[v3,00/10] LTP tests: load predefined policy, enhancements

Message ID 20250114112915.610297-1-pvorel@suse.cz (mailing list archive)

Petr Vorel Jan. 14, 2025, 11:29 a.m. UTC
Changes v2->v3:
* Rewrite the logic verifying whether the policy needs to be loaded and
  how it is loaded.
* Allow testing when policy is not reliable, but relax failures to TCONF.
* Add TCB policy example.
* Document LTP_IMA_LOAD_POLICY in doc/users/setup_tests.rst.
* Fix test policy installation (previously wrong Makefile).
* Remove some of the previous commits ("ima_kexec.sh: Relax result on
  unreadable policy to TCONF", "ima_violations.sh: Check for a required policy",
  "ima_setup: Print warning when policy not readable").
* More cleanup.

TODO: ima_measurements.sh and ima_violations.sh use detection for the
ima_policy=tcb builtin policy. But if the example policy is loaded, there is
no longer a tcb policy. Not sure how to fix it - some tooling might not
support reboot, thus I wanted to use ima_policy=tcb, which previously
worked.

Petr Vorel (10):
  ima_violations.sh: Fix log detection
  IMA: Add TCB policy as an example for ima_measurements.sh
  IMA: Move requirement check to ima_setup.sh
  IMA: Add example policy for ima_violations.sh
  IMA: Read required policy from file
  ima_violations.sh: Declare tcb builtin policy
  ima_setup.sh: Add digest index detection for ima-buf format
  ima_setup.sh: Allow to load predefined policy
  ima_measurements.sh: Check policy for test3
  tst_test.sh: IMA: Allow to disable LSM warnings and use it for IMA

 doc/users/setup_tests.rst                     |   3 +
 .../kernel/security/integrity/ima/README.md   |  12 ++
 .../security/integrity/ima/datafiles/Makefile |   4 +-
 .../ima/datafiles/ima_measurements/Makefile   |  11 ++
 .../ima/datafiles/ima_measurements/tcb.policy |  20 +++
 .../ima/datafiles/ima_violations/Makefile     |  11 ++
 .../ima_violations/violations.policy          |   2 +
 .../integrity/ima/tests/evm_overlay.sh        |   3 +-
 .../security/integrity/ima/tests/ima_kexec.sh |  20 +--
 .../security/integrity/ima/tests/ima_keys.sh  |  48 ++-----
 .../integrity/ima/tests/ima_measurements.sh   |  19 ++-
 .../integrity/ima/tests/ima_selinux.sh        |  23 ++-
 .../security/integrity/ima/tests/ima_setup.sh | 135 +++++++++++++++---
 .../integrity/ima/tests/ima_violations.sh     |  15 +-
 testcases/lib/tst_test.sh                     |   4 +-
 15 files changed, 235 insertions(+), 95 deletions(-)
 create mode 100644 testcases/kernel/security/integrity/ima/datafiles/ima_measurements/Makefile
 create mode 100644 testcases/kernel/security/integrity/ima/datafiles/ima_measurements/tcb.policy
 create mode 100644 testcases/kernel/security/integrity/ima/datafiles/ima_violations/Makefile
 create mode 100644 testcases/kernel/security/integrity/ima/datafiles/ima_violations/violations.policy

Comments

Mimi Zohar Jan. 23, 2025, 5:37 p.m. UTC | #1
Hi Petr,

On Tue, 2025-01-14 at 12:29 +0100, Petr Vorel wrote:
> Changes v2->v3:
> * Rewrite the logic verifying whether the policy needs to be loaded and
>   how it is loaded.
> * Allow testing when policy is not reliable, but relax failures to TCONF.
> * Add TCB policy example.
> * Document LTP_IMA_LOAD_POLICY in doc/users/setup_tests.rst.
> * Fix test policy installation (previously wrong Makefile).
> * Remove some of the previous commits ("ima_kexec.sh: Relax result on
>   unreadable policy to TCONF", "ima_violations.sh: Check for a required policy",
>   "ima_setup: Print warning when policy not readable").
> * More cleanup.

Very nice patch set.  Thank you!

> 
> TODO: ima_measurements.sh and ima_violations.sh use detection for the
> ima_policy=tcb builtin policy. But if the example policy is loaded, there is
> no longer a tcb policy. Not sure how to fix it - some tooling might not
> support reboot, thus I wanted to use ima_policy=tcb, which previously
> worked.

The specific policy rules are mostly a subset of the tcb policy.  The only time that
loading a specific policy first is an issue is when it is the one and only custom
policy allowed to be loaded.  One possible method of avoiding this problem would be
to require running ima_measurements.sh first.

Mimi
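The TODO in the cover letter and the reply above turn on the same question: are the rules a test needs already part of the policy the kernel is enforcing, so that nothing has to be loaded, or are they absent, so that the test must either load them or end in TCONF? The shell functions below are an added example, not code from this series or from LTP's ima_setup.sh, that answer that question by treating policy files as rule sets and checking that every required rule appears in the current policy. `/sys/kernel/security/ima/policy` is the real securityfs interface; it is only readable when the kernel is built with CONFIG_IMA_READ_POLICY, which is why an unreadable policy is reported separately rather than treated as missing. The function names, the whitespace normalization, and both sample policies (an abbreviated set of rules written in the style of the builtin tcb policy, and a two-rule subset of it) are constructed for this example.

```sh
#!/bin/sh
# Added example (not LTP code): decide whether a required IMA policy file
# is already covered by the policy the kernel currently exposes.
# Assumptions: rules are compared as whole normalized lines, "#" starts a
# comment, and option order within a rule is significant.

IMA_POLICY_PATH=/sys/kernel/security/ima/policy

# Print the rules of a policy file: strip comments, trim and squeeze
# whitespace, drop empty lines. sed always exits 0, so this is safe under set -e.
ima_policy_rules()
{
	sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
	    -e 's/[[:space:]]\{1,\}/ /g' -e '/^$/d' "$1"
}

# Print required rules absent from the current policy, one per line.
# Returns 0 when every required rule is present, 1 otherwise, 2 on error.
ima_policy_missing_rules()
{
	local required="$1" current="$2" cur_rules missing

	cur_rules=$(mktemp) || return 2
	ima_policy_rules "$current" > "$cur_rules"
	# -x whole-line, -F literal (rules contain '^'), -f patterns from file.
	# An empty pattern file matches nothing, so every required rule is reported.
	missing=$(ima_policy_rules "$required" | grep -vxF -f "$cur_rules" || true)
	rm -f "$cur_rules"
	[ -z "$missing" ] && return 0
	printf '%s\n' "$missing"
	return 1
}

# Classify the state a test would act on: "unreadable" (policy interface
# cannot be read, e.g. CONFIG_IMA_READ_POLICY disabled), "present" or "missing".
# Second argument overrides the policy path so the check can run on a file.
ima_policy_status()
{
	local required="$1" policy="${2:-$IMA_POLICY_PATH}"

	if ! cat "$policy" > /dev/null 2>&1; then
		echo unreadable
		return 0
	fi
	if ima_policy_missing_rules "$required" "$policy" > /dev/null; then
		echo present
	else
		echo missing
	fi
}

# Constructed sample data (hypothetical files, not the series' datafiles).
EXAMPLE_DIR=$(mktemp -d)
TCB_POLICY="$EXAMPLE_DIR/tcb.policy"
SUBSET_POLICY="$EXAMPLE_DIR/subset.policy"

# Abbreviated rule set in the style of the builtin ima_policy=tcb policy.
cat > "$TCB_POLICY" <<'EOF'
# constructed sample, tcb style
dont_measure fsmagic=0x9fa0
dont_measure fsmagic=0x62656572
dont_measure fsmagic=0x01021994
measure func=MMAP_CHECK mask=MAY_EXEC
measure func=BPRM_CHECK mask=MAY_EXEC
measure func=FILE_CHECK mask=^MAY_READ uid=0
measure func=MODULE_CHECK
measure func=POLICY_CHECK
EOF

# A test-specific policy whose rules are a subset of the sample above,
# with irregular spacing and a trailing comment to exercise normalization.
cat > "$SUBSET_POLICY" <<'EOF'
# constructed sample: rules a single test might require
measure   func=BPRM_CHECK    mask=MAY_EXEC   # executed binaries
measure func=FILE_CHECK mask=^MAY_READ uid=0
EOF

printf 'subset vs tcb:  %s\n' "$(ima_policy_status "$SUBSET_POLICY" "$TCB_POLICY")"
printf 'tcb vs subset:  %s\n' "$(ima_policy_status "$TCB_POLICY" "$SUBSET_POLICY")"
printf 'live kernel:    %s\n' "$(ima_policy_status "$SUBSET_POLICY")"
```

Run against the live interface (no second argument), the status tells a test which of the three paths in the series' changelog applies: `present` means the builtin or already loaded policy suffices, `missing` means a policy would have to be loaded, and `unreadable` is the case the series relaxes to TCONF. The subset check also makes the reply's point concrete: a test-specific policy whose rules are all contained in tcb is reported as `present` when tcb is active, while tcb is reported as `missing` once only the smaller policy is loaded.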