#!/bin/bash
# SPDX-License-Identifier: GPL-2.0
#
# Copyright (C) 2023 Roberto Sassu <roberto.sassu@huawei.com>
#
# Test for ima_policy_check.awk

# Run the report/cleanup helper from functions.sh on interrupt, termination
# and on every exit path.
# NOTE(review): the trap is installed before functions.sh is sourced, so if
# the cd below fails the EXIT trap can only print "command not found" for
# _report_exit_and_cleanup; the exit status of 1 is kept.
trap '_report_exit_and_cleanup' SIGINT SIGTERM EXIT

# Run from the directory holding this script so functions.sh and the awk
# script under test are found by relative path.
cd "$(dirname "$0")" || exit 1
. ./functions.sh

# ima_policy_check.awk is invoked by bare name below; put the test directory
# first in PATH so the in-tree copy is the one that is executed.
export PATH=$PWD:$PATH

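#######################################
# Feed one new rule plus an IMA policy to ima_policy_check.awk and compare
# its exit status with the expected bit mask.
# Globals:   RED, GREEN, NORM, OK, FAIL (read; defined in functions.sh)
# Arguments: $1 - test description
#            $2 - new rule
#            $3 - IMA policy; several rules are separated by a literal "\n",
#                 which echo -e expands into real line breaks
#            $4 - expected exit status of ima_policy_check.awk (non-negative
#                 integer)
# Outputs:   description, inputs and coloured result on stdout
# Returns:   $OK when the exit status equals $4, $FAIL otherwise (also when
#            $4 is missing or not a number)
#######################################
check_result() {
	local result

	echo -e "\nTest: $1"
	echo "New rule: $2"
	echo "IMA policy: $3"

	# A missing or non-numeric expected value would make the numeric
	# comparison below fail with status 2, which the "if" treats as
	# "not different" and reports as a pass. Reject it up front instead.
	if [[ ! "$4" =~ ^[0-9]+$ ]]; then
		echo "${RED}invalid expected result '$4'${NORM}"
		return "$FAIL"
	fi

	echo -n "Result (expect $4): "

	# Without pipefail the pipeline status is that of the last stage,
	# i.e. the awk script's bit mask.
	echo -e "$2\n$3" | ima_policy_check.awk
	result=$?

	if [[ "$result" -ne "$4" ]]; then
		echo "${RED}$result${NORM}"
		return "$FAIL"
	fi

	echo "${GREEN}$result${NORM}"
	return "$OK"
}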

# ima_policy_check.awk returns a bit mask with the following values:
# - 1: invalid new rule;
# - 2: overlap of the new rule with an existing rule in the IMA policy;
# - 4: new rule exists in the IMA policy.

# Every case below sets the three globals consumed by check_result, then runs
# it through expect_pass with the exit status expected from the awk script
# (bit mask: 1 = invalid new rule, 2 = overlap, 4 = rule already present).

# Basic checks: empty inputs and malformed rules.
desc="empty IMA policy"; rule="measure func=FILE_CHECK"; ima_policy=""
expect_pass check_result "$desc" "$rule" "$ima_policy" 0

desc="Empty new rule"; rule=""; ima_policy=""
expect_pass check_result "$desc" "$rule" "$ima_policy" 1

desc="Unknown policy keyword fun"; rule="measure fun=FILE_CHECK"; ima_policy=""
expect_pass check_result "$desc" "$rule" "$ima_policy" 1

desc="Missing action"; rule="func=FILE_CHECK"; ima_policy=""
expect_pass check_result "$desc" "$rule" "$ima_policy" 1

# Non-overlapping rules: no bit set, exit status 0.
desc="Non-overlapping by action measure/dont_appraise, same func"
rule="measure func=FILE_CHECK"; ima_policy="dont_appraise func=FILE_CHECK"
expect_pass check_result "$desc" "$rule" "$ima_policy" 0

desc="Non-overlapping by action audit/dont_appraise, same func"
rule="audit func=FILE_CHECK"; ima_policy="dont_appraise func=FILE_CHECK"
expect_pass check_result "$desc" "$rule" "$ima_policy" 0

desc="Non-overlapping by action appraise/dont_measure, same func"
rule="appraise func=FILE_CHECK"; ima_policy="dont_measure func=FILE_CHECK"
expect_pass check_result "$desc" "$rule" "$ima_policy" 0

desc="Non-overlapping by action dont_measure/hash, same func"
rule="dont_measure func=FILE_CHECK"; ima_policy="hash func=FILE_CHECK"
expect_pass check_result "$desc" "$rule" "$ima_policy" 0

desc="Non-overlapping by uid, func is equal"
rule="measure func=FILE_CHECK uid=0"; ima_policy="measure uid=1 func=FILE_CHECK"
expect_pass check_result "$desc" "$rule" "$ima_policy" 0

desc="Non-overlapping by uid, func is equal, same policy options"
rule="measure func=FILE_CHECK uid=0 permit_directio"
ima_policy="measure uid=1 func=FILE_CHECK permit_directio"
expect_pass check_result "$desc" "$rule" "$ima_policy" 0

desc="Non-overlapping by mask, func and uid are equal, same policy options"
rule="measure func=FILE_CHECK uid=0 permit_directio mask=MAY_READ"
ima_policy="measure uid=0 mask=MAY_EXEC func=FILE_CHECK permit_directio"
expect_pass check_result "$desc" "$rule" "$ima_policy" 0

desc="Non-overlapping by mask, func and uid are equal, different policy options"
rule="measure func=FILE_CHECK uid=0 permit_directio mask=MAY_READ"
ima_policy="measure uid=0 mask=MAY_EXEC func=FILE_CHECK"
expect_pass check_result "$desc" "$rule" "$ima_policy" 0

# Overlapping but different rules: only the overlap bit (2) is set.
desc="same actions, different keywords"
rule="appraise func=FILE_CHECK"; ima_policy="appraise uid=0"
expect_pass check_result "$desc" "$rule" "$ima_policy" 2

desc="unrelated actions with appraise and a do action, same func"
rule="appraise func=FILE_CHECK"; ima_policy="measure func=FILE_CHECK"
expect_pass check_result "$desc" "$rule" "$ima_policy" 2

desc="unrelated actions with appraise and a do action, different func"
rule="appraise func=FILE_CHECK"; ima_policy="measure func=MMAP_CHECK"
expect_pass check_result "$desc" "$rule" "$ima_policy" 2

desc="related actions, same func"
rule="measure func=FILE_CHECK"; ima_policy="dont_measure func=FILE_CHECK"
expect_pass check_result "$desc" "$rule" "$ima_policy" 2

desc="related actions, same func, different policy options"
rule="measure func=FILE_CHECK"
ima_policy="dont_measure func=FILE_CHECK permit_directio"
expect_pass check_result "$desc" "$rule" "$ima_policy" 2

# Same description as the previous case; the option is on the new rule here.
desc="related actions, same func, different policy options"
rule="measure func=FILE_CHECK permit_directio"
ima_policy="dont_measure func=FILE_CHECK"
expect_pass check_result "$desc" "$rule" "$ima_policy" 2

desc="same actions, same func, same mask with different modifier (no disjoint sets with the ^ modifier)"
rule="measure func=FILE_CHECK mask=MAY_EXEC"
ima_policy="measure func=FILE_CHECK mask=^MAY_EXEC"
expect_pass check_result "$desc" "$rule" "$ima_policy" 2

desc="same actions, same func, different mask with same modifier (no disjoint sets with the ^ modifier)"
rule="measure func=FILE_CHECK mask=^MAY_READ"
ima_policy="measure func=FILE_CHECK mask=^MAY_EXEC"
expect_pass check_result "$desc" "$rule" "$ima_policy" 2

desc="same actions, same func, different policy options"
rule="measure func=FILE_CHECK"
ima_policy="measure func=FILE_CHECK permit_directio"
expect_pass check_result "$desc" "$rule" "$ima_policy" 2

# Same description as the previous case; the option is on the new rule here.
desc="same actions, same func, different policy options"
rule="measure func=FILE_CHECK permit_directio"
ima_policy="measure func=FILE_CHECK"
expect_pass check_result "$desc" "$rule" "$ima_policy" 2

desc="same actions, MMAP_CHECK and MMAP_CHECK_REQPROT hooks"
rule="measure func=MMAP_CHECK"; ima_policy="measure func=MMAP_CHECK_REQPROT"
expect_pass check_result "$desc" "$rule" "$ima_policy" 2

desc="related actions, same func, same mask with same modifier"
rule="measure func=FILE_CHECK mask=^MAY_EXEC"
ima_policy="dont_measure func=FILE_CHECK mask=^MAY_EXEC"
expect_pass check_result "$desc" "$rule" "$ima_policy" 2

desc="same actions, same func, different uid with same operator (overlap because operators are not supported)"
rule="measure func=FILE_CHECK uid>0"; ima_policy="measure func=FILE_CHECK uid>1"
expect_pass check_result "$desc" "$rule" "$ima_policy" 2

desc="same actions, same func, same uid with different operator (overlap because operators are not supported)"
rule="measure func=FILE_CHECK uid>1"; ima_policy="measure func=FILE_CHECK uid<1"
expect_pass check_result "$desc" "$rule" "$ima_policy" 2

# Overlapping and identical rules: only the "rule exists" bit (4) is set.
desc="same actions, same func"
rule="appraise func=FILE_CHECK"; ima_policy="appraise func=FILE_CHECK"
expect_pass check_result "$desc" "$rule" "$ima_policy" 4

desc="same actions, same func, same mask"
rule="appraise mask=MAY_READ func=FILE_CHECK"
ima_policy="appraise func=FILE_CHECK mask=MAY_READ"
expect_pass check_result "$desc" "$rule" "$ima_policy" 4

desc="same actions, same func, same mask, same policy options"
rule="appraise mask=MAY_READ func=FILE_CHECK permit_directio appraise_type=imasig"
ima_policy="appraise func=FILE_CHECK mask=MAY_READ permit_directio appraise_type=imasig"
expect_pass check_result "$desc" "$rule" "$ima_policy" 4

desc="same actions, same func"
rule="measure func=MMAP_CHECK_REQPROT"; ima_policy="measure func=MMAP_CHECK_REQPROT"
expect_pass check_result "$desc" "$rule" "$ima_policy" 4

desc="same actions, same func with alias (PATH_CHECK = FILE_CHECK)"
rule="measure func=FILE_CHECK"; ima_policy="measure func=PATH_CHECK"
expect_pass check_result "$desc" "$rule" "$ima_policy" 4

desc="same actions, same func with alias (PATH_CHECK = FILE_CHECK), same mask with same modifiers"
rule="measure mask=^MAY_READ func=FILE_CHECK"
ima_policy="measure func=PATH_CHECK mask=^MAY_READ"
expect_pass check_result "$desc" "$rule" "$ima_policy" 4

desc="same actions, same func with alias (PATH_CHECK = FILE_CHECK) and same mask with same modifiers, same uid with same operators"
rule="measure mask=^MAY_READ uid>0 func=FILE_CHECK"
ima_policy="measure func=PATH_CHECK mask=^MAY_READ uid>0"
expect_pass check_result "$desc" "$rule" "$ima_policy" 4

# Same description as the previous case, exercising the "<" operator.
desc="same actions, same func with alias (PATH_CHECK = FILE_CHECK) and same mask with same modifiers, same uid with same operators"
rule="measure mask=^MAY_READ uid<1 func=FILE_CHECK"
ima_policy="measure func=PATH_CHECK mask=^MAY_READ uid<1"
expect_pass check_result "$desc" "$rule" "$ima_policy" 4

# Two policy rules, one identical and one merely overlapping: 2|4 = 6.
# The literal "\n" inside the policy strings is expanded by echo -e in
# check_result, so each string carries several policy lines.
desc="first: same actions, same func, second: unrelated actions with appraise and a do action"
rule="appraise func=FILE_CHECK"
ima_policy="appraise func=FILE_CHECK\nmeasure func=FILE_CHECK"
expect_pass check_result "$desc" "$rule" "$ima_policy" 6

desc="first: unrelated actions with appraise and a do action, same func, second: same actions"
rule="appraise func=FILE_CHECK"
ima_policy="measure func=FILE_CHECK\nappraise func=FILE_CHECK"
expect_pass check_result "$desc" "$rule" "$ima_policy" 6

desc="first: same actions, same func, same mask, second: different policy options"
rule="appraise mask=MAY_READ func=FILE_CHECK"
ima_policy="appraise func=FILE_CHECK mask=MAY_READ\nappraise func=FILE_CHECK mask=MAY_READ permit_directio"
expect_pass check_result "$desc" "$rule" "$ima_policy" 6

desc="first: same actions, same func with alias (PATH_CHECK = FILE_CHECK), same mask, second: different policy options"
rule="appraise mask=MAY_READ func=FILE_CHECK"
ima_policy="appraise func=PATH_CHECK mask=MAY_READ\nappraise func=FILE_CHECK mask=MAY_READ permit_directio"
expect_pass check_result "$desc" "$rule" "$ima_policy" 6

# Three policy rules that differ only by uid.
desc="same actions, same func and mask, different uid"
rule="appraise mask=MAY_READ func=FILE_CHECK uid=0"
ima_policy="appraise mask=MAY_READ func=FILE_CHECK uid=1\nappraise mask=MAY_READ func=FILE_CHECK uid=2\nappraise mask=MAY_READ func=FILE_CHECK uid=3"
expect_pass check_result "$desc" "$rule" "$ima_policy" 0

desc="same actions, same func and mask, different uid, except one that is the same"
rule="appraise mask=MAY_READ func=FILE_CHECK uid=0"
ima_policy="appraise mask=MAY_READ func=FILE_CHECK uid=1\nappraise mask=MAY_READ func=FILE_CHECK uid=0\nappraise mask=MAY_READ func=FILE_CHECK uid=3"
expect_pass check_result "$desc" "$rule" "$ima_policy" 4