From patchwork Fri Dec 13 22:20:07 2024
X-Patchwork-Submitter: Petr Vorel
X-Patchwork-Id: 13907996
From: Petr Vorel
To: ltp@lists.linux.it
Cc: Petr Vorel, Mimi Zohar, linux-integrity@vger.kernel.org
Subject: [PATCH v2 1/8] IMA: Add TCB policy as an example for ima_measurements.sh
Date: Fri, 13 Dec 2024 23:20:07 +0100
Message-ID: <20241213222014.1580991-2-pvorel@suse.cz>
In-Reply-To: <20241213222014.1580991-1-pvorel@suse.cz>

Taken from IMA docs [1], removed dont_measure fsmagic=0x1021994 (tmpfs) as suggested by Mimi.

[1] https://ima-doc.readthedocs.io/en/latest/ima-policy.html#ima-tcb

Signed-off-by: Petr Vorel
---
I would like to check in ima_measurements.sh for this policy as a variant to the ima_policy=tcb command line parameter. Do I need to check for all of these (suppose all are in ima_policy=tcb)?

 .../ima/datafiles/ima_measurements/tcb.policy | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
 create mode 100644 testcases/kernel/security/integrity/ima/datafiles/ima_measurements/tcb.policy
diff --git a/testcases/kernel/security/integrity/ima/datafiles/ima_measurements/tcb.policy b/testcases/kernel/security/integrity/ima/datafiles/ima_measurements/tcb.policy new file mode 100644 index 0000000000..1c919f7260 --- /dev/null +++ b/testcases/kernel/security/integrity/ima/datafiles/ima_measurements/tcb.policy 
@@ -0,0 +1,19 @@ +dont_measure fsmagic=0x9fa0 +dont_measure fsmagic=0x62656572 +dont_measure fsmagic=0x64626720 +dont_measure fsmagic=0x1cd1 +dont_measure fsmagic=0x42494e4d +dont_measure fsmagic=0x73636673 +dont_measure fsmagic=0xf97cff8c +dont_measure fsmagic=0x43415d53 +dont_measure fsmagic=0x27e0eb +dont_measure fsmagic=0x63677270 +dont_measure fsmagic=0x6e736673 +dont_measure fsmagic=0xde5e81e4 +measure func=MMAP_CHECK mask=MAY_EXEC +measure func=BPRM_CHECK mask=MAY_EXEC +measure func=FILE_CHECK mask=^MAY_READ euid=0 +measure func=FILE_CHECK mask=^MAY_READ uid=0 +measure func=MODULE_CHECK +measure func=FIRMWARE_CHECK +measure func=POLICY_CHECK
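Review bot: the new tcb.policy deviates from the IMA documentation it is copied from without saying so in the file: the tmpfs rule (dont_measure fsmagic=0x1021994) is dropped, as the commit message explains, but a reader comparing the 12 dont_measure lines with the referenced doc will take the omission for a transcription mistake. Record the deviation where the policy is described, for example in the ima/README.md section that 2/8 of this series adds for LTP_IMA_LOAD_POLICY, so that the intent survives outside the git log. On the question in the cover note: the policy carries 19 rules, and the equivalence check that 2/8 adds to ima_measurements.sh greps for only two of them, so whichever rules the test cases actually rely on should be the ones checked.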
From patchwork Fri Dec 13 22:20:08 2024
X-Patchwork-Id: 13907994
From: Petr Vorel
To: ltp@lists.linux.it
Cc: Petr Vorel, Mimi Zohar, linux-integrity@vger.kernel.org
Subject: [PATCH v2 2/8] ima_setup.sh: Allow to load predefined policy
Date: Fri, 13 Dec 2024 23:20:08 +0100
Message-ID: <20241213222014.1580991-3-pvorel@suse.cz>
In-Reply-To: <20241213222014.1580991-1-pvorel@suse.cz>

Environment variable LTP_IMA_LOAD_POLICY=1 tries to load an example policy if available. This should be used only if the tooling running LTP tests allows a reboot afterwards, because the policy may be writable only once (e.g. missing CONFIG_IMA_WRITE_POLICY=y) or policies can influence each other.

Loading may fail due to various reasons (e.g. the previously mentioned missing CONFIG_IMA_WRITE_POLICY=y with a policy already loaded, or when secure boot is enabled and the kernel is configured with CONFIG_IMA_ARCH_POLICY enabled: an appraise func=POLICY_CHECK appraise_type=imasig rule is loaded, requiring the IMA policy itself to be signed).
Signed-off-by: Petr Vorel --- .../kernel/security/integrity/ima/README.md | 12 +++++ .../integrity/ima/tests/ima_measurements.sh | 17 +++++- .../security/integrity/ima/tests/ima_setup.sh | 54 ++++++++++++++++--- 3 files changed, 74 insertions(+), 9 deletions(-) diff --git a/testcases/kernel/security/integrity/ima/README.md b/testcases/kernel/security/integrity/ima/README.md index 5b261a1914..c5b3db1a5a 100644 --- a/testcases/kernel/security/integrity/ima/README.md +++ b/testcases/kernel/security/integrity/ima/README.md @@ -8,6 +8,18 @@ CONFIG_INTEGRITY=y CONFIG_IMA=y ``` +### Loading policy for testing (optional) +Setting environment variable `LTP_IMA_LOAD_POLICY=1` tries to load example +policy if available. This should be used only if tooling running LTP tests +allows to reboot afterwards because policy may be writable only once, e.g. +missing `CONFIG_IMA_WRITE_POLICY=y`, or policies can influence each other. + +Loading may fail due various reasons (e.g. previously mentioned missing +`CONFIG_IMA_WRITE_POLICY=y` and policy already loaded or when secure boot is +enabled and the kernel is configured with `CONFIG_IMA_ARCH_POLICY` enabled, an +`appraise func=POLICY_CHECK appraise_type=imasig` rule is loaded, requiring the +IMA policy itself to be signed). + ### IMA measurement tests `ima_measurements.sh` require builtin IMA tcb policy to be loaded (`ima_policy=tcb` kernel parameter). diff --git a/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh b/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh index 1da2aa6a51..2c95aeb990 100755 --- a/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh +++ b/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh 
@@ -1,7 +1,7 @@ #!/bin/sh # SPDX-License-Identifier: GPL-2.0-or-later # Copyright (c) 2009 IBM Corporation -# Copyright (c) 2018-2021 Petr Vorel +# Copyright (c) 2018-2024 Petr Vorel # Author: Mimi Zohar # # Verify that measurements are added to the measurement list based on policy. @@ -12,10 +12,23 @@ TST_CNT=3 setup() { - require_ima_policy_cmdline "tcb" + local policy="tcb" TEST_FILE="$PWD/test.txt" [ -f "$IMA_POLICY" ] || tst_res TINFO "not using default policy" + + if [ "$LTP_IMA_LOAD_POLICY" != 1 ]; then + require_ima_policy_cmdline $policy + return + elif check_ima_policy_cmdline $policy; then + return + fi + + if ! check_ima_policy_cmdline $policy && + ! require_ima_policy_content '^measure func=FILE_CHECK mask=^MAY_READ uid=0' && + ! require_ima_policy_content 'measure func=POLICY_CHECK'; then + tst_brk TCONF "IMA measurement tests require builtin IMA $policy policy (e.g. ima_policy=$policy kernel parameter) or it's equivalent (try LTP_IMA_LOAD_POLICY=1)" + fi } check_iversion_support() diff --git a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh index df3fc5603f..7afb1a0967 100644 --- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh +++ b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh @@ -1,7 +1,7 @@ #!/bin/sh # SPDX-License-Identifier: GPL-2.0-or-later # Copyright (c) 2009 IBM Corporation -# Copyright (c) 2018-2020 Petr Vorel +# Copyright (c) 2018-2024 Petr Vorel # Author: Mimi Zohar TST_TESTFUNC="test" 
@@ -72,14 +72,20 @@ require_policy_readable() fi } -require_policy_writable() +check_policy_writable() { - local err="IMA policy already loaded and kernel not configured to enable multiple writes to it (need CONFIG_IMA_WRITE_POLICY=y)" - - [ -f $IMA_POLICY ] || tst_brk TCONF "$err" - # CONFIG_IMA_READ_POLICY + [ -f $IMA_POLICY ] || return 1 + # workaround for kernels < v4.18 without fix + # ffb122de9a60b ("ima: Reflect correct permissions for policy") echo "" 2> log > $IMA_POLICY - grep -q "Device or resource busy" log && tst_brk TCONF "$err" + grep -q "Device or resource busy" log && return 1 + return 0 +} + +require_policy_writable() +{ + check_policy_writable || tst_brk TCONF \ + "IMA policy already loaded and kernel not configured to enable multiple writes to it (need CONFIG_IMA_WRITE_POLICY=y)" } check_ima_policy_content() @@ -158,6 +164,34 @@ print_ima_config() tst_res TINFO "/proc/cmdline: $(cat /proc/cmdline)" } +load_ima_policy() +{ + local policy="$(ls $TST_DATAROOT/*.policy 2>/dev/null)" + + if [ "$LTP_IMA_LOAD_POLICY" != 1 -a "$policy" -a -f "$policy" ]; then + tst_res TINFO "NOTE: set LTP_IMA_LOAD_POLICY=1 to load policy for this test" + return + fi + + if [ -z "$policy" -o ! -f "$policy" ]; then + tst_res TINFO "no policy for this test" + LTP_IMA_LOAD_POLICY= + return + fi + + tst_res TINFO "trying to load '$policy' policy:" + cat $policy + if ! check_policy_writable; then + tst_res TINFO "WARNING: IMA policy already loaded and kernel not configured to enable multiple writes to it (need CONFIG_IMA_WRITE_POLICY=y), reboot required" + LTP_IMA_LOAD_POLICY= + return + fi + + cat "$policy" 2> log > $IMA_POLICY + if grep -q "Device or resource busy" log; then + tst_brk TBROK "Loading policy failed" + fi +} ima_setup() { SECURITYFS="$(mount_helper securityfs $SYSFS/kernel/security)" @@ -180,6 +214,8 @@ ima_setup() cd "$TST_MNTPOINT" fi + load_ima_policy + [ -n "$TST_SETUP_CALLER" ] && $TST_SETUP_CALLER } 
@@ -192,6 +228,10 @@ ima_cleanup() for dir in $UMOUNT; do umount $dir done + + if [ "$LTP_IMA_LOAD_POLICY" = 1 ]; then + tst_res TINFO "WARNING: policy loaded via LTP_IMA_LOAD_POLICY=1, reboot recommended" + fi } set_digest_index()
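Review bot: the README hunk has a grammar slip ("Loading may fail due various reasons" should read "due to various reasons"), and it would help to state the precondition that load_ima_policy actually checks: the policy is loaded only when LTP_IMA_LOAD_POLICY=1 and a *.policy file exists in the test's datafiles directory; without a policy file the variable is silently cleared.

Review bot: the fallback condition in the ima_measurements.sh setup() hunk cannot reach the tst_brk TCONF it ends with. The require_* helpers in this file abort the test themselves (compare the require_policy_writable rewrite in the ima_setup.sh hunk, which calls tst_brk TCONF on failure), so `! require_ima_policy_content ...` either aborts with the helper's own message or evaluates to false; check_ima_policy_content is the helper to negate here. The leading `! check_ima_policy_cmdline $policy` term is redundant, since the elif above already returned when the cmdline matched. Chaining the three negated checks with && also breaks the test only when none of them holds, whereas the message text wants "cmdline tcb, or both equivalent rules present"; `if ! check_ima_policy_content '^measure func=FILE_CHECK mask=^MAY_READ uid=0' || ! check_ima_policy_content 'measure func=POLICY_CHECK'; then` expresses that. Minor: "it's equivalent" in the TCONF string should be "its equivalent".

Review bot: load_ima_policy in the ima_setup.sh hunk treats any write that does not produce "Device or resource busy" as success: the exit status of `cat "$policy" 2> log > $IMA_POLICY` is never checked, so the signed-policy failure the commit message itself describes (appraise func=POLICY_CHECK appraise_type=imasig rejecting the write for a different reason) goes unnoticed, LTP_IMA_LOAD_POLICY stays set, and the ima_cleanup hunk still reports the policy as loaded. Check the exit status (and print the captured log on failure), and consider confirming the load with check_ima_policy_content on one rule from the file. Separately, `local policy="$(ls $TST_DATAROOT/*.policy 2>/dev/null)"` yields a multi-line value when more than one .policy file is present, so `-f "$policy"` fails and the "no policy for this test" note is misleading; pick the first match or document that exactly one file is expected.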
From patchwork Fri Dec 13 22:20:09 2024
X-Patchwork-Id: 13907997
From: Petr Vorel
To: ltp@lists.linux.it
Cc: Petr Vorel, Mimi Zohar, linux-integrity@vger.kernel.org, Cyril Hrubis
Subject: [PATCH v2 3/8] tst_test.sh: IMA: Allow to disable LSM warnings and use it for IMA
Date: Fri, 13 Dec 2024 23:20:09 +0100
Message-ID: <20241213222014.1580991-4-pvorel@suse.cz>
In-Reply-To: <20241213222014.1580991-1-pvorel@suse.cz>

Suggested-by: Mimi Zohar
Signed-off-by: Petr Vorel
---
@Cyril: or should we use the opposite approach - by default unused and declare the tests where it should be used? I guess tests for typical userspace tools should use it (e.g. runtest/commands or tests which use tst_net.sh).

 testcases/kernel/security/integrity/ima/tests/ima_setup.sh | 1 +
 testcases/lib/tst_test.sh | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh index 7afb1a0967..cf769ac751 100644 --- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh +++ b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
@@ -11,6 +11,7 @@ TST_CLEANUP_CALLER="$TST_CLEANUP" TST_CLEANUP="ima_cleanup" TST_NEEDS_ROOT=1 TST_MOUNT_DEVICE=1 +TST_SKIP_LSM_WARNINGS=1 # TST_MOUNT_DEVICE can be unset, therefore specify explicitly TST_NEEDS_TMPDIR=1 diff --git a/testcases/lib/tst_test.sh b/testcases/lib/tst_test.sh index cfdae02300..3e03a1717f 100644 --- a/testcases/lib/tst_test.sh +++ b/testcases/lib/tst_test.sh 
@@ -81,7 +81,7 @@ _tst_do_exit() fi if [ $TST_BROK -gt 0 -o $TST_FAIL -gt 0 -o $TST_WARN -gt 0 ]; then - _tst_check_security_modules + [ -z "$TST_SKIP_LSM_WARNINGS" ] && _tst_check_security_modules fi cat >&2 << EOF
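Review bot: the new TST_SKIP_LSM_WARNINGS variable in the tst_test.sh hunk is undocumented; the diffstat touches only ima_setup.sh and tst_test.sh, so the shell API documentation should gain an entry saying what the variable suppresses and when a test is expected to set it (the cover note's own suggestion, userspace-tool tests such as runtest/commands or tst_net.sh users, belongs there). The test itself is `[ -z "$TST_SKIP_LSM_WARNINGS" ]`, so any non-empty value, including 0, disables the LSM report; comparing against 1 the way this series tests LTP_IMA_LOAD_POLICY (`[ "$LTP_IMA_LOAD_POLICY" = 1 ]`) would make TST_SKIP_LSM_WARNINGS=0 behave as a reader expects.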
From patchwork Fri Dec 13 22:20:10 2024
X-Patchwork-Id: 13907992
From: Petr Vorel
To: ltp@lists.linux.it
Cc: Petr Vorel, Mimi Zohar, linux-integrity@vger.kernel.org
Subject: [PATCH v2 4/8] ima_setup: Print warning when policy not readable
Date: Fri, 13 Dec 2024 23:20:10 +0100
Message-ID: <20241213222014.1580991-5-pvorel@suse.cz>
In-Reply-To: <20241213222014.1580991-1-pvorel@suse.cz>

check_ima_policy_content() now prints a TINFO message when the policy is not readable and does not return 1 in this case. Therefore the "'func=KEXEC_KERNEL_CHECK' appraise policy loaded, kernel image may not be signed" TWARN message in ima_kexec.sh is not printed when the policy is not readable. This is better because in the previous case the test always failed due to TWARN but the result is actually unknown (e.g. don't expect missing policy, return 1 as failure only when policy is readable and checking with grep failed).

Fixes: 3843e2d6fb ("IMA: Add policy related helpers")
Signed-off-by: Petr Vorel
---
 testcases/kernel/security/integrity/ima/tests/ima_setup.sh | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh index cf769ac751..e958dd3334 100644 --- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh +++ b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh 
@@ -94,8 +94,11 @@ check_ima_policy_content() local pattern="$1" local grep_params="${2--q}" - check_policy_readable || return 1 - grep $grep_params "$pattern" $IMA_POLICY + if check_policy_readable; then + grep $grep_params "$pattern" $IMA_POLICY + else + tst_res TINFO "WARNING: policy not readable, can't check policy for '$pattern' (possible false positives)" + fi } require_ima_policy_content()
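Review bot: the else branch leaves check_ima_policy_content()'s exit status to whatever tst_res happens to return, so the "does not return 1" behaviour the commit message relies on is implicit rather than stated in the code; add an explicit `return 0` after the tst_res line, with a comment that an unreadable policy is reported as "cannot verify, assume present", so callers such as require_ima_policy_content() keep working if tst_res ever changes its return value. Also, the message is emitted at TINFO level but starts with "WARNING:", which is exactly the severity this patch is moving away from; consider dropping the prefix since TINFO plus "(possible false positives)" already says what the reader needs.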
From: Petr Vorel
To: ltp@lists.linux.it
Cc: Petr Vorel, Mimi Zohar, linux-integrity@vger.kernel.org
Subject: [PATCH v2 5/8] ima_kexec.sh: Move checking policy if readable to ima_setup.sh
Date: Fri, 13 Dec 2024 23:20:11 +0100
Message-ID: <20241213222014.1580991-6-pvorel@suse.cz>
In-Reply-To: <20241213222014.1580991-1-pvorel@suse.cz>
References: <20241213222014.1580991-1-pvorel@suse.cz>

It will be reused.
Signed-off-by: Petr Vorel --- .../kernel/security/integrity/ima/tests/ima_kexec.sh | 8 ++------ .../kernel/security/integrity/ima/tests/ima_setup.sh | 10 ++++++++++ 2 files changed, 12 insertions(+), 6 deletions(-) diff --git a/testcases/kernel/security/integrity/ima/tests/ima_kexec.sh b/testcases/kernel/security/integrity/ima/tests/ima_kexec.sh index 3446bc24bf..df8658655d 100755 --- a/testcases/kernel/security/integrity/ima/tests/ima_kexec.sh +++ b/testcases/kernel/security/integrity/ima/tests/ima_kexec.sh @@ -47,10 +47,7 @@ setup() tst_brk TCONF "kernel image not found, specify path in \$IMA_KEXEC_IMAGE" fi - if check_policy_readable; then - require_ima_policy_content "$REQUIRED_POLICY" - policy_readable=1 - fi + require_ima_policy_content_if_readable "$REQUIRED_POLICY" } kexec_failure_hint() @@ -97,8 +94,7 @@ kexec_test() ROD kexec -su if ! measure "$cmdline"; then - if [ "$policy_readable" != 1 ]; then - tst_res TWARN "policy not readable, it might not contain required policy '$REQUIRED_POLICY'" + if ! check_policy_readable; then res=TBROK fi tst_brk $res "unable to find a correct measurement" diff --git a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh index e958dd3334..9a05a31c31 100644 --- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh +++ b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh 
@@ -101,6 +101,16 @@ check_ima_policy_content() fi } +require_ima_policy_content_if_readable() +{ + local pattern="$1" + local grep_params="${2--q}" + + if ! check_ima_policy_content "$pattern" "$grep_params"; then + tst_brk TCONF "IMA policy does not specify '$pattern'" + fi +} + require_ima_policy_content() { local pattern="$1"
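Review bot: in the kexec_test() hunk of ima_kexec.sh the TWARN "policy not readable, it might not contain required policy '$REQUIRED_POLICY'" is deleted and only `res=TBROK` survives, so the TBROK that follows carries no hint about why the measurement could not be verified; the TINFO that 4/8 added to check_ima_policy_content() is printed from setup(), long before this failure is reported, so it does not replace the hint. Keep it as `tst_res TINFO "policy not readable, it might not contain required policy '$REQUIRED_POLICY'"` before `res=TBROK`.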
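Review bot: require_ima_policy_content_if_readable() gets its "if readable" semantics entirely from the fact that check_ima_policy_content() no longer fails on an unreadable policy (4/8), and nothing in the hunk says so; a reader comparing it with require_ima_policy_content() directly below cannot tell the two apart. Add a comment above the new function, e.g. "# TCONF only if the policy is readable and lacks $pattern; an unreadable policy is accepted", and say in the commit message where it is going to be reused instead of just "It will be reused.".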
From: Petr Vorel
To: ltp@lists.linux.it
Cc: Petr Vorel, Mimi Zohar, linux-integrity@vger.kernel.org
Subject: [PATCH v2 6/8] IMA: Add example policy for ima_violations.sh
Date: Fri, 13 Dec 2024 23:20:12 +0100
Message-ID: <20241213222014.1580991-7-pvorel@suse.cz>
In-Reply-To: <20241213222014.1580991-1-pvorel@suse.cz>
References: <20241213222014.1580991-1-pvorel@suse.cz>

Suggested-by: Mimi Zohar
Signed-off-by: Petr Vorel
---
 .../integrity/ima/datafiles/ima_violations/violations.policy | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 testcases/kernel/security/integrity/ima/datafiles/ima_violations/violations.policy
diff --git a/testcases/kernel/security/integrity/ima/datafiles/ima_violations/violations.policy b/testcases/kernel/security/integrity/ima/datafiles/ima_violations/violations.policy new file mode 100644 index 0000000000..5734c7617f --- /dev/null +++ b/testcases/kernel/security/integrity/ima/datafiles/ima_violations/violations.policy
@@ -0,0 +1 @@ +func=FILE_CHECK
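Review bot: the single line `func=FILE_CHECK` has no action keyword (measure, appraise, audit, ...), so the file is a fragment of a rule rather than a policy that could be written to the IMA policy interface; if it is meant to document what an operator loads before running ima_violations.sh, it should read `measure func=FILE_CHECK` and carry a comment on how it is intended to be used, because nothing else in this series reads the datafile (7/8 hardcodes its pattern in REQUIRED_POLICY) and an "example policy" that cannot be loaded as-is will mislead whoever tries it.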
From: Petr Vorel
To: ltp@lists.linux.it
Cc: Petr Vorel, Mimi Zohar, linux-integrity@vger.kernel.org
Subject: [PATCH v2 7/8] ima_violations.sh: Check for a required policy
Date: Fri, 13 Dec 2024 23:20:13 +0100
Message-ID: <20241213222014.1580991-8-pvorel@suse.cz>
In-Reply-To: <20241213222014.1580991-1-pvorel@suse.cz>
References: <20241213222014.1580991-1-pvorel@suse.cz>

Add check for '^func=FILE_CHECK'.

Signed-off-by: Petr Vorel
---
 .../kernel/security/integrity/ima/tests/ima_violations.sh | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_violations.sh b/testcases/kernel/security/integrity/ima/tests/ima_violations.sh index 0f710dea2e..73b9fe6f30 100755 --- a/testcases/kernel/security/integrity/ima/tests/ima_violations.sh +++ b/testcases/kernel/security/integrity/ima/tests/ima_violations.sh
@@ -1,7 +1,7 @@ #!/bin/sh # SPDX-License-Identifier: GPL-2.0-or-later # Copyright (c) 2009 IBM Corporation -# Copyright (c) 2018-2020 Petr Vorel +# Copyright (c) 2018-2024 Petr Vorel # Author: Mimi Zohar # # Test whether ToMToU and open_writer violations invalidatethe PCR and are logged. @@ -9,6 +9,7 @@ TST_SETUP="setup" TST_CLEANUP="cleanup" TST_CNT=3 +REQUIRED_POLICY='^func=FILE_CHECK' setup() { 
@@ -17,6 +18,8 @@ setup() LOG="/var/log/messages" PRINTK_RATE_LIMIT= + require_ima_policy_content_if_readable "$REQUIRED_POLICY" + if status_daemon auditd; then LOG="/var/log/audit/audit.log" elif tst_check_cmds sysctl; then
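Review bot: REQUIRED_POLICY='^func=FILE_CHECK' is anchored to the start of the line, but the helper it is passed to greps $IMA_POLICY (see the `grep $grep_params "$pattern" $IMA_POLICY` in 4/8), i.e. the loaded policy as the kernel exports it, where every rule line begins with its action keyword, e.g. `measure func=FILE_CHECK mask=MAY_READ ...`; the anchored pattern therefore matches nothing, and require_ima_policy_content_if_readable() will TCONF on exactly the systems where the policy is readable and does contain the rule, while systems with an unreadable policy pass straight through. Drop the `^` (or use `^measure.*func=FILE_CHECK`) so the pattern matches the exported form, and make the datafile in 6/8 carry the same action keyword so the two agree. Drive-by in the context lines of the first hunk: "invalidatethe" is missing a space.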
From: Petr Vorel
To: ltp@lists.linux.it
Cc: Petr Vorel, Mimi Zohar, linux-integrity@vger.kernel.org, Martin Doucha
Subject: [PATCH v2 8/8] [RFC] ima_kexec.sh: Relax result on unreadable policy to TCONF
Date: Fri, 13 Dec 2024 23:20:14 +0100
Message-ID: <20241213222014.1580991-9-pvorel@suse.cz>
In-Reply-To: <20241213222014.1580991-1-pvorel@suse.cz>
References: <20241213222014.1580991-1-pvorel@suse.cz>

Although d1e29adca6, which set a minimal version, fixed some false positives,
it might be better to be optimistic and exit with TCONF when the result is
unknown due to the policy not being readable than to "fail" with TBROK and
TWARN.

Fixes: 731aae8121 ("IMA: Add test for kexec cmdline measurement")
Reported-by: Martin Doucha
Signed-off-by: Petr Vorel
---
 testcases/kernel/security/integrity/ima/tests/ima_kexec.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_kexec.sh b/testcases/kernel/security/integrity/ima/tests/ima_kexec.sh index df8658655d..c52d767fe7 100755 --- a/testcases/kernel/security/integrity/ima/tests/ima_kexec.sh +++ b/testcases/kernel/security/integrity/ima/tests/ima_kexec.sh @@ -95,7 +95,7 @@ kexec_test() ROD kexec -su if ! measure "$cmdline"; then if ! check_policy_readable; then - res=TBROK + res=TCONF fi tst_brk $res "unable to find a correct measurement" fi
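Review bot: with `res=TCONF` here and the explanatory TWARN already removed in 5/8, a system whose policy cannot be read (e.g. a kernel built without CONFIG_IMA_READ_POLICY) that genuinely fails to measure the kexec cmdline now ends with only "unable to find a correct measurement" at TCONF, indistinguishable from a harmless configuration gap; a missing measurement is the very thing this test exists to catch, so the relaxation should at least be visible. Add `tst_res TINFO "policy not readable, cannot tell whether it contains '$REQUIRED_POLICY'"` before `res=TCONF`, and mention in the test's header comment that without a readable policy the test cannot separate "rule not configured" from "measurement missing".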