1 // SPDX-License-Identifier: GPL-2.0 1 // SPDX-License-Identifier: GPL-2.0
2 /* 2 /*
3 * Copyright (C) 2020-2024 Microsoft Corporati 3 * Copyright (C) 2020-2024 Microsoft Corporation. All rights reserved.
4 */ 4 */
5 5
6 #include <linux/slab.h> 6 #include <linux/slab.h>
7 #include <linux/types.h> 7 #include <linux/types.h>
8 #include <linux/list.h> 8 #include <linux/list.h>
9 #include <kunit/test.h> 9 #include <kunit/test.h>
10 #include "policy.h" 10 #include "policy.h"
11 struct policy_case { 11 struct policy_case {
12 const char *const policy; 12 const char *const policy;
13 int errno; 13 int errno;
14 const char *const desc; 14 const char *const desc;
15 }; 15 };
16 16
17 static const struct policy_case policy_cases[] 17 static const struct policy_case policy_cases[] = {
18 { 18 {
19 "policy_name=allowall policy_v 19 "policy_name=allowall policy_version=0.0.0\n"
20 "DEFAULT action=ALLOW", 20 "DEFAULT action=ALLOW",
21 0, 21 0,
22 "basic", 22 "basic",
23 }, 23 },
24 { 24 {
25 "policy_name=trailing_comment 25 "policy_name=trailing_comment policy_version=152.0.0 #This is comment\n"
26 "DEFAULT action=ALLOW", 26 "DEFAULT action=ALLOW",
27 0, 27 0,
28 "trailing comment", 28 "trailing comment",
29 }, 29 },
30 { 30 {
31 "policy_name=allowallnewline p 31 "policy_name=allowallnewline policy_version=0.2.0\n"
32 "DEFAULT action=ALLOW\n" 32 "DEFAULT action=ALLOW\n"
33 "\n", 33 "\n",
34 0, 34 0,
35 "trailing newline", 35 "trailing newline",
36 }, 36 },
37 { 37 {
38 "policy_name=carriagereturnlin 38 "policy_name=carriagereturnlinefeed policy_version=0.0.1\n"
39 "DEFAULT action=ALLOW\n" 39 "DEFAULT action=ALLOW\n"
40 "\r\n", 40 "\r\n",
41 0, 41 0,
42 "clrf newline", 42 "clrf newline",
43 }, 43 },
44 { 44 {
45 "policy_name=whitespace policy 45 "policy_name=whitespace policy_version=0.0.0\n"
46 "DEFAULT\taction=ALLOW\n" 46 "DEFAULT\taction=ALLOW\n"
47 " \t DEFAULT \t op= 47 " \t DEFAULT \t op=EXECUTE action=DENY\n"
48 "op=EXECUTE boot_verified=TRUE 48 "op=EXECUTE boot_verified=TRUE action=ALLOW\n"
49 "# this is a\tcomment\t\t\t\t\ 49 "# this is a\tcomment\t\t\t\t\n"
50 "DEFAULT \t op=KMODULE\t\t\t 50 "DEFAULT \t op=KMODULE\t\t\t action=DENY\r\n"
51 "op=KMODULE boot_verified=TRUE 51 "op=KMODULE boot_verified=TRUE action=ALLOW\n",
52 0, 52 0,
53 "various whitespaces and neste 53 "various whitespaces and nested default",
54 }, 54 },
55 { 55 {
56 "policy_name=boot_verified pol 56 "policy_name=boot_verified policy_version=-1236.0.0\n"
57 "DEFAULT\taction=ALLOW\n", 57 "DEFAULT\taction=ALLOW\n",
58 -EINVAL, 58 -EINVAL,
59 "negative version", 59 "negative version",
60 }, 60 },
61 { 61 {
62 "policy_name=$@!*&^%%\\:;{}() 62 "policy_name=$@!*&^%%\\:;{}() policy_version=0.0.0\n"
63 "DEFAULT action=ALLOW", 63 "DEFAULT action=ALLOW",
64 0, 64 0,
65 "special characters", 65 "special characters",
66 }, 66 },
67 { 67 {
68 "policy_name=test policy_versi 68 "policy_name=test policy_version=999999.0.0\n"
69 "DEFAULT action=ALLOW", 69 "DEFAULT action=ALLOW",
70 -ERANGE, 70 -ERANGE,
71 "overflow version", 71 "overflow version",
72 }, 72 },
73 { 73 {
74 "policy_name=test policy_versi 74 "policy_name=test policy_version=255.0\n"
75 "DEFAULT action=ALLOW", 75 "DEFAULT action=ALLOW",
76 -EBADMSG, 76 -EBADMSG,
77 "incomplete version", 77 "incomplete version",
78 }, 78 },
79 { 79 {
80 "policy_name=test policy_versi 80 "policy_name=test policy_version=111.0.0.0\n"
81 "DEFAULT action=ALLOW", 81 "DEFAULT action=ALLOW",
82 -EBADMSG, 82 -EBADMSG,
83 "extra version", 83 "extra version",
84 }, 84 },
85 { 85 {
86 "", 86 "",
87 -EBADMSG, 87 -EBADMSG,
88 "0-length policy", 88 "0-length policy",
89 }, 89 },
90 { 90 {
91 "policy_name=test\0policy_vers 91 "policy_name=test\0policy_version=0.0.0\n"
92 "DEFAULT action=ALLOW", 92 "DEFAULT action=ALLOW",
93 -EBADMSG, 93 -EBADMSG,
94 "random null in header", 94 "random null in header",
95 }, 95 },
96 { 96 {
97 "policy_name=test policy_versi 97 "policy_name=test policy_version=0.0.0\n"
98 "\0DEFAULT action=ALLOW", 98 "\0DEFAULT action=ALLOW",
99 -EBADMSG, 99 -EBADMSG,
100 "incomplete policy from NULL", 100 "incomplete policy from NULL",
101 }, 101 },
102 { 102 {
103 "policy_name=test policy_versi 103 "policy_name=test policy_version=0.0.0\n"
104 "DEFAULT action=DENY\n\0" 104 "DEFAULT action=DENY\n\0"
105 "op=EXECUTE dmverity_signature 105 "op=EXECUTE dmverity_signature=TRUE action=ALLOW\n",
106 0, 106 0,
107 "NULL truncates policy", 107 "NULL truncates policy",
108 }, 108 },
109 { 109 {
110 "policy_name=test policy_versi 110 "policy_name=test policy_version=0.0.0\n"
111 "DEFAULT action=ALLOW\n" 111 "DEFAULT action=ALLOW\n"
112 "op=EXECUTE dmverity_signature 112 "op=EXECUTE dmverity_signature=abc action=ALLOW",
113 -EBADMSG, 113 -EBADMSG,
114 "invalid property type", 114 "invalid property type",
115 }, 115 },
116 { 116 {
117 "DEFAULT action=ALLOW", 117 "DEFAULT action=ALLOW",
118 -EBADMSG, 118 -EBADMSG,
119 "missing policy header", 119 "missing policy header",
120 }, 120 },
121 { 121 {
122 "policy_name=test policy_versi 122 "policy_name=test policy_version=0.0.0\n",
123 -EBADMSG, 123 -EBADMSG,
124 "missing default definition", 124 "missing default definition",
125 }, 125 },
126 { 126 {
127 "policy_name=test policy_versi 127 "policy_name=test policy_version=0.0.0\n"
128 "DEFAULT action=ALLOW\n" 128 "DEFAULT action=ALLOW\n"
129 "dmverity_signature=TRUE op=EX 129 "dmverity_signature=TRUE op=EXECUTE action=ALLOW",
130 -EBADMSG, 130 -EBADMSG,
131 "invalid rule ordering" 131 "invalid rule ordering"
132 }, 132 },
133 { 133 {
134 "policy_name=test policy_versi 134 "policy_name=test policy_version=0.0.0\n"
135 "DEFAULT action=ALLOW\n" 135 "DEFAULT action=ALLOW\n"
136 "action=ALLOW op=EXECUTE dmver 136 "action=ALLOW op=EXECUTE dmverity_signature=TRUE",
137 -EBADMSG, 137 -EBADMSG,
138 "invalid rule ordering (2)", 138 "invalid rule ordering (2)",
139 }, 139 },
140 { 140 {
141 "policy_name=test policy_versi 141 "policy_name=test policy_version=0.0\n"
142 "DEFAULT action=ALLOW\n" 142 "DEFAULT action=ALLOW\n"
143 "op=EXECUTE dmverity_signature 143 "op=EXECUTE dmverity_signature=TRUE action=ALLOW",
144 -EBADMSG, 144 -EBADMSG,
145 "invalid version", 145 "invalid version",
146 }, 146 },
147 { 147 {
148 "policy_name=test policy_versi 148 "policy_name=test policy_version=0.0.0\n"
149 "DEFAULT action=ALLOW\n" 149 "DEFAULT action=ALLOW\n"
150 "op=UNKNOWN dmverity_signature 150 "op=UNKNOWN dmverity_signature=TRUE action=ALLOW",
151 -EBADMSG, 151 -EBADMSG,
152 "unknown operation", 152 "unknown operation",
153 }, 153 },
154 { 154 {
155 "policy_name=asdvpolicy_versio 155 "policy_name=asdvpolicy_version=0.0.0\n"
156 "DEFAULT action=ALLOW\n", 156 "DEFAULT action=ALLOW\n",
157 -EBADMSG, 157 -EBADMSG,
158 "missing space after policy na 158 "missing space after policy name",
159 }, 159 },
160 { 160 {
161 "policy_name=test\xFF\xEF poli 161 "policy_name=test\xFF\xEF policy_version=0.0.0\n"
162 "DEFAULT action=ALLOW\n" 162 "DEFAULT action=ALLOW\n"
163 "op=EXECUTE dmverity_signature 163 "op=EXECUTE dmverity_signature=TRUE action=ALLOW",
164 0, 164 0,
165 "expanded ascii", 165 "expanded ascii",
166 }, 166 },
167 { 167 {
168 "policy_name=test\xFF\xEF poli 168 "policy_name=test\xFF\xEF policy_version=0.0.0\n"
169 "DEFAULT action=ALLOW\n" 169 "DEFAULT action=ALLOW\n"
170 "op=EXECUTE dmverity_roothash= 170 "op=EXECUTE dmverity_roothash=GOOD_DOG action=ALLOW",
171 -EBADMSG, 171 -EBADMSG,
172 "invalid property value (2)", 172 "invalid property value (2)",
173 }, 173 },
174 { 174 {
175 "policy_name=test policy_versi 175 "policy_name=test policy_version=0.0.0\n"
176 "policy_name=test policy_versi 176 "policy_name=test policy_version=0.1.0\n"
177 "DEFAULT action=ALLOW", 177 "DEFAULT action=ALLOW",
178 -EBADMSG, 178 -EBADMSG,
179 "double header" 179 "double header"
180 }, 180 },
181 { 181 {
182 "policy_name=test policy_versi 182 "policy_name=test policy_version=0.0.0\n"
183 "DEFAULT action=ALLOW\n" 183 "DEFAULT action=ALLOW\n"
184 "DEFAULT action=ALLOW\n", 184 "DEFAULT action=ALLOW\n",
185 -EBADMSG, 185 -EBADMSG,
186 "double default" 186 "double default"
187 }, 187 },
188 { 188 {
189 "policy_name=test policy_versi 189 "policy_name=test policy_version=0.0.0\n"
190 "DEFAULT action=ALLOW\n" 190 "DEFAULT action=ALLOW\n"
191 "DEFAULT op=EXECUTE action=DEN 191 "DEFAULT op=EXECUTE action=DENY\n"
192 "DEFAULT op=EXECUTE action=ALL 192 "DEFAULT op=EXECUTE action=ALLOW\n",
193 -EBADMSG, 193 -EBADMSG,
194 "double operation default" 194 "double operation default"
195 }, 195 },
196 { 196 {
197 "policy_name=test policy_versi 197 "policy_name=test policy_version=0.0.0\n"
198 "DEFAULT action=ALLOW\n" 198 "DEFAULT action=ALLOW\n"
199 "DEFAULT op=EXECUTE action=DEN 199 "DEFAULT op=EXECUTE action=DEN\n",
200 -EBADMSG, 200 -EBADMSG,
201 "invalid action value" 201 "invalid action value"
202 }, 202 },
203 { 203 {
204 "policy_name=test policy_versi 204 "policy_name=test policy_version=0.0.0\n"
205 "DEFAULT action=ALLOW\n" 205 "DEFAULT action=ALLOW\n"
206 "DEFAULT op=EXECUTE action\n", 206 "DEFAULT op=EXECUTE action\n",
207 -EBADMSG, 207 -EBADMSG,
208 "invalid action value (2)" 208 "invalid action value (2)"
209 }, 209 },
210 { 210 {
211 "policy_name=test policy_versi 211 "policy_name=test policy_version=0.0.0\n"
212 "DEFAULT action=ALLOW\n" 212 "DEFAULT action=ALLOW\n"
213 "UNKNOWN value=true\n", 213 "UNKNOWN value=true\n",
214 -EBADMSG, 214 -EBADMSG,
215 "unrecognized statement" 215 "unrecognized statement"
216 }, 216 },
217 { 217 {
218 "policy_name=test policy_versi 218 "policy_name=test policy_version=0.0.0\n"
219 "DEFAULT action=ALLOW\n" 219 "DEFAULT action=ALLOW\n"
220 "op=EXECUTE dmverity_roothash= 220 "op=EXECUTE dmverity_roothash=1c0d7ee1f8343b7fbe418378e8eb22c061d7dec7 action=DENY\n",
221 -EBADMSG, 221 -EBADMSG,
222 "old-style digest" 222 "old-style digest"
223 }, 223 },
224 { 224 {
225 "policy_name=test policy_versi 225 "policy_name=test policy_version=0.0.0\n"
226 "DEFAULT action=ALLOW\n" 226 "DEFAULT action=ALLOW\n"
227 "op=EXECUTE fsverity_digest=1c 227 "op=EXECUTE fsverity_digest=1c0d7ee1f8343b7fbe418378e8eb22c061d7dec7 action=DENY\n",
228 -EBADMSG, 228 -EBADMSG,
229 "old-style digest" 229 "old-style digest"
230 } 230 }
231 }; 231 };
232 232
233 static void pol_to_desc(const struct policy_ca 233 static void pol_to_desc(const struct policy_case *c, char *desc)
234 { 234 {
235 strscpy(desc, c->desc, KUNIT_PARAM_DES 235 strscpy(desc, c->desc, KUNIT_PARAM_DESC_SIZE);
236 } 236 }
237 237
238 KUNIT_ARRAY_PARAM(ipe_policies, policy_cases, 238 KUNIT_ARRAY_PARAM(ipe_policies, policy_cases, pol_to_desc);
239 239
240 /** 240 /**
241 * ipe_parser_unsigned_test - Test the parser 241 * ipe_parser_unsigned_test - Test the parser by passing unsigned policies.
242 * @test: Supplies a pointer to a kunit struct 242 * @test: Supplies a pointer to a kunit structure.
243 * 243 *
244 * This is called by the kunit harness. This t 244 * This is called by the kunit harness. This test does not check the correctness
245 * of the policy, but ensures that errors are 245 * of the policy, but ensures that errors are handled correctly.
246 */ 246 */
247 static void ipe_parser_unsigned_test(struct ku 247 static void ipe_parser_unsigned_test(struct kunit *test)
248 { 248 {
249 const struct policy_case *p = test->pa 249 const struct policy_case *p = test->param_value;
250 struct ipe_policy *pol; 250 struct ipe_policy *pol;
251 251
252 pol = ipe_new_policy(p->policy, strlen 252 pol = ipe_new_policy(p->policy, strlen(p->policy), NULL, 0);
253 253
254 if (p->errno) { 254 if (p->errno) {
255 KUNIT_EXPECT_EQ(test, PTR_ERR( 255 KUNIT_EXPECT_EQ(test, PTR_ERR(pol), p->errno);
256 return; 256 return;
257 } 257 }
258 258
259 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, pol 259 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, pol);
260 KUNIT_EXPECT_NOT_ERR_OR_NULL(test, pol 260 KUNIT_EXPECT_NOT_ERR_OR_NULL(test, pol->parsed);
261 KUNIT_EXPECT_STREQ(test, pol->text, p- 261 KUNIT_EXPECT_STREQ(test, pol->text, p->policy);
262 KUNIT_EXPECT_PTR_EQ(test, NULL, pol->p 262 KUNIT_EXPECT_PTR_EQ(test, NULL, pol->pkcs7);
263 KUNIT_EXPECT_EQ(test, 0, pol->pkcs7len 263 KUNIT_EXPECT_EQ(test, 0, pol->pkcs7len);
264 264
265 ipe_free_policy(pol); 265 ipe_free_policy(pol);
266 } 266 }
267 267
268 /** 268 /**
269 * ipe_parser_widestring_test - Ensure parser 269 * ipe_parser_widestring_test - Ensure parser fail on a wide string policy.
270 * @test: Supplies a pointer to a kunit struct 270 * @test: Supplies a pointer to a kunit structure.
271 * 271 *
272 * This is called by the kunit harness. 272 * This is called by the kunit harness.
273 */ 273 */
274 static void ipe_parser_widestring_test(struct 274 static void ipe_parser_widestring_test(struct kunit *test)
275 { 275 {
276 const unsigned short policy[] = L"poli 276 const unsigned short policy[] = L"policy_name=Test policy_version=0.0.0\n"
277 L"DEFA 277 L"DEFAULT action=ALLOW";
278 struct ipe_policy *pol = NULL; 278 struct ipe_policy *pol = NULL;
279 279
280 pol = ipe_new_policy((const char *)pol 280 pol = ipe_new_policy((const char *)policy, (ARRAY_SIZE(policy) - 1) * 2, NULL, 0);
281 KUNIT_EXPECT_TRUE(test, IS_ERR_OR_NULL 281 KUNIT_EXPECT_TRUE(test, IS_ERR_OR_NULL(pol));
282 282
283 ipe_free_policy(pol); 283 ipe_free_policy(pol);
284 } 284 }
285 285
286 static struct kunit_case ipe_parser_test_cases 286 static struct kunit_case ipe_parser_test_cases[] = {
287 KUNIT_CASE_PARAM(ipe_parser_unsigned_t 287 KUNIT_CASE_PARAM(ipe_parser_unsigned_test, ipe_policies_gen_params),
288 KUNIT_CASE(ipe_parser_widestring_test) 288 KUNIT_CASE(ipe_parser_widestring_test),
289 { } 289 { }
290 }; 290 };
291 291
292 static struct kunit_suite ipe_parser_test_suit 292 static struct kunit_suite ipe_parser_test_suite = {
293 .name = "ipe-parser", 293 .name = "ipe-parser",
294 .test_cases = ipe_parser_test_cases, 294 .test_cases = ipe_parser_test_cases,
295 }; 295 };
296 296
297 kunit_test_suite(ipe_parser_test_suite); 297 kunit_test_suite(ipe_parser_test_suite);
298 298
Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.