[PATCH v4 0/4] LTP reproducer on broken IMA on overlayfs

[PATCH v4 0/4] LTP reproducer on broken IMA on overlayfs

[Petr Vorel]

Hi Mimi, Ignaz,

changes v3->v4:
* Add helper check_ima_policy() and use it in ima_measurements.sh and
  evm_overlay.sh
* Rephrase commit message for ima_measurements.sh changes and docs
* Use SPDX-License-Identifier: GPL-2.0-or-later

Anything wrong in docs / commit message?

Kind regards,
Petr

Petr Vorel (4):
  ima: Call test's cleanup inside ima_setup.sh cleanup
  shell: Add $TST_DEVICE as default parameter to tst_umount
  ima/ima_measurements.sh: Require builtin IMA tcb policy
  ima: Add overlay test + doc

 doc/test-writing-guidelines.txt               |  4 +-
 runtest/ima                                   |  1 +
 testcases/commands/df/df01.sh                 |  7 +-
 testcases/commands/mkfs/mkfs01.sh             |  2 +-
 .../security/integrity/ima/tests/README.md    | 83 +++++++++++++++++
 .../integrity/ima/tests/evm_overlay.sh        | 93 +++++++++++++++++++
 .../integrity/ima/tests/ima_measurements.sh   | 23 +----
 .../security/integrity/ima/tests/ima_setup.sh | 42 +++++----
 .../integrity/ima/tests/ima_violations.sh     |  2 -
 testcases/lib/tst_test.sh                     |  2 +-
 10 files changed, 211 insertions(+), 48 deletions(-)
 create mode 100644 testcases/kernel/security/integrity/ima/tests/README.md
 create mode 100755 testcases/kernel/security/integrity/ima/tests/evm_overlay.sh

-- 
2.21.0

[LTP] [PATCH v4 0/4] LTP reproducer on broken IMA on overlayfs

[Petr Vorel]

Hi Mimi, Ignaz,

changes v3->v4:
* Add helper check_ima_policy() and use it in ima_measurements.sh and
  evm_overlay.sh
* Rephrase commit message for ima_measurements.sh changes and docs
* Use SPDX-License-Identifier: GPL-2.0-or-later

Anything wrong in docs / commit message?

Kind regards,
Petr

Petr Vorel (4):
  ima: Call test's cleanup inside ima_setup.sh cleanup
  shell: Add $TST_DEVICE as default parameter to tst_umount
  ima/ima_measurements.sh: Require builtin IMA tcb policy
  ima: Add overlay test + doc

 doc/test-writing-guidelines.txt               |  4 +-
 runtest/ima                                   |  1 +
 testcases/commands/df/df01.sh                 |  7 +-
 testcases/commands/mkfs/mkfs01.sh             |  2 +-
 .../security/integrity/ima/tests/README.md    | 83 +++++++++++++++++
 .../integrity/ima/tests/evm_overlay.sh        | 93 +++++++++++++++++++
 .../integrity/ima/tests/ima_measurements.sh   | 23 +----
 .../security/integrity/ima/tests/ima_setup.sh | 42 +++++----
 .../integrity/ima/tests/ima_violations.sh     |  2 -
 testcases/lib/tst_test.sh                     |  2 +-
 10 files changed, 211 insertions(+), 48 deletions(-)
 create mode 100644 testcases/kernel/security/integrity/ima/tests/README.md
 create mode 100755 testcases/kernel/security/integrity/ima/tests/evm_overlay.sh

-- 
2.21.0

[PATCH v4 1/4] ima: Call test's cleanup inside ima_setup.sh cleanup

[Petr Vorel]

to work the same way as setup

Acked-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
 testcases/kernel/security/integrity/ima/tests/ima_setup.sh  | 6 +++++-
 .../kernel/security/integrity/ima/tests/ima_violations.sh   | 2 --
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
index 52551190a..cbded42c2 100644
--- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
@@ -20,7 +20,8 @@
 TST_TESTFUNC="test"
 TST_SETUP_CALLER="$TST_SETUP"
 TST_SETUP="ima_setup"
-TST_CLEANUP="${TST_CLEANUP:-ima_cleanup}"
+TST_CLEANUP_CALLER="$TST_CLEANUP"
+TST_CLEANUP="ima_cleanup"
 TST_NEEDS_TMPDIR=1
 TST_NEEDS_ROOT=1
 
@@ -95,6 +96,9 @@ ima_setup()
 ima_cleanup()
 {
 	local dir
+
+	[ -n "$TST_CLEANUP_CALLER" ] && $TST_CLEANUP_CALLER
+
 	for dir in $UMOUNT; do
 		umount $dir
 	done
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_violations.sh b/testcases/kernel/security/integrity/ima/tests/ima_violations.sh
index 74223c221..a44bd1230 100755
--- a/testcases/kernel/security/integrity/ima/tests/ima_violations.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_violations.sh
@@ -51,8 +51,6 @@ cleanup()
 {
 	[ "$PRINTK_RATE_LIMIT" != "0" ] && \
 		sysctl -wq kernel.printk_ratelimit=$PRINTK_RATE_LIMIT
-
-	ima_cleanup
 }
 
 open_file_read()
-- 
2.21.0

[LTP] [PATCH v4 1/4] ima: Call test's cleanup inside ima_setup.sh cleanup

[Petr Vorel]

to work the same way as setup

Acked-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
 testcases/kernel/security/integrity/ima/tests/ima_setup.sh  | 6 +++++-
 .../kernel/security/integrity/ima/tests/ima_violations.sh   | 2 --
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
index 52551190a..cbded42c2 100644
--- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
@@ -20,7 +20,8 @@
 TST_TESTFUNC="test"
 TST_SETUP_CALLER="$TST_SETUP"
 TST_SETUP="ima_setup"
-TST_CLEANUP="${TST_CLEANUP:-ima_cleanup}"
+TST_CLEANUP_CALLER="$TST_CLEANUP"
+TST_CLEANUP="ima_cleanup"
 TST_NEEDS_TMPDIR=1
 TST_NEEDS_ROOT=1
 
@@ -95,6 +96,9 @@ ima_setup()
 ima_cleanup()
 {
 	local dir
+
+	[ -n "$TST_CLEANUP_CALLER" ] && $TST_CLEANUP_CALLER
+
 	for dir in $UMOUNT; do
 		umount $dir
 	done
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_violations.sh b/testcases/kernel/security/integrity/ima/tests/ima_violations.sh
index 74223c221..a44bd1230 100755
--- a/testcases/kernel/security/integrity/ima/tests/ima_violations.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_violations.sh
@@ -51,8 +51,6 @@ cleanup()
 {
 	[ "$PRINTK_RATE_LIMIT" != "0" ] && \
 		sysctl -wq kernel.printk_ratelimit=$PRINTK_RATE_LIMIT
-
-	ima_cleanup
 }
 
 open_file_read()
-- 
2.21.0

[PATCH v4 2/4] shell: Add $TST_DEVICE as default parameter to tst_umount

[Petr Vorel]

+ use it directly as a cleanup function in df01.sh

Acked-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
 doc/test-writing-guidelines.txt                            | 4 ++--
 testcases/commands/df/df01.sh                              | 7 +------
 testcases/commands/mkfs/mkfs01.sh                          | 2 +-
 testcases/kernel/security/integrity/ima/tests/ima_setup.sh | 2 +-
 testcases/lib/tst_test.sh                                  | 2 +-
 5 files changed, 6 insertions(+), 11 deletions(-)

diff --git a/doc/test-writing-guidelines.txt b/doc/test-writing-guidelines.txt
index f1912dc12..fc64b418b 100644
--- a/doc/test-writing-guidelines.txt
+++ b/doc/test-writing-guidelines.txt
@@ -2115,8 +2115,8 @@ The 'tst_mount' mounts '$TST_DEVICE' of '$TST_FS_TYPE' (optional) to
 '$TST_MNT_PARAMS'. The '$TST_MNTPOINT' directory is created if it didn't
 exist prior to the function call.
 
-If the path passed to the 'tst_umount' is not mounted (present in '/proc/mounts')
-it's noop.
+If the path passed (optional, defaults to '$TST_DEVICE') to the 'tst_umount' is
+not mounted (present in '/proc/mounts') it's noop.
 Otherwise it retries to umount the filesystem a few times on a failure, which
 is a workaround since there are a daemons dumb enough to probe all newly
 mounted filesystems, which prevents them from umounting shortly after they
diff --git a/testcases/commands/df/df01.sh b/testcases/commands/df/df01.sh
index 9b0be76fe..3876816dc 100755
--- a/testcases/commands/df/df01.sh
+++ b/testcases/commands/df/df01.sh
@@ -18,7 +18,7 @@
 
 TST_CNT=12
 TST_SETUP=setup
-TST_CLEANUP=cleanup
+TST_CLEANUP=tst_umount
 TST_TESTFUNC=test
 TST_OPTS="f:"
 TST_USAGE=usage
@@ -54,11 +54,6 @@ setup()
 	DF_FS_TYPE=$(mount | grep "$TST_DEVICE" | awk '{print $5}')
 }
 
-cleanup()
-{
-	tst_umount $TST_DEVICE
-}
-
 df_test()
 {
 	local cmd="$1 -P"
diff --git a/testcases/commands/mkfs/mkfs01.sh b/testcases/commands/mkfs/mkfs01.sh
index 88f7f0baa..28af890b3 100755
--- a/testcases/commands/mkfs/mkfs01.sh
+++ b/testcases/commands/mkfs/mkfs01.sh
@@ -71,7 +71,7 @@ mkfs_verify_size()
 {
 	tst_mount
 	local blocknum=`df -P -B 1k mntpoint | tail -n1 | awk '{print $2}'`
-	tst_umount "$TST_DEVICE"
+	tst_umount
 
 	if [ $blocknum -gt "$2" ]; then
 		return 1
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
index cbded42c2..da49eb1b2 100644
--- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
@@ -105,7 +105,7 @@ ima_cleanup()
 
 	if [ "$TST_NEEDS_DEVICE" = 1 ]; then
 		cd $TST_TMPDIR
-		tst_umount $TST_DEVICE
+		tst_umount
 	fi
 }
 
diff --git a/testcases/lib/tst_test.sh b/testcases/lib/tst_test.sh
index 512732315..740253df1 100644
--- a/testcases/lib/tst_test.sh
+++ b/testcases/lib/tst_test.sh
@@ -259,7 +259,7 @@ tst_mount()
 
 tst_umount()
 {
-	local device="$1"
+	local device="${1:-$TST_DEVICE}"
 	local i=0
 
 	if ! grep -q "$device" /proc/mounts; then
-- 
2.21.0

[LTP] [PATCH v4 2/4] shell: Add $TST_DEVICE as default parameter to tst_umount

[Petr Vorel]

+ use it directly as a cleanup function in df01.sh

Acked-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
 doc/test-writing-guidelines.txt                            | 4 ++--
 testcases/commands/df/df01.sh                              | 7 +------
 testcases/commands/mkfs/mkfs01.sh                          | 2 +-
 testcases/kernel/security/integrity/ima/tests/ima_setup.sh | 2 +-
 testcases/lib/tst_test.sh                                  | 2 +-
 5 files changed, 6 insertions(+), 11 deletions(-)

diff --git a/doc/test-writing-guidelines.txt b/doc/test-writing-guidelines.txt
index f1912dc12..fc64b418b 100644
--- a/doc/test-writing-guidelines.txt
+++ b/doc/test-writing-guidelines.txt
@@ -2115,8 +2115,8 @@ The 'tst_mount' mounts '$TST_DEVICE' of '$TST_FS_TYPE' (optional) to
 '$TST_MNT_PARAMS'. The '$TST_MNTPOINT' directory is created if it didn't
 exist prior to the function call.
 
-If the path passed to the 'tst_umount' is not mounted (present in '/proc/mounts')
-it's noop.
+If the path passed (optional, defaults to '$TST_DEVICE') to the 'tst_umount' is
+not mounted (present in '/proc/mounts') it's noop.
 Otherwise it retries to umount the filesystem a few times on a failure, which
 is a workaround since there are a daemons dumb enough to probe all newly
 mounted filesystems, which prevents them from umounting shortly after they
diff --git a/testcases/commands/df/df01.sh b/testcases/commands/df/df01.sh
index 9b0be76fe..3876816dc 100755
--- a/testcases/commands/df/df01.sh
+++ b/testcases/commands/df/df01.sh
@@ -18,7 +18,7 @@
 
 TST_CNT=12
 TST_SETUP=setup
-TST_CLEANUP=cleanup
+TST_CLEANUP=tst_umount
 TST_TESTFUNC=test
 TST_OPTS="f:"
 TST_USAGE=usage
@@ -54,11 +54,6 @@ setup()
 	DF_FS_TYPE=$(mount | grep "$TST_DEVICE" | awk '{print $5}')
 }
 
-cleanup()
-{
-	tst_umount $TST_DEVICE
-}
-
 df_test()
 {
 	local cmd="$1 -P"
diff --git a/testcases/commands/mkfs/mkfs01.sh b/testcases/commands/mkfs/mkfs01.sh
index 88f7f0baa..28af890b3 100755
--- a/testcases/commands/mkfs/mkfs01.sh
+++ b/testcases/commands/mkfs/mkfs01.sh
@@ -71,7 +71,7 @@ mkfs_verify_size()
 {
 	tst_mount
 	local blocknum=`df -P -B 1k mntpoint | tail -n1 | awk '{print $2}'`
-	tst_umount "$TST_DEVICE"
+	tst_umount
 
 	if [ $blocknum -gt "$2" ]; then
 		return 1
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
index cbded42c2..da49eb1b2 100644
--- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
@@ -105,7 +105,7 @@ ima_cleanup()
 
 	if [ "$TST_NEEDS_DEVICE" = 1 ]; then
 		cd $TST_TMPDIR
-		tst_umount $TST_DEVICE
+		tst_umount
 	fi
 }
 
diff --git a/testcases/lib/tst_test.sh b/testcases/lib/tst_test.sh
index 512732315..740253df1 100644
--- a/testcases/lib/tst_test.sh
+++ b/testcases/lib/tst_test.sh
@@ -259,7 +259,7 @@ tst_mount()
 
 tst_umount()
 {
-	local device="$1"
+	local device="${1:-$TST_DEVICE}"
 	local i=0
 
 	if ! grep -q "$device" /proc/mounts; then
-- 
2.21.0

[PATCH v4 3/4] ima/ima_measurements.sh: Require builtin IMA tcb policy

[Petr Vorel]

Although custom policy which may contain the equivalent measurement
tcb rules can be loaded via dracut, systemd or later manually from
user space, detecting it would require IMA_READ_POLICY=y. In order
to simplify the check and avoid false positives lets ignore this
option and require builtin IMA tcb policy.

Create check_ima_policy() helper in ima_setup.sh, so it can be reused in
other tests.

+ Use SPDX license identifier

Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
 .../integrity/ima/tests/ima_measurements.sh   | 23 ++++----------
 .../security/integrity/ima/tests/ima_setup.sh | 30 ++++++++++---------
 2 files changed, 21 insertions(+), 32 deletions(-)

diff --git a/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh b/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh
index 328affc43..1b9ed85b8 100755
--- a/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh
@@ -1,19 +1,7 @@
 #!/bin/sh
 # Copyright (c) 2009 IBM Corporation
-# Copyright (c) 2018 Petr Vorel <pvorel@suse.cz>
-#
-# This program is free software; you can redistribute it and/or
-# modify it under the terms of the GNU General Public License as
-# published by the Free Software Foundation; either version 2 of
-# the License, or (at your option) any later version.
-#
-# This program is distributed in the hope that it would be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see <http://www.gnu.org/licenses/>.
+# Copyright (c) 2018-2019 Petr Vorel <pvorel@suse.cz>
+# SPDX-License-Identifier: GPL-2.0-or-later
 #
 # Author: Mimi Zohar, zohar@ibm.vnet.ibm.com
 #
@@ -28,16 +16,17 @@ TST_NEEDS_DEVICE=1
 
 setup()
 {
-	TEST_FILE="$PWD/test.txt"
+	check_ima_policy "tcb"
 
+	TEST_FILE="$PWD/test.txt"
 	POLICY="$IMA_DIR/policy"
 	[ -f "$POLICY" ] || tst_res TINFO "not using default policy"
-
 	DIGEST_INDEX=
 
 	local template="$(tail -1 $ASCII_MEASUREMENTS | cut -d' ' -f 3)"
 	local i
 
+	# parse digest index
 	# https://www.kernel.org/doc/html/latest/security/IMA-templates.html#use
 	case "$template" in
 	ima|ima-ng|ima-sig) DIGEST_INDEX=4 ;;
@@ -56,8 +45,6 @@ setup()
 
 	[ -z "$DIGEST_INDEX" ] && tst_brk TCONF \
 		"Cannot find digest index (template: '$template')"
-
-	tst_res TINFO "IMA measurement tests assume tcb policy to be loaded (ima_policy=tcb)"
 }
 
 # TODO: find support for rmd128 rmd256 rmd320 wp256 wp384 tgr128 tgr160
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
index da49eb1b2..606034fec 100644
--- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
@@ -1,19 +1,7 @@
 #!/bin/sh
 # Copyright (c) 2009 IBM Corporation
-# Copyright (c) 2018 Petr Vorel <pvorel@suse.cz>
-#
-# This program is free software; you can redistribute it and/or
-# modify it under the terms of the GNU General Public License as
-# published by the Free Software Foundation; either version 2 of
-# the License, or (at your option) any later version.
-#
-# This program is distributed in the hope that it would be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see <http://www.gnu.org/licenses/>.
+# Copyright (c) 2018-2019 Petr Vorel <pvorel@suse.cz>
+# SPDX-License-Identifier: GPL-2.0-or-later
 #
 # Author: Mimi Zohar, zohar@ibm.vnet.ibm.com
 
@@ -31,6 +19,20 @@ SYSFS="/sys"
 UMOUNT=
 TST_FS_TYPE="ext3"
 
+check_ima_policy()
+{
+	local policy="$1"
+	local i
+
+	grep -q "ima_$policy" /proc/cmdline && return
+	for i in $(cat /proc/cmdline); do
+		if grep -q '^ima_policy=' $i; then
+			grep -e "|[ ]*$policy" -e "$policy[ ]*|" -e "=$policy" $i && return
+		fi
+	done
+	tst_brk TCONF "IMA measurement tests require builtin IMA $policy policy (e.g. ima_policy=$policy kernel parameter)"
+}
+
 mount_helper()
 {
 	local type="$1"
-- 
2.21.0

[LTP] [PATCH v4 3/4] ima/ima_measurements.sh: Require builtin IMA tcb policy

[Petr Vorel]

Although custom policy which may contain the equivalent measurement
tcb rules can be loaded via dracut, systemd or later manually from
user space, detecting it would require IMA_READ_POLICY=y. In order
to simplify the check and avoid false positives lets ignore this
option and require builtin IMA tcb policy.

Create check_ima_policy() helper in ima_setup.sh, so it can be reused in
other tests.

+ Use SPDX license identifier

Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
 .../integrity/ima/tests/ima_measurements.sh   | 23 ++++----------
 .../security/integrity/ima/tests/ima_setup.sh | 30 ++++++++++---------
 2 files changed, 21 insertions(+), 32 deletions(-)

diff --git a/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh b/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh
index 328affc43..1b9ed85b8 100755
--- a/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh
@@ -1,19 +1,7 @@
 #!/bin/sh
 # Copyright (c) 2009 IBM Corporation
-# Copyright (c) 2018 Petr Vorel <pvorel@suse.cz>
-#
-# This program is free software; you can redistribute it and/or
-# modify it under the terms of the GNU General Public License as
-# published by the Free Software Foundation; either version 2 of
-# the License, or (at your option) any later version.
-#
-# This program is distributed in the hope that it would be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see <http://www.gnu.org/licenses/>.
+# Copyright (c) 2018-2019 Petr Vorel <pvorel@suse.cz>
+# SPDX-License-Identifier: GPL-2.0-or-later
 #
 # Author: Mimi Zohar, zohar@ibm.vnet.ibm.com
 #
@@ -28,16 +16,17 @@ TST_NEEDS_DEVICE=1
 
 setup()
 {
-	TEST_FILE="$PWD/test.txt"
+	check_ima_policy "tcb"
 
+	TEST_FILE="$PWD/test.txt"
 	POLICY="$IMA_DIR/policy"
 	[ -f "$POLICY" ] || tst_res TINFO "not using default policy"
-
 	DIGEST_INDEX=
 
 	local template="$(tail -1 $ASCII_MEASUREMENTS | cut -d' ' -f 3)"
 	local i
 
+	# parse digest index
 	# https://www.kernel.org/doc/html/latest/security/IMA-templates.html#use
 	case "$template" in
 	ima|ima-ng|ima-sig) DIGEST_INDEX=4 ;;
@@ -56,8 +45,6 @@ setup()
 
 	[ -z "$DIGEST_INDEX" ] && tst_brk TCONF \
 		"Cannot find digest index (template: '$template')"
-
-	tst_res TINFO "IMA measurement tests assume tcb policy to be loaded (ima_policy=tcb)"
 }
 
 # TODO: find support for rmd128 rmd256 rmd320 wp256 wp384 tgr128 tgr160
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
index da49eb1b2..606034fec 100644
--- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
@@ -1,19 +1,7 @@
 #!/bin/sh
 # Copyright (c) 2009 IBM Corporation
-# Copyright (c) 2018 Petr Vorel <pvorel@suse.cz>
-#
-# This program is free software; you can redistribute it and/or
-# modify it under the terms of the GNU General Public License as
-# published by the Free Software Foundation; either version 2 of
-# the License, or (at your option) any later version.
-#
-# This program is distributed in the hope that it would be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see <http://www.gnu.org/licenses/>.
+# Copyright (c) 2018-2019 Petr Vorel <pvorel@suse.cz>
+# SPDX-License-Identifier: GPL-2.0-or-later
 #
 # Author: Mimi Zohar, zohar@ibm.vnet.ibm.com
 
@@ -31,6 +19,20 @@ SYSFS="/sys"
 UMOUNT=
 TST_FS_TYPE="ext3"
 
+check_ima_policy()
+{
+	local policy="$1"
+	local i
+
+	grep -q "ima_$policy" /proc/cmdline && return
+	for i in $(cat /proc/cmdline); do
+		if grep -q '^ima_policy=' $i; then
+			grep -e "|[ ]*$policy" -e "$policy[ ]*|" -e "=$policy" $i && return
+		fi
+	done
+	tst_brk TCONF "IMA measurement tests require builtin IMA $policy policy (e.g. ima_policy=$policy kernel parameter)"
+}
+
 mount_helper()
 {
 	local type="$1"
-- 
2.21.0

[PATCH v4 4/4] ima: Add overlay test + doc

[Petr Vorel]

test demonstrate a bug on overlayfs on current mainline kernel when
combining IMA with EVM.

Based on reproducer made by Ignaz Forster <iforster@suse.de>
used for not upstreamed patchset [1] and previous report [2].
IMA only behavior has already been fixed [3].

NOTE: backup variables are needed because ima_setup.sh calling
tst_mount as well when TMPDIR is on tmpfs device.

Documentation is based on Ignaz Forster instructions for openSUSE [4].

[1] https://www.spinics.net/lists/linux-integrity/msg05926.html
[2] https://www.spinics.net/lists/linux-integrity/msg03593.html
[3] https://patchwork.kernel.org/patch/10776231/
[4] http://lists.linux.it/pipermail/ltp/2019-May/011956.html

Tested-by: Ignaz Forster <iforster@suse.de>
Acked-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
 runtest/ima                                   |  1 +
 .../security/integrity/ima/tests/README.md    | 83 +++++++++++++++++
 .../integrity/ima/tests/evm_overlay.sh        | 93 +++++++++++++++++++
 .../security/integrity/ima/tests/ima_setup.sh |  4 +-
 4 files changed, 179 insertions(+), 2 deletions(-)
 create mode 100644 testcases/kernel/security/integrity/ima/tests/README.md
 create mode 100755 testcases/kernel/security/integrity/ima/tests/evm_overlay.sh

diff --git a/runtest/ima b/runtest/ima
index bcae16bb7..f3ea88cf0 100644
--- a/runtest/ima
+++ b/runtest/ima
@@ -3,3 +3,4 @@ ima_measurements ima_measurements.sh
 ima_policy ima_policy.sh
 ima_tpm ima_tpm.sh
 ima_violations ima_violations.sh
+evm_overlay evm_overlay.sh
diff --git a/testcases/kernel/security/integrity/ima/tests/README.md b/testcases/kernel/security/integrity/ima/tests/README.md
new file mode 100644
index 000000000..961b68a38
--- /dev/null
+++ b/testcases/kernel/security/integrity/ima/tests/README.md
@@ -0,0 +1,83 @@
+IMA + EVM testing
+=================
+
+IMA tests
+---------
+
+`ima_measurements.sh` require builtin IMA tcb policy to be loaded
+(`ima_policy=tcb` or `ima_policy=appraise_tcb` kernel parameter).
+Although custom policy which contains which may contain the equivalent
+measurement tcb rules can be loaded via dracut, systemd or later manually
+from user space, detecting it would require `IMA_READ_POLICY=y` therefore
+ignore this option.
+
+Mandatory kernel configuration for IMA:
+```
+CONFIG_INTEGRITY=y
+CONFIG_IMA=y
+```
+
+EVM tests
+---------
+
+`evm_overlay.sh` requires to builtin IMA appraise tcb policy (e.g. `ima_policy=appraise_tcb`
+kernel parameter) which appraises the integrity of all files owned by root and EVM setup.
+Again, for simplicity ignore possibility to load reuired rules via custom policy.
+
+Mandatory kernel configuration for IMA & EVM:
+```
+CONFIG_INTEGRITY=y
+CONFIG_INTEGRITY_SIGNATURE=y
+CONFIG_IMA=y
+CONFIG_IMA_APPRAISE=y
+CONFIG_EVM=y
+CONFIG_KEYS=y
+CONFIG_TRUSTED_KEYS=y
+CONFIG_ENCRYPTED_KEYS=y
+```
+
+Example of installing IMA + EVM on openSUSE:
+
+* Boot install system with `ima_policy=appraise_tcb ima_appraise=fix evm=fix` kernel parameters
+  (for IMA measurement, IMA appraisal and EVM protection)
+* Proceed with installation until summary screen, but do not start the installation yet
+* Select package `dracut-ima` (required for early boot EVM support) for installation
+  (Debian based distros already contain IMA + EVM support in `dracut` package)
+* Change to a console window and run commands to generate keys required by EVM:
+```
+# mkdir /etc/keys
+# user_key=$(keyctl add user kmk-user "`dd if=/dev/urandom bs=1 count=32 2>/dev/null`" @u)
+# keyctl pipe "$user_key" > /etc/keys/kmk-user.blob
+# evm_key=$(keyctl add encrypted evm-key "new user:kmk-user 64" @u)
+# keyctl pipe "$evm_key" >/etc/keys/evm.blob
+# cat <<END >/etc/sysconfig/masterkey
+MASTERKEYTYPE="user"
+MASTERKEY="/etc/keys/kmk-user.blob"
+END
+# cat <<END >/etc/sysconfig/evm
+EVMKEY="/etc/keys/evm.blob"
+END
+# mount -t securityfs security /sys/kernel/security
+# echo 1 >/sys/kernel/security/evm
+```
+
+* Go back to the installation summary screen and start the installation
+* During the installation execute the following commands from the console:
+```
+# cp -r /etc/keys /mnt/etc/ # Debian based distributions: use /target instead of /mnt
+# cp /etc/sysconfig/{evm,masterkey} /mnt/etc/sysconfig/
+```
+
+This should work on any distribution using dracut.
+Loading EVM keys is also possible with initramfs-tools (Debian based distributions).
+
+Of course it's possible to install OS usual way, add keys later and fix missing xattrs with:
+```
+evmctl -r ima_fix /
+```
+
+or with `find` if evmctl not available:
+```
+find / \( -fstype rootfs -o -fstype ext4 -o -fstype btrfs -o -fstype xfs \) -exec sh -c "< '{}'" \;
+```
+Again, fixing requires `ima_policy=appraise_tcb ima_appraise=fix evm=fix` kernel parameters.
diff --git a/testcases/kernel/security/integrity/ima/tests/evm_overlay.sh b/testcases/kernel/security/integrity/ima/tests/evm_overlay.sh
new file mode 100755
index 000000000..024b03917
--- /dev/null
+++ b/testcases/kernel/security/integrity/ima/tests/evm_overlay.sh
@@ -0,0 +1,93 @@
+#!/bin/sh
+# Copyright (c) 2019 Petr Vorel <pvorel@suse.cz>
+# Based on reproducer and further discussion with Ignaz Forster <iforster@suse.de>
+# Reproducer for not upstreamed patchset [1] and previous report [2].
+# [1] https://www.spinics.net/lists/linux-integrity/msg05926.html
+# [2] https://www.spinics.net/lists/linux-integrity/msg03593.html
+
+TST_SETUP="setup"
+TST_CLEANUP="cleanup"
+TST_NEEDS_DEVICE=1
+TST_CNT=4
+. ima_setup.sh
+
+setup()
+{
+	EVM_FILE="/sys/kernel/security/evm"
+
+	[ -f "$EVM_FILE" ] || tst_brk TCONF "EVM not enabled in kernel"
+	[ $(cat $EVM_FILE) -eq 1 ] || tst_brk TCONF "EVM not enabled for this boot"
+
+	check_ima_policy "appraise_tcb"
+
+	lower="$TST_MNTPOINT/lower"
+	upper="$TST_MNTPOINT/upper"
+	work="$TST_MNTPOINT/work"
+	merged="$TST_MNTPOINT/merged"
+	mkdir -p $lower $upper $work $merged
+
+	device_backup="$TST_DEVICE"
+	TST_DEVICE="overlay"
+
+	fs_type_backup="$TST_FS_TYPE"
+	TST_FS_TYPE="overlay"
+
+	mntpoint_backup="$TST_MNTPOINT"
+	TST_MNTPOINT="$merged"
+
+	params_backup="$TST_MNT_PARAMS"
+	TST_MNT_PARAMS="-o lowerdir=$lower,upperdir=$upper,workdir=$work"
+
+	tst_mount
+	mounted=1
+}
+
+test1()
+{
+	local file="foo1.txt"
+
+	tst_res TINFO "overwrite file in overlay"
+	EXPECT_PASS echo lower \> $lower/$file
+	EXPECT_PASS echo overlay \> $merged/$file
+}
+
+test2()
+{
+	local file="foo2.txt"
+
+	tst_res TINFO "append file in overlay"
+	EXPECT_PASS echo lower \> $lower/$file
+	EXPECT_PASS echo overlay \>\> $merged/$file
+}
+
+test3()
+{
+	local file="foo3.txt"
+
+	tst_res TINFO "create a new file in overlay"
+	EXPECT_PASS echo overlay \> $merged/$file
+}
+
+test4()
+{
+	local f
+
+	tst_res TINFO "read all created files"
+	for f in $(find $TST_MNTPOINT -type f); do
+		EXPECT_PASS cat $f \> /dev/null 2\> /dev/null
+	done
+}
+
+cleanup()
+{
+	[ -n "$mounted" ] || return 0
+
+	tst_umount $TST_DEVICE
+
+	TST_DEVICE="$device_backup"
+	TST_FS_TYPE="$fs_type_backup"
+	TST_MNTPOINT="$mntpoint_backup"
+	TST_MNT_PARAMS="$params_backup"
+}
+
+tst_run
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
index 606034fec..529b77529 100644
--- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
@@ -66,14 +66,14 @@ print_ima_config()
 	local config="/boot/config-$(uname -r)"
 	local i
 
-	tst_res TINFO "/proc/cmdline: $(cat /proc/cmdline)"
-
 	if [ -r "$config" ]; then
 		tst_res TINFO "IMA kernel config:"
 		for i in $(grep ^CONFIG_IMA $config); do
 			tst_res TINFO "$i"
 		done
 	fi
+
+	tst_res TINFO "/proc/cmdline: $(cat /proc/cmdline)"
 }
 
 ima_setup()
-- 
2.21.0

[LTP] [PATCH v4 4/4] ima: Add overlay test + doc

[Petr Vorel]

test demonstrate a bug on overlayfs on current mainline kernel when
combining IMA with EVM.

Based on reproducer made by Ignaz Forster <iforster@suse.de>
used for not upstreamed patchset [1] and previous report [2].
IMA only behavior has already been fixed [3].

NOTE: backup variables are needed because ima_setup.sh calling
tst_mount as well when TMPDIR is on tmpfs device.

Documentation is based on Ignaz Forster instructions for openSUSE [4].

[1] https://www.spinics.net/lists/linux-integrity/msg05926.html
[2] https://www.spinics.net/lists/linux-integrity/msg03593.html
[3] https://patchwork.kernel.org/patch/10776231/
[4] http://lists.linux.it/pipermail/ltp/2019-May/011956.html

Tested-by: Ignaz Forster <iforster@suse.de>
Acked-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
 runtest/ima                                   |  1 +
 .../security/integrity/ima/tests/README.md    | 83 +++++++++++++++++
 .../integrity/ima/tests/evm_overlay.sh        | 93 +++++++++++++++++++
 .../security/integrity/ima/tests/ima_setup.sh |  4 +-
 4 files changed, 179 insertions(+), 2 deletions(-)
 create mode 100644 testcases/kernel/security/integrity/ima/tests/README.md
 create mode 100755 testcases/kernel/security/integrity/ima/tests/evm_overlay.sh

diff --git a/runtest/ima b/runtest/ima
index bcae16bb7..f3ea88cf0 100644
--- a/runtest/ima
+++ b/runtest/ima
@@ -3,3 +3,4 @@ ima_measurements ima_measurements.sh
 ima_policy ima_policy.sh
 ima_tpm ima_tpm.sh
 ima_violations ima_violations.sh
+evm_overlay evm_overlay.sh
diff --git a/testcases/kernel/security/integrity/ima/tests/README.md b/testcases/kernel/security/integrity/ima/tests/README.md
new file mode 100644
index 000000000..961b68a38
--- /dev/null
+++ b/testcases/kernel/security/integrity/ima/tests/README.md
@@ -0,0 +1,83 @@
+IMA + EVM testing
+=================
+
+IMA tests
+---------
+
+`ima_measurements.sh` require builtin IMA tcb policy to be loaded
+(`ima_policy=tcb` or `ima_policy=appraise_tcb` kernel parameter).
+Although custom policy which contains which may contain the equivalent
+measurement tcb rules can be loaded via dracut, systemd or later manually
+from user space, detecting it would require `IMA_READ_POLICY=y` therefore
+ignore this option.
+
+Mandatory kernel configuration for IMA:
+```
+CONFIG_INTEGRITY=y
+CONFIG_IMA=y
+```
+
+EVM tests
+---------
+
+`evm_overlay.sh` requires to builtin IMA appraise tcb policy (e.g. `ima_policy=appraise_tcb`
+kernel parameter) which appraises the integrity of all files owned by root and EVM setup.
+Again, for simplicity ignore possibility to load reuired rules via custom policy.
+
+Mandatory kernel configuration for IMA & EVM:
+```
+CONFIG_INTEGRITY=y
+CONFIG_INTEGRITY_SIGNATURE=y
+CONFIG_IMA=y
+CONFIG_IMA_APPRAISE=y
+CONFIG_EVM=y
+CONFIG_KEYS=y
+CONFIG_TRUSTED_KEYS=y
+CONFIG_ENCRYPTED_KEYS=y
+```
+
+Example of installing IMA + EVM on openSUSE:
+
+* Boot install system with `ima_policy=appraise_tcb ima_appraise=fix evm=fix` kernel parameters
+  (for IMA measurement, IMA appraisal and EVM protection)
+* Proceed with installation until summary screen, but do not start the installation yet
+* Select package `dracut-ima` (required for early boot EVM support) for installation
+  (Debian based distros already contain IMA + EVM support in `dracut` package)
+* Change to a console window and run commands to generate keys required by EVM:
+```
+# mkdir /etc/keys
+# user_key=$(keyctl add user kmk-user "`dd if=/dev/urandom bs=1 count=32 2>/dev/null`" @u)
+# keyctl pipe "$user_key" > /etc/keys/kmk-user.blob
+# evm_key=$(keyctl add encrypted evm-key "new user:kmk-user 64" @u)
+# keyctl pipe "$evm_key" >/etc/keys/evm.blob
+# cat <<END >/etc/sysconfig/masterkey
+MASTERKEYTYPE="user"
+MASTERKEY="/etc/keys/kmk-user.blob"
+END
+# cat <<END >/etc/sysconfig/evm
+EVMKEY="/etc/keys/evm.blob"
+END
+# mount -t securityfs security /sys/kernel/security
+# echo 1 >/sys/kernel/security/evm
+```
+
+* Go back to the installation summary screen and start the installation
+* During the installation execute the following commands from the console:
+```
+# cp -r /etc/keys /mnt/etc/ # Debian based distributions: use /target instead of /mnt
+# cp /etc/sysconfig/{evm,masterkey} /mnt/etc/sysconfig/
+```
+
+This should work on any distribution using dracut.
+Loading EVM keys is also possible with initramfs-tools (Debian based distributions).
+
+Of course it's possible to install OS usual way, add keys later and fix missing xattrs with:
+```
+evmctl -r ima_fix /
+```
+
+or with `find` if evmctl not available:
+```
+find / \( -fstype rootfs -o -fstype ext4 -o -fstype btrfs -o -fstype xfs \) -exec sh -c "< '{}'" \;
+```
+Again, fixing requires `ima_policy=appraise_tcb ima_appraise=fix evm=fix` kernel parameters.
diff --git a/testcases/kernel/security/integrity/ima/tests/evm_overlay.sh b/testcases/kernel/security/integrity/ima/tests/evm_overlay.sh
new file mode 100755
index 000000000..024b03917
--- /dev/null
+++ b/testcases/kernel/security/integrity/ima/tests/evm_overlay.sh
@@ -0,0 +1,93 @@
+#!/bin/sh
+# Copyright (c) 2019 Petr Vorel <pvorel@suse.cz>
+# Based on reproducer and further discussion with Ignaz Forster <iforster@suse.de>
+# Reproducer for not upstreamed patchset [1] and previous report [2].
+# [1] https://www.spinics.net/lists/linux-integrity/msg05926.html
+# [2] https://www.spinics.net/lists/linux-integrity/msg03593.html
+
+TST_SETUP="setup"
+TST_CLEANUP="cleanup"
+TST_NEEDS_DEVICE=1
+TST_CNT=4
+. ima_setup.sh
+
+setup()
+{
+	EVM_FILE="/sys/kernel/security/evm"
+
+	[ -f "$EVM_FILE" ] || tst_brk TCONF "EVM not enabled in kernel"
+	[ $(cat $EVM_FILE) -eq 1 ] || tst_brk TCONF "EVM not enabled for this boot"
+
+	check_ima_policy "appraise_tcb"
+
+	lower="$TST_MNTPOINT/lower"
+	upper="$TST_MNTPOINT/upper"
+	work="$TST_MNTPOINT/work"
+	merged="$TST_MNTPOINT/merged"
+	mkdir -p $lower $upper $work $merged
+
+	device_backup="$TST_DEVICE"
+	TST_DEVICE="overlay"
+
+	fs_type_backup="$TST_FS_TYPE"
+	TST_FS_TYPE="overlay"
+
+	mntpoint_backup="$TST_MNTPOINT"
+	TST_MNTPOINT="$merged"
+
+	params_backup="$TST_MNT_PARAMS"
+	TST_MNT_PARAMS="-o lowerdir=$lower,upperdir=$upper,workdir=$work"
+
+	tst_mount
+	mounted=1
+}
+
+test1()
+{
+	local file="foo1.txt"
+
+	tst_res TINFO "overwrite file in overlay"
+	EXPECT_PASS echo lower \> $lower/$file
+	EXPECT_PASS echo overlay \> $merged/$file
+}
+
+test2()
+{
+	local file="foo2.txt"
+
+	tst_res TINFO "append file in overlay"
+	EXPECT_PASS echo lower \> $lower/$file
+	EXPECT_PASS echo overlay \>\> $merged/$file
+}
+
+test3()
+{
+	local file="foo3.txt"
+
+	tst_res TINFO "create a new file in overlay"
+	EXPECT_PASS echo overlay \> $merged/$file
+}
+
+test4()
+{
+	local f
+
+	tst_res TINFO "read all created files"
+	for f in $(find $TST_MNTPOINT -type f); do
+		EXPECT_PASS cat $f \> /dev/null 2\> /dev/null
+	done
+}
+
+cleanup()
+{
+	[ -n "$mounted" ] || return 0
+
+	tst_umount $TST_DEVICE
+
+	TST_DEVICE="$device_backup"
+	TST_FS_TYPE="$fs_type_backup"
+	TST_MNTPOINT="$mntpoint_backup"
+	TST_MNT_PARAMS="$params_backup"
+}
+
+tst_run
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
index 606034fec..529b77529 100644
--- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
@@ -66,14 +66,14 @@ print_ima_config()
 	local config="/boot/config-$(uname -r)"
 	local i
 
-	tst_res TINFO "/proc/cmdline: $(cat /proc/cmdline)"
-
 	if [ -r "$config" ]; then
 		tst_res TINFO "IMA kernel config:"
 		for i in $(grep ^CONFIG_IMA $config); do
 			tst_res TINFO "$i"
 		done
 	fi
+
+	tst_res TINFO "/proc/cmdline: $(cat /proc/cmdline)"
 }
 
 ima_setup()
-- 
2.21.0

Re: [PATCH v4 3/4] ima/ima_measurements.sh: Require builtin IMA tcb policy

[Ignaz Forster]

Hi Petr,

Am 13.06.19 um 18:14 Uhr schrieb Petr Vorel:
> Although custom policy which may contain the equivalent measurement
> tcb rules can be loaded via dracut, systemd or later manually from
> user space, detecting it would require IMA_READ_POLICY=y. In order
> to simplify the check and avoid false positives lets ignore this
> option and require builtin IMA tcb policy.
> 
> Create check_ima_policy() helper in ima_setup.sh, so it can be reused in
> other tests.
> 
> + Use SPDX license identifier
> 
> Signed-off-by: Petr Vorel <pvorel@suse.cz>
> ---
>   .../integrity/ima/tests/ima_measurements.sh   | 23 ++++----------
>   .../security/integrity/ima/tests/ima_setup.sh | 30 ++++++++++---------
>   2 files changed, 21 insertions(+), 32 deletions(-)
> 
> diff --git a/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh b/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh
> index 328affc43..1b9ed85b8 100755
> --- a/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh
> +++ b/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh
> @@ -1,19 +1,7 @@
>   #!/bin/sh
>   # Copyright (c) 2009 IBM Corporation
> -# Copyright (c) 2018 Petr Vorel <pvorel@suse.cz>
> -#
> -# This program is free software; you can redistribute it and/or
> -# modify it under the terms of the GNU General Public License as
> -# published by the Free Software Foundation; either version 2 of
> -# the License, or (at your option) any later version.
> -#
> -# This program is distributed in the hope that it would be useful,
> -# but WITHOUT ANY WARRANTY; without even the implied warranty of
> -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
> -# GNU General Public License for more details.
> -#
> -# You should have received a copy of the GNU General Public License
> -# along with this program. If not, see <http://www.gnu.org/licenses/>.
> +# Copyright (c) 2018-2019 Petr Vorel <pvorel@suse.cz>
> +# SPDX-License-Identifier: GPL-2.0-or-later
>   #
>   # Author: Mimi Zohar, zohar@ibm.vnet.ibm.com
>   #
> @@ -28,16 +16,17 @@ TST_NEEDS_DEVICE=1
>   
>   setup()
>   {
> -	TEST_FILE="$PWD/test.txt"
> +	check_ima_policy "tcb"
>   
> +	TEST_FILE="$PWD/test.txt"
>   	POLICY="$IMA_DIR/policy"
>   	[ -f "$POLICY" ] || tst_res TINFO "not using default policy"
> -
>   	DIGEST_INDEX=
>   
>   	local template="$(tail -1 $ASCII_MEASUREMENTS | cut -d' ' -f 3)"
>   	local i
>   
> +	# parse digest index
>   	# https://www.kernel.org/doc/html/latest/security/IMA-templates.html#use
>   	case "$template" in
>   	ima|ima-ng|ima-sig) DIGEST_INDEX=4 ;;
> @@ -56,8 +45,6 @@ setup()
>   
>   	[ -z "$DIGEST_INDEX" ] && tst_brk TCONF \
>   		"Cannot find digest index (template: '$template')"
> -
> -	tst_res TINFO "IMA measurement tests assume tcb policy to be loaded (ima_policy=tcb)"
>   }
>   
>   # TODO: find support for rmd128 rmd256 rmd320 wp256 wp384 tgr128 tgr160
> diff --git a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
> index da49eb1b2..606034fec 100644
> --- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
> +++ b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
> @@ -1,19 +1,7 @@
>   #!/bin/sh
>   # Copyright (c) 2009 IBM Corporation
> -# Copyright (c) 2018 Petr Vorel <pvorel@suse.cz>
> -#
> -# This program is free software; you can redistribute it and/or
> -# modify it under the terms of the GNU General Public License as
> -# published by the Free Software Foundation; either version 2 of
> -# the License, or (at your option) any later version.
> -#
> -# This program is distributed in the hope that it would be useful,
> -# but WITHOUT ANY WARRANTY; without even the implied warranty of
> -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
> -# GNU General Public License for more details.
> -#
> -# You should have received a copy of the GNU General Public License
> -# along with this program. If not, see <http://www.gnu.org/licenses/>.
> +# Copyright (c) 2018-2019 Petr Vorel <pvorel@suse.cz>
> +# SPDX-License-Identifier: GPL-2.0-or-later
>   #
>   # Author: Mimi Zohar, zohar@ibm.vnet.ibm.com
>   
> @@ -31,6 +19,20 @@ SYSFS="/sys"
>   UMOUNT=
>   TST_FS_TYPE="ext3"
>   
> +check_ima_policy()
> +{
> +	local policy="$1"
> +	local i
> +
> +	grep -q "ima_$policy" /proc/cmdline && return
> +	for i in $(cat /proc/cmdline); do
> +		if grep -q '^ima_policy=' $i; then

$i will not contain a file, which grep will expect here. I guess you 
meant to echo the variable instead?

Ignaz

> +			grep -e "|[ ]*$policy" -e "$policy[ ]*|" -e "=$policy" $i && return
> +		fi
> +	done
> +	tst_brk TCONF "IMA measurement tests require builtin IMA $policy policy (e.g. ima_policy=$policy kernel parameter)"
> +}
> +
>   mount_helper()
>   {
>   	local type="$1"
> 

[LTP] [PATCH v4 3/4] ima/ima_measurements.sh: Require builtin IMA tcb policy

[Ignaz Forster]

Hi Petr,

Am 13.06.19 um 18:14 Uhr schrieb Petr Vorel:
> Although custom policy which may contain the equivalent measurement
> tcb rules can be loaded via dracut, systemd or later manually from
> user space, detecting it would require IMA_READ_POLICY=y. In order
> to simplify the check and avoid false positives lets ignore this
> option and require builtin IMA tcb policy.
> 
> Create check_ima_policy() helper in ima_setup.sh, so it can be reused in
> other tests.
> 
> + Use SPDX license identifier
> 
> Signed-off-by: Petr Vorel <pvorel@suse.cz>
> ---
>   .../integrity/ima/tests/ima_measurements.sh   | 23 ++++----------
>   .../security/integrity/ima/tests/ima_setup.sh | 30 ++++++++++---------
>   2 files changed, 21 insertions(+), 32 deletions(-)
> 
> diff --git a/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh b/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh
> index 328affc43..1b9ed85b8 100755
> --- a/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh
> +++ b/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh
> @@ -1,19 +1,7 @@
>   #!/bin/sh
>   # Copyright (c) 2009 IBM Corporation
> -# Copyright (c) 2018 Petr Vorel <pvorel@suse.cz>
> -#
> -# This program is free software; you can redistribute it and/or
> -# modify it under the terms of the GNU General Public License as
> -# published by the Free Software Foundation; either version 2 of
> -# the License, or (at your option) any later version.
> -#
> -# This program is distributed in the hope that it would be useful,
> -# but WITHOUT ANY WARRANTY; without even the implied warranty of
> -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
> -# GNU General Public License for more details.
> -#
> -# You should have received a copy of the GNU General Public License
> -# along with this program. If not, see <http://www.gnu.org/licenses/>.
> +# Copyright (c) 2018-2019 Petr Vorel <pvorel@suse.cz>
> +# SPDX-License-Identifier: GPL-2.0-or-later
>   #
>   # Author: Mimi Zohar, zohar@ibm.vnet.ibm.com
>   #
> @@ -28,16 +16,17 @@ TST_NEEDS_DEVICE=1
>   
>   setup()
>   {
> -	TEST_FILE="$PWD/test.txt"
> +	check_ima_policy "tcb"
>   
> +	TEST_FILE="$PWD/test.txt"
>   	POLICY="$IMA_DIR/policy"
>   	[ -f "$POLICY" ] || tst_res TINFO "not using default policy"
> -
>   	DIGEST_INDEX=
>   
>   	local template="$(tail -1 $ASCII_MEASUREMENTS | cut -d' ' -f 3)"
>   	local i
>   
> +	# parse digest index
>   	# https://www.kernel.org/doc/html/latest/security/IMA-templates.html#use
>   	case "$template" in
>   	ima|ima-ng|ima-sig) DIGEST_INDEX=4 ;;
> @@ -56,8 +45,6 @@ setup()
>   
>   	[ -z "$DIGEST_INDEX" ] && tst_brk TCONF \
>   		"Cannot find digest index (template: '$template')"
> -
> -	tst_res TINFO "IMA measurement tests assume tcb policy to be loaded (ima_policy=tcb)"
>   }
>   
>   # TODO: find support for rmd128 rmd256 rmd320 wp256 wp384 tgr128 tgr160
> diff --git a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
> index da49eb1b2..606034fec 100644
> --- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
> +++ b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
> @@ -1,19 +1,7 @@
>   #!/bin/sh
>   # Copyright (c) 2009 IBM Corporation
> -# Copyright (c) 2018 Petr Vorel <pvorel@suse.cz>
> -#
> -# This program is free software; you can redistribute it and/or
> -# modify it under the terms of the GNU General Public License as
> -# published by the Free Software Foundation; either version 2 of
> -# the License, or (at your option) any later version.
> -#
> -# This program is distributed in the hope that it would be useful,
> -# but WITHOUT ANY WARRANTY; without even the implied warranty of
> -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
> -# GNU General Public License for more details.
> -#
> -# You should have received a copy of the GNU General Public License
> -# along with this program. If not, see <http://www.gnu.org/licenses/>.
> +# Copyright (c) 2018-2019 Petr Vorel <pvorel@suse.cz>
> +# SPDX-License-Identifier: GPL-2.0-or-later
>   #
>   # Author: Mimi Zohar, zohar@ibm.vnet.ibm.com
>   
> @@ -31,6 +19,20 @@ SYSFS="/sys"
>   UMOUNT=
>   TST_FS_TYPE="ext3"
>   
> +check_ima_policy()
> +{
> +	local policy="$1"
> +	local i
> +
> +	grep -q "ima_$policy" /proc/cmdline && return
> +	for i in $(cat /proc/cmdline); do
> +		if grep -q '^ima_policy=' $i; then

$i will not contain a file, which grep will expect here. I guess you 
meant to echo the variable instead?

Ignaz

> +			grep -e "|[ ]*$policy" -e "$policy[ ]*|" -e "=$policy" $i && return
> +		fi
> +	done
> +	tst_brk TCONF "IMA measurement tests require builtin IMA $policy policy (e.g. ima_policy=$policy kernel parameter)"
> +}
> +
>   mount_helper()
>   {
>   	local type="$1"
> 

Re: [PATCH v4 4/4] ima: Add overlay test + doc

[Ignaz Forster]

Am 13.06.19 um 18:14 Uhr schrieb Petr Vorel:
> test demonstrate a bug on overlayfs on current mainline kernel when
> combining IMA with EVM.
> 
> Based on reproducer made by Ignaz Forster <iforster@suse.de>
> used for not upstreamed patchset [1] and previous report [2].
> IMA only behavior has already been fixed [3].
> 
> NOTE: backup variables are needed because ima_setup.sh calling
> tst_mount as well when TMPDIR is on tmpfs device.
> 
> Documentation is based on Ignaz Forster instructions for openSUSE [4].
> 
> [1] https://www.spinics.net/lists/linux-integrity/msg05926.html
> [2] https://www.spinics.net/lists/linux-integrity/msg03593.html
> [3] https://patchwork.kernel.org/patch/10776231/
> [4] http://lists.linux.it/pipermail/ltp/2019-May/011956.html
> 
> Tested-by: Ignaz Forster <iforster@suse.de>
> Acked-by: Mimi Zohar <zohar@linux.ibm.com>
> Signed-off-by: Petr Vorel <pvorel@suse.cz>
> ---
>   runtest/ima                                   |  1 +
>   .../security/integrity/ima/tests/README.md    | 83 +++++++++++++++++
>   .../integrity/ima/tests/evm_overlay.sh        | 93 +++++++++++++++++++
>   .../security/integrity/ima/tests/ima_setup.sh |  4 +-
>   4 files changed, 179 insertions(+), 2 deletions(-)
>   create mode 100644 testcases/kernel/security/integrity/ima/tests/README.md
>   create mode 100755 testcases/kernel/security/integrity/ima/tests/evm_overlay.sh
> 
> diff --git a/runtest/ima b/runtest/ima
> index bcae16bb7..f3ea88cf0 100644
> --- a/runtest/ima
> +++ b/runtest/ima
> @@ -3,3 +3,4 @@ ima_measurements ima_measurements.sh
>   ima_policy ima_policy.sh
>   ima_tpm ima_tpm.sh
>   ima_violations ima_violations.sh
> +evm_overlay evm_overlay.sh
> diff --git a/testcases/kernel/security/integrity/ima/tests/README.md b/testcases/kernel/security/integrity/ima/tests/README.md
> new file mode 100644
> index 000000000..961b68a38
> --- /dev/null
> +++ b/testcases/kernel/security/integrity/ima/tests/README.md
> @@ -0,0 +1,83 @@
> +IMA + EVM testing
> +=================
> +
> +IMA tests
> +---------
> +
> +`ima_measurements.sh` require builtin IMA tcb policy to be loaded
> +(`ima_policy=tcb` or `ima_policy=appraise_tcb` kernel parameter).

This test requires "appraise_tcb" ("tcb" is not enough), as the errors 
only occur during appraisal.

> +Although custom policy which contains which may contain the equivalent
> +measurement tcb rules can be loaded via dracut, systemd or later manually
> +from user space, detecting it would require `IMA_READ_POLICY=y` therefore
> +ignore this option.

I guess this should be
"Although a custom policy, loaded via dracut, systemd or manually from 
user space, may contain equivalent measurement tcb rules, detecting them 
would [...]"

> +Mandatory kernel configuration for IMA:
> +```
> +CONFIG_INTEGRITY=y
> +CONFIG_IMA=y
> +```
> +
> +EVM tests
> +---------
> +
> +`evm_overlay.sh` requires to builtin IMA appraise tcb policy (e.g. `ima_policy=appraise_tcb`                              ^^
                              a

> +kernel parameter) which appraises the integrity of all files owned by root and EVM setup.
> +Again, for simplicity ignore possibility to load reuired rules via custom policy.
                                                       ^q

> +Mandatory kernel configuration for IMA & EVM:
> +```
> +CONFIG_INTEGRITY=y
> +CONFIG_INTEGRITY_SIGNATURE=y
> +CONFIG_IMA=y
> +CONFIG_IMA_APPRAISE=y
> +CONFIG_EVM=y
> +CONFIG_KEYS=y
> +CONFIG_TRUSTED_KEYS=y
> +CONFIG_ENCRYPTED_KEYS=y
> +```
> +
> +Example of installing IMA + EVM on openSUSE:
> +
> +* Boot install system with `ima_policy=appraise_tcb ima_appraise=fix evm=fix` kernel parameters

I was missing the measurement option. ima_policy should have been
ima_policy='tcb|appraise_tcb' for the statement below to be true.

> +  (for IMA measurement, IMA appraisal and EVM protection)
> +* Proceed with installation until summary screen, but do not start the installation yet
> +* Select package `dracut-ima` (required for early boot EVM support) for installation
> +  (Debian based distros already contain IMA + EVM support in `dracut` package)
> +* Change to a console window and run commands to generate keys required by EVM:
> +```
> +# mkdir /etc/keys
> +# user_key=$(keyctl add user kmk-user "`dd if=/dev/urandom bs=1 count=32 2>/dev/null`" @u)
> +# keyctl pipe "$user_key" > /etc/keys/kmk-user.blob
> +# evm_key=$(keyctl add encrypted evm-key "new user:kmk-user 64" @u)
> +# keyctl pipe "$evm_key" >/etc/keys/evm.blob
> +# cat <<END >/etc/sysconfig/masterkey
> +MASTERKEYTYPE="user"
> +MASTERKEY="/etc/keys/kmk-user.blob"
> +END
> +# cat <<END >/etc/sysconfig/evm
> +EVMKEY="/etc/keys/evm.blob"
> +END
> +# mount -t securityfs security /sys/kernel/security
> +# echo 1 >/sys/kernel/security/evm
> +```
> +
> +* Go back to the installation summary screen and start the installation
> +* During the installation execute the following commands from the console:
> +```
> +# cp -r /etc/keys /mnt/etc/ # Debian based distributions: use /target instead of /mnt
> +# cp /etc/sysconfig/{evm,masterkey} /mnt/etc/sysconfig/
> +```
> +
> +This should work on any distribution using dracut.
> +Loading EVM keys is also possible with initramfs-tools (Debian based distributions).
> +
> +Of course it's possible to install OS usual way, add keys later and fix missing xattrs with:
> +```
> +evmctl -r ima_fix /
> +```
> +
> +or with `find` if evmctl not available:
                            ^
                            is

> +```
> +find / \( -fstype rootfs -o -fstype ext4 -o -fstype btrfs -o -fstype xfs \) -exec sh -c "< '{}'" \;
> +```
> +Again, fixing requires `ima_policy=appraise_tcb ima_appraise=fix evm=fix` kernel parameters.

Maybe also add the tcb option for measurement here.

Ignaz

> diff --git a/testcases/kernel/security/integrity/ima/tests/evm_overlay.sh b/testcases/kernel/security/integrity/ima/tests/evm_overlay.sh
> new file mode 100755
> index 000000000..024b03917
> --- /dev/null
> +++ b/testcases/kernel/security/integrity/ima/tests/evm_overlay.sh
> @@ -0,0 +1,93 @@
> +#!/bin/sh
> +# Copyright (c) 2019 Petr Vorel <pvorel@suse.cz>
> +# Based on reproducer and further discussion with Ignaz Forster <iforster@suse.de>
> +# Reproducer for not upstreamed patchset [1] and previous report [2].
> +# [1] https://www.spinics.net/lists/linux-integrity/msg05926.html
> +# [2] https://www.spinics.net/lists/linux-integrity/msg03593.html
> +
> +TST_SETUP="setup"
> +TST_CLEANUP="cleanup"
> +TST_NEEDS_DEVICE=1
> +TST_CNT=4
> +. ima_setup.sh
> +
> +setup()
> +{
> +	EVM_FILE="/sys/kernel/security/evm"
> +
> +	[ -f "$EVM_FILE" ] || tst_brk TCONF "EVM not enabled in kernel"
> +	[ $(cat $EVM_FILE) -eq 1 ] || tst_brk TCONF "EVM not enabled for this boot"
> +
> +	check_ima_policy "appraise_tcb"
> +
> +	lower="$TST_MNTPOINT/lower"
> +	upper="$TST_MNTPOINT/upper"
> +	work="$TST_MNTPOINT/work"
> +	merged="$TST_MNTPOINT/merged"
> +	mkdir -p $lower $upper $work $merged
> +
> +	device_backup="$TST_DEVICE"
> +	TST_DEVICE="overlay"
> +
> +	fs_type_backup="$TST_FS_TYPE"
> +	TST_FS_TYPE="overlay"
> +
> +	mntpoint_backup="$TST_MNTPOINT"
> +	TST_MNTPOINT="$merged"
> +
> +	params_backup="$TST_MNT_PARAMS"
> +	TST_MNT_PARAMS="-o lowerdir=$lower,upperdir=$upper,workdir=$work"
> +
> +	tst_mount
> +	mounted=1
> +}
> +
> +test1()
> +{
> +	local file="foo1.txt"
> +
> +	tst_res TINFO "overwrite file in overlay"
> +	EXPECT_PASS echo lower \> $lower/$file
> +	EXPECT_PASS echo overlay \> $merged/$file
> +}
> +
> +test2()
> +{
> +	local file="foo2.txt"
> +
> +	tst_res TINFO "append file in overlay"
> +	EXPECT_PASS echo lower \> $lower/$file
> +	EXPECT_PASS echo overlay \>\> $merged/$file
> +}
> +
> +test3()
> +{
> +	local file="foo3.txt"
> +
> +	tst_res TINFO "create a new file in overlay"
> +	EXPECT_PASS echo overlay \> $merged/$file
> +}
> +
> +test4()
> +{
> +	local f
> +
> +	tst_res TINFO "read all created files"
> +	for f in $(find $TST_MNTPOINT -type f); do
> +		EXPECT_PASS cat $f \> /dev/null 2\> /dev/null
> +	done
> +}
> +
> +cleanup()
> +{
> +	[ -n "$mounted" ] || return 0
> +
> +	tst_umount $TST_DEVICE
> +
> +	TST_DEVICE="$device_backup"
> +	TST_FS_TYPE="$fs_type_backup"
> +	TST_MNTPOINT="$mntpoint_backup"
> +	TST_MNT_PARAMS="$params_backup"
> +}
> +
> +tst_run
> diff --git a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
> index 606034fec..529b77529 100644
> --- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
> +++ b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
> @@ -66,14 +66,14 @@ print_ima_config()
>   	local config="/boot/config-$(uname -r)"
>   	local i
>   
> -	tst_res TINFO "/proc/cmdline: $(cat /proc/cmdline)"
> -
>   	if [ -r "$config" ]; then
>   		tst_res TINFO "IMA kernel config:"
>   		for i in $(grep ^CONFIG_IMA $config); do
>   			tst_res TINFO "$i"
>   		done
>   	fi
> +
> +	tst_res TINFO "/proc/cmdline: $(cat /proc/cmdline)"
>   }
>   
>   ima_setup()
> 

[LTP] [PATCH v4 4/4] ima: Add overlay test + doc

[Ignaz Forster]

Am 13.06.19 um 18:14 Uhr schrieb Petr Vorel:
> test demonstrate a bug on overlayfs on current mainline kernel when
> combining IMA with EVM.
> 
> Based on reproducer made by Ignaz Forster <iforster@suse.de>
> used for not upstreamed patchset [1] and previous report [2].
> IMA only behavior has already been fixed [3].
> 
> NOTE: backup variables are needed because ima_setup.sh calling
> tst_mount as well when TMPDIR is on tmpfs device.
> 
> Documentation is based on Ignaz Forster instructions for openSUSE [4].
> 
> [1] https://www.spinics.net/lists/linux-integrity/msg05926.html
> [2] https://www.spinics.net/lists/linux-integrity/msg03593.html
> [3] https://patchwork.kernel.org/patch/10776231/
> [4] http://lists.linux.it/pipermail/ltp/2019-May/011956.html
> 
> Tested-by: Ignaz Forster <iforster@suse.de>
> Acked-by: Mimi Zohar <zohar@linux.ibm.com>
> Signed-off-by: Petr Vorel <pvorel@suse.cz>
> ---
>   runtest/ima                                   |  1 +
>   .../security/integrity/ima/tests/README.md    | 83 +++++++++++++++++
>   .../integrity/ima/tests/evm_overlay.sh        | 93 +++++++++++++++++++
>   .../security/integrity/ima/tests/ima_setup.sh |  4 +-
>   4 files changed, 179 insertions(+), 2 deletions(-)
>   create mode 100644 testcases/kernel/security/integrity/ima/tests/README.md
>   create mode 100755 testcases/kernel/security/integrity/ima/tests/evm_overlay.sh
> 
> diff --git a/runtest/ima b/runtest/ima
> index bcae16bb7..f3ea88cf0 100644
> --- a/runtest/ima
> +++ b/runtest/ima
> @@ -3,3 +3,4 @@ ima_measurements ima_measurements.sh
>   ima_policy ima_policy.sh
>   ima_tpm ima_tpm.sh
>   ima_violations ima_violations.sh
> +evm_overlay evm_overlay.sh
> diff --git a/testcases/kernel/security/integrity/ima/tests/README.md b/testcases/kernel/security/integrity/ima/tests/README.md
> new file mode 100644
> index 000000000..961b68a38
> --- /dev/null
> +++ b/testcases/kernel/security/integrity/ima/tests/README.md
> @@ -0,0 +1,83 @@
> +IMA + EVM testing
> +=================
> +
> +IMA tests
> +---------
> +
> +`ima_measurements.sh` require builtin IMA tcb policy to be loaded
> +(`ima_policy=tcb` or `ima_policy=appraise_tcb` kernel parameter).

This test requires "appraise_tcb" ("tcb" is not enough), as the errors 
only occur during appraisal.

> +Although custom policy which contains which may contain the equivalent
> +measurement tcb rules can be loaded via dracut, systemd or later manually
> +from user space, detecting it would require `IMA_READ_POLICY=y` therefore
> +ignore this option.

I guess this should be
"Although a custom policy, loaded via dracut, systemd or manually from 
user space, may contain equivalent measurement tcb rules, detecting them 
would [...]"

> +Mandatory kernel configuration for IMA:
> +```
> +CONFIG_INTEGRITY=y
> +CONFIG_IMA=y
> +```
> +
> +EVM tests
> +---------
> +
> +`evm_overlay.sh` requires to builtin IMA appraise tcb policy (e.g. `ima_policy=appraise_tcb`                              ^^
                              a

> +kernel parameter) which appraises the integrity of all files owned by root and EVM setup.
> +Again, for simplicity ignore possibility to load reuired rules via custom policy.
                                                       ^q

> +Mandatory kernel configuration for IMA & EVM:
> +```
> +CONFIG_INTEGRITY=y
> +CONFIG_INTEGRITY_SIGNATURE=y
> +CONFIG_IMA=y
> +CONFIG_IMA_APPRAISE=y
> +CONFIG_EVM=y
> +CONFIG_KEYS=y
> +CONFIG_TRUSTED_KEYS=y
> +CONFIG_ENCRYPTED_KEYS=y
> +```
> +
> +Example of installing IMA + EVM on openSUSE:
> +
> +* Boot install system with `ima_policy=appraise_tcb ima_appraise=fix evm=fix` kernel parameters

I was missing the measurement option. ima_policy should have been
ima_policy='tcb|appraise_tcb' for the statement below to be true.

> +  (for IMA measurement, IMA appraisal and EVM protection)
> +* Proceed with installation until summary screen, but do not start the installation yet
> +* Select package `dracut-ima` (required for early boot EVM support) for installation
> +  (Debian based distros already contain IMA + EVM support in `dracut` package)
> +* Change to a console window and run commands to generate keys required by EVM:
> +```
> +# mkdir /etc/keys
> +# user_key=$(keyctl add user kmk-user "`dd if=/dev/urandom bs=1 count=32 2>/dev/null`" @u)
> +# keyctl pipe "$user_key" > /etc/keys/kmk-user.blob
> +# evm_key=$(keyctl add encrypted evm-key "new user:kmk-user 64" @u)
> +# keyctl pipe "$evm_key" >/etc/keys/evm.blob
> +# cat <<END >/etc/sysconfig/masterkey
> +MASTERKEYTYPE="user"
> +MASTERKEY="/etc/keys/kmk-user.blob"
> +END
> +# cat <<END >/etc/sysconfig/evm
> +EVMKEY="/etc/keys/evm.blob"
> +END
> +# mount -t securityfs security /sys/kernel/security
> +# echo 1 >/sys/kernel/security/evm
> +```
> +
> +* Go back to the installation summary screen and start the installation
> +* During the installation execute the following commands from the console:
> +```
> +# cp -r /etc/keys /mnt/etc/ # Debian based distributions: use /target instead of /mnt
> +# cp /etc/sysconfig/{evm,masterkey} /mnt/etc/sysconfig/
> +```
> +
> +This should work on any distribution using dracut.
> +Loading EVM keys is also possible with initramfs-tools (Debian based distributions).
> +
> +Of course it's possible to install OS usual way, add keys later and fix missing xattrs with:
> +```
> +evmctl -r ima_fix /
> +```
> +
> +or with `find` if evmctl not available:
                            ^
                            is

> +```
> +find / \( -fstype rootfs -o -fstype ext4 -o -fstype btrfs -o -fstype xfs \) -exec sh -c "< '{}'" \;
> +```
> +Again, fixing requires `ima_policy=appraise_tcb ima_appraise=fix evm=fix` kernel parameters.

Maybe also add the tcb option for measurement here.

Ignaz

> diff --git a/testcases/kernel/security/integrity/ima/tests/evm_overlay.sh b/testcases/kernel/security/integrity/ima/tests/evm_overlay.sh
> new file mode 100755
> index 000000000..024b03917
> --- /dev/null
> +++ b/testcases/kernel/security/integrity/ima/tests/evm_overlay.sh
> @@ -0,0 +1,93 @@
> +#!/bin/sh
> +# Copyright (c) 2019 Petr Vorel <pvorel@suse.cz>
> +# Based on reproducer and further discussion with Ignaz Forster <iforster@suse.de>
> +# Reproducer for not upstreamed patchset [1] and previous report [2].
> +# [1] https://www.spinics.net/lists/linux-integrity/msg05926.html
> +# [2] https://www.spinics.net/lists/linux-integrity/msg03593.html
> +
> +TST_SETUP="setup"
> +TST_CLEANUP="cleanup"
> +TST_NEEDS_DEVICE=1
> +TST_CNT=4
> +. ima_setup.sh
> +
> +setup()
> +{
> +	EVM_FILE="/sys/kernel/security/evm"
> +
> +	[ -f "$EVM_FILE" ] || tst_brk TCONF "EVM not enabled in kernel"
> +	[ $(cat $EVM_FILE) -eq 1 ] || tst_brk TCONF "EVM not enabled for this boot"
> +
> +	check_ima_policy "appraise_tcb"
> +
> +	lower="$TST_MNTPOINT/lower"
> +	upper="$TST_MNTPOINT/upper"
> +	work="$TST_MNTPOINT/work"
> +	merged="$TST_MNTPOINT/merged"
> +	mkdir -p $lower $upper $work $merged
> +
> +	device_backup="$TST_DEVICE"
> +	TST_DEVICE="overlay"
> +
> +	fs_type_backup="$TST_FS_TYPE"
> +	TST_FS_TYPE="overlay"
> +
> +	mntpoint_backup="$TST_MNTPOINT"
> +	TST_MNTPOINT="$merged"
> +
> +	params_backup="$TST_MNT_PARAMS"
> +	TST_MNT_PARAMS="-o lowerdir=$lower,upperdir=$upper,workdir=$work"
> +
> +	tst_mount
> +	mounted=1
> +}
> +
> +test1()
> +{
> +	local file="foo1.txt"
> +
> +	tst_res TINFO "overwrite file in overlay"
> +	EXPECT_PASS echo lower \> $lower/$file
> +	EXPECT_PASS echo overlay \> $merged/$file
> +}
> +
> +test2()
> +{
> +	local file="foo2.txt"
> +
> +	tst_res TINFO "append file in overlay"
> +	EXPECT_PASS echo lower \> $lower/$file
> +	EXPECT_PASS echo overlay \>\> $merged/$file
> +}
> +
> +test3()
> +{
> +	local file="foo3.txt"
> +
> +	tst_res TINFO "create a new file in overlay"
> +	EXPECT_PASS echo overlay \> $merged/$file
> +}
> +
> +test4()
> +{
> +	local f
> +
> +	tst_res TINFO "read all created files"
> +	for f in $(find $TST_MNTPOINT -type f); do
> +		EXPECT_PASS cat $f \> /dev/null 2\> /dev/null
> +	done
> +}
> +
> +cleanup()
> +{
> +	[ -n "$mounted" ] || return 0
> +
> +	tst_umount $TST_DEVICE
> +
> +	TST_DEVICE="$device_backup"
> +	TST_FS_TYPE="$fs_type_backup"
> +	TST_MNTPOINT="$mntpoint_backup"
> +	TST_MNT_PARAMS="$params_backup"
> +}
> +
> +tst_run
> diff --git a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
> index 606034fec..529b77529 100644
> --- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
> +++ b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
> @@ -66,14 +66,14 @@ print_ima_config()
>   	local config="/boot/config-$(uname -r)"
>   	local i
>   
> -	tst_res TINFO "/proc/cmdline: $(cat /proc/cmdline)"
> -
>   	if [ -r "$config" ]; then
>   		tst_res TINFO "IMA kernel config:"
>   		for i in $(grep ^CONFIG_IMA $config); do
>   			tst_res TINFO "$i"
>   		done
>   	fi
> +
> +	tst_res TINFO "/proc/cmdline: $(cat /proc/cmdline)"
>   }
>   
>   ima_setup()
> 

Re: [PATCH v4 4/4] ima: Add overlay test + doc

[Petr Vorel]

Hi Ignaz,

thanks for pointing out all the typos and wrong grep (previous patch).
Going to sent v5 with fixes. Just one question below.

...
> > +++ b/testcases/kernel/security/integrity/ima/tests/README.md
> > @@ -0,0 +1,83 @@
> > +IMA + EVM testing
> > +=================
> > +
> > +IMA tests
> > +---------
> > +
> > +`ima_measurements.sh` require builtin IMA tcb policy to be loaded
> > +(`ima_policy=tcb` or `ima_policy=appraise_tcb` kernel parameter).

> This test requires "appraise_tcb" ("tcb" is not enough), as the errors only
> occur during appraisal.
Are you sure? This is a note for ima_measurements.sh test (not for evm_overlay.sh).
I require ima_policy=tcb here, according to Mimi [1]

Kind regards,
Petr

[1] http://lists.linux.it/pipermail/ltp/2019-June/012363.html

[LTP] [PATCH v4 4/4] ima: Add overlay test + doc

[Petr Vorel]

Hi Ignaz,

thanks for pointing out all the typos and wrong grep (previous patch).
Going to sent v5 with fixes. Just one question below.

...
> > +++ b/testcases/kernel/security/integrity/ima/tests/README.md
> > @@ -0,0 +1,83 @@
> > +IMA + EVM testing
> > +=================
> > +
> > +IMA tests
> > +---------
> > +
> > +`ima_measurements.sh` require builtin IMA tcb policy to be loaded
> > +(`ima_policy=tcb` or `ima_policy=appraise_tcb` kernel parameter).

> This test requires "appraise_tcb" ("tcb" is not enough), as the errors only
> occur during appraisal.
Are you sure? This is a note for ima_measurements.sh test (not for evm_overlay.sh).
I require ima_policy=tcb here, according to Mimi [1]

Kind regards,
Petr

[1] http://lists.linux.it/pipermail/ltp/2019-June/012363.html

Re: [PATCH v4 4/4] ima: Add overlay test + doc

[Ignaz Forster]

Am 14.06.19 um 16:14 Uhr schrieb Petr Vorel:
>>> +++ b/testcases/kernel/security/integrity/ima/tests/README.md
>>> @@ -0,0 +1,83 @@
>>> +IMA + EVM testing
>>> +=================
>>> +
>>> +IMA tests
>>> +---------
>>> +
>>> +`ima_measurements.sh` require builtin IMA tcb policy to be loaded
>>> +(`ima_policy=tcb` or `ima_policy=appraise_tcb` kernel parameter).
> 
>> This test requires "appraise_tcb" ("tcb" is not enough), as the errors only
>> occur during appraisal.
> Are you sure? This is a note for ima_measurements.sh test (not for evm_overlay.sh).
> I require ima_policy=tcb here, according to Mimi [1]

Oh, sorry, you are correct - "tcb" is correct in this case. I got 
confused as the documentation is included in the overlayfs reproducer patch.

Ignaz

[LTP] [PATCH v4 4/4] ima: Add overlay test + doc

[Ignaz Forster]

Am 14.06.19 um 16:14 Uhr schrieb Petr Vorel:
>>> +++ b/testcases/kernel/security/integrity/ima/tests/README.md
>>> @@ -0,0 +1,83 @@
>>> +IMA + EVM testing
>>> +=================
>>> +
>>> +IMA tests
>>> +---------
>>> +
>>> +`ima_measurements.sh` require builtin IMA tcb policy to be loaded
>>> +(`ima_policy=tcb` or `ima_policy=appraise_tcb` kernel parameter).
> 
>> This test requires "appraise_tcb" ("tcb" is not enough), as the errors only
>> occur during appraisal.
> Are you sure? This is a note for ima_measurements.sh test (not for evm_overlay.sh).
> I require ima_policy=tcb here, according to Mimi [1]

Oh, sorry, you are correct - "tcb" is correct in this case. I got 
confused as the documentation is included in the overlayfs reproducer patch.

Ignaz

Re: [PATCH v4 4/4] ima: Add overlay test + doc

[Petr Vorel]

Hi Ignaz,

> > > This test requires "appraise_tcb" ("tcb" is not enough), as the errors only
> > > occur during appraisal.
> > Are you sure? This is a note for ima_measurements.sh test (not for evm_overlay.sh).
> > I require ima_policy=tcb here, according to Mimi [1]

> Oh, sorry, you are correct - "tcb" is correct in this case. I got confused
> as the documentation is included in the overlayfs reproducer patch.
Maybe I should put it into separate commit.

> Ignaz

Kind regards,
Petr

[LTP] [PATCH v4 4/4] ima: Add overlay test + doc

[Petr Vorel]

Hi Ignaz,

> > > This test requires "appraise_tcb" ("tcb" is not enough), as the errors only
> > > occur during appraisal.
> > Are you sure? This is a note for ima_measurements.sh test (not for evm_overlay.sh).
> > I require ima_policy=tcb here, according to Mimi [1]

> Oh, sorry, you are correct - "tcb" is correct in this case. I got confused
> as the documentation is included in the overlayfs reproducer patch.
Maybe I should put it into separate commit.

> Ignaz

Kind regards,
Petr

Re: [LTP] [PATCH v4 4/4] ima: Add overlay test + doc

[Petr Vorel]

Hi Mimi, Ignaz,

> > > > This test requires "appraise_tcb" ("tcb" is not enough), as the errors only
> > > > occur during appraisal.
> > > Are you sure? This is a note for ima_measurements.sh test (not for evm_overlay.sh).
> > > I require ima_policy=tcb here, according to Mimi [1]

> > Oh, sorry, you are correct - "tcb" is correct in this case. I got confused
> > as the documentation is included in the overlayfs reproducer patch.
> Maybe I should put it into separate commit.
Whole patchset merged.

Thanks a lot both for your help!


Kind regards,
Petr

[LTP] [PATCH v4 4/4] ima: Add overlay test + doc

[Petr Vorel]

Hi Mimi, Ignaz,

> > > > This test requires "appraise_tcb" ("tcb" is not enough), as the errors only
> > > > occur during appraisal.
> > > Are you sure? This is a note for ima_measurements.sh test (not for evm_overlay.sh).
> > > I require ima_policy=tcb here, according to Mimi [1]

> > Oh, sorry, you are correct - "tcb" is correct in this case. I got confused
> > as the documentation is included in the overlayfs reproducer patch.
> Maybe I should put it into separate commit.
Whole patchset merged.

Thanks a lot both for your help!


Kind regards,
Petr