From: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
To: pvorel@suse.cz, zohar@linux.ibm.com
Cc: tusharsu@linux.microsoft.com, ltp@lists.linux.it,
linux-integrity@vger.kernel.org
Subject: [PATCH v4] IMA: Allow only ima-buf template for key measurement
Date: Mon, 22 Mar 2021 10:37:09 -0700 [thread overview]
Message-ID: <20210322173709.22150-1-nramas@linux.microsoft.com> (raw)
ima-buf is the default IMA template used for all buffer measurements.
Therefore, IMA policy rule for measuring keys need not specify
an IMA template. But if a template is specified for key measurement
rule then it must be only ima-buf.
Update keys tests to not require a template to be specified for
key measurement rule, but if a template is specified verify it is
only ima-buf.
Signed-off-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
---
.../kernel/security/integrity/ima/README.md | 9 +++++++++
.../security/integrity/ima/tests/ima_keys.sh | 20 ++++++++++++++++---
2 files changed, 26 insertions(+), 3 deletions(-)
diff --git a/testcases/kernel/security/integrity/ima/README.md b/testcases/kernel/security/integrity/ima/README.md
index 8f2249767..1aaa734a3 100644
--- a/testcases/kernel/security/integrity/ima/README.md
+++ b/testcases/kernel/security/integrity/ima/README.md
@@ -28,6 +28,15 @@ policy allowed in the kernel configuration:
```
CONFIG_IMA_READ_POLICY=y
```
+If the IMA key tests are executed on Linux kernel v5.6 through v5.10,
+`ima-buf` template should be specified in the IMA policy rule for
+key measurement. For example,
+`measure func=KEY_CHECK keyrings=key_import_test template=ima-buf`
+
+If the IMA key tests are executed on Linux kernel v5.11 or later,
+`template=ima-buf` is optional in the IMA policy rule for key measurement.
+For example,
+`measure func=KEY_CHECK keyrings=key_import_test`
### IMA kexec test
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_keys.sh b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh
index c9eef4b68..b9bef4feb 100755
--- a/testcases/kernel/security/integrity/ima/tests/ima_keys.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh
@@ -15,8 +15,7 @@ TST_CLEANUP=cleanup
. ima_setup.sh
FUNC_KEYCHECK='func=KEY_CHECK'
-TEMPLATE_BUF='template=ima-buf'
-REQUIRED_POLICY="^measure.*($FUNC_KEYCHECK.*$TEMPLATE_BUF|$TEMPLATE_BUF.*$FUNC_KEYCHECK)"
+REQUIRED_POLICY="^measure.*$FUNC_KEYCHECK"
setup()
{
@@ -28,12 +27,23 @@ cleanup()
tst_is_num $KEYRING_ID && keyctl clear $KEYRING_ID
}
+check_policy_template()
+{
+ while read line; do
+ if ( echo $line | grep -q 'template=') && ( ! echo $line | grep -q 'template=ima-buf' ); then
+ tst_res TCONF "only template=ima-buf can be specified for KEY_CHECK"
+ return 1
+ fi
+ done < $TST_TMPDIR/policy.txt
+ return 0
+}
+
check_keys_policy()
{
local pattern="$1"
if ! grep -E "$pattern" $TST_TMPDIR/policy.txt; then
- tst_res TCONF "IMA policy must specify $pattern, $FUNC_KEYCHECK, $TEMPLATE_BUF"
+ tst_res TCONF "IMA policy must specify $pattern, $FUNC_KEYCHECK"
return 1
fi
return 0
@@ -49,6 +59,8 @@ test1()
tst_res TINFO "verify key measurement for keyrings and templates specified in IMA policy"
+ check_policy_template || return
+
check_keys_policy "$pattern" > $tmp_file || return
keycheck_lines=$(cat $tmp_file)
keyrings=$(for i in $keycheck_lines; do echo "$i" | grep "keyrings" | \
@@ -101,6 +113,8 @@ test2()
tst_res TINFO "verify measurement of certificate imported into a keyring"
+ check_policy_template || return
+
check_keys_policy "$pattern" >/dev/null || return
KEYRING_ID=$(keyctl newring $keyring_name @s) || \
--
2.30.2
next reply other threads:[~2021-03-22 17:37 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-03-22 17:37 Lakshmi Ramasubramanian [this message]
2021-03-23 7:16 ` [PATCH v4] IMA: Allow only ima-buf template for key measurement Petr Vorel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210322173709.22150-1-nramas@linux.microsoft.com \
--to=nramas@linux.microsoft.com \
--cc=linux-integrity@vger.kernel.org \
--cc=ltp@lists.linux.it \
--cc=pvorel@suse.cz \
--cc=tusharsu@linux.microsoft.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).