tools/testing/selftests/bpf/ima_setup.sh

   1 #!/bin/bash
   2 # SPDX-License-Identifier: GPL-2.0
   3
   4 set -e
   5 set -u
   6 set -o pipefail
   7
   8 IMA_POLICY_FILE="/sys/kernel/security/ima/policy"
   9 TEST_BINARY="/bin/true"
  10 VERBOSE="${SELFTESTS_VERBOSE:=0}"
  11 LOG_FILE="$(mktemp /tmp/ima_setup.XXXX.log)"
  12
  13 usage()
  14 {
  15         echo "Usage: $0 <setup|cleanup|run|modify-bin|restore-bin|load-policy> <existing_tmp_dir>"
  16         exit 1
  17 }
  18
  19 ensure_mount_securityfs()
  20 {
  21         local securityfs_dir=$(grep "securityfs" /proc/mounts | awk '{print $2}')
  22
  23         if [ -z "${securityfs_dir}" ]; then
  24                 securityfs_dir=/sys/kernel/security
  25                 mount -t securityfs security "${securityfs_dir}"
  26         fi
  27
  28         if [ ! -d "${securityfs_dir}" ]; then
  29                 echo "${securityfs_dir}: securityfs is not mounted" && exit 1
  30         fi
  31 }
  32
  33 setup()
  34 {
  35         local tmp_dir="$1"
  36         local mount_img="${tmp_dir}/test.img"
  37         local mount_dir="${tmp_dir}/mnt"
  38         local copied_bin_path="${mount_dir}/$(basename ${TEST_BINARY})"
  39         mkdir -p ${mount_dir}
  40
  41         dd if=/dev/zero of="${mount_img}" bs=1M count=10
  42
  43         losetup -f "${mount_img}"
  44         local loop_device=$(losetup -a | grep ${mount_img:?} | cut -d ":" -f1)
  45
  46         mkfs.ext2 "${loop_device:?}"
  47         mount "${loop_device}" "${mount_dir}"
  48
  49         cp "${TEST_BINARY}" "${mount_dir}"
  50         local mount_uuid="$(blkid ${loop_device} | sed 's/.*UUID="\([^"]*\)".*/\1/')"
  51
  52         ensure_mount_securityfs
  53         echo "measure func=BPRM_CHECK fsuuid=${mount_uuid}" > ${IMA_POLICY_FILE}
  54         echo "measure func=BPRM_CHECK fsuuid=${mount_uuid}" > ${mount_dir}/policy_test
  55 }
  56
  57 cleanup() {
  58         local tmp_dir="$1"
  59         local mount_img="${tmp_dir}/test.img"
  60         local mount_dir="${tmp_dir}/mnt"
  61
  62         local loop_devices=$(losetup -a | grep ${mount_img:?} | cut -d ":" -f1)
  63
  64         for loop_dev in "${loop_devices}"; do
  65                 losetup -d $loop_dev
  66         done
  67
  68         umount ${mount_dir}
  69         rm -rf ${tmp_dir}
  70 }
  71
  72 run()
  73 {
  74         local tmp_dir="$1"
  75         local mount_dir="${tmp_dir}/mnt"
  76         local copied_bin_path="${mount_dir}/$(basename ${TEST_BINARY})"
  77
  78         exec "${copied_bin_path}"
  79 }
  80
  81 modify_bin()
  82 {
  83         local tmp_dir="$1"
  84         local mount_dir="${tmp_dir}/mnt"
  85         local copied_bin_path="${mount_dir}/$(basename ${TEST_BINARY})"
  86
  87         echo "mod" >> "${copied_bin_path}"
  88 }
  89
  90 restore_bin()
  91 {
  92         local tmp_dir="$1"
  93         local mount_dir="${tmp_dir}/mnt"
  94         local copied_bin_path="${mount_dir}/$(basename ${TEST_BINARY})"
  95
  96         truncate -s -4 "${copied_bin_path}"
  97 }
  98
  99 load_policy()
 100 {
 101         local tmp_dir="$1"
 102         local mount_dir="${tmp_dir}/mnt"
 103
 104         echo ${mount_dir}/policy_test > ${IMA_POLICY_FILE} 2> /dev/null
 105 }
 106
 107 catch()
 108 {
 109         local exit_code="$1"
 110         local log_file="$2"
 111
 112         if [[ "${exit_code}" -ne 0 ]]; then
 113                 cat "${log_file}" >&3
 114         fi
 115
 116         rm -f "${log_file}"
 117         exit ${exit_code}
 118 }
 119
 120 main()
 121 {
 122         [[ $# -ne 2 ]] && usage
 123
 124         local action="$1"
 125         local tmp_dir="$2"
 126
 127         [[ ! -d "${tmp_dir}" ]] && echo "Directory ${tmp_dir} doesn't exist" && exit 1
 128
 129         if [[ "${action}" == "setup" ]]; then
 130                 setup "${tmp_dir}"
 131         elif [[ "${action}" == "cleanup" ]]; then
 132                 cleanup "${tmp_dir}"
 133         elif [[ "${action}" == "run" ]]; then
 134                 run "${tmp_dir}"
 135         elif [[ "${action}" == "modify-bin" ]]; then
 136                 modify_bin "${tmp_dir}"
 137         elif [[ "${action}" == "restore-bin" ]]; then
 138                 restore_bin "${tmp_dir}"
 139         elif [[ "${action}" == "load-policy" ]]; then
 140                 load_policy "${tmp_dir}"
 141         else
 142                 echo "Unknown action: ${action}"
 143                 exit 1
 144         fi
 145 }
 146
 147 trap 'catch "$?" "${LOG_FILE}"' EXIT
 148
 149 if [[ "${VERBOSE}" -eq 0 ]]; then
 150         # Save the stderr to 3 so that we can output back to
 151         # it incase of an error.
 152         exec 3>&2 1>"${LOG_FILE}" 2>&1
 153 fi
 154
 155 main "$@"
 156 rm -f "${LOG_FILE}"