From: Mimi Zohar
To: Petr Vorel, ltp@lists.linux.it
Cc: Lachlan Sneff, Lakshmi Ramasubramanian, Mimi Zohar, balajib@linux.microsoft.com, linux-integrity@vger.kernel.org
Subject: Re: [PATCH v5 2/4] IMA: Add policy related helpers
Date: Thu, 30 Jul 2020 15:50:38 -0400
Message-ID: <1596138638.25003.6.camel@kernel.org>
In-Reply-To: <20200727223041.13110-3-pvorel@suse.cz>
References: <20200727223041.13110-1-pvorel@suse.cz> <20200727223041.13110-3-pvorel@suse.cz>
List: linux-integrity@vger.kernel.org

On Tue, 2020-07-28 at 00:30 +0200, Petr Vorel wrote:
> Signed-off-by: Petr Vorel

Other than inverting the [ -f $IMA_POLICY ] tests.

Reviewed-by: Mimi Zohar

> ---
> New in v5.
>
>  .../security/integrity/ima/tests/ima_setup.sh | 39 +++++++++++++++++++
>  1 file changed, 39 insertions(+)
>
> diff --git a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
> index 975ce9cbb..c46f273ab 100644
> --- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
> +++ b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
> @@ -54,6 +54,45 @@ compute_digest() > return 1 > } > > +check_policy_readable() > +{ > + if [ -f $IMA_POLICY ]; then > + tst_res TINFO "missing $IMA_POLICY (reboot or CONFIG_IMA_WRITE_POLICY=y required)" > + return 1 > + fi > + cat $IMA_POLICY > /dev/null 2>/dev/null > +} > + > +require_policy_readable() > +{ > + if [ -f $IMA_POLICY ]; then > + tst_brk TCONF "missing $IMA_POLICY (reboot or CONFIG_IMA_WRITE_POLICY=y required)" > + fi > + if ! check_policy_readable; then > + tst_brk TCONF "cannot read IMA policy (CONFIG_IMA_READ_POLICY=y required)" > + fi > +} > + > +check_ima_policy_content() > +{ > + local pattern="$1" > + local grep_params="${2--q}" > + > + check_policy_readable || return 1 > + grep $grep_params "$pattern" $IMA_POLICY > +} > + > +require_ima_policy_content() > +{ > + local pattern="$1" > + local grep_params="${2--q}" > + > + require_policy_readable > + if ! grep $grep_params "$pattern" $IMA_POLICY; then > + tst_brk TCONF "IMA policy does not specify '$pattern'" > + fi > +} > + > require_ima_policy_cmdline() > { > local policy="$1"
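Review bot: the `[ -f $IMA_POLICY ]` tests in check_policy_readable() and require_policy_readable() are inverted: as written, an existing policy file triggers the "missing $IMA_POLICY" message and the early return/TCONF, while a genuinely missing file falls through to `cat $IMA_POLICY`, which then fails for the wrong reason. Both should be `if [ ! -f "$IMA_POLICY" ]; then`, quoting the variable at the same time (and in the `cat` and `grep` calls below, where it is also unquoted). Once inverted, the `-f` test at the top of require_policy_readable() is a duplicate of the one check_policy_readable() performs a few lines later; it only earns its place because it gives the missing-file case its own TCONF reason distinct from the CONFIG_IMA_READ_POLICY one, so a short comment saying so would help the next reader. Two smaller points: require_ima_policy_content() repeats the `grep $grep_params "$pattern" $IMA_POLICY` line from check_ima_policy_content() instead of calling it after require_policy_readable, and `> /dev/null 2>/dev/null` is more conventionally written `>/dev/null 2>&1`.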