* Question about the available tests for IMA apprise
@ 2021-04-02 0:12 Fan Wu
2021-04-08 18:34 ` Mimi Zohar
0 siblings, 1 reply; 2+ messages in thread
From: Fan Wu @ 2021-04-02 0:12 UTC (permalink / raw)
To: pvorel; +Cc: linux-integrity
Hello,
We are trying to extend the IMA apprise action. To prevent breaking the
system, we want to collect existing apprise-related tests, but I find
there are not many tests related in the LTP project.
As far as I am aware, only evm_overlay and kexec tests are testing with
a policy that contains a apprise rule. But they do not test the file
execution (exec/mmap/mproject syscalls with various args) we are
focusing on.
I am wondering, are all available tests in the LTP? Also, I am looking
for suggestions for testing apprise.
Thanks.
Fan
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: Question about the available tests for IMA apprise
2021-04-02 0:12 Question about the available tests for IMA apprise Fan Wu
@ 2021-04-08 18:34 ` Mimi Zohar
0 siblings, 0 replies; 2+ messages in thread
From: Mimi Zohar @ 2021-04-08 18:34 UTC (permalink / raw)
To: Fan Wu, pvorel; +Cc: linux-integrity
On Thu, 2021-04-01 at 17:12 -0700, Fan Wu wrote:
> Hello,
>
> We are trying to extend the IMA apprise action. To prevent breaking the
> system, we want to collect existing apprise-related tests, but I find
> there are not many tests related in the LTP project.
>
> As far as I am aware, only evm_overlay and kexec tests are testing with
> a policy that contains a apprise rule. But they do not test the file
> execution (exec/mmap/mproject syscalls with various args) we are
> focusing on.
>
> I am wondering, are all available tests in the LTP? Also, I am looking
> for suggestions for testing apprise.
Right. By "appraise", I assume you mean signed files. Until file data
and metadata are distributed together, the public key is loaded onto
the IMA keyring, and an appropriate IMA policy is loaded, generic
"appraise" testing is kind of difficult.
Distro kernel images is an exception as they are signed, the associated
public key may be loaded on the platform keyring, and the IMA arch
specific policies define IMA policy rules that require the kernel image
to be signed, with all of this in place there are kexec tests.
Once Nayna's "ima: kernel build support for loading the kernel module
signing key" patch set, generic kernel module tests could be written as
well.
In general, if additional IMA appraise policy rules need to be loaded,
they need to be limited to the test environment to avoid affecting the
running system. For example, both LTP and bpf IMA policy rules are
limited to the loopback mounted filesystems.
If you know how to generically solve the above requirements, adding
additional "appraise" tests would be very welcome.
thanks,
Mimi
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2021-04-08 18:34 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-04-02 0:12 Question about the available tests for IMA apprise Fan Wu
2021-04-08 18:34 ` Mimi Zohar
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).