

Fapolicyd sanity test for checking usage of trustdb
This is mostly a transformation of the basic fapolicyd scenario [1]
into an Ansible playbook.

[1] https://github.com/RedHat-SP-Security/tests/blob/master/fapolicyd/Sanity/trusted-execution/runtest.sh
Koncpa committed Nov 20, 2023
1 parent c5c2791 commit 9316b91
Showing 1 changed file with 135 additions and 0 deletions.
135 changes: 135 additions & 0 deletions tests/tests_trusted_execution.yml
@@ -0,0 +1,135 @@
---
- name: Basic test for fapolicyd
hosts: all
vars:
__directories:
- path: /var/tmp/executable_binaries
mode: '0755'
- path: "{{ __bootloader_binaries_dir }}/source"
mode: '0755'
__bootloader_binaries_dir: /var/tmp/executable_binaries
__bootloader_source_dir: "{{ __bootloader_binaries_dir }}/source"
__bootloader_source_file: "{{ __bootloader_source_dir }}/main.c"
__bootloader_exe1: "{{ __bootloader_binaries_dir }}/exe1"
__bootloader_exe2: "{{ __bootloader_binaries_dir }}/exe2"
__bootloader_user: testuser

tasks:
- name: Create directories for executable binaries and source files
file:
path: "{{ item.path }}"
state: directory
mode: "{{ item.mode }}"
loop: "{{ __directories }}"

- name: Create C source code (binary1)
copy:
content: |
int main(void) {
return 0;
}
dest: "{{ __bootloader_source_file }}"
mode: '0755'

- name: Install GCC and glibc-devel
package:
name:
- gcc
- glibc-devel
state: present

- name: Compile C programs (exe1)
command: gcc -o {{ __bootloader_exe1 }} {{ __bootloader_source_file }}
register: compile_result
changed_when: "compile_result.rc != 0"

- name: Compile C programs (exe2)
command: gcc -g -o {{ __bootloader_exe2 }} {{ __bootloader_source_file }}
register: compile_result
changed_when: "compile_result.rc != 0"

- name: Create a new user
user:
name: "{{ __bootloader_user }}"
state: present
shell: /bin/bash

- name: Run the role
include_role:
name: linux-system-roles.fapolicyd
vars:
fapolicyd_setup_enable_service: true
fapolicyd_setup_integrity: sha256
fapolicyd_setup_trust: rpmdb,file
fapolicyd_add_trusted_file:
- /etc/passwd
- /etc/fapolicyd/fapolicyd.conf
- /etc/krb5.conf
- "{{ __bootloader_exe1 }}"

- name: Run trusted binary exe1
command: su - {{ __bootloader_user }} -c {{ __bootloader_exe1 }}
register: run_exe
changed_when: "run_exe.rc != 0"

- name: Replace binary exe1 with exe2
shell: cat {{ __bootloader_exe2 }} > {{ __bootloader_exe1 }}
register: cat_exe
changed_when: "cat_exe.rc != 0"

- name: Run untrusted binary exe2

Check failure on line 80 in tests/tests_trusted_execution.yml


GitHub Actions / ansible_lint

no-changed-when

Commands should not change things if nothing needs doing.
command: su - {{ __bootloader_user }} -c {{ __bootloader_exe2 }}
register: run_exe
ignore_errors: true
failed_when: "run_exe.rc != 126"

- name: Check now untrusted exe1 after replacement

Check failure on line 86 in tests/tests_trusted_execution.yml


GitHub Actions / ansible_lint

no-changed-when

Commands should not change things if nothing needs doing.
command: su - {{ __bootloader_user }} -c {{ __bootloader_exe1 }}
register: run_exe
ignore_errors: true
failed_when: "run_exe.rc != 126"

- name: Check untrusted binary exe2

Check failure on line 92 in tests/tests_trusted_execution.yml


GitHub Actions / ansible_lint

no-changed-when

Commands should not change things if nothing needs doing.
command: su - {{ __bootloader_user }} -c {{ __bootloader_exe2 }}
register: run_exe
ignore_errors: true
failed_when: "run_exe.rc != 126"

- name: Delete binary exe1 from trustdb
command: fapolicyd-cli -f delete {{ __bootloader_exe1 }}
register: delete_from_db
changed_when: "delete_from_db.rc != 0"

- name: Update trustdb
command: fapolicyd-cli --update
register: update_db
changed_when: "update_db.rc != 0"

- name: Run untrusted exe1 after removing from trustdb

Check failure on line 108 in tests/tests_trusted_execution.yml


GitHub Actions / ansible_lint

no-changed-when

Commands should not change things if nothing needs doing.
command: su - {{ __bootloader_user }} -c {{ __bootloader_exe1 }}
register: run_exe
ignore_errors: true
failed_when: "run_exe.rc != 126"

- name: Add binary exe1 to trustdb
command: fapolicyd-cli -f add {{ __bootloader_exe1 }}
register: add_to_db
changed_when: "add_to_db.rc != 0"

- name: Update trustdb
command: fapolicyd-cli --update
register: update_db
changed_when: "update_db.rc != 0"

- name: Run trusted exe1
command: su - {{ __bootloader_user }} -c {{ __bootloader_exe1 }}
register: run_exe
changed_when: "run_exe.rc != 0"

- name: Clean up binaries
file:
path: "{{ item }}"
state: absent
with_items:
- "{{ __bootloader_exe1 }}"
- "{{ __bootloader_exe2 }}"
