From: Petr Vorel <pvorel@suse.cz>
To: ltp@lists.linux.it
Cc: Petr Vorel <pvorel@suse.cz>,
Mimi Zohar <zohar@linux.vnet.ibm.com>,
Ignaz Forster <iforster@suse.de>,
linux-integrity@vger.kernel.org, Mimi Zohar <zohar@linux.ibm.com>
Subject: [PATCH v4 4/4] ima: Add overlay test + doc
Date: Thu, 13 Jun 2019 18:14:14 +0200 [thread overview]
Message-ID: <20190613161414.29161-5-pvorel@suse.cz> (raw)
In-Reply-To: <20190613161414.29161-1-pvorel@suse.cz>
test demonstrate a bug on overlayfs on current mainline kernel when
combining IMA with EVM.
Based on reproducer made by Ignaz Forster <iforster@suse.de>
used for not upstreamed patchset [1] and previous report [2].
IMA only behavior has already been fixed [3].
NOTE: backup variables are needed because ima_setup.sh calling
tst_mount as well when TMPDIR is on tmpfs device.
Documentation is based on Ignaz Forster instructions for openSUSE [4].
[1] https://www.spinics.net/lists/linux-integrity/msg05926.html
[2] https://www.spinics.net/lists/linux-integrity/msg03593.html
[3] https://patchwork.kernel.org/patch/10776231/
[4] http://lists.linux.it/pipermail/ltp/2019-May/011956.html
Tested-by: Ignaz Forster <iforster@suse.de>
Acked-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
runtest/ima | 1 +
.../security/integrity/ima/tests/README.md | 83 +++++++++++++++++
.../integrity/ima/tests/evm_overlay.sh | 93 +++++++++++++++++++
.../security/integrity/ima/tests/ima_setup.sh | 4 +-
4 files changed, 179 insertions(+), 2 deletions(-)
create mode 100644 testcases/kernel/security/integrity/ima/tests/README.md
create mode 100755 testcases/kernel/security/integrity/ima/tests/evm_overlay.sh
diff --git a/runtest/ima b/runtest/ima
index bcae16bb7..f3ea88cf0 100644
--- a/runtest/ima
+++ b/runtest/ima
@@ -3,3 +3,4 @@ ima_measurements ima_measurements.sh
ima_policy ima_policy.sh
ima_tpm ima_tpm.sh
ima_violations ima_violations.sh
+evm_overlay evm_overlay.sh
diff --git a/testcases/kernel/security/integrity/ima/tests/README.md b/testcases/kernel/security/integrity/ima/tests/README.md
new file mode 100644
index 000000000..961b68a38
--- /dev/null
+++ b/testcases/kernel/security/integrity/ima/tests/README.md
@@ -0,0 +1,83 @@
+IMA + EVM testing
+=================
+
+IMA tests
+---------
+
+`ima_measurements.sh` require builtin IMA tcb policy to be loaded
+(`ima_policy=tcb` or `ima_policy=appraise_tcb` kernel parameter).
+Although custom policy which contains which may contain the equivalent
+measurement tcb rules can be loaded via dracut, systemd or later manually
+from user space, detecting it would require `IMA_READ_POLICY=y` therefore
+ignore this option.
+
+Mandatory kernel configuration for IMA:
+```
+CONFIG_INTEGRITY=y
+CONFIG_IMA=y
+```
+
+EVM tests
+---------
+
+`evm_overlay.sh` requires to builtin IMA appraise tcb policy (e.g. `ima_policy=appraise_tcb`
+kernel parameter) which appraises the integrity of all files owned by root and EVM setup.
+Again, for simplicity ignore possibility to load reuired rules via custom policy.
+
+Mandatory kernel configuration for IMA & EVM:
+```
+CONFIG_INTEGRITY=y
+CONFIG_INTEGRITY_SIGNATURE=y
+CONFIG_IMA=y
+CONFIG_IMA_APPRAISE=y
+CONFIG_EVM=y
+CONFIG_KEYS=y
+CONFIG_TRUSTED_KEYS=y
+CONFIG_ENCRYPTED_KEYS=y
+```
+
+Example of installing IMA + EVM on openSUSE:
+
+* Boot install system with `ima_policy=appraise_tcb ima_appraise=fix evm=fix` kernel parameters
+ (for IMA measurement, IMA appraisal and EVM protection)
+* Proceed with installation until summary screen, but do not start the installation yet
+* Select package `dracut-ima` (required for early boot EVM support) for installation
+ (Debian based distros already contain IMA + EVM support in `dracut` package)
+* Change to a console window and run commands to generate keys required by EVM:
+```
+# mkdir /etc/keys
+# user_key=$(keyctl add user kmk-user "`dd if=/dev/urandom bs=1 count=32 2>/dev/null`" @u)
+# keyctl pipe "$user_key" > /etc/keys/kmk-user.blob
+# evm_key=$(keyctl add encrypted evm-key "new user:kmk-user 64" @u)
+# keyctl pipe "$evm_key" >/etc/keys/evm.blob
+# cat <<END >/etc/sysconfig/masterkey
+MASTERKEYTYPE="user"
+MASTERKEY="/etc/keys/kmk-user.blob"
+END
+# cat <<END >/etc/sysconfig/evm
+EVMKEY="/etc/keys/evm.blob"
+END
+# mount -t securityfs security /sys/kernel/security
+# echo 1 >/sys/kernel/security/evm
+```
+
+* Go back to the installation summary screen and start the installation
+* During the installation execute the following commands from the console:
+```
+# cp -r /etc/keys /mnt/etc/ # Debian based distributions: use /target instead of /mnt
+# cp /etc/sysconfig/{evm,masterkey} /mnt/etc/sysconfig/
+```
+
+This should work on any distribution using dracut.
+Loading EVM keys is also possible with initramfs-tools (Debian based distributions).
+
+Of course it's possible to install OS usual way, add keys later and fix missing xattrs with:
+```
+evmctl -r ima_fix /
+```
+
+or with `find` if evmctl not available:
+```
+find / \( -fstype rootfs -o -fstype ext4 -o -fstype btrfs -o -fstype xfs \) -exec sh -c "< '{}'" \;
+```
+Again, fixing requires `ima_policy=appraise_tcb ima_appraise=fix evm=fix` kernel parameters.
diff --git a/testcases/kernel/security/integrity/ima/tests/evm_overlay.sh b/testcases/kernel/security/integrity/ima/tests/evm_overlay.sh
new file mode 100755
index 000000000..024b03917
--- /dev/null
+++ b/testcases/kernel/security/integrity/ima/tests/evm_overlay.sh
@@ -0,0 +1,93 @@
+#!/bin/sh
+# Copyright (c) 2019 Petr Vorel <pvorel@suse.cz>
+# Based on reproducer and further discussion with Ignaz Forster <iforster@suse.de>
+# Reproducer for not upstreamed patchset [1] and previous report [2].
+# [1] https://www.spinics.net/lists/linux-integrity/msg05926.html
+# [2] https://www.spinics.net/lists/linux-integrity/msg03593.html
+
+TST_SETUP="setup"
+TST_CLEANUP="cleanup"
+TST_NEEDS_DEVICE=1
+TST_CNT=4
+. ima_setup.sh
+
+setup()
+{
+ EVM_FILE="/sys/kernel/security/evm"
+
+ [ -f "$EVM_FILE" ] || tst_brk TCONF "EVM not enabled in kernel"
+ [ $(cat $EVM_FILE) -eq 1 ] || tst_brk TCONF "EVM not enabled for this boot"
+
+ check_ima_policy "appraise_tcb"
+
+ lower="$TST_MNTPOINT/lower"
+ upper="$TST_MNTPOINT/upper"
+ work="$TST_MNTPOINT/work"
+ merged="$TST_MNTPOINT/merged"
+ mkdir -p $lower $upper $work $merged
+
+ device_backup="$TST_DEVICE"
+ TST_DEVICE="overlay"
+
+ fs_type_backup="$TST_FS_TYPE"
+ TST_FS_TYPE="overlay"
+
+ mntpoint_backup="$TST_MNTPOINT"
+ TST_MNTPOINT="$merged"
+
+ params_backup="$TST_MNT_PARAMS"
+ TST_MNT_PARAMS="-o lowerdir=$lower,upperdir=$upper,workdir=$work"
+
+ tst_mount
+ mounted=1
+}
+
+test1()
+{
+ local file="foo1.txt"
+
+ tst_res TINFO "overwrite file in overlay"
+ EXPECT_PASS echo lower \> $lower/$file
+ EXPECT_PASS echo overlay \> $merged/$file
+}
+
+test2()
+{
+ local file="foo2.txt"
+
+ tst_res TINFO "append file in overlay"
+ EXPECT_PASS echo lower \> $lower/$file
+ EXPECT_PASS echo overlay \>\> $merged/$file
+}
+
+test3()
+{
+ local file="foo3.txt"
+
+ tst_res TINFO "create a new file in overlay"
+ EXPECT_PASS echo overlay \> $merged/$file
+}
+
+test4()
+{
+ local f
+
+ tst_res TINFO "read all created files"
+ for f in $(find $TST_MNTPOINT -type f); do
+ EXPECT_PASS cat $f \> /dev/null 2\> /dev/null
+ done
+}
+
+cleanup()
+{
+ [ -n "$mounted" ] || return 0
+
+ tst_umount $TST_DEVICE
+
+ TST_DEVICE="$device_backup"
+ TST_FS_TYPE="$fs_type_backup"
+ TST_MNTPOINT="$mntpoint_backup"
+ TST_MNT_PARAMS="$params_backup"
+}
+
+tst_run
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
index 606034fec..529b77529 100644
--- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
@@ -66,14 +66,14 @@ print_ima_config()
local config="/boot/config-$(uname -r)"
local i
- tst_res TINFO "/proc/cmdline: $(cat /proc/cmdline)"
-
if [ -r "$config" ]; then
tst_res TINFO "IMA kernel config:"
for i in $(grep ^CONFIG_IMA $config); do
tst_res TINFO "$i"
done
fi
+
+ tst_res TINFO "/proc/cmdline: $(cat /proc/cmdline)"
}
ima_setup()
--
2.21.0
WARNING: multiple messages have this Message-ID (diff)
From: Petr Vorel <pvorel@suse.cz>
To: ltp@lists.linux.it
Subject: [LTP] [PATCH v4 4/4] ima: Add overlay test + doc
Date: Thu, 13 Jun 2019 18:14:14 +0200 [thread overview]
Message-ID: <20190613161414.29161-5-pvorel@suse.cz> (raw)
In-Reply-To: <20190613161414.29161-1-pvorel@suse.cz>
test demonstrate a bug on overlayfs on current mainline kernel when
combining IMA with EVM.
Based on reproducer made by Ignaz Forster <iforster@suse.de>
used for not upstreamed patchset [1] and previous report [2].
IMA only behavior has already been fixed [3].
NOTE: backup variables are needed because ima_setup.sh calling
tst_mount as well when TMPDIR is on tmpfs device.
Documentation is based on Ignaz Forster instructions for openSUSE [4].
[1] https://www.spinics.net/lists/linux-integrity/msg05926.html
[2] https://www.spinics.net/lists/linux-integrity/msg03593.html
[3] https://patchwork.kernel.org/patch/10776231/
[4] http://lists.linux.it/pipermail/ltp/2019-May/011956.html
Tested-by: Ignaz Forster <iforster@suse.de>
Acked-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
runtest/ima | 1 +
.../security/integrity/ima/tests/README.md | 83 +++++++++++++++++
.../integrity/ima/tests/evm_overlay.sh | 93 +++++++++++++++++++
.../security/integrity/ima/tests/ima_setup.sh | 4 +-
4 files changed, 179 insertions(+), 2 deletions(-)
create mode 100644 testcases/kernel/security/integrity/ima/tests/README.md
create mode 100755 testcases/kernel/security/integrity/ima/tests/evm_overlay.sh
diff --git a/runtest/ima b/runtest/ima
index bcae16bb7..f3ea88cf0 100644
--- a/runtest/ima
+++ b/runtest/ima
@@ -3,3 +3,4 @@ ima_measurements ima_measurements.sh
ima_policy ima_policy.sh
ima_tpm ima_tpm.sh
ima_violations ima_violations.sh
+evm_overlay evm_overlay.sh
diff --git a/testcases/kernel/security/integrity/ima/tests/README.md b/testcases/kernel/security/integrity/ima/tests/README.md
new file mode 100644
index 000000000..961b68a38
--- /dev/null
+++ b/testcases/kernel/security/integrity/ima/tests/README.md
@@ -0,0 +1,83 @@
+IMA + EVM testing
+=================
+
+IMA tests
+---------
+
+`ima_measurements.sh` require builtin IMA tcb policy to be loaded
+(`ima_policy=tcb` or `ima_policy=appraise_tcb` kernel parameter).
+Although custom policy which contains which may contain the equivalent
+measurement tcb rules can be loaded via dracut, systemd or later manually
+from user space, detecting it would require `IMA_READ_POLICY=y` therefore
+ignore this option.
+
+Mandatory kernel configuration for IMA:
+```
+CONFIG_INTEGRITY=y
+CONFIG_IMA=y
+```
+
+EVM tests
+---------
+
+`evm_overlay.sh` requires to builtin IMA appraise tcb policy (e.g. `ima_policy=appraise_tcb`
+kernel parameter) which appraises the integrity of all files owned by root and EVM setup.
+Again, for simplicity ignore possibility to load reuired rules via custom policy.
+
+Mandatory kernel configuration for IMA & EVM:
+```
+CONFIG_INTEGRITY=y
+CONFIG_INTEGRITY_SIGNATURE=y
+CONFIG_IMA=y
+CONFIG_IMA_APPRAISE=y
+CONFIG_EVM=y
+CONFIG_KEYS=y
+CONFIG_TRUSTED_KEYS=y
+CONFIG_ENCRYPTED_KEYS=y
+```
+
+Example of installing IMA + EVM on openSUSE:
+
+* Boot install system with `ima_policy=appraise_tcb ima_appraise=fix evm=fix` kernel parameters
+ (for IMA measurement, IMA appraisal and EVM protection)
+* Proceed with installation until summary screen, but do not start the installation yet
+* Select package `dracut-ima` (required for early boot EVM support) for installation
+ (Debian based distros already contain IMA + EVM support in `dracut` package)
+* Change to a console window and run commands to generate keys required by EVM:
+```
+# mkdir /etc/keys
+# user_key=$(keyctl add user kmk-user "`dd if=/dev/urandom bs=1 count=32 2>/dev/null`" @u)
+# keyctl pipe "$user_key" > /etc/keys/kmk-user.blob
+# evm_key=$(keyctl add encrypted evm-key "new user:kmk-user 64" @u)
+# keyctl pipe "$evm_key" >/etc/keys/evm.blob
+# cat <<END >/etc/sysconfig/masterkey
+MASTERKEYTYPE="user"
+MASTERKEY="/etc/keys/kmk-user.blob"
+END
+# cat <<END >/etc/sysconfig/evm
+EVMKEY="/etc/keys/evm.blob"
+END
+# mount -t securityfs security /sys/kernel/security
+# echo 1 >/sys/kernel/security/evm
+```
+
+* Go back to the installation summary screen and start the installation
+* During the installation execute the following commands from the console:
+```
+# cp -r /etc/keys /mnt/etc/ # Debian based distributions: use /target instead of /mnt
+# cp /etc/sysconfig/{evm,masterkey} /mnt/etc/sysconfig/
+```
+
+This should work on any distribution using dracut.
+Loading EVM keys is also possible with initramfs-tools (Debian based distributions).
+
+Of course it's possible to install OS usual way, add keys later and fix missing xattrs with:
+```
+evmctl -r ima_fix /
+```
+
+or with `find` if evmctl not available:
+```
+find / \( -fstype rootfs -o -fstype ext4 -o -fstype btrfs -o -fstype xfs \) -exec sh -c "< '{}'" \;
+```
+Again, fixing requires `ima_policy=appraise_tcb ima_appraise=fix evm=fix` kernel parameters.
diff --git a/testcases/kernel/security/integrity/ima/tests/evm_overlay.sh b/testcases/kernel/security/integrity/ima/tests/evm_overlay.sh
new file mode 100755
index 000000000..024b03917
--- /dev/null
+++ b/testcases/kernel/security/integrity/ima/tests/evm_overlay.sh
@@ -0,0 +1,93 @@
+#!/bin/sh
+# Copyright (c) 2019 Petr Vorel <pvorel@suse.cz>
+# Based on reproducer and further discussion with Ignaz Forster <iforster@suse.de>
+# Reproducer for not upstreamed patchset [1] and previous report [2].
+# [1] https://www.spinics.net/lists/linux-integrity/msg05926.html
+# [2] https://www.spinics.net/lists/linux-integrity/msg03593.html
+
+TST_SETUP="setup"
+TST_CLEANUP="cleanup"
+TST_NEEDS_DEVICE=1
+TST_CNT=4
+. ima_setup.sh
+
+setup()
+{
+ EVM_FILE="/sys/kernel/security/evm"
+
+ [ -f "$EVM_FILE" ] || tst_brk TCONF "EVM not enabled in kernel"
+ [ $(cat $EVM_FILE) -eq 1 ] || tst_brk TCONF "EVM not enabled for this boot"
+
+ check_ima_policy "appraise_tcb"
+
+ lower="$TST_MNTPOINT/lower"
+ upper="$TST_MNTPOINT/upper"
+ work="$TST_MNTPOINT/work"
+ merged="$TST_MNTPOINT/merged"
+ mkdir -p $lower $upper $work $merged
+
+ device_backup="$TST_DEVICE"
+ TST_DEVICE="overlay"
+
+ fs_type_backup="$TST_FS_TYPE"
+ TST_FS_TYPE="overlay"
+
+ mntpoint_backup="$TST_MNTPOINT"
+ TST_MNTPOINT="$merged"
+
+ params_backup="$TST_MNT_PARAMS"
+ TST_MNT_PARAMS="-o lowerdir=$lower,upperdir=$upper,workdir=$work"
+
+ tst_mount
+ mounted=1
+}
+
+test1()
+{
+ local file="foo1.txt"
+
+ tst_res TINFO "overwrite file in overlay"
+ EXPECT_PASS echo lower \> $lower/$file
+ EXPECT_PASS echo overlay \> $merged/$file
+}
+
+test2()
+{
+ local file="foo2.txt"
+
+ tst_res TINFO "append file in overlay"
+ EXPECT_PASS echo lower \> $lower/$file
+ EXPECT_PASS echo overlay \>\> $merged/$file
+}
+
+test3()
+{
+ local file="foo3.txt"
+
+ tst_res TINFO "create a new file in overlay"
+ EXPECT_PASS echo overlay \> $merged/$file
+}
+
+test4()
+{
+ local f
+
+ tst_res TINFO "read all created files"
+ for f in $(find $TST_MNTPOINT -type f); do
+ EXPECT_PASS cat $f \> /dev/null 2\> /dev/null
+ done
+}
+
+cleanup()
+{
+ [ -n "$mounted" ] || return 0
+
+ tst_umount $TST_DEVICE
+
+ TST_DEVICE="$device_backup"
+ TST_FS_TYPE="$fs_type_backup"
+ TST_MNTPOINT="$mntpoint_backup"
+ TST_MNT_PARAMS="$params_backup"
+}
+
+tst_run
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
index 606034fec..529b77529 100644
--- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
@@ -66,14 +66,14 @@ print_ima_config()
local config="/boot/config-$(uname -r)"
local i
- tst_res TINFO "/proc/cmdline: $(cat /proc/cmdline)"
-
if [ -r "$config" ]; then
tst_res TINFO "IMA kernel config:"
for i in $(grep ^CONFIG_IMA $config); do
tst_res TINFO "$i"
done
fi
+
+ tst_res TINFO "/proc/cmdline: $(cat /proc/cmdline)"
}
ima_setup()
--
2.21.0
next prev parent reply other threads:[~2019-06-13 16:14 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-06-13 16:14 [PATCH v4 0/4] LTP reproducer on broken IMA on overlayfs Petr Vorel
2019-06-13 16:14 ` [LTP] " Petr Vorel
2019-06-13 16:14 ` [PATCH v4 1/4] ima: Call test's cleanup inside ima_setup.sh cleanup Petr Vorel
2019-06-13 16:14 ` [LTP] " Petr Vorel
2019-06-13 16:14 ` [PATCH v4 2/4] shell: Add $TST_DEVICE as default parameter to tst_umount Petr Vorel
2019-06-13 16:14 ` [LTP] " Petr Vorel
2019-06-13 16:14 ` [PATCH v4 3/4] ima/ima_measurements.sh: Require builtin IMA tcb policy Petr Vorel
2019-06-13 16:14 ` [LTP] " Petr Vorel
2019-06-13 16:42 ` Ignaz Forster
2019-06-13 16:42 ` [LTP] " Ignaz Forster
2019-06-13 16:14 ` Petr Vorel [this message]
2019-06-13 16:14 ` [LTP] [PATCH v4 4/4] ima: Add overlay test + doc Petr Vorel
2019-06-13 17:00 ` Ignaz Forster
2019-06-13 17:00 ` [LTP] " Ignaz Forster
2019-06-14 14:14 ` Petr Vorel
2019-06-14 14:14 ` [LTP] " Petr Vorel
2019-06-14 14:37 ` Ignaz Forster
2019-06-14 14:37 ` [LTP] " Ignaz Forster
2019-06-14 14:46 ` Petr Vorel
2019-06-14 14:46 ` [LTP] " Petr Vorel
2019-06-18 13:59 ` Petr Vorel
2019-06-18 13:59 ` Petr Vorel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190613161414.29161-5-pvorel@suse.cz \
--to=pvorel@suse.cz \
--cc=iforster@suse.de \
--cc=linux-integrity@vger.kernel.org \
--cc=ltp@lists.linux.it \
--cc=zohar@linux.ibm.com \
--cc=zohar@linux.vnet.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.