* [PATCH v1 0/1] ima: Add test for selinux measurement
  2020-09-28 19:47 ` [PATCH v1 1/1] " Lakshmi Ramasubramanian
  2020-09-29 5:23 ` [PATCH v1 0/1] " Petr Vorel
  0 siblings, 2 replies; 8+ messages in thread

From: Lakshmi Ramasubramanian @ 2020-09-28 19:47 UTC (permalink / raw)
To: pvorel, zohar, stephen.smalley.work, paul; +Cc: tusharsu, ltp, linux-integrity

New functionality is being added to IMA to measure data provided by kernel components. With this feature, IMA policy can be set to enable measuring data provided by Linux Security Modules (LSM). Currently one such LSM, namely selinux, is being updated to use this functionality. This new functionality needs test automation in LTP.

This patch set adds tests which verify that the IMA subsystem correctly measures the data provided by selinux.

This patch is based on
commit 286401a1c1f3 ("thp04: Add linux tag")
in the "master" branch of https://github.com/linux-test-project/ltp

This patch is dependent on the following patch series in LTP:
https://patchwork.kernel.org/patch/11802771/

This series needs a kernel built on the following repo/branch/patches:
repo: https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git
branch: next
commit 8861d0af642c ("selinux: Add helper functions to get and set checkreqprot")

And the following patch series should be applied in the following order:
1. https://patchwork.kernel.org/patch/11709527/
2. https://patchwork.kernel.org/patch/11795559/
3. https://patchwork.kernel.org/patch/11801525/
4. https://patchwork.kernel.org/patch/11801585/

Lakshmi Ramasubramanian (1):
  ima: Add test for selinux measurement

 runtest/ima                                        |   2 +
 .../kernel/security/integrity/ima/README.md        |  19 +++
 .../integrity/ima/tests/ima_selinux_policy.sh      |  72 ++++++++++
 .../integrity/ima/tests/ima_selinux_state.sh       | 136 ++++++++++++++++++
 .../security/integrity/ima/tests/ima_setup.sh      |  28 ++++
 5 files changed, 257 insertions(+)
 create mode 100755 testcases/kernel/security/integrity/ima/tests/ima_selinux_policy.sh
 create mode 100755 testcases/kernel/security/integrity/ima/tests/ima_selinux_state.sh

-- 
2.28.0

^ permalink raw reply [flat|nested] 8+ messages in thread
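The check the cover letter describes (that what IMA recorded for selinux matches what selinux actually has loaded) can be illustrated outside LTP. The following Python is an added example, not code from this patch or from the LTP project. It assumes the `ascii_runtime_measurements` field layout that the tests split on a space (PCR, template hash, template name, `algo:digest`, event name, hex-encoded buffer), a constructed `selinux-state` string laid out like the one quoted in the patch, and a constructed policy blob; the template hash is a placeholder and is not recomputed. It parses the state by key name rather than by field position, which is the more robust form of the comparison:

```python
import hashlib

# Constructed sample of the selinux-state buffer, following the
# "key=value;" layout quoted in the patch; the values are made up.
SAMPLE_STATE = (
    "initialized=1;enabled=1;enforcing=0;checkreqprot=1;"
    "network_peer_controls=1;open_perms=1;extended_socket_class=1;"
    "always_check_network=0;cgroup_seclabel=1;nnp_nosuid_transition=1;"
    "genfs_seclabel_symlinks=0;"
)


def make_measurement_line(name, buf, algo="sha256", pcr=10):
    """Build a constructed ascii_runtime_measurements line for an ima-buf
    entry. Assumed field layout (the one the LTP tests split on ' '):
    PCR, template hash, template name, algo:digest, event name, hex buffer.
    The template hash is a placeholder; it is not recomputed here."""
    digest = hashlib.new(algo, buf).hexdigest()
    template_hash = "00" * 20  # placeholder, not verified in this example
    return f"{pcr} {template_hash} ima-buf {algo}:{digest} {name} {buf.hex()}"


def make_policy_hash_line(policy_bytes, algo="sha256"):
    """Constructed selinux-policy-hash line: the measured buffer is the
    digest of the policy blob, which is what the LTP policy test expects."""
    return make_measurement_line("selinux-policy-hash",
                                 hashlib.new(algo, policy_bytes).digest(), algo)


def parse_ima_buf_line(line):
    """Split one ima-buf line into named fields and decode the hex buffer."""
    fields = line.split()
    if len(fields) != 6 or fields[2] != "ima-buf":
        raise ValueError("not an ima-buf measurement line")
    pcr, template_hash, _template, algo_digest, name, hexbuf = fields
    algo, _, digest = algo_digest.partition(":")
    return {
        "pcr": int(pcr),
        "template_hash": template_hash,
        "algo": algo,
        "digest": digest,
        "name": name,
        "buf": bytes.fromhex(hexbuf),
    }


def verify_buffer_digest(entry):
    """Recompute the recorded algorithm over the buffer; False on mismatch
    or when hashlib does not know the algorithm."""
    try:
        h = hashlib.new(entry["algo"], entry["buf"])
    except ValueError:
        return False
    return h.hexdigest() == entry["digest"]


def parse_selinux_state(buf):
    """Parse 'key=value;' pairs by name, so field order does not matter."""
    state = {}
    for item in buf.decode("ascii").split(";"):
        if not item:
            continue
        key, sep, value = item.partition("=")
        if not sep:
            raise ValueError(f"malformed state item: {item!r}")
        state[key] = value
    return state


def state_mismatches(entry, expected):
    """Return {key: (measured, expected)} for every expected key whose
    measured value differs or is absent (absent shows as None)."""
    measured = parse_selinux_state(entry["buf"])
    return {k: (measured.get(k), v) for k, v in expected.items()
            if measured.get(k) != v}


def policy_hash_matches(entry, policy_bytes):
    """For a selinux-policy-hash entry the buffer is the policy digest:
    compare it with a fresh digest of the policy blob, using the
    algorithm recorded on the line."""
    return entry["buf"].hex() == hashlib.new(entry["algo"], policy_bytes).hexdigest()


if __name__ == "__main__":
    line = make_measurement_line("selinux-state", SAMPLE_STATE.encode("ascii"))
    entry = parse_ima_buf_line(line)
    print("buffer digest ok:", verify_buffer_digest(entry))
    print("mismatches:", state_mismatches(entry, {"enforcing": "0", "checkreqprot": "1"}))
    policy = b"constructed policy blob"
    pentry = parse_ima_buf_line(make_policy_hash_line(policy))
    print("policy hash ok:", policy_hash_matches(pentry, policy))
```

On a real system the expected values would come from `/sys/fs/selinux/enforce`, `/sys/fs/selinux/checkreqprot` and the files under `/sys/fs/selinux/policy_capabilities/`, and the policy blob from `/sys/fs/selinux/policy`; iterating over the directory listing rather than a fixed list of names keeps the check valid when a kernel adds a capability.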
* [PATCH v1 1/1] ima: Add test for selinux measurement 2020-09-28 19:47 [PATCH v1 0/1] ima: Add test for selinux measurement Lakshmi Ramasubramanian @ 2020-09-28 19:47 ` Lakshmi Ramasubramanian 2020-12-18 18:37 ` Petr Vorel 2020-09-29 5:23 ` [PATCH v1 0/1] " Petr Vorel 1 sibling, 1 reply; 8+ messages in thread From: Lakshmi Ramasubramanian @ 2020-09-28 19:47 UTC (permalink / raw) To: pvorel, zohar, stephen.smalley.work, paul; +Cc: tusharsu, ltp, linux-integrity New functionality is being added to IMA to measure data provided by kernel components. With this feature, IMA policy can be set to enable measuring data provided by Linux Security Modules (LSM). Currently one such LSM namely selinux is being updated to use this functionality. This new functionality needs test automation in LTP. Add test cases which verify that the IMA subsystem correctly measures the data provided by selinux. Signed-off-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com> --- runtest/ima | 2 + .../kernel/security/integrity/ima/README.md | 19 +++ .../integrity/ima/tests/ima_selinux_policy.sh | 72 ++++++++++ .../integrity/ima/tests/ima_selinux_state.sh | 136 ++++++++++++++++++ .../security/integrity/ima/tests/ima_setup.sh | 28 ++++ 5 files changed, 257 insertions(+) create mode 100755 testcases/kernel/security/integrity/ima/tests/ima_selinux_policy.sh create mode 100755 testcases/kernel/security/integrity/ima/tests/ima_selinux_state.sh diff --git a/runtest/ima b/runtest/ima index 123b6c8b0..8e60bf629 100644 --- a/runtest/ima +++ b/runtest/ima @@ -5,5 +5,7 @@ ima_tpm ima_tpm.sh ima_violations ima_violations.sh ima_keys ima_keys.sh ima_kexec ima_kexec.sh +ima_selinux_state ima_selinux_state.sh +ima_selinux_policy ima_selinux_policy.sh ima_dm_crypt ima_dm_crypt.sh evm_overlay evm_overlay.sh diff --git a/testcases/kernel/security/integrity/ima/README.md b/testcases/kernel/security/integrity/ima/README.md index 007662fae..c0644b083 100644 --- a/testcases/kernel/security/integrity/ima/README.md 
+++ b/testcases/kernel/security/integrity/ima/README.md @@ -37,6 +37,25 @@ see example in `kexec.policy`. The test attempts to kexec the existing running kernel image. To kexec a different kernel image export `IMA_KEXEC_IMAGE=<pathname>`. +### IMA SELinux test + +To enable IMA to measure SELinux state and policy, `ima_selinux_policy.sh` +and `ima_selinux_state.sh` require a readable IMA policy, as well as +a loaded measure policy with +`measure func=CRITICAL_DATA data_sources=selinux template=ima-buf` + +As well as what's required for the IMA tests, SELinux tests require reading +the IMA policy allowed in the kernel configuration: +``` +CONFIG_IMA_READ_POLICY=y + +``` +The following kernel configuration is also required. It enables compiling +the Linux Security Module (LSM) namely SELinux. +``` +CONFIG_SECURITY_SELINUX=y +``` + ### IMA DM target (dm-crypt) measurement test To enable IMA to measure device-mapper target - dm-crypt, diff --git a/testcases/kernel/security/integrity/ima/tests/ima_selinux_policy.sh b/testcases/kernel/security/integrity/ima/tests/ima_selinux_policy.sh new file mode 100755 index 000000000..c1e81bdde --- /dev/null +++ b/testcases/kernel/security/integrity/ima/tests/ima_selinux_policy.sh 
@@ -0,0 +1,72 @@ +#!/bin/sh +# SPDX-License-Identifier: GPL-2.0-or-later +# Copyright (c) 2020 Microsoft Corporation +# Author: Lakshmi Ramasubramanian <nramas@linux.microsoft.com> +# +# Verify measurement of selinux policy + +TST_NEEDS_CMDS="cut grep tail" +TST_CNT=1 +TST_NEEDS_DEVICE=1 +TST_SETUP="setup" + +. ima_setup.sh + +FUNC_CRITICAL_DATA='func=CRITICAL_DATA' +TEMPLATE_BUF='template=ima-buf' +REQUIRED_POLICY="^measure.*($FUNC_CRITICAL_DATA.*$TEMPLATE_BUF|$TEMPLATE_BUF.*$FUNC_CRITICAL_DATA)" + +setup() +{ + check_selinux_state + + require_ima_policy_content "$REQUIRED_POLICY" '-E' > $TST_TMPDIR/policy.txt +} + +# +# Trigger measurement of selinux constructs and verify that +# the measured selinux policy matches the current policy loaded +# for selinux. +# +test1() +{ + local policy_digest expected_policy_digest algorithm + local data_source_name="selinux" + local pattern="data_sources=[^[:space:]]*$data_source_name" + local tmp_file="$TST_TMPDIR/selinux_policy_tmp_file.txt" + + check_policy_pattern "$pattern" $FUNC_CRITICAL_DATA $TEMPLATE_BUF > $tmp_file || return + + tst_res TINFO "Verifying selinux policy measurement" + + # + # Trigger a measurement by changing selinux state + # + update_selinux_state + + # + # Verify selinux policy is measured and then validate that + # the measured policy matches the policy currently loaded + # for selinux + # + line=$(grep -E "selinux-policy-hash" $ASCII_MEASUREMENTS | tail -1) + if [ -z "$line" ]; then + tst_res TFAIL "selinux policy not measured" + return + fi + + algorithm=$(echo "$line" | cut -d' ' -f4 | cut -d':' -f1) + policy_digest=$(echo "$line" | cut -d' ' -f6) + + expected_policy_digest="$(compute_digest $algorithm $SELINUX_FOLDER/policy)" || \ + tst_brk TCONF "cannot compute digest for $algorithm" + + if [ "$policy_digest" != "$expected_policy_digest" ]; then + tst_res TFAIL "Digest mismatch. 
Expected $expected_policy_digest, Actual $policy_digest" + return + fi + + tst_res TPASS "selinux policy measured correctly" +} + +tst_run diff --git a/testcases/kernel/security/integrity/ima/tests/ima_selinux_state.sh b/testcases/kernel/security/integrity/ima/tests/ima_selinux_state.sh new file mode 100755 index 000000000..077de5081 --- /dev/null +++ b/testcases/kernel/security/integrity/ima/tests/ima_selinux_state.sh 
@@ -0,0 +1,136 @@ +#!/bin/sh +# SPDX-License-Identifier: GPL-2.0-or-later +# Copyright (c) 2020 Microsoft Corporation +# Author: Lakshmi Ramasubramanian <nramas@linux.microsoft.com> +# +# Verify measurement of selinux state + +TST_NEEDS_CMDS="awk cut grep tail xxd" +TST_CNT=1 +TST_NEEDS_DEVICE=1 +TST_SETUP="setup" + +. ima_setup.sh + +FUNC_CRITICAL_DATA='func=CRITICAL_DATA' +TEMPLATE_BUF='template=ima-buf' +REQUIRED_POLICY="^measure.*($FUNC_CRITICAL_DATA.*$TEMPLATE_BUF|$TEMPLATE_BUF.*$FUNC_CRITICAL_DATA)" + +setup() +{ + check_selinux_state + + require_ima_policy_content "$REQUIRED_POLICY" '-E' > $TST_TMPDIR/policy.txt +} + +# +# Format of the measured selinux state data. +# +# initialized=1;enabled=1;enforcing=0;checkreqprot=1; +# network_peer_controls=1;open_perms=1;extended_socket_class=1; +# always_check_network=0;cgroup_seclabel=1;nnp_nosuid_transition=1; +# genfs_seclabel_symlinks=0; +# +validate_policy_capabilities() +{ + local measured_cap measured_value expected_value inx result + + result=1 + + # + # Policy capabilities flags start from "network_peer_controls" + # in the measured selinux state at offset 9 for 'awk' + # + inx=9 + while [ $inx -lt 22 ] + do + measured_cap=$(echo $1 | awk -F'[=;]' -v inx="$inx" '{print $inx}') + inx=$(( $inx + 1 )) + + measured_value=$(echo $1 | awk -F'[=;]' -v inx="$inx" '{print $inx}') + expected_value=$(cat "$SELINUX_FOLDER/policy_capabilities/$measured_cap") + if [ "$measured_value" != "$expected_value" ];then + tst_res TWARN "$measured_cap: Expected $expected_value, Actual $measured_value" + result=0 + fi + + inx=$(( $inx + 1 )) + done + + return $result +} + +# +# Trigger measurement of selinux constructs and verify that +# the measured selinux state matches the current selinux +# configuration. 
+# +test1() +{ + local measured_data state_file="$TST_TMPDIR/selinux_state.txt" + local digest expected_digest algorithm + local enforced_value expected_enforced_value + local checkreqprot_value expected_checkreqprot_value + local data_source_name="selinux" + local pattern="data_sources=[^[:space:]]*$data_source_name" + local tmp_file="$TST_TMPDIR/selinux_state_tmp_file.txt" + + tst_res TINFO "Verifying selinux state measurement" + + check_policy_pattern "$pattern" $FUNC_CRITICAL_DATA $TEMPLATE_BUF > $tmp_file || return + + # + # Trigger a measurement by changing selinux state + # + update_selinux_state + + # + # Verify selinux state is measured and then validate the measured + # state matches that currently set for selinux + # + line=$(grep -E "selinux-state" $ASCII_MEASUREMENTS | tail -1) + if [ -z "$line" ]; then + tst_res TFAIL "selinux state not measured" + return + fi + + digest=$(echo "$line" | cut -d' ' -f4 | cut -d':' -f2) + algorithm=$(echo "$line" | cut -d' ' -f4 | cut -d':' -f1) + + echo "$line" | cut -d' ' -f6 | xxd -r -p > $state_file + + expected_digest="$(compute_digest $algorithm $state_file)" || \ + tst_brk TCONF "cannot compute digest for $algorithm" + + if [ "$digest" != "$expected_digest" ]; then + tst_res TFAIL "Digest mismatch. Expected $expected_digest, Actual $digest" + return + fi + + measured_data=$(cat $state_file) + + enforced_value=$(echo $measured_data | awk -F'[=;]' '{print $6}') + expected_enforced_value=$(cat $SELINUX_FOLDER/enforce) + if [ "$expected_enforced_value" != "$enforced_value" ];then + tst_res TFAIL "enforce: Expected $expected_enforced_value, Actual $enforced_value" + return + fi + + checkreqprot_value=$(echo $measured_data | awk -F'[=;]' '{print $8}') + expected_checkreqprot_value=$(cat $SELINUX_FOLDER/checkreqprot) + if [ "$expected_checkreqprot_value" != "$checkreqprot_value" ];then + tst_res TFAIL "checkreqprot. 
Expected $expected_checkreqprot_value, Actual $checkreqprot_value" + return + fi + + validate_policy_capabilities $measured_data + result=$? + if [ $result = 0 ]; then + tst_res TFAIL "Policy capabilities did not match" + return + fi + + tst_res TPASS "selinux state measured correctly" +} + +tst_run diff --git a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh index 2841d7df5..1d7dca086 100644 --- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh +++ b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh @@ -186,6 +186,33 @@ require_ima_policy_cmdline() tst_brk TCONF "IMA measurement tests require builtin IMA $policy policy (e.g. ima_policy=$policy kernel parameter)" } +# +# Update selinux state. This is used for validating IMA +# measurement of selinux constructs. +# +update_selinux_state() +{ + local cur_val new_val + + cur_val=$(cat $SELINUX_FOLDER/checkreqprot) + + if [ $cur_val = 1 ]; then + new_val=0 + else + new_val=1 + fi + + echo $new_val > $SELINUX_FOLDER/checkreqprot +} + +# +# Verify selinux is enabled in the system +# +check_selinux_state() +{ + [ -d $SELINUX_FOLDER ] || tst_brk TCONF "selinux is not enabled" +} + mount_helper() { local type="$1" @@ -238,6 +265,7 @@ ima_setup() ASCII_MEASUREMENTS="$IMA_DIR/ascii_runtime_measurements" BINARY_MEASUREMENTS="$IMA_DIR/binary_runtime_measurements" IMA_POLICY="$IMA_DIR/policy" + SELINUX_FOLDER="$SYSFS/fs/selinux" # hack to support running tests locally from ima/tests directory if [ ! -d "$TST_DATAROOT" ]; then -- 2.28.0 ^ permalink raw reply related [flat|nested] 8+ messages in thread
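Review bot: in the README.md hunk, the fenced kernel-config block carries a stray empty line before its closing fence (`+CONFIG_IMA_READ_POLICY=y`, `+`, `+```); drop it so the block matches the `CONFIG_SECURITY_SELINUX=y` block that follows. The sentence "As well as what's required for the IMA tests, SELinux tests require reading the IMA policy allowed in the kernel configuration" is hard to parse; something like "In addition to the general IMA test requirements, the SELinux tests need a readable IMA policy, which requires:" says the same thing more plainly.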
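Review bot: in `test1()` of ima_selinux_policy.sh, `line` is assigned (`line=$(grep -E "selinux-policy-hash" $ASCII_MEASUREMENTS | tail -1)`) without being in the `local` list, unlike `policy_digest`, `expected_policy_digest` and `algorithm`; add it. The order of `check_policy_pattern` and the `tst_res TINFO` line is also the reverse of the one in ima_selinux_state.sh (there TINFO is printed first); pick one order for both tests so the output reads the same when the policy check returns early.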
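Review bot: in ima_selinux_state.sh, `validate_policy_capabilities()` hard-codes awk field indices 9 to 21 and `test1()` reads `enforcing` from field `$6` and `checkreqprot` from `$8`, so the test silently compares the wrong pair, or skips a capability, as soon as the kernel adds, removes or reorders a key in the measured `key=value;` string. Parsing by name is more robust, e.g. `echo "$measured_data" | tr ';' '\n' | grep '^enforcing=' | cut -d= -f2`, and iterating over the names in `$SELINUX_FOLDER/policy_capabilities/` instead of a fixed count covers new capabilities automatically. Minor points in the same hunk: `line` and `result` in `test1()` are not declared `local`; the comment block says the capabilities "start ... at offset 9", which is only true for the exact layout shown, so the layout comment should be marked as the layout of that kernel version; and `validate_policy_capabilities $measured_data` should quote its argument.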
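Review bot: in the first ima_setup.sh hunk, `update_selinux_state()` flips `checkreqprot` and nothing restores it, so every run leaves the machine with a different, security-relevant SELinux setting than it found; save the original value in setup and restore it from a `TST_CLEANUP` function. The write `echo $new_val > $SELINUX_FOLDER/checkreqprot` is also unchecked: if it fails for any reason, no measurement is triggered and the test then reports a misleading "selinux state not measured" TFAIL, so check the exit status and `tst_brk TCONF` on failure. `check_selinux_state()` only tests that the directory exists while its comment says "Verify selinux is enabled"; a name such as `require_selinux` and a check that `$SELINUX_FOLDER/enforce` is readable would match the intent better.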
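Review bot: in the second ima_setup.sh hunk, `SELINUX_FOLDER="$SYSFS/fs/selinux"` is set in `ima_setup()` for every IMA test although only the two selinux tests use it; naming it `SELINUX_DIR` would be consistent with the neighbouring `IMA_DIR`, and it could be defined in the selinux tests themselves.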
* Re: [PATCH v1 1/1] ima: Add test for selinux measurement
From: Petr Vorel @ 2020-12-18 18:37 UTC (permalink / raw) To: Lakshmi Ramasubramanian Cc: zohar, stephen.smalley.work, paul, tusharsu, ltp, linux-integrity Hi Lakshmi, Mimi, all, @Lakshmi TL;DR: I added some fixes in my fork, branch ima/selinux.v2.draft, https://github.com/pevik/ltp/commits/ima/selinux.v2.draft + added 3 additional commits, one of them as you as the author. I moved some functions to testcases/lib/tst_security.sh, renamed them. Can you please have a look and test? I don't have any SELinux machine. @Mimi, all: any comment to this test? My changes are just LTP cleanup so you can comment it on this patchset. I suppose you get to this in January. Some notes for my changes: As files are quite similar (checks etc), I put both tests into single file ima_selinux.sh. > New functionality is being added to IMA to measure data provided by > kernel components. With this feature, IMA policy can be set to enable > measuring data provided by Linux Security Modules (LSM). Currently one > such LSM namely selinux is being updated to use this functionality. > This new functionality needs test automation in LTP. > Add test cases which verify that the IMA subsystem correctly measures > the data provided by selinux. Could you please put into commit message and test kernel commit hash relevant for the test. Is that 8861d0af642c646c8e148ce34c294bdef6f32f6a (merged into v5.10-rc1) or there are more relevant commits? ... > +### IMA SELinux test > + > +To enable IMA to measure SELinux state and policy, `ima_selinux_policy.sh` > +and `ima_selinux_state.sh` require a readable IMA policy, as well as > +a loaded measure policy with > +`measure func=CRITICAL_DATA data_sources=selinux template=ima-buf` I put this into testcases/kernel/security/integrity/ima/datafiles/ima_selinux/selinux.policy and mention it in docs. 
> +test1() > +{ > + local policy_digest expected_policy_digest algorithm > + local data_source_name="selinux" > + local pattern="data_sources=[^[:space:]]*$data_source_name" > + local tmp_file="$TST_TMPDIR/selinux_policy_tmp_file.txt" > + > + check_policy_pattern "$pattern" $FUNC_CRITICAL_DATA $TEMPLATE_BUF > $tmp_file || return > + > + tst_res TINFO "Verifying selinux policy measurement" > + > + # > + # Trigger a measurement by changing selinux state > + # > + update_selinux_state Here I used tst_update_selinux_state. ... > --- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh > +# > +# Update selinux state. This is used for validating IMA > +# measurement of selinux constructs. > +# > +update_selinux_state() > +{ > + local cur_val new_val > + > + cur_val=$(cat $SELINUX_FOLDER/checkreqprot) > + > + if [ $cur_val = 1 ]; then > + new_val=0 > + else > + new_val=1 > + fi > + > + echo $new_val > $SELINUX_FOLDER/checkreqprot > +} > + > +# > +# Verify selinux is enabled in the system > +# > +check_selinux_state() > +{ > + [ -d $SELINUX_FOLDER ] || tst_brk TCONF "selinux is not enabled" > +} As I mentioned above, this is not needed as I put them under different names in testcases/lib/tst_security.sh. > mount_helper() > { > local type="$1" > @@ -238,6 +265,7 @@ ima_setup() > ASCII_MEASUREMENTS="$IMA_DIR/ascii_runtime_measurements" > BINARY_MEASUREMENTS="$IMA_DIR/binary_runtime_measurements" > IMA_POLICY="$IMA_DIR/policy" > + SELINUX_FOLDER="$SYSFS/fs/selinux" nit: I renamed it to $SELINUX_DIR (for consistency with $IMA_DIR) and moved to ima_selinux.sh. Kind regards, Petr ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH v1 1/1] ima: Add test for selinux measurement
From: Lakshmi Ramasubramanian @ 2020-12-22 18:37 UTC (permalink / raw)
To: Petr Vorel
Cc: zohar, stephen.smalley.work, paul, tusharsu, ltp, linux-integrity

On 12/18/20 10:37 AM, Petr Vorel wrote:

Hi Petr,

> @Lakshmi
> TL;DR: I added some fixes in my fork, branch ima/selinux.v2.draft,
> https://github.com/pevik/ltp/commits/ima/selinux.v2.draft
>
> + added 3 additional commits, one of them as you as the author.
> I moved some functions to testcases/lib/tst_security.sh, renamed them.
> Can you please have a look and test? I don't have any SELinux machine.

I'll take a look at the changes in your branch and test it with SELinux enabled.

> @Mimi, all: any comment to this test? My changes are just LTP cleanup
> so you can comment it on this patchset.
> I suppose you get to this in January.
>
> Some notes for my changes:
>
> As files are quite similar (checks etc), I put both tests into single
> file ima_selinux.sh.

This should be fine.
The reason I put the tests in different files was because I couldn't find a way to run the tests independently (I mean, say, run the SELinux policy measurement test but not the state measurement test, or vice versa).

>> New functionality is being added to IMA to measure data provided by
>> kernel components. With this feature, IMA policy can be set to enable
>> measuring data provided by Linux Security Modules (LSM). Currently one
>> such LSM namely selinux is being updated to use this functionality.
>> This new functionality needs test automation in LTP.
>
>> Add test cases which verify that the IMA subsystem correctly measures
>> the data provided by selinux.
>
> Could you please put into commit message and test kernel commit hash relevant
> for the test. Is that 8861d0af642c646c8e148ce34c294bdef6f32f6a (merged into
> v5.10-rc1) or there are more relevant commits?

The IMA hook to measure kernel critical data + SELinux measurement changes are still being reviewed. Tushar has posted v9 of the patch set.

> ...
>> +### IMA SELinux test >> + >> +To enable IMA to measure SELinux state and policy, `ima_selinux_policy.sh` >> +and `ima_selinux_state.sh` require a readable IMA policy, as well as >> +a loaded measure policy with >> +`measure func=CRITICAL_DATA data_sources=selinux template=ima-buf` > I put this into > testcases/kernel/security/integrity/ima/datafiles/ima_selinux/selinux.policy > and mention it in docs. Sounds good - Thanks. "template=ima_buf" is no longer needed in the IMA policy rule since "ima_buf" is the default template for buffer measurement now. I will update "datafiles/ima_selinux/selinux.policy" file. > >> +test1() >> +{ >> + local policy_digest expected_policy_digest algorithm >> + local data_source_name="selinux" >> + local pattern="data_sources=[^[:space:]]*$data_source_name" >> + local tmp_file="$TST_TMPDIR/selinux_policy_tmp_file.txt" >> + >> + check_policy_pattern "$pattern" $FUNC_CRITICAL_DATA $TEMPLATE_BUF > $tmp_file || return >> + >> + tst_res TINFO "Verifying selinux policy measurement" >> + >> + # >> + # Trigger a measurement by changing selinux state >> + # >> + update_selinux_state > Here I used tst_update_selinux_state. okay. > > ... >> --- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh > >> +# >> +# Update selinux state. This is used for validating IMA >> +# measurement of selinux constructs. >> +# >> +update_selinux_state() >> +{ >> + local cur_val new_val >> + >> + cur_val=$(cat $SELINUX_FOLDER/checkreqprot) >> + >> + if [ $cur_val = 1 ]; then >> + new_val=0 >> + else >> + new_val=1 >> + fi >> + >> + echo $new_val > $SELINUX_FOLDER/checkreqprot >> +} >> + >> +# >> +# Verify selinux is enabled in the system >> +# >> +check_selinux_state() >> +{ >> + [ -d $SELINUX_FOLDER ] || tst_brk TCONF "selinux is not enabled" >> +} > > As I mentioned above, this is not needed as I put them under different names in > testcases/lib/tst_security.sh. okay. > >> mount_helper() >> { >> local type="$1" 
>> @@ -238,6 +265,7 @@ ima_setup() >> ASCII_MEASUREMENTS="$IMA_DIR/ascii_runtime_measurements" >> BINARY_MEASUREMENTS="$IMA_DIR/binary_runtime_measurements" >> IMA_POLICY="$IMA_DIR/policy" >> + SELINUX_FOLDER="$SYSFS/fs/selinux" > > nit: I renamed it to $SELINUX_DIR (for consistency with $IMA_DIR) > and moved to ima_selinux.sh. okay. Thanks a lot for your help Petr. Appreciate it. -lakshmi ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH v1 1/1] ima: Add test for selinux measurement

From: Petr Vorel @ 2020-12-22 19:50 UTC (permalink / raw)
To: Lakshmi Ramasubramanian
Cc: zohar, stephen.smalley.work, paul, tusharsu, ltp, linux-integrity

Hi Lakshmi,

> On 12/18/20 10:37 AM, Petr Vorel wrote:
> Hi Petr,

> > @Lakshmi
> > TL;DR: I added some fixes in my fork, branch ima/selinux.v2.draft,
> > https://github.com/pevik/ltp/commits/ima/selinux.v2.draft

> > + added 3 additional commits, one of them as you as the author.
> > I moved some functions to testcases/lib/tst_security.sh, renamed them.
> > Can you please have a look and test? I don't have any SELinux machine.

> I'll take a look at the changes in your branch and test it with SELinux
> enabled.
Thanks!

> > @Mimi, all: any comment to this test? My changes are just LTP cleanup
> > so you can comment it on this patchset.
> > I suppose you get to this in January.

> > Some notes for my changes:

> > As files are quite similar (checks etc), I put both tests into single
> > file ima_selinux.sh.

> This should be fine.
> The reason I put the tests in different files was because I couldn't find a
> way to run the tests independently (i mean - say, run the SELinux policy
> measurement test but not the state measurement test or vice-versa).

Why do you need to run just one of them?
If you really need to separate them (e.g. to require different OS setup for each) you could have 2 functions in a single file, but run only one of them (TST_CNT not set, which means TST_CNT=1), doing the selection with a getopt switch?
https://github.com/linux-test-project/ltp/wiki/Test-Writing-Guidelines#233-optional-command-line-parameters

> > > New functionality is being added to IMA to measure data provided by
> > > kernel components.
With this feature, IMA policy can be set to enable > > > measuring data provided by Linux Security Modules (LSM). Currently one > > > such LSM namely selinux is being updated to use this functionality. > > > This new functionality needs test automation in LTP. > > > Add test cases which verify that the IMA subsystem correctly measures > > > the data provided by selinux. > > Could you please put into commit message and test kernel commit hash relevant > > for the test. Is that 8861d0af642c646c8e148ce34c294bdef6f32f6a (merged into > > v5.10-rc1) or there are more relevant commits? > The IMA hook to measure kernel critical data + SELinux measurement changes > are still being reviewed. Tushar has posted v9 of the patch set. Thanks for info (note for myself: https://lore.kernel.org/linux-integrity/20201212180251.9943-1-tusharsu@linux.microsoft.com/) OK, not yet merged to mainline. It's good you send patches early (speed up the inclusion to LTP), but we should merge them into LTP once it's at least already in Mimi tree prepared for sending to Linus. Feel free to Cc me in your next kernel patches (It *can* help to speedup the inclusion to LTP). > > ... > > > +### IMA SELinux test > > > + > > > +To enable IMA to measure SELinux state and policy, `ima_selinux_policy.sh` > > > +and `ima_selinux_state.sh` require a readable IMA policy, as well as > > > +a loaded measure policy with > > > +`measure func=CRITICAL_DATA data_sources=selinux template=ima-buf` > > I put this into > > testcases/kernel/security/integrity/ima/datafiles/ima_selinux/selinux.policy > > and mention it in docs. > Sounds good - Thanks. > "template=ima_buf" is no longer needed in the IMA policy rule since > "ima_buf" is the default template for buffer measurement now. I will update > "datafiles/ima_selinux/selinux.policy" file. +1 ... > Thanks a lot for your help Petr. Appreciate it. yw, thanks for your contributions. > -lakshmi Petr ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH v1 1/1] ima: Add test for selinux measurement 2020-12-22 19:50 ` Petr Vorel @ 2020-12-22 21:05 ` Lakshmi Ramasubramanian 0 siblings, 0 replies; 8+ messages in thread From: Lakshmi Ramasubramanian @ 2020-12-22 21:05 UTC (permalink / raw) To: Petr Vorel Cc: zohar, stephen.smalley.work, paul, tusharsu, ltp, linux-integrity On 12/22/20 11:50 AM, Petr Vorel wrote: > >>> @Lakshmi >>> TL;DR: I added some fixes in my fork, branch ima/selinux.v2.draft, >>> https://github.com/pevik/ltp/commits/ima/selinux.v2.draft > >>> + added 3 additional commits, one of them as you as the author. >>> I moved some functions to testcases/lib/tst_security.sh, renamed them. >>> Can you please have a look and test? I don't have any SELinux machine. > >> I'll take a look at the changes in your branch and test it with SELinux >> enabled. > Thanks! > >>> @Mimi, all: any comment to this test? My changes are just LTP cleanup >>> so you can comment it on this patchset. >>> I suppose you get to this in January. > >>> Some notes for my changes: > >>> As files are quite similar (checks etc), I put both tests into single >>> file ima_selinux.sh. >> This should be fine. > >> The reason I put the tests in different files was because I couldn't find a >> way to run the tests independently (i mean - say, run the SELinux policy >> measurement test but not the state measurement test or vice-versa). > > Why do you need to run just one of them? > If you really need to separate them (e.g. to require different OS setup for > each) you could have 2 functions in single file, but run only one of them > (TST_CNT not set, which means TST_CNT=1), doing selection with getopt switch? > https://github.com/linux-test-project/ltp/wiki/Test-Writing-Guidelines#233-optional-command-line-parameters This is good to know Petr. Thanks for the info. > >>>> New functionality is being added to IMA to measure data provided by >>>> kernel components. 
With this feature, IMA policy can be set to enable >>>> measuring data provided by Linux Security Modules (LSM). Currently one >>>> such LSM namely selinux is being updated to use this functionality. >>>> This new functionality needs test automation in LTP. > >>>> Add test cases which verify that the IMA subsystem correctly measures >>>> the data provided by selinux. > >>> Could you please put into commit message and test kernel commit hash relevant >>> for the test. Is that 8861d0af642c646c8e148ce34c294bdef6f32f6a (merged into >>> v5.10-rc1) or there are more relevant commits? > >> The IMA hook to measure kernel critical data + SELinux measurement changes >> are still being reviewed. Tushar has posted v9 of the patch set. > Thanks for info (note for myself: > https://lore.kernel.org/linux-integrity/20201212180251.9943-1-tusharsu@linux.microsoft.com/) > OK, not yet merged to mainline. It's good you send patches early (speed up the > inclusion to LTP), but we should merge them into LTP once it's at least > already in Mimi tree prepared for sending to Linus. > > Feel free to Cc me in your next kernel patches (It *can* help to speedup the inclusion to LTP). Definitely. > >>> ... >>>> +### IMA SELinux test >>>> + >>>> +To enable IMA to measure SELinux state and policy, `ima_selinux_policy.sh` >>>> +and `ima_selinux_state.sh` require a readable IMA policy, as well as >>>> +a loaded measure policy with >>>> +`measure func=CRITICAL_DATA data_sources=selinux template=ima-buf` >>> I put this into >>> testcases/kernel/security/integrity/ima/datafiles/ima_selinux/selinux.policy >>> and mention it in docs. >> Sounds good - Thanks. > >> "template=ima_buf" is no longer needed in the IMA policy rule since >> "ima_buf" is the default template for buffer measurement now. I will update >> "datafiles/ima_selinux/selinux.policy" file. > > +1 > > ... > >> Thanks a lot for your help Petr. Appreciate it. > yw, thanks for your contributions. 
>
thanks,
-lakshmi
* Re: [PATCH v1 0/1] ima: Add test for selinux measurement

From: Petr Vorel @ 2020-09-29 5:23 UTC (permalink / raw)
To: Lakshmi Ramasubramanian
Cc: zohar, stephen.smalley.work, paul, tusharsu, ltp, linux-integrity

Hi Lakshmi,

Thanks for your patch. FYI I'll try to have a look ASAP, but as there is an LTP freeze and work needed to review fixes before the release, I'll probably review this after the release (1, max. 2 weeks).

Could you please have a look at the fix planned to be part of the release?
https://patchwork.ozlabs.org/project/ltp/list/?series=204230

Kind regards,
Petr

> New functionality is being added to IMA to measure data provided by
> kernel components. With this feature, IMA policy can be set to enable
> measuring data provided by Linux Security Modules (LSM). Currently one
> such LSM namely selinux is being updated to use this functionality.
> This new functionality needs test automation in LTP.

> This patch set adds tests which verify that the IMA subsystem correctly
> measures the data provided by selinux.

> This patch is based on
> commit 286401a1c1f3 ("thp04: Add linux tag")
> in "master" branch in https://github.com/linux-test-project/ltp

> This patch is dependent on the following patch series in LTP
> https://patchwork.kernel.org/patch/11802771/
I put a link to LTP patchwork to avoid the confusion.
https://patchwork.ozlabs.org/project/ltp/list/?series=204486

> This series needs a kernel built on the following repo/branch/patches:
> repo: https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git
> branch: next
> commit 8861d0af642c ("selinux: Add helper functions to get and set checkreqprot")
Thanks for adding this info. It'd be great if it were part of the kernel commit message and also added as a comment in the test itself (we don't want it to get lost).

BTW LTP has 2 kinds of ways of handling kernel versions:

* fixes which are meant to be backported to the stable trees:
  In C API it looks like (here also with CVE entry):
  https://github.com/linux-test-project/ltp/blob/master/testcases/kernel/syscalls/bpf/bpf_prog03.c#L187

	.tags = (const struct tst_tag[]) {
		{"linux-git", "95a762e2c8c9"},
		{"CVE", "2017-16995"},
		{}

  This is not part of the shell API, but I'll add it after the release. Thus we don't want to lose this info.

* new kernel features, which are likely not to be backported
  You either have some way to detect that this feature is present (ideally) or you specify the kernel version since which it should be run.
  This is used in the shell API as:
  https://github.com/linux-test-project/ltp/blob/master/testcases/network/tcp_cc/bbr02.sh#L8

	TST_MIN_KVER="4.13"

> And the following patch series should be applied in the following order:
> 1, https://patchwork.kernel.org/patch/11709527/
> 2, https://patchwork.kernel.org/patch/11795559/
> 3, https://patchwork.kernel.org/patch/11801525/
> 4, https://patchwork.kernel.org/patch/11801585/

Kind regards,
Petr
* Re: [PATCH v1 0/1] ima: Add test for selinux measurement
  2020-09-29 5:23 ` [PATCH v1 0/1] " Petr Vorel
  @ 2020-09-30 14:26 ` Lakshmi Ramasubramanian
  0 siblings, 0 replies; 8+ messages in thread
From: Lakshmi Ramasubramanian @ 2020-09-30 14:26 UTC (permalink / raw)
To: Petr Vorel
Cc: zohar, stephen.smalley.work, paul, tusharsu, ltp, linux-integrity

On 9/28/20 10:23 PM, Petr Vorel wrote:
> Hi Lakshmi,
>
> Thanks for your patch. FYI I'll try to have a look ASAP, but as there is an LTP
> freeze and work needed to review fixes before the release, I'll probably review this
> after the release (1, max. 2 weeks).
>
> Could you please have a look at the fix planned to be part of the release?
> https://patchwork.ozlabs.org/project/ltp/list/?series=204230
>

Will do, Petr.

>
>> New functionality is being added to IMA to measure data provided by
>> kernel components. With this feature, IMA policy can be set to enable
>> measuring data provided by Linux Security Modules (LSM). Currently one
>> such LSM namely selinux is being updated to use this functionality.
>> This new functionality needs test automation in LTP.
>
>> This patch set adds tests which verify that the IMA subsystem correctly
>> measures the data provided by selinux.
>
>> This patch is based on
>> commit 286401a1c1f3 ("thp04: Add linux tag")
>> in "master" branch in https://github.com/linux-test-project/ltp
>
>> This patch is dependent on the following patch series in LTP
>> https://patchwork.kernel.org/patch/11802771/
> I put a link to LTP patchwork to avoid confusion.
> https://patchwork.ozlabs.org/project/ltp/list/?series=204486

Thanks. On the next update I'll add the LTP patchwork URL.

>
>> This series needs a kernel built on the following repo/branch/patches:
>> repo: https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git
>> branch: next
>> commit 8861d0af642c ("selinux: Add helper functions to get and set checkreqprot")
> Thanks for adding this info. It'd be great if it were part of the kernel commit
> message and also added as a comment in the test itself (we don't want it to get
> lost).
>
> BTW LTP has 2 ways of handling kernel versions:
>
> * fixes which are meant to be backported to the stable trees:
>   In the C API it looks like this (here also with a CVE entry):
>   https://github.com/linux-test-project/ltp/blob/master/testcases/kernel/syscalls/bpf/bpf_prog03.c#L187
>
> 	.tags = (const struct tst_tag[]) {
> 		{"linux-git", "95a762e2c8c9"},
> 		{"CVE", "2017-16995"},
> 		{}
> 	},
>
>   This is not part of the shell API, but I'll add it after the release. Thus we
>   don't want to lose this info.
>
> * new kernel features, which are likely not to be backported
>   You either have some way to detect that this feature is present (ideally) or
>   you specify the kernel version since which it should be run.
>   This is used in the shell API as:
>   https://github.com/linux-test-project/ltp/blob/master/testcases/network/tcp_cc/bbr02.sh#L8
>   TST_MIN_KVER="4.13"

Thanks for the info.

-lakshmi

>
>> And the following patch series should be applied in the following order:
>> 1, https://patchwork.kernel.org/patch/11709527/
>> 2, https://patchwork.kernel.org/patch/11795559/
>> 3, https://patchwork.kernel.org/patch/11801525/
>> 4, https://patchwork.kernel.org/patch/11801585/
>
end of thread, other threads:[~2020-12-22 21:06 UTC | newest]

Thread overview: 8+ messages
2020-09-28 19:47 [PATCH v1 0/1] ima: Add test for selinux measurement Lakshmi Ramasubramanian
2020-09-28 19:47 ` [PATCH v1 1/1] " Lakshmi Ramasubramanian
2020-12-18 18:37   ` Petr Vorel
2020-12-22 18:37     ` Lakshmi Ramasubramanian
2020-12-22 19:50       ` Petr Vorel
2020-12-22 21:05         ` Lakshmi Ramasubramanian
2020-09-29  5:23 ` [PATCH v1 0/1] " Petr Vorel
2020-09-30 14:26   ` Lakshmi Ramasubramanian