* [PATCH v4 0/4] LTP reproducer on broken IMA on overlayfs
@ 2019-06-13 16:14 ` Petr Vorel
0 siblings, 0 replies; 22+ messages in thread
From: Petr Vorel @ 2019-06-13 16:14 UTC (permalink / raw)
To: ltp; +Cc: Petr Vorel, Mimi Zohar, Ignaz Forster, linux-integrity
Hi Mimi, Ignaz,
changes v3->v4:
* Add helper check_ima_policy() and use it in ima_measurements.sh and
evm_overlay.sh
* Rephrase commit message for ima_measurements.sh changes and docs
* Use SPDX-License-Identifier: GPL-2.0-or-later
Anything wrong in docs / commit message?
Kind regards,
Petr
Petr Vorel (4):
ima: Call test's cleanup inside ima_setup.sh cleanup
shell: Add $TST_DEVICE as default parameter to tst_umount
ima/ima_measurements.sh: Require builtin IMA tcb policy
ima: Add overlay test + doc
doc/test-writing-guidelines.txt | 4 +-
runtest/ima | 1 +
testcases/commands/df/df01.sh | 7 +-
testcases/commands/mkfs/mkfs01.sh | 2 +-
.../security/integrity/ima/tests/README.md | 83 +++++++++++++++++
.../integrity/ima/tests/evm_overlay.sh | 93 +++++++++++++++++++
.../integrity/ima/tests/ima_measurements.sh | 23 +----
.../security/integrity/ima/tests/ima_setup.sh | 42 +++++----
.../integrity/ima/tests/ima_violations.sh | 2 -
testcases/lib/tst_test.sh | 2 +-
10 files changed, 211 insertions(+), 48 deletions(-)
create mode 100644 testcases/kernel/security/integrity/ima/tests/README.md
create mode 100755 testcases/kernel/security/integrity/ima/tests/evm_overlay.sh
--
2.21.0
^ permalink raw reply [flat|nested] 22+ messages in thread
* [LTP] [PATCH v4 0/4] LTP reproducer on broken IMA on overlayfs
@ 2019-06-13 16:14 ` Petr Vorel
0 siblings, 0 replies; 22+ messages in thread
From: Petr Vorel @ 2019-06-13 16:14 UTC (permalink / raw)
To: ltp
Hi Mimi, Ignaz,
changes v3->v4:
* Add helper check_ima_policy() and use it in ima_measurements.sh and
evm_overlay.sh
* Rephrase commit message for ima_measurements.sh changes and docs
* Use SPDX-License-Identifier: GPL-2.0-or-later
Anything wrong in docs / commit message?
Kind regards,
Petr
Petr Vorel (4):
ima: Call test's cleanup inside ima_setup.sh cleanup
shell: Add $TST_DEVICE as default parameter to tst_umount
ima/ima_measurements.sh: Require builtin IMA tcb policy
ima: Add overlay test + doc
doc/test-writing-guidelines.txt | 4 +-
runtest/ima | 1 +
testcases/commands/df/df01.sh | 7 +-
testcases/commands/mkfs/mkfs01.sh | 2 +-
.../security/integrity/ima/tests/README.md | 83 +++++++++++++++++
.../integrity/ima/tests/evm_overlay.sh | 93 +++++++++++++++++++
.../integrity/ima/tests/ima_measurements.sh | 23 +----
.../security/integrity/ima/tests/ima_setup.sh | 42 +++++----
.../integrity/ima/tests/ima_violations.sh | 2 -
testcases/lib/tst_test.sh | 2 +-
10 files changed, 211 insertions(+), 48 deletions(-)
create mode 100644 testcases/kernel/security/integrity/ima/tests/README.md
create mode 100755 testcases/kernel/security/integrity/ima/tests/evm_overlay.sh
--
2.21.0
^ permalink raw reply [flat|nested] 22+ messages in thread
* [PATCH v4 1/4] ima: Call test's cleanup inside ima_setup.sh cleanup
2019-06-13 16:14 ` [LTP] " Petr Vorel
@ 2019-06-13 16:14 ` Petr Vorel
-1 siblings, 0 replies; 22+ messages in thread
From: Petr Vorel @ 2019-06-13 16:14 UTC (permalink / raw)
To: ltp; +Cc: Petr Vorel, Mimi Zohar, Ignaz Forster, linux-integrity, Mimi Zohar
to work the same way as setup
Acked-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
testcases/kernel/security/integrity/ima/tests/ima_setup.sh | 6 +++++-
.../kernel/security/integrity/ima/tests/ima_violations.sh | 2 --
2 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
index 52551190a..cbded42c2 100644
--- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
@@ -20,7 +20,8 @@
TST_TESTFUNC="test"
TST_SETUP_CALLER="$TST_SETUP"
TST_SETUP="ima_setup"
-TST_CLEANUP="${TST_CLEANUP:-ima_cleanup}"
+TST_CLEANUP_CALLER="$TST_CLEANUP"
+TST_CLEANUP="ima_cleanup"
TST_NEEDS_TMPDIR=1
TST_NEEDS_ROOT=1
@@ -95,6 +96,9 @@ ima_setup()
ima_cleanup()
{
local dir
+
+ [ -n "$TST_CLEANUP_CALLER" ] && $TST_CLEANUP_CALLER
+
for dir in $UMOUNT; do
umount $dir
done
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_violations.sh b/testcases/kernel/security/integrity/ima/tests/ima_violations.sh
index 74223c221..a44bd1230 100755
--- a/testcases/kernel/security/integrity/ima/tests/ima_violations.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_violations.sh
@@ -51,8 +51,6 @@ cleanup()
{
[ "$PRINTK_RATE_LIMIT" != "0" ] && \
sysctl -wq kernel.printk_ratelimit=$PRINTK_RATE_LIMIT
-
- ima_cleanup
}
open_file_read()
--
2.21.0
^ permalink raw reply related [flat|nested] 22+ messages in thread
* [LTP] [PATCH v4 1/4] ima: Call test's cleanup inside ima_setup.sh cleanup
@ 2019-06-13 16:14 ` Petr Vorel
0 siblings, 0 replies; 22+ messages in thread
From: Petr Vorel @ 2019-06-13 16:14 UTC (permalink / raw)
To: ltp
to work the same way as setup
Acked-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
testcases/kernel/security/integrity/ima/tests/ima_setup.sh | 6 +++++-
.../kernel/security/integrity/ima/tests/ima_violations.sh | 2 --
2 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
index 52551190a..cbded42c2 100644
--- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
@@ -20,7 +20,8 @@
TST_TESTFUNC="test"
TST_SETUP_CALLER="$TST_SETUP"
TST_SETUP="ima_setup"
-TST_CLEANUP="${TST_CLEANUP:-ima_cleanup}"
+TST_CLEANUP_CALLER="$TST_CLEANUP"
+TST_CLEANUP="ima_cleanup"
TST_NEEDS_TMPDIR=1
TST_NEEDS_ROOT=1
@@ -95,6 +96,9 @@ ima_setup()
ima_cleanup()
{
local dir
+
+ [ -n "$TST_CLEANUP_CALLER" ] && $TST_CLEANUP_CALLER
+
for dir in $UMOUNT; do
umount $dir
done
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_violations.sh b/testcases/kernel/security/integrity/ima/tests/ima_violations.sh
index 74223c221..a44bd1230 100755
--- a/testcases/kernel/security/integrity/ima/tests/ima_violations.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_violations.sh
@@ -51,8 +51,6 @@ cleanup()
{
[ "$PRINTK_RATE_LIMIT" != "0" ] && \
sysctl -wq kernel.printk_ratelimit=$PRINTK_RATE_LIMIT
-
- ima_cleanup
}
open_file_read()
--
2.21.0
^ permalink raw reply related [flat|nested] 22+ messages in thread
* [PATCH v4 2/4] shell: Add $TST_DEVICE as default parameter to tst_umount
2019-06-13 16:14 ` [LTP] " Petr Vorel
@ 2019-06-13 16:14 ` Petr Vorel
-1 siblings, 0 replies; 22+ messages in thread
From: Petr Vorel @ 2019-06-13 16:14 UTC (permalink / raw)
To: ltp; +Cc: Petr Vorel, Mimi Zohar, Ignaz Forster, linux-integrity, Mimi Zohar
+ use it directly as a cleanup function in df01.sh
Acked-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
doc/test-writing-guidelines.txt | 4 ++--
testcases/commands/df/df01.sh | 7 +------
testcases/commands/mkfs/mkfs01.sh | 2 +-
testcases/kernel/security/integrity/ima/tests/ima_setup.sh | 2 +-
testcases/lib/tst_test.sh | 2 +-
5 files changed, 6 insertions(+), 11 deletions(-)
diff --git a/doc/test-writing-guidelines.txt b/doc/test-writing-guidelines.txt
index f1912dc12..fc64b418b 100644
--- a/doc/test-writing-guidelines.txt
+++ b/doc/test-writing-guidelines.txt
@@ -2115,8 +2115,8 @@ The 'tst_mount' mounts '$TST_DEVICE' of '$TST_FS_TYPE' (optional) to
'$TST_MNT_PARAMS'. The '$TST_MNTPOINT' directory is created if it didn't
exist prior to the function call.
-If the path passed to the 'tst_umount' is not mounted (present in '/proc/mounts')
-it's noop.
+If the path passed (optional, defaults to '$TST_DEVICE') to the 'tst_umount' is
+not mounted (present in '/proc/mounts') it's noop.
Otherwise it retries to umount the filesystem a few times on a failure, which
is a workaround since there are a daemons dumb enough to probe all newly
mounted filesystems, which prevents them from umounting shortly after they
diff --git a/testcases/commands/df/df01.sh b/testcases/commands/df/df01.sh
index 9b0be76fe..3876816dc 100755
--- a/testcases/commands/df/df01.sh
+++ b/testcases/commands/df/df01.sh
@@ -18,7 +18,7 @@
TST_CNT=12
TST_SETUP=setup
-TST_CLEANUP=cleanup
+TST_CLEANUP=tst_umount
TST_TESTFUNC=test
TST_OPTS="f:"
TST_USAGE=usage
@@ -54,11 +54,6 @@ setup()
DF_FS_TYPE=$(mount | grep "$TST_DEVICE" | awk '{print $5}')
}
-cleanup()
-{
- tst_umount $TST_DEVICE
-}
-
df_test()
{
local cmd="$1 -P"
diff --git a/testcases/commands/mkfs/mkfs01.sh b/testcases/commands/mkfs/mkfs01.sh
index 88f7f0baa..28af890b3 100755
--- a/testcases/commands/mkfs/mkfs01.sh
+++ b/testcases/commands/mkfs/mkfs01.sh
@@ -71,7 +71,7 @@ mkfs_verify_size()
{
tst_mount
local blocknum=`df -P -B 1k mntpoint | tail -n1 | awk '{print $2}'`
- tst_umount "$TST_DEVICE"
+ tst_umount
if [ $blocknum -gt "$2" ]; then
return 1
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
index cbded42c2..da49eb1b2 100644
--- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
@@ -105,7 +105,7 @@ ima_cleanup()
if [ "$TST_NEEDS_DEVICE" = 1 ]; then
cd $TST_TMPDIR
- tst_umount $TST_DEVICE
+ tst_umount
fi
}
diff --git a/testcases/lib/tst_test.sh b/testcases/lib/tst_test.sh
index 512732315..740253df1 100644
--- a/testcases/lib/tst_test.sh
+++ b/testcases/lib/tst_test.sh
@@ -259,7 +259,7 @@ tst_mount()
tst_umount()
{
- local device="$1"
+ local device="${1:-$TST_DEVICE}"
local i=0
if ! grep -q "$device" /proc/mounts; then
--
2.21.0
^ permalink raw reply related [flat|nested] 22+ messages in thread
* [LTP] [PATCH v4 2/4] shell: Add $TST_DEVICE as default parameter to tst_umount
@ 2019-06-13 16:14 ` Petr Vorel
0 siblings, 0 replies; 22+ messages in thread
From: Petr Vorel @ 2019-06-13 16:14 UTC (permalink / raw)
To: ltp
+ use it directly as a cleanup function in df01.sh
Acked-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
doc/test-writing-guidelines.txt | 4 ++--
testcases/commands/df/df01.sh | 7 +------
testcases/commands/mkfs/mkfs01.sh | 2 +-
testcases/kernel/security/integrity/ima/tests/ima_setup.sh | 2 +-
testcases/lib/tst_test.sh | 2 +-
5 files changed, 6 insertions(+), 11 deletions(-)
diff --git a/doc/test-writing-guidelines.txt b/doc/test-writing-guidelines.txt
index f1912dc12..fc64b418b 100644
--- a/doc/test-writing-guidelines.txt
+++ b/doc/test-writing-guidelines.txt
@@ -2115,8 +2115,8 @@ The 'tst_mount' mounts '$TST_DEVICE' of '$TST_FS_TYPE' (optional) to
'$TST_MNT_PARAMS'. The '$TST_MNTPOINT' directory is created if it didn't
exist prior to the function call.
-If the path passed to the 'tst_umount' is not mounted (present in '/proc/mounts')
-it's noop.
+If the path passed (optional, defaults to '$TST_DEVICE') to the 'tst_umount' is
+not mounted (present in '/proc/mounts') it's noop.
Otherwise it retries to umount the filesystem a few times on a failure, which
is a workaround since there are a daemons dumb enough to probe all newly
mounted filesystems, which prevents them from umounting shortly after they
diff --git a/testcases/commands/df/df01.sh b/testcases/commands/df/df01.sh
index 9b0be76fe..3876816dc 100755
--- a/testcases/commands/df/df01.sh
+++ b/testcases/commands/df/df01.sh
@@ -18,7 +18,7 @@
TST_CNT=12
TST_SETUP=setup
-TST_CLEANUP=cleanup
+TST_CLEANUP=tst_umount
TST_TESTFUNC=test
TST_OPTS="f:"
TST_USAGE=usage
@@ -54,11 +54,6 @@ setup()
DF_FS_TYPE=$(mount | grep "$TST_DEVICE" | awk '{print $5}')
}
-cleanup()
-{
- tst_umount $TST_DEVICE
-}
-
df_test()
{
local cmd="$1 -P"
diff --git a/testcases/commands/mkfs/mkfs01.sh b/testcases/commands/mkfs/mkfs01.sh
index 88f7f0baa..28af890b3 100755
--- a/testcases/commands/mkfs/mkfs01.sh
+++ b/testcases/commands/mkfs/mkfs01.sh
@@ -71,7 +71,7 @@ mkfs_verify_size()
{
tst_mount
local blocknum=`df -P -B 1k mntpoint | tail -n1 | awk '{print $2}'`
- tst_umount "$TST_DEVICE"
+ tst_umount
if [ $blocknum -gt "$2" ]; then
return 1
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
index cbded42c2..da49eb1b2 100644
--- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
@@ -105,7 +105,7 @@ ima_cleanup()
if [ "$TST_NEEDS_DEVICE" = 1 ]; then
cd $TST_TMPDIR
- tst_umount $TST_DEVICE
+ tst_umount
fi
}
diff --git a/testcases/lib/tst_test.sh b/testcases/lib/tst_test.sh
index 512732315..740253df1 100644
--- a/testcases/lib/tst_test.sh
+++ b/testcases/lib/tst_test.sh
@@ -259,7 +259,7 @@ tst_mount()
tst_umount()
{
- local device="$1"
+ local device="${1:-$TST_DEVICE}"
local i=0
if ! grep -q "$device" /proc/mounts; then
--
2.21.0
^ permalink raw reply related [flat|nested] 22+ messages in thread
* [PATCH v4 3/4] ima/ima_measurements.sh: Require builtin IMA tcb policy
2019-06-13 16:14 ` [LTP] " Petr Vorel
@ 2019-06-13 16:14 ` Petr Vorel
-1 siblings, 0 replies; 22+ messages in thread
From: Petr Vorel @ 2019-06-13 16:14 UTC (permalink / raw)
To: ltp; +Cc: Petr Vorel, Mimi Zohar, Ignaz Forster, linux-integrity
Although custom policy which may contain the equivalent measurement
tcb rules can be loaded via dracut, systemd or later manually from
user space, detecting it would require IMA_READ_POLICY=y. In order
to simplify the check and avoid false positives lets ignore this
option and require builtin IMA tcb policy.
Create check_ima_policy() helper in ima_setup.sh, so it can be reused in
other tests.
+ Use SPDX license identifier
Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
.../integrity/ima/tests/ima_measurements.sh | 23 ++++----------
.../security/integrity/ima/tests/ima_setup.sh | 30 ++++++++++---------
2 files changed, 21 insertions(+), 32 deletions(-)
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh b/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh
index 328affc43..1b9ed85b8 100755
--- a/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh
@@ -1,19 +1,7 @@
#!/bin/sh
# Copyright (c) 2009 IBM Corporation
-# Copyright (c) 2018 Petr Vorel <pvorel@suse.cz>
-#
-# This program is free software; you can redistribute it and/or
-# modify it under the terms of the GNU General Public License as
-# published by the Free Software Foundation; either version 2 of
-# the License, or (at your option) any later version.
-#
-# This program is distributed in the hope that it would be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see <http://www.gnu.org/licenses/>.
+# Copyright (c) 2018-2019 Petr Vorel <pvorel@suse.cz>
+# SPDX-License-Identifier: GPL-2.0-or-later
#
# Author: Mimi Zohar, zohar@ibm.vnet.ibm.com
#
@@ -28,16 +16,17 @@ TST_NEEDS_DEVICE=1
setup()
{
- TEST_FILE="$PWD/test.txt"
+ check_ima_policy "tcb"
+ TEST_FILE="$PWD/test.txt"
POLICY="$IMA_DIR/policy"
[ -f "$POLICY" ] || tst_res TINFO "not using default policy"
-
DIGEST_INDEX=
local template="$(tail -1 $ASCII_MEASUREMENTS | cut -d' ' -f 3)"
local i
+ # parse digest index
# https://www.kernel.org/doc/html/latest/security/IMA-templates.html#use
case "$template" in
ima|ima-ng|ima-sig) DIGEST_INDEX=4 ;;
@@ -56,8 +45,6 @@ setup()
[ -z "$DIGEST_INDEX" ] && tst_brk TCONF \
"Cannot find digest index (template: '$template')"
-
- tst_res TINFO "IMA measurement tests assume tcb policy to be loaded (ima_policy=tcb)"
}
# TODO: find support for rmd128 rmd256 rmd320 wp256 wp384 tgr128 tgr160
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
index da49eb1b2..606034fec 100644
--- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
@@ -1,19 +1,7 @@
#!/bin/sh
# Copyright (c) 2009 IBM Corporation
-# Copyright (c) 2018 Petr Vorel <pvorel@suse.cz>
-#
-# This program is free software; you can redistribute it and/or
-# modify it under the terms of the GNU General Public License as
-# published by the Free Software Foundation; either version 2 of
-# the License, or (at your option) any later version.
-#
-# This program is distributed in the hope that it would be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see <http://www.gnu.org/licenses/>.
+# Copyright (c) 2018-2019 Petr Vorel <pvorel@suse.cz>
+# SPDX-License-Identifier: GPL-2.0-or-later
#
# Author: Mimi Zohar, zohar@ibm.vnet.ibm.com
@@ -31,6 +19,20 @@ SYSFS="/sys"
UMOUNT=
TST_FS_TYPE="ext3"
+check_ima_policy()
+{
+ local policy="$1"
+ local i
+
+ grep -q "ima_$policy" /proc/cmdline && return
+ for i in $(cat /proc/cmdline); do
+ if grep -q '^ima_policy=' $i; then
+ grep -e "|[ ]*$policy" -e "$policy[ ]*|" -e "=$policy" $i && return
+ fi
+ done
+ tst_brk TCONF "IMA measurement tests require builtin IMA $policy policy (e.g. ima_policy=$policy kernel parameter)"
+}
+
mount_helper()
{
local type="$1"
--
2.21.0
^ permalink raw reply related [flat|nested] 22+ messages in thread
* [LTP] [PATCH v4 3/4] ima/ima_measurements.sh: Require builtin IMA tcb policy
@ 2019-06-13 16:14 ` Petr Vorel
0 siblings, 0 replies; 22+ messages in thread
From: Petr Vorel @ 2019-06-13 16:14 UTC (permalink / raw)
To: ltp
Although custom policy which may contain the equivalent measurement
tcb rules can be loaded via dracut, systemd or later manually from
user space, detecting it would require IMA_READ_POLICY=y. In order
to simplify the check and avoid false positives lets ignore this
option and require builtin IMA tcb policy.
Create check_ima_policy() helper in ima_setup.sh, so it can be reused in
other tests.
+ Use SPDX license identifier
Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
.../integrity/ima/tests/ima_measurements.sh | 23 ++++----------
.../security/integrity/ima/tests/ima_setup.sh | 30 ++++++++++---------
2 files changed, 21 insertions(+), 32 deletions(-)
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh b/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh
index 328affc43..1b9ed85b8 100755
--- a/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh
@@ -1,19 +1,7 @@
#!/bin/sh
# Copyright (c) 2009 IBM Corporation
-# Copyright (c) 2018 Petr Vorel <pvorel@suse.cz>
-#
-# This program is free software; you can redistribute it and/or
-# modify it under the terms of the GNU General Public License as
-# published by the Free Software Foundation; either version 2 of
-# the License, or (at your option) any later version.
-#
-# This program is distributed in the hope that it would be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see <http://www.gnu.org/licenses/>.
+# Copyright (c) 2018-2019 Petr Vorel <pvorel@suse.cz>
+# SPDX-License-Identifier: GPL-2.0-or-later
#
# Author: Mimi Zohar, zohar@ibm.vnet.ibm.com
#
@@ -28,16 +16,17 @@ TST_NEEDS_DEVICE=1
setup()
{
- TEST_FILE="$PWD/test.txt"
+ check_ima_policy "tcb"
+ TEST_FILE="$PWD/test.txt"
POLICY="$IMA_DIR/policy"
[ -f "$POLICY" ] || tst_res TINFO "not using default policy"
-
DIGEST_INDEX=
local template="$(tail -1 $ASCII_MEASUREMENTS | cut -d' ' -f 3)"
local i
+ # parse digest index
# https://www.kernel.org/doc/html/latest/security/IMA-templates.html#use
case "$template" in
ima|ima-ng|ima-sig) DIGEST_INDEX=4 ;;
@@ -56,8 +45,6 @@ setup()
[ -z "$DIGEST_INDEX" ] && tst_brk TCONF \
"Cannot find digest index (template: '$template')"
-
- tst_res TINFO "IMA measurement tests assume tcb policy to be loaded (ima_policy=tcb)"
}
# TODO: find support for rmd128 rmd256 rmd320 wp256 wp384 tgr128 tgr160
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
index da49eb1b2..606034fec 100644
--- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
@@ -1,19 +1,7 @@
#!/bin/sh
# Copyright (c) 2009 IBM Corporation
-# Copyright (c) 2018 Petr Vorel <pvorel@suse.cz>
-#
-# This program is free software; you can redistribute it and/or
-# modify it under the terms of the GNU General Public License as
-# published by the Free Software Foundation; either version 2 of
-# the License, or (at your option) any later version.
-#
-# This program is distributed in the hope that it would be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see <http://www.gnu.org/licenses/>.
+# Copyright (c) 2018-2019 Petr Vorel <pvorel@suse.cz>
+# SPDX-License-Identifier: GPL-2.0-or-later
#
# Author: Mimi Zohar, zohar@ibm.vnet.ibm.com
@@ -31,6 +19,20 @@ SYSFS="/sys"
UMOUNT=
TST_FS_TYPE="ext3"
+check_ima_policy()
+{
+ local policy="$1"
+ local i
+
+ grep -q "ima_$policy" /proc/cmdline && return
+ for i in $(cat /proc/cmdline); do
+ if grep -q '^ima_policy=' $i; then
+ grep -e "|[ ]*$policy" -e "$policy[ ]*|" -e "=$policy" $i && return
+ fi
+ done
+ tst_brk TCONF "IMA measurement tests require builtin IMA $policy policy (e.g. ima_policy=$policy kernel parameter)"
+}
+
mount_helper()
{
local type="$1"
--
2.21.0
^ permalink raw reply related [flat|nested] 22+ messages in thread
* [PATCH v4 4/4] ima: Add overlay test + doc
2019-06-13 16:14 ` [LTP] " Petr Vorel
@ 2019-06-13 16:14 ` Petr Vorel
-1 siblings, 0 replies; 22+ messages in thread
From: Petr Vorel @ 2019-06-13 16:14 UTC (permalink / raw)
To: ltp; +Cc: Petr Vorel, Mimi Zohar, Ignaz Forster, linux-integrity, Mimi Zohar
test demonstrate a bug on overlayfs on current mainline kernel when
combining IMA with EVM.
Based on reproducer made by Ignaz Forster <iforster@suse.de>
used for not upstreamed patchset [1] and previous report [2].
IMA only behavior has already been fixed [3].
NOTE: backup variables are needed because ima_setup.sh calling
tst_mount as well when TMPDIR is on tmpfs device.
Documentation is based on Ignaz Forster instructions for openSUSE [4].
[1] https://www.spinics.net/lists/linux-integrity/msg05926.html
[2] https://www.spinics.net/lists/linux-integrity/msg03593.html
[3] https://patchwork.kernel.org/patch/10776231/
[4] http://lists.linux.it/pipermail/ltp/2019-May/011956.html
Tested-by: Ignaz Forster <iforster@suse.de>
Acked-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
runtest/ima | 1 +
.../security/integrity/ima/tests/README.md | 83 +++++++++++++++++
.../integrity/ima/tests/evm_overlay.sh | 93 +++++++++++++++++++
.../security/integrity/ima/tests/ima_setup.sh | 4 +-
4 files changed, 179 insertions(+), 2 deletions(-)
create mode 100644 testcases/kernel/security/integrity/ima/tests/README.md
create mode 100755 testcases/kernel/security/integrity/ima/tests/evm_overlay.sh
diff --git a/runtest/ima b/runtest/ima
index bcae16bb7..f3ea88cf0 100644
--- a/runtest/ima
+++ b/runtest/ima
@@ -3,3 +3,4 @@ ima_measurements ima_measurements.sh
ima_policy ima_policy.sh
ima_tpm ima_tpm.sh
ima_violations ima_violations.sh
+evm_overlay evm_overlay.sh
diff --git a/testcases/kernel/security/integrity/ima/tests/README.md b/testcases/kernel/security/integrity/ima/tests/README.md
new file mode 100644
index 000000000..961b68a38
--- /dev/null
+++ b/testcases/kernel/security/integrity/ima/tests/README.md
@@ -0,0 +1,83 @@
+IMA + EVM testing
+=================
+
+IMA tests
+---------
+
+`ima_measurements.sh` require builtin IMA tcb policy to be loaded
+(`ima_policy=tcb` or `ima_policy=appraise_tcb` kernel parameter).
+Although custom policy which contains which may contain the equivalent
+measurement tcb rules can be loaded via dracut, systemd or later manually
+from user space, detecting it would require `IMA_READ_POLICY=y` therefore
+ignore this option.
+
+Mandatory kernel configuration for IMA:
+```
+CONFIG_INTEGRITY=y
+CONFIG_IMA=y
+```
+
+EVM tests
+---------
+
+`evm_overlay.sh` requires to builtin IMA appraise tcb policy (e.g. `ima_policy=appraise_tcb`
+kernel parameter) which appraises the integrity of all files owned by root and EVM setup.
+Again, for simplicity ignore possibility to load reuired rules via custom policy.
+
+Mandatory kernel configuration for IMA & EVM:
+```
+CONFIG_INTEGRITY=y
+CONFIG_INTEGRITY_SIGNATURE=y
+CONFIG_IMA=y
+CONFIG_IMA_APPRAISE=y
+CONFIG_EVM=y
+CONFIG_KEYS=y
+CONFIG_TRUSTED_KEYS=y
+CONFIG_ENCRYPTED_KEYS=y
+```
+
+Example of installing IMA + EVM on openSUSE:
+
+* Boot install system with `ima_policy=appraise_tcb ima_appraise=fix evm=fix` kernel parameters
+ (for IMA measurement, IMA appraisal and EVM protection)
+* Proceed with installation until summary screen, but do not start the installation yet
+* Select package `dracut-ima` (required for early boot EVM support) for installation
+ (Debian based distros already contain IMA + EVM support in `dracut` package)
+* Change to a console window and run commands to generate keys required by EVM:
+```
+# mkdir /etc/keys
+# user_key=$(keyctl add user kmk-user "`dd if=/dev/urandom bs=1 count=32 2>/dev/null`" @u)
+# keyctl pipe "$user_key" > /etc/keys/kmk-user.blob
+# evm_key=$(keyctl add encrypted evm-key "new user:kmk-user 64" @u)
+# keyctl pipe "$evm_key" >/etc/keys/evm.blob
+# cat <<END >/etc/sysconfig/masterkey
+MASTERKEYTYPE="user"
+MASTERKEY="/etc/keys/kmk-user.blob"
+END
+# cat <<END >/etc/sysconfig/evm
+EVMKEY="/etc/keys/evm.blob"
+END
+# mount -t securityfs security /sys/kernel/security
+# echo 1 >/sys/kernel/security/evm
+```
+
+* Go back to the installation summary screen and start the installation
+* During the installation execute the following commands from the console:
+```
+# cp -r /etc/keys /mnt/etc/ # Debian based distributions: use /target instead of /mnt
+# cp /etc/sysconfig/{evm,masterkey} /mnt/etc/sysconfig/
+```
+
+This should work on any distribution using dracut.
+Loading EVM keys is also possible with initramfs-tools (Debian based distributions).
+
+Of course it's possible to install OS usual way, add keys later and fix missing xattrs with:
+```
+evmctl -r ima_fix /
+```
+
+or with `find` if evmctl not available:
+```
+find / \( -fstype rootfs -o -fstype ext4 -o -fstype btrfs -o -fstype xfs \) -exec sh -c "< '{}'" \;
+```
+Again, fixing requires `ima_policy=appraise_tcb ima_appraise=fix evm=fix` kernel parameters.
diff --git a/testcases/kernel/security/integrity/ima/tests/evm_overlay.sh b/testcases/kernel/security/integrity/ima/tests/evm_overlay.sh
new file mode 100755
index 000000000..024b03917
--- /dev/null
+++ b/testcases/kernel/security/integrity/ima/tests/evm_overlay.sh
@@ -0,0 +1,93 @@
+#!/bin/sh
+# Copyright (c) 2019 Petr Vorel <pvorel@suse.cz>
+# Based on reproducer and further discussion with Ignaz Forster <iforster@suse.de>
+# Reproducer for not upstreamed patchset [1] and previous report [2].
+# [1] https://www.spinics.net/lists/linux-integrity/msg05926.html
+# [2] https://www.spinics.net/lists/linux-integrity/msg03593.html
+
+TST_SETUP="setup"
+TST_CLEANUP="cleanup"
+TST_NEEDS_DEVICE=1
+TST_CNT=4
+. ima_setup.sh
+
+setup()
+{
+ EVM_FILE="/sys/kernel/security/evm"
+
+ [ -f "$EVM_FILE" ] || tst_brk TCONF "EVM not enabled in kernel"
+ [ $(cat $EVM_FILE) -eq 1 ] || tst_brk TCONF "EVM not enabled for this boot"
+
+ check_ima_policy "appraise_tcb"
+
+ lower="$TST_MNTPOINT/lower"
+ upper="$TST_MNTPOINT/upper"
+ work="$TST_MNTPOINT/work"
+ merged="$TST_MNTPOINT/merged"
+ mkdir -p $lower $upper $work $merged
+
+ device_backup="$TST_DEVICE"
+ TST_DEVICE="overlay"
+
+ fs_type_backup="$TST_FS_TYPE"
+ TST_FS_TYPE="overlay"
+
+ mntpoint_backup="$TST_MNTPOINT"
+ TST_MNTPOINT="$merged"
+
+ params_backup="$TST_MNT_PARAMS"
+ TST_MNT_PARAMS="-o lowerdir=$lower,upperdir=$upper,workdir=$work"
+
+ tst_mount
+ mounted=1
+}
+
+test1()
+{
+ local file="foo1.txt"
+
+ tst_res TINFO "overwrite file in overlay"
+ EXPECT_PASS echo lower \> $lower/$file
+ EXPECT_PASS echo overlay \> $merged/$file
+}
+
+test2()
+{
+ local file="foo2.txt"
+
+ tst_res TINFO "append file in overlay"
+ EXPECT_PASS echo lower \> $lower/$file
+ EXPECT_PASS echo overlay \>\> $merged/$file
+}
+
+test3()
+{
+ local file="foo3.txt"
+
+ tst_res TINFO "create a new file in overlay"
+ EXPECT_PASS echo overlay \> $merged/$file
+}
+
+test4()
+{
+ local f
+
+ tst_res TINFO "read all created files"
+ for f in $(find $TST_MNTPOINT -type f); do
+ EXPECT_PASS cat $f \> /dev/null 2\> /dev/null
+ done
+}
+
+cleanup()
+{
+ [ -n "$mounted" ] || return 0
+
+ tst_umount $TST_DEVICE
+
+ TST_DEVICE="$device_backup"
+ TST_FS_TYPE="$fs_type_backup"
+ TST_MNTPOINT="$mntpoint_backup"
+ TST_MNT_PARAMS="$params_backup"
+}
+
+tst_run
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
index 606034fec..529b77529 100644
--- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
@@ -66,14 +66,14 @@ print_ima_config()
local config="/boot/config-$(uname -r)"
local i
- tst_res TINFO "/proc/cmdline: $(cat /proc/cmdline)"
-
if [ -r "$config" ]; then
tst_res TINFO "IMA kernel config:"
for i in $(grep ^CONFIG_IMA $config); do
tst_res TINFO "$i"
done
fi
+
+ tst_res TINFO "/proc/cmdline: $(cat /proc/cmdline)"
}
ima_setup()
--
2.21.0
^ permalink raw reply related [flat|nested] 22+ messages in thread
* [LTP] [PATCH v4 4/4] ima: Add overlay test + doc
@ 2019-06-13 16:14 ` Petr Vorel
0 siblings, 0 replies; 22+ messages in thread
From: Petr Vorel @ 2019-06-13 16:14 UTC (permalink / raw)
To: ltp
test demonstrate a bug on overlayfs on current mainline kernel when
combining IMA with EVM.
Based on reproducer made by Ignaz Forster <iforster@suse.de>
used for not upstreamed patchset [1] and previous report [2].
IMA only behavior has already been fixed [3].
NOTE: backup variables are needed because ima_setup.sh calling
tst_mount as well when TMPDIR is on tmpfs device.
Documentation is based on Ignaz Forster instructions for openSUSE [4].
[1] https://www.spinics.net/lists/linux-integrity/msg05926.html
[2] https://www.spinics.net/lists/linux-integrity/msg03593.html
[3] https://patchwork.kernel.org/patch/10776231/
[4] http://lists.linux.it/pipermail/ltp/2019-May/011956.html
Tested-by: Ignaz Forster <iforster@suse.de>
Acked-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
runtest/ima | 1 +
.../security/integrity/ima/tests/README.md | 83 +++++++++++++++++
.../integrity/ima/tests/evm_overlay.sh | 93 +++++++++++++++++++
.../security/integrity/ima/tests/ima_setup.sh | 4 +-
4 files changed, 179 insertions(+), 2 deletions(-)
create mode 100644 testcases/kernel/security/integrity/ima/tests/README.md
create mode 100755 testcases/kernel/security/integrity/ima/tests/evm_overlay.sh
diff --git a/runtest/ima b/runtest/ima
index bcae16bb7..f3ea88cf0 100644
--- a/runtest/ima
+++ b/runtest/ima
@@ -3,3 +3,4 @@ ima_measurements ima_measurements.sh
ima_policy ima_policy.sh
ima_tpm ima_tpm.sh
ima_violations ima_violations.sh
+evm_overlay evm_overlay.sh
diff --git a/testcases/kernel/security/integrity/ima/tests/README.md b/testcases/kernel/security/integrity/ima/tests/README.md
new file mode 100644
index 000000000..961b68a38
--- /dev/null
+++ b/testcases/kernel/security/integrity/ima/tests/README.md
@@ -0,0 +1,83 @@
+IMA + EVM testing
+=================
+
+IMA tests
+---------
+
+`ima_measurements.sh` require builtin IMA tcb policy to be loaded
+(`ima_policy=tcb` or `ima_policy=appraise_tcb` kernel parameter).
+Although custom policy which contains which may contain the equivalent
+measurement tcb rules can be loaded via dracut, systemd or later manually
+from user space, detecting it would require `IMA_READ_POLICY=y` therefore
+ignore this option.
+
+Mandatory kernel configuration for IMA:
+```
+CONFIG_INTEGRITY=y
+CONFIG_IMA=y
+```
+
+EVM tests
+---------
+
+`evm_overlay.sh` requires to builtin IMA appraise tcb policy (e.g. `ima_policy=appraise_tcb`
+kernel parameter) which appraises the integrity of all files owned by root and EVM setup.
+Again, for simplicity ignore possibility to load reuired rules via custom policy.
+
+Mandatory kernel configuration for IMA & EVM:
+```
+CONFIG_INTEGRITY=y
+CONFIG_INTEGRITY_SIGNATURE=y
+CONFIG_IMA=y
+CONFIG_IMA_APPRAISE=y
+CONFIG_EVM=y
+CONFIG_KEYS=y
+CONFIG_TRUSTED_KEYS=y
+CONFIG_ENCRYPTED_KEYS=y
+```
+
+Example of installing IMA + EVM on openSUSE:
+
+* Boot install system with `ima_policy=appraise_tcb ima_appraise=fix evm=fix` kernel parameters
+ (for IMA measurement, IMA appraisal and EVM protection)
+* Proceed with installation until summary screen, but do not start the installation yet
+* Select package `dracut-ima` (required for early boot EVM support) for installation
+ (Debian based distros already contain IMA + EVM support in `dracut` package)
+* Change to a console window and run commands to generate keys required by EVM:
+```
+# mkdir /etc/keys
+# user_key=$(keyctl add user kmk-user "`dd if=/dev/urandom bs=1 count=32 2>/dev/null`" @u)
+# keyctl pipe "$user_key" > /etc/keys/kmk-user.blob
+# evm_key=$(keyctl add encrypted evm-key "new user:kmk-user 64" @u)
+# keyctl pipe "$evm_key" >/etc/keys/evm.blob
+# cat <<END >/etc/sysconfig/masterkey
+MASTERKEYTYPE="user"
+MASTERKEY="/etc/keys/kmk-user.blob"
+END
+# cat <<END >/etc/sysconfig/evm
+EVMKEY="/etc/keys/evm.blob"
+END
+# mount -t securityfs security /sys/kernel/security
+# echo 1 >/sys/kernel/security/evm
+```
+
+* Go back to the installation summary screen and start the installation
+* During the installation execute the following commands from the console:
+```
+# cp -r /etc/keys /mnt/etc/ # Debian based distributions: use /target instead of /mnt
+# cp /etc/sysconfig/{evm,masterkey} /mnt/etc/sysconfig/
+```
+
+This should work on any distribution using dracut.
+Loading EVM keys is also possible with initramfs-tools (Debian based distributions).
+
+Of course it's possible to install OS usual way, add keys later and fix missing xattrs with:
+```
+evmctl -r ima_fix /
+```
+
+or with `find` if evmctl not available:
+```
+find / \( -fstype rootfs -o -fstype ext4 -o -fstype btrfs -o -fstype xfs \) -exec sh -c "< '{}'" \;
+```
+Again, fixing requires `ima_policy=appraise_tcb ima_appraise=fix evm=fix` kernel parameters.
diff --git a/testcases/kernel/security/integrity/ima/tests/evm_overlay.sh b/testcases/kernel/security/integrity/ima/tests/evm_overlay.sh
new file mode 100755
index 000000000..024b03917
--- /dev/null
+++ b/testcases/kernel/security/integrity/ima/tests/evm_overlay.sh
@@ -0,0 +1,93 @@
+#!/bin/sh
+# Copyright (c) 2019 Petr Vorel <pvorel@suse.cz>
+# Based on reproducer and further discussion with Ignaz Forster <iforster@suse.de>
+# Reproducer for not upstreamed patchset [1] and previous report [2].
+# [1] https://www.spinics.net/lists/linux-integrity/msg05926.html
+# [2] https://www.spinics.net/lists/linux-integrity/msg03593.html
+
+TST_SETUP="setup"
+TST_CLEANUP="cleanup"
+TST_NEEDS_DEVICE=1
+TST_CNT=4
+. ima_setup.sh
+
+setup()
+{
+ EVM_FILE="/sys/kernel/security/evm"
+
+ [ -f "$EVM_FILE" ] || tst_brk TCONF "EVM not enabled in kernel"
+ [ $(cat $EVM_FILE) -eq 1 ] || tst_brk TCONF "EVM not enabled for this boot"
+
+ check_ima_policy "appraise_tcb"
+
+ lower="$TST_MNTPOINT/lower"
+ upper="$TST_MNTPOINT/upper"
+ work="$TST_MNTPOINT/work"
+ merged="$TST_MNTPOINT/merged"
+ mkdir -p $lower $upper $work $merged
+
+ device_backup="$TST_DEVICE"
+ TST_DEVICE="overlay"
+
+ fs_type_backup="$TST_FS_TYPE"
+ TST_FS_TYPE="overlay"
+
+ mntpoint_backup="$TST_MNTPOINT"
+ TST_MNTPOINT="$merged"
+
+ params_backup="$TST_MNT_PARAMS"
+ TST_MNT_PARAMS="-o lowerdir=$lower,upperdir=$upper,workdir=$work"
+
+ tst_mount
+ mounted=1
+}
+
+test1()
+{
+ local file="foo1.txt"
+
+ tst_res TINFO "overwrite file in overlay"
+ EXPECT_PASS echo lower \> $lower/$file
+ EXPECT_PASS echo overlay \> $merged/$file
+}
+
+test2()
+{
+ local file="foo2.txt"
+
+ tst_res TINFO "append file in overlay"
+ EXPECT_PASS echo lower \> $lower/$file
+ EXPECT_PASS echo overlay \>\> $merged/$file
+}
+
+test3()
+{
+ local file="foo3.txt"
+
+ tst_res TINFO "create a new file in overlay"
+ EXPECT_PASS echo overlay \> $merged/$file
+}
+
+test4()
+{
+ local f
+
+ tst_res TINFO "read all created files"
+ for f in $(find $TST_MNTPOINT -type f); do
+ EXPECT_PASS cat $f \> /dev/null 2\> /dev/null
+ done
+}
+
+cleanup()
+{
+ [ -n "$mounted" ] || return 0
+
+ tst_umount $TST_DEVICE
+
+ TST_DEVICE="$device_backup"
+ TST_FS_TYPE="$fs_type_backup"
+ TST_MNTPOINT="$mntpoint_backup"
+ TST_MNT_PARAMS="$params_backup"
+}
+
+tst_run
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
index 606034fec..529b77529 100644
--- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
@@ -66,14 +66,14 @@ print_ima_config()
local config="/boot/config-$(uname -r)"
local i
- tst_res TINFO "/proc/cmdline: $(cat /proc/cmdline)"
-
if [ -r "$config" ]; then
tst_res TINFO "IMA kernel config:"
for i in $(grep ^CONFIG_IMA $config); do
tst_res TINFO "$i"
done
fi
+
+ tst_res TINFO "/proc/cmdline: $(cat /proc/cmdline)"
}
ima_setup()
--
2.21.0
^ permalink raw reply related [flat|nested] 22+ messages in thread
* Re: [PATCH v4 3/4] ima/ima_measurements.sh: Require builtin IMA tcb policy
2019-06-13 16:14 ` [LTP] " Petr Vorel
@ 2019-06-13 16:42 ` Ignaz Forster
-1 siblings, 0 replies; 22+ messages in thread
From: Ignaz Forster @ 2019-06-13 16:42 UTC (permalink / raw)
To: Petr Vorel, ltp; +Cc: Mimi Zohar, linux-integrity
Hi Petr,
Am 13.06.19 um 18:14 Uhr schrieb Petr Vorel:
> Although custom policy which may contain the equivalent measurement
> tcb rules can be loaded via dracut, systemd or later manually from
> user space, detecting it would require IMA_READ_POLICY=y. In order
> to simplify the check and avoid false positives lets ignore this
> option and require builtin IMA tcb policy.
>
> Create check_ima_policy() helper in ima_setup.sh, so it can be reused in
> other tests.
>
> + Use SPDX license identifier
>
> Signed-off-by: Petr Vorel <pvorel@suse.cz>
> ---
> .../integrity/ima/tests/ima_measurements.sh | 23 ++++----------
> .../security/integrity/ima/tests/ima_setup.sh | 30 ++++++++++---------
> 2 files changed, 21 insertions(+), 32 deletions(-)
>
> diff --git a/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh b/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh
> index 328affc43..1b9ed85b8 100755
> --- a/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh
> +++ b/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh
> @@ -1,19 +1,7 @@
> #!/bin/sh
> # Copyright (c) 2009 IBM Corporation
> -# Copyright (c) 2018 Petr Vorel <pvorel@suse.cz>
> -#
> -# This program is free software; you can redistribute it and/or
> -# modify it under the terms of the GNU General Public License as
> -# published by the Free Software Foundation; either version 2 of
> -# the License, or (at your option) any later version.
> -#
> -# This program is distributed in the hope that it would be useful,
> -# but WITHOUT ANY WARRANTY; without even the implied warranty of
> -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
> -# GNU General Public License for more details.
> -#
> -# You should have received a copy of the GNU General Public License
> -# along with this program. If not, see <http://www.gnu.org/licenses/>.
> +# Copyright (c) 2018-2019 Petr Vorel <pvorel@suse.cz>
> +# SPDX-License-Identifier: GPL-2.0-or-later
> #
> # Author: Mimi Zohar, zohar@ibm.vnet.ibm.com
> #
> @@ -28,16 +16,17 @@ TST_NEEDS_DEVICE=1
>
> setup()
> {
> - TEST_FILE="$PWD/test.txt"
> + check_ima_policy "tcb"
>
> + TEST_FILE="$PWD/test.txt"
> POLICY="$IMA_DIR/policy"
> [ -f "$POLICY" ] || tst_res TINFO "not using default policy"
> -
> DIGEST_INDEX=
>
> local template="$(tail -1 $ASCII_MEASUREMENTS | cut -d' ' -f 3)"
> local i
>
> + # parse digest index
> # https://www.kernel.org/doc/html/latest/security/IMA-templates.html#use
> case "$template" in
> ima|ima-ng|ima-sig) DIGEST_INDEX=4 ;;
> @@ -56,8 +45,6 @@ setup()
>
> [ -z "$DIGEST_INDEX" ] && tst_brk TCONF \
> "Cannot find digest index (template: '$template')"
> -
> - tst_res TINFO "IMA measurement tests assume tcb policy to be loaded (ima_policy=tcb)"
> }
>
> # TODO: find support for rmd128 rmd256 rmd320 wp256 wp384 tgr128 tgr160
> diff --git a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
> index da49eb1b2..606034fec 100644
> --- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
> +++ b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
> @@ -1,19 +1,7 @@
> #!/bin/sh
> # Copyright (c) 2009 IBM Corporation
> -# Copyright (c) 2018 Petr Vorel <pvorel@suse.cz>
> -#
> -# This program is free software; you can redistribute it and/or
> -# modify it under the terms of the GNU General Public License as
> -# published by the Free Software Foundation; either version 2 of
> -# the License, or (at your option) any later version.
> -#
> -# This program is distributed in the hope that it would be useful,
> -# but WITHOUT ANY WARRANTY; without even the implied warranty of
> -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
> -# GNU General Public License for more details.
> -#
> -# You should have received a copy of the GNU General Public License
> -# along with this program. If not, see <http://www.gnu.org/licenses/>.
> +# Copyright (c) 2018-2019 Petr Vorel <pvorel@suse.cz>
> +# SPDX-License-Identifier: GPL-2.0-or-later
> #
> # Author: Mimi Zohar, zohar@ibm.vnet.ibm.com
>
> @@ -31,6 +19,20 @@ SYSFS="/sys"
> UMOUNT=
> TST_FS_TYPE="ext3"
>
> +check_ima_policy()
> +{
> + local policy="$1"
> + local i
> +
> + grep -q "ima_$policy" /proc/cmdline && return
> + for i in $(cat /proc/cmdline); do
> + if grep -q '^ima_policy=' $i; then
$i will not contain a file, which grep will expect here. I guess you
meant to echo the variable instead?
Ignaz
> + grep -e "|[ ]*$policy" -e "$policy[ ]*|" -e "=$policy" $i && return
> + fi
> + done
> + tst_brk TCONF "IMA measurement tests require builtin IMA $policy policy (e.g. ima_policy=$policy kernel parameter)"
> +}
> +
> mount_helper()
> {
> local type="$1"
>
^ permalink raw reply [flat|nested] 22+ messages in thread
* [LTP] [PATCH v4 3/4] ima/ima_measurements.sh: Require builtin IMA tcb policy
@ 2019-06-13 16:42 ` Ignaz Forster
0 siblings, 0 replies; 22+ messages in thread
From: Ignaz Forster @ 2019-06-13 16:42 UTC (permalink / raw)
To: ltp
Hi Petr,
Am 13.06.19 um 18:14 Uhr schrieb Petr Vorel:
> Although custom policy which may contain the equivalent measurement
> tcb rules can be loaded via dracut, systemd or later manually from
> user space, detecting it would require IMA_READ_POLICY=y. In order
> to simplify the check and avoid false positives lets ignore this
> option and require builtin IMA tcb policy.
>
> Create check_ima_policy() helper in ima_setup.sh, so it can be reused in
> other tests.
>
> + Use SPDX license identifier
>
> Signed-off-by: Petr Vorel <pvorel@suse.cz>
> ---
> .../integrity/ima/tests/ima_measurements.sh | 23 ++++----------
> .../security/integrity/ima/tests/ima_setup.sh | 30 ++++++++++---------
> 2 files changed, 21 insertions(+), 32 deletions(-)
>
> diff --git a/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh b/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh
> index 328affc43..1b9ed85b8 100755
> --- a/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh
> +++ b/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh
> @@ -1,19 +1,7 @@
> #!/bin/sh
> # Copyright (c) 2009 IBM Corporation
> -# Copyright (c) 2018 Petr Vorel <pvorel@suse.cz>
> -#
> -# This program is free software; you can redistribute it and/or
> -# modify it under the terms of the GNU General Public License as
> -# published by the Free Software Foundation; either version 2 of
> -# the License, or (at your option) any later version.
> -#
> -# This program is distributed in the hope that it would be useful,
> -# but WITHOUT ANY WARRANTY; without even the implied warranty of
> -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
> -# GNU General Public License for more details.
> -#
> -# You should have received a copy of the GNU General Public License
> -# along with this program. If not, see <http://www.gnu.org/licenses/>.
> +# Copyright (c) 2018-2019 Petr Vorel <pvorel@suse.cz>
> +# SPDX-License-Identifier: GPL-2.0-or-later
> #
> # Author: Mimi Zohar, zohar@ibm.vnet.ibm.com
> #
> @@ -28,16 +16,17 @@ TST_NEEDS_DEVICE=1
>
> setup()
> {
> - TEST_FILE="$PWD/test.txt"
> + check_ima_policy "tcb"
>
> + TEST_FILE="$PWD/test.txt"
> POLICY="$IMA_DIR/policy"
> [ -f "$POLICY" ] || tst_res TINFO "not using default policy"
> -
> DIGEST_INDEX=
>
> local template="$(tail -1 $ASCII_MEASUREMENTS | cut -d' ' -f 3)"
> local i
>
> + # parse digest index
> # https://www.kernel.org/doc/html/latest/security/IMA-templates.html#use
> case "$template" in
> ima|ima-ng|ima-sig) DIGEST_INDEX=4 ;;
> @@ -56,8 +45,6 @@ setup()
>
> [ -z "$DIGEST_INDEX" ] && tst_brk TCONF \
> "Cannot find digest index (template: '$template')"
> -
> - tst_res TINFO "IMA measurement tests assume tcb policy to be loaded (ima_policy=tcb)"
> }
>
> # TODO: find support for rmd128 rmd256 rmd320 wp256 wp384 tgr128 tgr160
> diff --git a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
> index da49eb1b2..606034fec 100644
> --- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
> +++ b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
> @@ -1,19 +1,7 @@
> #!/bin/sh
> # Copyright (c) 2009 IBM Corporation
> -# Copyright (c) 2018 Petr Vorel <pvorel@suse.cz>
> -#
> -# This program is free software; you can redistribute it and/or
> -# modify it under the terms of the GNU General Public License as
> -# published by the Free Software Foundation; either version 2 of
> -# the License, or (at your option) any later version.
> -#
> -# This program is distributed in the hope that it would be useful,
> -# but WITHOUT ANY WARRANTY; without even the implied warranty of
> -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
> -# GNU General Public License for more details.
> -#
> -# You should have received a copy of the GNU General Public License
> -# along with this program. If not, see <http://www.gnu.org/licenses/>.
> +# Copyright (c) 2018-2019 Petr Vorel <pvorel@suse.cz>
> +# SPDX-License-Identifier: GPL-2.0-or-later
> #
> # Author: Mimi Zohar, zohar@ibm.vnet.ibm.com
>
> @@ -31,6 +19,20 @@ SYSFS="/sys"
> UMOUNT=
> TST_FS_TYPE="ext3"
>
> +check_ima_policy()
> +{
> + local policy="$1"
> + local i
> +
> + grep -q "ima_$policy" /proc/cmdline && return
> + for i in $(cat /proc/cmdline); do
> + if grep -q '^ima_policy=' $i; then
$i will not contain a file, which grep will expect here. I guess you
meant to echo the variable instead?
Ignaz
> + grep -e "|[ ]*$policy" -e "$policy[ ]*|" -e "=$policy" $i && return
> + fi
> + done
> + tst_brk TCONF "IMA measurement tests require builtin IMA $policy policy (e.g. ima_policy=$policy kernel parameter)"
> +}
> +
> mount_helper()
> {
> local type="$1"
>
^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: [PATCH v4 4/4] ima: Add overlay test + doc
2019-06-13 16:14 ` [LTP] " Petr Vorel
@ 2019-06-13 17:00 ` Ignaz Forster
-1 siblings, 0 replies; 22+ messages in thread
From: Ignaz Forster @ 2019-06-13 17:00 UTC (permalink / raw)
To: Petr Vorel, ltp; +Cc: linux-integrity, Mimi Zohar
Am 13.06.19 um 18:14 Uhr schrieb Petr Vorel:
> test demonstrate a bug on overlayfs on current mainline kernel when
> combining IMA with EVM.
>
> Based on reproducer made by Ignaz Forster <iforster@suse.de>
> used for not upstreamed patchset [1] and previous report [2].
> IMA only behavior has already been fixed [3].
>
> NOTE: backup variables are needed because ima_setup.sh calling
> tst_mount as well when TMPDIR is on tmpfs device.
>
> Documentation is based on Ignaz Forster instructions for openSUSE [4].
>
> [1] https://www.spinics.net/lists/linux-integrity/msg05926.html
> [2] https://www.spinics.net/lists/linux-integrity/msg03593.html
> [3] https://patchwork.kernel.org/patch/10776231/
> [4] http://lists.linux.it/pipermail/ltp/2019-May/011956.html
>
> Tested-by: Ignaz Forster <iforster@suse.de>
> Acked-by: Mimi Zohar <zohar@linux.ibm.com>
> Signed-off-by: Petr Vorel <pvorel@suse.cz>
> ---
> runtest/ima | 1 +
> .../security/integrity/ima/tests/README.md | 83 +++++++++++++++++
> .../integrity/ima/tests/evm_overlay.sh | 93 +++++++++++++++++++
> .../security/integrity/ima/tests/ima_setup.sh | 4 +-
> 4 files changed, 179 insertions(+), 2 deletions(-)
> create mode 100644 testcases/kernel/security/integrity/ima/tests/README.md
> create mode 100755 testcases/kernel/security/integrity/ima/tests/evm_overlay.sh
>
> diff --git a/runtest/ima b/runtest/ima
> index bcae16bb7..f3ea88cf0 100644
> --- a/runtest/ima
> +++ b/runtest/ima
> @@ -3,3 +3,4 @@ ima_measurements ima_measurements.sh
> ima_policy ima_policy.sh
> ima_tpm ima_tpm.sh
> ima_violations ima_violations.sh
> +evm_overlay evm_overlay.sh
> diff --git a/testcases/kernel/security/integrity/ima/tests/README.md b/testcases/kernel/security/integrity/ima/tests/README.md
> new file mode 100644
> index 000000000..961b68a38
> --- /dev/null
> +++ b/testcases/kernel/security/integrity/ima/tests/README.md
> @@ -0,0 +1,83 @@
> +IMA + EVM testing
> +=================
> +
> +IMA tests
> +---------
> +
> +`ima_measurements.sh` require builtin IMA tcb policy to be loaded
> +(`ima_policy=tcb` or `ima_policy=appraise_tcb` kernel parameter).
This test requires "appraise_tcb" ("tcb" is not enough), as the errors
only occur during appraisal.
> +Although custom policy which contains which may contain the equivalent
> +measurement tcb rules can be loaded via dracut, systemd or later manually
> +from user space, detecting it would require `IMA_READ_POLICY=y` therefore
> +ignore this option.
I guess this should be
"Although a custom policy, loaded via dracut, systemd or manually from
user space, may contain equivalent measurement tcb rules, detecting them
would [...]"
> +Mandatory kernel configuration for IMA:
> +```
> +CONFIG_INTEGRITY=y
> +CONFIG_IMA=y
> +```
> +
> +EVM tests
> +---------
> +
> +`evm_overlay.sh` requires to builtin IMA appraise tcb policy (e.g. `ima_policy=appraise_tcb` ^^
a
> +kernel parameter) which appraises the integrity of all files owned by root and EVM setup.
> +Again, for simplicity ignore possibility to load reuired rules via custom policy.
^q
> +Mandatory kernel configuration for IMA & EVM:
> +```
> +CONFIG_INTEGRITY=y
> +CONFIG_INTEGRITY_SIGNATURE=y
> +CONFIG_IMA=y
> +CONFIG_IMA_APPRAISE=y
> +CONFIG_EVM=y
> +CONFIG_KEYS=y
> +CONFIG_TRUSTED_KEYS=y
> +CONFIG_ENCRYPTED_KEYS=y
> +```
> +
> +Example of installing IMA + EVM on openSUSE:
> +
> +* Boot install system with `ima_policy=appraise_tcb ima_appraise=fix evm=fix` kernel parameters
I was missing the measurement option. ima_policy should have been
ima_policy='tcb|appraise_tcb' for the statement below to be true.
> + (for IMA measurement, IMA appraisal and EVM protection)
> +* Proceed with installation until summary screen, but do not start the installation yet
> +* Select package `dracut-ima` (required for early boot EVM support) for installation
> + (Debian based distros already contain IMA + EVM support in `dracut` package)
> +* Change to a console window and run commands to generate keys required by EVM:
> +```
> +# mkdir /etc/keys
> +# user_key=$(keyctl add user kmk-user "`dd if=/dev/urandom bs=1 count=32 2>/dev/null`" @u)
> +# keyctl pipe "$user_key" > /etc/keys/kmk-user.blob
> +# evm_key=$(keyctl add encrypted evm-key "new user:kmk-user 64" @u)
> +# keyctl pipe "$evm_key" >/etc/keys/evm.blob
> +# cat <<END >/etc/sysconfig/masterkey
> +MASTERKEYTYPE="user"
> +MASTERKEY="/etc/keys/kmk-user.blob"
> +END
> +# cat <<END >/etc/sysconfig/evm
> +EVMKEY="/etc/keys/evm.blob"
> +END
> +# mount -t securityfs security /sys/kernel/security
> +# echo 1 >/sys/kernel/security/evm
> +```
> +
> +* Go back to the installation summary screen and start the installation
> +* During the installation execute the following commands from the console:
> +```
> +# cp -r /etc/keys /mnt/etc/ # Debian based distributions: use /target instead of /mnt
> +# cp /etc/sysconfig/{evm,masterkey} /mnt/etc/sysconfig/
> +```
> +
> +This should work on any distribution using dracut.
> +Loading EVM keys is also possible with initramfs-tools (Debian based distributions).
> +
> +Of course it's possible to install OS usual way, add keys later and fix missing xattrs with:
> +```
> +evmctl -r ima_fix /
> +```
> +
> +or with `find` if evmctl not available:
^
is
> +```
> +find / \( -fstype rootfs -o -fstype ext4 -o -fstype btrfs -o -fstype xfs \) -exec sh -c "< '{}'" \;
> +```
> +Again, fixing requires `ima_policy=appraise_tcb ima_appraise=fix evm=fix` kernel parameters.
Maybe also add the tcb option for measurement here.
Ignaz
> diff --git a/testcases/kernel/security/integrity/ima/tests/evm_overlay.sh b/testcases/kernel/security/integrity/ima/tests/evm_overlay.sh
> new file mode 100755
> index 000000000..024b03917
> --- /dev/null
> +++ b/testcases/kernel/security/integrity/ima/tests/evm_overlay.sh
> @@ -0,0 +1,93 @@
> +#!/bin/sh
> +# Copyright (c) 2019 Petr Vorel <pvorel@suse.cz>
> +# Based on reproducer and further discussion with Ignaz Forster <iforster@suse.de>
> +# Reproducer for not upstreamed patchset [1] and previous report [2].
> +# [1] https://www.spinics.net/lists/linux-integrity/msg05926.html
> +# [2] https://www.spinics.net/lists/linux-integrity/msg03593.html
> +
> +TST_SETUP="setup"
> +TST_CLEANUP="cleanup"
> +TST_NEEDS_DEVICE=1
> +TST_CNT=4
> +. ima_setup.sh
> +
> +setup()
> +{
> + EVM_FILE="/sys/kernel/security/evm"
> +
> + [ -f "$EVM_FILE" ] || tst_brk TCONF "EVM not enabled in kernel"
> + [ $(cat $EVM_FILE) -eq 1 ] || tst_brk TCONF "EVM not enabled for this boot"
> +
> + check_ima_policy "appraise_tcb"
> +
> + lower="$TST_MNTPOINT/lower"
> + upper="$TST_MNTPOINT/upper"
> + work="$TST_MNTPOINT/work"
> + merged="$TST_MNTPOINT/merged"
> + mkdir -p $lower $upper $work $merged
> +
> + device_backup="$TST_DEVICE"
> + TST_DEVICE="overlay"
> +
> + fs_type_backup="$TST_FS_TYPE"
> + TST_FS_TYPE="overlay"
> +
> + mntpoint_backup="$TST_MNTPOINT"
> + TST_MNTPOINT="$merged"
> +
> + params_backup="$TST_MNT_PARAMS"
> + TST_MNT_PARAMS="-o lowerdir=$lower,upperdir=$upper,workdir=$work"
> +
> + tst_mount
> + mounted=1
> +}
> +
> +test1()
> +{
> + local file="foo1.txt"
> +
> + tst_res TINFO "overwrite file in overlay"
> + EXPECT_PASS echo lower \> $lower/$file
> + EXPECT_PASS echo overlay \> $merged/$file
> +}
> +
> +test2()
> +{
> + local file="foo2.txt"
> +
> + tst_res TINFO "append file in overlay"
> + EXPECT_PASS echo lower \> $lower/$file
> + EXPECT_PASS echo overlay \>\> $merged/$file
> +}
> +
> +test3()
> +{
> + local file="foo3.txt"
> +
> + tst_res TINFO "create a new file in overlay"
> + EXPECT_PASS echo overlay \> $merged/$file
> +}
> +
> +test4()
> +{
> + local f
> +
> + tst_res TINFO "read all created files"
> + for f in $(find $TST_MNTPOINT -type f); do
> + EXPECT_PASS cat $f \> /dev/null 2\> /dev/null
> + done
> +}
> +
> +cleanup()
> +{
> + [ -n "$mounted" ] || return 0
> +
> + tst_umount $TST_DEVICE
> +
> + TST_DEVICE="$device_backup"
> + TST_FS_TYPE="$fs_type_backup"
> + TST_MNTPOINT="$mntpoint_backup"
> + TST_MNT_PARAMS="$params_backup"
> +}
> +
> +tst_run
> diff --git a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
> index 606034fec..529b77529 100644
> --- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
> +++ b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
> @@ -66,14 +66,14 @@ print_ima_config()
> local config="/boot/config-$(uname -r)"
> local i
>
> - tst_res TINFO "/proc/cmdline: $(cat /proc/cmdline)"
> -
> if [ -r "$config" ]; then
> tst_res TINFO "IMA kernel config:"
> for i in $(grep ^CONFIG_IMA $config); do
> tst_res TINFO "$i"
> done
> fi
> +
> + tst_res TINFO "/proc/cmdline: $(cat /proc/cmdline)"
> }
>
> ima_setup()
>
^ permalink raw reply [flat|nested] 22+ messages in thread
* [LTP] [PATCH v4 4/4] ima: Add overlay test + doc
@ 2019-06-13 17:00 ` Ignaz Forster
0 siblings, 0 replies; 22+ messages in thread
From: Ignaz Forster @ 2019-06-13 17:00 UTC (permalink / raw)
To: ltp
Am 13.06.19 um 18:14 Uhr schrieb Petr Vorel:
> test demonstrate a bug on overlayfs on current mainline kernel when
> combining IMA with EVM.
>
> Based on reproducer made by Ignaz Forster <iforster@suse.de>
> used for not upstreamed patchset [1] and previous report [2].
> IMA only behavior has already been fixed [3].
>
> NOTE: backup variables are needed because ima_setup.sh calling
> tst_mount as well when TMPDIR is on tmpfs device.
>
> Documentation is based on Ignaz Forster instructions for openSUSE [4].
>
> [1] https://www.spinics.net/lists/linux-integrity/msg05926.html
> [2] https://www.spinics.net/lists/linux-integrity/msg03593.html
> [3] https://patchwork.kernel.org/patch/10776231/
> [4] http://lists.linux.it/pipermail/ltp/2019-May/011956.html
>
> Tested-by: Ignaz Forster <iforster@suse.de>
> Acked-by: Mimi Zohar <zohar@linux.ibm.com>
> Signed-off-by: Petr Vorel <pvorel@suse.cz>
> ---
> runtest/ima | 1 +
> .../security/integrity/ima/tests/README.md | 83 +++++++++++++++++
> .../integrity/ima/tests/evm_overlay.sh | 93 +++++++++++++++++++
> .../security/integrity/ima/tests/ima_setup.sh | 4 +-
> 4 files changed, 179 insertions(+), 2 deletions(-)
> create mode 100644 testcases/kernel/security/integrity/ima/tests/README.md
> create mode 100755 testcases/kernel/security/integrity/ima/tests/evm_overlay.sh
>
> diff --git a/runtest/ima b/runtest/ima
> index bcae16bb7..f3ea88cf0 100644
> --- a/runtest/ima
> +++ b/runtest/ima
> @@ -3,3 +3,4 @@ ima_measurements ima_measurements.sh
> ima_policy ima_policy.sh
> ima_tpm ima_tpm.sh
> ima_violations ima_violations.sh
> +evm_overlay evm_overlay.sh
> diff --git a/testcases/kernel/security/integrity/ima/tests/README.md b/testcases/kernel/security/integrity/ima/tests/README.md
> new file mode 100644
> index 000000000..961b68a38
> --- /dev/null
> +++ b/testcases/kernel/security/integrity/ima/tests/README.md
> @@ -0,0 +1,83 @@
> +IMA + EVM testing
> +=================
> +
> +IMA tests
> +---------
> +
> +`ima_measurements.sh` require builtin IMA tcb policy to be loaded
> +(`ima_policy=tcb` or `ima_policy=appraise_tcb` kernel parameter).
This test requires "appraise_tcb" ("tcb" is not enough), as the errors
only occur during appraisal.
> +Although custom policy which contains which may contain the equivalent
> +measurement tcb rules can be loaded via dracut, systemd or later manually
> +from user space, detecting it would require `IMA_READ_POLICY=y` therefore
> +ignore this option.
I guess this should be
"Although a custom policy, loaded via dracut, systemd or manually from
user space, may contain equivalent measurement tcb rules, detecting them
would [...]"
> +Mandatory kernel configuration for IMA:
> +```
> +CONFIG_INTEGRITY=y
> +CONFIG_IMA=y
> +```
> +
> +EVM tests
> +---------
> +
> +`evm_overlay.sh` requires to builtin IMA appraise tcb policy (e.g. `ima_policy=appraise_tcb` ^^
a
> +kernel parameter) which appraises the integrity of all files owned by root and EVM setup.
> +Again, for simplicity ignore possibility to load reuired rules via custom policy.
^q
> +Mandatory kernel configuration for IMA & EVM:
> +```
> +CONFIG_INTEGRITY=y
> +CONFIG_INTEGRITY_SIGNATURE=y
> +CONFIG_IMA=y
> +CONFIG_IMA_APPRAISE=y
> +CONFIG_EVM=y
> +CONFIG_KEYS=y
> +CONFIG_TRUSTED_KEYS=y
> +CONFIG_ENCRYPTED_KEYS=y
> +```
> +
> +Example of installing IMA + EVM on openSUSE:
> +
> +* Boot install system with `ima_policy=appraise_tcb ima_appraise=fix evm=fix` kernel parameters
I was missing the measurement option. ima_policy should have been
ima_policy='tcb|appraise_tcb' for the statement below to be true.
> + (for IMA measurement, IMA appraisal and EVM protection)
> +* Proceed with installation until summary screen, but do not start the installation yet
> +* Select package `dracut-ima` (required for early boot EVM support) for installation
> + (Debian based distros already contain IMA + EVM support in `dracut` package)
> +* Change to a console window and run commands to generate keys required by EVM:
> +```
> +# mkdir /etc/keys
> +# user_key=$(keyctl add user kmk-user "`dd if=/dev/urandom bs=1 count=32 2>/dev/null`" @u)
> +# keyctl pipe "$user_key" > /etc/keys/kmk-user.blob
> +# evm_key=$(keyctl add encrypted evm-key "new user:kmk-user 64" @u)
> +# keyctl pipe "$evm_key" >/etc/keys/evm.blob
> +# cat <<END >/etc/sysconfig/masterkey
> +MASTERKEYTYPE="user"
> +MASTERKEY="/etc/keys/kmk-user.blob"
> +END
> +# cat <<END >/etc/sysconfig/evm
> +EVMKEY="/etc/keys/evm.blob"
> +END
> +# mount -t securityfs security /sys/kernel/security
> +# echo 1 >/sys/kernel/security/evm
> +```
> +
> +* Go back to the installation summary screen and start the installation
> +* During the installation execute the following commands from the console:
> +```
> +# cp -r /etc/keys /mnt/etc/ # Debian based distributions: use /target instead of /mnt
> +# cp /etc/sysconfig/{evm,masterkey} /mnt/etc/sysconfig/
> +```
> +
> +This should work on any distribution using dracut.
> +Loading EVM keys is also possible with initramfs-tools (Debian based distributions).
> +
> +Of course it's possible to install OS usual way, add keys later and fix missing xattrs with:
> +```
> +evmctl -r ima_fix /
> +```
> +
> +or with `find` if evmctl not available:
^
is
> +```
> +find / \( -fstype rootfs -o -fstype ext4 -o -fstype btrfs -o -fstype xfs \) -exec sh -c "< '{}'" \;
> +```
> +Again, fixing requires `ima_policy=appraise_tcb ima_appraise=fix evm=fix` kernel parameters.
Maybe also add the tcb option for measurement here.
Ignaz
> diff --git a/testcases/kernel/security/integrity/ima/tests/evm_overlay.sh b/testcases/kernel/security/integrity/ima/tests/evm_overlay.sh
> new file mode 100755
> index 000000000..024b03917
> --- /dev/null
> +++ b/testcases/kernel/security/integrity/ima/tests/evm_overlay.sh
> @@ -0,0 +1,93 @@
> +#!/bin/sh
> +# Copyright (c) 2019 Petr Vorel <pvorel@suse.cz>
> +# Based on reproducer and further discussion with Ignaz Forster <iforster@suse.de>
> +# Reproducer for not upstreamed patchset [1] and previous report [2].
> +# [1] https://www.spinics.net/lists/linux-integrity/msg05926.html
> +# [2] https://www.spinics.net/lists/linux-integrity/msg03593.html
> +
> +TST_SETUP="setup"
> +TST_CLEANUP="cleanup"
> +TST_NEEDS_DEVICE=1
> +TST_CNT=4
> +. ima_setup.sh
> +
> +setup()
> +{
> + EVM_FILE="/sys/kernel/security/evm"
> +
> + [ -f "$EVM_FILE" ] || tst_brk TCONF "EVM not enabled in kernel"
> + [ $(cat $EVM_FILE) -eq 1 ] || tst_brk TCONF "EVM not enabled for this boot"
> +
> + check_ima_policy "appraise_tcb"
> +
> + lower="$TST_MNTPOINT/lower"
> + upper="$TST_MNTPOINT/upper"
> + work="$TST_MNTPOINT/work"
> + merged="$TST_MNTPOINT/merged"
> + mkdir -p $lower $upper $work $merged
> +
> + device_backup="$TST_DEVICE"
> + TST_DEVICE="overlay"
> +
> + fs_type_backup="$TST_FS_TYPE"
> + TST_FS_TYPE="overlay"
> +
> + mntpoint_backup="$TST_MNTPOINT"
> + TST_MNTPOINT="$merged"
> +
> + params_backup="$TST_MNT_PARAMS"
> + TST_MNT_PARAMS="-o lowerdir=$lower,upperdir=$upper,workdir=$work"
> +
> + tst_mount
> + mounted=1
> +}
> +
> +test1()
> +{
> + local file="foo1.txt"
> +
> + tst_res TINFO "overwrite file in overlay"
> + EXPECT_PASS echo lower \> $lower/$file
> + EXPECT_PASS echo overlay \> $merged/$file
> +}
> +
> +test2()
> +{
> + local file="foo2.txt"
> +
> + tst_res TINFO "append file in overlay"
> + EXPECT_PASS echo lower \> $lower/$file
> + EXPECT_PASS echo overlay \>\> $merged/$file
> +}
> +
> +test3()
> +{
> + local file="foo3.txt"
> +
> + tst_res TINFO "create a new file in overlay"
> + EXPECT_PASS echo overlay \> $merged/$file
> +}
> +
> +test4()
> +{
> + local f
> +
> + tst_res TINFO "read all created files"
> + for f in $(find $TST_MNTPOINT -type f); do
> + EXPECT_PASS cat $f \> /dev/null 2\> /dev/null
> + done
> +}
> +
> +cleanup()
> +{
> + [ -n "$mounted" ] || return 0
> +
> + tst_umount $TST_DEVICE
> +
> + TST_DEVICE="$device_backup"
> + TST_FS_TYPE="$fs_type_backup"
> + TST_MNTPOINT="$mntpoint_backup"
> + TST_MNT_PARAMS="$params_backup"
> +}
> +
> +tst_run
> diff --git a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
> index 606034fec..529b77529 100644
> --- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
> +++ b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
> @@ -66,14 +66,14 @@ print_ima_config()
> local config="/boot/config-$(uname -r)"
> local i
>
> - tst_res TINFO "/proc/cmdline: $(cat /proc/cmdline)"
> -
> if [ -r "$config" ]; then
> tst_res TINFO "IMA kernel config:"
> for i in $(grep ^CONFIG_IMA $config); do
> tst_res TINFO "$i"
> done
> fi
> +
> + tst_res TINFO "/proc/cmdline: $(cat /proc/cmdline)"
> }
>
> ima_setup()
>
^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: [PATCH v4 4/4] ima: Add overlay test + doc
2019-06-13 17:00 ` [LTP] " Ignaz Forster
@ 2019-06-14 14:14 ` Petr Vorel
-1 siblings, 0 replies; 22+ messages in thread
From: Petr Vorel @ 2019-06-14 14:14 UTC (permalink / raw)
To: Ignaz Forster; +Cc: ltp, linux-integrity, Mimi Zohar
Hi Ignaz,
thanks for pointing out all the typos and wrong grep (previous patch).
Going to sent v5 with fixes. Just one question below.
...
> > +++ b/testcases/kernel/security/integrity/ima/tests/README.md
> > @@ -0,0 +1,83 @@
> > +IMA + EVM testing
> > +=================
> > +
> > +IMA tests
> > +---------
> > +
> > +`ima_measurements.sh` require builtin IMA tcb policy to be loaded
> > +(`ima_policy=tcb` or `ima_policy=appraise_tcb` kernel parameter).
> This test requires "appraise_tcb" ("tcb" is not enough), as the errors only
> occur during appraisal.
Are you sure? This is a note for ima_measurements.sh test (not for evm_overlay.sh).
I require ima_policy=tcb here, according to Mimi [1]
Kind regards,
Petr
[1] http://lists.linux.it/pipermail/ltp/2019-June/012363.html
^ permalink raw reply [flat|nested] 22+ messages in thread
* [LTP] [PATCH v4 4/4] ima: Add overlay test + doc
@ 2019-06-14 14:14 ` Petr Vorel
0 siblings, 0 replies; 22+ messages in thread
From: Petr Vorel @ 2019-06-14 14:14 UTC (permalink / raw)
To: ltp
Hi Ignaz,
thanks for pointing out all the typos and wrong grep (previous patch).
Going to sent v5 with fixes. Just one question below.
...
> > +++ b/testcases/kernel/security/integrity/ima/tests/README.md
> > @@ -0,0 +1,83 @@
> > +IMA + EVM testing
> > +=================
> > +
> > +IMA tests
> > +---------
> > +
> > +`ima_measurements.sh` require builtin IMA tcb policy to be loaded
> > +(`ima_policy=tcb` or `ima_policy=appraise_tcb` kernel parameter).
> This test requires "appraise_tcb" ("tcb" is not enough), as the errors only
> occur during appraisal.
Are you sure? This is a note for ima_measurements.sh test (not for evm_overlay.sh).
I require ima_policy=tcb here, according to Mimi [1]
Kind regards,
Petr
[1] http://lists.linux.it/pipermail/ltp/2019-June/012363.html
^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: [PATCH v4 4/4] ima: Add overlay test + doc
2019-06-14 14:14 ` [LTP] " Petr Vorel
@ 2019-06-14 14:37 ` Ignaz Forster
-1 siblings, 0 replies; 22+ messages in thread
From: Ignaz Forster @ 2019-06-14 14:37 UTC (permalink / raw)
To: Petr Vorel; +Cc: ltp, linux-integrity, Mimi Zohar
Am 14.06.19 um 16:14 Uhr schrieb Petr Vorel:
>>> +++ b/testcases/kernel/security/integrity/ima/tests/README.md
>>> @@ -0,0 +1,83 @@
>>> +IMA + EVM testing
>>> +=================
>>> +
>>> +IMA tests
>>> +---------
>>> +
>>> +`ima_measurements.sh` require builtin IMA tcb policy to be loaded
>>> +(`ima_policy=tcb` or `ima_policy=appraise_tcb` kernel parameter).
>
>> This test requires "appraise_tcb" ("tcb" is not enough), as the errors only
>> occur during appraisal.
> Are you sure? This is a note for ima_measurements.sh test (not for evm_overlay.sh).
> I require ima_policy=tcb here, according to Mimi [1]
Oh, sorry, you are correct - "tcb" is correct in this case. I got
confused as the documentation is included in the overlayfs reproducer patch.
Ignaz
^ permalink raw reply [flat|nested] 22+ messages in thread
* [LTP] [PATCH v4 4/4] ima: Add overlay test + doc
@ 2019-06-14 14:37 ` Ignaz Forster
0 siblings, 0 replies; 22+ messages in thread
From: Ignaz Forster @ 2019-06-14 14:37 UTC (permalink / raw)
To: ltp
Am 14.06.19 um 16:14 Uhr schrieb Petr Vorel:
>>> +++ b/testcases/kernel/security/integrity/ima/tests/README.md
>>> @@ -0,0 +1,83 @@
>>> +IMA + EVM testing
>>> +=================
>>> +
>>> +IMA tests
>>> +---------
>>> +
>>> +`ima_measurements.sh` require builtin IMA tcb policy to be loaded
>>> +(`ima_policy=tcb` or `ima_policy=appraise_tcb` kernel parameter).
>
>> This test requires "appraise_tcb" ("tcb" is not enough), as the errors only
>> occur during appraisal.
> Are you sure? This is a note for ima_measurements.sh test (not for evm_overlay.sh).
> I require ima_policy=tcb here, according to Mimi [1]
Oh, sorry, you are correct - "tcb" is correct in this case. I got
confused as the documentation is included in the overlayfs reproducer patch.
Ignaz
^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: [PATCH v4 4/4] ima: Add overlay test + doc
2019-06-14 14:37 ` [LTP] " Ignaz Forster
@ 2019-06-14 14:46 ` Petr Vorel
-1 siblings, 0 replies; 22+ messages in thread
From: Petr Vorel @ 2019-06-14 14:46 UTC (permalink / raw)
To: Ignaz Forster; +Cc: ltp, linux-integrity, Mimi Zohar
Hi Ignaz,
> > > This test requires "appraise_tcb" ("tcb" is not enough), as the errors only
> > > occur during appraisal.
> > Are you sure? This is a note for ima_measurements.sh test (not for evm_overlay.sh).
> > I require ima_policy=tcb here, according to Mimi [1]
> Oh, sorry, you are correct - "tcb" is correct in this case. I got confused
> as the documentation is included in the overlayfs reproducer patch.
Maybe I should put it into separate commit.
> Ignaz
Kind regards,
Petr
^ permalink raw reply [flat|nested] 22+ messages in thread
* [LTP] [PATCH v4 4/4] ima: Add overlay test + doc
@ 2019-06-14 14:46 ` Petr Vorel
0 siblings, 0 replies; 22+ messages in thread
From: Petr Vorel @ 2019-06-14 14:46 UTC (permalink / raw)
To: ltp
Hi Ignaz,
> > > This test requires "appraise_tcb" ("tcb" is not enough), as the errors only
> > > occur during appraisal.
> > Are you sure? This is a note for ima_measurements.sh test (not for evm_overlay.sh).
> > I require ima_policy=tcb here, according to Mimi [1]
> Oh, sorry, you are correct - "tcb" is correct in this case. I got confused
> as the documentation is included in the overlayfs reproducer patch.
Maybe I should put it into separate commit.
> Ignaz
Kind regards,
Petr
^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: [LTP] [PATCH v4 4/4] ima: Add overlay test + doc
2019-06-14 14:46 ` [LTP] " Petr Vorel
@ 2019-06-18 13:59 ` Petr Vorel
-1 siblings, 0 replies; 22+ messages in thread
From: Petr Vorel @ 2019-06-18 13:59 UTC (permalink / raw)
To: Ignaz Forster; +Cc: linux-integrity, Mimi Zohar, ltp
Hi Mimi, Ignaz,
> > > > This test requires "appraise_tcb" ("tcb" is not enough), as the errors only
> > > > occur during appraisal.
> > > Are you sure? This is a note for ima_measurements.sh test (not for evm_overlay.sh).
> > > I require ima_policy=tcb here, according to Mimi [1]
> > Oh, sorry, you are correct - "tcb" is correct in this case. I got confused
> > as the documentation is included in the overlayfs reproducer patch.
> Maybe I should put it into separate commit.
Whole patchset merged.
Thanks a lot both for your help!
Kind regards,
Petr
^ permalink raw reply [flat|nested] 22+ messages in thread
* [LTP] [PATCH v4 4/4] ima: Add overlay test + doc
@ 2019-06-18 13:59 ` Petr Vorel
0 siblings, 0 replies; 22+ messages in thread
From: Petr Vorel @ 2019-06-18 13:59 UTC (permalink / raw)
To: ltp
Hi Mimi, Ignaz,
> > > > This test requires "appraise_tcb" ("tcb" is not enough), as the errors only
> > > > occur during appraisal.
> > > Are you sure? This is a note for ima_measurements.sh test (not for evm_overlay.sh).
> > > I require ima_policy=tcb here, according to Mimi [1]
> > Oh, sorry, you are correct - "tcb" is correct in this case. I got confused
> > as the documentation is included in the overlayfs reproducer patch.
> Maybe I should put it into separate commit.
Whole patchset merged.
Thanks a lot both for your help!
Kind regards,
Petr
^ permalink raw reply [flat|nested] 22+ messages in thread
end of thread, other threads:[~2019-06-18 13:59 UTC | newest]
Thread overview: 22+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-06-13 16:14 [PATCH v4 0/4] LTP reproducer on broken IMA on overlayfs Petr Vorel
2019-06-13 16:14 ` [LTP] " Petr Vorel
2019-06-13 16:14 ` [PATCH v4 1/4] ima: Call test's cleanup inside ima_setup.sh cleanup Petr Vorel
2019-06-13 16:14 ` [LTP] " Petr Vorel
2019-06-13 16:14 ` [PATCH v4 2/4] shell: Add $TST_DEVICE as default parameter to tst_umount Petr Vorel
2019-06-13 16:14 ` [LTP] " Petr Vorel
2019-06-13 16:14 ` [PATCH v4 3/4] ima/ima_measurements.sh: Require builtin IMA tcb policy Petr Vorel
2019-06-13 16:14 ` [LTP] " Petr Vorel
2019-06-13 16:42 ` Ignaz Forster
2019-06-13 16:42 ` [LTP] " Ignaz Forster
2019-06-13 16:14 ` [PATCH v4 4/4] ima: Add overlay test + doc Petr Vorel
2019-06-13 16:14 ` [LTP] " Petr Vorel
2019-06-13 17:00 ` Ignaz Forster
2019-06-13 17:00 ` [LTP] " Ignaz Forster
2019-06-14 14:14 ` Petr Vorel
2019-06-14 14:14 ` [LTP] " Petr Vorel
2019-06-14 14:37 ` Ignaz Forster
2019-06-14 14:37 ` [LTP] " Ignaz Forster
2019-06-14 14:46 ` Petr Vorel
2019-06-14 14:46 ` [LTP] " Petr Vorel
2019-06-18 13:59 ` Petr Vorel
2019-06-18 13:59 ` Petr Vorel
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.