From patchwork Thu Aug 20 09:08:20 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Petr Vorel X-Patchwork-Id: 11725935 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id E73EC14F6 for ; Thu, 20 Aug 2020 09:08:44 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id D5570207FB for ; Thu, 20 Aug 2020 09:08:44 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1725819AbgHTJIn (ORCPT ); Thu, 20 Aug 2020 05:08:43 -0400 Received: from mx2.suse.de ([195.135.220.15]:39528 "EHLO mx2.suse.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725838AbgHTJIj (ORCPT ); Thu, 20 Aug 2020 05:08:39 -0400 X-Virus-Scanned: by amavisd-new at test-mx.suse.de Received: from relay2.suse.de (unknown [195.135.221.27]) by mx2.suse.de (Postfix) with ESMTP id AC165AC7F; Thu, 20 Aug 2020 09:09:04 +0000 (UTC) 
From: Petr Vorel
To: ltp@lists.linux.it
Cc: Petr Vorel, Lakshmi Ramasubramanian, Mimi Zohar, linux-integrity@vger.kernel.org
Subject: [LTP v4 1/5] IMA/ima_keys.sh: Fix policy content check usage
Date: Thu, 20 Aug 2020 11:08:20 +0200
Message-Id: <20200820090824.3033-2-pvorel@suse.cz>
X-Mailer: git-send-email 2.28.0
In-Reply-To: <20200820090824.3033-1-pvorel@suse.cz>
References: <20200820090824.3033-1-pvorel@suse.cz>
MIME-Version: 1.0
Sender: linux-integrity-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-integrity@vger.kernel.org

require_ima_policy_content cannot be used in subshell $() evaluation, because tst_brk does not quit the test. It calls cleanup for the subshell process and the main process then continues:

ima_keys 1 TCONF: IMA policy does not specify 'func=KEY_CHECK'
=> Here it's running first cleanup. umount errors are because the parent shell process still has $PWD in the directory to be unmounted:
umount: /tmp/LTP_ima_keys.0dIVrwJKIG/mntpoint: target is busy.
ima_keys 1 TINFO: umount(/dev/loop0) failed, try 1
...
ima_keys 1 TINFO: Likely gvfsd-trash is probing newly mounted fs, kill it to speed up tests.
umount: /tmp/LTP_ima_keys.0dIVrwJKIG/mntpoint: target is busy.
...
ima_keys 1 TINFO: umount(/dev/loop0) failed, try 50
...
ima_keys 1 TINFO: Likely gvfsd-trash is probing newly mounted fs, kill it to speed up tests.
ima_keys 1 TWARN: Failed to umount(/dev/loop0) after 50 retries
tst_device.c:222: WARN: ioctl(/dev/loop0, LOOP_CLR_FD, 0) no ENXIO for too long
Usage: tst_device acquire [size [filename]]
or: tst_device release /path/to/device
ima_keys 1 TWARN: Failed to release device '/dev/loop0'
rm: cannot remove '/tmp/LTP_ima_keys.0dIVrwJKIG/mntpoint': Device or resource busy
ima_keys 1 TINFO: AppArmor enabled, this may affect test results
ima_keys 1 TINFO: it can be disabled with TST_DISABLE_APPARMOR=1 (requires super/root)
ima_keys 1 TINFO: loaded AppArmor profiles: none
/opt/ltp/testcases/bin/ima_keys.sh: line 25: 6166 Terminated sleep $sec && tst_res TBROK "test killed, timeout! If you are running on slow machine, try exporting LTP_TIMEOUT_MUL > 1" && kill -9 -$pid (wd: ~)
=> Here it should quit after running cleanup, but instead it continues running:
ima_keys 1 TCONF: ima policy does not specify a keyrings to check

NOTE: The same limitation for using subshell $() applies to check_ima_policy_content, but it's safe due to the previous require_ima_policy_content check.

Fixes: f20f44d72 ("IMA/ima_keys.sh: Fix policy readability check")
Signed-off-by: Petr Vorel
---
 testcases/kernel/security/integrity/ima/tests/ima_keys.sh | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/testcases/kernel/security/integrity/ima/tests/ima_keys.sh b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh
index 3aea26056..53c289054 100755
--- a/testcases/kernel/security/integrity/ima/tests/ima_keys.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh
@@ -16,11 +16,14 @@ TST_NEEDS_DEVICE=1 # (450d0fd51564 - "IMA: Call workqueue functions to measure queued keys") test1() { - local keyrings keycheck_lines keycheck_line templates test_file="file.txt" + local keyrings keycheck_lines keycheck_line templates + local pattern="func=KEY_CHECK" + local test_file="file.txt" tst_res TINFO "verifying key measurement for keyrings and templates specified in IMA policy file" - keycheck_lines=$(require_ima_policy_content "func=KEY_CHECK" "") + require_ima_policy_content "$pattern" + keycheck_lines=$(check_ima_policy_content "$pattern" "") keycheck_line=$(echo "$keycheck_lines" | grep "keyrings" | head -n1) if [ -z "$keycheck_line" ]; then From patchwork Thu Aug 20 09:08:21 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Petr Vorel X-Patchwork-Id: 11725937 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 1AD1216B1 for ; Thu, 20 Aug 2020 09:08:45 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 076D62078B for ; Thu, 20 Aug 2020 09:08:45 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1725838AbgHTJIo (ORCPT ); Thu, 20 Aug 2020 05:08:44 -0400 Received: from mx2.suse.de ([195.135.220.15]:39544 "EHLO mx2.suse.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725859AbgHTJIj (ORCPT ); Thu, 20 Aug 2020 05:08:39 -0400 X-Virus-Scanned: by amavisd-new at test-mx.suse.de Received: from relay2.suse.de (unknown [195.135.221.27]) by mx2.suse.de (Postfix) with ESMTP id DFBB8B75C; Thu, 20 Aug 2020 09:09:04 +0000 (UTC) 
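Review bot: the subshell limitation that the commit message explains is not recorded in the script itself; the line `keycheck_lines=$(check_ima_policy_content "$pattern" "")` is exactly where a later edit could put `require_ima_policy_content` back inside `$()`, so a one-line comment above it (for example `# must not run require_ima_policy_content in $(): tst_brk would only exit the subshell`) would keep this fix from regressing. The empty second argument `""` handed to `check_ima_policy_content` also deserves a word, since it is not obvious from the hunk which default grep option it overrides.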
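The subshell problem described in patch 1/5's commit message, as an added POSIX sh example that is not LTP code: `brk_like`, `require_policy` and `check_policy` are stand-ins written here for `tst_brk`, `require_ima_policy_content` and `check_ima_policy_content`, the exit code 32 and the policy strings are constructed for the example, and `broken_usage`/`fixed_usage` mirror the before and after of the hunk.

```shell
#!/bin/sh
# Added example, not LTP code: why a tst_brk-style abort inside $() cannot stop
# the calling test, which is the bug patch 1 fixes. brk_like, require_policy and
# check_policy are stand-ins written here for tst_brk, require_ima_policy_content
# and check_ima_policy_content; the policies are constructed strings.

# Stand-in for tst_brk: report and exit the *current* shell process.
brk_like() {
    echo "TCONF: $1" >&2
    exit 32   # exit code chosen for this example
}

# Stand-in for require_ima_policy_content: print matching lines, abort if none.
require_policy() {   # $1 = ERE, $2 = policy text
    printf '%s\n' "$2" | grep -E "$1" || brk_like "IMA policy does not specify '$1'"
}

# Stand-in for check_ima_policy_content: print matching lines, never abort.
check_policy() {
    printf '%s\n' "$2" | grep -E "$1"
}

# Before the patch: the abort happens inside the $() subshell, so only that
# subshell exits; the test body carries on with an empty result and reports
# success.
broken_usage() {
    lines=$(require_policy 'func=KEY_CHECK' "$1")
    echo "broken: continued with lines='$lines'"
    return 0
}

# After the patch: run the aborting check directly in the test's own shell,
# then capture the lines with the non-aborting helper.
fixed_usage() {
    require_policy 'func=KEY_CHECK' "$1" >/dev/null
    lines=$(check_policy 'func=KEY_CHECK' "$1")
    echo "fixed: keycheck lines='$lines'"
    return 0
}

# Run a test body in its own subshell (so an abort ends only that body, not
# this script) and return the exit status the LTP runner would see.
run_body() {   # $1 = function, $2 = policy text
    ( set +e; "$1" "$2" )
}

# Constructed policies: one with the required rule, one without it.
POLICY_OK='measure func=KEY_CHECK keyrings=.ima|.evm template=ima-buf'
POLICY_MISSING='measure func=BPRM_CHECK template=ima-ng'

run_body broken_usage "$POLICY_MISSING"; echo "broken_usage exit status: $? (kept running after the abort)"
run_body fixed_usage "$POLICY_MISSING"; echo "fixed_usage exit status: $? (stopped at the check)"
run_body fixed_usage "$POLICY_OK"
```

Run it and the first body prints the TCONF line and then "continued with lines=''" with status 0, which is the sequence seen in the log above; the second body stops at the check with status 32 and never reaches the echo.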
From: Petr Vorel
To: ltp@lists.linux.it
Cc: Petr Vorel, Lakshmi Ramasubramanian, Mimi Zohar, linux-integrity@vger.kernel.org
Subject: [LTP v4 2/5] IMA/ima_keys.sh: Require template=ima-buf, fix grep pattern
Date: Thu, 20 Aug 2020 11:08:21 +0200
Message-Id: <20200820090824.3033-3-pvorel@suse.cz>
X-Mailer: git-send-email 2.28.0
In-Reply-To: <20200820090824.3033-1-pvorel@suse.cz>
References: <20200820090824.3033-1-pvorel@suse.cz>
MIME-Version: 1.0
Sender: linux-integrity-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-integrity@vger.kernel.org

test1 (and the following test2, which will be added) requires the ima-buf template, which contains the 'buf' identifier (the buffer data that was used to generate the hash, without size limitations). For simplicity we ignore custom templates (ima_template_fmt kernel command line parameter), which could also define it.

Also fix the grep format for searching in the policy: add the missing '.'. Searching for lines with the specified templates *and* keyrings in the measurement, but there is an algorithm and a hash in between, thus '.*'. Previously the template was just ignored due to using just '*'.

Fixes: d2768c84e ("IMA: Add a test to verify measurement of keys")
Signed-off-by: Petr Vorel
---
New commit (maybe I should have split them into 2 commits).

 .../kernel/security/integrity/ima/tests/ima_keys.sh | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/testcases/kernel/security/integrity/ima/tests/ima_keys.sh b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh
index 53c289054..015a3c115 100755
--- a/testcases/kernel/security/integrity/ima/tests/ima_keys.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh
@@ -17,13 +17,15 @@ TST_NEEDS_DEVICE=1 test1() { local keyrings keycheck_lines keycheck_line templates - local pattern="func=KEY_CHECK" + local func='func=KEY_CHECK' + local buf='template=ima-buf' + local pattern="($func.*$buf|$buf.*$func)" local test_file="file.txt" tst_res TINFO "verifying key measurement for keyrings and templates specified in IMA policy file" - require_ima_policy_content "$pattern" - keycheck_lines=$(check_ima_policy_content "$pattern" "") + require_ima_policy_content "$pattern" '-Eq' + keycheck_lines=$(check_ima_policy_content "$pattern" '-E') keycheck_line=$(echo "$keycheck_lines" | grep "keyrings" | head -n1) if [ -z "$keycheck_line" ]; then 
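Review bot: `keycheck_line=$(echo "$keycheck_lines" | grep "keyrings" | head -n1)` is unchanged, so although the new alternation `($func.*$buf|$buf.*$func)` now selects every rule that carries both `func=KEY_CHECK` and `template=ima-buf` in either order, only the first such rule drives the keyrings/templates extraction; a policy with several KEY_CHECK rules is verified only for the keyrings of the first one. Either iterate over all matched lines or say in the TINFO message that only the first rule is checked. The commit message should also mention why the pattern accepts both orderings, since the text only talks about requiring ima-buf.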
@@ -39,7 +41,7 @@ test1() templates=$(echo "$keycheck_line" | tr " " "\n" | grep "template" | \ cut -d'=' -f2) - grep -E "($templates)*($keyrings)" $ASCII_MEASUREMENTS | while read line + grep -E "($templates).*($keyrings)" $ASCII_MEASUREMENTS | while read line do local digest expected_digest algorithm From patchwork Thu Aug 20 09:08:22 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Petr Vorel X-Patchwork-Id: 11725939 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 3EF9E739 for ; Thu, 20 Aug 2020 09:08:45 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 2BA732078B for ; Thu, 20 Aug 2020 09:08:45 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1725859AbgHTJIo (ORCPT ); Thu, 20 Aug 2020 05:08:44 -0400 Received: from mx2.suse.de ([195.135.220.15]:39558 "EHLO mx2.suse.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725866AbgHTJIk (ORCPT ); Thu, 20 Aug 2020 05:08:40 -0400 X-Virus-Scanned: by amavisd-new at test-mx.suse.de Received: from relay2.suse.de (unknown [195.135.221.27]) by mx2.suse.de (Postfix) with ESMTP id 1C308B75F; Thu, 20 Aug 2020 09:09:05 +0000 (UTC) 
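Review bot: `grep -E "($templates).*($keyrings)" $ASCII_MEASUREMENTS` is the right fix for the stray `*`, but `$templates` is spliced into the regex unescaped while `$keyrings` had its dots escaped with `sed "s/\./\\\./g"` earlier in test1; a template name containing regex metacharacters would still be interpreted. As the value comes from the `template=` field this is normally `ima-buf`, so either a comment or the same sed treatment would make the two variables consistent. `$ASCII_MEASUREMENTS` is unquoted as well, harmless for the sysfs path but worth quoting for consistency with the rest of the script.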
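The effect of the `*` versus `.*` fix in this hunk, as an added POSIX sh example that is not code from ima_keys.sh: `MEASUREMENTS` is a constructed stand-in for `ascii_runtime_measurements` (the field order assumed here is PCR, template hash, template name, algorithm:digest, name, buffer, with dummy hashes), and `templates`/`keyrings` hold the values test1 would derive from the policy.

```shell
#!/bin/sh
# Added example (not code from ima_keys.sh): why "($templates)*($keyrings)"
# ignored the template and why "($templates).*($keyrings)" does not.
# MEASUREMENTS is a constructed stand-in for ascii_runtime_measurements, laid
# out as: PCR  template-hash  template-name  algo:digest  name  buffer-hex.
# Hashes and the buffer are dummy values.
MEASUREMENTS='10 aaaa ima-ng sha256:1111 /usr/bin/ls
10 bbbb ima-buf sha256:2222 .ima 3082
10 cccc ima-ng sha256:3333 /etc/.ima.conf
10 dddd ima-buf sha256:4444 .builtin_trusted_keys 3082'

# Values as test1 derives them from the policy: template names unescaped,
# keyring names with '.' escaped so they are literal in the ERE.
templates='ima-buf'
keyrings='\.ima|\.builtin_trusted_keys'

# Before patch 2: "(ima-buf)*" may match zero times, so the template is not
# required at all and any line containing a keyring name matches.
old_pattern="($templates)*($keyrings)"
# After patch 2: the template must be present, then anything (algorithm and
# digest), then a keyring name.
new_pattern="($templates).*($keyrings)"

# Number of measurement lines selected by an ERE (what the grep in test1 feeds
# into its while-read loop).
count_matches() {
    printf '%s\n' "$MEASUREMENTS" | grep -E -c "$1"
}

# The 'name' field of every selected line, one per line.
selected_names() {
    printf '%s\n' "$MEASUREMENTS" | grep -E "$1" | cut -d' ' -f5
}

echo "old pattern selects $(count_matches "$old_pattern") lines:"
selected_names "$old_pattern"
echo "new pattern selects $(count_matches "$new_pattern") lines:"
selected_names "$new_pattern"
```

With the old pattern the ima-ng entry for `/etc/.ima.conf` is selected because `.ima` appears in its path; the fixed pattern keeps only the two ima-buf entries, which is what the digest comparison in test1 expects to see.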
From: Petr Vorel
To: ltp@lists.linux.it
Cc: Petr Vorel, Lakshmi Ramasubramanian, Mimi Zohar, linux-integrity@vger.kernel.org, Lachlan Sneff
Subject: [LTP v4 3/5] IMA: Refactor datafiles directory
Date: Thu, 20 Aug 2020 11:08:22 +0200
Message-Id: <20200820090824.3033-4-pvorel@suse.cz>
X-Mailer: git-send-email 2.28.0
In-Reply-To: <20200820090824.3033-1-pvorel@suse.cz>
References: <20200820090824.3033-1-pvorel@suse.cz>
MIME-Version: 1.0
Sender: linux-integrity-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-integrity@vger.kernel.org

The IMA datafiles directory is structured so that it cannot be directly expanded to include datafiles for tests other than `ima_policy.sh`, as it's installed into /opt/ltp/testcases/data/ima_policy. Also not all policies are meant to be for ima_policy.sh, thus move policies into their own directories based on the test which they belong to.

Rename the policy directory to ima_policy to follow the pattern that the directory in sources matches the installed directory.

Reported-by: Lachlan Sneff
Signed-off-by: Lachlan Sneff
[ pvorel: based on Lachlan's patch, rewritten ]
Signed-off-by: Petr Vorel --- The same as in v3. .../kernel/security/integrity/ima/datafiles/Makefile | 10 +++++----- .../integrity/ima/datafiles/ima_kexec/Makefile | 11 +++++++++++ .../ima/datafiles/{ => ima_kexec}/kexec.policy | 0 .../integrity/ima/datafiles/ima_keys/Makefile | 11 +++++++++++ .../ima/datafiles/{ => ima_keys}/keycheck.policy | 0 .../integrity/ima/datafiles/ima_policy/Makefile | 11 +++++++++++ .../ima/datafiles/{ => ima_policy}/measure.policy | 0 .../datafiles/{ => ima_policy}/measure.policy-invalid | 0 8 files changed, 38 insertions(+), 5 deletions(-) create mode 100644 testcases/kernel/security/integrity/ima/datafiles/ima_kexec/Makefile rename testcases/kernel/security/integrity/ima/datafiles/{ => ima_kexec}/kexec.policy (100%) create mode 100644 testcases/kernel/security/integrity/ima/datafiles/ima_keys/Makefile rename testcases/kernel/security/integrity/ima/datafiles/{ => ima_keys}/keycheck.policy (100%) create mode 100644 testcases/kernel/security/integrity/ima/datafiles/ima_policy/Makefile rename testcases/kernel/security/integrity/ima/datafiles/{ => ima_policy}/measure.policy (100%) rename testcases/kernel/security/integrity/ima/datafiles/{ => ima_policy}/measure.policy-invalid (100%) diff --git a/testcases/kernel/security/integrity/ima/datafiles/Makefile b/testcases/kernel/security/integrity/ima/datafiles/Makefile index 369407112..6857ccfee 100644 --- a/testcases/kernel/security/integrity/ima/datafiles/Makefile +++ b/testcases/kernel/security/integrity/ima/datafiles/Makefile @@ -1,6 +1,8 @@ # # testcases/kernel/security/integrity/ima/policy testcases Makefile. # +# Copyright (c) Linux Test Project, 2019-2020 +# Copyright (c) 2020 Microsoft Corporation # Copyright (C) 2009, Cisco Systems Inc. # # This program is free software; you can redistribute it and/or modify 
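Review bot: the header comment `# testcases/kernel/security/integrity/ima/policy testcases Makefile.` still names a `policy` directory, while this series organises everything under `datafiles/` with per-test subdirectories; since the hunk already touches the header to add the copyright lines, correct the path in the same hunk so the comment matches the file it lives in.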
@@ -20,12 +22,10 @@ # Ngie Cooper, July 2009 # -top_srcdir ?= ../../../../../.. +top_srcdir ?= ../../../../../.. include $(top_srcdir)/include/mk/env_pre.mk -INSTALL_DIR := testcases/data/ima_policy +SUBDIRS := ima_* -INSTALL_TARGETS := measure.policy-invalid *.policy - -include $(top_srcdir)/include/mk/generic_leaf_target.mk +include $(top_srcdir)/include/mk/generic_trunk_target.mk diff --git a/testcases/kernel/security/integrity/ima/datafiles/ima_kexec/Makefile b/testcases/kernel/security/integrity/ima/datafiles/ima_kexec/Makefile new file mode 100644 index 000000000..5e0d632a7 --- /dev/null +++ b/testcases/kernel/security/integrity/ima/datafiles/ima_kexec/Makefile @@ -0,0 +1,11 @@ +# SPDX-License-Identifier: GPL-2.0-or-later +# Copyright (c) Linux Test Project, 2020 + +top_srcdir ?= ../../../../../../.. + +include $(top_srcdir)/include/mk/env_pre.mk + +INSTALL_DIR := testcases/data/ima_kexec +INSTALL_TARGETS := *.policy + +include $(top_srcdir)/include/mk/generic_leaf_target.mk diff --git a/testcases/kernel/security/integrity/ima/datafiles/kexec.policy b/testcases/kernel/security/integrity/ima/datafiles/ima_kexec/kexec.policy similarity index 100% rename from testcases/kernel/security/integrity/ima/datafiles/kexec.policy rename to testcases/kernel/security/integrity/ima/datafiles/ima_kexec/kexec.policy diff --git a/testcases/kernel/security/integrity/ima/datafiles/ima_keys/Makefile b/testcases/kernel/security/integrity/ima/datafiles/ima_keys/Makefile new file mode 100644 index 000000000..452321843 --- /dev/null +++ b/testcases/kernel/security/integrity/ima/datafiles/ima_keys/Makefile @@ -0,0 +1,11 @@ +# SPDX-License-Identifier: GPL-2.0-or-later +# Copyright (c) Linux Test Project, 2020 + +top_srcdir ?= ../../../../../../.. + +include $(top_srcdir)/include/mk/env_pre.mk + +INSTALL_DIR := testcases/data/ima_keys +INSTALL_TARGETS := *.policy + +include $(top_srcdir)/include/mk/generic_leaf_target.mk 
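Review bot: in the `@@ -20,12 +22,10 @@` hunk the line `top_srcdir ?= ../../../../../..` is removed and re-added with no visible difference, which is almost certainly a whitespace-only change; either drop it or mention it in the commit message so reviewers do not hunt for a path change. `SUBDIRS := ima_*` is a glob rather than an explicit list; if the trunk target expands it, any future directory under datafiles/ named `ima_*` is built automatically, which is convenient but deserves a comment. The new ima_kexec and ima_keys Makefiles are identical apart from INSTALL_DIR, and their seven-level `top_srcdir` is correct for one directory deeper than the parent's six.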
diff --git a/testcases/kernel/security/integrity/ima/datafiles/keycheck.policy b/testcases/kernel/security/integrity/ima/datafiles/ima_keys/keycheck.policy similarity index 100% rename from testcases/kernel/security/integrity/ima/datafiles/keycheck.policy rename to testcases/kernel/security/integrity/ima/datafiles/ima_keys/keycheck.policy diff --git a/testcases/kernel/security/integrity/ima/datafiles/ima_policy/Makefile b/testcases/kernel/security/integrity/ima/datafiles/ima_policy/Makefile new file mode 100644 index 000000000..953e21556 --- /dev/null +++ b/testcases/kernel/security/integrity/ima/datafiles/ima_policy/Makefile @@ -0,0 +1,11 @@ +# SPDX-License-Identifier: GPL-2.0-or-later +# Copyright (c) Linux Test Project, 2020 + +top_srcdir ?= ../../../../../../.. + +include $(top_srcdir)/include/mk/env_pre.mk + +INSTALL_DIR := testcases/data/ima_policy +INSTALL_TARGETS := *.policy-invalid *.policy + +include $(top_srcdir)/include/mk/generic_leaf_target.mk diff --git a/testcases/kernel/security/integrity/ima/datafiles/measure.policy b/testcases/kernel/security/integrity/ima/datafiles/ima_policy/measure.policy similarity index 100% rename from testcases/kernel/security/integrity/ima/datafiles/measure.policy rename to testcases/kernel/security/integrity/ima/datafiles/ima_policy/measure.policy 
diff --git a/testcases/kernel/security/integrity/ima/datafiles/measure.policy-invalid b/testcases/kernel/security/integrity/ima/datafiles/ima_policy/measure.policy-invalid similarity index 100% rename from testcases/kernel/security/integrity/ima/datafiles/measure.policy-invalid rename to testcases/kernel/security/integrity/ima/datafiles/ima_policy/measure.policy-invalid From patchwork Thu Aug 20 09:08:23 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Petr Vorel X-Patchwork-Id: 11725941 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id CC1B2739 for ; Thu, 20 Aug 2020 09:08:47 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id B4CF9207FB for ; Thu, 20 Aug 2020 09:08:47 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1725866AbgHTJIr (ORCPT ); Thu, 20 Aug 2020 05:08:47 -0400 Received: from mx2.suse.de ([195.135.220.15]:39574 "EHLO mx2.suse.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725885AbgHTJIk (ORCPT ); Thu, 20 Aug 2020 05:08:40 -0400 X-Virus-Scanned: by amavisd-new at test-mx.suse.de Received: from relay2.suse.de (unknown [195.135.221.27]) by mx2.suse.de (Postfix) with ESMTP id 4DA0FB75E; Thu, 20 Aug 2020 09:09:05 +0000 (UTC) 
From: Petr Vorel
To: ltp@lists.linux.it
Cc: Lachlan Sneff, Lakshmi Ramasubramanian, Mimi Zohar, linux-integrity@vger.kernel.org, Petr Vorel
Subject: [LTP v4 4/5] IMA: Add a test to verify measurement of certificate imported into a keyring
Date: Thu, 20 Aug 2020 11:08:23 +0200
Message-Id: <20200820090824.3033-5-pvorel@suse.cz>
X-Mailer: git-send-email 2.28.0
In-Reply-To: <20200820090824.3033-1-pvorel@suse.cz>
References: <20200820090824.3033-1-pvorel@suse.cz>
MIME-Version: 1.0
Sender: linux-integrity-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-integrity@vger.kernel.org

From: Lachlan Sneff

The IMA subsystem supports measuring certificates that have been imported into either system built-in or user-defined keyrings. A test to verify measurement of a certificate imported into a keyring is required.

Add an IMA measurement test that verifies that an x509 certificate can be imported into a newly-created, user-defined keyring and measured correctly by the IMA subsystem. A certificate used by the test is included in the `datafiles/keys` directory.

There can be restrictions on importing a certificate into a builtin trusted keyring. For example, the `.ima` keyring requires that imported certs be signed by a kernel private key in certain kernel configurations. For this reason, this test defines a user-defined keyring and imports a certificate into that.

Reviewed-by: Petr Vorel
Signed-off-by: Lachlan Sneff
[ pvorel: Added key_import_test into keycheck.policy, cleanup key, reword instructions in README.md, LTP API related fixes ]
Signed-off-by: Petr Vorel Reviewed-by: Mimi Zohar for the entire patch set. --- changes v3->v4: * Add cleanup function for test2: remove key with keyctl clear ID instead of running keyctl new_session > /dev/null which was reported as problematic (and still affects other tests which are run after this one) .../kernel/security/integrity/ima/README.md | 12 ++- .../integrity/ima/datafiles/ima_keys/Makefile | 2 +- .../ima/datafiles/ima_keys/keycheck.policy | 2 +- .../ima/datafiles/ima_keys/x509_ima.der | Bin 0 -> 650 bytes .../security/integrity/ima/tests/ima_keys.sh | 70 ++++++++++++++++-- 5 files changed, 73 insertions(+), 13 deletions(-) create mode 100644 testcases/kernel/security/integrity/ima/datafiles/ima_keys/x509_ima.der diff --git a/testcases/kernel/security/integrity/ima/README.md b/testcases/kernel/security/integrity/ima/README.md index 392e1e868..68d046678 100644 --- a/testcases/kernel/security/integrity/ima/README.md +++ b/testcases/kernel/security/integrity/ima/README.md @@ -16,11 +16,15 @@ space, may contain equivalent measurement tcb rules, detecting them would require `IMA_READ_POLICY=y` therefore ignore this option. ### IMA key test -`ima_keys.sh` requires a readable IMA policy, as well as a loaded policy -with `func=KEY_CHECK keyrings=...`, see example in `keycheck.policy`. +The measuring keys test (first test) in `ima_keys.sh` requires a readable IMA +policy, as well as a loaded measure policy with `func=KEY_CHECK keyrings=...`. -As well as what's required for the IMA tests, the following are also required --in the kernel configuration: +The certificate import test (second test) require measure policy with +`func=KEY_CHECK keyrings=key_import_test`. Valid policy for both is in +`keycheck.policy`. + +As well as what's required for the IMA tests, key tests require reading the IMA +policy allowed in the kernel configuration: ``` CONFIG_IMA_READ_POLICY=y ``` 
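Review bot: grammar in the added README text: `The certificate import test (second test) require measure policy with` should read `requires a measure policy with`, and `key tests require reading the IMA policy allowed in the kernel configuration:` is hard to parse; `key tests additionally require that reading the IMA policy is enabled in the kernel configuration:` says the same thing plainly. It would also help to state in the README that both tests read the loaded policy from securityfs, which is why `CONFIG_IMA_READ_POLICY=y` is listed right below.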
diff --git a/testcases/kernel/security/integrity/ima/datafiles/ima_keys/Makefile b/testcases/kernel/security/integrity/ima/datafiles/ima_keys/Makefile index 452321843..ac7ce33ab 100644 --- a/testcases/kernel/security/integrity/ima/datafiles/ima_keys/Makefile +++ b/testcases/kernel/security/integrity/ima/datafiles/ima_keys/Makefile @@ -6,6 +6,6 @@ top_srcdir ?= ../../../../../../.. include $(top_srcdir)/include/mk/env_pre.mk INSTALL_DIR := testcases/data/ima_keys -INSTALL_TARGETS := *.policy +INSTALL_TARGETS := *.policy x509_ima.der include $(top_srcdir)/include/mk/generic_leaf_target.mk diff --git a/testcases/kernel/security/integrity/ima/datafiles/ima_keys/keycheck.policy b/testcases/kernel/security/integrity/ima/datafiles/ima_keys/keycheck.policy index 3f1934a3d..623162002 100644 --- a/testcases/kernel/security/integrity/ima/datafiles/ima_keys/keycheck.policy +++ b/testcases/kernel/security/integrity/ima/datafiles/ima_keys/keycheck.policy @@ -1 +1 @@ -measure func=KEY_CHECK keyrings=.ima|.evm|.builtin_trusted_keys|.blacklist template=ima-buf +measure func=KEY_CHECK keyrings=.ima|.evm|.builtin_trusted_keys|.blacklist|key_import_test template=ima-buf diff --git a/testcases/kernel/security/integrity/ima/datafiles/ima_keys/x509_ima.der b/testcases/kernel/security/integrity/ima/datafiles/ima_keys/x509_ima.der new file mode 100644 index 0000000000000000000000000000000000000000..92be058da22adffa9d6b6e51efa0c737ebbbbdcd GIT binary patch literal 650 zcmXqLVrnyJVtl`VnTe5!NhJD#vj69`9|BBf8}FEsx@^_9$Clp>c-c6$+C196^D;7W zvoaV27z!HjvoVLVaPe?t?=lA2Ij_I z27|^VOo=tim8DK0r^FsU zl)K`}`+CO4@4KBkoLmcj?fH`%wbDvU6-SMf6Eh}{&)1rdsOoNQ-1fgBQ1t{ zVTqGwuK95LlFE)6i{@=vlP6!2`Y}xDFAzh(;(UoMln9V>g;W#-LUGS7A`nYQKY WBem{7L5JThS+;$vggi%(*E;~nlJ80Y literal 0 HcmV?d00001 diff --git a/testcases/kernel/security/integrity/ima/tests/ima_keys.sh b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh index 015a3c115..ad3cbbdc7 100755 --- a/testcases/kernel/security/integrity/ima/tests/ima_keys.sh 
+++ b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh @@ -6,12 +6,18 @@ # # Verify that keys are measured correctly based on policy. -TST_NEEDS_CMDS="cut grep sed tr xxd" -TST_CNT=1 +TST_NEEDS_CMDS="cmp cut grep sed tr xxd" +TST_CNT=2 TST_NEEDS_DEVICE=1 +TST_CLEANUP=cleanup . ima_setup.sh +cleanup() +{ + tst_is_num $KEYRING_ID && keyctl clear $KEYRING_ID +} + # Based on https://lkml.org/lkml/2019/12/13/564. # (450d0fd51564 - "IMA: Call workqueue functions to measure queued keys") test1() @@ -29,13 +35,15 @@ test1() keycheck_line=$(echo "$keycheck_lines" | grep "keyrings" | head -n1) if [ -z "$keycheck_line" ]; then - tst_brk TCONF "ima policy does not specify a keyrings to check" + tst_res TCONF "IMA policy does not specify a keyrings to check" + return fi keyrings=$(echo "$keycheck_line" | tr " " "\n" | grep "keyrings" | \ sed "s/\./\\\./g" | cut -d'=' -f2) if [ -z "$keyrings" ]; then - tst_brk TCONF "ima policy has a keyring key-value specifier, but no specified keyrings" + tst_res TCONF "IMA policy has a keyring key-value specifier, but no specified keyrings" + return fi templates=$(echo "$keycheck_line" | tr " " "\n" | grep "template" | \ @@ -51,11 +59,13 @@ test1() echo "$line" | cut -d' ' -f6 | xxd -r -p > $test_file - expected_digest="$(compute_digest $algorithm $test_file)" || \ - tst_brk TCONF "cannot compute digest for $algorithm" + if ! expected_digest="$(compute_digest $algorithm $test_file)"; then + tst_res TCONF "cannot compute digest for $algorithm" + return + fi if [ "$digest" != "$expected_digest" ]; then - tst_res TFAIL "incorrect digest was found for the ($keyring) keyring" + tst_res TFAIL "incorrect digest was found for $keyring keyring" return fi done 
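Review bot: in the `@@ -6,12 +6,18 @@` hunk, `cleanup()` runs `tst_is_num $KEYRING_ID && keyctl clear $KEYRING_ID`; `keyctl clear` empties the keyring but leaves the now-empty `key_import_test` keyring linked in the session keyring after the test, so `keyctl unlink $KEYRING_ID @s` after the clear would remove the keyring itself as well. The guard also relies on `tst_is_num` rejecting an empty argument when only test1 was run and KEYRING_ID is unset; a short comment saying so would spare the next reader a check.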
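Review bot: in the `@@ -51,11 +59,13 @@` hunk the new `tst_res TCONF "cannot compute digest for $algorithm"` followed by `return`, like the existing `tst_res TFAIL ...; return`, sits inside `grep -E ... | while read line; do ... done`, where the loop body runs in a subshell of the pipeline; `return` there only leaves that subshell, the pipeline ends, and test1 carries on to `tst_res TPASS "specified keyrings were measured correctly"` in the following hunk, so a TCONF or TFAIL is followed by a TPASS for the same test. Feeding the loop from a file (`grep ... > $tmp_file; while read line; do ...; done < $tmp_file`) keeps the body in the main shell so `return` leaves test1, or record the failure in a flag file and test it after `done`.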
@@ -63,4 +73,50 @@ test1() tst_res TPASS "specified keyrings were measured correctly" } +# Create a new keyring, import a certificate into it, and verify +# that the certificate is measured correctly by IMA. +test2() +{ + tst_require_cmds evmctl keyctl openssl + + local cert_file="$TST_DATAROOT/x509_ima.der" + local keyring_name="key_import_test" + local temp_file="file.txt" + + tst_res TINFO "verify measurement of certificate imported into a keyring" + + if ! check_ima_policy_content "^measure.*func=KEY_CHECK.*keyrings=.*$keyring_name"; then + tst_brk TCONF "IMA policy does not contain $keyring_name keyring" + fi + + KEYRING_ID=$(keyctl newring $keyring_name @s) || \ + tst_brk TBROK "unable to create a new keyring" + + if ! tst_is_num $KEYRING_ID; then + tst_brk TBROK "unable to parse the new keyring id ('$KEYRING_ID')" + fi + + evmctl import $cert_file $KEYRING_ID > /dev/null || \ + tst_brk TBROK "unable to import a certificate into $keyring_name keyring" + + grep $keyring_name $ASCII_MEASUREMENTS | tail -n1 | cut -d' ' -f6 | \ + xxd -r -p > $temp_file + + if [ ! -s $temp_file ]; then + tst_res TFAIL "keyring $keyring_name not found in $ASCII_MEASUREMENTS" + return + fi + + if ! 
openssl x509 -in $temp_file -inform der > /dev/null; then + tst_res TFAIL "logged certificate is not a valid x509 certificate" + return + fi + + if cmp -s $temp_file $cert_file; then + tst_res TPASS "logged certificate matches the original" + else + tst_res TFAIL "logged certificate does not match original" + fi +} + tst_run From patchwork Thu Aug 20 09:08:24 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Petr Vorel X-Patchwork-Id: 11725943 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id EF85E16B1 for ; Thu, 20 Aug 2020 09:08:47 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id D3DDB21744 for ; Thu, 20 Aug 2020 09:08:47 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1725885AbgHTJIr (ORCPT ); Thu, 20 Aug 2020 05:08:47 -0400 Received: from mx2.suse.de ([195.135.220.15]:39628 "EHLO mx2.suse.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726215AbgHTJIn (ORCPT ); Thu, 20 Aug 2020 05:08:43 -0400 X-Virus-Scanned: by amavisd-new at test-mx.suse.de Received: from relay2.suse.de (unknown [195.135.221.27]) by mx2.suse.de (Postfix) with ESMTP id 7A79CB761; Thu, 20 Aug 2020 09:09:05 +0000 (UTC) 
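Review bot: `cert_file="$TST_DATAROOT/x509_ima.der"` together with the ima_keys Makefile hunk (`INSTALL_DIR := testcases/data/ima_keys`, `INSTALL_TARGETS := *.policy x509_ima.der`) places the certificate under `datafiles/ima_keys`, whereas the commit message says it is included in the `datafiles/keys` directory; please update the message. In test2, `grep $keyring_name $ASCII_MEASUREMENTS | tail -n1` matches `key_import_test` anywhere in a line, so an unrelated entry whose name merely contains that string would be picked up; `grep -w` or matching the keyring name field would tighten it. `tst_require_cmds evmctl keyctl openssl` inside test2 reports TCONF through tst_brk for the whole script when a tool is missing, after test1 has already run; listing the tools in TST_NEEDS_CMDS would surface that up front, at the cost of requiring them for test1 too. Both temporary files are named `file.txt` (test1's `test_file`, test2's `temp_file`), harmless but confusing when inspecting leftovers in the temp dir.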
From: Petr Vorel
To: ltp@lists.linux.it
Cc: Petr Vorel, Lakshmi Ramasubramanian, Mimi Zohar, linux-integrity@vger.kernel.org
Subject: [LTP v4 5/5] IMA/ima_keys.sh: Enhance policy checks
Date: Thu, 20 Aug 2020 11:08:24 +0200
Message-Id: <20200820090824.3033-6-pvorel@suse.cz>
X-Mailer: git-send-email 2.28.0
In-Reply-To: <20200820090824.3033-1-pvorel@suse.cz>
References: <20200820090824.3033-1-pvorel@suse.cz>
MIME-Version: 1.0
Sender: linux-integrity-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-integrity@vger.kernel.org

Add check_keys_policy helper to check for all policy's keyrings and templates (removed head) and reuse policy check code. Replaced tr with sed to cut down the dependencies. Log keyrings and templates for easier debugging.

NOTE: check_keys_policy cannot be used with subshell $() redirection (unless previously checked with other helpers), thus use redirection to the file.

Tested on 2 policies with more lines than the example policy in keycheck.policy:

measure func=KEY_CHECK keyrings=.ima|.evm|.builtin_trusted_keys|.blacklist|key_import_test template=ima-buf
measure func=KEY_CHECK keyrings=key_import_test template=ima-buf
measure func=KEY_CHECK template=ima-buf keyrings=.ima|.builtin_trusted_keys
measure func=KEY_CHECK template=ima-buf keyrings=key_import_test

Signed-off-by: Petr Vorel
---
changes v3->v4:
* update check_keys_policy() and checking the policy in general
* remove new line when working policy to find keyrings and templates
* replace tr with sed

 .../security/integrity/ima/tests/ima_keys.sh | 60 ++++++++++++-------
 1 file changed, 37 insertions(+), 23 deletions(-)

diff --git a/testcases/kernel/security/integrity/ima/tests/ima_keys.sh b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh
index ad3cbbdc7..c5a6d2591 100755
--- a/testcases/kernel/security/integrity/ima/tests/ima_keys.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh
@@ -6,48 +6,63 @@ # # Verify that keys are measured correctly based on policy. -TST_NEEDS_CMDS="cmp cut grep sed tr xxd" +TST_NEEDS_CMDS="cmp cut grep sed xxd" TST_CNT=2 TST_NEEDS_DEVICE=1 +TST_SETUP=setup TST_CLEANUP=cleanup . ima_setup.sh +FUNC_KEYCHECK='func=KEY_CHECK' +TEMPLATE_BUF='template=ima-buf' +REQUIRED_POLICY="^measure.*($FUNC_KEYCHECK.*$TEMPLATE_BUF|$TEMPLATE_BUF.*$FUNC_KEYCHECK)" + +setup() +{ + require_ima_policy_content "$REQUIRED_POLICY" '-E' > policy.txt +} + cleanup() { tst_is_num $KEYRING_ID && keyctl clear $KEYRING_ID } +check_keys_policy() +{ + local pattern="$1" + + if ! grep -E "$pattern" policy.txt; then + tst_res TCONF "IMA policy must specify $pattern, $FUNC_KEYCHECK, $TEMPLATE_BUF" + return 1 + fi + return 0 +} + # Based on https://lkml.org/lkml/2019/12/13/564. # (450d0fd51564 - "IMA: Call workqueue functions to measure queued keys") test1() { - local keyrings keycheck_lines keycheck_line templates - local func='func=KEY_CHECK' - local buf='template=ima-buf' - local pattern="($func.*$buf|$buf.*$func)" - local test_file="file.txt" - - tst_res TINFO "verifying key measurement for keyrings and templates specified in IMA policy file" + local keycheck_lines i keyrings templates + local pattern='keyrings=[^[:space:]]+' + local test_file="file.txt" tmp_file="file2.txt" - require_ima_policy_content "$pattern" '-Eq' - keycheck_lines=$(check_ima_policy_content "$pattern" '-E') - keycheck_line=$(echo "$keycheck_lines" | grep "keyrings" | head -n1) + tst_res TINFO "verify key measurement for keyrings and templates specified in IMA policy" - if [ -z "$keycheck_line" ]; then - tst_res TCONF "IMA policy does not specify a keyrings to check" - return - fi - - keyrings=$(echo "$keycheck_line" | tr " " "\n" | grep "keyrings" | \ - sed "s/\./\\\./g" | cut -d'=' -f2) + check_keys_policy "$pattern" > $tmp_file || return + keycheck_lines=$(cat $tmp_file) + keyrings=$(for i in $keycheck_lines; do echo "$i" | grep "keyrings" | \ + sed "s/\./\\\./g" | cut -d'=' 
-f2; done | sed ':a;N;$!ba;s/\n/|/g') if [ -z "$keyrings" ]; then tst_res TCONF "IMA policy has a keyring key-value specifier, but no specified keyrings" return fi - templates=$(echo "$keycheck_line" | tr " " "\n" | grep "template" | \ - cut -d'=' -f2) + templates=$(for i in $keycheck_lines; do echo "$i" | grep "template" | \ + cut -d'=' -f2; done | sed ':a;N;$!ba;s/\n/|/g') + + tst_res TINFO "keyrings: '$keyrings'" + tst_res TINFO "templates: '$templates'" grep -E "($templates).*($keyrings)" $ASCII_MEASUREMENTS | while read line do @@ -81,13 +96,12 @@ test2() local cert_file="$TST_DATAROOT/x509_ima.der" local keyring_name="key_import_test" + local pattern="keyrings=[^[:space:]]*$keyring_name" local temp_file="file.txt" tst_res TINFO "verify measurement of certificate imported into a keyring" - if ! check_ima_policy_content "^measure.*func=KEY_CHECK.*keyrings=.*$keyring_name"; then - tst_brk TCONF "IMA policy does not contain $keyring_name keyring" - fi + check_keys_policy "$pattern" >/dev/null || return KEYRING_ID=$(keyctl newring $keyring_name @s) || \ tst_brk TBROK "unable to create a new keyring"
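Review bot: in the `@@ -6,48 +6,63 @@` hunk the join `sed ':a;N;$!ba;s/\n/|/g'` used for both `keyrings` and `templates` is GNU sed syntax: in POSIX sed the `:` command cannot be followed by `;`, the label runs to the end of the line, so strict implementations see a label named `a;N;$!ba;s/\n/|/g`. `sed -e :a -e N -e '$!ba' -e 's/\n/|/g'` is the portable spelling and still meets the goal of dropping tr. The joined alternations also repeat values (`key_import_test|key_import_test|...` for the commit message's policies), harmless for grep -E but noisy in the new TINFO lines; `sort -u` before the join would clean that up. Finally, `local pattern='keyrings=[^[:space:]]+'` is an ERE because of the `+`; `check_keys_policy` does pass `-E` to grep, but a comment on the pattern would save the next reader from checking, given that the earlier `check_ima_policy_content` calls had to pass the flag explicitly.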
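Review bot: in the `@@ -81,13 +96,12 @@` hunk, `local pattern="keyrings=[^[:space:]]*$keyring_name"` accepts any keyrings value that merely ends with the name, so `keyrings=xkey_import_test` or `keyrings=.ima|mykey_import_test` would also pass; anchoring the name as a whole alternative, e.g. `keyrings=([^[:space:]]*\|)?$keyring_name(\||[[:space:]]|$)`, matches only the intended keyring. Since `check_keys_policy` prints the matched rule and test2 discards it with `>/dev/null`, test2 loses the debugging output test1 now logs; a `tst_res TINFO` with the matched rule before discarding it would make a TCONF here easier to diagnose.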
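The extraction this patch's test1 performs (every `keyrings=` and `template=` value of every matching rule, joined into grep alternations), as an added POSIX sh example that is not code from ima_keys.sh: `POLICY` is the four rules from the commit message plus one unrelated rule that must be ignored, the function names are chosen for this example, and the sed join is written in the multi `-e` form rather than the `;`-separated one-liner in the hunk.

```shell
#!/bin/sh
# Added example, not code from ima_keys.sh: collect the keyrings= and template=
# values of every KEY_CHECK/ima-buf rule in a policy and join them into grep -E
# alternations, as patch 5's test1 does, with the sed label written in the
# portable multi -e form. POLICY is the four rules from the commit message plus
# one unrelated rule that must be ignored.
POLICY='measure func=KEY_CHECK keyrings=.ima|.evm|.builtin_trusted_keys|.blacklist|key_import_test template=ima-buf
measure func=KEY_CHECK keyrings=key_import_test template=ima-buf
measure func=KEY_CHECK template=ima-buf keyrings=.ima|.builtin_trusted_keys
measure func=KEY_CHECK template=ima-buf keyrings=key_import_test
measure func=BPRM_CHECK template=ima-ng'

FUNC_KEYCHECK='func=KEY_CHECK'
TEMPLATE_BUF='template=ima-buf'
REQUIRED_POLICY="^measure.*($FUNC_KEYCHECK.*$TEMPLATE_BUF|$TEMPLATE_BUF.*$FUNC_KEYCHECK)"

# The rules setup() keeps in policy.txt: measure rules carrying both
# func=KEY_CHECK and template=ima-buf, in either order.
keycheck_lines() {
    printf '%s\n' "$POLICY" | grep -E "$REQUIRED_POLICY"
}

# Join stdin lines with '|'. Same effect as sed ':a;N;$!ba;s/\n/|/g', but a
# POSIX sed label runs to the end of its argument, so each command gets its
# own -e.
join_pipe() {
    sed -e :a -e N -e '$!ba' -e 's/\n/|/g'
}

# Value of every "<key>=" word across all keycheck lines, joined with '|'.
# Word splitting of $(keycheck_lines) replaces the tr " " "\n" of the old code.
collect() {   # $1 = key name, e.g. keyrings or template
    for word in $(keycheck_lines); do
        case $word in
            "$1"=*) echo "${word#*=}" ;;
        esac
    done | join_pipe
}

# Keyring alternation with '.' escaped so it is literal in the ERE.
keyrings_pattern() {
    collect keyrings | sed 's/\./\\./g'
}

templates_pattern() {
    collect template
}

echo "keycheck rules: $(keycheck_lines | wc -l)"
echo "keyrings:  '$(keyrings_pattern)'"
echo "templates: '$(templates_pattern)'"
echo "measurement grep: ($(templates_pattern)).*($(keyrings_pattern))"
```

The BPRM_CHECK rule is filtered out by `REQUIRED_POLICY`, the `keyrings=` values are collected regardless of whether they precede or follow `template=`, and the resulting alternations are what the measurement-list grep in test1 consumes; as with the script, duplicates such as `key_import_test|key_import_test` are kept, and `sort -u` before `join_pipe` would remove them.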