[PATCH v3 1/2] ima: Align ima_file_mmap() parameters with mmap_file LSM hook

[PATCH v3 1/2] ima: Align ima_file_mmap() parameters with mmap_file LSM hook

[Roberto Sassu]

From: Roberto Sassu <roberto.sassu@huawei.com>

Commit 98de59bfe4b2f ("take calculation of final prot in
security_mmap_file() into a helper") moved the code to update prot, to be
the actual protections applied to the kernel, to a new helper called
mmap_prot().

However, while without the helper ima_file_mmap() was getting the updated
prot, with the helper ima_file_mmap() gets the original prot, which
contains the protections requested by the application.

A possible consequence of this change is that, if an application calls
mmap() with only PROT_READ, and the kernel applies PROT_EXEC in addition,
that application would have access to executable memory without having this
event recorded in the IMA measurement list. This situation would occur for
example if the application, before mmap(), calls the personality() system
call with READ_IMPLIES_EXEC as the first argument.

Align ima_file_mmap() parameters with those of the mmap_file LSM hook, so
that IMA can receive both the requested prot and the final prot. Since the
requested protections are stored in a new variable, and the final
protections are stored in the existing variable, this effectively restores
the original behavior of the MMAP_CHECK hook.

Cc: stable@vger.kernel.org
Fixes: 98de59bfe4b2 ("take calculation of final prot in security_mmap_file() into a helper")
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
---
 include/linux/ima.h               | 6 ++++--
 security/integrity/ima/ima_main.c | 7 +++++--
 security/security.c               | 7 ++++---
 3 files changed, 13 insertions(+), 7 deletions(-)

diff --git a/include/linux/ima.h b/include/linux/ima.h
index 5a0b2a285a18..d79fee67235e 100644
--- a/include/linux/ima.h
+++ b/include/linux/ima.h
@@ -21,7 +21,8 @@ extern int ima_file_check(struct file *file, int mask);
 extern void ima_post_create_tmpfile(struct user_namespace *mnt_userns,
 				    struct inode *inode);
 extern void ima_file_free(struct file *file);
-extern int ima_file_mmap(struct file *file, unsigned long prot);
+extern int ima_file_mmap(struct file *file, unsigned long reqprot,
+			 unsigned long prot, unsigned long flags);
 extern int ima_file_mprotect(struct vm_area_struct *vma, unsigned long prot);
 extern int ima_load_data(enum kernel_load_data_id id, bool contents);
 extern int ima_post_load_data(char *buf, loff_t size,
@@ -76,7 +77,8 @@ static inline void ima_file_free(struct file *file)
 	return;
 }
 
-static inline int ima_file_mmap(struct file *file, unsigned long prot)
+static inline int ima_file_mmap(struct file *file, unsigned long reqprot,
+				unsigned long prot, unsigned long flags)
 {
 	return 0;
 }
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index 377300973e6c..f48f4e694921 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -397,7 +397,9 @@ static int process_measurement(struct file *file, const struct cred *cred,
 /**
  * ima_file_mmap - based on policy, collect/store measurement.
  * @file: pointer to the file to be measured (May be NULL)
- * @prot: contains the protection that will be applied by the kernel.
+ * @reqprot: protection requested by the application
+ * @prot: protection that will be applied by the kernel
+ * @flags: operational flags
  *
  * Measure files being mmapped executable based on the ima_must_measure()
  * policy decision.
@@ -405,7 +407,8 @@ static int process_measurement(struct file *file, const struct cred *cred,
  * On success return 0.  On integrity appraisal error, assuming the file
  * is in policy and IMA-appraisal is in enforcing mode, return -EACCES.
  */
-int ima_file_mmap(struct file *file, unsigned long prot)
+int ima_file_mmap(struct file *file, unsigned long reqprot,
+		  unsigned long prot, unsigned long flags)
 {
 	u32 secid;
 
diff --git a/security/security.c b/security/security.c
index d1571900a8c7..174afa4fad81 100644
--- a/security/security.c
+++ b/security/security.c
@@ -1661,12 +1661,13 @@ static inline unsigned long mmap_prot(struct file *file, unsigned long prot)
 int security_mmap_file(struct file *file, unsigned long prot,
 			unsigned long flags)
 {
+	unsigned long prot_adj = mmap_prot(file, prot);
 	int ret;
-	ret = call_int_hook(mmap_file, 0, file, prot,
-					mmap_prot(file, prot), flags);
+
+	ret = call_int_hook(mmap_file, 0, file, prot, prot_adj, flags);
 	if (ret)
 		return ret;
-	return ima_file_mmap(file, prot);
+	return ima_file_mmap(file, prot, prot_adj, flags);
 }
 
 int security_mmap_addr(unsigned long addr)
-- 
2.25.1

[PATCH v3 2/2] ima: Introduce MMAP_CHECK_REQPROT hook

[Roberto Sassu]

From: Roberto Sassu <roberto.sassu@huawei.com>

Commit 98de59bfe4b2f ("take calculation of final prot in
security_mmap_file() into a helper") caused ima_file_mmap() to receive the
protections requested by the application and not those applied by the
kernel.

After restoring the original MMAP_CHECK behavior with a patch, existing
systems might be broken due to not being ready to handle new entries
(previously missing) in the IMA measurement list.

Restore the original correct MMAP_CHECK behavior instead of keeping the
current buggy one and introducing a new hook with the correct behavior. The
second option would have had the risk of IMA users not noticing the problem
at all, as they would actively have to update the IMA policy, to switch to
the correct behavior.

Also, introduce the new MMAP_CHECK_REQPROT hook to keep the current
behavior, so that IMA users could easily fix a broken system, although this
approach is discouraged due to potentially missing measurements.

Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
---
 Documentation/ABI/testing/ima_policy  |  2 +-
 security/integrity/ima/ima.h          |  1 +
 security/integrity/ima/ima_api.c      |  3 ++-
 security/integrity/ima/ima_appraise.c |  3 +++
 security/integrity/ima/ima_main.c     | 27 ++++++++++++++++++++++-----
 security/integrity/ima/ima_policy.c   |  4 ++++
 6 files changed, 33 insertions(+), 7 deletions(-)

diff --git a/Documentation/ABI/testing/ima_policy b/Documentation/ABI/testing/ima_policy
index db17fc8a0c9f..49db0ff288e5 100644
--- a/Documentation/ABI/testing/ima_policy
+++ b/Documentation/ABI/testing/ima_policy
@@ -35,7 +35,7 @@ Description:
 				[FIRMWARE_CHECK]
 				[KEXEC_KERNEL_CHECK] [KEXEC_INITRAMFS_CHECK]
 				[KEXEC_CMDLINE] [KEY_CHECK] [CRITICAL_DATA]
-				[SETXATTR_CHECK]
+				[SETXATTR_CHECK][MMAP_CHECK_REQPROT]
 			mask:= [[^]MAY_READ] [[^]MAY_WRITE] [[^]MAY_APPEND]
 			       [[^]MAY_EXEC]
 			fsmagic:= hex value
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index 03b440921e61..7186769d5e13 100644
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -190,6 +190,7 @@ static inline unsigned int ima_hash_key(u8 *digest)
 	hook(NONE, none)				\
 	hook(FILE_CHECK, file)				\
 	hook(MMAP_CHECK, mmap)				\
+	hook(MMAP_CHECK_REQPROT, mmap_reqprot)		\
 	hook(BPRM_CHECK, bprm)				\
 	hook(CREDS_CHECK, creds)			\
 	hook(POST_SETATTR, post_setattr)		\
diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c
index c1e76282b5ee..3e134c900f0c 100644
--- a/security/integrity/ima/ima_api.c
+++ b/security/integrity/ima/ima_api.c
@@ -179,7 +179,8 @@ void ima_add_violation(struct file *file, const unsigned char *filename,
  *		subj=, obj=, type=, func=, mask=, fsmagic=
  *	subj,obj, and type: are LSM specific.
  *	func: FILE_CHECK | BPRM_CHECK | CREDS_CHECK | MMAP_CHECK | MODULE_CHECK
- *	| KEXEC_CMDLINE | KEY_CHECK | CRITICAL_DATA
+ *	| KEXEC_CMDLINE | KEY_CHECK | CRITICAL_DATA | SETXATTR_CHECK
+ *	| MMAP_CHECK_REQPROT
  *	mask: contains the permission mask
  *	fsmagic: hex value
  *
diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
index ee6f7e237f2e..97c7d247315c 100644
--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -111,6 +111,7 @@ enum integrity_status ima_get_cache_status(struct integrity_iint_cache *iint,
 {
 	switch (func) {
 	case MMAP_CHECK:
+	case MMAP_CHECK_REQPROT:
 		return iint->ima_mmap_status;
 	case BPRM_CHECK:
 		return iint->ima_bprm_status;
@@ -131,6 +132,7 @@ static void ima_set_cache_status(struct integrity_iint_cache *iint,
 {
 	switch (func) {
 	case MMAP_CHECK:
+	case MMAP_CHECK_REQPROT:
 		iint->ima_mmap_status = status;
 		break;
 	case BPRM_CHECK:
@@ -155,6 +157,7 @@ static void ima_cache_flags(struct integrity_iint_cache *iint,
 {
 	switch (func) {
 	case MMAP_CHECK:
+	case MMAP_CHECK_REQPROT:
 		iint->flags |= (IMA_MMAP_APPRAISED | IMA_APPRAISED);
 		break;
 	case BPRM_CHECK:
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index f48f4e694921..58c2fd5fe22c 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -89,7 +89,8 @@ static int mmap_violation_check(enum ima_hooks func, struct file *file,
 	struct inode *inode;
 	int rc = 0;
 
-	if ((func == MMAP_CHECK) && mapping_writably_mapped(file->f_mapping)) {
+	if ((func == MMAP_CHECK || func == MMAP_CHECK_REQPROT) &&
+	    mapping_writably_mapped(file->f_mapping)) {
 		rc = -ETXTBSY;
 		inode = file_inode(file);
 
@@ -227,7 +228,8 @@ static int process_measurement(struct file *file, const struct cred *cred,
 	action = ima_get_action(file_mnt_user_ns(file), inode, cred, secid,
 				mask, func, &pcr, &template_desc, NULL,
 				&allowed_algos);
-	violation_check = ((func == FILE_CHECK || func == MMAP_CHECK) &&
+	violation_check = ((func == FILE_CHECK || func == MMAP_CHECK ||
+			    func == MMAP_CHECK_REQPROT) &&
 			   (ima_policy_flag & IMA_MEASURE));
 	if (!action && !violation_check)
 		return 0;
@@ -411,12 +413,23 @@ int ima_file_mmap(struct file *file, unsigned long reqprot,
 		  unsigned long prot, unsigned long flags)
 {
 	u32 secid;
+	int ret;
 
-	if (file && (prot & PROT_EXEC)) {
-		security_current_getsecid_subj(&secid);
+	if (!file)
+		return 0;
+
+	security_current_getsecid_subj(&secid);
+
+	if (reqprot & PROT_EXEC) {
+		ret = process_measurement(file, current_cred(), secid, NULL,
+					  0, MAY_EXEC, MMAP_CHECK_REQPROT);
+		if (ret)
+			return ret;
+	}
+
+	if (prot & PROT_EXEC)
 		return process_measurement(file, current_cred(), secid, NULL,
 					   0, MAY_EXEC, MMAP_CHECK);
-	}
 
 	return 0;
 }
@@ -457,6 +470,10 @@ int ima_file_mprotect(struct vm_area_struct *vma, unsigned long prot)
 	action = ima_get_action(file_mnt_user_ns(vma->vm_file), inode,
 				current_cred(), secid, MAY_EXEC, MMAP_CHECK,
 				&pcr, &template, NULL, NULL);
+	action |= ima_get_action(file_mnt_user_ns(vma->vm_file), inode,
+				 current_cred(), secid, MAY_EXEC,
+				 MMAP_CHECK_REQPROT, &pcr, &template, NULL,
+				 NULL);
 
 	/* Is the mmap'ed file in policy? */
 	if (!(action & (IMA_MEASURE | IMA_APPRAISE_SUBMASK)))
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index 6a68ec270822..419db81c4f67 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -697,6 +697,7 @@ static int get_subaction(struct ima_rule_entry *rule, enum ima_hooks func)
 
 	switch (func) {
 	case MMAP_CHECK:
+	case MMAP_CHECK_REQPROT:
 		return IMA_MMAP_APPRAISE;
 	case BPRM_CHECK:
 		return IMA_BPRM_APPRAISE;
@@ -1266,6 +1267,7 @@ static bool ima_validate_rule(struct ima_rule_entry *entry)
 	case NONE:
 	case FILE_CHECK:
 	case MMAP_CHECK:
+	case MMAP_CHECK_REQPROT:
 	case BPRM_CHECK:
 	case CREDS_CHECK:
 	case POST_SETATTR:
@@ -1504,6 +1506,8 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
 			else if ((strcmp(args[0].from, "FILE_MMAP") == 0)
 				|| (strcmp(args[0].from, "MMAP_CHECK") == 0))
 				entry->func = MMAP_CHECK;
+			else if ((strcmp(args[0].from, "MMAP_CHECK_REQPROT") == 0))
+				entry->func = MMAP_CHECK_REQPROT;
 			else if (strcmp(args[0].from, "BPRM_CHECK") == 0)
 				entry->func = BPRM_CHECK;
 			else if (strcmp(args[0].from, "CREDS_CHECK") == 0)
-- 
2.25.1

[PATCH ima-evm-utils] Add tests for MMAP_CHECK and MMAP_CHECK_REQPROT hooks

[Roberto Sassu]

From: Roberto Sassu <roberto.sassu@huawei.com>

Add tests to ensure that, after applying the kernel patch 'ima: Align
ima_file_mmap() parameters with mmap_file LSM hook', the MMAP_CHECK hook
checks the protections applied by the kernel and not those requested by the
application.

Also ensure that after applying 'ima: Introduce MMAP_CHECK_REQPROT hook',
the MMAP_CHECK_REQPROT hook checks the protections requested by the
application.

Test both with the test_mmap application that by default requests the
PROT_READ protection flag. Its syntax is:

test_mmap <file> <mode>

where mode can be:
- exec: adds the PROT_EXEC protection flag to mmap()
- read_implies_exec: calls the personality() system call with
                     READ_IMPLIES_EXEC as the first argument before mmap()
- mprotect: adds the PROT_EXEC protection flag to a memory area in addition
            to PROT_READ
- exec_on_writable: calls mmap() with PROT_EXEC on a file which has a
                    writable mapping

Check the different combinations of hooks/modes and ensure that a
measurement entry is found in the IMA measurement list only when it is
expected. No measurement entry should be found when only the PROT_READ
protection flag is requested or the matching policy rule has the
MMAP_CHECK_REQPROT hook and the personality() system call was called with
READ_IMPLIES_EXEC.

mprotect() with PROT_EXEC on an existing memory area protected with
PROT_READ should be denied (with an appraisal rule), regardless of the MMAP
hook specified in the policy. The same applies for mmap() with PROT_EXEC on
a file with a writable mapping.

Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
---
 tests/Makefile.am     |   4 +-
 tests/mmap_check.test | 282 ++++++++++++++++++++++++++++++++++++++++++
 tests/test_mmap.c     |  69 +++++++++++
 3 files changed, 354 insertions(+), 1 deletion(-)
 create mode 100755 tests/mmap_check.test
 create mode 100644 tests/test_mmap.c

diff --git a/tests/Makefile.am b/tests/Makefile.am
index a0463b7b5b5d..ca9c4ca18380 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -2,7 +2,9 @@ check_SCRIPTS =
 TESTS = $(check_SCRIPTS)
 
 check_SCRIPTS += ima_hash.test sign_verify.test boot_aggregate.test \
-		 fsverity.test portable_signatures.test
+		 fsverity.test portable_signatures.test mmap_check.test
+
+check_PROGRAMS := test_mmap
 
 .PHONY: check_logs
 check_logs:
diff --git a/tests/mmap_check.test b/tests/mmap_check.test
new file mode 100755
index 000000000000..2efdd8e01785
--- /dev/null
+++ b/tests/mmap_check.test
@@ -0,0 +1,282 @@
+#!/bin/bash
+# SPDX-License-Identifier: GPL-2.0
+#
+# Copyright (C) 2022-2023 Roberto Sassu <roberto.sassu@huawei.com>
+#
+# Check the behavior of MMAP_CHECK and MMAP_CHECK_REQPROT
+
+trap '_report_exit_and_cleanup _cleanup_env cleanup' SIGINT SIGTERM SIGSEGV EXIT
+
+# Base VERBOSE on the environment variable, if set.
+VERBOSE="${VERBOSE:-0}"
+
+cd "$(dirname "$0")" || exit "$FAIL"
+export PATH=$PWD/../src:$PWD:$PATH
+export LD_LIBRARY_PATH=$LD_LIBRARY_PATH
+. ./functions.sh
+_require evmctl
+
+cleanup() {
+	if [ "$g_loop_mounted" = "1" ]; then
+		popd > /dev/null || exit "$FAIL"
+		umount "$g_mountpoint"
+	fi
+
+	if [ -n "$g_dev" ]; then
+		losetup -d "$g_dev"
+	fi
+
+	if [ -n "$g_image" ]; then
+		rm -f "$g_image"
+	fi
+
+	if [ -n "$g_mountpoint" ]; then
+		rm -Rf "$g_mountpoint"
+	fi
+
+	if [ -n "$key_path_der" ]; then
+		rm -f "$key_path_der"
+	fi
+}
+
+# Use the fsuuid= IMA policy keyword to select only files created/used by the
+# tests below. Also use fowner= to differentiate between files created/used by
+# individual tests.
+IMA_UUID="28b23254-9467-44c0-b6ba-34b12e85a26e"
+MMAP_CHECK_FOWNER=2000
+MMAP_CHECK_REQPROT_FOWNER=2001
+MEASURE_MMAP_CHECK_RULE="measure func=MMAP_CHECK fsuuid=$IMA_UUID fowner=$MMAP_CHECK_FOWNER"
+MEASURE_MMAP_CHECK_REQPROT_RULE="measure func=MMAP_CHECK_REQPROT fsuuid=$IMA_UUID fowner=$MMAP_CHECK_REQPROT_FOWNER"
+APPRAISE_MMAP_CHECK_RULE="appraise func=MMAP_CHECK fsuuid=$IMA_UUID fowner=$MMAP_CHECK_FOWNER"
+APPRAISE_MMAP_CHECK_REQPROT_RULE="appraise func=MMAP_CHECK_REQPROT fsuuid=$IMA_UUID fowner=$MMAP_CHECK_REQPROT_FOWNER"
+
+check_load_ima_rule() {
+	local rule_loaded
+	local result
+	local new_policy
+
+	rule_loaded=$(grep "$1" /sys/kernel/security/ima/policy)
+	if [ -z "$rule_loaded" ]; then
+		new_policy=$(mktemp -p "$g_mountpoint")
+		echo "$1" > "$new_policy"
+		echo "$new_policy" > /sys/kernel/security/ima/policy
+		result=$?
+		rm -f "$new_policy"
+
+		if [ "$result" -ne 0 ]; then
+			echo "${RED}Failed to set IMA policy${NORM}"
+			return "$FAIL"
+		fi
+	fi
+
+	return "$OK"
+}
+
+check_mmap() {
+	local hook="$1"
+	local arg="$2"
+	local test_file
+	local fowner
+	local rule
+	local result
+	local test_file_entry
+
+	if ! test_file=$(mktemp -p "$PWD"); then
+		echo "${RED}Cannot write $test_file${NORM}"
+		return "$FAIL"
+	fi
+
+	fowner="$MMAP_CHECK_FOWNER"
+	rule="$MEASURE_MMAP_CHECK_RULE"
+
+	if [ "$hook" = "MMAP_CHECK_REQPROT" ]; then
+		fowner="$MMAP_CHECK_REQPROT_FOWNER"
+		rule="$MEASURE_MMAP_CHECK_REQPROT_RULE"
+	fi
+
+	if ! chown "$fowner" "$test_file"; then
+		echo "${RED}Cannot change owner of $test_file${NORM}"
+		return "$FAIL"
+	fi
+
+	check_load_ima_rule "$rule"
+	result=$?
+	if [ $result -ne "$OK" ]; then
+		return $result
+	fi
+
+	test_mmap "$test_file" "$arg"
+
+	if [ "$TFAIL" != "yes" ]; then
+		echo -n "Test (expect: found): "
+	else
+		echo -n "Test (expect: not found): "
+	fi
+
+	echo -n "${FUNCNAME[0]} (hook=\"$hook\", test_mmap arg: \"$arg\") - "
+
+	test_file_entry=$(awk '$5 == "'"$test_file"'"' < /sys/kernel/security/ima/ascii_runtime_measurements)
+	if [ -z "$test_file_entry" ]; then
+		echo "not found"
+		return "$FAIL"
+	fi
+
+	echo "found"
+	return "$OK"
+}
+
+check_deny() {
+	local hook="$1"
+	local arg="$2"
+	local test_file
+	local fowner
+	local rule
+	local result
+
+	if ! test_file=$(mktemp -p "$PWD"); then
+		echo "${RED}Cannot write $test_file${NORM}"
+		return "$FAIL"
+	fi
+
+	echo "test" > "$test_file"
+
+	if ! evmctl ima_sign -a sha256 --key "$key_path" "$test_file" &> /dev/null; then
+		echo "${RED}Cannot sign $test_file${NORM}"
+		return "$FAIL"
+	fi
+
+	fowner="$MMAP_CHECK_FOWNER"
+	rule="$APPRAISE_MMAP_CHECK_RULE"
+
+	if [ "$hook" = "MMAP_CHECK_REQPROT" ]; then
+		fowner="$MMAP_CHECK_REQPROT_FOWNER"
+		rule="$APPRAISE_MMAP_CHECK_REQPROT_RULE"
+	fi
+
+	if ! chown "$fowner" "$test_file"; then
+		echo "${RED}Cannot change owner of $test_file${NORM}"
+		return "$FAIL"
+	fi
+
+	check_load_ima_rule "$rule"
+	result=$?
+	if [ $result -ne "$OK" ]; then
+		return $result
+	fi
+
+	if ! test_mmap "$test_file" exec > /dev/null; then
+		echo "${RED}Cannot read $test_file${NORM}"
+		return "$FAIL"
+	fi
+
+	echo -n "Test (expect: denied): ${FUNCNAME[0]} (hook=\"$hook\", test_mmap arg: \"$arg\") - "
+	if test_mmap "$test_file" "$arg"; then
+		echo "allowed"
+		return "$FAIL"
+	fi
+
+	echo "denied"
+
+	return "$OK"
+}
+
+# Run in the new environment if TST_ENV is set.
+_run_env "$TST_KERNEL" "$PWD/$(basename "$0")" "TST_ENV=$TST_ENV TST_KERNEL=$TST_KERNEL PATH=$PATH LD_LIBRARY_PATH=$LD_LIBRARY_PATH VERBOSE=$VERBOSE"
+
+# Exit from the creator of the new environment.
+_exit_env "$TST_KERNEL"
+
+# Mount filesystems in the new environment.
+_init_env
+
+if [ "$(whoami)" != "root" ]; then
+	echo "${CYAN}This script must be executed as root${NORM}"
+	exit "$SKIP"
+fi
+
+if [ ! -f /sys/kernel/security/ima/policy ]; then
+	echo "${CYAN}IMA policy file not found${NORM}"
+	exit "$SKIP"
+fi
+
+if ! cat /sys/kernel/security/ima/policy &> /dev/null; then
+	echo "${CYAN}IMA policy file is not readable${NORM}"
+	exit "$SKIP"
+fi
+
+if [ -n "$TST_KEY_PATH" ]; then
+	if [ "${TST_KEY_PATH:0:1}" != "/" ]; then
+		echo "${RED}Absolute path required for the signing key${NORM}"
+		exit "$FAIL"
+	fi
+
+	if [ ! -f "$TST_KEY_PATH" ]; then
+		echo "${RED}Kernel signing key not found in $TST_KEY_PATH${NORM}"
+		exit "$FAIL"
+	fi
+
+	key_path="$TST_KEY_PATH"
+elif [ -f "$PWD/../signing_key.pem" ]; then
+	key_path="$PWD/../signing_key.pem"
+elif [ -f "/lib/modules/$(uname -r)/source/certs/signing_key.pem" ]; then
+	key_path="/lib/modules/$(uname -r)/source/certs/signing_key.pem"
+elif [ -f "/lib/modules/$(uname -r)/build/certs/signing_key.pem" ]; then
+	key_path="/lib/modules/$(uname -r)/build/certs/signing_key.pem"
+else
+	echo "${CYAN}Kernel signing key not found${NORM}"
+	exit "$SKIP"
+fi
+
+key_path_der=$(mktemp)
+
+openssl x509 -in "$key_path" -out "$key_path_der" -outform der
+if ! keyctl padd asymmetric pubkey %keyring:.ima < "$key_path_der" &> /dev/null; then
+	echo "${RED}Public key cannot be added to the IMA keyring${NORM}"
+	exit "$FAIL"
+fi
+
+g_mountpoint=$(mktemp -d)
+g_image=$(mktemp)
+
+if [ -z "$g_mountpoint" ]; then
+	echo "${RED}Mountpoint directory not created${NORM}"
+	exit "$FAIL"
+fi
+
+if ! dd if=/dev/zero of="$g_image" bs=1M count=20 &> /dev/null; then
+	echo "${RED}Cannot create test image${NORM}"
+	exit "$FAIL"
+fi
+
+g_dev=$(losetup -f "$g_image" --show)
+if [ -z "$g_dev" ]; then
+	echo "${RED}Cannot create loop device${NORM}"
+	exit "$FAIL"
+fi
+
+if ! mkfs.ext4 -U "$IMA_UUID" -b 4096 "$g_dev" &> /dev/null; then
+	echo "${RED}Cannot format $g_dev${NORM}"
+	exit "$FAIL"
+fi
+
+if ! mount -o i_version "$g_dev" "$g_mountpoint"; then
+	echo "${RED}Cannot mount loop device${NORM}"
+	exit "$FAIL"
+fi
+
+g_loop_mounted=1
+pushd "$g_mountpoint" > /dev/null || exit "$FAIL"
+
+expect_fail check_mmap "MMAP_CHECK" ""
+expect_pass check_mmap "MMAP_CHECK" "exec"
+expect_pass check_mmap "MMAP_CHECK" "read_implies_exec"
+
+expect_fail check_mmap "MMAP_CHECK_REQPROT" ""
+expect_pass check_mmap "MMAP_CHECK_REQPROT" "exec"
+expect_fail check_mmap "MMAP_CHECK_REQPROT" "read_implies_exec"
+
+expect_pass check_deny "MMAP_CHECK" "mprotect"
+expect_pass check_deny "MMAP_CHECK_REQPROT" "mprotect"
+
+expect_pass check_deny "MMAP_CHECK" "exec_on_writable"
+expect_pass check_deny "MMAP_CHECK_REQPROT" "exec_on_writable"
diff --git a/tests/test_mmap.c b/tests/test_mmap.c
new file mode 100644
index 000000000000..c9396f66b3a9
--- /dev/null
+++ b/tests/test_mmap.c
@@ -0,0 +1,69 @@
+#include <stdio.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <string.h>
+#include <unistd.h>
+#include <sys/stat.h>
+#include <sys/mman.h>
+#include <sys/personality.h>
+
+int main(int argc, char *argv[])
+{
+	struct stat st;
+	void *ptr, *ptr_write = NULL;
+	int ret, fd, fd_write, prot = PROT_READ;
+
+	if (!argv[1])
+		return -ENOENT;
+
+	if (argv[2] && !strcmp(argv[2], "read_implies_exec")) {
+		ret = personality(READ_IMPLIES_EXEC);
+		if (ret < 0)
+			return ret;
+	}
+
+	if (stat(argv[1], &st) == -1)
+		return -errno;
+
+	if (argv[2] && !strcmp(argv[2], "exec_on_writable")) {
+		fd_write = open(argv[1], O_RDWR);
+		if (fd_write == -1)
+			return -errno;
+
+		ptr_write = mmap(0, st.st_size, PROT_WRITE, MAP_SHARED,
+				 fd_write, 0);
+		close(fd_write);
+
+		if (ptr_write == (void *)-1)
+			return -errno;
+	}
+
+	fd = open(argv[1], O_RDONLY);
+	if (fd == -1) {
+		if (ptr_write)
+			munmap(ptr_write, st.st_size);
+
+		return -errno;
+	}
+
+	if (argv[2] && !strncmp(argv[2], "exec", 4))
+		prot |= PROT_EXEC;
+
+	ptr = mmap(0, st.st_size, prot, MAP_PRIVATE, fd, 0);
+
+	close(fd);
+
+	if (ptr_write)
+		munmap(ptr_write, st.st_size);
+
+	if (ptr == (void *)-1)
+		return -errno;
+
+	ret = 0;
+
+	if (argv[2] && !strcmp(argv[2], "mprotect"))
+		ret = mprotect(ptr, st.st_size, PROT_EXEC);
+
+	munmap(ptr, st.st_size);
+	return ret;
+}
-- 
2.25.1

Re: [PATCH v3 1/2] ima: Align ima_file_mmap() parameters with mmap_file LSM hook

[Stefan Berger]

On 1/26/23 11:38, Roberto Sassu wrote:
> From: Roberto Sassu <roberto.sassu@huawei.com>
> 
> Commit 98de59bfe4b2f ("take calculation of final prot in
> security_mmap_file() into a helper") moved the code to update prot, to be
> the actual protections applied to the kernel, to a new helper called
> mmap_prot().
> 
> However, while without the helper ima_file_mmap() was getting the updated
> prot, with the helper ima_file_mmap() gets the original prot, which
> contains the protections requested by the application.
> 
> A possible consequence of this change is that, if an application calls
> mmap() with only PROT_READ, and the kernel applies PROT_EXEC in addition,
> that application would have access to executable memory without having this
> event recorded in the IMA measurement list. This situation would occur for
> example if the application, before mmap(), calls the personality() system
> call with READ_IMPLIES_EXEC as the first argument.
> 
> Align ima_file_mmap() parameters with those of the mmap_file LSM hook, so
> that IMA can receive both the requested prot and the final prot. Since the
> requested protections are stored in a new variable, and the final
> protections are stored in the existing variable, this effectively restores
> the original behavior of the MMAP_CHECK hook.
> 
And flags is being passed in preparation for IMA to meet the interface
requirements of the LSM hooks - I suppose in preparation for IMA to become an LSM.

> Cc: stable@vger.kernel.org
> Fixes: 98de59bfe4b2 ("take calculation of final prot in security_mmap_file() into a helper")
> Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>

Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>

> ---
>   include/linux/ima.h               | 6 ++++--
>   security/integrity/ima/ima_main.c | 7 +++++--
>   security/security.c               | 7 ++++---
>   3 files changed, 13 insertions(+), 7 deletions(-)
> 
> diff --git a/include/linux/ima.h b/include/linux/ima.h
> index 5a0b2a285a18..d79fee67235e 100644
> --- a/include/linux/ima.h
> +++ b/include/linux/ima.h
> @@ -21,7 +21,8 @@ extern int ima_file_check(struct file *file, int mask);
>   extern void ima_post_create_tmpfile(struct user_namespace *mnt_userns,
>   				    struct inode *inode);
>   extern void ima_file_free(struct file *file);
> -extern int ima_file_mmap(struct file *file, unsigned long prot);
> +extern int ima_file_mmap(struct file *file, unsigned long reqprot,
> +			 unsigned long prot, unsigned long flags);
>   extern int ima_file_mprotect(struct vm_area_struct *vma, unsigned long prot);
>   extern int ima_load_data(enum kernel_load_data_id id, bool contents);
>   extern int ima_post_load_data(char *buf, loff_t size,
> @@ -76,7 +77,8 @@ static inline void ima_file_free(struct file *file)
>   	return;
>   }
>   
> -static inline int ima_file_mmap(struct file *file, unsigned long prot)
> +static inline int ima_file_mmap(struct file *file, unsigned long reqprot,
> +				unsigned long prot, unsigned long flags)
>   {
>   	return 0;
>   }
> diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
> index 377300973e6c..f48f4e694921 100644
> --- a/security/integrity/ima/ima_main.c
> +++ b/security/integrity/ima/ima_main.c
> @@ -397,7 +397,9 @@ static int process_measurement(struct file *file, const struct cred *cred,
>   /**
>    * ima_file_mmap - based on policy, collect/store measurement.
>    * @file: pointer to the file to be measured (May be NULL)
> - * @prot: contains the protection that will be applied by the kernel.
> + * @reqprot: protection requested by the application
> + * @prot: protection that will be applied by the kernel
> + * @flags: operational flags
>    *
>    * Measure files being mmapped executable based on the ima_must_measure()
>    * policy decision.
> @@ -405,7 +407,8 @@ static int process_measurement(struct file *file, const struct cred *cred,
>    * On success return 0.  On integrity appraisal error, assuming the file
>    * is in policy and IMA-appraisal is in enforcing mode, return -EACCES.
>    */
> -int ima_file_mmap(struct file *file, unsigned long prot)
> +int ima_file_mmap(struct file *file, unsigned long reqprot,
> +		  unsigned long prot, unsigned long flags)
>   {
>   	u32 secid;
>   
> diff --git a/security/security.c b/security/security.c
> index d1571900a8c7..174afa4fad81 100644
> --- a/security/security.c
> +++ b/security/security.c
> @@ -1661,12 +1661,13 @@ static inline unsigned long mmap_prot(struct file *file, unsigned long prot)
>   int security_mmap_file(struct file *file, unsigned long prot,
>   			unsigned long flags)
>   {
> +	unsigned long prot_adj = mmap_prot(file, prot);
>   	int ret;
> -	ret = call_int_hook(mmap_file, 0, file, prot,
> -					mmap_prot(file, prot), flags);
> +
> +	ret = call_int_hook(mmap_file, 0, file, prot, prot_adj, flags);
>   	if (ret)
>   		return ret;
> -	return ima_file_mmap(file, prot);
> +	return ima_file_mmap(file, prot, prot_adj, flags);
>   }
>   
>   int security_mmap_addr(unsigned long addr)

Re: [PATCH ima-evm-utils] Add tests for MMAP_CHECK and MMAP_CHECK_REQPROT hooks

[Stefan Berger]

On 1/26/23 11:38, Roberto Sassu wrote:
> From: Roberto Sassu <roberto.sassu@huawei.com>
> 
> Add tests to ensure that, after applying the kernel patch 'ima: Align
> ima_file_mmap() parameters with mmap_file LSM hook', the MMAP_CHECK hook
> checks the protections applied by the kernel and not those requested by the
> application.
> 
> Also ensure that after applying 'ima: Introduce MMAP_CHECK_REQPROT hook',
> the MMAP_CHECK_REQPROT hook checks the protections requested by the
> application.

below LGTM

How do you tell the user that the patches need to be applied for the test to
succeed and not worry about it when the patches are not applied?


> 
> Test both with the test_mmap application that by default requests the
> PROT_READ protection flag. Its syntax is:
> 

> +
> +check_mmap() {
> +	local hook="$1"
> +	local arg="$2"
> +	local test_file
> +	local fowner
> +	local rule
> +	local result
> +	local test_file_entry
> +

you can write them all in one line: 'local test_file fowner rule result test_file_entry'

Re: [PATCH v3 1/2] ima: Align ima_file_mmap() parameters with mmap_file LSM hook

[Roberto Sassu]

On Thu, 2023-01-26 at 14:37 -0500, Stefan Berger wrote:
> 
> On 1/26/23 11:38, Roberto Sassu wrote:
> > From: Roberto Sassu <roberto.sassu@huawei.com>
> > 
> > Commit 98de59bfe4b2f ("take calculation of final prot in
> > security_mmap_file() into a helper") moved the code to update prot, to be
> > the actual protections applied to the kernel, to a new helper called
> > mmap_prot().
> > 
> > However, while without the helper ima_file_mmap() was getting the updated
> > prot, with the helper ima_file_mmap() gets the original prot, which
> > contains the protections requested by the application.
> > 
> > A possible consequence of this change is that, if an application calls
> > mmap() with only PROT_READ, and the kernel applies PROT_EXEC in addition,
> > that application would have access to executable memory without having this
> > event recorded in the IMA measurement list. This situation would occur for
> > example if the application, before mmap(), calls the personality() system
> > call with READ_IMPLIES_EXEC as the first argument.
> > 
> > Align ima_file_mmap() parameters with those of the mmap_file LSM hook, so
> > that IMA can receive both the requested prot and the final prot. Since the
> > requested protections are stored in a new variable, and the final
> > protections are stored in the existing variable, this effectively restores
> > the original behavior of the MMAP_CHECK hook.
> > 
> And flags is being passed in preparation for IMA to meet the interface
> requirements of the LSM hooks - I suppose in preparation for IMA to become an LSM.

Yes, correct. I reused a patch from that patch set. Anyway reqprot was
needed for MMAP_CHECK_REQPROT.

> > Cc: stable@vger.kernel.org
> > Fixes: 98de59bfe4b2 ("take calculation of final prot in security_mmap_file() into a helper")
> > Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
> 
> Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>

Thanks

Roberto

> > ---
> >   include/linux/ima.h               | 6 ++++--
> >   security/integrity/ima/ima_main.c | 7 +++++--
> >   security/security.c               | 7 ++++---
> >   3 files changed, 13 insertions(+), 7 deletions(-)
> > 
> > diff --git a/include/linux/ima.h b/include/linux/ima.h
> > index 5a0b2a285a18..d79fee67235e 100644
> > --- a/include/linux/ima.h
> > +++ b/include/linux/ima.h
> > @@ -21,7 +21,8 @@ extern int ima_file_check(struct file *file, int mask);
> >   extern void ima_post_create_tmpfile(struct user_namespace *mnt_userns,
> >   				    struct inode *inode);
> >   extern void ima_file_free(struct file *file);
> > -extern int ima_file_mmap(struct file *file, unsigned long prot);
> > +extern int ima_file_mmap(struct file *file, unsigned long reqprot,
> > +			 unsigned long prot, unsigned long flags);
> >   extern int ima_file_mprotect(struct vm_area_struct *vma, unsigned long prot);
> >   extern int ima_load_data(enum kernel_load_data_id id, bool contents);
> >   extern int ima_post_load_data(char *buf, loff_t size,
> > @@ -76,7 +77,8 @@ static inline void ima_file_free(struct file *file)
> >   	return;
> >   }
> >   
> > -static inline int ima_file_mmap(struct file *file, unsigned long prot)
> > +static inline int ima_file_mmap(struct file *file, unsigned long reqprot,
> > +				unsigned long prot, unsigned long flags)
> >   {
> >   	return 0;
> >   }
> > diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
> > index 377300973e6c..f48f4e694921 100644
> > --- a/security/integrity/ima/ima_main.c
> > +++ b/security/integrity/ima/ima_main.c
> > @@ -397,7 +397,9 @@ static int process_measurement(struct file *file, const struct cred *cred,
> >   /**
> >    * ima_file_mmap - based on policy, collect/store measurement.
> >    * @file: pointer to the file to be measured (May be NULL)
> > - * @prot: contains the protection that will be applied by the kernel.
> > + * @reqprot: protection requested by the application
> > + * @prot: protection that will be applied by the kernel
> > + * @flags: operational flags
> >    *
> >    * Measure files being mmapped executable based on the ima_must_measure()
> >    * policy decision.
> > @@ -405,7 +407,8 @@ static int process_measurement(struct file *file, const struct cred *cred,
> >    * On success return 0.  On integrity appraisal error, assuming the file
> >    * is in policy and IMA-appraisal is in enforcing mode, return -EACCES.
> >    */
> > -int ima_file_mmap(struct file *file, unsigned long prot)
> > +int ima_file_mmap(struct file *file, unsigned long reqprot,
> > +		  unsigned long prot, unsigned long flags)
> >   {
> >   	u32 secid;
> >   
> > diff --git a/security/security.c b/security/security.c
> > index d1571900a8c7..174afa4fad81 100644
> > --- a/security/security.c
> > +++ b/security/security.c
> > @@ -1661,12 +1661,13 @@ static inline unsigned long mmap_prot(struct file *file, unsigned long prot)
> >   int security_mmap_file(struct file *file, unsigned long prot,
> >   			unsigned long flags)
> >   {
> > +	unsigned long prot_adj = mmap_prot(file, prot);
> >   	int ret;
> > -	ret = call_int_hook(mmap_file, 0, file, prot,
> > -					mmap_prot(file, prot), flags);
> > +
> > +	ret = call_int_hook(mmap_file, 0, file, prot, prot_adj, flags);
> >   	if (ret)
> >   		return ret;
> > -	return ima_file_mmap(file, prot);
> > +	return ima_file_mmap(file, prot, prot_adj, flags);
> >   }
> >   
> >   int security_mmap_addr(unsigned long addr)

Re: [PATCH ima-evm-utils] Add tests for MMAP_CHECK and MMAP_CHECK_REQPROT hooks

[Roberto Sassu]

On Thu, 2023-01-26 at 17:25 -0500, Stefan Berger wrote:
> 
> On 1/26/23 11:38, Roberto Sassu wrote:
> > From: Roberto Sassu <roberto.sassu@huawei.com>
> > 
> > Add tests to ensure that, after applying the kernel patch 'ima: Align
> > ima_file_mmap() parameters with mmap_file LSM hook', the MMAP_CHECK hook
> > checks the protections applied by the kernel and not those requested by the
> > application.
> > 
> > Also ensure that after applying 'ima: Introduce MMAP_CHECK_REQPROT hook',
> > the MMAP_CHECK_REQPROT hook checks the protections requested by the
> > application.
> 
> below LGTM
> 
> How do you tell the user that the patches need to be applied for the test to
> succeed and not worry about it when the patches are not applied?

Uhm, I agree. I should at least write a comment as for EVM portable
signatures, and maybe display a message in the test logs.

> > Test both with the test_mmap application that by default requests the
> > PROT_READ protection flag. Its syntax is:
> > 
> > +
> > +check_mmap() {
> > +	local hook="$1"
> > +	local arg="$2"
> > +	local test_file
> > +	local fowner
> > +	local rule
> > +	local result
> > +	local test_file_entry
> > +
> 
> you can write them all in one line: 'local test_file fowner rule result test_file_entry'

Ok.

Thanks

Roberto

Re: [PATCH v3 2/2] ima: Introduce MMAP_CHECK_REQPROT hook

[Mimi Zohar]

On Thu, 2023-01-26 at 17:38 +0100, Roberto Sassu wrote:
> From: Roberto Sassu <roberto.sassu@huawei.com>
> 
> Commit 98de59bfe4b2f ("take calculation of final prot in
> security_mmap_file() into a helper") caused ima_file_mmap() to receive the
> protections requested by the application and not those applied by the
> kernel.
> 
> After restoring the original MMAP_CHECK behavior with a patch, existing
> systems might be broken due to not being ready to handle new entries
> (previously missing) in the IMA measurement list.

Is this a broken system or a broken attestation server?  The
attestation server might not be able to handle the additional
measurements, but the system, itself, is not broken.

"with a patch" is unnecessary.

> 
> Restore the original correct MMAP_CHECK behavior instead of keeping the

^ add missing comma after "behavior"

> current buggy one and introducing a new hook with the correct behavior. The
> second option 

^ The second option -> Otherwise,

> would have had the risk of IMA users not noticing the problem
> at all, as they would actively have to update the IMA policy, to switch to
> the correct behavior.
> 
> Also, introduce the new MMAP_CHECK_REQPROT hook to keep the current
> behavior, so that IMA users could easily fix a broken system, although this
> approach is discouraged due to potentially missing measurements.

Again, is this a broken system or a broken attestation server? 

> 
> Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>

Otherwise, the patch looks good.

-- 
thanks,

Mimi

Re: [PATCH v3 2/2] ima: Introduce MMAP_CHECK_REQPROT hook

[Roberto Sassu]

On Sun, 2023-01-29 at 09:52 -0500, Mimi Zohar wrote:
> On Thu, 2023-01-26 at 17:38 +0100, Roberto Sassu wrote:
> > From: Roberto Sassu <roberto.sassu@huawei.com>
> > 
> > Commit 98de59bfe4b2f ("take calculation of final prot in
> > security_mmap_file() into a helper") caused ima_file_mmap() to receive the
> > protections requested by the application and not those applied by the
> > kernel.
> > 
> > After restoring the original MMAP_CHECK behavior with a patch, existing
> > systems might be broken due to not being ready to handle new entries
> > (previously missing) in the IMA measurement list.
> 
> Is this a broken system or a broken attestation server?  The
> attestation server might not be able to handle the additional
> measurements, but the system, itself, is not broken.

Ok, wasn't clear. I meant attestation server. The system itself is not
broken.

> "with a patch" is unnecessary.

Ok.

> > Restore the original correct MMAP_CHECK behavior instead of keeping the
> 
> ^ add missing comma after "behavior"
> 
> > current buggy one and introducing a new hook with the correct behavior. The
> > second option 
> 
> ^ The second option -> Otherwise,
> 
> > would have had the risk of IMA users not noticing the problem
> > at all, as they would actively have to update the IMA policy, to switch to
> > the correct behavior.
> > 
> > Also, introduce the new MMAP_CHECK_REQPROT hook to keep the current
> > behavior, so that IMA users could easily fix a broken system, although this
> > approach is discouraged due to potentially missing measurements.
> 
> Again, is this a broken system or a broken attestation server? 
> 
> > Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
> 
> Otherwise, the patch looks good.

Ok, will make the changes.

Thanks

Roberto

Re: [PATCH ima-evm-utils] Add tests for MMAP_CHECK and MMAP_CHECK_REQPROT hooks

[Mimi Zohar]

[Trimmed Cc list, since this is an ima-evm-utils discussion.  Adding
Petr.]

On Fri, 2023-01-27 at 08:57 +0100, Roberto Sassu wrote:
> On Thu, 2023-01-26 at 17:25 -0500, Stefan Berger wrote:

> > How do you tell the user that the patches need to be applied for the test to
> > succeed and not worry about it when the patches are not applied?
> 
> Uhm, I agree. I should at least write a comment as for EVM portable
> signatures, and maybe display a message in the test logs.

This is a generic problem that needs to be addressed.  FYI, LTP
addressed it by introducing "struct test_tag" in commit ca2c76990
("lib: Add support for test tags").

thanks,

Mimi

Re: [PATCH ima-evm-utils] Add tests for MMAP_CHECK and MMAP_CHECK_REQPROT hooks

[Roberto Sassu]

On Mon, 2023-01-30 at 08:28 -0500, Mimi Zohar wrote:
> [Trimmed Cc list, since this is an ima-evm-utils discussion.  Adding
> Petr.]
> 
> On Fri, 2023-01-27 at 08:57 +0100, Roberto Sassu wrote:
> > On Thu, 2023-01-26 at 17:25 -0500, Stefan Berger wrote:
> > > How do you tell the user that the patches need to be applied for the test to
> > > succeed and not worry about it when the patches are not applied?
> > 
> > Uhm, I agree. I should at least write a comment as for EVM portable
> > signatures, and maybe display a message in the test logs.
> 
> This is a generic problem that needs to be addressed.  FYI, LTP
> addressed it by introducing "struct test_tag" in commit ca2c76990
> ("lib: Add support for test tags").

One idea could be to list all the patches the group of tests is going
to check, and add an argument to expect_pass and expect_fail to specify
the indexes of patches required for the test. We print the required
patches in an error message.

Roberto

Re: [PATCH ima-evm-utils] Add tests for MMAP_CHECK and MMAP_CHECK_REQPROT hooks

[Roberto Sassu]

On Mon, 2023-01-30 at 15:02 +0100, Roberto Sassu wrote:
> On Mon, 2023-01-30 at 08:28 -0500, Mimi Zohar wrote:
> > [Trimmed Cc list, since this is an ima-evm-utils discussion.  Adding
> > Petr.]
> > 
> > On Fri, 2023-01-27 at 08:57 +0100, Roberto Sassu wrote:
> > > On Thu, 2023-01-26 at 17:25 -0500, Stefan Berger wrote:
> > > > How do you tell the user that the patches need to be applied for the test to
> > > > succeed and not worry about it when the patches are not applied?
> > > 
> > > Uhm, I agree. I should at least write a comment as for EVM portable
> > > signatures, and maybe display a message in the test logs.
> > 
> > This is a generic problem that needs to be addressed.  FYI, LTP
> > addressed it by introducing "struct test_tag" in commit ca2c76990
> > ("lib: Add support for test tags").
> 
> One idea could be to list all the patches the group of tests is going
> to check, and add an argument to expect_pass and expect_fail to specify
> the indexes of patches required for the test. We print the required
> patches in an error message.

Ok, here is an example for this patch set. I added the following
changes to the mmap_check.test script:

PATCHES=(
'ima: Align ima_file_mmap() parameters with mmap_file LSM hook'
'ima: Introduce MMAP_CHECK_REQPROT hook'
)

[...]

expect_fail check_mmap "MMAP_CHECK" ""
expect_pass check_mmap "MMAP_CHECK" "exec"
expect_pass_if '0' check_mmap "MMAP_CHECK" "read_implies_exec"

expect_fail_if '1' check_mmap "MMAP_CHECK_REQPROT" ""
expect_pass_if '1' check_mmap "MMAP_CHECK_REQPROT" "exec"
expect_fail_if '1' check_mmap "MMAP_CHECK_REQPROT" "read_implies_exec"

expect_pass check_deny "MMAP_CHECK" "mprotect"
expect_pass_if '1' check_deny "MMAP_CHECK_REQPROT" "mprotect"

expect_pass check_deny "MMAP_CHECK" "exec_on_writable"
expect_pass_if '1' check_deny "MMAP_CHECK_REQPROT" "exec_on_writable"

I didn't add the _if suffix for the tests that are expected to
pass/fail without adding new patches.


I introduced expect_pass_if() and expect_fail_if() that call
respectively expect_pass() and expect_fail(), and additionally print an
error message with the patches that might be required.


The test results (without the two kernel patches applied) are:

Test: check_mmap (hook="MMAP_CHECK", test_mmap arg: "")
Result (expect not found): not found

Test: check_mmap (hook="MMAP_CHECK", test_mmap arg: "exec")
Result (expect found): found

Test: check_mmap (hook="MMAP_CHECK", test_mmap arg: "read_implies_exec")
Result (expect found): not found
Possibly missing patches:
 - ima: Align ima_file_mmap() parameters with mmap_file LSM hook

Test: check_mmap (hook="MMAP_CHECK_REQPROT", test_mmap arg: "")
/home/roberto/repos/ima-evm-utils/tests/mmap_check.test: line 65: echo: write error: Invalid argument
Failed to set IMA policy
Possibly missing patches:
 - ima: Introduce MMAP_CHECK_REQPROT hook

Test: check_mmap (hook="MMAP_CHECK_REQPROT", test_mmap arg: "exec")
/home/roberto/repos/ima-evm-utils/tests/mmap_check.test: line 65: echo: write error: Invalid argument
Failed to set IMA policy
Possibly missing patches:
 - ima: Introduce MMAP_CHECK_REQPROT hook

Test: check_mmap (hook="MMAP_CHECK_REQPROT", test_mmap arg: "read_implies_exec")
/home/roberto/repos/ima-evm-utils/tests/mmap_check.test: line 65: echo: write error: Invalid argument
Failed to set IMA policy
Possibly missing patches:
 - ima: Introduce MMAP_CHECK_REQPROT hook

Test: check_deny (hook="MMAP_CHECK", test_mmap arg: "mprotect")
Result (expect denied): denied

Test: check_deny (hook="MMAP_CHECK_REQPROT", test_mmap arg: "mprotect")
/home/roberto/repos/ima-evm-utils/tests/mmap_check.test: line 65: echo: write error: Invalid argument
Failed to set IMA policy
Possibly missing patches:
 - ima: Introduce MMAP_CHECK_REQPROT hook

Test: check_deny (hook="MMAP_CHECK", test_mmap arg: "exec_on_writable")
Result (expect denied): denied

Test: check_deny (hook="MMAP_CHECK_REQPROT", test_mmap arg: "exec_on_writable")
/home/roberto/repos/ima-evm-utils/tests/mmap_check.test: line 65: echo: write error: Invalid argument
Failed to set IMA policy
Possibly missing patches:
 - ima: Introduce MMAP_CHECK_REQPROT hook
=================================
 Run with FAILEARLY=1 /home/roberto/repos/ima-evm-utils/tests/mmap_check.test _cleanup_env cleanup
 To stop after first failure
=================================
PASS: 4 SKIP: 0 FAIL: 6


The test results (with the two kernel patches applied) are:

Test: check_mmap (hook="MMAP_CHECK", test_mmap arg: "")
Result (expect not found): not found

Test: check_mmap (hook="MMAP_CHECK", test_mmap arg: "exec")
Result (expect found): found

Test: check_mmap (hook="MMAP_CHECK", test_mmap arg: "read_implies_exec")
Result (expect found): found

Test: check_mmap (hook="MMAP_CHECK_REQPROT", test_mmap arg: "")
Result (expect not found): not found

Test: check_mmap (hook="MMAP_CHECK_REQPROT", test_mmap arg: "exec")
Result (expect found): found

Test: check_mmap (hook="MMAP_CHECK_REQPROT", test_mmap arg: "read_implies_exec")
Result (expect not found): not found

Test: check_deny (hook="MMAP_CHECK", test_mmap arg: "mprotect")
Result (expect denied): denied

Test: check_deny (hook="MMAP_CHECK_REQPROT", test_mmap arg: "mprotect")
Result (expect denied): denied

Test: check_deny (hook="MMAP_CHECK", test_mmap arg: "exec_on_writable")
Result (expect denied): denied

Test: check_deny (hook="MMAP_CHECK_REQPROT", test_mmap arg: "exec_on_writable")
Result (expect denied): denied
PASS: 10 SKIP: 0 FAIL: 0

Roberto

Re: [PATCH ima-evm-utils] Add tests for MMAP_CHECK and MMAP_CHECK_REQPROT hooks

[Mimi Zohar]

On Mon, 2023-01-30 at 15:02 +0100, Roberto Sassu wrote:
> On Mon, 2023-01-30 at 08:28 -0500, Mimi Zohar wrote:
> > [Trimmed Cc list, since this is an ima-evm-utils discussion.  Adding
> > Petr.]
> > 
> > On Fri, 2023-01-27 at 08:57 +0100, Roberto Sassu wrote:
> > > On Thu, 2023-01-26 at 17:25 -0500, Stefan Berger wrote:
> > > > How do you tell the user that the patches need to be applied for the test to
> > > > succeed and not worry about it when the patches are not applied?
> > > 
> > > Uhm, I agree. I should at least write a comment as for EVM portable
> > > signatures, and maybe display a message in the test logs.
> > 
> > This is a generic problem that needs to be addressed.  FYI, LTP
> > addressed it by introducing "struct test_tag" in commit ca2c76990
> > ("lib: Add support for test tags").
> 
> One idea could be to list all the patches the group of tests is going
> to check, and add an argument to expect_pass and expect_fail to specify
> the indexes of patches required for the test. We print the required
> patches in an error message.

It's not clear to me what is meant by "group of tests".   Is this at
the granularity of the test - portable signatures, fsverity,
boot_aggregate, etc?  Or, is this at a new grouping of tests?

-- 
Mimi

Re: [PATCH ima-evm-utils] Add tests for MMAP_CHECK and MMAP_CHECK_REQPROT hooks

[Roberto Sassu]

On Mon, 2023-01-30 at 11:26 -0500, Mimi Zohar wrote:
> On Mon, 2023-01-30 at 15:02 +0100, Roberto Sassu wrote:
> > On Mon, 2023-01-30 at 08:28 -0500, Mimi Zohar wrote:
> > > [Trimmed Cc list, since this is an ima-evm-utils discussion.  Adding
> > > Petr.]
> > > 
> > > On Fri, 2023-01-27 at 08:57 +0100, Roberto Sassu wrote:
> > > > On Thu, 2023-01-26 at 17:25 -0500, Stefan Berger wrote:
> > > > > How do you tell the user that the patches need to be applied for the test to
> > > > > succeed and not worry about it when the patches are not applied?
> > > > 
> > > > Uhm, I agree. I should at least write a comment as for EVM portable
> > > > signatures, and maybe display a message in the test logs.
> > > 
> > > This is a generic problem that needs to be addressed.  FYI, LTP
> > > addressed it by introducing "struct test_tag" in commit ca2c76990
> > > ("lib: Add support for test tags").
> > 
> > One idea could be to list all the patches the group of tests is going
> > to check, and add an argument to expect_pass and expect_fail to specify
> > the indexes of patches required for the test. We print the required
> > patches in an error message.
> 
> It's not clear to me what is meant by "group of tests".   Is this at
> the granularity of the test - portable signatures, fsverity,
> boot_aggregate, etc?  Or, is this at a new grouping of tests?

Sorry, it wasn't clear. I meant all the tests defined in a test script.

The idea is to associate a list of array indexes with each test
(argument of expect_pass() or expect_fail()). The indexes refer to the
PATCHES variable.

Theoretically, you could also define PATCHES in a common script, called
by all test scripts, and specify indexes of that array in the test
scripts.

I already have a patch, I could send it. Maybe it is more clear.

Roberto

Re: [PATCH ima-evm-utils] Add tests for MMAP_CHECK and MMAP_CHECK_REQPROT hooks

[Mimi Zohar]

On Mon, 2023-01-30 at 17:07 +0100, Roberto Sassu wrote:
> On Mon, 2023-01-30 at 15:02 +0100, Roberto Sassu wrote:
> > On Mon, 2023-01-30 at 08:28 -0500, Mimi Zohar wrote:
> > > [Trimmed Cc list, since this is an ima-evm-utils discussion.  Adding
> > > Petr.]
> > > 
> > > On Fri, 2023-01-27 at 08:57 +0100, Roberto Sassu wrote:
> > > > On Thu, 2023-01-26 at 17:25 -0500, Stefan Berger wrote:
> > > > > How do you tell the user that the patches need to be applied for the test to
> > > > > succeed and not worry about it when the patches are not applied?
> > > > 
> > > > Uhm, I agree. I should at least write a comment as for EVM portable
> > > > signatures, and maybe display a message in the test logs.
> > > 
> > > This is a generic problem that needs to be addressed.  FYI, LTP
> > > addressed it by introducing "struct test_tag" in commit ca2c76990
> > > ("lib: Add support for test tags").
> > 
> > One idea could be to list all the patches the group of tests is going
> > to check, and add an argument to expect_pass and expect_fail to specify
> > the indexes of patches required for the test. We print the required
> > patches in an error message.
> 
> Ok, here is an example for this patch set. I added the following
> changes to the mmap_check.test script:
> 
> PATCHES=(
> 'ima: Align ima_file_mmap() parameters with mmap_file LSM hook'
> 'ima: Introduce MMAP_CHECK_REQPROT hook'
> )

This works for bug fixes, where the patch list is relatively small. 
I'm not sure this will work so well for new kernel features.
-- 
Mimi

Re: [PATCH ima-evm-utils] Add tests for MMAP_CHECK and MMAP_CHECK_REQPROT hooks

[Roberto Sassu]

On Mon, 2023-01-30 at 11:54 -0500, Mimi Zohar wrote:
> On Mon, 2023-01-30 at 17:07 +0100, Roberto Sassu wrote:
> > On Mon, 2023-01-30 at 15:02 +0100, Roberto Sassu wrote:
> > > On Mon, 2023-01-30 at 08:28 -0500, Mimi Zohar wrote:
> > > > [Trimmed Cc list, since this is an ima-evm-utils discussion.  Adding
> > > > Petr.]
> > > > 
> > > > On Fri, 2023-01-27 at 08:57 +0100, Roberto Sassu wrote:
> > > > > On Thu, 2023-01-26 at 17:25 -0500, Stefan Berger wrote:
> > > > > > How do you tell the user that the patches need to be applied for the test to
> > > > > > succeed and not worry about it when the patches are not applied?
> > > > > 
> > > > > Uhm, I agree. I should at least write a comment as for EVM portable
> > > > > signatures, and maybe display a message in the test logs.
> > > > 
> > > > This is a generic problem that needs to be addressed.  FYI, LTP
> > > > addressed it by introducing "struct test_tag" in commit ca2c76990
> > > > ("lib: Add support for test tags").
> > > 
> > > One idea could be to list all the patches the group of tests is going
> > > to check, and add an argument to expect_pass and expect_fail to specify
> > > the indexes of patches required for the test. We print the required
> > > patches in an error message.
> > 
> > Ok, here is an example for this patch set. I added the following
> > changes to the mmap_check.test script:
> > 
> > PATCHES=(
> > 'ima: Align ima_file_mmap() parameters with mmap_file LSM hook'
> > 'ima: Introduce MMAP_CHECK_REQPROT hook'
> > )
> 
> This works for bug fixes, where the patch list is relatively small. 
> I'm not sure this will work so well for new kernel features.

For new features, it is probably easier check at the beginning of the
tests if the feature is available and, if not, skip them.

Roberto

Re: [PATCH ima-evm-utils] Add tests for MMAP_CHECK and MMAP_CHECK_REQPROT hooks

[Mimi Zohar]

On Mon, 2023-01-30 at 17:36 +0100, Roberto Sassu wrote:
> On Mon, 2023-01-30 at 11:26 -0500, Mimi Zohar wrote:
> > On Mon, 2023-01-30 at 15:02 +0100, Roberto Sassu wrote:
> > > On Mon, 2023-01-30 at 08:28 -0500, Mimi Zohar wrote:
> > > > [Trimmed Cc list, since this is an ima-evm-utils discussion.  Adding
> > > > Petr.]
> > > > 
> > > > On Fri, 2023-01-27 at 08:57 +0100, Roberto Sassu wrote:
> > > > > On Thu, 2023-01-26 at 17:25 -0500, Stefan Berger wrote:
> > > > > > How do you tell the user that the patches need to be applied for the test to
> > > > > > succeed and not worry about it when the patches are not applied?
> > > > > 
> > > > > Uhm, I agree. I should at least write a comment as for EVM portable
> > > > > signatures, and maybe display a message in the test logs.
> > > > 
> > > > This is a generic problem that needs to be addressed.  FYI, LTP
> > > > addressed it by introducing "struct test_tag" in commit ca2c76990
> > > > ("lib: Add support for test tags").
> > > 
> > > One idea could be to list all the patches the group of tests is going
> > > to check, and add an argument to expect_pass and expect_fail to specify
> > > the indexes of patches required for the test. We print the required
> > > patches in an error message.
> > 
> > It's not clear to me what is meant by "group of tests".   Is this at
> > the granularity of the test - portable signatures, fsverity,
> > boot_aggregate, etc?  Or, is this at a new grouping of tests?
> 
> Sorry, it wasn't clear. I meant all the tests defined in a test script.

No problems.  I hadn't noticed your subsequent example.
> 
> The idea is to associate a list of array indexes with each test
> (argument of expect_pass() or expect_fail()). The indexes refer to the
> PATCHES variable.
> 
> Theoretically, you could also define PATCHES in a common script, called
> by all test scripts, and specify indexes of that array in the test
> scripts.
> 
> I already have a patch, I could send it. Maybe it is more clear.

Yes, I saw what you meant in the subsequent email.

Mimi