[PATCH 6/7] evmtest: test the preservation of extended attributes

From: David Jacobson
Date: Tue Aug 14 2018 - 14:06:29 EST


IMA supports file signatures by storing information in a security.ima
extended file attribute. This test ensures that the attribute is
preserved when a file is copied. This test requires root because only
root can write "security." xattrs to files.

Signed-off-by: David Jacobson <davidj@xxxxxxxxxxxxx>
---
evmtest/functions/r_xattr_preserve.sh | 74 +++++++++++++++++++++++++++
1 file changed, 74 insertions(+)
create mode 100755 evmtest/functions/r_xattr_preserve.sh

diff --git a/evmtest/functions/r_xattr_preserve.sh b/evmtest/functions/r_xattr_preserve.sh
new file mode 100755
index 0000000..e7f0e2a
--- /dev/null
+++ b/evmtest/functions/r_xattr_preserve.sh
@@ -0,0 +1,74 @@
+#!/bin/bash
+# Author: David Jacobson <davidj@xxxxxxxxxxxxx>
+TEST="r_xattr_preserve"
+ROOT="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null && pwd )/.."
+source $ROOT/files/common.sh
+
+VERBOSE=0
+# This test ensures that extended file attributes are preserved when a file is
+# moved with the correct flag
+
+usage (){
+ echo ""
+ echo "xattr_preserve [-hv]"
+ echo ""
+ echo "This test must be run as root"
+ echo ""
+ echo " This test ensures that extended file attributes (specifically"
+ echo " security.ima labels) are preserved when copying"
+ echo "Options"
+ echo " -h,--help Display this help message"
+ echo " -v,--verbose Verbose logging"
+}
+
+TEMP=`getopt -o 'hv' -l 'help,verbose' -n 'r_xattr_preserve' -- "$@"`
+eval set -- "$TEMP"
+
+while true ; do
+ case "$1" in
+ -h|--help) usage; exit; shift;;
+ -v|--verbose) VERBOSE=1; shift;;
+ --) shift; break;;
+ *) echo "[*] Unrecognized option $1"; exit 1;;
+ esac
+done
+
+EVMTEST_require_root
+
+begin
+
+LOCATION_1=`mktemp`
+LOCATION_2=`mktemp -u` # Doesn't create the file
+v_out "Labeling file..."
+
+evmctl ima_hash $LOCATION_1
+initial_ima_label=`getfattr -m ^security.ima -e hex \
+ --dump $LOCATION_1 2> /dev/null`
+
+initial_hash=`echo $initial_ima_label | awk -F '=' '{print $2}'`
+
+if [[ $initial_ima_label = *"security.ima"* ]]; then
+ v_out "Found hash on initial file... "
+else
+ fail "Hash not found on initial file"
+fi
+
+initial_hash=`echo $initial_ima_label | awk -F '=' '{print $2}'`
+
+v_out "Copying file..."
+cp --preserve=xattr $LOCATION_1 $LOCATION_2
+v_out "Checking if extended attribute has been preserved..."
+
+
+second_ima_label=`getfattr -m ^security.ima -e hex \
+ --dump $LOCATION_2 2> /dev/null`
+second_hash=`echo $second_ima_label | awk -F '=' '{print $2}'`
+if [[ "$initial_hash" != "$second_hash" ]]; then
+ fail "security.ima xattr was not preserved!"
+else
+ v_out "Extended attribute was preserved during copy"
+fi
+v_out "Cleaning up..."
+rm $LOCATION_1 $LOCATION_2
+
+passed
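Review bot: `LOCATION_2=\`mktemp -u\`` only reserves a name without creating the file, so between that line and the `cp --preserve=xattr $LOCATION_1 $LOCATION_2` line the path is free for anything else on the system to occupy, and the script then writes there as root; `LOCATION_2=$(mktemp)` creates the destination atomically with restrictive permissions and `cp` will overwrite it and still apply the preserved xattrs. The `initial_hash` assignment is computed twice (once before the `security.ima` check, once after it) and the first one can be dropped. The `rm $LOCATION_1 $LOCATION_2` cleanup is only reached on the success path; if `fail` in common.sh exits as its name suggests, both temp files are leaked on every failing run, so a `trap 'rm -f -- "$LOCATION_1" "$LOCATION_2"' EXIT` right after the files are named would cover both outcomes. Quoting the expansions (`"$LOCATION_1"`, `"$ROOT/files/common.sh"`) and using `$(...)` instead of backticks would also let shellcheck pass clean on this new file.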
--
2.17.1