linux-integrity.vger.kernel.org archive mirror
* [PATCH v6 0/3] IMA: Add tests for uid, gid, fowner, and fgroup options
@ 2021-09-22 11:53 Petr Vorel
  2021-09-22 11:53 ` [PATCH v6 1/3] IMA: Move check_policy_writable() to ima_setup.sh and rename it Petr Vorel
                   ` (2 more replies)
  0 siblings, 3 replies; 6+ messages in thread
From: Petr Vorel @ 2021-09-22 11:53 UTC (permalink / raw)
  To: ltp; +Cc: Petr Vorel, Alex Henrie, alexhenrie24, linux-integrity, Mimi Zohar

Hi,

I've fixed Alex's v5.

changes v5->v6:
* add test_file parameter to ima_check() (using global for function is ugly)
* keep $TEST_FILE in ima_measurements.sh
* add verify_measurement() (DRY)

Alex Henrie (3):
  IMA: Move check_policy_writable() to ima_setup.sh and rename it
  IMA: Move ima_check to ima_setup.sh
  IMA: Add tests for uid, gid, fowner, and fgroup options

 runtest/ima                                   |  1 +
 .../integrity/ima/tests/ima_conditionals.sh   | 62 +++++++++++++++++++
 .../integrity/ima/tests/ima_measurements.sh   | 31 +---------
 .../integrity/ima/tests/ima_policy.sh         | 16 +----
 .../security/integrity/ima/tests/ima_setup.sh | 38 ++++++++++++
 5 files changed, 106 insertions(+), 42 deletions(-)
 create mode 100755 testcases/kernel/security/integrity/ima/tests/ima_conditionals.sh

-- 
2.33.0



* [PATCH v6 1/3] IMA: Move check_policy_writable() to ima_setup.sh and rename it
  2021-09-22 11:53 [PATCH v6 0/3] IMA: Add tests for uid, gid, fowner, and fgroup options Petr Vorel
@ 2021-09-22 11:53 ` Petr Vorel
  2021-09-22 11:53 ` [PATCH v6 2/3] IMA: Move ima_check to ima_setup.sh Petr Vorel
  2021-09-22 11:53 ` [PATCH v6 3/3] IMA: Add tests for uid, gid, fowner, and fgroup options Petr Vorel
  2 siblings, 0 replies; 6+ messages in thread
From: Petr Vorel @ 2021-09-22 11:53 UTC (permalink / raw)
  To: ltp; +Cc: Alex Henrie, alexhenrie24, linux-integrity, Mimi Zohar, Petr Vorel

From: Alex Henrie <alexh@vpitech.com>

Suggested-by: Petr Vorel <pvorel@suse.cz>
Reviewed-by: Petr Vorel <pvorel@suse.cz>
Signed-off-by: Alex Henrie <alexh@vpitech.com>
Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
 .../security/integrity/ima/tests/ima_policy.sh   | 16 +++-------------
 .../security/integrity/ima/tests/ima_setup.sh    | 10 ++++++++++
 2 files changed, 13 insertions(+), 13 deletions(-)

diff --git a/testcases/kernel/security/integrity/ima/tests/ima_policy.sh b/testcases/kernel/security/integrity/ima/tests/ima_policy.sh
index 244cf081d..8924549df 100755
--- a/testcases/kernel/security/integrity/ima/tests/ima_policy.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_policy.sh
@@ -11,19 +11,9 @@ TST_CNT=2
 
 . ima_setup.sh
 
-check_policy_writable()
-{
-	local err="IMA policy already loaded and kernel not configured to enable multiple writes to it (need CONFIG_IMA_WRITE_POLICY=y)"
-
-	[ -f $IMA_POLICY ] || tst_brk TCONF "$err"
-	# CONFIG_IMA_READ_POLICY
-	echo "" 2> log > $IMA_POLICY
-	grep -q "Device or resource busy" log && tst_brk TCONF "$err"
-}
-
 setup()
 {
-	check_policy_writable
+	require_policy_writable
 
 	VALID_POLICY="$TST_DATAROOT/measure.policy"
 	[ -f $VALID_POLICY ] || tst_brk TCONF "missing $VALID_POLICY"
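Review bot: setup() now calls require_policy_writable() and test1()/test2() further down repeat the same call immediately before their load_policy; a one-line comment above the repeated calls saying why the writability probe is redone per test would help, because on first reading they look redundant with the check in setup(). The rename itself is consistent with the existing require_policy_readable() in ima_setup.sh, which is what the second file of this patch extends.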
@@ -55,7 +45,7 @@ test1()
 
 	local p1
 
-	check_policy_writable
+	require_policy_writable
 	load_policy $INVALID_POLICY & p1=$!
 	wait "$p1"
 	if [ $? -ne 0 ]; then
@@ -71,7 +61,7 @@ test2()
 
 	local p1 p2 rc1 rc2
 
-	check_policy_writable
+	require_policy_writable
 	load_policy $VALID_POLICY & p1=$!
 	load_policy $VALID_POLICY & p2=$!
 	wait "$p1"; rc1=$?
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
index 565f0bc3e..9c25d634d 100644
--- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
@@ -73,6 +73,16 @@ require_policy_readable()
 	fi
 }
 
+require_policy_writable()
+{
+	local err="IMA policy already loaded and kernel not configured to enable multiple writes to it (need CONFIG_IMA_WRITE_POLICY=y)"
+
+	[ -f $IMA_POLICY ] || tst_brk TCONF "$err"
+	# CONFIG_IMA_READ_POLICY
+	echo "" 2> log > $IMA_POLICY
+	grep -q "Device or resource busy" log && tst_brk TCONF "$err"
+}
+
 check_ima_policy_content()
 {
 	local pattern="$1"
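Review bot: the comment `# CONFIG_IMA_READ_POLICY` above `echo "" 2> log > $IMA_POLICY` is misleading, since that line probes whether the policy file accepts a write (the CONFIG_IMA_WRITE_POLICY case named in $err) and the grep for "Device or resource busy" is what decides the TCONF; as the function is being moved anyway, reword the comment to say it is a write probe. Two smaller points: stderr is captured into a relative file named `log` in the current directory rather than a `tst_`-managed temporary, and `[ -f $IMA_POLICY ]` should quote the variable, as ima_measurements.sh already does with `[ -f "$IMA_POLICY" ]`.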
-- 
2.33.0



* [PATCH v6 2/3] IMA: Move ima_check to ima_setup.sh
  2021-09-22 11:53 [PATCH v6 0/3] IMA: Add tests for uid, gid, fowner, and fgroup options Petr Vorel
  2021-09-22 11:53 ` [PATCH v6 1/3] IMA: Move check_policy_writable() to ima_setup.sh and rename it Petr Vorel
@ 2021-09-22 11:53 ` Petr Vorel
  2021-09-22 11:53 ` [PATCH v6 3/3] IMA: Add tests for uid, gid, fowner, and fgroup options Petr Vorel
  2 siblings, 0 replies; 6+ messages in thread
From: Petr Vorel @ 2021-09-22 11:53 UTC (permalink / raw)
  To: ltp; +Cc: Alex Henrie, alexhenrie24, linux-integrity, Mimi Zohar, Petr Vorel

From: Alex Henrie <alexh@vpitech.com>

Reviewed-by: Petr Vorel <pvorel@suse.cz>
Signed-off-by: Alex Henrie <alexh@vpitech.com>
[ pvorel: add test_file parameter to ima_check(), keep $TEST_FILE in
ima_measurements.sh ]
Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
 .../integrity/ima/tests/ima_measurements.sh   | 31 ++-----------------
 .../security/integrity/ima/tests/ima_setup.sh | 28 +++++++++++++++++
 2 files changed, 30 insertions(+), 29 deletions(-)

diff --git a/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh b/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh
index ef8577d30..a83c416de 100755
--- a/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh
@@ -21,33 +21,6 @@ setup()
 	[ -f "$IMA_POLICY" ] || tst_res TINFO "not using default policy"
 }
 
-ima_check()
-{
-	local algorithm digest expected_digest line tmp
-
-	# need to read file to get updated $ASCII_MEASUREMENTS
-	cat $TEST_FILE > /dev/null
-
-	line="$(grep $TEST_FILE $ASCII_MEASUREMENTS | tail -1)"
-
-	if tmp=$(get_algorithm_digest "$line"); then
-		algorithm=$(echo "$tmp" | cut -d'|' -f1)
-		digest=$(echo "$tmp" | cut -d'|' -f2)
-	else
-		tst_res TBROK "failed to get algorithm/digest for '$TEST_FILE': $tmp"
-	fi
-
-	tst_res TINFO "computing digest for $algorithm algorithm"
-	expected_digest="$(compute_digest $algorithm $TEST_FILE)" || \
-		tst_brk TCONF "cannot compute digest for $algorithm algorithm"
-
-	if [ "$digest" = "$expected_digest" ]; then
-		tst_res TPASS "correct digest found"
-	else
-		tst_res TFAIL "digest not found"
-	fi
-}
-
 check_iversion_support()
 {
 	local device mount fs
@@ -83,7 +56,7 @@ test1()
 {
 	tst_res TINFO "verify adding record to the IMA measurement list"
 	ROD echo "$(date) this is a test file" \> $TEST_FILE
-	ima_check
+	ima_check $TEST_FILE
 }
 
 test2()
@@ -92,7 +65,7 @@ test2()
 	tst_res TINFO "verify updating record in the IMA measurement list"
 	check_iversion_support || return
 	ROD echo "$(date) modified file" \> $TEST_FILE
-	ima_check
+	ima_check $TEST_FILE
 }
 
 test3()
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
index 9c25d634d..af7f3a5f5 100644
--- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
@@ -279,6 +279,34 @@ get_algorithm_digest()
 	echo "$algorithm|$digest"
 }
 
+ima_check()
+{
+	local test_file="$1"
+	local algorithm digest expected_digest line tmp
+
+	# need to read file to get updated $ASCII_MEASUREMENTS
+	cat $test_file > /dev/null
+
+	line="$(grep $test_file $ASCII_MEASUREMENTS | tail -1)"
+
+	if tmp=$(get_algorithm_digest "$line"); then
+		algorithm=$(echo "$tmp" | cut -d'|' -f1)
+		digest=$(echo "$tmp" | cut -d'|' -f2)
+	else
+		tst_res TBROK "failed to get algorithm/digest for '$test_file': $tmp"
+	fi
+
+	tst_res TINFO "computing digest for $algorithm algorithm"
+	expected_digest="$(compute_digest $algorithm $test_file)" || \
+		tst_brk TCONF "cannot compute digest for $algorithm algorithm"
+
+	if [ "$digest" = "$expected_digest" ]; then
+		tst_res TPASS "correct digest found"
+	else
+		tst_res TFAIL "digest not found"
+	fi
+}
+
 # check_evmctl REQUIRED_TPM_VERSION
 # return: 0: evmctl is new enough, 1: version older than required (or version < v0.9)
 check_evmctl()
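Review bot: the `else` branch with `tst_res TBROK "failed to get algorithm/digest for '$test_file': $tmp"` does not stop the function, so when get_algorithm_digest fails the code continues to `compute_digest $algorithm $test_file` with an empty $algorithm and reports a second, confusing TCONF; use `tst_brk TBROK` there (or `return`). Also, `grep $test_file $ASCII_MEASUREMENTS` passes the path as an unquoted regular expression and matches any line containing it as a substring, so `tail -1` can pick up a measurement of a different file whose name merely contains $test_file (for example a constructed `$test_file.bak`); `grep -F` with the argument quoted, or matching the path as the last field of the line, is more robust. Since the function now takes a parameter, document it in a header comment in the style of the `# check_evmctl REQUIRED_TPM_VERSION` line just below.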
-- 
2.33.0



* [PATCH v6 3/3] IMA: Add tests for uid, gid, fowner, and fgroup options
  2021-09-22 11:53 [PATCH v6 0/3] IMA: Add tests for uid, gid, fowner, and fgroup options Petr Vorel
  2021-09-22 11:53 ` [PATCH v6 1/3] IMA: Move check_policy_writable() to ima_setup.sh and rename it Petr Vorel
  2021-09-22 11:53 ` [PATCH v6 2/3] IMA: Move ima_check to ima_setup.sh Petr Vorel
@ 2021-09-22 11:53 ` Petr Vorel
  2021-09-22 17:06   ` Alex Henrie
  2 siblings, 1 reply; 6+ messages in thread
From: Petr Vorel @ 2021-09-22 11:53 UTC (permalink / raw)
  To: ltp; +Cc: Alex Henrie, alexhenrie24, linux-integrity, Mimi Zohar, Petr Vorel

From: Alex Henrie <alexh@vpitech.com>

Requires "ima: add gid support".

Reviewed-by: Petr Vorel <pvorel@suse.cz>
Signed-off-by: Alex Henrie <alexh@vpitech.com>
[ pvorel: add test_file parameter to ima_check(), add
verify_measurement() (DRY) ]
Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
 runtest/ima                                   |  1 +
 .../integrity/ima/tests/ima_conditionals.sh   | 62 +++++++++++++++++++
 2 files changed, 63 insertions(+)
 create mode 100755 testcases/kernel/security/integrity/ima/tests/ima_conditionals.sh

diff --git a/runtest/ima b/runtest/ima
index 29caa034a..01942eefa 100644
--- a/runtest/ima
+++ b/runtest/ima
@@ -6,4 +6,5 @@ ima_violations ima_violations.sh
 ima_keys ima_keys.sh
 ima_kexec ima_kexec.sh
 ima_selinux ima_selinux.sh
+ima_conditionals ima_conditionals.sh
 evm_overlay evm_overlay.sh
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_conditionals.sh b/testcases/kernel/security/integrity/ima/tests/ima_conditionals.sh
new file mode 100755
index 000000000..102d29756
--- /dev/null
+++ b/testcases/kernel/security/integrity/ima/tests/ima_conditionals.sh
@@ -0,0 +1,62 @@
+#!/bin/sh
+# SPDX-License-Identifier: GPL-2.0-or-later
+# Copyright (c) 2021 VPI Technology
+# Copyright (c) 2021 Petr Vorel <pvorel@suse.cz>
+# Author: Alex Henrie <alexh@vpitech.com>
+#
+# Verify that conditional rules work.
+
+TST_NEEDS_CMDS="chgrp chown id sg sudo"
+TST_CNT=1
+TST_NEEDS_DEVICE=1
+
+. ima_setup.sh
+
+verify_measurement()
+{
+	local request="$1"
+	local user="nobody"
+	local test_file="$PWD/test.txt"
+	local cmd="cat $test_file > /dev/null"
+
+	local value="$(id -u $user)"
+	[ "$request" = 'gid' -o "$request" = 'fgroup' ] && value="$(id -g $user)"
+
+	require_policy_writable
+
+	ROD rm -f $test_file
+
+	tst_res TINFO "verify measuring user files when requested via $request"
+	ROD echo "measure $request=$value" \> $IMA_POLICY
+	ROD echo "$(date) $request test" \> $test_file
+
+	case "$request" in
+	fgroup)
+		chgrp $user $test_file
+		$cmd
+	fowner)
+		chown $user $test_file
+		$cmd
+		;;
+	gid) sudo sg $user "sh -c '$cmd'";;
+	uid) sudo -n -u $user sh -c "$cmd";;
+	*) tst_brk TBROK "Invalid res type '$1'";;
+	esac
+
+	ima_check $test_file
+}
+
+test1()
+{
+	verify_measurement uid
+	verify_measurement fowner
+
+	if tst_kvcmp -lt 5.16; then
+		tst_brk TCONF "gid and fgroup options require kernel 5.16 or newer"
+	fi
+
+	verify_measurement gid
+	verify_measurement fgroup
+}
+
+tst_run
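Review bot: the `fgroup)` branch of the `case` is missing its `;;` after `$cmd`, so the script fails to parse at `fowner)`; add the terminator. Second, `cmd="cat $test_file > /dev/null"` executed as bare `$cmd` does not apply the redirection: `>` and `/dev/null` are passed to cat as file arguments, so the test file is still read (and therefore measured) but cat errors on a file literally named `>`. The gid and uid branches already run it through `sh -c "$cmd"`; do the same in the fowner and fgroup branches, or replace the string with a small shell function. Third, `chgrp $user $test_file` and `chown $user $test_file` should be wrapped in ROD like `rm -f` above them, otherwise a failed ownership change silently measures a file with the wrong owner or group and ima_check then reports a misleading TFAIL. Finally, the TBROK message uses `$1` where the function already copied it into `$request`.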
-- 
2.33.0



* Re: [PATCH v6 3/3] IMA: Add tests for uid, gid, fowner, and fgroup options
  2021-09-22 11:53 ` [PATCH v6 3/3] IMA: Add tests for uid, gid, fowner, and fgroup options Petr Vorel
@ 2021-09-22 17:06   ` Alex Henrie
  2021-09-23  9:14     ` Petr Vorel
  0 siblings, 1 reply; 6+ messages in thread
From: Alex Henrie @ 2021-09-22 17:06 UTC (permalink / raw)
  To: Petr Vorel; +Cc: ltp, alexhenrie24, linux-integrity, Mimi Zohar

On Wed, 22 Sep 2021 13:53:10 +0200
Petr Vorel <pvorel@suse.cz> wrote:

> From: Alex Henrie <alexh@vpitech.com>
> 
> Requires "ima: add gid support".
> 
> Reviewed-by: Petr Vorel <pvorel@suse.cz>
> Signed-off-by: Alex Henrie <alexh@vpitech.com>
> [ pvorel: add test_file parameter to ima_check(), add
> verify_measurement() (DRY) ]
> Signed-off-by: Petr Vorel <pvorel@suse.cz>

Thanks Petr for taking over and making the changes you want directly,
that makes my life much easier.

-Alex


* Re: [PATCH v6 3/3] IMA: Add tests for uid, gid, fowner, and fgroup options
  2021-09-22 17:06   ` Alex Henrie
@ 2021-09-23  9:14     ` Petr Vorel
  0 siblings, 0 replies; 6+ messages in thread
From: Petr Vorel @ 2021-09-23  9:14 UTC (permalink / raw)
  To: Alex Henrie; +Cc: ltp, alexhenrie24, linux-integrity, Mimi Zohar

> On Wed, 22 Sep 2021 13:53:10 +0200
> Petr Vorel <pvorel@suse.cz> wrote:

> > From: Alex Henrie <alexh@vpitech.com>

> > Requires "ima: add gid support".

> > Reviewed-by: Petr Vorel <pvorel@suse.cz>
> > Signed-off-by: Alex Henrie <alexh@vpitech.com>
> > [ pvorel: add test_file parameter to ima_check(), add
> > verify_measurement() (DRY) ]
> > Signed-off-by: Petr Vorel <pvorel@suse.cz>

> Thanks Petr for taking over and making the changes you want directly,
> that makes my life much easier.
yw. FYI I'll merge v7 after it's merged into mainline, I expect it'll be in v5.16-rc1.
Could you please notify me if I forget?

I'll try to have a look into the kernel patch itself.

Kind regards,
Petr

> -Alex

