* [PATCH v2 0/4] IMA: verify measurement of certificate imported into a keyring
@ 2020-08-07 20:46 ` Petr Vorel
0 siblings, 0 replies; 20+ messages in thread
From: Petr Vorel @ 2020-08-07 20:46 UTC (permalink / raw)
To: ltp
Cc: Petr Vorel, Lachlan Sneff, Lakshmi Ramasubramanian, Mimi Zohar,
linux-integrity
Hi,
sending enhanced Lachlan's version.
I haven't tested this patchset, could please anybody test it?
Kind regards,
Petr
Lachlan Sneff (1):
IMA: Add a test to verify measurement of certificate imported into a
keyring
Petr Vorel (3):
IMA/ima_keys.sh Fix policy content check usage
IMA: Refactor datafiles directory
IMA/ima_keys.sh: Enhance policy checks
.../kernel/security/integrity/ima/README.md | 12 ++-
.../security/integrity/ima/datafiles/Makefile | 10 +-
.../ima/datafiles/ima_kexec/Makefile | 11 ++
.../datafiles/{ => ima_kexec}/kexec.policy | 0
.../integrity/ima/datafiles/ima_keys/Makefile | 11 ++
.../datafiles/{ => ima_keys}/keycheck.policy | 2 +-
.../ima/datafiles/ima_keys/x509_ima.der | Bin 0 -> 650 bytes
.../ima/datafiles/ima_policy/Makefile | 11 ++
.../datafiles/{ => ima_policy}/measure.policy | 0
.../{ => ima_policy}/measure.policy-invalid | 0
.../security/integrity/ima/tests/ima_keys.sh | 96 +++++++++++++++---
11 files changed, 129 insertions(+), 24 deletions(-)
create mode 100644 testcases/kernel/security/integrity/ima/datafiles/ima_kexec/Makefile
rename testcases/kernel/security/integrity/ima/datafiles/{ => ima_kexec}/kexec.policy (100%)
create mode 100644 testcases/kernel/security/integrity/ima/datafiles/ima_keys/Makefile
rename testcases/kernel/security/integrity/ima/datafiles/{ => ima_keys}/keycheck.policy (59%)
create mode 100644 testcases/kernel/security/integrity/ima/datafiles/ima_keys/x509_ima.der
create mode 100644 testcases/kernel/security/integrity/ima/datafiles/ima_policy/Makefile
rename testcases/kernel/security/integrity/ima/datafiles/{ => ima_policy}/measure.policy (100%)
rename testcases/kernel/security/integrity/ima/datafiles/{ => ima_policy}/measure.policy-invalid (100%)
--
2.28.0
^ permalink raw reply [flat|nested] 20+ messages in thread
* [LTP] [PATCH v2 0/4] IMA: verify measurement of certificate imported into a keyring
@ 2020-08-07 20:46 ` Petr Vorel
0 siblings, 0 replies; 20+ messages in thread
From: Petr Vorel @ 2020-08-07 20:46 UTC (permalink / raw)
To: ltp
Hi,
sending enhanced Lachlan's version.
I haven't tested this patchset, could please anybody test it?
Kind regards,
Petr
Lachlan Sneff (1):
IMA: Add a test to verify measurement of certificate imported into a
keyring
Petr Vorel (3):
IMA/ima_keys.sh Fix policy content check usage
IMA: Refactor datafiles directory
IMA/ima_keys.sh: Enhance policy checks
.../kernel/security/integrity/ima/README.md | 12 ++-
.../security/integrity/ima/datafiles/Makefile | 10 +-
.../ima/datafiles/ima_kexec/Makefile | 11 ++
.../datafiles/{ => ima_kexec}/kexec.policy | 0
.../integrity/ima/datafiles/ima_keys/Makefile | 11 ++
.../datafiles/{ => ima_keys}/keycheck.policy | 2 +-
.../ima/datafiles/ima_keys/x509_ima.der | Bin 0 -> 650 bytes
.../ima/datafiles/ima_policy/Makefile | 11 ++
.../datafiles/{ => ima_policy}/measure.policy | 0
.../{ => ima_policy}/measure.policy-invalid | 0
.../security/integrity/ima/tests/ima_keys.sh | 96 +++++++++++++++---
11 files changed, 129 insertions(+), 24 deletions(-)
create mode 100644 testcases/kernel/security/integrity/ima/datafiles/ima_kexec/Makefile
rename testcases/kernel/security/integrity/ima/datafiles/{ => ima_kexec}/kexec.policy (100%)
create mode 100644 testcases/kernel/security/integrity/ima/datafiles/ima_keys/Makefile
rename testcases/kernel/security/integrity/ima/datafiles/{ => ima_keys}/keycheck.policy (59%)
create mode 100644 testcases/kernel/security/integrity/ima/datafiles/ima_keys/x509_ima.der
create mode 100644 testcases/kernel/security/integrity/ima/datafiles/ima_policy/Makefile
rename testcases/kernel/security/integrity/ima/datafiles/{ => ima_policy}/measure.policy (100%)
rename testcases/kernel/security/integrity/ima/datafiles/{ => ima_policy}/measure.policy-invalid (100%)
--
2.28.0
^ permalink raw reply [flat|nested] 20+ messages in thread
* [PATCH v2 1/4] IMA/ima_keys.sh Fix policy content check usage
2020-08-07 20:46 ` [LTP] " Petr Vorel
@ 2020-08-07 20:46 ` Petr Vorel
-1 siblings, 0 replies; 20+ messages in thread
From: Petr Vorel @ 2020-08-07 20:46 UTC (permalink / raw)
To: ltp
Cc: Petr Vorel, Lachlan Sneff, Lakshmi Ramasubramanian, Mimi Zohar,
linux-integrity
require_ima_policy_content cannot be used in subshell $() evaluation,
because tst_brk does not quit the test. It calls cleanup for the
subshell process and main process then continue:
ima_keys 1 TCONF: IMA policy does not specify 'func=KEY_CHECK'
=> Here it's running first cleanup. umount errors are because parent
shell process still has $PWD in directory to be unmounted:
umount: /tmp/LTP_ima_keys.0dIVrwJKIG/mntpoint: target is busy.
ima_keys 1 TINFO: umount(/dev/loop0) failed, try 1 ...
ima_keys 1 TINFO: Likely gvfsd-trash is probing newly mounted fs, kill it to speed up tests.
umount: /tmp/LTP_ima_keys.0dIVrwJKIG/mntpoint: target is busy.
...
ima_keys 1 TINFO: umount(/dev/loop0) failed, try 50 ...
ima_keys 1 TINFO: Likely gvfsd-trash is probing newly mounted fs, kill it to speed up tests.
ima_keys 1 TWARN: Failed to umount(/dev/loop0) after 50 retries
tst_device.c:222: WARN: ioctl(/dev/loop0, LOOP_CLR_FD, 0) no ENXIO for too long
Usage: tst_device acquire [size [filename]]
or: tst_device release /path/to/device
ima_keys 1 TWARN: Failed to release device '/dev/loop0'
rm: cannot remove '/tmp/LTP_ima_keys.0dIVrwJKIG/mntpoint': Device or resource busy
ima_keys 1 TINFO: AppArmor enabled, this may affect test results
ima_keys 1 TINFO: it can be disabled with TST_DISABLE_APPARMOR=1 (requires super/root)
ima_keys 1 TINFO: loaded AppArmor profiles: none
/opt/ltp/testcases/bin/ima_keys.sh: line 25: 6166 Terminated sleep $sec && tst_res TBROK "test killed, timeout! If you are running on slow machine, try exporting LTP_TIMEOUT_MUL > 1" && kill -9 -$pid (wd: ~)
=> Here it should quit after running cleanup, but instead continue running:
ima_keys 1 TCONF: ima policy does not specify a keyrings to check
Fixes: f20f44d72 ("IMA/ima_keys.sh: Fix policy readability check")
Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
Originally sent as
https://patchwork.ozlabs.org/project/ltp/patch/20200807112929.8984-1-pvorel@suse.cz/
testcases/kernel/security/integrity/ima/tests/ima_keys.sh | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_keys.sh b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh
index 3aea26056..53c289054 100755
--- a/testcases/kernel/security/integrity/ima/tests/ima_keys.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh
@@ -16,11 +16,14 @@ TST_NEEDS_DEVICE=1
# (450d0fd51564 - "IMA: Call workqueue functions to measure queued keys")
test1()
{
- local keyrings keycheck_lines keycheck_line templates test_file="file.txt"
+ local keyrings keycheck_lines keycheck_line templates
+ local pattern="func=KEY_CHECK"
+ local test_file="file.txt"
tst_res TINFO "verifying key measurement for keyrings and templates specified in IMA policy file"
- keycheck_lines=$(require_ima_policy_content "func=KEY_CHECK" "")
+ require_ima_policy_content "$pattern"
+ keycheck_lines=$(check_ima_policy_content "$pattern" "")
keycheck_line=$(echo "$keycheck_lines" | grep "keyrings" | head -n1)
if [ -z "$keycheck_line" ]; then
--
2.28.0
^ permalink raw reply related [flat|nested] 20+ messages in thread
* [LTP] [PATCH v2 1/4] IMA/ima_keys.sh Fix policy content check usage
@ 2020-08-07 20:46 ` Petr Vorel
0 siblings, 0 replies; 20+ messages in thread
From: Petr Vorel @ 2020-08-07 20:46 UTC (permalink / raw)
To: ltp
require_ima_policy_content cannot be used in subshell $() evaluation,
because tst_brk does not quit the test. It calls cleanup for the
subshell process and main process then continue:
ima_keys 1 TCONF: IMA policy does not specify 'func=KEY_CHECK'
=> Here it's running first cleanup. umount errors are because parent
shell process still has $PWD in directory to be unmounted:
umount: /tmp/LTP_ima_keys.0dIVrwJKIG/mntpoint: target is busy.
ima_keys 1 TINFO: umount(/dev/loop0) failed, try 1 ...
ima_keys 1 TINFO: Likely gvfsd-trash is probing newly mounted fs, kill it to speed up tests.
umount: /tmp/LTP_ima_keys.0dIVrwJKIG/mntpoint: target is busy.
...
ima_keys 1 TINFO: umount(/dev/loop0) failed, try 50 ...
ima_keys 1 TINFO: Likely gvfsd-trash is probing newly mounted fs, kill it to speed up tests.
ima_keys 1 TWARN: Failed to umount(/dev/loop0) after 50 retries
tst_device.c:222: WARN: ioctl(/dev/loop0, LOOP_CLR_FD, 0) no ENXIO for too long
Usage: tst_device acquire [size [filename]]
or: tst_device release /path/to/device
ima_keys 1 TWARN: Failed to release device '/dev/loop0'
rm: cannot remove '/tmp/LTP_ima_keys.0dIVrwJKIG/mntpoint': Device or resource busy
ima_keys 1 TINFO: AppArmor enabled, this may affect test results
ima_keys 1 TINFO: it can be disabled with TST_DISABLE_APPARMOR=1 (requires super/root)
ima_keys 1 TINFO: loaded AppArmor profiles: none
/opt/ltp/testcases/bin/ima_keys.sh: line 25: 6166 Terminated sleep $sec && tst_res TBROK "test killed, timeout! If you are running on slow machine, try exporting LTP_TIMEOUT_MUL > 1" && kill -9 -$pid (wd: ~)
=> Here it should quit after running cleanup, but instead continue running:
ima_keys 1 TCONF: ima policy does not specify a keyrings to check
Fixes: f20f44d72 ("IMA/ima_keys.sh: Fix policy readability check")
Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
Originally sent as
https://patchwork.ozlabs.org/project/ltp/patch/20200807112929.8984-1-pvorel@suse.cz/
testcases/kernel/security/integrity/ima/tests/ima_keys.sh | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_keys.sh b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh
index 3aea26056..53c289054 100755
--- a/testcases/kernel/security/integrity/ima/tests/ima_keys.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh
@@ -16,11 +16,14 @@ TST_NEEDS_DEVICE=1
# (450d0fd51564 - "IMA: Call workqueue functions to measure queued keys")
test1()
{
- local keyrings keycheck_lines keycheck_line templates test_file="file.txt"
+ local keyrings keycheck_lines keycheck_line templates
+ local pattern="func=KEY_CHECK"
+ local test_file="file.txt"
tst_res TINFO "verifying key measurement for keyrings and templates specified in IMA policy file"
- keycheck_lines=$(require_ima_policy_content "func=KEY_CHECK" "")
+ require_ima_policy_content "$pattern"
+ keycheck_lines=$(check_ima_policy_content "$pattern" "")
keycheck_line=$(echo "$keycheck_lines" | grep "keyrings" | head -n1)
if [ -z "$keycheck_line" ]; then
--
2.28.0
^ permalink raw reply related [flat|nested] 20+ messages in thread
* [PATCH v2 2/4] IMA: Refactor datafiles directory
2020-08-07 20:46 ` [LTP] " Petr Vorel
@ 2020-08-07 20:46 ` Petr Vorel
-1 siblings, 0 replies; 20+ messages in thread
From: Petr Vorel @ 2020-08-07 20:46 UTC (permalink / raw)
To: ltp
Cc: Petr Vorel, Lachlan Sneff, Lakshmi Ramasubramanian, Mimi Zohar,
linux-integrity
The IMA datafiles directory is structured so that it cannot be directly
expanded to include datafiles for tests other than `ima_policy.sh`
as it's installed into /opt/ltp/testcases/data/ima_policy.
Also not all policies are meant to be for ima_policy.sh, thus
move policies into their own directories based on the test which they
belong to. Rename policy directory to ima_policy to follow the
pattern that directory in sources match the installed directory.
Reported-by: Lachlan Sneff <t-josne@linux.microsoft.com>
Signed-off-by: Lachlan Sneff <t-josne@linux.microsoft.com>
[ pvorel: based on Lachlan's patch, rewritten ]
Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
I rewritten this patch, but used Lachlan's Signed-off-by and copyright
for his changes in datafiles/Makefile.
Kind regards,
Petr
.../kernel/security/integrity/ima/datafiles/Makefile | 10 +++++-----
.../integrity/ima/datafiles/ima_kexec/Makefile | 11 +++++++++++
.../ima/datafiles/{ => ima_kexec}/kexec.policy | 0
.../integrity/ima/datafiles/ima_keys/Makefile | 11 +++++++++++
.../ima/datafiles/{ => ima_keys}/keycheck.policy | 0
.../integrity/ima/datafiles/ima_policy/Makefile | 11 +++++++++++
.../ima/datafiles/{ => ima_policy}/measure.policy | 0
.../datafiles/{ => ima_policy}/measure.policy-invalid | 0
8 files changed, 38 insertions(+), 5 deletions(-)
create mode 100644 testcases/kernel/security/integrity/ima/datafiles/ima_kexec/Makefile
rename testcases/kernel/security/integrity/ima/datafiles/{ => ima_kexec}/kexec.policy (100%)
create mode 100644 testcases/kernel/security/integrity/ima/datafiles/ima_keys/Makefile
rename testcases/kernel/security/integrity/ima/datafiles/{ => ima_keys}/keycheck.policy (100%)
create mode 100644 testcases/kernel/security/integrity/ima/datafiles/ima_policy/Makefile
rename testcases/kernel/security/integrity/ima/datafiles/{ => ima_policy}/measure.policy (100%)
rename testcases/kernel/security/integrity/ima/datafiles/{ => ima_policy}/measure.policy-invalid (100%)
diff --git a/testcases/kernel/security/integrity/ima/datafiles/Makefile b/testcases/kernel/security/integrity/ima/datafiles/Makefile
index 369407112..6857ccfee 100644
--- a/testcases/kernel/security/integrity/ima/datafiles/Makefile
+++ b/testcases/kernel/security/integrity/ima/datafiles/Makefile
@@ -1,6 +1,8 @@
#
# testcases/kernel/security/integrity/ima/policy testcases Makefile.
#
+# Copyright (c) Linux Test Project, 2019-2020
+# Copyright (c) 2020 Microsoft Corporation
# Copyright (C) 2009, Cisco Systems Inc.
#
# This program is free software; you can redistribute it and/or modify
@@ -20,12 +22,10 @@
# Ngie Cooper, July 2009
#
-top_srcdir ?= ../../../../../..
+top_srcdir ?= ../../../../../..
include $(top_srcdir)/include/mk/env_pre.mk
-INSTALL_DIR := testcases/data/ima_policy
+SUBDIRS := ima_*
-INSTALL_TARGETS := measure.policy-invalid *.policy
-
-include $(top_srcdir)/include/mk/generic_leaf_target.mk
+include $(top_srcdir)/include/mk/generic_trunk_target.mk
diff --git a/testcases/kernel/security/integrity/ima/datafiles/ima_kexec/Makefile b/testcases/kernel/security/integrity/ima/datafiles/ima_kexec/Makefile
new file mode 100644
index 000000000..5e0d632a7
--- /dev/null
+++ b/testcases/kernel/security/integrity/ima/datafiles/ima_kexec/Makefile
@@ -0,0 +1,11 @@
+# SPDX-License-Identifier: GPL-2.0-or-later
+# Copyright (c) Linux Test Project, 2020
+
+top_srcdir ?= ../../../../../../..
+
+include $(top_srcdir)/include/mk/env_pre.mk
+
+INSTALL_DIR := testcases/data/ima_kexec
+INSTALL_TARGETS := *.policy
+
+include $(top_srcdir)/include/mk/generic_leaf_target.mk
diff --git a/testcases/kernel/security/integrity/ima/datafiles/kexec.policy b/testcases/kernel/security/integrity/ima/datafiles/ima_kexec/kexec.policy
similarity index 100%
rename from testcases/kernel/security/integrity/ima/datafiles/kexec.policy
rename to testcases/kernel/security/integrity/ima/datafiles/ima_kexec/kexec.policy
diff --git a/testcases/kernel/security/integrity/ima/datafiles/ima_keys/Makefile b/testcases/kernel/security/integrity/ima/datafiles/ima_keys/Makefile
new file mode 100644
index 000000000..452321843
--- /dev/null
+++ b/testcases/kernel/security/integrity/ima/datafiles/ima_keys/Makefile
@@ -0,0 +1,11 @@
+# SPDX-License-Identifier: GPL-2.0-or-later
+# Copyright (c) Linux Test Project, 2020
+
+top_srcdir ?= ../../../../../../..
+
+include $(top_srcdir)/include/mk/env_pre.mk
+
+INSTALL_DIR := testcases/data/ima_keys
+INSTALL_TARGETS := *.policy
+
+include $(top_srcdir)/include/mk/generic_leaf_target.mk
diff --git a/testcases/kernel/security/integrity/ima/datafiles/keycheck.policy b/testcases/kernel/security/integrity/ima/datafiles/ima_keys/keycheck.policy
similarity index 100%
rename from testcases/kernel/security/integrity/ima/datafiles/keycheck.policy
rename to testcases/kernel/security/integrity/ima/datafiles/ima_keys/keycheck.policy
diff --git a/testcases/kernel/security/integrity/ima/datafiles/ima_policy/Makefile b/testcases/kernel/security/integrity/ima/datafiles/ima_policy/Makefile
new file mode 100644
index 000000000..953e21556
--- /dev/null
+++ b/testcases/kernel/security/integrity/ima/datafiles/ima_policy/Makefile
@@ -0,0 +1,11 @@
+# SPDX-License-Identifier: GPL-2.0-or-later
+# Copyright (c) Linux Test Project, 2020
+
+top_srcdir ?= ../../../../../../..
+
+include $(top_srcdir)/include/mk/env_pre.mk
+
+INSTALL_DIR := testcases/data/ima_policy
+INSTALL_TARGETS := *.policy-invalid *.policy
+
+include $(top_srcdir)/include/mk/generic_leaf_target.mk
diff --git a/testcases/kernel/security/integrity/ima/datafiles/measure.policy b/testcases/kernel/security/integrity/ima/datafiles/ima_policy/measure.policy
similarity index 100%
rename from testcases/kernel/security/integrity/ima/datafiles/measure.policy
rename to testcases/kernel/security/integrity/ima/datafiles/ima_policy/measure.policy
diff --git a/testcases/kernel/security/integrity/ima/datafiles/measure.policy-invalid b/testcases/kernel/security/integrity/ima/datafiles/ima_policy/measure.policy-invalid
similarity index 100%
rename from testcases/kernel/security/integrity/ima/datafiles/measure.policy-invalid
rename to testcases/kernel/security/integrity/ima/datafiles/ima_policy/measure.policy-invalid
--
2.28.0
^ permalink raw reply related [flat|nested] 20+ messages in thread
* [LTP] [PATCH v2 2/4] IMA: Refactor datafiles directory
@ 2020-08-07 20:46 ` Petr Vorel
0 siblings, 0 replies; 20+ messages in thread
From: Petr Vorel @ 2020-08-07 20:46 UTC (permalink / raw)
To: ltp
The IMA datafiles directory is structured so that it cannot be directly
expanded to include datafiles for tests other than `ima_policy.sh`
as it's installed into /opt/ltp/testcases/data/ima_policy.
Also not all policies are meant to be for ima_policy.sh, thus
move policies into their own directories based on the test which they
belong to. Rename policy directory to ima_policy to follow the
pattern that directory in sources match the installed directory.
Reported-by: Lachlan Sneff <t-josne@linux.microsoft.com>
Signed-off-by: Lachlan Sneff <t-josne@linux.microsoft.com>
[ pvorel: based on Lachlan's patch, rewritten ]
Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
I rewritten this patch, but used Lachlan's Signed-off-by and copyright
for his changes in datafiles/Makefile.
Kind regards,
Petr
.../kernel/security/integrity/ima/datafiles/Makefile | 10 +++++-----
.../integrity/ima/datafiles/ima_kexec/Makefile | 11 +++++++++++
.../ima/datafiles/{ => ima_kexec}/kexec.policy | 0
.../integrity/ima/datafiles/ima_keys/Makefile | 11 +++++++++++
.../ima/datafiles/{ => ima_keys}/keycheck.policy | 0
.../integrity/ima/datafiles/ima_policy/Makefile | 11 +++++++++++
.../ima/datafiles/{ => ima_policy}/measure.policy | 0
.../datafiles/{ => ima_policy}/measure.policy-invalid | 0
8 files changed, 38 insertions(+), 5 deletions(-)
create mode 100644 testcases/kernel/security/integrity/ima/datafiles/ima_kexec/Makefile
rename testcases/kernel/security/integrity/ima/datafiles/{ => ima_kexec}/kexec.policy (100%)
create mode 100644 testcases/kernel/security/integrity/ima/datafiles/ima_keys/Makefile
rename testcases/kernel/security/integrity/ima/datafiles/{ => ima_keys}/keycheck.policy (100%)
create mode 100644 testcases/kernel/security/integrity/ima/datafiles/ima_policy/Makefile
rename testcases/kernel/security/integrity/ima/datafiles/{ => ima_policy}/measure.policy (100%)
rename testcases/kernel/security/integrity/ima/datafiles/{ => ima_policy}/measure.policy-invalid (100%)
diff --git a/testcases/kernel/security/integrity/ima/datafiles/Makefile b/testcases/kernel/security/integrity/ima/datafiles/Makefile
index 369407112..6857ccfee 100644
--- a/testcases/kernel/security/integrity/ima/datafiles/Makefile
+++ b/testcases/kernel/security/integrity/ima/datafiles/Makefile
@@ -1,6 +1,8 @@
#
# testcases/kernel/security/integrity/ima/policy testcases Makefile.
#
+# Copyright (c) Linux Test Project, 2019-2020
+# Copyright (c) 2020 Microsoft Corporation
# Copyright (C) 2009, Cisco Systems Inc.
#
# This program is free software; you can redistribute it and/or modify
@@ -20,12 +22,10 @@
# Ngie Cooper, July 2009
#
-top_srcdir ?= ../../../../../..
+top_srcdir ?= ../../../../../..
include $(top_srcdir)/include/mk/env_pre.mk
-INSTALL_DIR := testcases/data/ima_policy
+SUBDIRS := ima_*
-INSTALL_TARGETS := measure.policy-invalid *.policy
-
-include $(top_srcdir)/include/mk/generic_leaf_target.mk
+include $(top_srcdir)/include/mk/generic_trunk_target.mk
diff --git a/testcases/kernel/security/integrity/ima/datafiles/ima_kexec/Makefile b/testcases/kernel/security/integrity/ima/datafiles/ima_kexec/Makefile
new file mode 100644
index 000000000..5e0d632a7
--- /dev/null
+++ b/testcases/kernel/security/integrity/ima/datafiles/ima_kexec/Makefile
@@ -0,0 +1,11 @@
+# SPDX-License-Identifier: GPL-2.0-or-later
+# Copyright (c) Linux Test Project, 2020
+
+top_srcdir ?= ../../../../../../..
+
+include $(top_srcdir)/include/mk/env_pre.mk
+
+INSTALL_DIR := testcases/data/ima_kexec
+INSTALL_TARGETS := *.policy
+
+include $(top_srcdir)/include/mk/generic_leaf_target.mk
diff --git a/testcases/kernel/security/integrity/ima/datafiles/kexec.policy b/testcases/kernel/security/integrity/ima/datafiles/ima_kexec/kexec.policy
similarity index 100%
rename from testcases/kernel/security/integrity/ima/datafiles/kexec.policy
rename to testcases/kernel/security/integrity/ima/datafiles/ima_kexec/kexec.policy
diff --git a/testcases/kernel/security/integrity/ima/datafiles/ima_keys/Makefile b/testcases/kernel/security/integrity/ima/datafiles/ima_keys/Makefile
new file mode 100644
index 000000000..452321843
--- /dev/null
+++ b/testcases/kernel/security/integrity/ima/datafiles/ima_keys/Makefile
@@ -0,0 +1,11 @@
+# SPDX-License-Identifier: GPL-2.0-or-later
+# Copyright (c) Linux Test Project, 2020
+
+top_srcdir ?= ../../../../../../..
+
+include $(top_srcdir)/include/mk/env_pre.mk
+
+INSTALL_DIR := testcases/data/ima_keys
+INSTALL_TARGETS := *.policy
+
+include $(top_srcdir)/include/mk/generic_leaf_target.mk
diff --git a/testcases/kernel/security/integrity/ima/datafiles/keycheck.policy b/testcases/kernel/security/integrity/ima/datafiles/ima_keys/keycheck.policy
similarity index 100%
rename from testcases/kernel/security/integrity/ima/datafiles/keycheck.policy
rename to testcases/kernel/security/integrity/ima/datafiles/ima_keys/keycheck.policy
diff --git a/testcases/kernel/security/integrity/ima/datafiles/ima_policy/Makefile b/testcases/kernel/security/integrity/ima/datafiles/ima_policy/Makefile
new file mode 100644
index 000000000..953e21556
--- /dev/null
+++ b/testcases/kernel/security/integrity/ima/datafiles/ima_policy/Makefile
@@ -0,0 +1,11 @@
+# SPDX-License-Identifier: GPL-2.0-or-later
+# Copyright (c) Linux Test Project, 2020
+
+top_srcdir ?= ../../../../../../..
+
+include $(top_srcdir)/include/mk/env_pre.mk
+
+INSTALL_DIR := testcases/data/ima_policy
+INSTALL_TARGETS := *.policy-invalid *.policy
+
+include $(top_srcdir)/include/mk/generic_leaf_target.mk
diff --git a/testcases/kernel/security/integrity/ima/datafiles/measure.policy b/testcases/kernel/security/integrity/ima/datafiles/ima_policy/measure.policy
similarity index 100%
rename from testcases/kernel/security/integrity/ima/datafiles/measure.policy
rename to testcases/kernel/security/integrity/ima/datafiles/ima_policy/measure.policy
diff --git a/testcases/kernel/security/integrity/ima/datafiles/measure.policy-invalid b/testcases/kernel/security/integrity/ima/datafiles/ima_policy/measure.policy-invalid
similarity index 100%
rename from testcases/kernel/security/integrity/ima/datafiles/measure.policy-invalid
rename to testcases/kernel/security/integrity/ima/datafiles/ima_policy/measure.policy-invalid
--
2.28.0
^ permalink raw reply related [flat|nested] 20+ messages in thread
* [PATCH v2 3/4] IMA: Add a test to verify measurement of certificate imported into a keyring
2020-08-07 20:46 ` [LTP] " Petr Vorel
@ 2020-08-07 20:46 ` Petr Vorel
-1 siblings, 0 replies; 20+ messages in thread
From: Petr Vorel @ 2020-08-07 20:46 UTC (permalink / raw)
To: ltp
Cc: Lachlan Sneff, Lakshmi Ramasubramanian, Mimi Zohar,
linux-integrity, Petr Vorel
From: Lachlan Sneff <t-josne@linux.microsoft.com>
The IMA subsystem supports measuring certificates that have been
imported into either system built-in or user-defined keyrings.
A test to verify measurement of a certificate imported
into a keyring is required.
Add an IMA measurement test that verifies that an x509 certificate
can be imported into a newly-created, user-defined keyring and measured
correctly by the IMA subsystem.
A certificate used by the test is included in the `datafiles/keys`
directory.
There can be restrictions on importing a certificate into a builtin
trusted keyring. For example, the `.ima` keyring requires that
imported certs be signed by a kernel private key in certain
kernel configurations. For this reason, this test defines
a user-defined keyring and imports a certificate into that.
Reviewed-by: Petr Vorel <pvorel@suse.cz>
Signed-off-by: Lachlan Sneff <t-josne@linux.microsoft.com>
[ pvorel: Added key_import_test into keycheck.policy, reword
instructions in README.md, LTP API related fixes ]
Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
I did various changes:
* fix error check in pipe command (grep $keyring_name
$ASCII_MEASUREMENTS ...) $? contains exit code just of last command
(xxd) => check for empty file.
* use more propriate error flags (TCONF => TFAIL, but some of them could
be also TBROK)
* tst_brk => tst_res && return in test1 (to give chance test2 to be run)
* add TINFO message about test
* remove obvious comment
Kind regards,
Petr
.../kernel/security/integrity/ima/README.md | 12 ++--
.../ima/datafiles/ima_keys/keycheck.policy | 2 +-
.../ima/datafiles/ima_keys/x509_ima.der | Bin 0 -> 650 bytes
.../security/integrity/ima/tests/ima_keys.sh | 68 +++++++++++++++---
4 files changed, 69 insertions(+), 13 deletions(-)
create mode 100644 testcases/kernel/security/integrity/ima/datafiles/ima_keys/x509_ima.der
diff --git a/testcases/kernel/security/integrity/ima/README.md b/testcases/kernel/security/integrity/ima/README.md
index 392e1e868..68d046678 100644
--- a/testcases/kernel/security/integrity/ima/README.md
+++ b/testcases/kernel/security/integrity/ima/README.md
@@ -16,11 +16,15 @@ space, may contain equivalent measurement tcb rules, detecting them would
require `IMA_READ_POLICY=y` therefore ignore this option.
### IMA key test
-`ima_keys.sh` requires a readable IMA policy, as well as a loaded policy
-with `func=KEY_CHECK keyrings=...`, see example in `keycheck.policy`.
+The measuring keys test (first test) in `ima_keys.sh` requires a readable IMA
+policy, as well as a loaded measure policy with `func=KEY_CHECK keyrings=...`.
-As well as what's required for the IMA tests, the following are also required
--in the kernel configuration:
+The certificate import test (second test) require measure policy with
+`func=KEY_CHECK keyrings=key_import_test`. Valid policy for both is in
+`keycheck.policy`.
+
+As well as what's required for the IMA tests, key tests require reading the IMA
+policy allowed in the kernel configuration:
```
CONFIG_IMA_READ_POLICY=y
```
diff --git a/testcases/kernel/security/integrity/ima/datafiles/ima_keys/keycheck.policy b/testcases/kernel/security/integrity/ima/datafiles/ima_keys/keycheck.policy
index 3f1934a3d..623162002 100644
--- a/testcases/kernel/security/integrity/ima/datafiles/ima_keys/keycheck.policy
+++ b/testcases/kernel/security/integrity/ima/datafiles/ima_keys/keycheck.policy
@@ -1 +1 @@
-measure func=KEY_CHECK keyrings=.ima|.evm|.builtin_trusted_keys|.blacklist template=ima-buf
+measure func=KEY_CHECK keyrings=.ima|.evm|.builtin_trusted_keys|.blacklist|key_import_test template=ima-buf
diff --git a/testcases/kernel/security/integrity/ima/datafiles/ima_keys/x509_ima.der b/testcases/kernel/security/integrity/ima/datafiles/ima_keys/x509_ima.der
new file mode 100644
index 0000000000000000000000000000000000000000..92be058da22adffa9d6b6e51efa0c737ebbbbdcd
GIT binary patch
literal 650
zcmXqLVrnyJVtl`VnTe5!NhJD#vj69`9|BBf8}FEsx@^_9$Clp>c-c6$+C196^D;7W
zvoaV27z!HjvoVLVaPe?t<QJFZCFZ6YN*hRmgqV4R$}{p4b2Al+Gt=`j^U@WvQ!5SS
z3}oO&a59SVLzFncG#ki?^BP(jSQr@@7#Ud_7)6Qm8W{k&hEOgIY;2s5>?=lA2Ij_I
z27|^<rp88wchfeduxmMW^j9qUxkIugeev4q7u7yrJR_rW$*!>VOo=tim8DK0r^FsU
zl)K`}`+CO4@4KBkoLmcj?fH`%wbDvU<d=4Z>6-SMf6Eh}{&)1rdsOoNQ-1fgBQ1t{
zVTqGwuK95LlFE)6i{@=vlP6!2`Y}x<BF&oXU_nlDxy@C+CNp&=W=00a#jys_20XwZ
zl@(@W{LjK<z+k`);_<VvFf*|?7|4P+d@N!tBCNWX-0#?!UAx9s`mgFmW+nI2#6kmk
zkhC(3gn?Lt$m4W@56wQ)?QVKW<nOtpT)HJrB?Q^`z&K?FdV8b(y8m)~mOOvswu^9m
z-o7mOwCAzaT*~`Y4wxFtmNA_89`W;j{r#iww*5OC5vgEziqD_%=ki$*`;s}`Pfwi{
zbotZ0X`ckHOmaVLm85n@E9hN_K;~PUB>DFAzh(;(UoMln9V>g;W#-LUGS7A`nYQKY
WBem{7L5JThS+;$vggi%(*E;~nlJ80Y
literal 0
HcmV?d00001
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_keys.sh b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh
index 53c289054..30950904e 100755
--- a/testcases/kernel/security/integrity/ima/tests/ima_keys.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh
@@ -6,8 +6,8 @@
#
# Verify that keys are measured correctly based on policy.
-TST_NEEDS_CMDS="cut grep sed tr xxd"
-TST_CNT=1
+TST_NEEDS_CMDS="cmp cut grep sed tr xxd"
+TST_CNT=2
TST_NEEDS_DEVICE=1
. ima_setup.sh
@@ -20,20 +20,22 @@ test1()
local pattern="func=KEY_CHECK"
local test_file="file.txt"
- tst_res TINFO "verifying key measurement for keyrings and templates specified in IMA policy file"
+ tst_res TINFO "verify key measurement for keyrings and templates specified in IMA policy"
require_ima_policy_content "$pattern"
keycheck_lines=$(check_ima_policy_content "$pattern" "")
keycheck_line=$(echo "$keycheck_lines" | grep "keyrings" | head -n1)
if [ -z "$keycheck_line" ]; then
- tst_brk TCONF "ima policy does not specify a keyrings to check"
+ tst_res TCONF "IMA policy does not specify a keyrings to check"
+ return
fi
keyrings=$(echo "$keycheck_line" | tr " " "\n" | grep "keyrings" | \
sed "s/\./\\\./g" | cut -d'=' -f2)
if [ -z "$keyrings" ]; then
- tst_brk TCONF "ima policy has a keyring key-value specifier, but no specified keyrings"
+ tst_res TCONF "IMA policy has a keyring key-value specifier, but no specified keyrings"
+ return
fi
templates=$(echo "$keycheck_line" | tr " " "\n" | grep "template" | \
@@ -49,11 +51,13 @@ test1()
echo "$line" | cut -d' ' -f6 | xxd -r -p > $test_file
- expected_digest="$(compute_digest $algorithm $test_file)" || \
- tst_brk TCONF "cannot compute digest for $algorithm"
+ if ! expected_digest="$(compute_digest $algorithm $test_file)"; then
+ tst_res TCONF "cannot compute digest for $algorithm"
+ return
+ fi
if [ "$digest" != "$expected_digest" ]; then
- tst_res TFAIL "incorrect digest was found for the ($keyring) keyring"
+ tst_res TFAIL "incorrect digest was found for $keyring keyring"
return
fi
done
@@ -61,4 +65,52 @@ test1()
tst_res TPASS "specified keyrings were measured correctly"
}
+# Create a new keyring, import a certificate into it, and verify
+# that the certificate is measured correctly by IMA.
+test2()
+{
+ tst_require_cmds evmctl keyctl openssl
+
+ local cert_file="$TST_DATAROOT/x509_ima.der"
+ local keyring_name="key_import_test"
+ local temp_file="file.txt"
+ local keyring_id
+
+ tst_res TINFO "verify measurement of certificate imported into a keyring"
+
+ if ! check_ima_policy_content "^measure.*func=KEY_CHECK.*keyrings=.*$keyring_name"; then
+ tst_brk TCONF "IMA policy does not contain $keyring_name keyring"
+ fi
+
+ keyctl new_session > /dev/null
+
+ keyring_id=$(keyctl newring $keyring_name @s) || \
+ tst_brk TBROK "unable to create a new keyring"
+
+ tst_is_num $keyring_id || \
+ tst_brk TBROK "unable to parse the new keyring id"
+
+ evmctl import $cert_file $keyring_id > /dev/null || \
+ tst_brk TBROK "unable to import a certificate into $keyring_name keyring"
+
+ grep $keyring_name $ASCII_MEASUREMENTS | tail -n1 | cut -d' ' -f6 | \
+ xxd -r -p > $temp_file
+
+ if [ ! -s $temp_file ]; then
+ tst_res TFAIL "keyring $keyring_name not found in $ASCII_MEASUREMENTS"
+ return
+ fi
+
+ if ! openssl x509 -in $temp_file -inform der > /dev/null; then
+ tst_res TFAIL "logged certificate is not a valid x509 certificate"
+ return
+ fi
+
+ if cmp -s $temp_file $cert_file; then
+ tst_res TPASS "logged certificate matches the original"
+ else
+ tst_res TFAIL "logged certificate does not match original"
+ fi
+}
+
tst_run
--
2.28.0
^ permalink raw reply related [flat|nested] 20+ messages in thread
* [LTP] [PATCH v2 3/4] IMA: Add a test to verify measurement of certificate imported into a keyring
@ 2020-08-07 20:46 ` Petr Vorel
0 siblings, 0 replies; 20+ messages in thread
From: Petr Vorel @ 2020-08-07 20:46 UTC (permalink / raw)
To: ltp
From: Lachlan Sneff <t-josne@linux.microsoft.com>
The IMA subsystem supports measuring certificates that have been
imported into either system built-in or user-defined keyrings.
A test to verify measurement of a certificate imported
into a keyring is required.
Add an IMA measurement test that verifies that an x509 certificate
can be imported into a newly-created, user-defined keyring and measured
correctly by the IMA subsystem.
A certificate used by the test is included in the `datafiles/keys`
directory.
There can be restrictions on importing a certificate into a builtin
trusted keyring. For example, the `.ima` keyring requires that
imported certs be signed by a kernel private key in certain
kernel configurations. For this reason, this test defines
a user-defined keyring and imports a certificate into that.
Reviewed-by: Petr Vorel <pvorel@suse.cz>
Signed-off-by: Lachlan Sneff <t-josne@linux.microsoft.com>
[ pvorel: Added key_import_test into keycheck.policy, reword
instructions in README.md, LTP API related fixes ]
Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
I did various changes:
* fix error check in pipe command (grep $keyring_name
$ASCII_MEASUREMENTS ...) $? contains exit code just of last command
(xxd) => check for empty file.
* use more propriate error flags (TCONF => TFAIL, but some of them could
be also TBROK)
* tst_brk => tst_res && return in test1 (to give chance test2 to be run)
* add TINFO message about test
* remove obvious comment
Kind regards,
Petr
.../kernel/security/integrity/ima/README.md | 12 ++--
.../ima/datafiles/ima_keys/keycheck.policy | 2 +-
.../ima/datafiles/ima_keys/x509_ima.der | Bin 0 -> 650 bytes
.../security/integrity/ima/tests/ima_keys.sh | 68 +++++++++++++++---
4 files changed, 69 insertions(+), 13 deletions(-)
create mode 100644 testcases/kernel/security/integrity/ima/datafiles/ima_keys/x509_ima.der
diff --git a/testcases/kernel/security/integrity/ima/README.md b/testcases/kernel/security/integrity/ima/README.md
index 392e1e868..68d046678 100644
--- a/testcases/kernel/security/integrity/ima/README.md
+++ b/testcases/kernel/security/integrity/ima/README.md
@@ -16,11 +16,15 @@ space, may contain equivalent measurement tcb rules, detecting them would
require `IMA_READ_POLICY=y` therefore ignore this option.
### IMA key test
-`ima_keys.sh` requires a readable IMA policy, as well as a loaded policy
-with `func=KEY_CHECK keyrings=...`, see example in `keycheck.policy`.
+The measuring keys test (first test) in `ima_keys.sh` requires a readable IMA
+policy, as well as a loaded measure policy with `func=KEY_CHECK keyrings=...`.
-As well as what's required for the IMA tests, the following are also required
--in the kernel configuration:
+The certificate import test (second test) require measure policy with
+`func=KEY_CHECK keyrings=key_import_test`. Valid policy for both is in
+`keycheck.policy`.
+
+As well as what's required for the IMA tests, key tests require reading the IMA
+policy allowed in the kernel configuration:
```
CONFIG_IMA_READ_POLICY=y
```
diff --git a/testcases/kernel/security/integrity/ima/datafiles/ima_keys/keycheck.policy b/testcases/kernel/security/integrity/ima/datafiles/ima_keys/keycheck.policy
index 3f1934a3d..623162002 100644
--- a/testcases/kernel/security/integrity/ima/datafiles/ima_keys/keycheck.policy
+++ b/testcases/kernel/security/integrity/ima/datafiles/ima_keys/keycheck.policy
@@ -1 +1 @@
-measure func=KEY_CHECK keyrings=.ima|.evm|.builtin_trusted_keys|.blacklist template=ima-buf
+measure func=KEY_CHECK keyrings=.ima|.evm|.builtin_trusted_keys|.blacklist|key_import_test template=ima-buf
diff --git a/testcases/kernel/security/integrity/ima/datafiles/ima_keys/x509_ima.der b/testcases/kernel/security/integrity/ima/datafiles/ima_keys/x509_ima.der
new file mode 100644
index 0000000000000000000000000000000000000000..92be058da22adffa9d6b6e51efa0c737ebbbbdcd
GIT binary patch
literal 650
zcmXqLVrnyJVtl`VnTe5!NhJD#vj69`9|BBf8}FEsx@^_9$Clp>c-c6$+C196^D;7W
zvoaV27z!HjvoVLVaPe?t<QJFZCFZ6YN*hRmgqV4R$}{p4b2Al+Gt=`j^U@WvQ!5SS
z3}oO&a59SVLzFncG#ki?^BP(jSQr@@7#Ud_7)6Qm8W{k&hEOgIY;2s5>?=lA2Ij_I
z27|^<rp88wchfeduxmMW^j9qUxkIugeev4q7u7yrJR_rW$*!>VOo=tim8DK0r^FsU
zl)K`}`+CO4@4KBkoLmcj?fH`%wbDvU<d=4Z>6-SMf6Eh}{&)1rdsOoNQ-1fgBQ1t{
zVTqGwuK95LlFE)6i{@=vlP6!2`Y}x<BF&oXU_nlDxy@C+CNp&=W=00a#jys_20XwZ
zl@(@W{LjK<z+k`);_<VvFf*|?7|4P+d@N!tBCNWX-0#?!UAx9s`mgFmW+nI2#6kmk
zkhC(3gn?Lt$m4W@56wQ)?QVKW<nOtpT)HJrB?Q^`z&K?FdV8b(y8m)~mOOvswu^9m
z-o7mOwCAzaT*~`Y4wxFtmNA_89`W;j{r#iww*5OC5vgEziqD_%=ki$*`;s}`Pfwi{
zbotZ0X`ckHOmaVLm85n@E9hN_K;~PUB>DFAzh(;(UoMln9V>g;W#-LUGS7A`nYQKY
WBem{7L5JThS+;$vggi%(*E;~nlJ80Y
literal 0
HcmV?d00001
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_keys.sh b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh
index 53c289054..30950904e 100755
--- a/testcases/kernel/security/integrity/ima/tests/ima_keys.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh
@@ -6,8 +6,8 @@
#
# Verify that keys are measured correctly based on policy.
-TST_NEEDS_CMDS="cut grep sed tr xxd"
-TST_CNT=1
+TST_NEEDS_CMDS="cmp cut grep sed tr xxd"
+TST_CNT=2
TST_NEEDS_DEVICE=1
. ima_setup.sh
@@ -20,20 +20,22 @@ test1()
local pattern="func=KEY_CHECK"
local test_file="file.txt"
- tst_res TINFO "verifying key measurement for keyrings and templates specified in IMA policy file"
+ tst_res TINFO "verify key measurement for keyrings and templates specified in IMA policy"
require_ima_policy_content "$pattern"
keycheck_lines=$(check_ima_policy_content "$pattern" "")
keycheck_line=$(echo "$keycheck_lines" | grep "keyrings" | head -n1)
if [ -z "$keycheck_line" ]; then
- tst_brk TCONF "ima policy does not specify a keyrings to check"
+ tst_res TCONF "IMA policy does not specify a keyrings to check"
+ return
fi
keyrings=$(echo "$keycheck_line" | tr " " "\n" | grep "keyrings" | \
sed "s/\./\\\./g" | cut -d'=' -f2)
if [ -z "$keyrings" ]; then
- tst_brk TCONF "ima policy has a keyring key-value specifier, but no specified keyrings"
+ tst_res TCONF "IMA policy has a keyring key-value specifier, but no specified keyrings"
+ return
fi
templates=$(echo "$keycheck_line" | tr " " "\n" | grep "template" | \
@@ -49,11 +51,13 @@ test1()
echo "$line" | cut -d' ' -f6 | xxd -r -p > $test_file
- expected_digest="$(compute_digest $algorithm $test_file)" || \
- tst_brk TCONF "cannot compute digest for $algorithm"
+ if ! expected_digest="$(compute_digest $algorithm $test_file)"; then
+ tst_res TCONF "cannot compute digest for $algorithm"
+ return
+ fi
if [ "$digest" != "$expected_digest" ]; then
- tst_res TFAIL "incorrect digest was found for the ($keyring) keyring"
+ tst_res TFAIL "incorrect digest was found for $keyring keyring"
return
fi
done
@@ -61,4 +65,52 @@ test1()
tst_res TPASS "specified keyrings were measured correctly"
}
+# Create a new keyring, import a certificate into it, and verify
+# that the certificate is measured correctly by IMA.
+test2()
+{
+ tst_require_cmds evmctl keyctl openssl
+
+ local cert_file="$TST_DATAROOT/x509_ima.der"
+ local keyring_name="key_import_test"
+ local temp_file="file.txt"
+ local keyring_id
+
+ tst_res TINFO "verify measurement of certificate imported into a keyring"
+
+ if ! check_ima_policy_content "^measure.*func=KEY_CHECK.*keyrings=.*$keyring_name"; then
+ tst_brk TCONF "IMA policy does not contain $keyring_name keyring"
+ fi
+
+ keyctl new_session > /dev/null
+
+ keyring_id=$(keyctl newring $keyring_name @s) || \
+ tst_brk TBROK "unable to create a new keyring"
+
+ tst_is_num $keyring_id || \
+ tst_brk TBROK "unable to parse the new keyring id"
+
+ evmctl import $cert_file $keyring_id > /dev/null || \
+ tst_brk TBROK "unable to import a certificate into $keyring_name keyring"
+
+ grep $keyring_name $ASCII_MEASUREMENTS | tail -n1 | cut -d' ' -f6 | \
+ xxd -r -p > $temp_file
+
+ if [ ! -s $temp_file ]; then
+ tst_res TFAIL "keyring $keyring_name not found in $ASCII_MEASUREMENTS"
+ return
+ fi
+
+ if ! openssl x509 -in $temp_file -inform der > /dev/null; then
+ tst_res TFAIL "logged certificate is not a valid x509 certificate"
+ return
+ fi
+
+ if cmp -s $temp_file $cert_file; then
+ tst_res TPASS "logged certificate matches the original"
+ else
+ tst_res TFAIL "logged certificate does not match original"
+ fi
+}
+
tst_run
--
2.28.0
^ permalink raw reply related [flat|nested] 20+ messages in thread
* [PATCH v2 4/4] IMA/ima_keys.sh: Enhance policy checks
2020-08-07 20:46 ` [LTP] " Petr Vorel
@ 2020-08-07 20:46 ` Petr Vorel
-1 siblings, 0 replies; 20+ messages in thread
From: Petr Vorel @ 2020-08-07 20:46 UTC (permalink / raw)
To: ltp
Cc: Petr Vorel, Lachlan Sneff, Lakshmi Ramasubramanian, Mimi Zohar,
linux-integrity
Reuse policy check code.
Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
.../security/integrity/ima/tests/ima_keys.sh | 39 ++++++++++++-------
1 file changed, 26 insertions(+), 13 deletions(-)
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_keys.sh b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh
index 30950904e..5735568ee 100755
--- a/testcases/kernel/security/integrity/ima/tests/ima_keys.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh
@@ -9,27 +9,41 @@
TST_NEEDS_CMDS="cmp cut grep sed tr xxd"
TST_CNT=2
TST_NEEDS_DEVICE=1
+TST_SETUP="setup"
. ima_setup.sh
+KEYCHECK_POLICY='func=KEY_CHECK'
+
+setup()
+{
+ require_ima_policy_content "^measure.*$KEYCHECK_POLICY"
+}
+
+check_keys_policy()
+{
+ local pattern="$1"
+
+ pattern="^measure.*($KEYCHECK_POLICY.*$pattern|$pattern.*$KEYCHECK_POLICY)"
+ if ! check_ima_policy_content "$pattern" '-E'; then
+ tst_res TCONF "IMA policy does not specify '$pattern'"
+ return 1
+ fi
+ return 0
+}
+
+
# Based on https://lkml.org/lkml/2019/12/13/564.
# (450d0fd51564 - "IMA: Call workqueue functions to measure queued keys")
test1()
{
- local keyrings keycheck_lines keycheck_line templates
- local pattern="func=KEY_CHECK"
+ local keycheck_line keyrings templates
+ local pattern='keyrings=[^[:space:]]+'
local test_file="file.txt"
tst_res TINFO "verify key measurement for keyrings and templates specified in IMA policy"
- require_ima_policy_content "$pattern"
- keycheck_lines=$(check_ima_policy_content "$pattern" "")
- keycheck_line=$(echo "$keycheck_lines" | grep "keyrings" | head -n1)
-
- if [ -z "$keycheck_line" ]; then
- tst_res TCONF "IMA policy does not specify a keyrings to check"
- return
- fi
+ keycheck_line=$(check_keys_policy "$pattern") || return
keyrings=$(echo "$keycheck_line" | tr " " "\n" | grep "keyrings" | \
sed "s/\./\\\./g" | cut -d'=' -f2)
@@ -73,14 +87,13 @@ test2()
local cert_file="$TST_DATAROOT/x509_ima.der"
local keyring_name="key_import_test"
+ local pattern="keyrings=[^[:space:]]*$keyring_name"
local temp_file="file.txt"
local keyring_id
tst_res TINFO "verify measurement of certificate imported into a keyring"
- if ! check_ima_policy_content "^measure.*func=KEY_CHECK.*keyrings=.*$keyring_name"; then
- tst_brk TCONF "IMA policy does not contain $keyring_name keyring"
- fi
+ check_keys_policy "$pattern" >/dev/null || return
keyctl new_session > /dev/null
--
2.28.0
^ permalink raw reply related [flat|nested] 20+ messages in thread
* [LTP] [PATCH v2 4/4] IMA/ima_keys.sh: Enhance policy checks
@ 2020-08-07 20:46 ` Petr Vorel
0 siblings, 0 replies; 20+ messages in thread
From: Petr Vorel @ 2020-08-07 20:46 UTC (permalink / raw)
To: ltp
Reuse policy check code.
Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
.../security/integrity/ima/tests/ima_keys.sh | 39 ++++++++++++-------
1 file changed, 26 insertions(+), 13 deletions(-)
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_keys.sh b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh
index 30950904e..5735568ee 100755
--- a/testcases/kernel/security/integrity/ima/tests/ima_keys.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh
@@ -9,27 +9,41 @@
TST_NEEDS_CMDS="cmp cut grep sed tr xxd"
TST_CNT=2
TST_NEEDS_DEVICE=1
+TST_SETUP="setup"
. ima_setup.sh
+KEYCHECK_POLICY='func=KEY_CHECK'
+
+setup()
+{
+ require_ima_policy_content "^measure.*$KEYCHECK_POLICY"
+}
+
+check_keys_policy()
+{
+ local pattern="$1"
+
+ pattern="^measure.*($KEYCHECK_POLICY.*$pattern|$pattern.*$KEYCHECK_POLICY)"
+ if ! check_ima_policy_content "$pattern" '-E'; then
+ tst_res TCONF "IMA policy does not specify '$pattern'"
+ return 1
+ fi
+ return 0
+}
+
+
# Based on https://lkml.org/lkml/2019/12/13/564.
# (450d0fd51564 - "IMA: Call workqueue functions to measure queued keys")
test1()
{
- local keyrings keycheck_lines keycheck_line templates
- local pattern="func=KEY_CHECK"
+ local keycheck_line keyrings templates
+ local pattern='keyrings=[^[:space:]]+'
local test_file="file.txt"
tst_res TINFO "verify key measurement for keyrings and templates specified in IMA policy"
- require_ima_policy_content "$pattern"
- keycheck_lines=$(check_ima_policy_content "$pattern" "")
- keycheck_line=$(echo "$keycheck_lines" | grep "keyrings" | head -n1)
-
- if [ -z "$keycheck_line" ]; then
- tst_res TCONF "IMA policy does not specify a keyrings to check"
- return
- fi
+ keycheck_line=$(check_keys_policy "$pattern") || return
keyrings=$(echo "$keycheck_line" | tr " " "\n" | grep "keyrings" | \
sed "s/\./\\\./g" | cut -d'=' -f2)
@@ -73,14 +87,13 @@ test2()
local cert_file="$TST_DATAROOT/x509_ima.der"
local keyring_name="key_import_test"
+ local pattern="keyrings=[^[:space:]]*$keyring_name"
local temp_file="file.txt"
local keyring_id
tst_res TINFO "verify measurement of certificate imported into a keyring"
- if ! check_ima_policy_content "^measure.*func=KEY_CHECK.*keyrings=.*$keyring_name"; then
- tst_brk TCONF "IMA policy does not contain $keyring_name keyring"
- fi
+ check_keys_policy "$pattern" >/dev/null || return
keyctl new_session > /dev/null
--
2.28.0
^ permalink raw reply related [flat|nested] 20+ messages in thread
* Re: [PATCH v2 3/4] IMA: Add a test to verify measurement of certificate imported into a keyring
2020-08-07 20:46 ` [LTP] " Petr Vorel
@ 2020-08-07 21:12 ` Lakshmi Ramasubramanian
-1 siblings, 0 replies; 20+ messages in thread
From: Lakshmi Ramasubramanian @ 2020-08-07 21:12 UTC (permalink / raw)
To: Petr Vorel, ltp; +Cc: Lachlan Sneff, Mimi Zohar, linux-integrity
On 8/7/20 1:46 PM, Petr Vorel wrote:
Hi Petr,
> From: Lachlan Sneff <t-josne@linux.microsoft.com>
>
> The IMA subsystem supports measuring certificates that have been
> imported into either system built-in or user-defined keyrings.
> A test to verify measurement of a certificate imported
> into a keyring is required.
>
> Add an IMA measurement test that verifies that an x509 certificate
> can be imported into a newly-created, user-defined keyring and measured
> correctly by the IMA subsystem.
>
> A certificate used by the test is included in the `datafiles/keys`
> directory.
>
> There can be restrictions on importing a certificate into a builtin
> trusted keyring. For example, the `.ima` keyring requires that
> imported certs be signed by a kernel private key in certain
> kernel configurations. For this reason, this test defines
> a user-defined keyring and imports a certificate into that.
>
> Reviewed-by: Petr Vorel <pvorel@suse.cz>
> Signed-off-by: Lachlan Sneff <t-josne@linux.microsoft.com>
> [ pvorel: Added key_import_test into keycheck.policy, reword
> instructions in README.md, LTP API related fixes ]
> Signed-off-by: Petr Vorel <pvorel@suse.cz>
> ---
> I did various changes:
> * fix error check in pipe command (grep $keyring_name
> $ASCII_MEASUREMENTS ...) $? contains exit code just of last command
> (xxd) => check for empty file.
> * use more propriate error flags (TCONF => TFAIL, but some of them could
> be also TBROK)
> * tst_brk => tst_res && return in test1 (to give chance test2 to be run)
> * add TINFO message about test
> * remove obvious comment
Thanks for updating the patches.
In testcases/kernel/security/integrity/ima/datafiles/ima_keys/Makefile
the following change (include x509_ima.der) needed to be made to run
ima_keys.sh tests
INSTALL_TARGETS := *.policy x509_ima.der
Other than that the patches look good.
thanks,
-lakshmi
>
> .../kernel/security/integrity/ima/README.md | 12 ++--
> .../ima/datafiles/ima_keys/keycheck.policy | 2 +-
> .../ima/datafiles/ima_keys/x509_ima.der | Bin 0 -> 650 bytes
> .../security/integrity/ima/tests/ima_keys.sh | 68 +++++++++++++++---
> 4 files changed, 69 insertions(+), 13 deletions(-)
> create mode 100644 testcases/kernel/security/integrity/ima/datafiles/ima_keys/x509_ima.der
>
> diff --git a/testcases/kernel/security/integrity/ima/README.md b/testcases/kernel/security/integrity/ima/README.md
> index 392e1e868..68d046678 100644
> --- a/testcases/kernel/security/integrity/ima/README.md
> +++ b/testcases/kernel/security/integrity/ima/README.md
> @@ -16,11 +16,15 @@ space, may contain equivalent measurement tcb rules, detecting them would
> require `IMA_READ_POLICY=y` therefore ignore this option.
>
> ### IMA key test
> -`ima_keys.sh` requires a readable IMA policy, as well as a loaded policy
> -with `func=KEY_CHECK keyrings=...`, see example in `keycheck.policy`.
> +The measuring keys test (first test) in `ima_keys.sh` requires a readable IMA
> +policy, as well as a loaded measure policy with `func=KEY_CHECK keyrings=...`.
>
> -As well as what's required for the IMA tests, the following are also required
> --in the kernel configuration:
> +The certificate import test (second test) require measure policy with
> +`func=KEY_CHECK keyrings=key_import_test`. Valid policy for both is in
> +`keycheck.policy`.
> +
> +As well as what's required for the IMA tests, key tests require reading the IMA
> +policy allowed in the kernel configuration:
> ```
> CONFIG_IMA_READ_POLICY=y
> ```
> diff --git a/testcases/kernel/security/integrity/ima/datafiles/ima_keys/keycheck.policy b/testcases/kernel/security/integrity/ima/datafiles/ima_keys/keycheck.policy
> index 3f1934a3d..623162002 100644
> --- a/testcases/kernel/security/integrity/ima/datafiles/ima_keys/keycheck.policy
> +++ b/testcases/kernel/security/integrity/ima/datafiles/ima_keys/keycheck.policy
> @@ -1 +1 @@
> -measure func=KEY_CHECK keyrings=.ima|.evm|.builtin_trusted_keys|.blacklist template=ima-buf
> +measure func=KEY_CHECK keyrings=.ima|.evm|.builtin_trusted_keys|.blacklist|key_import_test template=ima-buf
> diff --git a/testcases/kernel/security/integrity/ima/datafiles/ima_keys/x509_ima.der b/testcases/kernel/security/integrity/ima/datafiles/ima_keys/x509_ima.der
> new file mode 100644
> index 0000000000000000000000000000000000000000..92be058da22adffa9d6b6e51efa0c737ebbbbdcd
> GIT binary patch
> literal 650
> zcmXqLVrnyJVtl`VnTe5!NhJD#vj69`9|BBf8}FEsx@^_9$Clp>c-c6$+C196^D;7W
> zvoaV27z!HjvoVLVaPe?t<QJFZCFZ6YN*hRmgqV4R$}{p4b2Al+Gt=`j^U@WvQ!5SS
> z3}oO&a59SVLzFncG#ki?^BP(jSQr@@7#Ud_7)6Qm8W{k&hEOgIY;2s5>?=lA2Ij_I
> z27|^<rp88wchfeduxmMW^j9qUxkIugeev4q7u7yrJR_rW$*!>VOo=tim8DK0r^FsU
> zl)K`}`+CO4@4KBkoLmcj?fH`%wbDvU<d=4Z>6-SMf6Eh}{&)1rdsOoNQ-1fgBQ1t{
> zVTqGwuK95LlFE)6i{@=vlP6!2`Y}x<BF&oXU_nlDxy@C+CNp&=W=00a#jys_20XwZ
> zl@(@W{LjK<z+k`);_<VvFf*|?7|4P+d@N!tBCNWX-0#?!UAx9s`mgFmW+nI2#6kmk
> zkhC(3gn?Lt$m4W@56wQ)?QVKW<nOtpT)HJrB?Q^`z&K?FdV8b(y8m)~mOOvswu^9m
> z-o7mOwCAzaT*~`Y4wxFtmNA_89`W;j{r#iww*5OC5vgEziqD_%=ki$*`;s}`Pfwi{
> zbotZ0X`ckHOmaVLm85n@E9hN_K;~PUB>DFAzh(;(UoMln9V>g;W#-LUGS7A`nYQKY
> WBem{7L5JThS+;$vggi%(*E;~nlJ80Y
>
> literal 0
> HcmV?d00001
>
> diff --git a/testcases/kernel/security/integrity/ima/tests/ima_keys.sh b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh
> index 53c289054..30950904e 100755
> --- a/testcases/kernel/security/integrity/ima/tests/ima_keys.sh
> +++ b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh
> @@ -6,8 +6,8 @@
> #
> # Verify that keys are measured correctly based on policy.
>
> -TST_NEEDS_CMDS="cut grep sed tr xxd"
> -TST_CNT=1
> +TST_NEEDS_CMDS="cmp cut grep sed tr xxd"
> +TST_CNT=2
> TST_NEEDS_DEVICE=1
>
> . ima_setup.sh
> @@ -20,20 +20,22 @@ test1()
> local pattern="func=KEY_CHECK"
> local test_file="file.txt"
>
> - tst_res TINFO "verifying key measurement for keyrings and templates specified in IMA policy file"
> + tst_res TINFO "verify key measurement for keyrings and templates specified in IMA policy"
>
> require_ima_policy_content "$pattern"
> keycheck_lines=$(check_ima_policy_content "$pattern" "")
> keycheck_line=$(echo "$keycheck_lines" | grep "keyrings" | head -n1)
>
> if [ -z "$keycheck_line" ]; then
> - tst_brk TCONF "ima policy does not specify a keyrings to check"
> + tst_res TCONF "IMA policy does not specify a keyrings to check"
> + return
> fi
>
> keyrings=$(echo "$keycheck_line" | tr " " "\n" | grep "keyrings" | \
> sed "s/\./\\\./g" | cut -d'=' -f2)
> if [ -z "$keyrings" ]; then
> - tst_brk TCONF "ima policy has a keyring key-value specifier, but no specified keyrings"
> + tst_res TCONF "IMA policy has a keyring key-value specifier, but no specified keyrings"
> + return
> fi
>
> templates=$(echo "$keycheck_line" | tr " " "\n" | grep "template" | \
> @@ -49,11 +51,13 @@ test1()
>
> echo "$line" | cut -d' ' -f6 | xxd -r -p > $test_file
>
> - expected_digest="$(compute_digest $algorithm $test_file)" || \
> - tst_brk TCONF "cannot compute digest for $algorithm"
> + if ! expected_digest="$(compute_digest $algorithm $test_file)"; then
> + tst_res TCONF "cannot compute digest for $algorithm"
> + return
> + fi
>
> if [ "$digest" != "$expected_digest" ]; then
> - tst_res TFAIL "incorrect digest was found for the ($keyring) keyring"
> + tst_res TFAIL "incorrect digest was found for $keyring keyring"
> return
> fi
> done
> @@ -61,4 +65,52 @@ test1()
> tst_res TPASS "specified keyrings were measured correctly"
> }
>
> +# Create a new keyring, import a certificate into it, and verify
> +# that the certificate is measured correctly by IMA.
> +test2()
> +{
> + tst_require_cmds evmctl keyctl openssl
> +
> + local cert_file="$TST_DATAROOT/x509_ima.der"
> + local keyring_name="key_import_test"
> + local temp_file="file.txt"
> + local keyring_id
> +
> + tst_res TINFO "verify measurement of certificate imported into a keyring"
> +
> + if ! check_ima_policy_content "^measure.*func=KEY_CHECK.*keyrings=.*$keyring_name"; then
> + tst_brk TCONF "IMA policy does not contain $keyring_name keyring"
> + fi
> +
> + keyctl new_session > /dev/null
> +
> + keyring_id=$(keyctl newring $keyring_name @s) || \
> + tst_brk TBROK "unable to create a new keyring"
> +
> + tst_is_num $keyring_id || \
> + tst_brk TBROK "unable to parse the new keyring id"
> +
> + evmctl import $cert_file $keyring_id > /dev/null || \
> + tst_brk TBROK "unable to import a certificate into $keyring_name keyring"
> +
> + grep $keyring_name $ASCII_MEASUREMENTS | tail -n1 | cut -d' ' -f6 | \
> + xxd -r -p > $temp_file
> +
> + if [ ! -s $temp_file ]; then
> + tst_res TFAIL "keyring $keyring_name not found in $ASCII_MEASUREMENTS"
> + return
> + fi
> +
> + if ! openssl x509 -in $temp_file -inform der > /dev/null; then
> + tst_res TFAIL "logged certificate is not a valid x509 certificate"
> + return
> + fi
> +
> + if cmp -s $temp_file $cert_file; then
> + tst_res TPASS "logged certificate matches the original"
> + else
> + tst_res TFAIL "logged certificate does not match original"
> + fi
> +}
> +
> tst_run
>
^ permalink raw reply [flat|nested] 20+ messages in thread
* [LTP] [PATCH v2 3/4] IMA: Add a test to verify measurement of certificate imported into a keyring
@ 2020-08-07 21:12 ` Lakshmi Ramasubramanian
0 siblings, 0 replies; 20+ messages in thread
From: Lakshmi Ramasubramanian @ 2020-08-07 21:12 UTC (permalink / raw)
To: ltp
On 8/7/20 1:46 PM, Petr Vorel wrote:
Hi Petr,
> From: Lachlan Sneff <t-josne@linux.microsoft.com>
>
> The IMA subsystem supports measuring certificates that have been
> imported into either system built-in or user-defined keyrings.
> A test to verify measurement of a certificate imported
> into a keyring is required.
>
> Add an IMA measurement test that verifies that an x509 certificate
> can be imported into a newly-created, user-defined keyring and measured
> correctly by the IMA subsystem.
>
> A certificate used by the test is included in the `datafiles/keys`
> directory.
>
> There can be restrictions on importing a certificate into a builtin
> trusted keyring. For example, the `.ima` keyring requires that
> imported certs be signed by a kernel private key in certain
> kernel configurations. For this reason, this test defines
> a user-defined keyring and imports a certificate into that.
>
> Reviewed-by: Petr Vorel <pvorel@suse.cz>
> Signed-off-by: Lachlan Sneff <t-josne@linux.microsoft.com>
> [ pvorel: Added key_import_test into keycheck.policy, reword
> instructions in README.md, LTP API related fixes ]
> Signed-off-by: Petr Vorel <pvorel@suse.cz>
> ---
> I did various changes:
> * fix error check in pipe command (grep $keyring_name
> $ASCII_MEASUREMENTS ...) $? contains exit code just of last command
> (xxd) => check for empty file.
> * use more propriate error flags (TCONF => TFAIL, but some of them could
> be also TBROK)
> * tst_brk => tst_res && return in test1 (to give chance test2 to be run)
> * add TINFO message about test
> * remove obvious comment
Thanks for updating the patches.
In testcases/kernel/security/integrity/ima/datafiles/ima_keys/Makefile
the following change (include x509_ima.der) needed to be made to run
ima_keys.sh tests
INSTALL_TARGETS := *.policy x509_ima.der
Other than that the patches look good.
thanks,
-lakshmi
>
> .../kernel/security/integrity/ima/README.md | 12 ++--
> .../ima/datafiles/ima_keys/keycheck.policy | 2 +-
> .../ima/datafiles/ima_keys/x509_ima.der | Bin 0 -> 650 bytes
> .../security/integrity/ima/tests/ima_keys.sh | 68 +++++++++++++++---
> 4 files changed, 69 insertions(+), 13 deletions(-)
> create mode 100644 testcases/kernel/security/integrity/ima/datafiles/ima_keys/x509_ima.der
>
> diff --git a/testcases/kernel/security/integrity/ima/README.md b/testcases/kernel/security/integrity/ima/README.md
> index 392e1e868..68d046678 100644
> --- a/testcases/kernel/security/integrity/ima/README.md
> +++ b/testcases/kernel/security/integrity/ima/README.md
> @@ -16,11 +16,15 @@ space, may contain equivalent measurement tcb rules, detecting them would
> require `IMA_READ_POLICY=y` therefore ignore this option.
>
> ### IMA key test
> -`ima_keys.sh` requires a readable IMA policy, as well as a loaded policy
> -with `func=KEY_CHECK keyrings=...`, see example in `keycheck.policy`.
> +The measuring keys test (first test) in `ima_keys.sh` requires a readable IMA
> +policy, as well as a loaded measure policy with `func=KEY_CHECK keyrings=...`.
>
> -As well as what's required for the IMA tests, the following are also required
> --in the kernel configuration:
> +The certificate import test (second test) require measure policy with
> +`func=KEY_CHECK keyrings=key_import_test`. Valid policy for both is in
> +`keycheck.policy`.
> +
> +As well as what's required for the IMA tests, key tests require reading the IMA
> +policy allowed in the kernel configuration:
> ```
> CONFIG_IMA_READ_POLICY=y
> ```
> diff --git a/testcases/kernel/security/integrity/ima/datafiles/ima_keys/keycheck.policy b/testcases/kernel/security/integrity/ima/datafiles/ima_keys/keycheck.policy
> index 3f1934a3d..623162002 100644
> --- a/testcases/kernel/security/integrity/ima/datafiles/ima_keys/keycheck.policy
> +++ b/testcases/kernel/security/integrity/ima/datafiles/ima_keys/keycheck.policy
> @@ -1 +1 @@
> -measure func=KEY_CHECK keyrings=.ima|.evm|.builtin_trusted_keys|.blacklist template=ima-buf
> +measure func=KEY_CHECK keyrings=.ima|.evm|.builtin_trusted_keys|.blacklist|key_import_test template=ima-buf
> diff --git a/testcases/kernel/security/integrity/ima/datafiles/ima_keys/x509_ima.der b/testcases/kernel/security/integrity/ima/datafiles/ima_keys/x509_ima.der
> new file mode 100644
> index 0000000000000000000000000000000000000000..92be058da22adffa9d6b6e51efa0c737ebbbbdcd
> GIT binary patch
> literal 650
> zcmXqLVrnyJVtl`VnTe5!NhJD#vj69`9|BBf8}FEsx@^_9$Clp>c-c6$+C196^D;7W
> zvoaV27z!HjvoVLVaPe?t<QJFZCFZ6YN*hRmgqV4R$}{p4b2Al+Gt=`j^U@WvQ!5SS
> z3}oO&a59SVLzFncG#ki?^BP(jSQr@@7#Ud_7)6Qm8W{k&hEOgIY;2s5>?=lA2Ij_I
> z27|^<rp88wchfeduxmMW^j9qUxkIugeev4q7u7yrJR_rW$*!>VOo=tim8DK0r^FsU
> zl)K`}`+CO4@4KBkoLmcj?fH`%wbDvU<d=4Z>6-SMf6Eh}{&)1rdsOoNQ-1fgBQ1t{
> zVTqGwuK95LlFE)6i{@=vlP6!2`Y}x<BF&oXU_nlDxy@C+CNp&=W=00a#jys_20XwZ
> zl@(@W{LjK<z+k`);_<VvFf*|?7|4P+d@N!tBCNWX-0#?!UAx9s`mgFmW+nI2#6kmk
> zkhC(3gn?Lt$m4W@56wQ)?QVKW<nOtpT)HJrB?Q^`z&K?FdV8b(y8m)~mOOvswu^9m
> z-o7mOwCAzaT*~`Y4wxFtmNA_89`W;j{r#iww*5OC5vgEziqD_%=ki$*`;s}`Pfwi{
> zbotZ0X`ckHOmaVLm85n@E9hN_K;~PUB>DFAzh(;(UoMln9V>g;W#-LUGS7A`nYQKY
> WBem{7L5JThS+;$vggi%(*E;~nlJ80Y
>
> literal 0
> HcmV?d00001
>
> diff --git a/testcases/kernel/security/integrity/ima/tests/ima_keys.sh b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh
> index 53c289054..30950904e 100755
> --- a/testcases/kernel/security/integrity/ima/tests/ima_keys.sh
> +++ b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh
> @@ -6,8 +6,8 @@
> #
> # Verify that keys are measured correctly based on policy.
>
> -TST_NEEDS_CMDS="cut grep sed tr xxd"
> -TST_CNT=1
> +TST_NEEDS_CMDS="cmp cut grep sed tr xxd"
> +TST_CNT=2
> TST_NEEDS_DEVICE=1
>
> . ima_setup.sh
> @@ -20,20 +20,22 @@ test1()
> local pattern="func=KEY_CHECK"
> local test_file="file.txt"
>
> - tst_res TINFO "verifying key measurement for keyrings and templates specified in IMA policy file"
> + tst_res TINFO "verify key measurement for keyrings and templates specified in IMA policy"
>
> require_ima_policy_content "$pattern"
> keycheck_lines=$(check_ima_policy_content "$pattern" "")
> keycheck_line=$(echo "$keycheck_lines" | grep "keyrings" | head -n1)
>
> if [ -z "$keycheck_line" ]; then
> - tst_brk TCONF "ima policy does not specify a keyrings to check"
> + tst_res TCONF "IMA policy does not specify a keyrings to check"
> + return
> fi
>
> keyrings=$(echo "$keycheck_line" | tr " " "\n" | grep "keyrings" | \
> sed "s/\./\\\./g" | cut -d'=' -f2)
> if [ -z "$keyrings" ]; then
> - tst_brk TCONF "ima policy has a keyring key-value specifier, but no specified keyrings"
> + tst_res TCONF "IMA policy has a keyring key-value specifier, but no specified keyrings"
> + return
> fi
>
> templates=$(echo "$keycheck_line" | tr " " "\n" | grep "template" | \
> @@ -49,11 +51,13 @@ test1()
>
> echo "$line" | cut -d' ' -f6 | xxd -r -p > $test_file
>
> - expected_digest="$(compute_digest $algorithm $test_file)" || \
> - tst_brk TCONF "cannot compute digest for $algorithm"
> + if ! expected_digest="$(compute_digest $algorithm $test_file)"; then
> + tst_res TCONF "cannot compute digest for $algorithm"
> + return
> + fi
>
> if [ "$digest" != "$expected_digest" ]; then
> - tst_res TFAIL "incorrect digest was found for the ($keyring) keyring"
> + tst_res TFAIL "incorrect digest was found for $keyring keyring"
> return
> fi
> done
> @@ -61,4 +65,52 @@ test1()
> tst_res TPASS "specified keyrings were measured correctly"
> }
>
> +# Create a new keyring, import a certificate into it, and verify
> +# that the certificate is measured correctly by IMA.
> +test2()
> +{
> + tst_require_cmds evmctl keyctl openssl
> +
> + local cert_file="$TST_DATAROOT/x509_ima.der"
> + local keyring_name="key_import_test"
> + local temp_file="file.txt"
> + local keyring_id
> +
> + tst_res TINFO "verify measurement of certificate imported into a keyring"
> +
> + if ! check_ima_policy_content "^measure.*func=KEY_CHECK.*keyrings=.*$keyring_name"; then
> + tst_brk TCONF "IMA policy does not contain $keyring_name keyring"
> + fi
> +
> + keyctl new_session > /dev/null
> +
> + keyring_id=$(keyctl newring $keyring_name @s) || \
> + tst_brk TBROK "unable to create a new keyring"
> +
> + tst_is_num $keyring_id || \
> + tst_brk TBROK "unable to parse the new keyring id"
> +
> + evmctl import $cert_file $keyring_id > /dev/null || \
> + tst_brk TBROK "unable to import a certificate into $keyring_name keyring"
> +
> + grep $keyring_name $ASCII_MEASUREMENTS | tail -n1 | cut -d' ' -f6 | \
> + xxd -r -p > $temp_file
> +
> + if [ ! -s $temp_file ]; then
> + tst_res TFAIL "keyring $keyring_name not found in $ASCII_MEASUREMENTS"
> + return
> + fi
> +
> + if ! openssl x509 -in $temp_file -inform der > /dev/null; then
> + tst_res TFAIL "logged certificate is not a valid x509 certificate"
> + return
> + fi
> +
> + if cmp -s $temp_file $cert_file; then
> + tst_res TPASS "logged certificate matches the original"
> + else
> + tst_res TFAIL "logged certificate does not match original"
> + fi
> +}
> +
> tst_run
>
^ permalink raw reply [flat|nested] 20+ messages in thread
* Re: [PATCH v2 0/4] IMA: verify measurement of certificate imported into a keyring
2020-08-07 20:46 ` [LTP] " Petr Vorel
@ 2020-08-12 13:35 ` Petr Vorel
-1 siblings, 0 replies; 20+ messages in thread
From: Petr Vorel @ 2020-08-12 13:35 UTC (permalink / raw)
To: ltp; +Cc: Lachlan Sneff, Lakshmi Ramasubramanian, Mimi Zohar, linux-integrity
Hi Mimi,
> sending enhanced Lachlan's version.
> I haven't tested this patchset, could please anybody test it?
@Mimi FYI, I'm waiting for your review to merge this patchset (when you have
time).
Kind regards,
Petr
> Lachlan Sneff (1):
> IMA: Add a test to verify measurement of certificate imported into a
> keyring
I guess I should shorten this message.
> Petr Vorel (3):
> IMA/ima_keys.sh Fix policy content check usage
> IMA: Refactor datafiles directory
> IMA/ima_keys.sh: Enhance policy checks
Kind regards,
Petr
^ permalink raw reply [flat|nested] 20+ messages in thread
* [LTP] [PATCH v2 0/4] IMA: verify measurement of certificate imported into a keyring
@ 2020-08-12 13:35 ` Petr Vorel
0 siblings, 0 replies; 20+ messages in thread
From: Petr Vorel @ 2020-08-12 13:35 UTC (permalink / raw)
To: ltp
Hi Mimi,
> sending enhanced Lachlan's version.
> I haven't tested this patchset, could please anybody test it?
@Mimi FYI, I'm waiting for your review to merge this patchset (when you have
time).
Kind regards,
Petr
> Lachlan Sneff (1):
> IMA: Add a test to verify measurement of certificate imported into a
> keyring
I guess I should shorten this message.
> Petr Vorel (3):
> IMA/ima_keys.sh Fix policy content check usage
> IMA: Refactor datafiles directory
> IMA/ima_keys.sh: Enhance policy checks
Kind regards,
Petr
^ permalink raw reply [flat|nested] 20+ messages in thread
* Re: [PATCH v2 3/4] IMA: Add a test to verify measurement of certificate imported into a keyring
2020-08-07 20:46 ` [LTP] " Petr Vorel
@ 2020-08-17 3:21 ` Mimi Zohar
-1 siblings, 0 replies; 20+ messages in thread
From: Mimi Zohar @ 2020-08-17 3:21 UTC (permalink / raw)
To: Petr Vorel, ltp
Cc: Lachlan Sneff, Lakshmi Ramasubramanian, Mimi Zohar, linux-integrity
Hi Petr, Lachlan,
On Fri, 2020-08-07 at 22:46 +0200, Petr Vorel wrote:
> From: Lachlan Sneff <t-josne@linux.microsoft.com>
> diff --git a/testcases/kernel/security/integrity/ima/tests/ima_keys.sh b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh
> index 53c289054..30950904e 100755
> --- a/testcases/kernel/security/integrity/ima/tests/ima_keys.sh
> +++ b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh
>
> @@ -61,4 +65,52 @@ test1()
> tst_res TPASS "specified keyrings were measured correctly"
> }
>
> +# Create a new keyring, import a certificate into it, and verify
> +# that the certificate is measured correctly by IMA.
> +test2()
> +{
> + tst_require_cmds evmctl keyctl openssl
> +
> + local cert_file="$TST_DATAROOT/x509_ima.der"
> + local keyring_name="key_import_test"
> + local temp_file="file.txt"
> + local keyring_id
> +
> + tst_res TINFO "verify measurement of certificate imported into a keyring"
> +
> + if ! check_ima_policy_content "^measure.*func=KEY_CHECK.*keyrings=.*$keyring_name"; then
> + tst_brk TCONF "IMA policy does not contain $keyring_name keyring"
> + fi
> +
If the IMA policy contains multiple KEY_CHECK measurement policy rules
it complains about "grep: Unmatched ( or \(".
Sample rules:
measure func=KEY_CHECK template=ima-buf
keyrings=.ima|.builtin_trusted_keys
measure func=KEY_CHECK template=ima-buf keyrings=key_import_test
> + keyctl new_session > /dev/null
> +
> + keyring_id=$(keyctl newring $keyring_name @s) || \
> + tst_brk TBROK "unable to create a new keyring"
> +
> + tst_is_num $keyring_id || \
> + tst_brk TBROK "unable to parse the new keyring id"
> +
> + evmctl import $cert_file $keyring_id > /dev/null || \
> + tst_brk TBROK "unable to import a certificate into $keyring_name keyring"
"cert_file" needs to be updated from
"ltp/testcases/kernel/security/integrity/ima/tests/datafiles/x509_ima.d
er" to
"ltp/testcases/kernel/security/integrity/ima/tests/../datafiles/ima_key
s/x509_ima.der".
On failure to open the file,
errno: No such file or directory (2)
ima_keys 2 TBROK: unable to import a certificate into key_import_test keyring
ima_keys 2 TINFO: SELinux enabled in enforcing mode, this may affect test results
ima_keys 2 TINFO: it can be disabled with TST_DISABLE_SELINUX=1 (requires super/root)
ima_keys 2 TINFO: install seinfo to find used SELinux profiles
ima_keys 2 TINFO: loaded SELinux profiles: none
Mimi
> +
> + grep $keyring_name $ASCII_MEASUREMENTS | tail -n1 | cut -d' ' -f6 | \
> + xxd -r -p > $temp_file
> +
> + if [ ! -s $temp_file ]; then
> + tst_res TFAIL "keyring $keyring_name not found in $ASCII_MEASUREMENTS"
> + return
> + fi
> +
> + if ! openssl x509 -in $temp_file -inform der > /dev/null; then
> + tst_res TFAIL "logged certificate is not a valid x509 certificate"
> + return
> + fi
> +
> + if cmp -s $temp_file $cert_file; then
> + tst_res TPASS "logged certificate matches the original"
> + else
> + tst_res TFAIL "logged certificate does not match original"
> + fi
> +}
> +
> tst_run
^ permalink raw reply [flat|nested] 20+ messages in thread
* [LTP] [PATCH v2 3/4] IMA: Add a test to verify measurement of certificate imported into a keyring
@ 2020-08-17 3:21 ` Mimi Zohar
0 siblings, 0 replies; 20+ messages in thread
From: Mimi Zohar @ 2020-08-17 3:21 UTC (permalink / raw)
To: ltp
Hi Petr, Lachlan,
On Fri, 2020-08-07 at 22:46 +0200, Petr Vorel wrote:
> From: Lachlan Sneff <t-josne@linux.microsoft.com>
> diff --git a/testcases/kernel/security/integrity/ima/tests/ima_keys.sh b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh
> index 53c289054..30950904e 100755
> --- a/testcases/kernel/security/integrity/ima/tests/ima_keys.sh
> +++ b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh
>
> @@ -61,4 +65,52 @@ test1()
> tst_res TPASS "specified keyrings were measured correctly"
> }
>
> +# Create a new keyring, import a certificate into it, and verify
> +# that the certificate is measured correctly by IMA.
> +test2()
> +{
> + tst_require_cmds evmctl keyctl openssl
> +
> + local cert_file="$TST_DATAROOT/x509_ima.der"
> + local keyring_name="key_import_test"
> + local temp_file="file.txt"
> + local keyring_id
> +
> + tst_res TINFO "verify measurement of certificate imported into a keyring"
> +
> + if ! check_ima_policy_content "^measure.*func=KEY_CHECK.*keyrings=.*$keyring_name"; then
> + tst_brk TCONF "IMA policy does not contain $keyring_name keyring"
> + fi
> +
If the IMA policy contains multiple KEY_CHECK measurement policy rules
it complains about "grep: Unmatched ( or \(".
Sample rules:
measure func=KEY_CHECK template=ima-buf
keyrings=.ima|.builtin_trusted_keys
measure func=KEY_CHECK template=ima-buf keyrings=key_import_test
> + keyctl new_session > /dev/null
> +
> + keyring_id=$(keyctl newring $keyring_name @s) || \
> + tst_brk TBROK "unable to create a new keyring"
> +
> + tst_is_num $keyring_id || \
> + tst_brk TBROK "unable to parse the new keyring id"
> +
> + evmctl import $cert_file $keyring_id > /dev/null || \
> + tst_brk TBROK "unable to import a certificate into $keyring_name keyring"
"cert_file" needs to be updated from
"ltp/testcases/kernel/security/integrity/ima/tests/datafiles/x509_ima.d
er" to
"ltp/testcases/kernel/security/integrity/ima/tests/../datafiles/ima_key
s/x509_ima.der".
On failure to open the file,
errno: No such file or directory (2)
ima_keys 2 TBROK: unable to import a certificate into key_import_test keyring
ima_keys 2 TINFO: SELinux enabled in enforcing mode, this may affect test results
ima_keys 2 TINFO: it can be disabled with TST_DISABLE_SELINUX=1 (requires super/root)
ima_keys 2 TINFO: install seinfo to find used SELinux profiles
ima_keys 2 TINFO: loaded SELinux profiles: none
Mimi
> +
> + grep $keyring_name $ASCII_MEASUREMENTS | tail -n1 | cut -d' ' -f6 | \
> + xxd -r -p > $temp_file
> +
> + if [ ! -s $temp_file ]; then
> + tst_res TFAIL "keyring $keyring_name not found in $ASCII_MEASUREMENTS"
> + return
> + fi
> +
> + if ! openssl x509 -in $temp_file -inform der > /dev/null; then
> + tst_res TFAIL "logged certificate is not a valid x509 certificate"
> + return
> + fi
> +
> + if cmp -s $temp_file $cert_file; then
> + tst_res TPASS "logged certificate matches the original"
> + else
> + tst_res TFAIL "logged certificate does not match original"
> + fi
> +}
> +
> tst_run
^ permalink raw reply [flat|nested] 20+ messages in thread
* Re: [PATCH v2 3/4] IMA: Add a test to verify measurement of certificate imported into a keyring
2020-08-17 3:21 ` [LTP] " Mimi Zohar
@ 2020-08-17 5:13 ` Lakshmi Ramasubramanian
-1 siblings, 0 replies; 20+ messages in thread
From: Lakshmi Ramasubramanian @ 2020-08-17 5:13 UTC (permalink / raw)
To: Mimi Zohar, Petr Vorel, ltp; +Cc: Mimi Zohar, linux-integrity
On 8/16/20 8:21 PM, Mimi Zohar wrote:
Hi Mimi,
>> +# Create a new keyring, import a certificate into it, and verify
>> +# that the certificate is measured correctly by IMA.
>> +test2()
>> +{
>> + tst_require_cmds evmctl keyctl openssl
>> +
>> + local cert_file="$TST_DATAROOT/x509_ima.der"
>> + local keyring_name="key_import_test"
>> + local temp_file="file.txt"
>> + local keyring_id
>> +
>> + tst_res TINFO "verify measurement of certificate imported into a keyring"
>> +
>> + if ! check_ima_policy_content "^measure.*func=KEY_CHECK.*keyrings=.*$keyring_name"; then
>> + tst_brk TCONF "IMA policy does not contain $keyring_name keyring"
>> + fi
>> +
>
> If the IMA policy contains multiple KEY_CHECK measurement policy rules
> it complains about "grep: Unmatched ( or \(".
>
> Sample rules:
> measure func=KEY_CHECK template=ima-buf
> keyrings=.ima|.builtin_trusted_keys
> measure func=KEY_CHECK template=ima-buf keyrings=key_import_test
>
I tried with the above policy entries, but am unable to reproduce the
error you are seeing.
ima_keys 1 TINFO: verifying key measurement for keyrings and templates
specified in IMA policy file
ima_keys 1 TPASS: specified keyrings were measured correctly
ima_keys 2 TPASS: logged cert matches original cert
>> + keyctl new_session > /dev/null
>> +
>> + keyring_id=$(keyctl newring $keyring_name @s) || \
>> + tst_brk TBROK "unable to create a new keyring"
>> +
>> + tst_is_num $keyring_id || \
>> + tst_brk TBROK "unable to parse the new keyring id"
>> +
>> + evmctl import $cert_file $keyring_id > /dev/null || \
>> + tst_brk TBROK "unable to import a certificate into $keyring_name keyring"
>
> "cert_file" needs to be updated from
> "ltp/testcases/kernel/security/integrity/ima/tests/datafiles/x509_ima.d
> er" to
> "ltp/testcases/kernel/security/integrity/ima/tests/../datafiles/ima_key
> s/x509_ima.der".
>
The problem is actually due to missing "x509_ima.der" in
"INSTALL_TARGETS" in datafiles/keys/Makefile
Adding the following line in the Makefile fixes the problem
INSTALL_TARGETS := x509_ima.der
-lakshmi
> On failure to open the file,
> errno: No such file or directory (2)
> ima_keys 2 TBROK: unable to import a certificate into key_import_test keyring
> ima_keys 2 TINFO: SELinux enabled in enforcing mode, this may affect test results
> ima_keys 2 TINFO: it can be disabled with TST_DISABLE_SELINUX=1 (requires super/root)
> ima_keys 2 TINFO: install seinfo to find used SELinux profiles
> ima_keys 2 TINFO: loaded SELinux profiles: none
>
> Mimi
>
>> +
>> + grep $keyring_name $ASCII_MEASUREMENTS | tail -n1 | cut -d' ' -f6 | \
>> + xxd -r -p > $temp_file
>> +
>> + if [ ! -s $temp_file ]; then
>> + tst_res TFAIL "keyring $keyring_name not found in $ASCII_MEASUREMENTS"
>> + return
>> + fi
>> +
>> + if ! openssl x509 -in $temp_file -inform der > /dev/null; then
>> + tst_res TFAIL "logged certificate is not a valid x509 certificate"
>> + return
>> + fi
>> +
>> + if cmp -s $temp_file $cert_file; then
>> + tst_res TPASS "logged certificate matches the original"
>> + else
>> + tst_res TFAIL "logged certificate does not match original"
>> + fi
>> +}
>> +
>> tst_run
>
^ permalink raw reply [flat|nested] 20+ messages in thread
* [LTP] [PATCH v2 3/4] IMA: Add a test to verify measurement of certificate imported into a keyring
@ 2020-08-17 5:13 ` Lakshmi Ramasubramanian
0 siblings, 0 replies; 20+ messages in thread
From: Lakshmi Ramasubramanian @ 2020-08-17 5:13 UTC (permalink / raw)
To: ltp
On 8/16/20 8:21 PM, Mimi Zohar wrote:
Hi Mimi,
>> +# Create a new keyring, import a certificate into it, and verify
>> +# that the certificate is measured correctly by IMA.
>> +test2()
>> +{
>> + tst_require_cmds evmctl keyctl openssl
>> +
>> + local cert_file="$TST_DATAROOT/x509_ima.der"
>> + local keyring_name="key_import_test"
>> + local temp_file="file.txt"
>> + local keyring_id
>> +
>> + tst_res TINFO "verify measurement of certificate imported into a keyring"
>> +
>> + if ! check_ima_policy_content "^measure.*func=KEY_CHECK.*keyrings=.*$keyring_name"; then
>> + tst_brk TCONF "IMA policy does not contain $keyring_name keyring"
>> + fi
>> +
>
> If the IMA policy contains multiple KEY_CHECK measurement policy rules
> it complains about "grep: Unmatched ( or \(".
>
> Sample rules:
> measure func=KEY_CHECK template=ima-buf
> keyrings=.ima|.builtin_trusted_keys
> measure func=KEY_CHECK template=ima-buf keyrings=key_import_test
>
I tried with the above policy entries, but am unable to reproduce the
error you are seeing.
ima_keys 1 TINFO: verifying key measurement for keyrings and templates
specified in IMA policy file
ima_keys 1 TPASS: specified keyrings were measured correctly
ima_keys 2 TPASS: logged cert matches original cert
>> + keyctl new_session > /dev/null
>> +
>> + keyring_id=$(keyctl newring $keyring_name @s) || \
>> + tst_brk TBROK "unable to create a new keyring"
>> +
>> + tst_is_num $keyring_id || \
>> + tst_brk TBROK "unable to parse the new keyring id"
>> +
>> + evmctl import $cert_file $keyring_id > /dev/null || \
>> + tst_brk TBROK "unable to import a certificate into $keyring_name keyring"
>
> "cert_file" needs to be updated from
> "ltp/testcases/kernel/security/integrity/ima/tests/datafiles/x509_ima.d
> er" to
> "ltp/testcases/kernel/security/integrity/ima/tests/../datafiles/ima_key
> s/x509_ima.der".
>
The problem is actually due to missing "x509_ima.der" in
"INSTALL_TARGETS" in datafiles/keys/Makefile
Adding the following line in the Makefile fixes the problem
INSTALL_TARGETS := x509_ima.der
-lakshmi
> On failure to open the file,
> errno: No such file or directory (2)
> ima_keys 2 TBROK: unable to import a certificate into key_import_test keyring
> ima_keys 2 TINFO: SELinux enabled in enforcing mode, this may affect test results
> ima_keys 2 TINFO: it can be disabled with TST_DISABLE_SELINUX=1 (requires super/root)
> ima_keys 2 TINFO: install seinfo to find used SELinux profiles
> ima_keys 2 TINFO: loaded SELinux profiles: none
>
> Mimi
>
>> +
>> + grep $keyring_name $ASCII_MEASUREMENTS | tail -n1 | cut -d' ' -f6 | \
>> + xxd -r -p > $temp_file
>> +
>> + if [ ! -s $temp_file ]; then
>> + tst_res TFAIL "keyring $keyring_name not found in $ASCII_MEASUREMENTS"
>> + return
>> + fi
>> +
>> + if ! openssl x509 -in $temp_file -inform der > /dev/null; then
>> + tst_res TFAIL "logged certificate is not a valid x509 certificate"
>> + return
>> + fi
>> +
>> + if cmp -s $temp_file $cert_file; then
>> + tst_res TPASS "logged certificate matches the original"
>> + else
>> + tst_res TFAIL "logged certificate does not match original"
>> + fi
>> +}
>> +
>> tst_run
>
^ permalink raw reply [flat|nested] 20+ messages in thread
* Re: [PATCH v2 3/4] IMA: Add a test to verify measurement of certificate imported into a keyring
2020-08-17 3:21 ` [LTP] " Mimi Zohar
@ 2020-08-17 11:09 ` Petr Vorel
-1 siblings, 0 replies; 20+ messages in thread
From: Petr Vorel @ 2020-08-17 11:09 UTC (permalink / raw)
To: Mimi Zohar
Cc: ltp, Lachlan Sneff, Lakshmi Ramasubramanian, Mimi Zohar, linux-integrity
Hi Mimi, Lakshmi,
> On Fri, 2020-08-07 at 22:46 +0200, Petr Vorel wrote:
> > From: Lachlan Sneff <t-josne@linux.microsoft.com>
> > diff --git a/testcases/kernel/security/integrity/ima/tests/ima_keys.sh b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh
> > index 53c289054..30950904e 100755
> > --- a/testcases/kernel/security/integrity/ima/tests/ima_keys.sh
> > +++ b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh
> > @@ -61,4 +65,52 @@ test1()
> > tst_res TPASS "specified keyrings were measured correctly"
> > }
> > +# Create a new keyring, import a certificate into it, and verify
> > +# that the certificate is measured correctly by IMA.
> > +test2()
> > +{
> > + tst_require_cmds evmctl keyctl openssl
> > +
> > + local cert_file="$TST_DATAROOT/x509_ima.der"
> > + local keyring_name="key_import_test"
> > + local temp_file="file.txt"
> > + local keyring_id
> > +
> > + tst_res TINFO "verify measurement of certificate imported into a keyring"
> > +
> > + if ! check_ima_policy_content "^measure.*func=KEY_CHECK.*keyrings=.*$keyring_name"; then
> > + tst_brk TCONF "IMA policy does not contain $keyring_name keyring"
> > + fi
> > +
> If the IMA policy contains multiple KEY_CHECK measurement policy rules
> it complains about "grep: Unmatched ( or \(".
> Sample rules:
> measure func=KEY_CHECK template=ima-buf
> keyrings=.ima|.builtin_trusted_keys
> measure func=KEY_CHECK template=ima-buf keyrings=key_import_test
Good catch, reproduced, working on fix (NOTE 2nd line is obviously joined to the
first one).
Caused by later code:
grep -E "($templates)*($keyrings)" $ASCII_MEASUREMENTS | while read line
> > + keyctl new_session > /dev/null
> > +
> > + keyring_id=$(keyctl newring $keyring_name @s) || \
> > + tst_brk TBROK "unable to create a new keyring"
> > +
> > + tst_is_num $keyring_id || \
> > + tst_brk TBROK "unable to parse the new keyring id"
> > +
> > + evmctl import $cert_file $keyring_id > /dev/null || \
> > + tst_brk TBROK "unable to import a certificate into $keyring_name keyring"
> "cert_file" needs to be updated from
> "ltp/testcases/kernel/security/integrity/ima/tests/datafiles/x509_ima.d
> er" to
> "ltp/testcases/kernel/security/integrity/ima/tests/../datafiles/ima_key
> s/x509_ima.der".
As Lakshmi wrote if you apply the fix, which I included in my branch
Lachlan_Sneff/ima_keys.sh-second-test.v1.fixes [1] it'd work.
Unlike kselftest, LTP requires installing and running from installed
directory. There was fix in the past allow running uninstalled test:
435d2fd82 ("ima: Rename the folder name for policy files to datafiles"), but I
broke that in this patchset ("IMA: Refactor datafiles directory").
Maybe fixing a code in tst_test.sh
if [ -z "$LTPROOT" ]; then
export LTPROOT="$PWD"
export TST_DATAROOT="$LTPROOT/datafiles"
else
export TST_DATAROOT="$LTPROOT/testcases/data/$TST_ID"
fi
To allow to redefine it, for local testing:
if [ -z "$TST_DATAROOT" ]; then
if [ -z "$LTPROOT" ]; then
export LTPROOT="$PWD"
export TST_DATAROOT="$LTPROOT/datafiles"
else
export TST_DATAROOT="$LTPROOT/testcases/data/$TST_ID"
fi
fi
because datafile layout does not expect subdirectory. I also hate the makefile
helper, which requires to have special directory, datafiles just require some
rethinking.
> On failure to open the file,
> errno: No such file or directory (2)
The rest is obviously not relevant (was just a hint for problems caused with
other LSM).
> ima_keys 2 TBROK: unable to import a certificate into key_import_test keyring
> ima_keys 2 TINFO: SELinux enabled in enforcing mode, this may affect test results
> ima_keys 2 TINFO: it can be disabled with TST_DISABLE_SELINUX=1 (requires super/root)
> ima_keys 2 TINFO: install seinfo to find used SELinux profiles
> ima_keys 2 TINFO: loaded SELinux profiles: none
Kind regards,
Petr
[1] https://github.com/pevik/ltp/tree/Lachlan_Sneff/ima_keys.sh-second-test.v1.fixes
^ permalink raw reply [flat|nested] 20+ messages in thread
* [LTP] [PATCH v2 3/4] IMA: Add a test to verify measurement of certificate imported into a keyring
@ 2020-08-17 11:09 ` Petr Vorel
0 siblings, 0 replies; 20+ messages in thread
From: Petr Vorel @ 2020-08-17 11:09 UTC (permalink / raw)
To: ltp
Hi Mimi, Lakshmi,
> On Fri, 2020-08-07 at 22:46 +0200, Petr Vorel wrote:
> > From: Lachlan Sneff <t-josne@linux.microsoft.com>
> > diff --git a/testcases/kernel/security/integrity/ima/tests/ima_keys.sh b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh
> > index 53c289054..30950904e 100755
> > --- a/testcases/kernel/security/integrity/ima/tests/ima_keys.sh
> > +++ b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh
> > @@ -61,4 +65,52 @@ test1()
> > tst_res TPASS "specified keyrings were measured correctly"
> > }
> > +# Create a new keyring, import a certificate into it, and verify
> > +# that the certificate is measured correctly by IMA.
> > +test2()
> > +{
> > + tst_require_cmds evmctl keyctl openssl
> > +
> > + local cert_file="$TST_DATAROOT/x509_ima.der"
> > + local keyring_name="key_import_test"
> > + local temp_file="file.txt"
> > + local keyring_id
> > +
> > + tst_res TINFO "verify measurement of certificate imported into a keyring"
> > +
> > + if ! check_ima_policy_content "^measure.*func=KEY_CHECK.*keyrings=.*$keyring_name"; then
> > + tst_brk TCONF "IMA policy does not contain $keyring_name keyring"
> > + fi
> > +
> If the IMA policy contains multiple KEY_CHECK measurement policy rules
> it complains about "grep: Unmatched ( or \(".
> Sample rules:
> measure func=KEY_CHECK template=ima-buf
> keyrings=.ima|.builtin_trusted_keys
> measure func=KEY_CHECK template=ima-buf keyrings=key_import_test
Good catch, reproduced, working on fix (NOTE 2nd line is obviously joined to the
first one).
Caused by later code:
grep -E "($templates)*($keyrings)" $ASCII_MEASUREMENTS | while read line
> > + keyctl new_session > /dev/null
> > +
> > + keyring_id=$(keyctl newring $keyring_name @s) || \
> > + tst_brk TBROK "unable to create a new keyring"
> > +
> > + tst_is_num $keyring_id || \
> > + tst_brk TBROK "unable to parse the new keyring id"
> > +
> > + evmctl import $cert_file $keyring_id > /dev/null || \
> > + tst_brk TBROK "unable to import a certificate into $keyring_name keyring"
> "cert_file" needs to be updated from
> "ltp/testcases/kernel/security/integrity/ima/tests/datafiles/x509_ima.d
> er" to
> "ltp/testcases/kernel/security/integrity/ima/tests/../datafiles/ima_key
> s/x509_ima.der".
As Lakshmi wrote if you apply the fix, which I included in my branch
Lachlan_Sneff/ima_keys.sh-second-test.v1.fixes [1] it'd work.
Unlike kselftest, LTP requires installing and running from installed
directory. There was fix in the past allow running uninstalled test:
435d2fd82 ("ima: Rename the folder name for policy files to datafiles"), but I
broke that in this patchset ("IMA: Refactor datafiles directory").
Maybe fixing a code in tst_test.sh
if [ -z "$LTPROOT" ]; then
export LTPROOT="$PWD"
export TST_DATAROOT="$LTPROOT/datafiles"
else
export TST_DATAROOT="$LTPROOT/testcases/data/$TST_ID"
fi
To allow to redefine it, for local testing:
if [ -z "$TST_DATAROOT" ]; then
if [ -z "$LTPROOT" ]; then
export LTPROOT="$PWD"
export TST_DATAROOT="$LTPROOT/datafiles"
else
export TST_DATAROOT="$LTPROOT/testcases/data/$TST_ID"
fi
fi
because datafile layout does not expect subdirectory. I also hate the makefile
helper, which requires to have special directory, datafiles just require some
rethinking.
> On failure to open the file,
> errno: No such file or directory (2)
The rest is obviously not relevant (was just a hint for problems caused with
other LSM).
> ima_keys 2 TBROK: unable to import a certificate into key_import_test keyring
> ima_keys 2 TINFO: SELinux enabled in enforcing mode, this may affect test results
> ima_keys 2 TINFO: it can be disabled with TST_DISABLE_SELINUX=1 (requires super/root)
> ima_keys 2 TINFO: install seinfo to find used SELinux profiles
> ima_keys 2 TINFO: loaded SELinux profiles: none
Kind regards,
Petr
[1] https://github.com/pevik/ltp/tree/Lachlan_Sneff/ima_keys.sh-second-test.v1.fixes
^ permalink raw reply [flat|nested] 20+ messages in thread
end of thread, other threads:[~2020-08-17 11:09 UTC | newest]
Thread overview: 20+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-08-07 20:46 [PATCH v2 0/4] IMA: verify measurement of certificate imported into a keyring Petr Vorel
2020-08-07 20:46 ` [LTP] " Petr Vorel
2020-08-07 20:46 ` [PATCH v2 1/4] IMA/ima_keys.sh Fix policy content check usage Petr Vorel
2020-08-07 20:46 ` [LTP] " Petr Vorel
2020-08-07 20:46 ` [PATCH v2 2/4] IMA: Refactor datafiles directory Petr Vorel
2020-08-07 20:46 ` [LTP] " Petr Vorel
2020-08-07 20:46 ` [PATCH v2 3/4] IMA: Add a test to verify measurement of certificate imported into a keyring Petr Vorel
2020-08-07 20:46 ` [LTP] " Petr Vorel
2020-08-07 21:12 ` Lakshmi Ramasubramanian
2020-08-07 21:12 ` [LTP] " Lakshmi Ramasubramanian
2020-08-17 3:21 ` Mimi Zohar
2020-08-17 3:21 ` [LTP] " Mimi Zohar
2020-08-17 5:13 ` Lakshmi Ramasubramanian
2020-08-17 5:13 ` [LTP] " Lakshmi Ramasubramanian
2020-08-17 11:09 ` Petr Vorel
2020-08-17 11:09 ` [LTP] " Petr Vorel
2020-08-07 20:46 ` [PATCH v2 4/4] IMA/ima_keys.sh: Enhance policy checks Petr Vorel
2020-08-07 20:46 ` [LTP] " Petr Vorel
2020-08-12 13:35 ` [PATCH v2 0/4] IMA: verify measurement of certificate imported into a keyring Petr Vorel
2020-08-12 13:35 ` [LTP] " Petr Vorel
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.