1*49cdfc7eSAndroid Build Coastguard Worker#!/bin/sh
2*49cdfc7eSAndroid Build Coastguard Worker# SPDX-License-Identifier: GPL-2.0-or-later
3*49cdfc7eSAndroid Build Coastguard Worker# Copyright (c) 2018 Petr Vorel <[email protected]>
4*49cdfc7eSAndroid Build Coastguard Worker
# This library calls helpers that are not defined here (tst_res, tst_brk,
# tst_require_root, tst_cmd_available) and that are presumably provided
# by tst_test.sh, so refuse to continue unless that library is loaded.
if [ -z "$TST_LIB_LOADED" ]; then
	echo "please load tst_test.sh first" >&2
	exit 1
fi

# Include guard: sourcing this file a second time is a no-op.
[ -n "$TST_SECURITY_LOADED" ] && return 0
TST_SECURITY_LOADED=1
12*49cdfc7eSAndroid Build Coastguard Worker
# Report which mandatory access control (MAC) systems are active, because
# AppArmor or an enforcing SELinux can change a test's outcome (e.g. a
# needed command may be denied an operation it would otherwise be allowed).
# Purely informational: nothing is changed, only TINFO lines are emitted.
#
# Reads: TST_NEEDS_CMDS (space separated command names the test needs),
#        TST_DISABLE_APPARMOR / TST_DISABLE_SELINUX (only to decide whether
#        the "it can be disabled with ..." hint is worth printing).
_tst_check_security_modules()
{
	local cmd
	local confined

	if tst_apparmor_enabled; then
		tst_res TINFO "AppArmor enabled, this may affect test results"
		if [ "$TST_DISABLE_APPARMOR" != 1 ]; then
			tst_res TINFO "it can be disabled with TST_DISABLE_APPARMOR=1 (requires super/root)"
		fi
		# Needed commands that run under an enforced profile, most recently
		# matched first, each followed by a space.
		confined=
		for cmd in $TST_NEEDS_CMDS; do
			if tst_apparmor_used_profile $cmd; then
				confined="$cmd $confined"
			fi
		done
		tst_res TINFO "loaded AppArmor profiles: ${confined:-none}"
	fi

	if tst_selinux_enforced; then
		tst_res TINFO "SELinux enabled in enforcing mode, this may affect test results"

		if [ "$TST_DISABLE_SELINUX" != 1 ]; then
			tst_res TINFO "it can be disabled with TST_DISABLE_SELINUX=1 (requires super/root)"
		fi
		# Same collection for SELinux; note tst_selinux_used_profile is a
		# substring heuristic over policy type names, not a confinement check.
		confined=
		for cmd in $TST_NEEDS_CMDS; do
			if tst_selinux_used_profile $cmd; then
				confined="$cmd $confined"
			fi
		done
		tst_res TINFO "loaded SELinux profiles: ${confined:-none}"
	fi
}
43*49cdfc7eSAndroid Build Coastguard Worker
# Detect whether the AppArmor LSM is enabled in the running kernel by
# reading /sys/module/apparmor/parameters/enabled ("Y" or "N").
# This only says the LSM is active, not that any profile is loaded;
# use tst_apparmor_used_profile to check for a specific profile.
# Return 0: AppArmor enabled
# Return 1: AppArmor disabled, or not built into the kernel (file missing)
tst_apparmor_enabled()
{
	local state_file="/sys/module/apparmor/parameters/enabled"
	local state

	[ -f "$state_file" ] || return 1
	state=$(cat "$state_file")
	[ "$state" = "Y" ]
}
51*49cdfc7eSAndroid Build Coastguard Worker
# Detect whether an AppArmor profile for CMD is loaded in enforce mode.
# Looks for CMD in /sys/kernel/security/apparmor/profiles, whose lines are
# of the form "<profile name> (<mode>)", so a profile that only exists in
# complain mode does not count.  The match is a substring match on the
# profile name and CMD is interpolated into a basic regular expression,
# so regex metacharacters in CMD are interpreted rather than matched
# literally (command names are normally plain words, so this is benign).
# tst_apparmor_used_profile CMD
# Return 0: an enforced profile matching CMD is loaded
# Return non-zero: no such profile, or securityfs is not mounted/readable
tst_apparmor_used_profile()
{
	local profiles_file="/sys/kernel/security/apparmor/profiles"
	local cmd

	[ $# -eq 1 ] || tst_brk TCONF "usage tst_apparmor_used_profile CMD"
	cmd="$1"

	# securityfs may be absent or unreadable (non-root): stay quiet and
	# just report "not confined".
	grep -q "$cmd .*(enforce)" "$profiles_file" 2>/dev/null
}
62*49cdfc7eSAndroid Build Coastguard Worker
# Detect whether SELinux is enabled in enforcing mode by reading the
# <selinuxfs>/enforce file located by tst_get_enforce: "1" means
# enforcing, "0" permissive.  No selinuxfs at all counts as disabled.
# Return 0: enabled in enforcing mode
# Return 1: permissive mode, disabled, or selinuxfs not mounted
tst_selinux_enforced()
{
	local enforce_file
	enforce_file=$(tst_get_enforce)

	# Empty path (no selinuxfs) fails the -f test as well.
	[ -f "$enforce_file" ] || return 1
	[ "$(cat "$enforce_file")" = "1" ]
}
72*49cdfc7eSAndroid Build Coastguard Worker
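# Detect whether an SELinux type (domain) for CMD exists in the loaded
# policy.  This is a heuristic: it looks for CMD as a literal substring of
# any type name printed by `seinfo -t` (e.g. "ping" matches ping_t and
# ping_exec_t), so unrelated types that merely contain the same letters
# match too, and a match does not prove CMD actually transitions into
# that domain.
# tst_selinux_used_profile CMD
# Return 0: a type name containing CMD is present
# Return 1: no such type, CMD empty, or seinfo not available
# Side effect: the "install seinfo" hint is printed at most once per
# process, tracked by the exported seinfo_warn_printed variable.
tst_selinux_used_profile()
{
	[ $# -eq 1 ] || tst_brk TCONF "usage tst_selinux_used_profile CMD"
	local cmd="$1"

	# An empty CMD must not become an empty (match-everything) grep
	# pattern or a grep usage error.
	[ -n "$cmd" ] || return 1

	if ! tst_cmd_available seinfo; then
		if [ -z "$seinfo_warn_printed" ]; then
			tst_res TINFO "install seinfo to find used SELinux profiles"
			export seinfo_warn_printed=1
		fi
		return 1
	fi
	# -F: CMD is a literal command name, not a regular expression
	# (previously "p.ng" would have matched ping_t); --: a name starting
	# with '-' must not be parsed as a grep option.
	seinfo -t 2>/dev/null | grep -q -F -- "$cmd"
}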
91*49cdfc7eSAndroid Build Coastguard Worker
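# Try to disable AppArmor for the rest of the test run (requires root).
# Tries, in order: the aa-teardown tool, then /etc/init.d/apparmor with
# the "teardown", "kill" and "stop" actions, stopping at the first method
# that succeeds.
#
# NOTE(review): this goes through distribution tooling only; it does not
# touch /sys/module/apparmor/parameters/enabled, so tst_apparmor_enabled
# may still report the LSM as enabled afterwards, and nothing in this
# library reloads the profiles -- the host stays unconfined until AppArmor
# is restarted by hand or the machine is rebooted.
# Return 0: one of the methods succeeded
# Return > 0: no method is available, or every method failed.  (The old
#             code returned 0 -- "disabled" -- when neither aa-teardown
#             nor the init script existed, because a failed `if` test
#             yields status 0.)
tst_disable_apparmor()
{
	local teardown_cmd="aa-teardown"
	local init_script="/etc/init.d/apparmor"
	local action

	tst_res TINFO "trying to disable AppArmor (requires super/root)"
	tst_require_root

	if tst_cmd_available "$teardown_cmd"; then
		# Propagate aa-teardown's own status; do not fall back to the
		# init script if it fails.
		"$teardown_cmd" >/dev/null
		return
	fi

	[ -f "$init_script" ] || return 1
	for action in teardown kill stop; do
		"$init_script" "$action" >/dev/null 2>&1 && return 0
	done
	return 1
}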
111*49cdfc7eSAndroid Build Coastguard Worker
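# Put SELinux into permissive mode (requires root).
# Despite the name this does not disable SELinux: it writes 0 to
# <selinuxfs>/enforce -- the same file tst_selinux_enforced reads -- so
# the policy stays loaded and denials are only logged, not enforced.
# The change is system-wide and nothing in this library writes 1 back, so
# the host stays permissive until re-enabled by hand or rebooted.
# Return 0: enforce file written
# Return > 0: selinuxfs not found, or the write failed (not root, or the
#             kernel does not allow switching to permissive)
tst_disable_selinux()
{
	local enforce_file

	tst_res TINFO "trying to disable SELinux (requires super/root)"
	tst_require_root

	enforce_file=$(tst_get_enforce)
	[ -f "$enforce_file" ] || return 1

	# "echo 0", not "cat 0": the latter tried to read a file named "0",
	# which only truncated the enforce file and always reported failure.
	echo 0 > "$enforce_file"
}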
124*49cdfc7eSAndroid Build Coastguard Worker
# Print the selinuxfs mount point: /sys/fs/selinux on current kernels,
# the legacy /selinux location otherwise.  Prints nothing when neither
# directory exists (SELinux disabled or not built in).
# Return 0: a directory was printed
# Return 1: no selinuxfs found
tst_get_selinux_dir()
{
	local candidate

	for candidate in /sys/fs/selinux /selinux; do
		if [ -d "$candidate" ]; then
			echo "$candidate"
			return 0
		fi
	done
	return 1
}
133*49cdfc7eSAndroid Build Coastguard Worker
# Print the path of the SELinux "enforce" control file
# (<selinuxfs>/enforce), or nothing if selinuxfs is not mounted or the
# file is missing.  Callers consume the output only; the exit status is
# 0 when the path was printed and also when there is no selinuxfs at all,
# 1 when selinuxfs exists but has no enforce file.
tst_get_enforce()
{
	local selinux_dir enforce_file

	selinux_dir=$(tst_get_selinux_dir)
	[ -n "$selinux_dir" ] || return 0

	enforce_file="$selinux_dir/enforce"
	[ -f "$enforce_file" ] || return 1
	echo "$enforce_file"
}
143*49cdfc7eSAndroid Build Coastguard Worker
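# Flip the SELinux checkreqprot setting (<selinuxfs>/checkreqprot):
# 1 -> 0, anything else -> 1.  There is no "restore": a caller that
# toggles it before a test must call this again afterwards to put the
# original value back.
#
# Security note: per the kernel's SELinux documentation, 0 makes SELinux
# check the protection the kernel will actually apply to mmap/mprotect
# (the safer setting), while 1 checks only what the application asked
# for; recent kernels deprecate setting 1 and may reject that write, so
# callers should check the exit status.  Writing requires root.
# Return 0: value toggled
# Return 1: selinuxfs not mounted, or checkreqprot unreadable/unwritable
tst_update_selinux_state()
{
	local selinux_dir ctl cur_val new_val

	selinux_dir=$(tst_get_selinux_dir)
	# Nothing to toggle without selinuxfs.  (The old guard was inverted:
	# it bailed out precisely when SELinux *was* present.)
	[ -n "$selinux_dir" ] || return 1

	ctl="$selinux_dir/checkreqprot"
	cur_val=$(cat "$ctl" 2>/dev/null) || return 1

	if [ "$cur_val" = 1 ]; then
		new_val=0
	else
		new_val=1
	fi
	echo "$new_val" > "$ctl"
}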
153*49cdfc7eSAndroid Build Coastguard Worker}
154