diff --git a/fapolicyd/Sanity/integrity-advanced/main.fmf b/fapolicyd/Sanity/integrity-advanced/main.fmf
index 2658aa73..76fd1ce7 100644
--- a/fapolicyd/Sanity/integrity-advanced/main.fmf
+++ b/fapolicyd/Sanity/integrity-advanced/main.fmf
@@ -11,11 +11,11 @@ require+:
 - fapolicyd
 - library(ControlFlow/Cleanup)
 - library(distribution/testUser)
-enabled: false
+- attr
 duration: 5m
 extra-summary: /CoreOS/fapolicyd/Sanity/integrity
 extra-task: /CoreOS/fapolicyd/Sanity/integrity
 extra-nitrate: TC#0609439
 adjust+:
 - enabled: false
- when: distro < rhel-8.4
\ No newline at end of file
+ when: distro < rhel-8.4
diff --git a/fapolicyd/Sanity/integrity-advanced/runtest.sh b/fapolicyd/Sanity/integrity-advanced/runtest.sh
new file mode 100755
index 00000000..31298358
--- /dev/null
+++ b/fapolicyd/Sanity/integrity-advanced/runtest.sh
@@ -0,0 +1,119 @@
+#!/bin/bash
+# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# runtest.sh of /fapolicyd/Sanity/integrity-advanced
+# Description: Test for BZ#1887451 (Rebase FAPOLICYD to the latest upstream version)
+# Author: Patrik Koncity
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Copyright (c) 2023 Red Hat, Inc.
+#
+# This copyrighted material is made available to anyone wishing
+# to use, modify, copy, or redistribute it subject to the terms
+# and conditions of the GNU General Public License version 2.
+#
+# This program is distributed in the hope that it will be
+# useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public
+# License along with this program; if not, write to the Free
+# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+# Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+# Include Beaker environment
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+PACKAGE="fapolicyd"
+
+set_config_option() {
+ local file=/etc/fapolicyd/fapolicyd.conf
+ sed -i -r "/^$1 =/d" $file
+ [[ -n "$2" ]] && {
+ echo >> $file
+ echo "$1 = $2" >> $file
+ }
+ echo "# grep$numbers -v -e '^\s*#' -e '^\s*$' \"$file\""
+ grep$numbers -v -e '^\s*#' -e '^\s*$' "$file"
+ echo "---"
+}
+
+# $1 - command
+# $2 - expected result, default 0
+uRun() {
+ rlRun "timeout 2 su - $testUser -c \"$1\"" ${2:-0}
+}
+
+rlJournalStart && {
+ rlPhaseStartSetup && {
+ rlRun "rlImport --all" 0 "Import libraries" || rlDie "cannot continue"
+ rlRun "rlCheckMakefileRequires" || rlDie "cannot continue"
+ rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
+ CleanupRegister "rlRun 'rm -r $TmpDir' 0 'Removing tmp directory'"
+ CleanupRegister 'rlRun "popd"'
+ rlRun "pushd $TmpDir"
+ rlRun "chmod -R a+rwx $TmpDir"
+ CleanupRegister 'rlRun "testUserCleanup"'
+ rlRun "testUserSetup"
+ CleanupRegister 'fapCleanup'
+ rlRun "fapSetup"
+ fapPrepareTestPackages
+ CleanupRegister 'rlRun "rpm -e fapTestPackage"'
+ rlRun "rpm -ivh ${fapTestPackage[1]}"
+ cat $fapTestProgram > fapTestProgram
+ rlRun "rpm -e fapTestPackage"
+ rlPhaseEnd; }
+
+ rlPhaseStartTest "functionality check" && {
+ rlRun "cp /bin/ls ./"
+ CleanupRegister --mark 'rlRun "fapStop"'
+ rlRun "fapStart --debug"
+ uRun "$TmpDir/ls" 126
+ CleanupDo --mark
+ rlRun "fapServiceOut -t"
+ rlPhaseEnd; }
+
+ rlPhaseStartTest "integrity none" && {
+ # any binary in the trusted path should work
+ rlRun "rpm -ivh --force $fapTestPackage"
+ set_config_option integrity 'none'
+ CleanupRegister --mark 'rlRun "fapStop"'
+ rlRun "fapStart"
+ uRun "$fapTestProgram" 124
+ rlRun "cat fapTestProgram > $fapTestProgram"
+ uRun "$fapTestProgram" 124
+ rlRun "cat /bin/ls > $fapTestProgram"
+ uRun "$fapTestProgram"
+ CleanupDo --mark
+ rlPhaseEnd; }
+
+ rlPhaseStartTest "integrity ima" && {
+ rlRun "rpm -ivh --force $fapTestPackage"
+ HASH=($(sha256sum ${fapTestProgram}))
+ sleep 5
+ set_config_option integrity 'IMA'
+ CleanupRegister --mark 'rlRun "fapStop"'
+ #label IMA to all files file attr
+ find / -fstype ext4 -type f -uid 0 -exec dd if='{}' of=/dev/null count=0 status=none \;
+ rlRun "fapStart --debug"
+ uRun "$fapTestProgram" 124
+ rlRun -s "getfattr -m - -d -e hex /usr/local/bin/fapTestProgram | grep ${HASH}"
+ rlRun "cat fapTestProgram > $fapTestProgram"
+ uRun "$fapTestProgram" 126
+ rlRun "cat /bin/ls > $fapTestProgram"
+ uRun "$fapTestProgram" 126
+ bash
+ CleanupDo --mark
+ rlRun "fapServiceOut -t"
+ rlPhaseEnd; }
+
+ rlPhaseStartCleanup && {
+ CleanupDo
+ rlPhaseEnd; }
+ rlJournalPrintText
+rlJournalEnd; }
diff --git a/fapolicyd/Setup/configure_kernel_ima_module/main.fmf b/fapolicyd/Setup/configure_kernel_ima_module/main.fmf
new file mode 100644
index 00000000..dfaca6b1
--- /dev/null
+++ b/fapolicyd/Setup/configure_kernel_ima_module/main.fmf
@@ -0,0 +1,18 @@
+summary: Configures kernel ima module on a running system
+description: Enables kernel_ima on a tested system
+contact: Patrik Koncity
+component:
+- keylime
+test: ./runtest.sh
+tag:
+- setup
+framework: beakerlib
+require:
+- grubby
+- openssl
+duration: 10m
+enabled: true
+adjust:
+ - when: distro == rhel-8 or distro = centos-stream-8
+ enabled: false
+ because: RHEL-8 has old kernel
diff --git a/fapolicyd/Setup/configure_kernel_ima_module/runtest.sh b/fapolicyd/Setup/configure_kernel_ima_module/runtest.sh
new file mode 100755
index 00000000..fd48fd76
--- /dev/null
+++ b/fapolicyd/Setup/configure_kernel_ima_module/runtest.sh
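Review bot: The bare `bash` after the second `uRun "$fapTestProgram" 126` in the "integrity ima" phase looks like a leftover debugging shell; in a non-interactive harness it either blocks the phase until its stdin is closed or executes whatever the harness leaves on stdin, and it is not wrapped in `rlRun`, so it should be removed. In the same phase `getfattr -m - -d -e hex /usr/local/bin/fapTestProgram` hard-codes a path that every other line takes from `$fapTestProgram`, so the hash check can silently look at a different file than the one being executed; use `\"$fapTestProgram\"` there too. `set_config_option` expands an undefined `$numbers` in both `grep$numbers` lines, which only works because the variable is empty; spell it `grep` or define the variable. The unconditional `find / -fstype ext4 -type f -uid 0 -exec dd ...` that opens every root-owned file to trigger IMA labelling is not under `rlRun`, so a failure there leaves no trace in the journal, and it only covers ext4 — presumably an xfs root would stay unlabelled, which is worth confirming or commenting.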
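Review bot: The adjust rule `when: distro == rhel-8 or distro = centos-stream-8` mixes `==` with a single `=`; the plan and the other fmf file in this commit use `==` throughout, so unless fmf accepts `=` as an alias the centos-stream-8 half of the rule would not match and the setup task would run on the kernel the `because` text says is too old — change it to `distro == centos-stream-8`. `component: - keylime` for a test living under `fapolicyd/Setup` also looks copied from the keylime tests; if that field drives result routing it presumably should be `fapolicyd`.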
@@ -0,0 +1,47 @@
+#!/bin/bash
+# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+[ -z "${IMA_APPRAISE}" ] && IMA_APPRAISE="fix"
+[ -z "${IMA_POLICY}" ] && IMA_POLICY="tcb"
+[ -z "${IMA_HASH}" ] && IMA_HASH="sha256"
+[ -z "${IMA_AUDIT}" ] && IMA_AUDIT="1"
+
+COOKIE=/var/tmp/configure-kernel-ima-module-rebooted
+TESTFILE=/var/tmp/configure-kernel-ima-module-test$$
+
+rlJournalStart
+
+ if [ ! -e $COOKIE ]; then
+ rlPhaseStartSetup "pre-reboot phase"
+ rlRun "grubby --info ALL"
+ rlRun "grubby --default-index"
+ rlRun "grubby --update-kernel DEFAULT --args 'ima_appraise=${IMA_APPRAISE} ima_appraise_tcb ima_policy=${IMA_POLICY} ima_hash=${IMA_HASH} ima_audit=${IMA_AUDIT}'"
+ rlRun -s "grubby --info DEFAULT | grep '^args'"
+ rlAssertGrep "ima_appraise=${IMA_APPRAISE}" $rlRun_LOG
+ rlAssertGrep "ima_policy=${IMA_POLICY}" $rlRun_LOG
+ rlAssertGrep "ima_audit=${IMA_AUDIT}" $rlRun_LOG
+ rlAssertGrep "ima_hash=${IMA_HASH}" $rlRun_LOG
+ rlRun "touch $COOKIE"
+ rlPhaseEnd
+
+ rhts-reboot
+
+ else
+ rlPhaseStartTest "post-reboot IMA test"
+ rlRun -s "cat /proc/cmdline"
+ rlAssertGrep "ima_appraise=${IMA_APPRAISE}" $rlRun_LOG
+ rlAssertGrep "ima_policy=${IMA_POLICY}" $rlRun_LOG
+ rlAssertGrep "ima_audit=${IMA_AUDIT}" $rlRun_LOG
+ rlAssertGrep "ima_hash=${IMA_HASH}" $rlRun_LOG
+ rlRun "grubby --info ALL"
+ rlRun "grubby --default-index"
+ rlRun "rm $COOKIE"
+ if [ "${IMA_STATE}" == "on" -o "${IMA_STATE}" == "1" ]; then
+ rlRun "touch ${TESTFILE} && cat ${TESTFILE} && rm ${TESTFILE}"
+ rlRun "grep ${TESTFILE} /sys/kernel/security/ima/ascii_runtime_measurements"
+ fi
+ rlPhaseEnd
+ fi
+
+rlJournalEnd
diff --git a/fapolicyd/plans/ima-integrity.fmf b/fapolicyd/plans/ima-integrity.fmf
new file mode 100644
index 00000000..43784f89
--- /dev/null
+++ b/fapolicyd/plans/ima-integrity.fmf
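Review bot: `IMA_STATE` is read in the post-reboot branch (`if [ "${IMA_STATE}" == "on" -o "${IMA_STATE}" == "1" ]`) but, unlike `IMA_APPRAISE`/`IMA_POLICY`/`IMA_HASH`/`IMA_AUDIT` at the top, it is never defaulted, so the `ascii_runtime_measurements` check is skipped unless a caller happens to export it; either add `[ -z "${IMA_STATE}" ] && IMA_STATE="on"` next to the other defaults or drop the guard. The `-o` inside `[ ]` is the deprecated form; `if [[ "${IMA_STATE}" == "on" || "${IMA_STATE}" == "1" ]]; then` is the safe bash spelling. Nothing restores the kernel command line afterwards (the cookie is removed, the `grubby --update-kernel` arguments stay), so the host remains in IMA appraisal mode after the plan; if that is the intent of a Setup task a comment such as `# kernel args are left in place on purpose: later tests in the plan rely on IMA being active` would make it explicit, otherwise a `grubby --remove-args` counterpart belongs in the post-reboot phase.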
@@ -0,0 +1,21 @@
+summary: run fapolicyd with IMA integrity check
+
+
+prepare:
+ - how: shell
+ script:
+ - rpm -Uv https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm https://dl.fedoraproject.org/pub/epel/epel-next-release-latest-9.noarch.rpm || true
+ when: distro == rhel-9 or distro == centos-stream-9
+
+discover:
+ - name: Configure_simple_IMA_policy
+ how: fmf
+ test:
+ - /Setup/configure_kernel_ima_module
+ - name: Run_fapolicyd_IMA_integrity_check
+ how: fmf
+ test:
+ - /fapolicyd/Sanity/integrity-advanced
+
+execute:
+ how: tmt
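Review bot: The prepare step installs the two `epel-release-latest-9` packages straight from the network with `rpm -Uv ... || true`; a fresh RHEL/CentOS host has no EPEL signing key imported, so by default `rpm` installs them with only a NOKEY warning, and the `|| true` hides both a download failure and a refused install, leaving the later discover steps to fail for an unrelated-looking reason. Importing the EPEL key first and installing via `dnf install` (which verifies the signature against the imported key and fails loudly) would make what lands on the test box checkable and the failure visible. The two discover entries also use different roots, `/Setup/configure_kernel_ima_module` versus `/fapolicyd/Sanity/integrity-advanced`; given both files live under `fapolicyd/` in this commit, one of the two presumably does not resolve — worth confirming which fmf root the plan runs against.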