* [PATCH v4 0/3] IMA: Add test for dm-crypt measurement
@ 2021-05-07 19:14 Petr Vorel
From: Petr Vorel @ 2021-05-07 19:14 UTC (permalink / raw)
To: ltp
Cc: Petr Vorel, Mimi Zohar, Lakshmi Ramasubramanian, Tushar Sugandhi,
linux-integrity
Hi Mimi, Lakshmi, Tushar,
Rebased v3 [1], hope everything is correct.
Could you please review and test it?
v3->v4:
* rewritten "IMA: Generalize key measurement tests"
* new commit "ima_keys.sh: Check policy only once"
Kind regards,
Petr
[1] https://patchwork.ozlabs.org/project/ltp/list/?series=230766&state=*
Petr Vorel (2):
ima_keys.sh: Check policy only once
IMA: Generalize key measurement tests
Tushar Sugandhi (1):
IMA: Add test for dm-crypt measurement
.../kernel/security/integrity/ima/README.md | 20 +++++
.../security/integrity/ima/datafiles/Makefile | 2 +-
.../ima/datafiles/ima_dm_crypt/Makefile | 11 +++
.../ima_dm_crypt/ima_dm_crypt.policy | 1 +
.../integrity/ima/tests/ima_dm_crypt.sh | 47 +++++++++++
.../security/integrity/ima/tests/ima_keys.sh | 84 +++----------------
.../security/integrity/ima/tests/ima_setup.sh | 76 ++++++++++++++++-
7 files changed, 168 insertions(+), 73 deletions(-)
create mode 100644 testcases/kernel/security/integrity/ima/datafiles/ima_dm_crypt/Makefile
create mode 100644 testcases/kernel/security/integrity/ima/datafiles/ima_dm_crypt/ima_dm_crypt.policy
create mode 100755 testcases/kernel/security/integrity/ima/tests/ima_dm_crypt.sh
--
2.31.1
* [PATCH v4 1/3] ima_keys.sh: Check policy only once
From: Petr Vorel @ 2021-05-07 19:14 UTC (permalink / raw)
To: ltp
Cc: Petr Vorel, Mimi Zohar, Lakshmi Ramasubramanian, Tushar Sugandhi,
linux-integrity
No need to check the same policy twice.
Rename to contain 'require' as we use tst_brk.
Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
new in v4
.../security/integrity/ima/tests/ima_keys.sh | 14 +++++---------
1 file changed, 5 insertions(+), 9 deletions(-)
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_keys.sh b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh
index 9951ab999..3476b8007 100755
--- a/testcases/kernel/security/integrity/ima/tests/ima_keys.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh
@@ -1,7 +1,7 @@
#!/bin/sh
# SPDX-License-Identifier: GPL-2.0-or-later
# Copyright (c) 2020 Microsoft Corporation
-# Copyright (c) 2020 Petr Vorel <pvorel@suse.cz>
+# Copyright (c) 2020-2021 Petr Vorel <pvorel@suse.cz>
# Author: Lachlan Sneff <t-josne@linux.microsoft.com>
#
# Verify that keys are measured correctly based on policy.
@@ -20,6 +20,7 @@ REQUIRED_POLICY="^measure.*$FUNC_KEYCHECK"
setup()
{
require_ima_policy_content "$REQUIRED_POLICY" '-E' > $TST_TMPDIR/policy.txt
+ require_valid_policy_template
}
cleanup()
@@ -27,15 +28,14 @@ cleanup()
tst_is_num $KEYRING_ID && keyctl clear $KEYRING_ID
}
-check_policy_template()
+
+require_valid_policy_template()
{
while read line; do
if echo $line | grep -q 'template=' && ! echo $line | grep -q 'template=ima-buf'; then
- tst_res TCONF "only template=ima-buf can be specified for KEY_CHECK"
- return 1
+ tst_brk TCONF "only template=ima-buf can be specified for KEY_CHECK"
fi
done < $TST_TMPDIR/policy.txt
- return 0
}
check_keys_policy()
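Review bot: the added `+` blank line before `require_valid_policy_template()` follows the blank context line after `cleanup()`'s closing `}`, so the file ends up with two consecutive blank lines there; drop the added one. While the loop is being touched, `read -r line` and `echo "$line"` would keep backslashes and glob characters in policy text from being interpreted, although the rules this test looks for are not affected today.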
@@ -59,8 +59,6 @@ test1()
tst_res TINFO "verify key measurement for keyrings and templates specified in IMA policy"
- check_policy_template || return
-
check_keys_policy "$pattern" > $tmp_file || return
keycheck_lines=$(cat $tmp_file)
keyrings=$(for i in $keycheck_lines; do echo "$i" | grep "keyrings" | \
@@ -115,8 +113,6 @@ test2()
tst_res TINFO "verify measurement of certificate imported into a keyring"
- check_policy_template || return
-
check_keys_policy "$pattern" >/dev/null || return
KEYRING_ID=$(keyctl newring $keyring_name @s) || \
--
2.31.1
* [PATCH v4 2/3] IMA: Generalize key measurement tests
From: Petr Vorel @ 2021-05-07 19:14 UTC (permalink / raw)
To: ltp
Cc: Petr Vorel, Mimi Zohar, Lakshmi Ramasubramanian, Tushar Sugandhi,
linux-integrity
Based on Tushar's previous work.
Co-developed-by: Tushar Sugandhi <tusharsu@linux.microsoft.com>
Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
Rewritten
.../security/integrity/ima/tests/ima_keys.sh | 78 +++----------------
.../security/integrity/ima/tests/ima_setup.sh | 76 +++++++++++++++++-
2 files changed, 87 insertions(+), 67 deletions(-)
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_keys.sh b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh
index 3476b8007..571f72d2d 100755
--- a/testcases/kernel/security/integrity/ima/tests/ima_keys.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh
@@ -6,7 +6,7 @@
#
# Verify that keys are measured correctly based on policy.
-TST_NEEDS_CMDS="cmp cut grep sed xxd"
+TST_NEEDS_CMDS="cmp cut grep xxd"
TST_CNT=2
TST_NEEDS_DEVICE=1
TST_SETUP=setup
@@ -14,13 +14,14 @@ TST_CLEANUP=cleanup
. ima_setup.sh
-FUNC_KEYCHECK='func=KEY_CHECK'
-REQUIRED_POLICY="^measure.*$FUNC_KEYCHECK"
+POLICY_FUNC='func=KEY_CHECK'
+REQUIRED_POLICY="^measure.*$POLICY_FUNC"
+POLICY_FILE="$TST_TMPDIR/policy.txt"
setup()
{
- require_ima_policy_content "$REQUIRED_POLICY" '-E' > $TST_TMPDIR/policy.txt
- require_valid_policy_template
+ require_ima_policy_content "$REQUIRED_POLICY" '-E' > $POLICY_FILE
+ require_valid_policy_template $FUNC $POLICY_FILE
}
cleanup()
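Review bot: `require_valid_policy_template $FUNC $POLICY_FILE` references `$FUNC`, but this patch renames the variable to `POLICY_FUNC`, so `$FUNC` expands to nothing, the policy file becomes `$1`, `$2` is empty and the `done < $policy_file` redirect in the library function has no target. Use `$POLICY_FUNC` (and quote both arguments): `require_valid_policy_template "$POLICY_FUNC" "$POLICY_FILE"`.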
@@ -28,74 +29,19 @@ cleanup()
tst_is_num $KEYRING_ID && keyctl clear $KEYRING_ID
}
-
-require_valid_policy_template()
-{
- while read line; do
- if echo $line | grep -q 'template=' && ! echo $line | grep -q 'template=ima-buf'; then
- tst_brk TCONF "only template=ima-buf can be specified for KEY_CHECK"
- fi
- done < $TST_TMPDIR/policy.txt
-}
-
-check_keys_policy()
-{
- local pattern="$1"
-
- if ! grep -E "$pattern" $TST_TMPDIR/policy.txt; then
- tst_res TCONF "IMA policy must specify $pattern, $FUNC_KEYCHECK"
- return 1
- fi
- return 0
-}
-
# Based on https://lkml.org/lkml/2019/12/13/564.
# (450d0fd51564 - "IMA: Call workqueue functions to measure queued keys")
test1()
{
local keycheck_lines i keyrings templates
local pattern='keyrings=[^[:space:]]+'
- local test_file="file.txt" tmp_file="file2.txt"
+ local policy="keyrings"
+ local tmp_file="$TST_TMPDIR/keycheck_tmp_file.txt"
tst_res TINFO "verify key measurement for keyrings and templates specified in IMA policy"
- check_keys_policy "$pattern" > $tmp_file || return
- keycheck_lines=$(cat $tmp_file)
- keyrings=$(for i in $keycheck_lines; do echo "$i" | grep "keyrings" | \
- sed "s/\./\\\./g" | cut -d'=' -f2; done | sed ':a;N;$!ba;s/\n/|/g')
- if [ -z "$keyrings" ]; then
- tst_res TCONF "IMA policy has a keyring key-value specifier, but no specified keyrings"
- return
- fi
-
- templates=$(for i in $keycheck_lines; do echo "$i" | grep "template" | \
- cut -d'=' -f2; done | sed ':a;N;$!ba;s/\n/|/g')
-
- tst_res TINFO "keyrings: '$keyrings'"
- tst_res TINFO "templates: '$templates'"
-
- grep -E "($templates).*($keyrings)" $ASCII_MEASUREMENTS | while read line
- do
- local digest expected_digest algorithm
-
- digest=$(echo "$line" | cut -d' ' -f4 | cut -d':' -f2)
- algorithm=$(echo "$line" | cut -d' ' -f4 | cut -d':' -f1)
- keyring=$(echo "$line" | cut -d' ' -f5)
-
- echo "$line" | cut -d' ' -f6 | xxd -r -p > $test_file
-
- if ! expected_digest="$(compute_digest $algorithm $test_file)"; then
- tst_res TCONF "cannot compute digest for $algorithm"
- return
- fi
-
- if [ "$digest" != "$expected_digest" ]; then
- tst_res TFAIL "incorrect digest was found for $keyring keyring"
- return
- fi
- done
-
- tst_res TPASS "specified keyrings were measured correctly"
+ check_policy_pattern "$pattern" $POLICY_FUNC $POLICY_FILE > $tmp_file || return
+ test_policy_measurement $policy $temp_file
}
# Create a new keyring, import a certificate into it, and verify
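Review bot: `test_policy_measurement $policy $temp_file` passes `$temp_file`, but the variable declared two lines above is `tmp_file`, so the second argument is empty and `cat $2` in the library function reads stdin rather than the matched policy lines; it should be `test_policy_measurement $policy $tmp_file`. With the body moved to ima_setup.sh, `keycheck_lines i keyrings templates` in the `local` declaration are no longer used in `test1` and can be dropped.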
@@ -109,11 +55,11 @@ test2()
local cert_file="$TST_DATAROOT/x509_ima.der"
local keyring_name="key_import_test"
local pattern="keyrings=[^[:space:]]*$keyring_name"
- local temp_file="file.txt"
+ local temp_file="$TST_TMPDIR/key_import_test_file.txt"
tst_res TINFO "verify measurement of certificate imported into a keyring"
- check_keys_policy "$pattern" >/dev/null || return
+ check_policy_pattern "$pattern" $POLICY_FUNC $POLICY_FILE >/dev/null || return
KEYRING_ID=$(keyctl newring $keyring_name @s) || \
tst_brk TBROK "unable to create a new keyring"
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
index 565f0bc3e..b442d49be 100644
--- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
@@ -1,7 +1,7 @@
#!/bin/sh
# SPDX-License-Identifier: GPL-2.0-or-later
# Copyright (c) 2009 IBM Corporation
-# Copyright (c) 2018-2020 Petr Vorel <pvorel@suse.cz>
+# Copyright (c) 2018-2021 Petr Vorel <pvorel@suse.cz>
# Author: Mimi Zohar <zohar@linux.ibm.com>
TST_TESTFUNC="test"
@@ -54,6 +54,80 @@ compute_digest()
return 1
}
+require_valid_policy_template()
+{
+ local func="$1"
+ local policy_file="$2"
+
+ while read line; do
+ if echo $line | grep -q 'template=' && ! echo $line | grep -q 'template=ima-buf'; then
+ tst_brk TCONF "only template=ima-buf can be specified for $func"
+ fi
+ done < $policy_file
+}
+
+check_policy_pattern()
+{
+ local pattern="$1"
+ local func="$2"
+ local policy_file="$3"
+
+ if ! grep -E "$pattern" $policy_file; then
+ tst_res TCONF "IMA policy must specify $pattern, $func"
+ return 1
+ fi
+ return 0
+}
+
+test_policy_measurement()
+{
+ local policy_option="$1"
+ local lines="$(cat $2)"
+ local input_digest="$3"
+ local test_file="$TST_TMPDIR/test.txt"
+ local grep_file="$TST_TMPDIR/grep.txt"
+ local i sources templates
+
+ tst_require_cmds cut sed xxd
+
+ sources=$(for i in $lines; do echo "$i" | grep "$policy_option" | \
+ sed "s/\./\\\./g" | cut -d'=' -f2; done | sed ':a;N;$!ba;s/\n/|/g')
+ if [ -z "$sources" ]; then
+ tst_res TCONF "IMA policy $policy_option is a key-value specifier, but no values specified"
+ return
+ fi
+
+ templates=$(for i in $lines; do echo "$i" | grep "template" | \
+ cut -d'=' -f2; done | sed ':a;N;$!ba;s/\n/|/g')
+
+ tst_res TINFO "policy sources: '$sources'"
+ tst_res TINFO "templates: '$templates'"
+
+ grep -E "($templates).*($sources)" $ASCII_MEASUREMENTS > $grep_file
+
+ while read line; do
+ local algorithm digest expected_digest src_line
+
+ digest=$(echo "$line" | cut -d' ' -f4 | cut -d':' -f2)
+ algorithm=$(echo "$line" | cut -d' ' -f4 | cut -d':' -f1)
+ src_line=$(echo "$line" | cut -d' ' -f5)
+
+ echo "$line" | cut -d' ' -f6 | xxd -r -p > $test_file
+
+ if ! expected_digest="$(compute_digest $algorithm $test_file)"; then
+ tst_res TCONF "cannot compute digest for $algorithm"
+ return
+ fi
+
+ if [ "$digest" != "$expected_digest" ]; then
+ tst_res TFAIL "incorrect digest was found for $src_line $policy_option"
+ return
+ fi
+ done < $grep_file
+
+ tst_res TPASS "$policy_option measured correctly"
+}
+
check_policy_readable()
{
if [ ! -f $IMA_POLICY ]; then
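Review bot: in `test_policy_measurement`, when `grep -E "($templates).*($sources)" $ASCII_MEASUREMENTS > $grep_file` matches nothing, the `while` loop never runs and the function still reports `TPASS "$policy_option measured correctly"` with zero measurements verified; add a guard before the loop such as `[ -s $grep_file ] || tst_res TFAIL "no measurement matching ($templates).*($sources) found"`, otherwise a policy that is loaded but not acted on by the kernel passes. `local input_digest="$3"` is declared but never used; either drop the parameter or compare it against the measured digest, which is what the dm-crypt caller in 3/3 appears to expect. Reading the loop from `$grep_file` instead of a pipe is the right change: in the old ima_keys.sh code, `return` inside `grep ... | while read line` only left the pipeline's subshell, so the trailing TPASS was printed even after a TFAIL.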
--
2.31.1
* [PATCH v4 3/3] IMA: Add test for dm-crypt measurement
From: Petr Vorel @ 2021-05-07 19:14 UTC (permalink / raw)
To: ltp
Cc: Tushar Sugandhi, Mimi Zohar, Lakshmi Ramasubramanian,
linux-integrity, Petr Vorel
From: Tushar Sugandhi <tusharsu@linux.microsoft.com>
New functionality is being added to IMA to measure data provided by
kernel components. With this feature, IMA policy can be set to enable
measuring data provided by device-mapper targets. Currently one such
device-mapper target, dm-crypt, is being updated to use this
functionality. This new functionality needs test automation in LTP.
Add a testcase which verifies that the IMA subsystem correctly measures
the data coming from a device-mapper target, dm-crypt.
Reviewed-by: Petr Vorel <pvorel@suse.cz>
Signed-off-by: Tushar Sugandhi <tusharsu@linux.microsoft.com>
[ pvorel: rebased: removed template=ima-buf, added policy example, cleanup ]
Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
The same as in v3.
.../kernel/security/integrity/ima/README.md | 20 ++++++++
.../security/integrity/ima/datafiles/Makefile | 2 +-
.../ima/datafiles/ima_dm_crypt/Makefile | 11 +++++
.../ima_dm_crypt/ima_dm_crypt.policy | 1 +
.../integrity/ima/tests/ima_dm_crypt.sh | 47 +++++++++++++++++++
5 files changed, 80 insertions(+), 1 deletion(-)
create mode 100644 testcases/kernel/security/integrity/ima/datafiles/ima_dm_crypt/Makefile
create mode 100644 testcases/kernel/security/integrity/ima/datafiles/ima_dm_crypt/ima_dm_crypt.policy
create mode 100755 testcases/kernel/security/integrity/ima/tests/ima_dm_crypt.sh
diff --git a/testcases/kernel/security/integrity/ima/README.md b/testcases/kernel/security/integrity/ima/README.md
index 5b261a191..767d98a22 100644
--- a/testcases/kernel/security/integrity/ima/README.md
+++ b/testcases/kernel/security/integrity/ima/README.md
@@ -65,6 +65,26 @@ CONFIG_SECURITY_SELINUX=y
CONFIG_IMA_READ_POLICY=y
```
+### IMA DM target (dm-crypt) measurement test
+
+To enable IMA to measure device-mapper target - dm-crypt,
+`ima_dm_crypt.sh` requires a readable IMA policy, as well as
+a loaded measure policy with `func=CRITICAL_DATA data_sources=dm-crypt`,
+see example in `ima_dm_crypt.policy`.
+
+As well as what's required for the IMA tests, dm-crypt measurement test require
+reading the IMA policy allowed in the kernel configuration:
+```
+CONFIG_IMA_READ_POLICY=y
+```
+
+The following kernel configuration is also required. It enables compiling
+the device-mapper target module dm-crypt, which allows to create a device
+that transparently encrypts the data on it.
+```
+CONFIG_DM_CRYPT
+```
+
## EVM tests
`evm_overlay.sh` requires a builtin IMA appraise tcb policy (e.g. `ima_policy=appraise_tcb`
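Review bot: grammar in the added README section: "dm-crypt measurement test require reading" should be "requires reading", and "which allows to create a device" should be "which allows creating a device". The second config snippet lists `CONFIG_DM_CRYPT` without a value; write `CONFIG_DM_CRYPT=y` (or `=m`) so it matches the `CONFIG_IMA_READ_POLICY=y` snippet above and is unambiguous. The opening sentence conflates the kernel feature with the test's prerequisites; "To run `ima_dm_crypt.sh`, a readable IMA policy and a loaded measure rule with `func=CRITICAL_DATA data_sources=dm-crypt` are required" reads more clearly.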
diff --git a/testcases/kernel/security/integrity/ima/datafiles/Makefile b/testcases/kernel/security/integrity/ima/datafiles/Makefile
index 280175b17..eef857c41 100644
--- a/testcases/kernel/security/integrity/ima/datafiles/Makefile
+++ b/testcases/kernel/security/integrity/ima/datafiles/Makefile
@@ -26,6 +26,6 @@ top_srcdir ?= ../../../../../..
include $(top_srcdir)/include/mk/env_pre.mk
-SUBDIRS := ima_kexec ima_keys ima_policy ima_selinux
+SUBDIRS := ima_dm_crypt ima_kexec ima_keys ima_policy
include $(top_srcdir)/include/mk/generic_trunk_target.mk
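Review bot: the new `SUBDIRS` line drops `ima_selinux` while adding `ima_dm_crypt`, which would stop the SELinux test's datafiles from being installed; unless that removal is intended, it should read `SUBDIRS := ima_dm_crypt ima_kexec ima_keys ima_policy ima_selinux`.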
diff --git a/testcases/kernel/security/integrity/ima/datafiles/ima_dm_crypt/Makefile b/testcases/kernel/security/integrity/ima/datafiles/ima_dm_crypt/Makefile
new file mode 100644
index 000000000..d9efdce3f
--- /dev/null
+++ b/testcases/kernel/security/integrity/ima/datafiles/ima_dm_crypt/Makefile
@@ -0,0 +1,11 @@
+# SPDX-License-Identifier: GPL-2.0-or-later
+# Copyright (c) Linux Test Project, 2021
+
+top_srcdir ?= ../../../../../../..
+
+include $(top_srcdir)/include/mk/env_pre.mk
+
+INSTALL_DIR := testcases/data/ima_dm_crypt
+INSTALL_TARGETS := *.policy
+
+include $(top_srcdir)/include/mk/generic_leaf_target.mk
diff --git a/testcases/kernel/security/integrity/ima/datafiles/ima_dm_crypt/ima_dm_crypt.policy b/testcases/kernel/security/integrity/ima/datafiles/ima_dm_crypt/ima_dm_crypt.policy
new file mode 100644
index 000000000..226b6a4b7
--- /dev/null
+++ b/testcases/kernel/security/integrity/ima/datafiles/ima_dm_crypt/ima_dm_crypt.policy
@@ -0,0 +1 @@
+measure func=CRITICAL_DATA data_sources=dm-crypt template=ima-buf
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_dm_crypt.sh b/testcases/kernel/security/integrity/ima/tests/ima_dm_crypt.sh
new file mode 100755
index 000000000..5c4842245
--- /dev/null
+++ b/testcases/kernel/security/integrity/ima/tests/ima_dm_crypt.sh
@@ -0,0 +1,47 @@
+#!/bin/sh
+# SPDX-License-Identifier: GPL-2.0-or-later
+# Copyright (c) 2021 Microsoft Corporation
+# Copyright (c) 2021 Petr Vorel <pvorel@suse.cz>
+# Author: Tushar Sugandhi <tusharsu@linux.microsoft.com>
+#
+# Verify that DM target dm-crypt are measured correctly based on policy.
+#
+# fdd1ffe8a812 ("selinux: include a consumer of the new IMA critical data hook")
+# from v5.12
+
+TST_NEEDS_CMDS="dmsetup"
+TST_NEEDS_DEVICE=1
+TST_SETUP=setup
+TST_CLEANUP=cleanup
+
+. ima_setup.sh
+
+POLICY_FUNC='func=CRITICAL_DATA'
+PATTERN='data_sources=[^[:space:]]+'
+REQUIRED_POLICY="^measure.*($FUNC.*$PATTERN|$PATTERN.*$FUNC)"
+POLICY_FILE="$TST_TMPDIR/policy.txt"
+
+setup()
+{
+ require_ima_policy_content "$REQUIRED_POLICY" '-E' > $POLICY_FILE
+ require_valid_policy_template $FUNC $POLICY_FILE
+}
+
+cleanup()
+{
+ [ "$dmsetup_run" ] || return
+ dmsetup remove test-crypt
+}
+
+test1()
+{
+ local input_digest="039d8ff71918608d585adca3e5aab2e3f41f84d6"
+ local key="faf453b4ee938cff2f0d2c869a0b743f59125c0a37f5bcd8f1dbbd911a78abaa"
+
+ tst_res TINFO "verifying dm-crypt target measurement"
+
+ ROD dmsetup create test-crypt --table "0 1953125 crypt aes-xts-plain64 $key 0 /dev/loop0 0 1 allow_discards"
+ check_policy_measurement $policy $POLICY_FILE $input_digest
+}
+
+tst_run
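Review bot: `$FUNC` is never defined in this file (the variable is `POLICY_FUNC`), so `REQUIRED_POLICY` degrades to `^measure.*(.*data_sources=[^[:space:]]+|data_sources=[^[:space:]]+.*)` and accepts any measure rule carrying `data_sources=` regardless of its `func=`, and `require_valid_policy_template $FUNC $POLICY_FILE` receives the policy file as its first argument and nothing as its second. In `test1`, `check_policy_measurement` does not exist (2/3 adds `test_policy_measurement` to ima_setup.sh) and `$policy` is unset; the intended call is presumably `test_policy_measurement data_sources $POLICY_FILE`, and `input_digest` can go unless the library function is taught to compare it. `dmsetup_run` is never assigned, so `cleanup` never removes the `test-crypt` device. Since the test sets `TST_NEEDS_DEVICE=1`, the table should use `$TST_DEVICE` and its size (for example from `blockdev --getsz`) rather than the hard-coded `/dev/loop0` and `1953125` sectors, which may not exist or may belong to something else on the test machine. Minor: the header comment should read "dm-crypt is measured correctly".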
--
2.31.1
* Re: [PATCH v4 1/3] ima_keys.sh: Check policy only once
From: Lakshmi Ramasubramanian @ 2021-05-10 14:47 UTC (permalink / raw)
To: Petr Vorel, ltp; +Cc: Mimi Zohar, Tushar Sugandhi, linux-integrity
On 5/7/21 12:14 PM, Petr Vorel wrote:
> Not needed to check the same policy twice.
> Rename to contain 'require' as we use tst_brk.
>
> Signed-off-by: Petr Vorel <pvorel@suse.cz>
> ---
> new in v4
>
> .../security/integrity/ima/tests/ima_keys.sh | 14 +++++---------
> 1 file changed, 5 insertions(+), 9 deletions(-)
Reviewed-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
>
> diff --git a/testcases/kernel/security/integrity/ima/tests/ima_keys.sh b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh
> index 9951ab999..3476b8007 100755
> --- a/testcases/kernel/security/integrity/ima/tests/ima_keys.sh
> +++ b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh
> @@ -1,7 +1,7 @@
> #!/bin/sh
> # SPDX-License-Identifier: GPL-2.0-or-later
> # Copyright (c) 2020 Microsoft Corporation
> -# Copyright (c) 2020 Petr Vorel <pvorel@suse.cz>
> +# Copyright (c) 2020-2021 Petr Vorel <pvorel@suse.cz>
> # Author: Lachlan Sneff <t-josne@linux.microsoft.com>
> #
> # Verify that keys are measured correctly based on policy.
> @@ -20,6 +20,7 @@ REQUIRED_POLICY="^measure.*$FUNC_KEYCHECK"
> setup()
> {
> require_ima_policy_content "$REQUIRED_POLICY" '-E' > $TST_TMPDIR/policy.txt
> + require_valid_policy_template
> }
>
> cleanup()
> @@ -27,15 +28,14 @@ cleanup()
> tst_is_num $KEYRING_ID && keyctl clear $KEYRING_ID
> }
>
> -check_policy_template()
> +
> +require_valid_policy_template()
> {
> while read line; do
> if echo $line | grep -q 'template=' && ! echo $line | grep -q 'template=ima-buf'; then
> - tst_res TCONF "only template=ima-buf can be specified for KEY_CHECK"
> - return 1
> + tst_brk TCONF "only template=ima-buf can be specified for KEY_CHECK"
> fi
> done < $TST_TMPDIR/policy.txt
> - return 0
> }
>
> check_keys_policy()
> @@ -59,8 +59,6 @@ test1()
>
> tst_res TINFO "verify key measurement for keyrings and templates specified in IMA policy"
>
> - check_policy_template || return
> -
> check_keys_policy "$pattern" > $tmp_file || return
> keycheck_lines=$(cat $tmp_file)
> keyrings=$(for i in $keycheck_lines; do echo "$i" | grep "keyrings" | \
> @@ -115,8 +113,6 @@ test2()
>
> tst_res TINFO "verify measurement of certificate imported into a keyring"
>
> - check_policy_template || return
> -
> check_keys_policy "$pattern" >/dev/null || return
>
> KEYRING_ID=$(keyctl newring $keyring_name @s) || \
>
* Re: [PATCH v4 1/3] ima_keys.sh: Check policy only once
From: Petr Vorel @ 2021-05-10 17:28 UTC (permalink / raw)
To: Lakshmi Ramasubramanian; +Cc: ltp, Mimi Zohar, Tushar Sugandhi, linux-integrity
Hi all,
> On 5/7/21 12:14 PM, Petr Vorel wrote:
> > Not needed to check the same policy twice.
> > Rename to contain 'require' as we use tst_brk.
> Reviewed-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
Thanks Lakshmi, merged this one.
And waiting for the other two till Tushar manages to get
the dm-crypt related code to mainline. Good luck!
Kind regards,
Petr