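#!/bin/sh
# SPDX-License-Identifier: GPL-2.0-or-later
# Copyright (c) 2018 Petr Vorel <pvorel@suse.cz>
#
# Helpers for detecting and optionally disabling the AppArmor and SELinux
# security modules from shell tests. Must be sourced after tst_test.sh;
# tst_res, tst_brk, tst_cmd_available and tst_require_root are not defined
# in this file and are expected to come from there.
#
# NOTE: tst_disable_apparmor, tst_disable_selinux and
# tst_update_selinux_state change host-wide security state, and nothing in
# this file restores the previous state afterwards. Restoring it is the
# caller's responsibility.

if [ -z "$TST_LIB_LOADED" ]; then
	echo "please load tst_test.sh first" >&2
	exit 1
fi

# Include guard: sourcing this file a second time is a no-op.
[ -n "$TST_SECURITY_LOADED" ] && return 0
TST_SECURITY_LOADED=1

# Report (TINFO only) which security modules are active and which of the
# commands listed in TST_NEEDS_CMDS appear to have a profile loaded.
# Globals: TST_NEEDS_CMDS, TST_DISABLE_APPARMOR, TST_DISABLE_SELINUX (read)
_tst_check_security_modules()
{
	local cmd
	local profiles

	if tst_apparmor_enabled; then
		tst_res TINFO "AppArmor enabled, this may affect test results"
		[ "$TST_DISABLE_APPARMOR" = 1 ] || \
			tst_res TINFO "it can be disabled with TST_DISABLE_APPARMOR=1 (requires super/root)"
		profiles=
		# TST_NEEDS_CMDS is a whitespace-separated list, so it is
		# deliberately left unquoted here.
		for cmd in $TST_NEEDS_CMDS; do
			tst_apparmor_used_profile "$cmd" && profiles="$cmd $profiles"
		done
		[ -z "$profiles" ] && profiles="none"
		tst_res TINFO "loaded AppArmor profiles: $profiles"
	fi

	if tst_selinux_enforced; then
		tst_res TINFO "SELinux enabled in enforcing mode, this may affect test results"

		[ "$TST_DISABLE_SELINUX" = 1 ] || \
			tst_res TINFO "it can be disabled with TST_DISABLE_SELINUX=1 (requires super/root)"
		profiles=
		for cmd in $TST_NEEDS_CMDS; do
			tst_selinux_used_profile "$cmd" && profiles="$cmd $profiles"
		done
		[ -z "$profiles" ] && profiles="none"
		tst_res TINFO "loaded SELinux profiles: $profiles"
	fi
}

# Detect whether the AppArmor module reports itself as enabled
# Return 0: /sys/module/apparmor/parameters/enabled exists and contains "Y"
# Return 1: file missing or any other content
tst_apparmor_enabled()
{
	local f="/sys/module/apparmor/parameters/enabled"
	[ -f "$f" ] && [ "$(cat "$f")" = "Y" ]
}

# Detect whether AppArmor profile for command is enforced
# tst_apparmor_used_profile CMD
# Return 0: loaded profile for CMD
# Return 1: no profile for CMD, or the profiles file could not be read
#
# CMD is used as an unanchored regular expression, so it can also match a
# longer profile name that merely contains CMD. In this file the result
# only feeds a TINFO message.
tst_apparmor_used_profile()
{
	[ $# -eq 1 ] || tst_brk TCONF "usage tst_apparmor_used_profile CMD"
	local cmd="$1"
	# stderr is silenced because the profiles file may be absent or
	# unreadable; either case is reported as "no profile".
	grep -q "$cmd .*(enforce)" /sys/kernel/security/apparmor/profiles 2>/dev/null
}

# Detect whether SELinux is enabled in enforcing mode
# Return 0: enabled in enforcing mode
# Return 1: enabled in permissive mode or disabled
tst_selinux_enforced()
{
	local f
	f="$(tst_get_enforce)"

	[ -f "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Detect whether SELinux profile for command is enforced
# tst_selinux_used_profile CMD
# Return 0: loaded profile for CMD
# Return 1: profile for CMD not loaded or seinfo not available
#
# CMD is matched as an unanchored pattern against the output of
# "seinfo -t", so a hit on any type name containing CMD counts as a match.
tst_selinux_used_profile()
{
	[ $# -eq 1 ] || tst_brk TCONF "usage tst_selinux_used_profile CMD"
	local cmd="$1"

	if ! tst_cmd_available seinfo; then
		# Print the hint once only; the flag is exported so that
		# child processes see it as well.
		if [ -z "$seinfo_warn_printed" ]; then
			tst_res TINFO "install seinfo to find used SELinux profiles"
			export seinfo_warn_printed=1
		fi
		return 1
	fi
	seinfo -t 2>/dev/null | grep -q -- "$cmd"
}

# Try disable AppArmor
# Return 0: AppArmor disabled
# Return > 0: failed to disable AppArmor
#
# The change is host-wide and this function does not re-enable AppArmor.
tst_disable_apparmor()
{
	tst_res TINFO "trying to disable AppArmor (requires super/root)"
	tst_require_root

	local f="aa-teardown"
	local action

	# Preferred path: return with the exit status of aa-teardown itself.
	tst_cmd_available "$f" && { "$f" >/dev/null; return; }
	f="/etc/init.d/apparmor"
	if [ -f "$f" ]; then
		# Try each init-script action in turn; the first success wins.
		for action in teardown kill stop; do
			"$f" "$action" >/dev/null 2>&1 && return
		done
	fi
	# Neither method was available or none succeeded: report failure
	# explicitly instead of falling through with status 0 when the init
	# script does not exist.
	return 1
}

# Try disable SELinux
# Return 0: SELinux disabled
# Return > 0: failed to disable SELinux
#
# Writes 0 to the enforce file. The change is host-wide and this function
# does not switch enforcing mode back on.
tst_disable_selinux()
{
	tst_res TINFO "trying to disable SELinux (requires super/root)"
	tst_require_root

	local f
	f="$(tst_get_enforce)"

	# "echo 0", not "cat 0": cat would try to read a file named "0" and
	# the redirection would write nothing to the enforce file.
	[ -f "$f" ] && echo 0 > "$f"
}

# Get SELinux directory path
# Prints /sys/fs/selinux, or /selinux as a fallback; prints nothing and
# returns non-zero when neither directory exists.
tst_get_selinux_dir()
{
	local dir="/sys/fs/selinux"

	[ -d "$dir" ] || dir="/selinux"
	[ -d "$dir" ] && echo "$dir"
}

# Get SELinux enforce file path
# Prints the path when it exists; prints nothing otherwise.
tst_get_enforce()
{
	local dir
	dir=$(tst_get_selinux_dir)
	[ -z "$dir" ] && return

	local f="$dir/enforce"
	[ -f "$f" ] && echo "$f"
}

# Toggle the SELinux checkreqprot value between 0 and 1
# Return 0: new value written
# Return > 0: no SELinux directory, or checkreqprot could not be read/written
#
# The previous value is not restored here.
# NOTE(review): presumably callers use the toggle to force an SELinux state
# change - confirm against callers.
tst_update_selinux_state()
{
	local cur_val new_val
	local dir
	dir=$(tst_get_selinux_dir)
	# Bail out when there is NO SELinux directory; an inverted test here
	# would bail out on every SELinux system and otherwise touch
	# /checkreqprot.
	[ -n "$dir" ] || return 1

	cur_val=$(cat "$dir/checkreqprot") || return 1
	if [ "$cur_val" = 1 ]; then
		new_val=0
	else
		new_val=1
	fi
	echo "$new_val" > "$dir/checkreqprot"
}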