1" "$LOCATION_2" + v_out "Checking if extended attribute has been preserved..." + + + second_ima_label=$(getfattr --absolute-names -n security.ima \ + "$LOCATION_2") + second_hash=$(echo "$second_ima_label" | awk -F '=' '{print $2}') + if [ "$initial_hash" != "$second_hash" ]; then + fail "security.ima xattr was not preserved!" 
+ else + v_out "Extended attribute was preserved during copy" + fi +} + +cleanup () { + v_out "Cleaning up..." + rm "$LOCATION_1" "$LOCATION_2" +} + +EVMTEST_require_root +echo "[*] Starting test: $TEST" +check_xattr_preserve +cleanup +passed -- 2.20.1
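Review bot: the README entry describes xattr_preserve as testing metadata preservation "on file move", but the script added later in this patch exercises `cp --preserve=xattr`, i.e. a copy, and its own usage text says "preserved when copying"; suggest `xattr_preserve - test xattr preservation on file copy` (or make the test actually move the file) so the README, the script comment and the observed behaviour agree.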
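Review bot: in xattr_preserve.sh, parse_args is defined but never called, so `-h` and `-v` are silently ignored and VERBOSE always stays 0; add `parse_args "$@"` before `EVMTEST_require_root`. In the same hunk, `initial_hash=$(echo "$initial_ima_label" | awk -F '=' '{print $2}')` appears twice; drop the first copy, which runs before the label has even been validated. The exit status of `evmctl ima_hash "$LOCATION_1"` is not checked, so a failing evmctl surfaces only as "Hash not found on initial file" instead of as a labelling failure; test its return code and fail with a distinct message. cleanup is reached only on the success path: if `fail` exits early, both temp files leak, so `trap cleanup EXIT` after the function definitions is safer, and because LOCATION_2 comes from `mktemp -u` and may never have been created, the `rm` in cleanup should be `rm -f`. Minor: `-h) usage; exit; shift;;` has an unreachable shift, and the header comment says the file is "moved with the correct flag" while the test copies it.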