// SPDX-License-Identifier: GPL-2.0-or-later
/*
 * Copyright (c) Linux Test Project, 2020-2024
 */
5*49cdfc7eSAndroid Build Coastguard Worker
#define TST_NO_DEFAULT_MAIN

/* Kernel-exported state files probed by the helpers in this file. */
#define PATH_FIPS "/proc/sys/crypto/fips_enabled"
#define PATH_LOCKDOWN "/sys/kernel/security/lockdown"
#define SELINUX_STATUS_PATH "/sys/fs/selinux/enforce"

/*
 * Location of the secure boot flag and how many bytes must be read from it;
 * the flag itself is the last of the VAR_DATA_SIZE bytes.  On EFI the
 * efivarfs file carries 4 bytes of variable attributes before the 1-byte
 * value; on ppc64 the device-tree property is read as 4 bytes.
 */
#if defined(__powerpc64__) || defined(__ppc64__)
# define SECUREBOOT_VAR "/proc/device-tree/ibm,secure-boot"
# define VAR_DATA_SIZE 4
#else
# define SECUREBOOT_VAR "/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"
# define VAR_DATA_SIZE 5
#endif
19*49cdfc7eSAndroid Build Coastguard Worker
20*49cdfc7eSAndroid Build Coastguard Worker #include <fcntl.h>
21*49cdfc7eSAndroid Build Coastguard Worker #include <stdio.h>
22*49cdfc7eSAndroid Build Coastguard Worker #include <stdlib.h>
23*49cdfc7eSAndroid Build Coastguard Worker #include <sys/mount.h>
24*49cdfc7eSAndroid Build Coastguard Worker
25*49cdfc7eSAndroid Build Coastguard Worker #include "tst_test.h"
26*49cdfc7eSAndroid Build Coastguard Worker #include "tst_safe_macros.h"
27*49cdfc7eSAndroid Build Coastguard Worker #include "tst_safe_stdio.h"
28*49cdfc7eSAndroid Build Coastguard Worker #include "tst_security.h"
29*49cdfc7eSAndroid Build Coastguard Worker #include "tst_private.h"
30*49cdfc7eSAndroid Build Coastguard Worker
/*
 * Report whether the kernel runs in FIPS mode.
 *
 * PATH_FIPS is parsed only when it is readable; a missing or unreadable
 * file is treated as "FIPS off" rather than as an error, so the helper
 * is safe to call on kernels that do not expose the knob.
 *
 * Returns the integer found in the file (non-zero means enabled), or 0
 * when the file cannot be read.  Breaks the test (via SAFE_FILE_SCANF)
 * if the file is readable but does not hold an integer.
 */
int tst_fips_enabled(void)
{
	int enabled = 0;

	/* R_OK, not F_OK: an unreadable file is reported as off, not TBROK */
	if (!access(PATH_FIPS, R_OK))
		SAFE_FILE_SCANF(PATH_FIPS, "%d", &enabled);

	tst_res(TINFO, "FIPS: %s", enabled ? "on" : "off");

	return enabled;
}
42*49cdfc7eSAndroid Build Coastguard Worker
/*
 * Report whether kernel lockdown is active.
 *
 * When PATH_LOCKDOWN exists its first line is read and the current mode
 * is the bracketed entry, so any line that does not contain "[none]"
 * counts as locked down.  When the file is absent the state is only
 * inferred: a lockdown-related Kconfig option being built in together
 * with secure boot enabled is taken as "on" (see the comment below);
 * anything else is reported as unknown and treated as off.
 *
 * Returns 1 when lockdown is on (or inferred to be on), 0 otherwise.
 * Breaks the test (TBROK) if PATH_LOCKDOWN exists but cannot be opened
 * or read.
 *
 * NOTE(review): the inferred "on" is a heuristic for kernels that lock
 * down on secure boot without exposing the LSM file; it is not logged,
 * unlike the measured result.
 */
int tst_lockdown_enabled(void)
{
	FILE *fp;
	char buf[BUFSIZ];
	int locked;

	if (access(PATH_LOCKDOWN, F_OK)) {
		int configured;

		/* SecureBoot enabled could mean integrity lockdown (non-mainline version) */
#if defined(__powerpc64__) || defined(__ppc64__)
		/* both options are queried; '|' keeps the second lookup unconditional */
		configured = (tst_kconfig_get("CONFIG_SECURITY_LOCKDOWN_LSM") == 'y') |
			     (tst_kconfig_get("CONFIG_SECURITY_LOCKDOWN_LSM_EARLY") == 'y');
#else
		configured = (tst_kconfig_get("CONFIG_EFI_SECURE_BOOT_LOCK_DOWN") == 'y') |
			     (tst_kconfig_get("CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT") == 'y');
#endif

		/* tst_secureboot_enabled() returns -1 for "unknown", hence > 0 */
		if (configured && tst_secureboot_enabled() > 0)
			return 1;

		tst_res(TINFO, "Unable to determine system lockdown state");
		return 0;
	}

	fp = SAFE_FOPEN(PATH_LOCKDOWN, "r");
	if (!fgets(buf, sizeof(buf), fp))
		tst_brk(TBROK | TERRNO, "fgets %s", PATH_LOCKDOWN);
	SAFE_FCLOSE(fp);

	/* e.g. "[none] integrity confidentiality" means no lockdown */
	locked = !strstr(buf, "[none]");
	tst_res(TINFO, "Kernel lockdown: %s", locked ? "on" : "off");

	return locked;
}
78*49cdfc7eSAndroid Build Coastguard Worker
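/*
 * Report whether the platform booted with secure boot enabled.
 *
 * Exactly VAR_DATA_SIZE bytes are read from SECUREBOOT_VAR and the last
 * byte is the flag (see the SECUREBOOT_VAR/VAR_DATA_SIZE definitions for
 * the per-platform layout).
 *
 * Returns the flag byte as a non-negative value (0 = off, non-zero = on),
 * or -1 when the file is absent or cannot be opened, e.g. when the
 * firmware interface is not exposed to the test.  Breaks the test
 * (TBROK) if fewer than VAR_DATA_SIZE bytes can be read.
 *
 * Changes from the previous version: the buffer is sized by
 * VAR_DATA_SIZE instead of a literal 5, the flag is returned through an
 * unsigned byte so a 0xff value can never alias the -1 "unknown"
 * sentinel, and the unreachable "fd < 0 but not -1" branch is folded
 * into the single open() failure path (open(2) only ever fails with -1).
 *
 * NOTE(review): this only relays the flag the firmware publishes; it
 * does not verify the boot chain itself.
 */
int tst_secureboot_enabled(void)
{
	int fd;
	unsigned char data[VAR_DATA_SIZE];

	if (access(SECUREBOOT_VAR, F_OK)) {
		tst_res(TINFO, "SecureBoot sysfs file not available");
		return -1;
	}

	fd = open(SECUREBOOT_VAR, O_RDONLY);
	if (fd < 0) {
		tst_res(TINFO | TERRNO,
			"Cannot open SecureBoot file");
		return -1;
	}

	/*
	 * First argument 1 requests a strict-length read, i.e. a short read is
	 * a TBROK rather than a guess -- presumably; confirm in tst_safe_macros.
	 */
	SAFE_READ(1, fd, data, VAR_DATA_SIZE);
	SAFE_CLOSE(fd);

	tst_res(TINFO, "SecureBoot: %s", data[VAR_DATA_SIZE - 1] ? "on" : "off");

	return data[VAR_DATA_SIZE - 1];
}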
104*49cdfc7eSAndroid Build Coastguard Worker
/*
 * Report whether SELinux is in enforcing mode.
 *
 * The integer in SELINUX_STATUS_PATH is returned verbatim and any
 * non-zero value is logged as enforcing.  When the file does not exist
 * (presumably SELinux disabled or selinuxfs not mounted) the result is
 * 0, which is indistinguishable from permissive mode for callers.
 *
 * Returns the value read, or 0 when the file is absent.  Breaks the
 * test (via SAFE_FILE_SCANF) if the file exists but cannot be parsed.
 */
int tst_selinux_enforcing(void)
{
	int enforcing = 0;

	if (!access(SELINUX_STATUS_PATH, F_OK))
		SAFE_FILE_SCANF(SELINUX_STATUS_PATH, "%d", &enforcing);

	tst_res(TINFO, "SELinux enforcing: %s", enforcing ? "on" : "off");

	return enforcing;
}
116