From: Mimi Zohar <zohar@linux.ibm.com>
To: Petr Vorel <pvorel@suse.cz>,
	Mimi Zohar <zohar@linux.vnet.ibm.com>,
	Ignaz Forster <iforster@suse.de>
Cc: Fabian Vogt <FVogt@suse.com>, Marcus Meissner <meissner@suse.com>,
	linux-integrity@vger.kernel.org, ltp@lists.linux.it
Subject: Re: [PATCH v2 0/3] LTP reproducer on broken IMA on overlayfs
Date: Tue, 14 May 2019 23:01:19 -0400
Message-ID: <1557889279.4581.14.camel@linux.ibm.com>
In-Reply-To: <20190514121213.GA28655@dell5510>

On Tue, 2019-05-14 at 14:12 +0200, Petr Vorel wrote:
> Hi Mimi, Ignaz,
> 
> Mimi, could you please have a second look at this [4] patchset? We've had a
> discussion about the second patch [5], I can drop it if you don't like it, but
> that's not the main concern about this test. More important is whether the
> testcase looks valid to you. It's about overlayfs broken in IMA+EVM,
> which is currently broken on mainline.

The first two patches are fine.  From the test, I'm seeing the
following results:

evm_overlay 1 TINFO: overwrite file in overlay
tst_rod: Failed to open '(null)' for writing: Operation not permitted
evm_overlay 1 TFAIL: echo overlay > mntpoint/merged/foo1.txt failed unexpectedly
evm_overlay 2 TINFO: append file in overlay: mntpoint/lower/foo2.txt
evm_overlay 2 TPASS: echo overlay >> mntpoint/merged/foo2.txt passed as expected
evm_overlay 3 TINFO: create a new file in overlay
evm_overlay 3 TPASS: echo overlay > mntpoint/merged/foo3.txt passed as expected
evm_overlay 4 TINFO: read all created files
evm_overlay 4 TFAIL: cat mntpoint/merged/foo1.txt > /dev/null 2> /dev/null failed unexpectedly
evm_overlay 4 TFAIL: cat mntpoint/merged/foo2.txt > /dev/null 2> /dev/null failed unexpectedly
evm_overlay 4 TFAIL: cat mntpoint/merged/foo3.txt > /dev/null 2> /dev/null failed unexpectedly
evm_overlay 5 TINFO: SELinux enabled in enforcing mode, this may affect test results
evm_overlay 5 TINFO: You can try to disable it with TST_DISABLE_SELINUX=1 (requires super/root)
evm_overlay 5 TINFO: loaded SELinux profiles: none

With "evm: instead of using the overlayfs i_ino, use the real i_ino"
patch, I'm only seeing the first failure.

Mimi


> There is a different reproducer (C code) for a slightly different scenario,
> but I'm not going to port it before this gets merged.
> 
> Ignaz, could you please test this patchset? Could you, please, share your setup?
> ima_policy=appraise_tcb kernel parameter and loading IMA and EVM keys over
> dracut-ima scripts? (IMA appraisal and EVM using digital signatures? I guess
> using hashes for IMA appraisal would work as well).
> 
> Kind regards,
> Petr
> 
> > this is a second version of patch demonstrating a bug on overlayfs when
> > combining IMA with EVM. There is ongoing work made by Ignaz Forster and
> > Fabian Vogt [1] [2], IMA only behavior was already fixed [3].
> 
> > Main patch is the last one (previous are just a cleanup and not changed).
> 
> > [1] https://www.spinics.net/lists/linux-integrity/msg05926.html
> > [2] https://www.spinics.net/lists/linux-integrity/msg03593.html
> > [3] https://patchwork.kernel.org/patch/10776231/
> 
> [4] https://patchwork.ozlabs.org/project/ltp/list/?series=101213&state=*
> [5] https://patchwork.ozlabs.org/patch/1078553/
> 


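As an added example (not part of this message, and not LTP's own code), a small parser for the TINFO/TPASS/TFAIL result lines in the run quoted above, used to list which test cases a patch fixed and which still fail; the "patched" run is a constructed input modelling Mimi's observation that only the first failure remains after the i_ino patch.

```python
import re

# LTP shell-test result lines look like:
#   "<test> <tcid> <TINFO|TPASS|TFAIL|TBROK|TCONF|TWARN>: <message>"
LTP_LINE = re.compile(
    r"^(?P<test>\S+) (?P<tcid>\d+) (?P<res>TINFO|TPASS|TFAIL|TBROK|TCONF|TWARN): (?P<msg>.*)$")

def parse_ltp_output(text):
    """Return {tcid: [(result, message), ...]} for an LTP run. Non-matching
    lines (e.g. tst_rod errors) are kept as CONTEXT on the current test case."""
    cases = {}
    last = None
    for line in text.splitlines():
        m = LTP_LINE.match(line)
        if m:
            last = int(m.group("tcid"))
            cases.setdefault(last, []).append((m.group("res"), m.group("msg")))
        elif line.strip() and last is not None:
            cases[last].append(("CONTEXT", line.strip()))
    return cases

def failures(cases):
    """Messages of every TFAIL/TBROK line, keyed by test case id."""
    return {tcid: [msg for res, msg in entries if res in ("TFAIL", "TBROK")]
            for tcid, entries in cases.items()
            if any(res in ("TFAIL", "TBROK") for res, _ in entries)}

def fixed_by_patch(before, after):
    """(test case ids failing before but not after, ids still failing after)."""
    fb, fa = failures(parse_ltp_output(before)), failures(parse_ltp_output(after))
    return sorted(set(fb) - set(fa)), sorted(fa)

# Run taken from the message above (unpatched kernel).
UNPATCHED = """\
evm_overlay 1 TINFO: overwrite file in overlay
tst_rod: Failed to open '(null)' for writing: Operation not permitted
evm_overlay 1 TFAIL: echo overlay > mntpoint/merged/foo1.txt failed unexpectedly
evm_overlay 2 TPASS: echo overlay >> mntpoint/merged/foo2.txt passed as expected
evm_overlay 3 TPASS: echo overlay > mntpoint/merged/foo3.txt passed as expected
evm_overlay 4 TFAIL: cat mntpoint/merged/foo1.txt > /dev/null 2> /dev/null failed unexpectedly
evm_overlay 4 TFAIL: cat mntpoint/merged/foo2.txt > /dev/null 2> /dev/null failed unexpectedly
evm_overlay 4 TFAIL: cat mntpoint/merged/foo3.txt > /dev/null 2> /dev/null failed unexpectedly
"""
# Constructed run: only the first failure remains after the i_ino patch.
PATCHED = """\
evm_overlay 1 TFAIL: echo overlay > mntpoint/merged/foo1.txt failed unexpectedly
evm_overlay 2 TPASS: echo overlay >> mntpoint/merged/foo2.txt passed as expected
evm_overlay 3 TPASS: echo overlay > mntpoint/merged/foo3.txt passed as expected
evm_overlay 4 TPASS: cat mntpoint/merged/foo1.txt > /dev/null 2> /dev/null passed as expected
"""
# fixed_by_patch(UNPATCHED, PATCHED) -> ([4], [1])
```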