File: TEST-67-INTEGRITY.sh

systemd-udeb 259-1
#!/usr/bin/env bash
# SPDX-License-Identifier: LGPL-2.1-or-later
# Strict mode plus tracing: stop on a failing command, an unset variable or a
# failing pipeline stage, and echo every command as it is executed.
set -o errexit -o nounset -o xtrace -o pipefail

# Pull in the distribution identification variables (ID_LIKE is consulted by
# the algorithm loop at the end of this script). The file is executed as shell
# code, so this relies on it being the system's own root-owned os-release.
source /etc/os-release

# Name of the device-mapper target under test and the paths derived from it.
DM_NAME='integrity_test'
DM_NODE="/dev/mapper/${DM_NAME}"
DM_SERVICE="systemd-integritysetup@${DM_NAME}.service"
# Fixed UUID given to the test filesystem so it can be looked up again later.
FS_UUID='01234567-ffff-eeee-eeee-0123456789ab'

# Both start empty; cleanup only touches them once they have been filled in.
TMP_DIR=''
LOOP=''

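# EXIT handler: best-effort removal of what this script created.
# Globals: LOOP, TMP_DIR (read). Either may still be empty if the script
#          failed before creating the loop device or the scratch directory.
# The body is a subshell, so `set +e` does not leak back into the caller.
cleanup() (
    set +e

    if [[ -n "${LOOP}" ]]; then
        losetup -d "${LOOP}"
    fi

    if [[ -n "${TMP_DIR}" ]]; then
        rm -rf -- "${TMP_DIR}"
    fi

    # Delete only the two rule files this test installs. Removing the whole
    # runtime rules directory would also discard rules placed there by
    # something else on the machine.
    rm -f /run/udev/rules.d/00-integrity-test.rules \
          /run/udev/rules.d/99-priority.rules
    # Drop the directory only if it is now empty; a non-empty directory is
    # left alone and the error is expected, hence the silenced stderr.
    rmdir /run/udev/rules.d/ 2>/dev/null
    udevadm control --reload
)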

# Run cleanup on every exit path, including errexit aborts.
trap cleanup EXIT

udevadm settle

# Runtime-only udev rules that live for the duration of the test.
mkdir -p /run/udev/rules.d/

# Enable debugging logs for loop and dm block devices.
printf '%s\n' \
    'SUBSYSTEM=="block", KERNEL=="loop*|dm-*", OPTIONS="log_level=debug"' \
    >/run/udev/rules.d/00-integrity-test.rules

# FIXME:
# There is no ordering restriction between underlying loopback block devices and DM devices.
# Hence, we may get wrong device node symlinks. To work around that issue, let's decrease the
# priority for loopback block devices.
printf '%s\n' \
    'SUBSYSTEM=="block", KERNEL=="loop*", OPTIONS="link_priority=-200"' \
    >/run/udev/rules.d/99-priority.rules

udevadm control --reload

# Scratch directory with an unpredictable name; -p / places it under the root
# directory (with -t, a set $TMPDIR would take precedence).
TMP_DIR="$(mktemp -d -t -p / integrity.tmp.XXXXXX)"

# Two 64 MiB zero-filled backing files: "image" backs the loop device, "data"
# is used as the separate data device in half of the test runs.
for backing_file in image data; do
    dd if=/dev/zero of="${TMP_DIR}/${backing_file}" bs=1048576 count=64
done

LOOP="$(losetup --show -f "${TMP_DIR}/image")"
udevadm wait --timeout=30 --settle "${LOOP}"

# Per-test teardown: deactivate the integrity mapping and reset integritytab.
# Globals: DM_SERVICE, DM_NODE, DM_NAME (read).
# Runs in a subshell with errexit off, so every step is best-effort.
test_cleanup() (
    set +e

    local generated_unit="/run/systemd/generator/${DM_SERVICE}"

    # When the generator produced a unit, stop it; otherwise close a mapping
    # that was opened by hand, if one is present.
    if [[ ! -e "${generated_unit}" ]]; then
        if [[ -e "${DM_NODE}" ]]; then
            integritysetup close "${DM_NAME}"
        fi
    else
        systemctl stop "${DM_SERVICE}"
    fi

    udevadm wait --timeout=30 --settle --removed "${DM_NODE}"

    # Clear integritytab, then make the generator re-run so the unit it
    # produced from the old table goes away.
    rm -f /etc/integritytab
    systemctl daemon-reload
)

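# Format and open the loop device by hand, put a filesystem on it, close it, then
# re-activate the same device through /etc/integritytab and the generated unit.
# Globals:   LOOP, TMP_DIR, DM_NAME, DM_NODE, DM_SERVICE, FS_UUID (read)
# Arguments: $1 - integrity algorithm handed to integritysetup -I
#            $2 - 1 to use ${TMP_DIR}/data as a separate data device, otherwise
#                 the loop device holds both data and integrity tags
# Returns:   under errexit any failing step terminates the whole script
test_one() {
    local algorithm="${1?}"
    local separate_data="${2?}"
    local data_option

    # Run the per-test teardown when this function returns.
    # NOTE(review): if errexit aborts the script inside this function, only the
    # EXIT trap (cleanup) appears to run, so the mapping and /etc/integritytab
    # can be left behind on failure; confirm that is acceptable for the test VM.
    trap test_cleanup RETURN

    if [[ "${separate_data}" == 1 ]]; then
        data_option="--data-device=${TMP_DIR}/data"
    else
        data_option=""
    fi

    # ${data_option:+...} expands to no word at all when the option is empty.
    # A plain quoted "${data_option}" would hand integritysetup a stray empty
    # positional argument in the single-device case.
    integritysetup format "${LOOP}" --batch-mode -I "${algorithm}" ${data_option:+"${data_option}"}
    integritysetup open -I "${algorithm}" "${LOOP}" "${DM_NAME}" ${data_option:+"${data_option}"}
    udevadm wait --timeout=30 --settle "${DM_NODE}"
    mkfs.ext4 -U "${FS_UUID}" "${DM_NODE}"
    # Wait for synthetic events being processed.
    udevadm settle --timeout=30
    integritysetup close "${DM_NAME}"
    udevadm wait --timeout=30 --settle --removed "${DM_NODE}"

    # Create integritytab. Here the data device is an extra comma-separated
    # entry in the options field rather than a command-line switch.
    if [[ "${separate_data}" == 1 ]]; then
        data_option=",data-device=${TMP_DIR}/data"
    else
        data_option=""
    fi
    cat >"/etc/integritytab" <<EOF
${DM_NAME} ${LOOP} - integrity-algorithm=${algorithm}${data_option}
EOF

    # Make the generator re-run.
    systemctl daemon-reload

    # Check for existence of the unit file.
    [[ -e "/run/systemd/generator/${DM_SERVICE}" ]]

    # Make sure we are in a consistent state, e.g. not already active before we start.
    [[ "$(systemctl is-active "${DM_SERVICE}")" == inactive ]]
    systemctl start "${DM_SERVICE}"
    udevadm wait --timeout=30 --settle "${DM_NODE}"

    # Check the signature on the FS to ensure we can retrieve it and that it matches.
    [[ "$(blkid -U "${FS_UUID}")" == "${DM_NODE}" ]]
}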

# Exercise every algorithm twice: once with data and tags on the loop device,
# once with a separate data device. No integrity key is supplied anywhere in
# this test, so these are plain checksums/hashes: they catch accidental
# corruption but are not protection against deliberate tampering.
for algo in crc32c crc32 xxhash64 sha1 sha256; do
    if [[ "${ID_LIKE:-}" == alpine && "${algo}" == crc32 ]]; then
        # crc32 is not supported on alpine/postmarketos ??
        # --------
        # [   22.419458] TEST-67-INTEGRITY.sh[3085]: + integritysetup format /dev/loop0 --batch-mode -I crc32 ''
        # [   22.433168] kernel: device-mapper: table: 253:0: integrity: Invalid internal hash (-ENOENT)
        # [   22.433220] TEST-67-INTEGRITY.sh[3475]: device-mapper: reload ioctl on temporary-cryptsetup-6b3b80ef-6854-4102-8239-6360f15af0c3 (253:0) failed: No such file or directory
        # [   22.433220] TEST-67-INTEGRITY.sh[3475]: Cannot format integrity for device /dev/loop0.
        # [   22.433835] kernel: device-mapper: ioctl: error adding target to table
        # --------
        continue
    fi

    for separate_data in 0 1; do
        test_one "${algo}" "${separate_data}"
    done
done

# Marker file written only after every combination above has passed.
touch /testok