* [PATCH v1 0/1] ima: Add test for selinux measurement
From: Lakshmi Ramasubramanian @ 2020-09-28 19:47 UTC (permalink / raw)
  To: pvorel, zohar, stephen.smalley.work, paul; +Cc: tusharsu, ltp, linux-integrity

New functionality is being added to IMA to measure data provided by
kernel components. With this feature, IMA policy can be set to enable
measuring data provided by Linux Security Modules (LSM). Currently one
such LSM, namely selinux, is being updated to use this functionality.
This new functionality needs test automation in LTP.

This patch set adds tests which verify that the IMA subsystem correctly
measures the data provided by selinux.

This patch is based on
commit 286401a1c1f3 ("thp04: Add linux tag")
in the "master" branch of https://github.com/linux-test-project/ltp

This patch depends on the following patch series in LTP:
https://patchwork.kernel.org/patch/11802771/

This series needs a kernel built on the following repo/branch/patches:
repo: https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git
branch: next
commit 8861d0af642c ("selinux: Add helper functions to get and set checkreqprot")

And the following patch series should be applied in the following order:
  1, https://patchwork.kernel.org/patch/11709527/
  2, https://patchwork.kernel.org/patch/11795559/
  3, https://patchwork.kernel.org/patch/11801525/
  4, https://patchwork.kernel.org/patch/11801585/

Lakshmi Ramasubramanian (1):
  ima: Add test for selinux measurement

 runtest/ima                                   |   2 +
 .../kernel/security/integrity/ima/README.md   |  19 +++
 .../integrity/ima/tests/ima_selinux_policy.sh |  72 ++++++++++
 .../integrity/ima/tests/ima_selinux_state.sh  | 136 ++++++++++++++++++
 .../security/integrity/ima/tests/ima_setup.sh |  28 ++++
 5 files changed, 257 insertions(+)
 create mode 100755 testcases/kernel/security/integrity/ima/tests/ima_selinux_policy.sh
 create mode 100755 testcases/kernel/security/integrity/ima/tests/ima_selinux_state.sh

-- 
2.28.0

* [PATCH v1 1/1] ima: Add test for selinux measurement
From: Lakshmi Ramasubramanian @ 2020-09-28 19:47 UTC (permalink / raw)
  To: pvorel, zohar, stephen.smalley.work, paul; +Cc: tusharsu, ltp, linux-integrity

New functionality is being added to IMA to measure data provided by
kernel components. With this feature, IMA policy can be set to enable
measuring data provided by Linux Security Modules (LSM). Currently one
such LSM, namely selinux, is being updated to use this functionality.
This new functionality needs test automation in LTP.

Add test cases which verify that the IMA subsystem correctly measures
the data provided by selinux.

Signed-off-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
---
 runtest/ima                                   |   2 +
 .../kernel/security/integrity/ima/README.md   |  19 +++
 .../integrity/ima/tests/ima_selinux_policy.sh |  72 ++++++++++
 .../integrity/ima/tests/ima_selinux_state.sh  | 136 ++++++++++++++++++
 .../security/integrity/ima/tests/ima_setup.sh |  28 ++++
 5 files changed, 257 insertions(+)
 create mode 100755 testcases/kernel/security/integrity/ima/tests/ima_selinux_policy.sh
 create mode 100755 testcases/kernel/security/integrity/ima/tests/ima_selinux_state.sh

diff --git a/runtest/ima b/runtest/ima
index 123b6c8b0..8e60bf629 100644
--- a/runtest/ima
+++ b/runtest/ima
@@ -5,5 +5,7 @@ ima_tpm ima_tpm.sh
 ima_violations ima_violations.sh
 ima_keys ima_keys.sh
 ima_kexec ima_kexec.sh
+ima_selinux_state ima_selinux_state.sh
+ima_selinux_policy ima_selinux_policy.sh
 ima_dm_crypt ima_dm_crypt.sh
 evm_overlay evm_overlay.sh
diff --git a/testcases/kernel/security/integrity/ima/README.md b/testcases/kernel/security/integrity/ima/README.md
index 007662fae..c0644b083 100644
--- a/testcases/kernel/security/integrity/ima/README.md
+++ b/testcases/kernel/security/integrity/ima/README.md
@@ -37,6 +37,25 @@ see example in `kexec.policy`.
 The test attempts to kexec the existing running kernel image.
 To kexec a different kernel image export `IMA_KEXEC_IMAGE=<pathname>`.
 
+### IMA SELinux test
+
+To enable IMA to measure SELinux state and policy, `ima_selinux_policy.sh`
+and `ima_selinux_state.sh` require a readable IMA policy, as well as
+a loaded measure policy with
+`measure func=CRITICAL_DATA data_sources=selinux template=ima-buf`
+
+As well as what's required for the IMA tests, SELinux tests require reading
+the IMA policy allowed in the kernel configuration:
+```
+CONFIG_IMA_READ_POLICY=y
+
+```
+The following kernel configuration is also required. It enables compiling
+the Linux Security Module (LSM) namely SELinux.
+```
+CONFIG_SECURITY_SELINUX=y
+```
+
 ### IMA DM target (dm-crypt) measurement test
 
 To enable IMA to measure device-mapper target - dm-crypt,
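Review bot: the first fenced block in the new "IMA SELinux test" section (the `CONFIG_IMA_READ_POLICY=y` block) has a stray blank line before its closing fence, and the sentence introducing it ("SELinux tests require reading the IMA policy allowed in the kernel configuration") is hard to parse; suggest "the SELinux tests additionally need to read the loaded IMA policy, which requires:" followed by the option. The rule line `measure func=CRITICAL_DATA data_sources=selinux template=ima-buf` also lacks a closing full stop. Since both tests only TCONF or fail on a kernel without the selinux measurement hooks, the kernel prerequisite given in the cover letter (the pcmoore selinux.git "next" branch plus the four listed series) belongs in this section as well, so the requirement is not lost once the cover letter is gone.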
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_selinux_policy.sh b/testcases/kernel/security/integrity/ima/tests/ima_selinux_policy.sh
new file mode 100755
index 000000000..c1e81bdde
--- /dev/null
+++ b/testcases/kernel/security/integrity/ima/tests/ima_selinux_policy.sh
@@ -0,0 +1,72 @@
+#!/bin/sh
+# SPDX-License-Identifier: GPL-2.0-or-later
+# Copyright (c) 2020 Microsoft Corporation
+# Author: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
+#
+# Verify measurement of selinux policy
+
+TST_NEEDS_CMDS="cut grep tail"
+TST_CNT=1
+TST_NEEDS_DEVICE=1
+TST_SETUP="setup"
+
+. ima_setup.sh
+
+FUNC_CRITICAL_DATA='func=CRITICAL_DATA'
+TEMPLATE_BUF='template=ima-buf'
+REQUIRED_POLICY="^measure.*($FUNC_CRITICAL_DATA.*$TEMPLATE_BUF|$TEMPLATE_BUF.*$FUNC_CRITICAL_DATA)"
+
+setup()
+{
+	check_selinux_state
+
+	require_ima_policy_content "$REQUIRED_POLICY" '-E' > $TST_TMPDIR/policy.txt
+}
+
+#
+# Trigger measurement of selinux constructs and verify that
+# the measured selinux policy matches the current policy loaded
+# for selinux.
+#
+test1()
+{
+	local policy_digest expected_policy_digest algorithm
+	local data_source_name="selinux"
+	local pattern="data_sources=[^[:space:]]*$data_source_name"
+	local tmp_file="$TST_TMPDIR/selinux_policy_tmp_file.txt"
+
+	check_policy_pattern "$pattern" $FUNC_CRITICAL_DATA $TEMPLATE_BUF > $tmp_file || return
+
+	tst_res TINFO "Verifying selinux policy measurement"
+
+	#
+	# Trigger a measurement by changing selinux state
+	#
+	update_selinux_state
+
+	#
+	# Verify selinux policy is measured and then validate that 
+	# the measured policy matches the policy currently loaded
+	# for selinux
+	#
+	line=$(grep -E "selinux-policy-hash" $ASCII_MEASUREMENTS | tail -1)
+	if [ -z "$line" ]; then
+		tst_res TFAIL "selinux policy not measured"
+		return
+	fi
+
+	algorithm=$(echo "$line" | cut -d' ' -f4 | cut -d':' -f1)
+	policy_digest=$(echo "$line" | cut -d' ' -f6)
+
+	expected_policy_digest="$(compute_digest $algorithm $SELINUX_FOLDER/policy)" || \
+		tst_brk TCONF "cannot compute digest for $algorithm"
+
+	if [ "$policy_digest" != "$expected_policy_digest" ]; then
+		tst_res TFAIL "Digest mismatch. Expected $expected_policy_digest, Actual $policy_digest"
+		return
+	fi
+
+	tst_res TPASS "selinux policy measured correctly"
+}
+
+tst_run
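Review bot: in test1, `line` is assigned at `line=$(grep -E "selinux-policy-hash" $ASCII_MEASUREMENTS | tail -1)` but is missing from the `local` declaration, so it leaks into the global scope; add it to `local policy_digest expected_policy_digest algorithm`. The output redirected to `$tmp_file`, and the `policy.txt` written in setup, are never read back, so either drop the redirections or use the captured policy text in the TFAIL message. `$ASCII_MEASUREMENTS` and `$SELINUX_FOLDER/policy` should be quoted like the other paths. The expected digest is computed from `$SELINUX_FOLDER/policy` only after the measurement has been triggered, so a policy reload between the two steps shows up as a digest mismatch rather than an inconclusive result; a comment (or a second read and compare of the policy digest before and after) would make that failure mode explicit. The comment line "validate that " carries trailing whitespace.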
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_selinux_state.sh b/testcases/kernel/security/integrity/ima/tests/ima_selinux_state.sh
new file mode 100755
index 000000000..077de5081
--- /dev/null
+++ b/testcases/kernel/security/integrity/ima/tests/ima_selinux_state.sh
@@ -0,0 +1,136 @@
+#!/bin/sh
+# SPDX-License-Identifier: GPL-2.0-or-later
+# Copyright (c) 2020 Microsoft Corporation
+# Author: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
+#
+# Verify measurement of selinux state
+
+TST_NEEDS_CMDS="awk cut grep tail xxd"
+TST_CNT=1
+TST_NEEDS_DEVICE=1
+TST_SETUP="setup"
+
+. ima_setup.sh
+
+FUNC_CRITICAL_DATA='func=CRITICAL_DATA'
+TEMPLATE_BUF='template=ima-buf'
+REQUIRED_POLICY="^measure.*($FUNC_CRITICAL_DATA.*$TEMPLATE_BUF|$TEMPLATE_BUF.*$FUNC_CRITICAL_DATA)"
+
+setup()
+{
+	check_selinux_state
+
+	require_ima_policy_content "$REQUIRED_POLICY" '-E' > $TST_TMPDIR/policy.txt
+}
+
+#
+# Format of the measured selinux state data.
+#
+# initialized=1;enabled=1;enforcing=0;checkreqprot=1;
+# network_peer_controls=1;open_perms=1;extended_socket_class=1;
+# always_check_network=0;cgroup_seclabel=1;nnp_nosuid_transition=1;
+# genfs_seclabel_symlinks=0;
+#
+validate_policy_capabilities()
+{
+	local measured_cap measured_value expected_value inx result
+
+	result=1
+
+	#
+	# Policy capabilities flags start from "network_peer_controls"
+	# in the measured selinux state at offset 9 for 'awk'
+	#
+	inx=9
+	while [ $inx -lt 22 ]
+	do
+		measured_cap=$(echo $1 | awk -F'[=;]' -v inx="$inx" '{print $inx}')
+		inx=$(( $inx + 1 ))
+
+		measured_value=$(echo $1 | awk -F'[=;]' -v inx="$inx" '{print $inx}')
+		expected_value=$(cat "$SELINUX_FOLDER/policy_capabilities/$measured_cap")
+		if [ "$measured_value" != "$expected_value" ];then
+			tst_res TWARN "$measured_cap: Expected $expected_value, Actual $measured_value"
+			result=0
+		fi
+
+		inx=$(( $inx + 1 ))
+	done
+
+	return $result
+}
+
+#
+# Trigger measurement of selinux constructs and verify that
+# the measured selinux state matches the current selinux
+# configuration.
+#
+test1()
+{
+	local measured_data state_file="$TST_TMPDIR/selinux_state.txt"
+	local digest expected_digest algorithm
+	local enforced_value expected_enforced_value
+	local checkreqprot_value expected_checkreqprot_value
+	local data_source_name="selinux"
+	local pattern="data_sources=[^[:space:]]*$data_source_name"
+	local tmp_file="$TST_TMPDIR/selinux_state_tmp_file.txt"
+
+	tst_res TINFO "Verifying selinux state measurement"
+
+	check_policy_pattern "$pattern" $FUNC_CRITICAL_DATA $TEMPLATE_BUF > $tmp_file || return
+
+	#
+	# Trigger a measurement by changing selinux state
+	#
+	update_selinux_state
+
+	#
+	# Verify selinux state is measured and then validate the measured
+	# state matches that currently set for selinux
+	#
+	line=$(grep -E "selinux-state" $ASCII_MEASUREMENTS | tail -1)
+	if [ -z "$line" ]; then
+		tst_res TFAIL "selinux state not measured"
+		return
+	fi
+
+	digest=$(echo "$line" | cut -d' ' -f4 | cut -d':' -f2)
+	algorithm=$(echo "$line" | cut -d' ' -f4 | cut -d':' -f1)
+
+	echo "$line" | cut -d' ' -f6 | xxd -r -p > $state_file
+
+	expected_digest="$(compute_digest $algorithm $state_file)" || \
+	tst_brk TCONF "cannot compute digest for $algorithm"
+
+	if [ "$digest" != "$expected_digest" ]; then
+		tst_res TFAIL "Digest mismatch. Expected $expected_digest, Actual $digest"
+		return
+	fi
+
+	measured_data=$(cat $state_file)
+
+	enforced_value=$(echo $measured_data | awk -F'[=;]' '{print $6}')
+	expected_enforced_value=$(cat $SELINUX_FOLDER/enforce)
+	if [ "$expected_enforced_value" != "$enforced_value" ];then
+		tst_res TFAIL "enforce: Expected $expected_enforced_value, Actual $enforced_value"
+		return
+	fi
+
+	checkreqprot_value=$(echo $measured_data | awk -F'[=;]' '{print $8}')
+	expected_checkreqprot_value=$(cat $SELINUX_FOLDER/checkreqprot)
+	if [ "$expected_checkreqprot_value" != "$checkreqprot_value" ];then
+		tst_res TFAIL "checkreqprot. Expected $expected_checkreqprot_value, Actual $checkreqprot_value"
+		return
+	fi
+
+	validate_policy_capabilities $measured_data
+	result=$?
+	if [ $result = 0 ]; then
+		tst_res TFAIL "Policy capabilities did not match"
+		return
+	fi
+
+	tst_res TPASS "selinux state measured correctly"
+}
+
+tst_run
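Review bot: validate_policy_capabilities inverts the usual shell convention: `result=1` is returned for success and 0 for a mismatch, and test1 then tests `[ $result = 0 ]` to detect failure. Returning 0 on success and non-zero on mismatch, with `if ! validate_policy_capabilities "$measured_data"; then` in test1, removes the double negative. The loop `inx=9` / `while [ $inx -lt 22 ]` pins the record to exactly the seven capabilities listed in the format comment above the function: a kernel that adds a capability has it silently skipped, and one that renames or drops one makes `cat "$SELINUX_FOLDER/policy_capabilities/$measured_cap"` fail on a missing file. Iterating over the measured fields until awk returns an empty name, or over `$SELINUX_FOLDER/policy_capabilities/*` and looking each name up in the measured string, keeps the test valid across kernel versions. As in the policy test, `line` and `result` are not declared `local`, `$1` and `$measured_data` are passed unquoted, and the `tst_brk TCONF` continuation line is not indented like its counterpart in ima_selinux_policy.sh.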
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
index 2841d7df5..1d7dca086 100644
--- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
@@ -186,6 +186,33 @@ require_ima_policy_cmdline()
 	tst_brk TCONF "IMA measurement tests require builtin IMA $policy policy (e.g. ima_policy=$policy kernel parameter)"
 }
 
+#
+# Update selinux state. This is used for validating IMA
+# measurement of selinux constructs.
+#
+update_selinux_state()
+{
+	local cur_val new_val
+
+	cur_val=$(cat $SELINUX_FOLDER/checkreqprot)
+
+	if [ $cur_val = 1 ]; then
+		new_val=0
+	else
+		new_val=1
+	fi
+
+	echo $new_val > $SELINUX_FOLDER/checkreqprot
+}
+
+#
+# Verify selinux is enabled in the system
+#
+check_selinux_state()
+{
+	[ -d $SELINUX_FOLDER ] || tst_brk TCONF "selinux is not enabled"
+}
+
 mount_helper()
 {
 	local type="$1"
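Review bot: update_selinux_state flips `$SELINUX_FOLDER/checkreqprot` and nothing writes the old value back, so after either test the system keeps the toggled setting; since checkreqprot=1 is the weaker of the two (SELinux then checks the protection the caller requested rather than the one the kernel actually applies), the original value should be saved in setup and restored from a TST_CLEANUP function, and the helper should not toggle blindly when the file is not writable. `[ $cur_val = 1 ]` needs `"$cur_val"` quoted, otherwise a failed read produces a syntax error rather than a clear TCONF. check_selinux_state only tests `-d $SELINUX_FOLDER`; testing for a file such as `$SELINUX_FOLDER/enforce` also covers the mount point existing while selinuxfs is not mounted, and the message would more accurately read "selinuxfs not available".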
@@ -238,6 +265,7 @@ ima_setup()
 	ASCII_MEASUREMENTS="$IMA_DIR/ascii_runtime_measurements"
 	BINARY_MEASUREMENTS="$IMA_DIR/binary_runtime_measurements"
 	IMA_POLICY="$IMA_DIR/policy"
+	SELINUX_FOLDER="$SYSFS/fs/selinux"
 
 	# hack to support running tests locally from ima/tests directory
 	if [ ! -d "$TST_DATAROOT" ]; then
-- 
2.28.0
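The record-level checks both tests perform (recompute the digest over the decoded ima-buf field, then compare the selinux-state string field by field), as an added standalone example that is not part of this patch or of LTP. The record line is constructed (its template-hash field is a placeholder), and the state string is parsed by key rather than by fixed awk offsets, so it also handles a kernel that adds or reorders policy capabilities.

```python
"""Parse and verify an IMA 'ima-buf' record for the selinux-state event.

Added example, not LTP code.  The record below is constructed; only the
algo:digest field and the buffer are computed, the template hash is a
placeholder.
"""
import hashlib

# ascii_runtime_measurements layout for the ima-buf template (the LTP scripts
# use `cut -f4` for algo:digest and `cut -f6` for the hex buffer):
#   <pcr> <template-hash> <template-name> <algo>:<digest> <event-name> <hex-buf>

# Constructed selinux-state buffer, following the format comment in
# ima_selinux_state.sh (eleven key=value; entries, seven of them capabilities).
SAMPLE_STATE = (b"initialized=1;enabled=1;enforcing=0;checkreqprot=1;"
                b"network_peer_controls=1;open_perms=1;extended_socket_class=1;"
                b"always_check_network=0;cgroup_seclabel=1;"
                b"nnp_nosuid_transition=1;genfs_seclabel_symlinks=0;")

# Expected values as they would be read from /sys/fs/selinux (constructed).
SAMPLE_EXPECTED = {"enforcing": 0, "checkreqprot": 1,
                   "network_peer_controls": 1, "open_perms": 1,
                   "extended_socket_class": 1, "always_check_network": 0,
                   "cgroup_seclabel": 1, "nnp_nosuid_transition": 1,
                   "genfs_seclabel_symlinks": 0}


def make_record(buf, event="selinux-state", algo="sha256", pcr=10):
    """Build one ascii_runtime_measurements line for a buffer (constructed;
    the template hash is a placeholder, not IMA's real sha1 of the fields)."""
    digest = hashlib.new(algo, buf).hexdigest()
    template_hash = "0" * 40
    return "%d %s ima-buf %s:%s %s %s" % (pcr, template_hash, algo, digest,
                                          event, buf.hex())


SAMPLE_RECORD = make_record(SAMPLE_STATE)


def parse_record(line):
    """Split one ima-buf line into its six fields and decode the hex buffer."""
    fields = line.split()
    if len(fields) != 6 or fields[2] != "ima-buf":
        raise ValueError("not an ima-buf record: %r" % line)
    algo, _, digest = fields[3].partition(":")
    return {"pcr": int(fields[0]), "template_hash": fields[1], "algo": algo,
            "digest": digest, "event": fields[4],
            "buf": bytes.fromhex(fields[5])}


def digest_matches(rec):
    """Recompute <algo> over the decoded buffer and compare with what IMA
    logged; this is the check the scripts delegate to compute_digest."""
    try:
        h = hashlib.new(rec["algo"])
    except ValueError:
        return False            # algorithm unknown on this host (TCONF case)
    h.update(rec["buf"])
    return h.hexdigest() == rec["digest"]


def parse_selinux_state(buf):
    """'k=v;k=v;...' -> {k: int(v)}.  Entries are discovered by name, not by
    position, so a kernel that adds or reorders capabilities still parses."""
    state = {}
    for item in buf.rstrip(b"\0").decode("ascii").split(";"):
        if not item:
            continue
        key, sep, value = item.partition("=")
        if not sep or not key or value not in ("0", "1"):
            raise ValueError("malformed state entry: %r" % item)
        state[key] = int(value)
    return state


def check_state(rec, expected):
    """Return mismatch messages (an empty list means the measured state agrees
    with the expected values); a key absent from the record is reported as None."""
    state = parse_selinux_state(rec["buf"])
    mismatches = []
    for key, want in expected.items():
        got = state.get(key)
        if got != want:
            mismatches.append("%s: expected %s, measured %s" % (key, want, got))
    return mismatches


def verify_record(line, expected):
    """Full check for one line: event name, digest, then field comparison.
    Returns (ok, detail)."""
    rec = parse_record(line)
    if rec["event"] != "selinux-state":
        return False, "unexpected event %s" % rec["event"]
    if not digest_matches(rec):
        return False, "digest mismatch for %s" % rec["algo"]
    mismatches = check_state(rec, expected)
    if mismatches:
        return False, "; ".join(mismatches)
    return True, "selinux state measured correctly"


if __name__ == "__main__":
    print(verify_record(SAMPLE_RECORD, SAMPLE_EXPECTED))
```

On a real system the line comes from `/sys/kernel/security/ima/ascii_runtime_measurements` and the expected values from the files under `/sys/fs/selinux`.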

* Re: [PATCH v1 0/1] ima: Add test for selinux measurement
From: Petr Vorel @ 2020-09-29  5:23 UTC (permalink / raw)
  To: Lakshmi Ramasubramanian
  Cc: zohar, stephen.smalley.work, paul, tusharsu, ltp, linux-integrity

Hi Lakshmi,

Thanks for your patch. FYI I'll try to have a look ASAP, but as there is an LTP
freeze and work needed to review fixes before the release, I'll probably review this
after the release (1, max. 2 weeks).

Could you please have a look at the fix planned to be part of the release?
https://patchwork.ozlabs.org/project/ltp/list/?series=204230

Kind regards,
Petr

> New functionality is being added to IMA to measure data provided by
> kernel components. With this feature, IMA policy can be set to enable
> measuring data provided by Linux Security Modules (LSM). Currently one
> such LSM namely selinux is being updated to use this functionality.
> This new functionality needs test automation in LTP.

> This patch set adds tests which verify that the IMA subsystem correctly
> measures the data provided by selinux.

> This patch is based on 
> commit 286401a1c1f3 ("thp04: Add linux tag")
> in "master" branch in https://github.com/linux-test-project/ltp

> This patch is dependent on the following patch series in LTP
> https://patchwork.kernel.org/patch/11802771/
I put a link to the LTP patchwork to avoid confusion.
https://patchwork.ozlabs.org/project/ltp/list/?series=204486

> This series needs a kernel built on the following repo/branch/patches:
> repo: https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git
> branch: next
> commit 8861d0af642c ("selinux: Add helper functions to get and set checkreqprot")
Thanks for adding this info. It'd be great if it were part of kernel commit
message and also added as a comment in the test itself (we don't want to get it
lost).

BTW LTP has 2 ways of handling kernel versions:

* fixes which are meant to be backported to the stable trees:
In the C API it looks like this (here also with a CVE entry):
https://github.com/linux-test-project/ltp/blob/master/testcases/kernel/syscalls/bpf/bpf_prog03.c#L187
.tags = (const struct tst_tag[]) {
		{"linux-git", "95a762e2c8c9"},
		{"CVE", "2017-16995"},
		{}
This is not part of the shell API, but I'll add it after the release. Thus we don't
want to lose this info.

* new kernel features, which are likely not to be backported:
You either have some way to detect that the feature is present (ideally) or you
specify the kernel version since which the test should be run.
This is used in the shell API as:
https://github.com/linux-test-project/ltp/blob/master/testcases/network/tcp_cc/bbr02.sh#L8
TST_MIN_KVER="4.13"

> And the following patch series should be applied in the following order:
>   1, https://patchwork.kernel.org/patch/11709527/
>   2, https://patchwork.kernel.org/patch/11795559/
>   3, https://patchwork.kernel.org/patch/11801525/
>   4, https://patchwork.kernel.org/patch/11801585/

Kind regards,
Petr


* Re: [PATCH v1 0/1] ima: Add test for selinux measurement
  2020-09-29  5:23   ` [LTP] " Petr Vorel
@ 2020-09-30 14:26     ` Lakshmi Ramasubramanian
  -1 siblings, 0 replies; 16+ messages in thread
From: Lakshmi Ramasubramanian @ 2020-09-30 14:26 UTC (permalink / raw)
  To: Petr Vorel
  Cc: zohar, stephen.smalley.work, paul, tusharsu, ltp, linux-integrity

On 9/28/20 10:23 PM, Petr Vorel wrote:
> Hi Lakshmi,
> 
> Thanks for your patch. FYI I'll try to have a look ASAP, but as there is an LTP
> freeze and work needed to review fixes before the release, I'll probably review this
> after the release (1, max. 2 weeks).
> 
> Could you please have a look at the fix planned to be part of the release?
> https://patchwork.ozlabs.org/project/ltp/list/?series=204230
> 

Will do Petr.

> 
>> New functionality is being added to IMA to measure data provided by
>> kernel components. With this feature, IMA policy can be set to enable
>> measuring data provided by Linux Security Modules (LSM). Currently one
>> such LSM namely selinux is being updated to use this functionality.
>> This new functionality needs test automation in LTP.
> 
>> This patch set adds tests which verify that the IMA subsystem correctly
>> measures the data provided by selinux.
> 
>> This patch is based on
>> commit 286401a1c1f3 ("thp04: Add linux tag")
>> in "master" branch in https://github.com/linux-test-project/ltp
> 
>> This patch is dependent on the following patch series in LTP
>> https://patchwork.kernel.org/patch/11802771/
> I put a link to the LTP patchwork to avoid confusion:
> https://patchwork.ozlabs.org/project/ltp/list/?series=204486

Thanks. On the next update I'll add the LTP patchwork URL.

> 
>> This series needs a kernel built on the following repo/branch/patches:
>> repo: https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git
>> branch: next
>> commit 8861d0af642c ("selinux: Add helper functions to get and set checkreqprot")
> Thanks for adding this info. It'd be great if it were part of the kernel commit
> message and also added as a comment in the test itself (we don't want it to get
> lost).
> 
> BTW LTP has 2 ways of handling kernel versions:
> 
> * fixes which are meant to be backported to the stable trees:
> In the C API it looks like this (here also with a CVE entry):
> https://github.com/linux-test-project/ltp/blob/master/testcases/kernel/syscalls/bpf/bpf_prog03.c#L187
> .tags = (const struct tst_tag[]) {
> 		{"linux-git", "95a762e2c8c9"},
> 		{"CVE", "2017-16995"},
> 		{}
> This is not part of the shell API, but I'll add it after the release. Thus we don't
> want to lose this info.
> 
> * new kernel features, which are likely not to be backported
> You either have some way to detect that the feature is present (ideally) or you
> specify the kernel version since which it should be run.
> This is used in the shell API as:
> https://github.com/linux-test-project/ltp/blob/master/testcases/network/tcp_cc/bbr02.sh#L8
> TST_MIN_KVER="4.13"

Thanks for the info.

  -lakshmi

> 
>> And the following patch series should be applied in the following order:
>>    1, https://patchwork.kernel.org/patch/11709527/
>>    2, https://patchwork.kernel.org/patch/11795559/
>>    3, https://patchwork.kernel.org/patch/11801525/
>>    4, https://patchwork.kernel.org/patch/11801585/
> 



* Re: [PATCH v1 1/1] ima: Add test for selinux measurement
  2020-09-28 19:47   ` [LTP] " Lakshmi Ramasubramanian
@ 2020-12-18 18:37     ` Petr Vorel
  -1 siblings, 0 replies; 16+ messages in thread
From: Petr Vorel @ 2020-12-18 18:37 UTC (permalink / raw)
  To: Lakshmi Ramasubramanian
  Cc: zohar, stephen.smalley.work, paul, tusharsu, ltp, linux-integrity

Hi Lakshmi, Mimi, all,

@Lakshmi
TL;DR: I added some fixes in my fork, branch ima/selinux.v2.draft,
https://github.com/pevik/ltp/commits/ima/selinux.v2.draft

+ added 3 additional commits, one of them with you as the author.
I moved some functions to testcases/lib/tst_security.sh, renamed them.
Can you please have a look and test? I don't have any SELinux machine.

@Mimi, all: any comments on this test? My changes are just LTP cleanup,
so you can comment on it in this patchset.
I suppose you'll get to this in January.

Some notes for my changes:

As the files are quite similar (checks etc.), I put both tests into a single
file ima_selinux.sh.

> New functionality is being added to IMA to measure data provided by
> kernel components. With this feature, IMA policy can be set to enable
> measuring data provided by Linux Security Modules (LSM). Currently one
> such LSM namely selinux is being updated to use this functionality.
> This new functionality needs test automation in LTP.

> Add test cases which verify that the IMA subsystem correctly measures
> the data provided by selinux.

Could you please put the kernel commit hash relevant for the test into the commit
message and the test. Is that 8861d0af642c646c8e148ce34c294bdef6f32f6a (merged into
v5.10-rc1) or are there more relevant commits?

...
> +### IMA SELinux test
> +
> +To enable IMA to measure SELinux state and policy, `ima_selinux_policy.sh`
> +and `ima_selinux_state.sh` require a readable IMA policy, as well as
> +a loaded measure policy with
> +`measure func=CRITICAL_DATA data_sources=selinux template=ima-buf`
I put this into
testcases/kernel/security/integrity/ima/datafiles/ima_selinux/selinux.policy
and mention it in the docs.

> +test1()
> +{
> +	local policy_digest expected_policy_digest algorithm
> +	local data_source_name="selinux"
> +	local pattern="data_sources=[^[:space:]]*$data_source_name"
> +	local tmp_file="$TST_TMPDIR/selinux_policy_tmp_file.txt"
> +
> +	check_policy_pattern "$pattern" $FUNC_CRITICAL_DATA $TEMPLATE_BUF > $tmp_file || return
> +
> +	tst_res TINFO "Verifying selinux policy measurement"
> +
> +	#
> +	# Trigger a measurement by changing selinux state
> +	#
> +	update_selinux_state
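Review bot: the pattern built at `local pattern="data_sources=[^[:space:]]*$data_source_name"` is open-ended on both sides of the name, so it also matches a rule whose data_sources value merely contains the string (a rule listing only `selinux_other`, or any name ending in `selinux`, would satisfy it) instead of one that lists `selinux` as a whole, comma-separated entry; anchoring the name, e.g. `data_sources=([^[:space:]]*,)?$data_source_name(,|[[:space:]]|$)` if check_policy_pattern feeds it to `grep -E` (adjust to whatever flavour it actually uses), makes the lookup select only rules that really name this source. Also `$tmp_file` and `$TST_TMPDIR` are expanded unquoted in the redirection and the `local` assignment; quoting them keeps the test working if the temp dir path ever contains spaces.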
Here I used tst_update_selinux_state.

...
> --- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh

> +#
> +# Update selinux state. This is used for validating IMA
> +# measurement of selinux constructs.
> +#
> +update_selinux_state()
> +{
> +	local cur_val new_val
> +
> +	cur_val=$(cat $SELINUX_FOLDER/checkreqprot)
> +
> +	if [ $cur_val = 1 ]; then
> +		new_val=0
> +	else
> +		new_val=1
> +	fi
> +
> +	echo $new_val > $SELINUX_FOLDER/checkreqprot
> +}
> +
> +#
> +# Verify selinux is enabled in the system
> +#
> +check_selinux_state()
> +{
> +	[ -d $SELINUX_FOLDER ] || tst_brk TCONF "selinux is not enabled"
> +}
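Review bot: update_selinux_state() toggles checkreqprot but nothing records the original value or restores it, so after the run the system is left with a checkreqprot setting different from the one the administrator configured; suggest saving cur_val in a variable that a cleanup function writes back. The write `echo $new_val > $SELINUX_FOLDER/checkreqprot` is also unchecked, so if it fails the test goes on to look for a measurement that was never triggered (`|| tst_brk TBROK "cannot write checkreqprot"` would surface that), and `[ $cur_val = 1 ]` should quote `"$cur_val"` so that an empty read (cat failing) gives a clean comparison rather than a syntax error. check_selinux_state() only tests that the directory exists, while what the helper really depends on is a readable and writable $SELINUX_FOLDER/checkreqprot; checking that file instead (`[ -w $SELINUX_FOLDER/checkreqprot ] || tst_brk TCONF ...`) matches the actual requirement.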

As I mentioned above, this is not needed as I put them under different names in
testcases/lib/tst_security.sh.

>  mount_helper()
>  {
>  	local type="$1"
> @@ -238,6 +265,7 @@ ima_setup()
>  	ASCII_MEASUREMENTS="$IMA_DIR/ascii_runtime_measurements"
>  	BINARY_MEASUREMENTS="$IMA_DIR/binary_runtime_measurements"
>  	IMA_POLICY="$IMA_DIR/policy"
> +	SELINUX_FOLDER="$SYSFS/fs/selinux"

nit: I renamed it to $SELINUX_DIR (for consistency with $IMA_DIR)
and moved it to ima_selinux.sh.

Kind regards,
Petr

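Added example, not code from the patch or from LTP: a stand-alone POSIX shell version of the two checks the test flow discussed above performs (look up the CRITICAL_DATA rule in the IMA policy, then verify the ima-buf entries in the measurement log by re-hashing the recorded buffer), run offline on constructed input. The event names selinux-state and selinux-policy-hash, the template digests and the buffers are assumptions made up for the example; the strict rule regex is the anchored form of the test1() pattern, and the loose variant is kept beside it for comparison.

```shell
#!/bin/sh
# Added example (not LTP code): stand-alone versions of the two checks the
# ima_selinux test flow performs, runnable offline on constructed input:
#  1. ima_policy_has_rule: does the IMA policy carry a "measure
#     func=CRITICAL_DATA" rule whose data_sources list names the source?
#  2. ima_verify_buf_entries: re-hash each ima-buf entry's hex buffer for
#     an event name and compare it with the digest the kernel recorded.
# Real inputs: $SYSFS/kernel/security/ima/{policy,ascii_runtime_measurements}.

# Decode a hex string to raw bytes with POSIX printf only (no xxd needed).
hex_to_bin() {
    local h=$1 rest pair oct
    case $h in *[!0-9a-fA-F]*) return 1 ;; esac
    [ $((${#h} % 2)) -eq 0 ] || return 1
    while [ -n "$h" ]; do
        rest=${h#??}
        pair=${h%"$rest"}
        h=$rest
        oct=$(printf '%03o' "$((0x$pair))")
        printf "\\$oct"
    done
}

# Strict match: $2 must be a whole, comma-separated name in data_sources=,
# so "selinux" does not accept a rule that only lists "selinux_other".
ima_policy_has_rule() {
    local policy_file=$1 source=$2
    grep -E '^measure ' "$policy_file" \
        | grep -E '(^|[[:space:]])func=CRITICAL_DATA([[:space:]]|$)' \
        | grep -qE "data_sources=([^[:space:]]*,)?$source(,|[[:space:]]|$)"
}

# The open-ended pattern from the posted test1(), kept for comparison:
# any non-space run may precede the name and nothing is required after it.
ima_policy_has_rule_loose() {
    grep -qE "data_sources=[^[:space:]]*$2" "$1"
}

# Verify every ima-buf entry for event $2 in log $1. Line layout (ima-buf):
#   PCR template-digest ima-buf <algo>:<digest> <event-name> <hex-buffer>
# Returns 0 only if at least one entry exists and every digest matches.
ima_verify_buf_entries() {
    local log_file=$1 event=$2 found=0 bad=0
    local pcr tmpl_digest template digest name buf algo expected actual
    while read -r pcr tmpl_digest template digest name buf; do
        [ "$template" = ima-buf ] && [ "$name" = "$event" ] || continue
        found=$((found + 1))
        algo=${digest%%:*}
        expected=${digest#*:}
        case $algo in
            sha1|sha256|sha512)
                actual=$(hex_to_bin "$buf" | "${algo}sum" | cut -d' ' -f1) ;;
            *)  echo "PCR $pcr $name: unsupported digest algorithm '$algo'"
                bad=$((bad + 1)); continue ;;
        esac
        if [ "$actual" = "$expected" ]; then
            echo "PCR $pcr $name: $algo digest verified"
        else
            echo "PCR $pcr $name: MISMATCH recorded $expected, buffer hashes to $actual"
            bad=$((bad + 1))
        fi
    done < "$log_file"
    [ "$found" -gt 0 ] && [ "$bad" -eq 0 ]
}

# Constructed sample policy and measurement log (not captured from a real
# machine). The buffer "abc" (hex 616263) has well-known SHA-256/SHA-1 digests.
ima_example_setup() {
    local dir
    dir=$(mktemp -d)
    cat > "$dir/policy" <<'EOF'
measure func=BPRM_CHECK
measure func=CRITICAL_DATA data_sources=selinux_other
measure func=CRITICAL_DATA data_sources=foo,selinux template=ima-buf
EOF
    cat > "$dir/measurements" <<'EOF'
10 0000000000000000000000000000000000000001 ima-ng sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 /usr/bin/true
10 0000000000000000000000000000000000000002 ima-buf sha256:ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad selinux-state 616263
10 0000000000000000000000000000000000000003 ima-buf sha1:a9993e364706816aba3e25717850c26c9cd0d89d selinux-policy-hash 616263
EOF
    printf '%s\n' "$dir"
}

ima_selinux_demo() {
    local dir
    dir=$(ima_example_setup)
    if ima_policy_has_rule "$dir/policy" selinux; then
        echo "policy: CRITICAL_DATA rule for selinux present"
    else
        echo "policy: no CRITICAL_DATA rule for selinux (TCONF in LTP terms)"
    fi
    ima_verify_buf_entries "$dir/measurements" selinux-state
    # Same log with the buffer altered but the recorded digest kept.
    sed 's/616263/616264/' "$dir/measurements" > "$dir/tampered"
    ima_verify_buf_entries "$dir/tampered" selinux-state \
        || echo "tampered log rejected as expected"
    rm -rf "$dir"
}
ima_selinux_demo
```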

* Re: [PATCH v1 1/1] ima: Add test for selinux measurement
  2020-12-18 18:37     ` [LTP] " Petr Vorel
@ 2020-12-22 18:37       ` Lakshmi Ramasubramanian
  -1 siblings, 0 replies; 16+ messages in thread
From: Lakshmi Ramasubramanian @ 2020-12-22 18:37 UTC (permalink / raw)
  To: Petr Vorel
  Cc: zohar, stephen.smalley.work, paul, tusharsu, ltp, linux-integrity

On 12/18/20 10:37 AM, Petr Vorel wrote:

Hi Petr,

> 
> @Lakshmi
> TL;DR: I added some fixes in my fork, branch ima/selinux.v2.draft,
> https://github.com/pevik/ltp/commits/ima/selinux.v2.draft
> 
> + added 3 additional commits, one of them as you as the author.
> I moved some functions to testcases/lib/tst_security.sh, renamed them.
> Can you please have a look and test? I don't have any SELinux machine.

I'll take a look at the changes in your branch and test it with SELinux 
enabled.

> 
> @Mimi, all: any comment to this test? My changes are just LTP cleanup
> so you can comment it on this patchset.
> I suppose you get to this in January.
> 
> Some notes for my changes:
> 
> As files are quite similar (checks etc), I put both tests into single
> file ima_selinux.sh.
This should be fine.

The reason I put the tests in different files was because I couldn't 
find a way to run the tests independently (I mean, say, run the SELinux 
policy measurement test but not the state measurement test or vice versa).

> 
>> New functionality is being added to IMA to measure data provided by
>> kernel components. With this feature, IMA policy can be set to enable
>> measuring data provided by Linux Security Modules (LSM). Currently one
>> such LSM namely selinux is being updated to use this functionality.
>> This new functionality needs test automation in LTP.
> 
>> Add test cases which verify that the IMA subsystem correctly measures
>> the data provided by selinux.
> 
> Could you please put into commit message and test kernel commit hash relevant
> for the test. Is that 8861d0af642c646c8e148ce34c294bdef6f32f6a (merged into
> v5.10-rc1) or there are more relevant commits?

The IMA hook to measure kernel critical data + SELinux measurement 
changes are still being reviewed. Tushar has posted v9 of the patch set.

> 
> ...
>> +### IMA SELinux test
>> +
>> +To enable IMA to measure SELinux state and policy, `ima_selinux_policy.sh`
>> +and `ima_selinux_state.sh` require a readable IMA policy, as well as
>> +a loaded measure policy with
>> +`measure func=CRITICAL_DATA data_sources=selinux template=ima-buf`
> I put this into
> testcases/kernel/security/integrity/ima/datafiles/ima_selinux/selinux.policy
> and mention it in docs.
Sounds good - Thanks.

"template=ima_buf" is no longer needed in the IMA policy rule since 
"ima_buf" is the default template for buffer measurement now. I will 
update "datafiles/ima_selinux/selinux.policy" file.

> 
>> +test1()
>> +{
>> +	local policy_digest expected_policy_digest algorithm
>> +	local data_source_name="selinux"
>> +	local pattern="data_sources=[^[:space:]]*$data_source_name"
>> +	local tmp_file="$TST_TMPDIR/selinux_policy_tmp_file.txt"
>> +
>> +	check_policy_pattern "$pattern" $FUNC_CRITICAL_DATA $TEMPLATE_BUF > $tmp_file || return
>> +
>> +	tst_res TINFO "Verifying selinux policy measurement"
>> +
>> +	#
>> +	# Trigger a measurement by changing selinux state
>> +	#
>> +	update_selinux_state
> Here I used tst_update_selinux_state.
okay.

> 
> ...
>> --- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
> 
>> +#
>> +# Update selinux state. This is used for validating IMA
>> +# measurement of selinux constructs.
>> +#
>> +update_selinux_state()
>> +{
>> +	local cur_val new_val
>> +
>> +	cur_val=$(cat $SELINUX_FOLDER/checkreqprot)
>> +
>> +	if [ $cur_val = 1 ]; then
>> +		new_val=0
>> +	else
>> +		new_val=1
>> +	fi
>> +
>> +	echo $new_val > $SELINUX_FOLDER/checkreqprot
>> +}
>> +
>> +#
>> +# Verify selinux is enabled in the system
>> +#
>> +check_selinux_state()
>> +{
>> +	[ -d $SELINUX_FOLDER ] || tst_brk TCONF "selinux is not enabled"
>> +}
> 
> As I mentioned above, this is not needed as I put them under different names in
> testcases/lib/tst_security.sh.
okay.

> 
>>   mount_helper()
>>   {
>>   	local type="$1"
>> @@ -238,6 +265,7 @@ ima_setup()
>>   	ASCII_MEASUREMENTS="$IMA_DIR/ascii_runtime_measurements"
>>   	BINARY_MEASUREMENTS="$IMA_DIR/binary_runtime_measurements"
>>   	IMA_POLICY="$IMA_DIR/policy"
>> +	SELINUX_FOLDER="$SYSFS/fs/selinux"
> 
> nit: I renamed it to $SELINUX_DIR (for consistency with $IMA_DIR)
> and moved to ima_selinux.sh.
okay.

Thanks a lot for your help Petr. Appreciate it.

  -lakshmi


* Re: [PATCH v1 1/1] ima: Add test for selinux measurement
  2020-12-22 18:37       ` [LTP] " Lakshmi Ramasubramanian
@ 2020-12-22 19:50         ` Petr Vorel
  -1 siblings, 0 replies; 16+ messages in thread
From: Petr Vorel @ 2020-12-22 19:50 UTC (permalink / raw)
  To: Lakshmi Ramasubramanian
  Cc: zohar, stephen.smalley.work, paul, tusharsu, ltp, linux-integrity

Hi Lakshmi,

> On 12/18/20 10:37 AM, Petr Vorel wrote:

> Hi Petr,

> > @Lakshmi
> > TL;DR: I added some fixes in my fork, branch ima/selinux.v2.draft,
> > https://github.com/pevik/ltp/commits/ima/selinux.v2.draft

> > + added 3 additional commits, one of them as you as the author.
> > I moved some functions to testcases/lib/tst_security.sh, renamed them.
> > Can you please have a look and test? I don't have any SELinux machine.

> I'll take a look at the changes in your branch and test it with SELinux
> enabled.
Thanks!

> > @Mimi, all: any comment to this test? My changes are just LTP cleanup
> > so you can comment it on this patchset.
> > I suppose you get to this in January.

> > Some notes for my changes:

> > As files are quite similar (checks etc), I put both tests into single
> > file ima_selinux.sh.
> This should be fine.

> The reason I put the tests in different files was because I couldn't find a
> way to run the tests independently (I mean, say, run the SELinux policy
> measurement test but not the state measurement test or vice versa).

Why do you need to run just one of them?
If you really need to separate them (e.g. to require a different OS setup for
each) you could have 2 functions in a single file, but run only one of them
(TST_CNT not set, which means TST_CNT=1), doing the selection with a getopt switch?
https://github.com/linux-test-project/ltp/wiki/Test-Writing-Guidelines#233-optional-command-line-parameters

> > > New functionality is being added to IMA to measure data provided by
> > > kernel components. With this feature, IMA policy can be set to enable
> > > measuring data provided by Linux Security Modules (LSM). Currently one
> > > such LSM namely selinux is being updated to use this functionality.
> > > This new functionality needs test automation in LTP.

> > > Add test cases which verify that the IMA subsystem correctly measures
> > > the data provided by selinux.

> > Could you please put into commit message and test kernel commit hash relevant
> > for the test. Is that 8861d0af642c646c8e148ce34c294bdef6f32f6a (merged into
> > v5.10-rc1) or there are more relevant commits?

> The IMA hook to measure kernel critical data + SELinux measurement changes
> are still being reviewed. Tushar has posted v9 of the patch set.
Thanks for the info (note for myself:
https://lore.kernel.org/linux-integrity/20201212180251.9943-1-tusharsu@linux.microsoft.com/)
OK, not yet merged to mainline. It's good you send patches early (it speeds up the
inclusion into LTP), but we should merge them into LTP once it's at least
already in Mimi's tree prepared for sending to Linus.

Feel free to Cc me in your next kernel patches (it *can* help to speed up the inclusion into LTP).

> > ...
> > > +### IMA SELinux test
> > > +
> > > +To enable IMA to measure SELinux state and policy, `ima_selinux_policy.sh`
> > > +and `ima_selinux_state.sh` require a readable IMA policy, as well as
> > > +a loaded measure policy with
> > > +`measure func=CRITICAL_DATA data_sources=selinux template=ima-buf`
> > I put this into
> > testcases/kernel/security/integrity/ima/datafiles/ima_selinux/selinux.policy
> > and mention it in docs.
> Sounds good - Thanks.

> "template=ima_buf" is no longer needed in the IMA policy rule since
> "ima_buf" is the default template for buffer measurement now. I will update
> "datafiles/ima_selinux/selinux.policy" file.

+1

...

> Thanks a lot for your help Petr. Appreciate it.
yw, thanks for your contributions.

>  -lakshmi
Petr


* Re: [PATCH v1 1/1] ima: Add test for selinux measurement
  2020-12-22 19:50         ` [LTP] " Petr Vorel
@ 2020-12-22 21:05           ` Lakshmi Ramasubramanian
  -1 siblings, 0 replies; 16+ messages in thread
From: Lakshmi Ramasubramanian @ 2020-12-22 21:05 UTC (permalink / raw)
  To: Petr Vorel
  Cc: zohar, stephen.smalley.work, paul, tusharsu, ltp, linux-integrity

On 12/22/20 11:50 AM, Petr Vorel wrote:

> 
>>> @Lakshmi
>>> TL;DR: I added some fixes in my fork, branch ima/selinux.v2.draft,
>>> https://github.com/pevik/ltp/commits/ima/selinux.v2.draft
> 
>>> + added 3 additional commits, one of them as you as the author.
>>> I moved some functions to testcases/lib/tst_security.sh, renamed them.
>>> Can you please have a look and test? I don't have any SELinux machine.
> 
>> I'll take a look at the changes in your branch and test it with SELinux
>> enabled.
> Thanks!
> 
>>> @Mimi, all: any comment to this test? My changes are just LTP cleanup
>>> so you can comment it on this patchset.
>>> I suppose you get to this in January.
> 
>>> Some notes for my changes:
> 
>>> As files are quite similar (checks etc), I put both tests into single
>>> file ima_selinux.sh.
>> This should be fine.
> 
>> The reason I put the tests in different files was because I couldn't find a
>> way to run the tests independently (I mean, say, run the SELinux policy
>> measurement test but not the state measurement test or vice versa).
> 
> Why do you need to run just one of them?
> If you really need to separate them (e.g. to require different OS setup for
> each) you could have 2 functions in single file, but run only one of them
> (TST_CNT not set, which means TST_CNT=1), doing selection with getopt switch?
> https://github.com/linux-test-project/ltp/wiki/Test-Writing-Guidelines#233-optional-command-line-parameters

This is good to know Petr. Thanks for the info.

> 
>>>> New functionality is being added to IMA to measure data provided by
>>>> kernel components. With this feature, IMA policy can be set to enable
>>>> measuring data provided by Linux Security Modules (LSM). Currently one
>>>> such LSM namely selinux is being updated to use this functionality.
>>>> This new functionality needs test automation in LTP.
> 
>>>> Add test cases which verify that the IMA subsystem correctly measures
>>>> the data provided by selinux.
> 
>>> Could you please put into commit message and test kernel commit hash relevant
>>> for the test. Is that 8861d0af642c646c8e148ce34c294bdef6f32f6a (merged into
>>> v5.10-rc1) or there are more relevant commits?
> 
>> The IMA hook to measure kernel critical data + SELinux measurement changes
>> are still being reviewed. Tushar has posted v9 of the patch set.
> Thanks for info (note for myself:
> https://lore.kernel.org/linux-integrity/20201212180251.9943-1-tusharsu@linux.microsoft.com/)
> OK, not yet merged to mainline. It's good you send patches early (speed up the
> inclusion to LTP), but we should merge them into LTP once it's at least
> already in Mimi tree prepared for sending to Linus.
> 
> Feel free to Cc me in your next kernel patches (it *can* help to speed up the inclusion to LTP).

Definitely.

> 
>>> ...
>>>> +### IMA SELinux test
>>>> +
>>>> +To enable IMA to measure SELinux state and policy, `ima_selinux_policy.sh`
>>>> +and `ima_selinux_state.sh` require a readable IMA policy, as well as
>>>> +a loaded measure policy with
>>>> +`measure func=CRITICAL_DATA data_sources=selinux template=ima-buf`
>>> I put this into
>>> testcases/kernel/security/integrity/ima/datafiles/ima_selinux/selinux.policy
>>> and mention it in docs.
>> Sounds good - Thanks.
> 
>> "template=ima_buf" is no longer needed in the IMA policy rule since
>> "ima_buf" is the default template for buffer measurement now. I will update
>> "datafiles/ima_selinux/selinux.policy" file.
> 
> +1
> 
> ...
> 
>> Thanks a lot for your help Petr. Appreciate it.
> yw, thanks for your contributions.
> 

thanks,
  -lakshmi
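The layout Petr suggests in the quoted reply (both subtests in one file, with a command-line switch picking which one runs) as an added stand-alone example. This is not code from this thread, from LTP or from the ima_selinux test; a real LTP test would take its option from TST_OPTS/TST_PARSE_ARGS in tst_test.sh, so plain getopts stands in for that here. The IMA policy and measurement-list lines are constructed samples, the "selinux-state" event name and the ima-buf column layout are assumptions, and the digests and buffer bytes are placeholders.

```sh
#!/bin/sh
# Added example, not LTP code: two IMA/SELinux subtests in ONE file, with
# "-t policy" or "-t state" selecting a single one (no switch runs both).

# Constructed sample of the IMA policy as read back from securityfs
# (/sys/kernel/security/ima/policy, one rule per line).  Note that the
# selinux rule carries no "template=ima-buf": it is the default for buffers.
SAMPLE_POLICY='measure func=BPRM_CHECK
measure func=CRITICAL_DATA data_sources=selinux
dont_measure fsmagic=0x9fa0'

# Constructed excerpt of the measurement list
# (/sys/kernel/security/ima/ascii_runtime_measurements).  Assumed column
# layout for ima-buf entries:
#   <pcr> <template-hash> <template> <algo:digest> <event-name> <buffer-hex>
# Digests and buffer bytes are placeholders; "selinux-state" is assumed.
SAMPLE_MEASUREMENTS='10 0000000000000000000000000000000000000000 ima-ng sha256:1111111111111111111111111111111111111111111111111111111111111111 boot_aggregate
10 2222222222222222222222222222222222222222 ima-buf sha256:3333333333333333333333333333333333333333333333333333333333333333 selinux-state 656e61626c65643d313b'

# Subtest 1: the loaded policy must contain a measure rule for selinux
# critical data.  Extra options between the fields (e.g. template=...) are
# accepted, so the rule passes with or without "template=ima-buf".
selinux_policy_rule_loaded() {
	printf '%s\n' "$1" | grep -Eq \
		'^measure[[:space:]]+func=CRITICAL_DATA.*[[:space:]]data_sources=selinux([[:space:]]|$)'
}

# Subtest 2: the measurement list must contain an ima-buf entry whose
# event name is the selinux state record.
selinux_state_measured() {
	printf '%s\n' "$1" | awk '
		$3 == "ima-buf" && $5 == "selinux-state" { found = 1 }
		END { exit !found }'
}

# Entry point: parse "-t policy|state", then run the chosen subtest(s).
# Returns 0 on pass, 1 on a failed check, 2 on an unknown option/selection.
run_selected() {
	OPTIND=1
	sel=all
	while getopts "t:" opt "$@"; do
		case "$opt" in
		t) sel="$OPTARG" ;;
		*) return 2 ;;
		esac
	done

	case "$sel" in
	policy) selinux_policy_rule_loaded "$SAMPLE_POLICY" ;;
	state)  selinux_state_measured "$SAMPLE_MEASUREMENTS" ;;
	all)    selinux_policy_rule_loaded "$SAMPLE_POLICY" &&
	        selinux_state_measured "$SAMPLE_MEASUREMENTS" ;;
	*)      return 2 ;;
	esac
}

# Usage: sh ima_selinux_example.sh            (both subtests)
#        sh ima_selinux_example.sh -t policy  (policy subtest only)
```

On a real system the two sample strings would be replaced by the contents of the two securityfs files, and the subtests would use tst_res/tst_brk instead of plain return codes; the selection logic itself is what the example is meant to show.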





Thread overview: 16+ messages
2020-09-28 19:47 [PATCH v1 0/1] ima: Add test for selinux measurement Lakshmi Ramasubramanian
2020-09-28 19:47 ` [LTP] " Lakshmi Ramasubramanian
2020-09-28 19:47 ` [PATCH v1 1/1] " Lakshmi Ramasubramanian
2020-09-28 19:47   ` [LTP] " Lakshmi Ramasubramanian
2020-12-18 18:37   ` Petr Vorel
2020-12-18 18:37     ` [LTP] " Petr Vorel
2020-12-22 18:37     ` Lakshmi Ramasubramanian
2020-12-22 18:37       ` [LTP] " Lakshmi Ramasubramanian
2020-12-22 19:50       ` Petr Vorel
2020-12-22 19:50         ` [LTP] " Petr Vorel
2020-12-22 21:05         ` Lakshmi Ramasubramanian
2020-12-22 21:05           ` [LTP] " Lakshmi Ramasubramanian
2020-09-29  5:23 ` [PATCH v1 0/1] " Petr Vorel
2020-09-29  5:23   ` [LTP] " Petr Vorel
2020-09-30 14:26   ` Lakshmi Ramasubramanian
2020-09-30 14:26     ` [LTP] " Lakshmi Ramasubramanian
