Message-Id: <20190322083441.31084-6-djacobs7@binghamton.edu>
Date:   Fri, 22 Mar 2019 04:34:39 -0400
From:   djacobs7@...ghamton.edu
To:     linux-integrity@...r.kernel.org, linux-kernel@...r.kernel.org
Cc:     zohar@...ux.ibm.com, pvorel@...e.cz, vt@...linux.org,
        David Jacobson <djacobs7@...ghamton.edu>
Subject: [PATCH v2 6/8] evmtest: test the preservation of extended attributes

From: David Jacobson <djacobs7@...ghamton.edu>

IMA supports file signatures by storing information in a security.ima
extended file attribute. This test ensures that the attribute is
preserved when a file is copied.  This test requires root because only
root can write "security." xattrs to files.

Signed-off-by: David Jacobson <djacobs7@...ghamton.edu>

Changelog:
* Clean ups suggested via mailing list
* getfattr used correctly
* more information about which file is created
* added xattr_preserve to test list
* shellcheck compliant
* move from functions to tests
* checkbashisms complaint
* remove begin
* removed long opts
* restructured using functions
---
 evmtest/README                  |  1 +
 evmtest/evmtest                 |  1 +
 evmtest/tests/xattr_preserve.sh | 81 +++++++++++++++++++++++++++++++++
 3 files changed, 83 insertions(+)
 create mode 100755 evmtest/tests/xattr_preserve.sh

diff --git a/evmtest/README b/evmtest/README
index b2d37e2..4dddbc0 100644
--- a/evmtest/README
+++ b/evmtest/README
@@ -42,6 +42,7 @@ TEST NAMES
  policy_sig - verify loading IMA policies
  kexec_sig - test IMA-appraise on kexec image loading
  kmod_sig - test IMA-appraise on kernel module loading
+ xattr_preserve - test metadata preservation on file move
 
 
 Introduction
diff --git a/evmtest/evmtest b/evmtest/evmtest
index 3c967f9..18cb98d 100755
--- a/evmtest/evmtest
+++ b/evmtest/evmtest
@@ -32,6 +32,7 @@ usage (){
 	echo "[R]	kexec_sig"
 	echo "[R]	kmod_sig"
 	echo "[R]	policy_sig"
+	echo "[R]	xattr_preserve"
 
 	echo ""
 	echo "Note: Tests may be run directly from the \"tests\" directory"
diff --git a/evmtest/tests/xattr_preserve.sh b/evmtest/tests/xattr_preserve.sh
new file mode 100755
index 0000000..61f6ded
--- /dev/null
+++ b/evmtest/tests/xattr_preserve.sh
@@ -0,0 +1,81 @@
+#!/bin/bash
+# Author: David Jacobson <davidj@...ux.ibm.com>
+TEST="xattr_preserve"
+ROOT="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null && pwd )/.."
+source "$ROOT"/files/common.sh
+
+VERBOSE=0
+# This test ensures that extended file attributes are preserved when a file is
+# moved with the correct flag
+
+usage (){
+	echo ""
+	echo "xattr_preserve [-hv]"
+	echo ""
+	echo "This test requires root privileges to write security xattrs"
+	echo ""
+	echo "	This test ensures that extended file attributes (specifically"
+	echo "	security.ima labels) are preserved when copying"
+	echo "Options"
+	echo "  -h	Display this help message"
+	echo "  -v	Verbose logging"
+}
+
+parse_args () {
+	TEMP=$(getopt -o 'hv' -n 'xattr_preserve' -- "$@")
+	eval set -- "$TEMP"
+
+	while true ; do
+		case "$1" in
+		-h) usage; exit; shift;;
+		-v) VERBOSE=1; shift;;
+		--) shift; break;;
+		*) echo "[*] Unrecognized option $1"; exit 1;;
+		esac
+	done
+}
+
+check_xattr_preserve () {
+	LOCATION_1=$(mktemp)
+	LOCATION_2=$(mktemp -u) # Doesn't create the file
+
+	v_out "Creating and labeling file $LOCATION_1..."
+
+	evmctl ima_hash "$LOCATION_1"
+
+	initial_ima_label=$(getfattr --absolute-names -n security.ima \
+			"$LOCATION_1")
+	initial_hash=$(echo "$initial_ima_label" | awk -F '=' '{print $2}')
+	if printf '%s' "$initial_ima_label" | grep -E -q "security.ima"; then
+		v_out "Found hash on initial file... "
+	else
+		fail "Hash not found on initial file"
+	fi
+
+	initial_hash=$(echo "$initial_ima_label" | awk -F '=' '{print $2}')
+
+	v_out "Copying file to $LOCATION_2..."
+	cp --preserve=xattr "$LOCATION_1" "$LOCATION_2"
+	v_out "Checking if extended attribute has been preserved..."
+
+
+	second_ima_label=$(getfattr --absolute-names -n security.ima \
+			"$LOCATION_2")
+	second_hash=$(echo "$second_ima_label" | awk -F '=' '{print $2}')
+	if [ "$initial_hash" != "$second_hash" ]; then
+		fail "security.ima xattr was not preserved!"
+	else
+		v_out "Extended attribute was preserved during copy"
+	fi
+}
+
+cleanup () {
+	v_out "Cleaning up..."
+	rm "$LOCATION_1" "$LOCATION_2"
+}
+
+EVMTEST_require_root
+echo "[*] Starting test: $TEST"
+check_xattr_preserve
+cleanup
+passed
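Review bot: `LOCATION_2=$(mktemp -u)` in `check_xattr_preserve` only prints a name without creating the file, and the later `cp --preserve=xattr "$LOCATION_1" "$LOCATION_2"` runs as root, so the destination in the shared temp directory can be claimed by another local user before the copy. Creating both files inside a private `mktemp -d` directory closes that window. `parse_args` is defined but never called at the bottom of the script, so `-h` and `-v` have no effect and `VERBOSE` stays 0. `cleanup` is reached only on the success path; if `fail` from common.sh exits (not visible in this hunk), the temporary files are left behind, which a `trap cleanup EXIT` replacing the explicit `cleanup` call would cover. The `initial_hash` assignment also appears twice with identical text, and one copy can be dropped.

```shell
check_xattr_preserve () {
	# mktemp -d creates a directory only the caller can access, so neither
	# path below can be pre-created by another user.
	WORKDIR=$(mktemp -d) || fail "Could not create temporary directory"
	LOCATION_1="$WORKDIR/original"
	LOCATION_2="$WORKDIR/copy"
	: > "$LOCATION_1"
	# … unchanged: labeling with evmctl, copy, hash comparison …
}

cleanup () {
	v_out "Cleaning up..."
	if [ -n "$WORKDIR" ]; then
		rm -rf -- "$WORKDIR"
	fi
}

EVMTEST_require_root
parse_args "$@"
trap cleanup EXIT
# … unchanged: start banner, check_xattr_preserve, passed (explicit cleanup call removed) …
```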
-- 
2.20.1
