From: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
To: Petr Vorel <pvorel@suse.cz>
Cc: zohar@linux.ibm.com, paul@paul-moore.com,
stephen.smalley.work@gmail.com, tusharsu@linux.microsoft.com,
ltp@lists.linux.it, linux-integrity@vger.kernel.org,
selinux@vger.kernel.org
Subject: Re: [PATCH] IMA: Add test for selinux measurement
Date: Tue, 23 Feb 2021 15:01:47 -0800 [thread overview]
Message-ID: <21490e27-a965-7d25-4c44-07bd89d0ac40@linux.microsoft.com> (raw)
In-Reply-To: <YDV+SdQqGnCoykph@pevik>
On 2/23/21 2:14 PM, Petr Vorel wrote:
>> On 2/23/21 10:00 AM, Petr Vorel wrote:
>
>
>>>> +++ b/testcases/kernel/security/integrity/ima/tests/ima_selinux.sh
>>> ...
>>>> +validate_policy_capabilities()
>>>> +{
>>>> + local measured_cap measured_value expected_value
>>>> + local result=1
>>>> + local inx=7
>>>> +
>>>> + # Policy capabilities flags start from "network_peer_controls"
>>>> + # in the measured SELinux state at offset 7 for 'awk'
>>>> + while [ $inx -lt 20 ]; do
>>>> + measured_cap=$(echo $1 | awk -F'[=;]' -v inx="$inx" '{print $inx}')
>>>> + inx=$(( $inx + 1 ))
>>>> +
>>>> + measured_value=$(echo $1 | awk -F'[=;]' -v inx="$inx" '{print $inx}')
>>>> + expected_value=$(cat "$SELINUX_DIR/policy_capabilities/$measured_cap")
>>>> + if [ "$measured_value" != "$expected_value" ];then
>>>> + tst_res TWARN "$measured_cap: expected: $expected_value, got: $digest"
>>> We rarely use TWARN in the tests, only when the error is not related to the test result.
>>> Otherwise we use TFAIL.
>> ok - I will change it to TFAIL.
> Thanks!
> But I've noticed that this error is handled twice, first in validate_policy_capabilities()
> as TWARN (or TFAIL) and then in test2(). Let's use TPASS/TFAIL in
> validate_policy_capabilities():
Sure - will make that change.
>
> validate_policy_capabilities()
> {
> local measured_cap measured_value expected_value
> local inx=7
>
> # Policy capabilities flags start from "network_peer_controls"
> # in the measured SELinux state at offset 7 for 'awk'
> while [ $inx -lt 20 ]; do
> measured_cap=$(echo $1 | awk -F'[=;]' -v inx="$inx" '{print $inx}')
> inx=$(($inx + 1))
>
> measured_value=$(echo $1 | awk -F'[=;]' -v inx="$inx" '{print $inx}')
> expected_value=$(cat "$SELINUX_DIR/policy_capabilities/$measured_cap")
> if [ "$measured_value" != "$expected_value" ]; then
> tst_res TFAIL "$measured_cap: expected: $expected_value, got: $digest"
> return
> fi
>
> inx=$(($inx + 1))
> done
>
> tst_res TPASS "SELinux state measured correctly"
> }
>
> test2()
> {
> ...
> validate_policy_capabilities $measured_data
> }
>
> ...
>>> As we discuss, I'm going tom merge test when patchset is merged in maintainers tree,
>>> please ping me. And ideally we should mention kernel commit hash as a comment in
>>> the test.
>> Will do. Thank you.
> Thanks!
>
> ...
>>> +++ testcases/kernel/security/integrity/ima/tests/ima_selinux.sh
>>> @@ -13,16 +13,14 @@ TST_SETUP="setup"
>>> . ima_setup.sh
>>> FUNC_CRITICAL_DATA='func=CRITICAL_DATA'
>>> -REQUIRED_POLICY="^measure.*($FUNC_CRITICAL_DATA)"
>>> +REQUIRED_POLICY="^measure.*$FUNC_CRITICAL_DATA"
>>> setup()
>>> {
>>> - SELINUX_DIR=$(tst_get_selinux_dir)
>>> - if [ -z "$SELINUX_DIR" ]; then
>>> - tst_brk TCONF "SELinux is not enabled"
>>> - return
>>> - fi
>>> + tst_require_selinux_enabled
>> Please correct me if I have misunderstood this one:
>
>> tst_require_selinux_enabled is checking if SELinux is enabled in "enforce"
>> mode. Would this check fail if SELinux is enabled in "permissive" mode?
>
>> For running the test, we just need SELinux to be enabled. I verify that by
>> checking for the presence of SELINUX_DIR.
>
> Good catch. Your original version is correct (put it back into ima/selinux.v2.fixes).
> I didn't put a helper for it, because you need $SELINUX_DIR anyway.
> Thus removed tst_require_selinux_enabled() as not needed.
Thanks
>
> I renamed tst_selinux_enabled() to tst_selinux_enforced() to make the purpose clearer
> (commit 82b598ea1 IMA: Add test for selinux measurement).
>
> I've updated branch ima/selinux.v2.fixes with all mentioned changes
> https://github.com/pevik/ltp/commits/ima/selinux.v2.fixes
>
Thanks again. I'll make my changes in this branch and post the patches
later this week.
-lakshmi
WARNING: multiple messages have this Message-ID (diff)
From: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
To: ltp@lists.linux.it
Subject: [LTP] [PATCH] IMA: Add test for selinux measurement
Date: Tue, 23 Feb 2021 15:01:47 -0800 [thread overview]
Message-ID: <21490e27-a965-7d25-4c44-07bd89d0ac40@linux.microsoft.com> (raw)
In-Reply-To: <YDV+SdQqGnCoykph@pevik>
On 2/23/21 2:14 PM, Petr Vorel wrote:
>> On 2/23/21 10:00 AM, Petr Vorel wrote:
>
>
>>>> +++ b/testcases/kernel/security/integrity/ima/tests/ima_selinux.sh
>>> ...
>>>> +validate_policy_capabilities()
>>>> +{
>>>> + local measured_cap measured_value expected_value
>>>> + local result=1
>>>> + local inx=7
>>>> +
>>>> + # Policy capabilities flags start from "network_peer_controls"
>>>> + # in the measured SELinux state at offset 7 for 'awk'
>>>> + while [ $inx -lt 20 ]; do
>>>> + measured_cap=$(echo $1 | awk -F'[=;]' -v inx="$inx" '{print $inx}')
>>>> + inx=$(( $inx + 1 ))
>>>> +
>>>> + measured_value=$(echo $1 | awk -F'[=;]' -v inx="$inx" '{print $inx}')
>>>> + expected_value=$(cat "$SELINUX_DIR/policy_capabilities/$measured_cap")
>>>> + if [ "$measured_value" != "$expected_value" ];then
>>>> + tst_res TWARN "$measured_cap: expected: $expected_value, got: $digest"
>>> We rarely use TWARN in the tests, only when the error is not related to the test result.
>>> Otherwise we use TFAIL.
>> ok - I will change it to TFAIL.
> Thanks!
> But I've noticed that this error is handled twice, first in validate_policy_capabilities()
> as TWARN (or TFAIL) and then in test2(). Let's use TPASS/TFAIL in
> validate_policy_capabilities():
Sure - will make that change.
>
> validate_policy_capabilities()
> {
> local measured_cap measured_value expected_value
> local inx=7
>
> # Policy capabilities flags start from "network_peer_controls"
> # in the measured SELinux state at offset 7 for 'awk'
> while [ $inx -lt 20 ]; do
> measured_cap=$(echo $1 | awk -F'[=;]' -v inx="$inx" '{print $inx}')
> inx=$(($inx + 1))
>
> measured_value=$(echo $1 | awk -F'[=;]' -v inx="$inx" '{print $inx}')
> expected_value=$(cat "$SELINUX_DIR/policy_capabilities/$measured_cap")
> if [ "$measured_value" != "$expected_value" ]; then
> tst_res TFAIL "$measured_cap: expected: $expected_value, got: $digest"
> return
> fi
>
> inx=$(($inx + 1))
> done
>
> tst_res TPASS "SELinux state measured correctly"
> }
>
> test2()
> {
> ...
> validate_policy_capabilities $measured_data
> }
>
> ...
>>> As we discuss, I'm going tom merge test when patchset is merged in maintainers tree,
>>> please ping me. And ideally we should mention kernel commit hash as a comment in
>>> the test.
>> Will do. Thank you.
> Thanks!
>
> ...
>>> +++ testcases/kernel/security/integrity/ima/tests/ima_selinux.sh
>>> @@ -13,16 +13,14 @@ TST_SETUP="setup"
>>> . ima_setup.sh
>>> FUNC_CRITICAL_DATA='func=CRITICAL_DATA'
>>> -REQUIRED_POLICY="^measure.*($FUNC_CRITICAL_DATA)"
>>> +REQUIRED_POLICY="^measure.*$FUNC_CRITICAL_DATA"
>>> setup()
>>> {
>>> - SELINUX_DIR=$(tst_get_selinux_dir)
>>> - if [ -z "$SELINUX_DIR" ]; then
>>> - tst_brk TCONF "SELinux is not enabled"
>>> - return
>>> - fi
>>> + tst_require_selinux_enabled
>> Please correct me if I have misunderstood this one:
>
>> tst_require_selinux_enabled is checking if SELinux is enabled in "enforce"
>> mode. Would this check fail if SELinux is enabled in "permissive" mode?
>
>> For running the test, we just need SELinux to be enabled. I verify that by
>> checking for the presence of SELINUX_DIR.
>
> Good catch. Your original version is correct (put it back into ima/selinux.v2.fixes).
> I didn't put a helper for it, because you need $SELINUX_DIR anyway.
> Thus removed tst_require_selinux_enabled() as not needed.
Thanks
>
> I renamed tst_selinux_enabled() to tst_selinux_enforced() to make the purpose clearer
> (commit 82b598ea1 IMA: Add test for selinux measurement).
>
> I've updated branch ima/selinux.v2.fixes with all mentioned changes
> https://github.com/pevik/ltp/commits/ima/selinux.v2.fixes
>
Thanks again. I'll make my changes in this branch and post the patches
later this week.
-lakshmi
next prev parent reply other threads:[~2021-02-23 23:11 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-02-22 2:38 [PATCH] IMA: Add test for selinux measurement Lakshmi Ramasubramanian
2021-02-22 2:38 ` [LTP] " Lakshmi Ramasubramanian
2021-02-23 18:00 ` Petr Vorel
2021-02-23 18:00 ` [LTP] " Petr Vorel
2021-02-23 18:26 ` Lakshmi Ramasubramanian
2021-02-23 18:26 ` [LTP] " Lakshmi Ramasubramanian
2021-02-23 22:14 ` Petr Vorel
2021-02-23 22:14 ` [LTP] " Petr Vorel
2021-02-23 23:01 ` Lakshmi Ramasubramanian [this message]
2021-02-23 23:01 ` Lakshmi Ramasubramanian
2021-03-16 11:54 ` Petr Vorel
2021-03-16 11:54 ` [LTP] " Petr Vorel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=21490e27-a965-7d25-4c44-07bd89d0ac40@linux.microsoft.com \
--to=nramas@linux.microsoft.com \
--cc=linux-integrity@vger.kernel.org \
--cc=ltp@lists.linux.it \
--cc=paul@paul-moore.com \
--cc=pvorel@suse.cz \
--cc=selinux@vger.kernel.org \
--cc=stephen.smalley.work@gmail.com \
--cc=tusharsu@linux.microsoft.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.