From patchwork Thu Apr 19 19:54:56 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Petr Vorel X-Patchwork-Id: 10351493 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id B09A560231 for ; Thu, 19 Apr 2018 19:55:29 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id A0C54284C9 for ; Thu, 19 Apr 2018 19:55:29 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 9568328515; Thu, 19 Apr 2018 19:55:29 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.9 required=2.0 tests=BAYES_00, MAILING_LIST_MULTI, RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 2DBFC284C9 for ; Thu, 19 Apr 2018 19:55:29 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753487AbeDSTz1 (ORCPT ); Thu, 19 Apr 2018 15:55:27 -0400 Received: from mx2.suse.de ([195.135.220.15]:38416 "EHLO mx2.suse.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752558AbeDSTz0 (ORCPT ); Thu, 19 Apr 2018 15:55:26 -0400 X-Virus-Scanned: by amavisd-new at test-mx.suse.de Received: from relay1.suse.de (charybdis-ext.suse.de [195.135.220.254]) by mx2.suse.de (Postfix) with ESMTP id 34013ADE9; Thu, 19 Apr 2018 19:55:25 +0000 (UTC) From: Petr Vorel To: ltp@lists.linux.it Cc: Petr Vorel , Mimi Zohar , linux-integrity@vger.kernel.org Subject: [RFC PATCH v3 03/10] ima/ima_policy.sh: Improve check of policy writability Date: Thu, 19 Apr 2018 21:54:56 +0200 Message-Id: <20180419195503.7194-4-pvorel@suse.cz> X-Mailer: git-send-email 2.16.3 In-Reply-To: <20180419195503.7194-1-pvorel@suse.cz> References: <20180419195503.7194-1-pvorel@suse.cz> Sender: linux-integrity-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-integrity@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP + merge test3 into test2 as we test multiple writes already in test2. Kernel without CONFIG_IMA_WRITE_POLICY is not possible to repeat writing into policy. Add check to TCONF in this case. It's not easy to detect disabled CONFIG_IMA_WRITE_POLICY for different behavior across kernel versions. On older kernels (before CONFIG_IMA_WRITE_POLICY enabled) or on new ones with enabled both CONFIG_IMA_READ_POLICY and CONFIG_IMA_WRITE_POLICY policy file after writing disappears. Kernels with enabled CONFIG_IMA_READ_POLICY and (regardless of CONFIG_IMA_WRITE_POLICY) keeps policy file with the same permissions 600. The only way to detect is is to echo empty string into policy and detect errno: | OLD | WRITE | READ && !WRITE | !READ && !WRITE ------------------------------------------------------------------ before | ENOENT | exit code 0 | exit code 0 | exit code 0 after | EACCES | exit code 0 | EBUSY | EACCES OLD: kernels before CONFIG_IMA_WRITE_POLICY introduced (kernel < 4.5) READ: CONFIG_IMA_READ_POLICY WRITE: CONFIG_IMA_WRITE_POLICY Signed-off-by: Petr Vorel Signed-off-by: Petr Vorel --- .../security/integrity/ima/tests/ima_policy.sh | 38 ++++++++++------------ 1 file changed, 17 insertions(+), 21 deletions(-) diff --git a/testcases/kernel/security/integrity/ima/tests/ima_policy.sh b/testcases/kernel/security/integrity/ima/tests/ima_policy.sh index 2efa90038..35eb4055b 100755 --- a/testcases/kernel/security/integrity/ima/tests/ima_policy.sh +++ b/testcases/kernel/security/integrity/ima/tests/ima_policy.sh @@ -20,15 +20,24 @@ # Test replacing the default integrity measurement policy. TST_SETUP="setup" -TST_CNT=3 +TST_CNT=2 . ima_setup.sh +check_policy_writable() +{ + local err="IMA policy already loaded and kernel not configured to enable multiple writes to it (need CONFIG_IMA_WRITE_POLICY=y)" + + [ -f /sys/kernel/security/ima/policy ] || tst_brk TCONF "$err" + # CONFIG_IMA_READ_POLICY + echo "" 2> log > $IMA_POLICY + grep -q "Device or resource busy" log && tst_brk TCONF "$err" +} + setup() { IMA_POLICY="$IMA_DIR/policy" - [ -f $IMA_POLICY ] || \ - tst_brk TCONF "IMA policy already loaded and kernel not configured to enable multiple writes it" + check_policy_writable VALID_POLICY="$TST_DATAROOT/measure.policy" [ -f $VALID_POLICY ] || tst_brk TCONF "missing $VALID_POLICY" @@ -68,6 +77,7 @@ test1() local p1 + check_policy_writable load_policy $INVALID_POLICY & p1=$! wait "$p1" if [ $? -ne 0 ]; then @@ -79,10 +89,11 @@ test1() test2() { - tst_res TINFO "verify that policy file is not opened concurrently" + tst_res TINFO "verify that policy file is not opened concurrently and able to loaded multiple times" local p1 p2 rc1 rc2 + check_policy_writable load_policy $VALID_POLICY & p1=$! load_policy $VALID_POLICY & p2=$! wait "$p1"; rc1=$? @@ -90,24 +101,9 @@ test2() if [ $rc1 -eq 0 ] && [ $rc2 -eq 0 ]; then tst_res TFAIL "policy opened concurrently" elif [ $rc1 -eq 0 ] || [ $rc2 -eq 0 ]; then - tst_res TPASS "policy was loaded just by one process" - else - tst_res TFAIL "problem loading policy" - fi -} - -test3() -{ - tst_res TINFO "verify that invalid policy isn't loaded" - - local p1 - - load_policy $INVALID_POLICY & p1=$! - wait "$p1" - if [ $? -ne 0 ]; then - tst_res TPASS "didn't replace valid policy" + tst_res TPASS "policy was loaded just by one process and able to loaded multiple times" else - tst_res TFAIL "replaced valid policy" + tst_res TFAIL "problem with loading policy (policy should be able to load multiple times)" fi }