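#!/bin/sh
# SPDX-License-Identifier: GPL-2.0-or-later
# Copyright (c) 2021 VPI Engineering
# Copyright (c) 2021 Petr Vorel <[email protected]>
# Author: Alex Henrie <[email protected]>
#
# Verify that conditional rules work.
#
# gid and fgroup options test kernel commit 40224c41661b ("ima: add gid
# support") from v5.16.
#
# NOTE(review): every verify_measurement call writes a "measure" rule to
# $IMA_POLICY (set outside this file, presumably by ima_setup.sh). IMA
# policy writes add to the running kernel's policy and are not undone by this
# script, so the rules outlive the test run; use a disposable test system.

TST_NEEDS_CMDS="cat chgrp chown id sg sudo"
TST_CNT=1

# Add a "measure <request>=<id of user nobody>" rule to the IMA policy, create
# a fresh file, read it in a way that matches the rule and pass the file to
# ima_check.
#
# $1: rule condition to exercise: uid, gid, fowner or fgroup
verify_measurement()
{
	local request="$1"
	local user="nobody"
	local group
	local value
	local test_file="$PWD/test.txt"
	# $test_file is pasted into a command string that is run by sh -c and,
	# for gid, nested inside single quotes for sg. The working directory
	# must therefore not contain whitespace, quotes or shell metacharacters.
	local cmd="cat $test_file > /dev/null"

	# Reject an unknown condition before the IMA policy is touched, so a
	# caller's typo never ends up as a rule written to the kernel.
	case "$request" in
	fgroup|fowner|gid|uid) ;;
	*) tst_brk TBROK "Invalid res type '$1'";;
	esac

	if [ "$request" = 'gid' ] || [ "$request" = 'fgroup' ]; then
		value="$(id -g "$user")"
		# The rule carries the numeric primary GID of $user, so chgrp and
		# sg below must use that same group. Its name is not necessarily
		# equal to the user name.
		group="$(id -gn "$user")"
	else
		value="$(id -u "$user")"
	fi

	require_policy_writable

	ROD rm -f "$test_file"

	tst_res TINFO "verify measuring user files when requested via $request"
	ROD echo "measure $request=$value" \> "$IMA_POLICY"
	# /proc/uptime makes the content differ between runs; presumably so
	# that each run produces a new measurement (confirm against ima_check).
	ROD echo "$(cat /proc/uptime) $request test" \> "$test_file"

	case "$request" in
	fgroup)
		chgrp "$group" "$test_file"
		sh -c "$cmd"
		;;
	fowner)
		chown "$user" "$test_file"
		sh -c "$cmd"
		;;
	# -n keeps sudo non-interactive: it fails instead of prompting for a
	# password, which would otherwise stall an unattended run.
	gid) sudo -n sg "$group" "sh -c '$cmd'";;
	uid) sudo -n -u "$user" sh -c "$cmd";;
	esac

	ima_check "$test_file"
}

# uid and fowner run on every kernel; gid and fgroup are attempted only when
# tst_kvcmp reports a kernel of at least 5.16, otherwise the test ends with
# TCONF after the first two checks.
test1()
{
	verify_measurement uid
	verify_measurement fowner

	if tst_kvcmp -lt 5.16; then
		tst_brk TCONF "gid and fgroup options require kernel 5.16 or newer"
	fi

	verify_measurement gid
	verify_measurement fgroup
}

. ima_setup.sh
tst_run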