From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: Petr Vorel <pvorel@suse.cz>, ltp@lists.linux.it
Cc: linux-integrity@vger.kernel.org
Subject: Re: [RFC PATCH v3 01/10] security/ima: Rewrite tests into new API + fixes
Date: Fri, 27 Apr 2018 10:13:15 -0400 [thread overview]
Message-ID: <1524838395.3416.65.camel@linux.vnet.ibm.com> (raw)
In-Reply-To: <20180419195503.7194-2-pvorel@suse.cz>
On Thu, 2018-04-19 at 21:54 +0200, Petr Vorel wrote:
> -# Function: test02
> -# Description - Verify modifying, then reading, a file causes a new
> -# measurement to be added to the IMA measurement list.
> -test02()
> +ima_check()
> {
> - # Modify test.txt
> - echo $(date) - file modified >> test.txt
> + local digest="$DEFAULT_DIGEST_OLD_FORMAT"
> + local hash expected_hash line
> +
> + # need to read file to get updated $ASCII_MEASUREMENTS
> + cat $TEST_FILE > /dev/null
> +
> + line="$(grep $TEST_FILE $ASCII_MEASUREMENTS | tail -1)"
> + [ -n "$line" ] || tst_res TFAIL "cannot find measurement for '$TEST_FILE'"
>
> - # Calculating the sha1sum of test.txt should add
> - # the new measurement to the measurement list
> - hash=$(sha1sum test.txt | sed 's/ -//')
> + [ "$DIGEST_INDEX" ] && digest="$(echo "$line" | awk '{print $(NF-'$DIGEST_INDEX')}' | cut -d ':' -f 1)"
> + hash="$(echo "$line" | awk '{print $(NF-1)}' | cut -d ':' -f 2)"
With the "ima-sig" template, with a measurement that does not contain
the signature, this works fine. There's a problem with lines
containing the signature.
Sample ima-sig template measurements with/without the signature:
line="10 ee788468d1b416a394feb9f4e5650302d9cd5574 ima-sig sha256:866c2542efd5c7528591eb3bb2861a1994a655da47732ccf28f7f4b1ce42d564 /usr/lib64/libpam.so.0.84.1"
line="10 d3afb4df5fe42485b99677f4b68a04692977b4bc ima-sig sha256:7b85508c9181670fe169935310b8c95d7c2573f0318a70cecd12868569aab891 /etc/profile.d/less.sh 0302046e6c104601008bd533707b34a9e896d3d530a88e9af517fb7e8cf79e9e55064a577fcbcdb81236ede6fec0638d357e4c2ed9b261320f8789378d1e58af8e1c6f40ebdf080759be2c633b27bc8aed85af0620fa27700c68fdf31d33b2f9e36432a1e7d7eb8dbf20b9474d332deb9697767ee13e13c116544a843b54fce842d24ea485bb41f6f7b1e9fa3faed0c591f5243cee008b9499e48064141662d3c4d002b07448ae54dc8d8674437143d73c4e34f5b416300ba890dc391eae9e5b1e89190790d0ea77d1dc57e07dae9ca003294a36fda09c31f8afa347701bfcf5aed0fda9cf7a37f734ba80fc10f2d60409f0beba532f3e5cc15ae995128e466b20fdadef789e285519"
>
> - # Check if the new measurement exists
> - cat /sys/kernel/security/ima/ascii_runtime_measurements > measurements
> - $(grep $hash measurements > /dev/null)
> + tst_res TINFO "computing hash for $digest digest"
> + expected_hash="$(compute_hash $digest $TEST_FILE)" || \
> + { tst_res TCONF "cannot compute hash for '$digest' digest"; return; }
>
> - if [ $? -ne 0 ]; then
> - tst_resm TFAIL "Modified file not measured"
> - tst_resm TINFO "iversion not supported; or not mounted with iversion"
> + if [ "$hash" = "$expected_hash" ]; then
> + tst_res TPASS "correct hash found"
> else
> - tst_resm TPASS "Modified file measured"
> + tst_res TFAIL "hash not found"
> fi
> }
>
WARNING: multiple messages have this Message-ID (diff)
From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: ltp@lists.linux.it
Subject: [LTP] [RFC PATCH v3 01/10] security/ima: Rewrite tests into new API + fixes
Date: Fri, 27 Apr 2018 10:13:15 -0400 [thread overview]
Message-ID: <1524838395.3416.65.camel@linux.vnet.ibm.com> (raw)
In-Reply-To: <20180419195503.7194-2-pvorel@suse.cz>
On Thu, 2018-04-19 at 21:54 +0200, Petr Vorel wrote:
> -# Function: test02
> -# Description - Verify modifying, then reading, a file causes a new
> -# measurement to be added to the IMA measurement list.
> -test02()
> +ima_check()
> {
> - # Modify test.txt
> - echo $(date) - file modified >> test.txt
> + local digest="$DEFAULT_DIGEST_OLD_FORMAT"
> + local hash expected_hash line
> +
> + # need to read file to get updated $ASCII_MEASUREMENTS
> + cat $TEST_FILE > /dev/null
> +
> + line="$(grep $TEST_FILE $ASCII_MEASUREMENTS | tail -1)"
> + [ -n "$line" ] || tst_res TFAIL "cannot find measurement for '$TEST_FILE'"
>
> - # Calculating the sha1sum of test.txt should add
> - # the new measurement to the measurement list
> - hash=$(sha1sum test.txt | sed 's/ -//')
> + [ "$DIGEST_INDEX" ] && digest="$(echo "$line" | awk '{print $(NF-'$DIGEST_INDEX')}' | cut -d ':' -f 1)"
> + hash="$(echo "$line" | awk '{print $(NF-1)}' | cut -d ':' -f 2)"
With the "ima-sig" template, with a measurement that does not contain
the signature, this works fine. Â There's a problem with lines
containing the signature.
Sample ima-sig template measurements with/without the signature:
line="10 ee788468d1b416a394feb9f4e5650302d9cd5574 ima-sig sha256:866c2542efd5c7528591eb3bb2861a1994a655da47732ccf28f7f4b1ce42d564 /usr/lib64/libpam.so.0.84.1"
line="10 d3afb4df5fe42485b99677f4b68a04692977b4bc ima-sig sha256:7b85508c9181670fe169935310b8c95d7c2573f0318a70cecd12868569aab891 /etc/profile.d/less.sh 0302046e6c104601008bd533707b34a9e896d3d530a88e9af517fb7e8cf79e9e55064a577fcbcdb81236ede6fec0638d357e4c2ed9b261320f8789378d1e58af8e1c6f40ebdf080759be2c633b27bc8aed85af0620fa27700c68fdf31d33b2f9e36432a1e7d7eb8dbf20b9474d332deb9697767ee13e13c116544a843b54fce842d24ea485bb41f6f7b1e9fa3faed0c591f5243cee008b9499e48064141662d3c4d002b07448ae54dc8d8674437143d73c4e34f5b416300ba890dc391eae9e5b1e89190790d0ea77d1dc57e07dae9ca003294a36fda09c31f8afa347701bfcf5aed0fda9cf7a37f734ba80fc10f2d60409f0beba532f3e5cc15ae995128e466b20fdadef789e285519"
>
> - # Check if the new measurement exists
> - cat /sys/kernel/security/ima/ascii_runtime_measurements > measurements
> - $(grep $hash measurements > /dev/null)
> + tst_res TINFO "computing hash for $digest digest"
> + expected_hash="$(compute_hash $digest $TEST_FILE)" || \
> + { tst_res TCONF "cannot compute hash for '$digest' digest"; return; }
>
> - if [ $? -ne 0 ]; then
> - tst_resm TFAIL "Modified file not measured"
> - tst_resm TINFO "iversion not supported; or not mounted with iversion"
> + if [ "$hash" = "$expected_hash" ]; then
> + tst_res TPASS "correct hash found"
> else
> - tst_resm TPASS "Modified file measured"
> + tst_res TFAIL "hash not found"
> fi
> }
>
next prev parent reply other threads:[~2018-04-27 14:13 UTC|newest]
Thread overview: 48+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-04-19 19:54 [RFC PATCH v3 00/10] Rewrite tests into new API + fixes Petr Vorel
2018-04-19 19:54 ` [LTP] " Petr Vorel
2018-04-19 19:54 ` [RFC PATCH v3 01/10] security/ima: " Petr Vorel
2018-04-19 19:54 ` [LTP] " Petr Vorel
2018-04-27 14:13 ` Mimi Zohar [this message]
2018-04-27 14:13 ` Mimi Zohar
2018-04-28 15:09 ` Petr Vorel
2018-04-28 15:09 ` [LTP] " Petr Vorel
2018-04-19 19:54 ` [RFC PATCH v3 02/10] security/ima: Change order of tests Petr Vorel
2018-04-19 19:54 ` [LTP] " Petr Vorel
2018-04-24 18:09 ` Petr Vorel
2018-04-26 14:32 ` Mimi Zohar
2018-04-26 16:20 ` Mimi Zohar
2018-04-27 0:03 ` Petr Vorel
2018-04-19 19:54 ` [RFC PATCH v3 03/10] ima/ima_policy.sh: Improve check of policy writability Petr Vorel
2018-04-19 19:54 ` [LTP] " Petr Vorel
2018-04-19 19:54 ` [RFC PATCH v3 04/10] ima/ima_policy.sh: Load whole policy with cat Petr Vorel
2018-04-19 19:54 ` [LTP] " Petr Vorel
2018-04-19 19:54 ` [RFC PATCH v3 05/10] ima/ima_boot_aggregate: Increase MAX_EVENT_SIZE to 1MB Petr Vorel
2018-04-19 19:54 ` [LTP] " Petr Vorel
2018-04-20 11:02 ` Cyril Hrubis
2018-04-20 11:02 ` Cyril Hrubis
2018-04-19 19:54 ` [RFC PATCH v3 06/10] ima/tpm.sh: Use evmctl + other fixes Petr Vorel
2018-04-19 19:54 ` [LTP] " Petr Vorel
2018-04-19 19:55 ` [RFC PATCH v3 07/10] ima/ima_mmap: Reduce sleep + log it Petr Vorel
2018-04-19 19:55 ` [LTP] " Petr Vorel
2018-04-20 11:36 ` Cyril Hrubis
2018-04-20 11:36 ` Cyril Hrubis
2018-04-19 19:55 ` [RFC PATCH v3 08/10] ima/{ima_measurements,ima_violations}.sh: Avoid running on tmpfs Petr Vorel
2018-04-19 19:55 ` [LTP] [RFC PATCH v3 08/10] ima/{ima_measurements, ima_violations}.sh: " Petr Vorel
2018-04-19 19:55 ` [RFC PATCH v3 09/10] ima: CRYPTO_LIBS are needed only for ima_boot_aggregate Petr Vorel
2018-04-19 19:55 ` [LTP] " Petr Vorel
2018-04-19 19:55 ` [RFC PATCH v3 10/10] ima/ima_mmap: Rewrite to new library Petr Vorel
2018-04-19 19:55 ` [LTP] " Petr Vorel
2018-04-20 11:42 ` Cyril Hrubis
2018-04-20 11:42 ` Cyril Hrubis
2018-04-26 16:18 ` [RFC PATCH v3 00/10] Rewrite tests into new API + fixes Mimi Zohar
2018-04-26 16:18 ` [LTP] " Mimi Zohar
2018-04-27 9:32 ` Petr Vorel
2018-04-27 9:32 ` [LTP] " Petr Vorel
2018-04-27 9:51 ` Petr Vorel
2018-04-27 9:51 ` Petr Vorel
2018-04-27 11:26 ` Mimi Zohar
2018-04-27 11:26 ` Mimi Zohar
2018-04-27 12:05 ` Mimi Zohar
2018-04-27 12:05 ` Mimi Zohar
2018-04-27 12:51 ` Petr Vorel
2018-04-27 12:51 ` Petr Vorel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1524838395.3416.65.camel@linux.vnet.ibm.com \
--to=zohar@linux.vnet.ibm.com \
--cc=linux-integrity@vger.kernel.org \
--cc=ltp@lists.linux.it \
--cc=pvorel@suse.cz \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.