From: Roberto Sassu <roberto.sassu@huaweicloud.com>
To: Mimi Zohar <zohar@linux.ibm.com>, Stefan Berger <stefanb@linux.ibm.com>
Cc: linux-integrity@vger.kernel.org,
	Roberto Sassu <roberto.sassu@huawei.com>,
	Petr Vorel <pvorel@suse.cz>
Subject: Re: [PATCH ima-evm-utils] Add tests for MMAP_CHECK and MMAP_CHECK_REQPROT hooks
Date: Mon, 30 Jan 2023 17:07:18 +0100	[thread overview]
Message-ID: <7779927be4c5506172c5a64e3cea37ad9c285356.camel@huaweicloud.com> (raw)
In-Reply-To: <c5b46ac1e81b60aefebcf81dabe9e5a911a259a4.camel@huaweicloud.com>

On Mon, 2023-01-30 at 15:02 +0100, Roberto Sassu wrote:
> On Mon, 2023-01-30 at 08:28 -0500, Mimi Zohar wrote:
> > [Trimmed Cc list, since this is an ima-evm-utils discussion.  Adding
> > Petr.]
> > 
> > On Fri, 2023-01-27 at 08:57 +0100, Roberto Sassu wrote:
> > > On Thu, 2023-01-26 at 17:25 -0500, Stefan Berger wrote:
> > > > How do you tell the user that the patches need to be applied for the test to
> > > > succeed and not worry about it when the patches are not applied?
> > > 
> > > Uhm, I agree. I should at least write a comment as for EVM portable
> > > signatures, and maybe display a message in the test logs.
> > 
> > This is a generic problem that needs to be addressed.  FYI, LTP
> > addressed it by introducing "struct test_tag" in commit ca2c76990
> > ("lib: Add support for test tags").
> 
> One idea could be to list all the patches the group of tests is going
> to check, and add an argument to expect_pass and expect_fail to specify
> the indexes of patches required for the test. We print the required
> patches in an error message.

Ok, here is an example for this patch set. I added the following
changes to the mmap_check.test script:

PATCHES=(
'ima: Align ima_file_mmap() parameters with mmap_file LSM hook'
'ima: Introduce MMAP_CHECK_REQPROT hook'
)

[...]

expect_fail check_mmap "MMAP_CHECK" ""
expect_pass check_mmap "MMAP_CHECK" "exec"
expect_pass_if '0' check_mmap "MMAP_CHECK" "read_implies_exec"

expect_fail_if '1' check_mmap "MMAP_CHECK_REQPROT" ""
expect_pass_if '1' check_mmap "MMAP_CHECK_REQPROT" "exec"
expect_fail_if '1' check_mmap "MMAP_CHECK_REQPROT" "read_implies_exec"

expect_pass check_deny "MMAP_CHECK" "mprotect"
expect_pass_if '1' check_deny "MMAP_CHECK_REQPROT" "mprotect"

expect_pass check_deny "MMAP_CHECK" "exec_on_writable"
expect_pass_if '1' check_deny "MMAP_CHECK_REQPROT" "exec_on_writable"

I didn't add the _if suffix for the tests that are expected to
pass/fail without adding new patches.


I introduced expect_pass_if() and expect_fail_if() that call
respectively expect_pass() and expect_fail(), and additionally print an
error message with the patches that might be required.


The test results (without the two kernel patches applied) are:

Test: check_mmap (hook="MMAP_CHECK", test_mmap arg: "")
Result (expect not found): not found

Test: check_mmap (hook="MMAP_CHECK", test_mmap arg: "exec")
Result (expect found): found

Test: check_mmap (hook="MMAP_CHECK", test_mmap arg: "read_implies_exec")
Result (expect found): not found
Possibly missing patches:
 - ima: Align ima_file_mmap() parameters with mmap_file LSM hook

Test: check_mmap (hook="MMAP_CHECK_REQPROT", test_mmap arg: "")
/home/roberto/repos/ima-evm-utils/tests/mmap_check.test: line 65: echo: write error: Invalid argument
Failed to set IMA policy
Possibly missing patches:
 - ima: Introduce MMAP_CHECK_REQPROT hook

Test: check_mmap (hook="MMAP_CHECK_REQPROT", test_mmap arg: "exec")
/home/roberto/repos/ima-evm-utils/tests/mmap_check.test: line 65: echo: write error: Invalid argument
Failed to set IMA policy
Possibly missing patches:
 - ima: Introduce MMAP_CHECK_REQPROT hook

Test: check_mmap (hook="MMAP_CHECK_REQPROT", test_mmap arg: "read_implies_exec")
/home/roberto/repos/ima-evm-utils/tests/mmap_check.test: line 65: echo: write error: Invalid argument
Failed to set IMA policy
Possibly missing patches:
 - ima: Introduce MMAP_CHECK_REQPROT hook

Test: check_deny (hook="MMAP_CHECK", test_mmap arg: "mprotect")
Result (expect denied): denied

Test: check_deny (hook="MMAP_CHECK_REQPROT", test_mmap arg: "mprotect")
/home/roberto/repos/ima-evm-utils/tests/mmap_check.test: line 65: echo: write error: Invalid argument
Failed to set IMA policy
Possibly missing patches:
 - ima: Introduce MMAP_CHECK_REQPROT hook

Test: check_deny (hook="MMAP_CHECK", test_mmap arg: "exec_on_writable")
Result (expect denied): denied

Test: check_deny (hook="MMAP_CHECK_REQPROT", test_mmap arg: "exec_on_writable")
/home/roberto/repos/ima-evm-utils/tests/mmap_check.test: line 65: echo: write error: Invalid argument
Failed to set IMA policy
Possibly missing patches:
 - ima: Introduce MMAP_CHECK_REQPROT hook
=================================
 Run with FAILEARLY=1 /home/roberto/repos/ima-evm-utils/tests/mmap_check.test _cleanup_env cleanup
 To stop after first failure
=================================
PASS: 4 SKIP: 0 FAIL: 6


The test results (with the two kernel patches applied) are:

Test: check_mmap (hook="MMAP_CHECK", test_mmap arg: "")
Result (expect not found): not found

Test: check_mmap (hook="MMAP_CHECK", test_mmap arg: "exec")
Result (expect found): found

Test: check_mmap (hook="MMAP_CHECK", test_mmap arg: "read_implies_exec")
Result (expect found): found

Test: check_mmap (hook="MMAP_CHECK_REQPROT", test_mmap arg: "")
Result (expect not found): not found

Test: check_mmap (hook="MMAP_CHECK_REQPROT", test_mmap arg: "exec")
Result (expect found): found

Test: check_mmap (hook="MMAP_CHECK_REQPROT", test_mmap arg: "read_implies_exec")
Result (expect not found): not found

Test: check_deny (hook="MMAP_CHECK", test_mmap arg: "mprotect")
Result (expect denied): denied

Test: check_deny (hook="MMAP_CHECK_REQPROT", test_mmap arg: "mprotect")
Result (expect denied): denied

Test: check_deny (hook="MMAP_CHECK", test_mmap arg: "exec_on_writable")
Result (expect denied): denied

Test: check_deny (hook="MMAP_CHECK_REQPROT", test_mmap arg: "exec_on_writable")
Result (expect denied): denied
PASS: 10 SKIP: 0 FAIL: 0

Roberto
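
A runnable sketch of the expect_pass_if()/expect_fail_if() mechanism described above, added here as an example and not taken from the ima-evm-utils test code: PATCHES is a newline-separated list instead of a bash array so it stays POSIX sh, and fake_check_mmap together with KERNEL_PATCHED are constructed stand-ins for check_mmap and the kernel state (0 = patches missing, 1 = both patches applied).

```shell
# Added example, not the ima-evm-utils test code: an expect_pass_if /
# expect_fail_if pair that names the kernel patches a test depends on
# when its result differs from the expectation.

# Patch titles, one per line; tests refer to them by 0-based index.
PATCHES='ima: Align ima_file_mmap() parameters with mmap_file LSM hook
ima: Introduce MMAP_CHECK_REQPROT hook'

# Print the titles for the space-separated index list in $1.
print_missing_patches() {
	echo "Possibly missing patches:"
	for pm_idx in $1; do
		echo " - $(printf '%s\n' "$PATCHES" | sed -n "$((pm_idx + 1))p")"
	done
}

# expect_status <expected exit code> <patch indexes> <cmd> [args...]
# Returns 0 if cmd exits with the expected code; otherwise names the
# patches the test may depend on and returns 1.
expect_status() {
	es_want=$1; es_indexes=$2; shift 2
	es_ret=0
	"$@" || es_ret=$?
	echo "Result (expect exit $es_want): exit $es_ret"
	[ "$es_ret" -eq "$es_want" ] && return 0
	[ -n "$es_indexes" ] && print_missing_patches "$es_indexes"
	return 1
}
expect_pass_if() { expect_status 0 "$@"; }  # expect_pass_if <indexes> cmd...
expect_fail_if() { expect_status 1 "$@"; }
expect_pass() { expect_status 0 '' "$@"; }  # no patch dependency
expect_fail() { expect_status 1 '' "$@"; }

# Constructed stand-in for check_mmap: exits 0 (found), 1 (not found) or
# 2 (policy rejected). KERNEL_PATCHED=1 simulates both patches applied.
KERNEL_PATCHED=${KERNEL_PATCHED:-0}
fake_check_mmap() {
	echo "Test: check_mmap (hook=\"$1\", test_mmap arg: \"$2\")"
	case "$1:$2" in
	MMAP_CHECK:exec) return 0 ;;
	MMAP_CHECK:read_implies_exec) [ "$KERNEL_PATCHED" = 1 ] ;;
	MMAP_CHECK:*) return 1 ;;
	MMAP_CHECK_REQPROT:*)
		[ "$KERNEL_PATCHED" = 1 ] || { echo "Failed to set IMA policy"; return 2; }
		[ "$2" = exec ] ;;
	esac
}
```

Calling `KERNEL_PATCHED=0 expect_pass_if '0' fake_check_mmap MMAP_CHECK read_implies_exec` reproduces the "Possibly missing patches" output shown in the unpatched run, and with KERNEL_PATCHED=1 the same call passes silently.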
