From patchwork Thu Jun 13 16:14:11 2019
X-Patchwork-Submitter: Petr Vorel
X-Patchwork-Id: 10992651
From: Petr Vorel
To: ltp@lists.linux.it
Cc: Petr Vorel, Mimi Zohar, Ignaz Forster, linux-integrity@vger.kernel.org, Mimi Zohar
Subject: [PATCH v4 1/4] ima: Call test's cleanup inside ima_setup.sh cleanup
Date: Thu, 13 Jun 2019 18:14:11 +0200
Message-Id: <20190613161414.29161-2-pvorel@suse.cz>
In-Reply-To: <20190613161414.29161-1-pvorel@suse.cz>

to work the same way as setup

Acked-by: Mimi Zohar
Signed-off-by: Petr Vorel
---
testcases/kernel/security/integrity/ima/tests/ima_setup.sh | 6 +++++- .../kernel/security/integrity/ima/tests/ima_violations.sh | 2 -- 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh index 52551190a..cbded42c2 100644 --- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh +++ b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh @@ -20,7 +20,8 @@ TST_TESTFUNC="test" TST_SETUP_CALLER="$TST_SETUP" TST_SETUP="ima_setup" -TST_CLEANUP="${TST_CLEANUP:-ima_cleanup}" +TST_CLEANUP_CALLER="$TST_CLEANUP" +TST_CLEANUP="ima_cleanup" TST_NEEDS_TMPDIR=1 TST_NEEDS_ROOT=1 @@ -95,6 +96,9 @@ ima_setup() ima_cleanup() { local dir + + [ -n "$TST_CLEANUP_CALLER" ] && $TST_CLEANUP_CALLER + for dir in $UMOUNT; do umount $dir done diff --git a/testcases/kernel/security/integrity/ima/tests/ima_violations.sh b/testcases/kernel/security/integrity/ima/tests/ima_violations.sh index 74223c221..a44bd1230 100755 --- a/testcases/kernel/security/integrity/ima/tests/ima_violations.sh +++ b/testcases/kernel/security/integrity/ima/tests/ima_violations.sh
@@ -51,8 +51,6 @@ cleanup() { [ "$PRINTK_RATE_LIMIT" != "0" ] && \ sysctl -wq kernel.printk_ratelimit=$PRINTK_RATE_LIMIT - - ima_cleanup } open_file_read()
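Review bot: in the ima_setup.sh hunk of 1/4, `[ -n "$TST_CLEANUP_CALLER" ] && $TST_CLEANUP_CALLER` runs the test's own cleanup on every cleanup path, including runs where setup stopped early with tst_brk before the test initialised anything, and it silently drops that function's exit status; a short comment next to `TST_CLEANUP_CALLER="$TST_CLEANUP"` saying that caller cleanups must tolerate unset state (evm_overlay.sh later in this series does it with `[ -n "$mounted" ] || return 0`) and that, unlike the old `${TST_CLEANUP:-ima_cleanup}` default, a test can no longer replace ima_cleanup outright would document the new contract where test authors will look for it.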
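Review bot: in the ima_violations.sh hunk of 1/4, with `ima_cleanup` gone the last command of cleanup() is `[ "$PRINTK_RATE_LIMIT" != "0" ] && sysctl -wq kernel.printk_ratelimit=$PRINTK_RATE_LIMIT`, so the function returns 1 whenever the saved limit was 0; ima_cleanup() ignores that status today, but writing it as an `if` block (or adding a trailing `return 0`) keeps a future status check from turning a no-op into a reported failure.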
From: Petr Vorel
To: ltp@lists.linux.it
Cc: Petr Vorel, Mimi Zohar, Ignaz Forster, linux-integrity@vger.kernel.org, Mimi Zohar
Subject: [PATCH v4 2/4] shell: Add $TST_DEVICE as default parameter to tst_umount
Date: Thu, 13 Jun 2019 18:14:12 +0200
Message-Id: <20190613161414.29161-3-pvorel@suse.cz>
In-Reply-To: <20190613161414.29161-1-pvorel@suse.cz>

+ use it directly as a cleanup function in df01.sh

Acked-by: Mimi Zohar
Signed-off-by: Petr Vorel
---
doc/test-writing-guidelines.txt | 4 ++-- testcases/commands/df/df01.sh | 7 +------ testcases/commands/mkfs/mkfs01.sh | 2 +- testcases/kernel/security/integrity/ima/tests/ima_setup.sh | 2 +- testcases/lib/tst_test.sh | 2 +- 5 files changed, 6 insertions(+), 11 deletions(-)

diff --git a/doc/test-writing-guidelines.txt b/doc/test-writing-guidelines.txt index f1912dc12..fc64b418b 100644 --- a/doc/test-writing-guidelines.txt +++ b/doc/test-writing-guidelines.txt @@ -2115,8 +2115,8 @@ The 'tst_mount' mounts '$TST_DEVICE' of '$TST_FS_TYPE' (optional) to '$TST_MNT_PARAMS'. The '$TST_MNTPOINT' directory is created if it didn't exist prior to the function call. -If the path passed to the 'tst_umount' is not mounted (present in '/proc/mounts') -it's noop. +If the path passed (optional, defaults to '$TST_DEVICE') to the 'tst_umount' is +not mounted (present in '/proc/mounts') it's noop. Otherwise it retries to umount the filesystem a few times on a failure, which is a workaround since there are a daemons dumb enough to probe all newly mounted filesystems, which prevents them from umounting shortly after they diff --git a/testcases/commands/df/df01.sh b/testcases/commands/df/df01.sh index 9b0be76fe..3876816dc 100755 --- a/testcases/commands/df/df01.sh
+++ b/testcases/commands/df/df01.sh @@ -18,7 +18,7 @@ TST_CNT=12 TST_SETUP=setup -TST_CLEANUP=cleanup +TST_CLEANUP=tst_umount TST_TESTFUNC=test TST_OPTS="f:" TST_USAGE=usage @@ -54,11 +54,6 @@ setup() DF_FS_TYPE=$(mount | grep "$TST_DEVICE" | awk '{print $5}') } -cleanup() -{ - tst_umount $TST_DEVICE -} - df_test() { local cmd="$1 -P" diff --git a/testcases/commands/mkfs/mkfs01.sh b/testcases/commands/mkfs/mkfs01.sh index 88f7f0baa..28af890b3 100755 --- a/testcases/commands/mkfs/mkfs01.sh +++ b/testcases/commands/mkfs/mkfs01.sh @@ -71,7 +71,7 @@ mkfs_verify_size() { tst_mount local blocknum=`df -P -B 1k mntpoint | tail -n1 | awk '{print $2}'` - tst_umount "$TST_DEVICE" + tst_umount if [ $blocknum -gt "$2" ]; then return 1 diff --git a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh index cbded42c2..da49eb1b2 100644 --- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh +++ b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh @@ -105,7 +105,7 @@ ima_cleanup() if [ "$TST_NEEDS_DEVICE" = 1 ]; then cd $TST_TMPDIR - tst_umount $TST_DEVICE + tst_umount fi } diff --git a/testcases/lib/tst_test.sh b/testcases/lib/tst_test.sh index 512732315..740253df1 100644 --- a/testcases/lib/tst_test.sh +++ b/testcases/lib/tst_test.sh 
@@ -259,7 +259,7 @@ tst_mount() tst_umount() { - local device="$1" + local device="${1:-$TST_DEVICE}" local i=0 if ! grep -q "$device" /proc/mounts; then
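Review bot: in the doc/test-writing-guidelines.txt hunk of 2/4, the parenthetical lands between "passed" and "to", which makes the sentence hard to parse; suggest: If the path passed to 'tst_umount' (optional, defaults to '$TST_DEVICE') is not mounted (present in '/proc/mounts') it's a noop. While touching this paragraph, "there are a daemons" in the unchanged context just below should read "there are daemons".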
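Review bot: in the tst_test.sh hunk of 2/4, `local device="${1:-$TST_DEVICE}"` yields an empty `$device` when a test that does not set TST_NEEDS_DEVICE calls `tst_umount` without an argument, and the next line, `if ! grep -q "$device" /proc/mounts`, then matches every line (an empty pattern matches everything), so the "not mounted" early return is skipped and the function goes on to umount an empty name; add `[ -z "$device" ] && tst_brk TBROK "tst_umount: no device or mountpoint given"` right after the assignment. The same grep is an unanchored substring match (`/dev/loop1` is found in a line for `/dev/loop10`, and a pseudo-device name such as `overlay` is found in any overlay mount on the host), which the new default makes easier to hit from cleanup paths; comparing whole fields, e.g. `awk -v d="$device" '$1 == d || $2 == d { f = 1 } END { exit !f }' /proc/mounts`, avoids both false positives.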
From: Petr Vorel
To: ltp@lists.linux.it
Cc: Petr Vorel, Mimi Zohar, Ignaz Forster, linux-integrity@vger.kernel.org
Subject: [PATCH v4 3/4] ima/ima_measurements.sh: Require builtin IMA tcb policy
Date: Thu, 13 Jun 2019 18:14:13 +0200
Message-Id: <20190613161414.29161-4-pvorel@suse.cz>
In-Reply-To: <20190613161414.29161-1-pvorel@suse.cz>

Although a custom policy, which may contain the equivalent measurement tcb rules, can be loaded via dracut, systemd or later manually from user space, detecting it would require IMA_READ_POLICY=y. In order to simplify the check and avoid false positives, let's ignore this option and require the builtin IMA tcb policy.

Create a check_ima_policy() helper in ima_setup.sh, so it can be reused in other tests.

+ Use SPDX license identifier

Signed-off-by: Petr Vorel
---
.../integrity/ima/tests/ima_measurements.sh | 23 ++++---------- .../security/integrity/ima/tests/ima_setup.sh | 30 ++++++++++--------- 2 files changed, 21 insertions(+), 32 deletions(-)

diff --git a/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh b/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh index 328affc43..1b9ed85b8 100755 --- a/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh +++ b/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh
@@ -1,19 +1,7 @@ #!/bin/sh # Copyright (c) 2009 IBM Corporation -# Copyright (c) 2018 Petr Vorel -# -# This program is free software; you can redistribute it and/or -# modify it under the terms of the GNU General Public License as -# published by the Free Software Foundation; either version 2 of -# the License, or (at your option) any later version. -# -# This program is distributed in the hope that it would be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright (c) 2018-2019 Petr Vorel +# SPDX-License-Identifier: GPL-2.0-or-later # # Author: Mimi Zohar, zohar@ibm.vnet.ibm.com # @@ -28,16 +16,17 @@ TST_NEEDS_DEVICE=1 setup() { - TEST_FILE="$PWD/test.txt" + check_ima_policy "tcb" + TEST_FILE="$PWD/test.txt" POLICY="$IMA_DIR/policy" [ -f "$POLICY" ] || tst_res TINFO "not using default policy" - DIGEST_INDEX= local template="$(tail -1 $ASCII_MEASUREMENTS | cut -d' ' -f 3)" local i + # parse digest index # https://www.kernel.org/doc/html/latest/security/IMA-templates.html#use case "$template" in ima|ima-ng|ima-sig) DIGEST_INDEX=4 ;; @@ -56,8 +45,6 @@ setup() [ -z "$DIGEST_INDEX" ] && tst_brk TCONF \ "Cannot find digest index (template: '$template')" - - tst_res TINFO "IMA measurement tests assume tcb policy to be loaded (ima_policy=tcb)" } # TODO: find support for rmd128 rmd256 rmd320 wp256 wp384 tgr128 tgr160 diff --git a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh index da49eb1b2..606034fec 100644 --- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh +++ b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh 
@@ -1,19 +1,7 @@ #!/bin/sh # Copyright (c) 2009 IBM Corporation -# Copyright (c) 2018 Petr Vorel -# -# This program is free software; you can redistribute it and/or -# modify it under the terms of the GNU General Public License as -# published by the Free Software Foundation; either version 2 of -# the License, or (at your option) any later version. -# -# This program is distributed in the hope that it would be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright (c) 2018-2019 Petr Vorel +# SPDX-License-Identifier: GPL-2.0-or-later # # Author: Mimi Zohar, zohar@ibm.vnet.ibm.com 
@@ -31,6 +19,20 @@ SYSFS="/sys" UMOUNT= TST_FS_TYPE="ext3" +check_ima_policy() +{ + local policy="$1" + local i + + grep -q "ima_$policy" /proc/cmdline && return + for i in $(cat /proc/cmdline); do + if grep -q '^ima_policy=' $i; then + grep -e "|[ ]*$policy" -e "$policy[ ]*|" -e "=$policy" $i && return + fi + done + tst_brk TCONF "IMA measurement tests require builtin IMA $policy policy (e.g. ima_policy=$policy kernel parameter)" +} + mount_helper() { local type="$1"
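Review bot: in the check_ima_policy() hunk of 3/4, `grep -q '^ima_policy=' $i` and the `grep -e ... $i` below it take the cmdline word `$i` as a file name rather than as input, so on a machine booted with plain `ima_policy=tcb` (no legacy `ima_tcb` token for the first grep to find) every word produces `grep: ...: No such file or directory` and the function always ends in the TCONF, i.e. the test never runs on exactly the configuration it asks for; the patterns also admit a false positive of the kind the commit message sets out to avoid, since `-e "$policy[ ]*|"` with policy `tcb` matches `ima_policy=appraise_tcb|secure_boot`. Both go away with shell pattern matching on the `|`-separated list: inside the loop use `case "$i" in ima_policy=*) case "|${i#ima_policy=}|" in *"|$policy|"*) return ;; esac ;; esac`, which accepts `ima_policy=tcb`, `ima_policy=tcb|appraise_tcb` and `ima_policy=appraise_tcb|tcb` and rejects everything else. The non-`-q` grep would additionally print the matching word to stdout on success.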
From: Petr Vorel
To: ltp@lists.linux.it
Cc: Petr Vorel, Mimi Zohar, Ignaz Forster, linux-integrity@vger.kernel.org, Mimi Zohar
Subject: [PATCH v4 4/4] ima: Add overlay test + doc
Date: Thu, 13 Jun 2019 18:14:14 +0200
Message-Id: <20190613161414.29161-5-pvorel@suse.cz>
In-Reply-To: <20190613161414.29161-1-pvorel@suse.cz>

The test demonstrates a bug on overlayfs on the current mainline kernel when combining IMA with EVM. Based on a reproducer made by Ignaz Forster used for the not yet upstreamed patchset [1] and a previous report [2]. IMA-only behavior has already been fixed [3].

NOTE: backup variables are needed because ima_setup.sh calls tst_mount as well when TMPDIR is on a tmpfs device.

Documentation is based on Ignaz Forster's instructions for openSUSE [4].

[1] https://www.spinics.net/lists/linux-integrity/msg05926.html
[2] https://www.spinics.net/lists/linux-integrity/msg03593.html
[3] https://patchwork.kernel.org/patch/10776231/
[4] http://lists.linux.it/pipermail/ltp/2019-May/011956.html

Tested-by: Ignaz Forster
Acked-by: Mimi Zohar
Signed-off-by: Petr Vorel
---
runtest/ima | 1 + .../security/integrity/ima/tests/README.md | 83 +++++++++++++++++ .../integrity/ima/tests/evm_overlay.sh | 93 +++++++++++++++++++ .../security/integrity/ima/tests/ima_setup.sh | 4 +- 4 files changed, 179 insertions(+), 2 deletions(-) create mode 100644 testcases/kernel/security/integrity/ima/tests/README.md create mode 100755 testcases/kernel/security/integrity/ima/tests/evm_overlay.sh

diff --git a/runtest/ima b/runtest/ima index bcae16bb7..f3ea88cf0 100644 --- a/runtest/ima +++ b/runtest/ima
@@ -3,3 +3,4 @@ ima_measurements ima_measurements.sh ima_policy ima_policy.sh ima_tpm ima_tpm.sh ima_violations ima_violations.sh +evm_overlay evm_overlay.sh diff --git a/testcases/kernel/security/integrity/ima/tests/README.md b/testcases/kernel/security/integrity/ima/tests/README.md new file mode 100644 index 000000000..961b68a38 --- /dev/null +++ b/testcases/kernel/security/integrity/ima/tests/README.md 
@@ -0,0 +1,83 @@ +IMA + EVM testing +================= + +IMA tests +--------- + +`ima_measurements.sh` require builtin IMA tcb policy to be loaded +(`ima_policy=tcb` or `ima_policy=appraise_tcb` kernel parameter). +Although custom policy which contains which may contain the equivalent +measurement tcb rules can be loaded via dracut, systemd or later manually +from user space, detecting it would require `IMA_READ_POLICY=y` therefore +ignore this option. + +Mandatory kernel configuration for IMA: +``` +CONFIG_INTEGRITY=y +CONFIG_IMA=y +``` + +EVM tests +--------- + +`evm_overlay.sh` requires to builtin IMA appraise tcb policy (e.g. `ima_policy=appraise_tcb` +kernel parameter) which appraises the integrity of all files owned by root and EVM setup. +Again, for simplicity ignore possibility to load reuired rules via custom policy. + +Mandatory kernel configuration for IMA & EVM: +``` +CONFIG_INTEGRITY=y +CONFIG_INTEGRITY_SIGNATURE=y +CONFIG_IMA=y +CONFIG_IMA_APPRAISE=y +CONFIG_EVM=y +CONFIG_KEYS=y +CONFIG_TRUSTED_KEYS=y +CONFIG_ENCRYPTED_KEYS=y +``` + +Example of installing IMA + EVM on openSUSE: + +* Boot install system with `ima_policy=appraise_tcb ima_appraise=fix evm=fix` kernel parameters + (for IMA measurement, IMA appraisal and EVM protection) +* Proceed with installation until summary screen, but do not start the installation yet +* Select package `dracut-ima` (required for early boot EVM support) for installation + (Debian based distros already contain IMA + EVM support in `dracut` package) +* Change to a console window and run commands to generate keys required by EVM: +``` +# mkdir /etc/keys +# user_key=$(keyctl add user kmk-user "`dd if=/dev/urandom bs=1 count=32 2>/dev/null`" @u) +# keyctl pipe "$user_key" > /etc/keys/kmk-user.blob +# evm_key=$(keyctl add encrypted evm-key "new user:kmk-user 64" @u) +# keyctl pipe "$evm_key" >/etc/keys/evm.blob +# cat </etc/sysconfig/masterkey +MASTERKEYTYPE="user" +MASTERKEY="/etc/keys/kmk-user.blob" +END +# cat 
</etc/sysconfig/evm +EVMKEY="/etc/keys/evm.blob" +END +# mount -t securityfs security /sys/kernel/security +# echo 1 >/sys/kernel/security/evm +``` + +* Go back to the installation summary screen and start the installation +* During the installation execute the following commands from the console: +``` +# cp -r /etc/keys /mnt/etc/ # Debian based distributions: use /target instead of /mnt +# cp /etc/sysconfig/{evm,masterkey} /mnt/etc/sysconfig/ +``` + +This should work on any distribution using dracut. +Loading EVM keys is also possible with initramfs-tools (Debian based distributions). + +Of course it's possible to install OS usual way, add keys later and fix missing xattrs with: +``` +evmctl -r ima_fix / +``` + +or with `find` if evmctl not available: +``` +find / \( -fstype rootfs -o -fstype ext4 -o -fstype btrfs -o -fstype xfs \) -exec sh -c "< '{}'" \; +``` +Again, fixing requires `ima_policy=appraise_tcb ima_appraise=fix evm=fix` kernel parameters. diff --git a/testcases/kernel/security/integrity/ima/tests/evm_overlay.sh b/testcases/kernel/security/integrity/ima/tests/evm_overlay.sh new file mode 100755 index 000000000..024b03917 --- /dev/null +++ b/testcases/kernel/security/integrity/ima/tests/evm_overlay.sh 
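Review bot: in the README.md hunk of 4/4, the IMA section states that `ima_policy=appraise_tcb` satisfies ima_measurements.sh, but check_ima_policy "tcb" from 3/4 searches for a `tcb` token and a bare `=appraise_tcb` matches none of `-e "=$policy"`, `-e "|[ ]*$policy"`, `-e "$policy[ ]*|"`, and appraise_tcb adds only appraisal rules, not the measurement rules the test depends on; drop the `appraise_tcb` alternative from that sentence or widen the check, but do not leave the two disagreeing. Wording in the same hunk: "require builtin IMA tcb policy" (requires the builtin), "which contains which may contain" (drop "which contains"), "requires to builtin IMA appraise tcb policy" (requires the builtin), "root and EVM setup" (root, and an EVM setup), "reuired" (required), "install OS usual way" (install the OS the usual way).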
@@ -0,0 +1,93 @@ +#!/bin/sh +# Copyright (c) 2019 Petr Vorel +# Based on reproducer and further discussion with Ignaz Forster +# Reproducer for not upstreamed patchset [1] and previous report [2]. +# [1] https://www.spinics.net/lists/linux-integrity/msg05926.html +# [2] https://www.spinics.net/lists/linux-integrity/msg03593.html + +TST_SETUP="setup" +TST_CLEANUP="cleanup" +TST_NEEDS_DEVICE=1 +TST_CNT=4 +. ima_setup.sh + +setup() +{ + EVM_FILE="/sys/kernel/security/evm" + + [ -f "$EVM_FILE" ] || tst_brk TCONF "EVM not enabled in kernel" + [ $(cat $EVM_FILE) -eq 1 ] || tst_brk TCONF "EVM not enabled for this boot" + + check_ima_policy "appraise_tcb" + + lower="$TST_MNTPOINT/lower" + upper="$TST_MNTPOINT/upper" + work="$TST_MNTPOINT/work" + merged="$TST_MNTPOINT/merged" + mkdir -p $lower $upper $work $merged + + device_backup="$TST_DEVICE" + TST_DEVICE="overlay" + + fs_type_backup="$TST_FS_TYPE" + TST_FS_TYPE="overlay" + + mntpoint_backup="$TST_MNTPOINT" + TST_MNTPOINT="$merged" + + params_backup="$TST_MNT_PARAMS" + TST_MNT_PARAMS="-o lowerdir=$lower,upperdir=$upper,workdir=$work" + + tst_mount + mounted=1 +} + +test1() +{ + local file="foo1.txt" + + tst_res TINFO "overwrite file in overlay" + EXPECT_PASS echo lower \> $lower/$file + EXPECT_PASS echo overlay \> $merged/$file +} + +test2() +{ + local file="foo2.txt" + + tst_res TINFO "append file in overlay" + EXPECT_PASS echo lower \> $lower/$file + EXPECT_PASS echo overlay \>\> $merged/$file +} + +test3() +{ + local file="foo3.txt" + + tst_res TINFO "create a new file in overlay" + EXPECT_PASS echo overlay \> $merged/$file +} + +test4() +{ + local f + + tst_res TINFO "read all created files" + for f in $(find $TST_MNTPOINT -type f); do + EXPECT_PASS cat $f \> /dev/null 2\> /dev/null + done +} + +cleanup() +{ + [ -n "$mounted" ] || return 0 + + tst_umount $TST_DEVICE + + TST_DEVICE="$device_backup" + TST_FS_TYPE="$fs_type_backup" + TST_MNTPOINT="$mntpoint_backup" + TST_MNT_PARAMS="$params_backup" +} + +tst_run 
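Review bot: in the evm_overlay.sh hunk of 4/4, cleanup() calls `tst_umount $TST_DEVICE` while `TST_DEVICE="overlay"`, so the `grep -q "$device" /proc/mounts` check inside tst_umount is satisfied by any overlay mount on the host (container root filesystems, for instance) and the umount is issued by the pseudo-source name rather than by this test's mount point, which is ambiguous as soon as more than one overlay is mounted; `tst_umount "$TST_MNTPOINT"` (still `$merged` at that point, since the backups are restored afterwards) names exactly the mount the test created. Two smaller points: test1 and test2 write `$lower/$file` after the overlay was mounted in setup(), and overlayfs documents changes to an underlying layer of a mounted overlay as undefined behaviour, so create the lower files in setup() before tst_mount so the reproducer does not depend on that; and `[ $(cat $EVM_FILE) -eq 1 ]` rejects a system whose securityfs `evm` file reports more than the HMAC bit (Documentation/ABI/testing/evm lists 1 for an HMAC key and 2 for an X.509 key, so a box with both loaded reads 3), so test the bit instead, e.g. `[ $(( $(cat $EVM_FILE) & 1 )) -eq 1 ]`.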
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh index 606034fec..529b77529 100644 --- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh +++ b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh @@ -66,14 +66,14 @@ print_ima_config() local config="/boot/config-$(uname -r)" local i - tst_res TINFO "/proc/cmdline: $(cat /proc/cmdline)" - if [ -r "$config" ]; then tst_res TINFO "IMA kernel config:" for i in $(grep ^CONFIG_IMA $config); do tst_res TINFO "$i" done fi + + tst_res TINFO "/proc/cmdline: $(cat /proc/cmdline)" } ima_setup()