[LTP] [PATCH 1/1] ima/ima_measurements.sh: Improve digest and algorithm detection

[Mimi Zohar <zohar@linux.vnet.ibm.com>]

Hi Petr,

On Mon, 2018-04-30 at 19:33 +0200, Petr Vorel wrote:
> Previous detection didn't work for 'ima-sig' template descriptor in case
> where measurement line contained signature (worked for record without
> signature). Problem was caused by using index from the end of the
> record [1]:
> Sample ima-sig template measurements with/without the signature:
> line="10 ee788468d1b416a394feb9f4e5650302d9cd5574 ima-sig sha256:866c2542efd5c7528591eb3bb2861a1994a655da47732ccf28f7f4b1ce42d564 /usr/lib64/libpam.so.0.84.1"
> 
> line="10 d3afb4df5fe42485b99677f4b68a04692977b4bc ima-sig sha256:7b85508c9181670fe169935310b8c95d7c2573f0318a70cecd12868569aab891 /etc/profile.d/less.sh 0302046e6c104601008bd533707b34a9e896d3d530a88e9af517fb7e8cf79e9e55064a577fcbcdb81236ede6fec0638d357e4c2ed9b261320f8789378d1e58af8e1c6f40ebdf080759be2c633b27bc8aed85af0620fa27700c68fdf31d33b2f9e36432a1e7d7eb8dbf20b9474d332deb9697767ee13e13c116544a843b54fce842d24ea485bb41f6f7b1e9fa3faed0c591f5243cee008b9499e48064141662d3c4d002b07448ae54dc8d8674437143d73c4e34f5b416300ba890dc391eae9e5b1e89190790d0ea77d1dc57e07dae9ca003294a36fda09c31f8afa347701bfcf5aed0fda9cf7a37f734ba80fc10f2d60409f0beba532f3e5cc15ae995128e466b20fdadef789e285519"
> 
> Detection also fails when used non-standard order of template fields
> configured via ima_template_fmt kernel parameter.
> 
> Don't assume sha1 as default algorithm for old IMA format ('ima'
> template descriptor) and determine it from digest length (these can be
> only md5 or sha1 [2]).
> 
> Other minor changes
> * rename variables:
>   s/digest/algorithm/
>   s/hash/digest/
> * introduce cut dependency (ima-sig template with no signature use empty
>   space instead of it)
> * code cleanup
> 
> [1] https://lists.linux.it/pipermail/ltp/2018-April/007930.html
> [2] https://www.kernel.org/doc/html/latest/security/IMA-templates.html#use
> 

Sorry for the long delay.  The patch looks good!

thanks,

Mimi

> Signed-off-by: Petr Vorel <pvorel@suse.cz>
> Reported-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
> ---
>  .../integrity/ima/tests/ima_measurements.sh        | 108 ++++++++++++++++-----
>  1 file changed, 83 insertions(+), 25 deletions(-)
> 
> diff --git a/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh b/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh
> index 88eabd2a3..80fbf627a 100755
> --- a/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh
> +++ b/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh
> @@ -19,7 +19,7 @@
>  #
>  # Verify that measurements are added to the measurement list based on policy.
> 
> -TST_NEEDS_CMDS="awk"
> +TST_NEEDS_CMDS="awk cut"
>  TST_SETUP="setup"
>  TST_CNT=3
>  TST_NEEDS_DEVICE=1
> @@ -28,64 +28,122 @@ TST_NEEDS_DEVICE=1
> 
>  setup()
>  {
> -	DEFAULT_DIGEST_OLD_FORMAT="sha1"
>  	TEST_FILE="$PWD/test.txt"
> 
>  	POLICY="$IMA_DIR/policy"
>  	[ -f "$POLICY" ] || tst_res TINFO "not using default policy"
> 
>  	DIGEST_INDEX=
> -	grep -q "ima-ng" $ASCII_MEASUREMENTS && DIGEST_INDEX=1
> -	grep -q "ima-sig" $ASCII_MEASUREMENTS && DIGEST_INDEX=2
> +
> +	local template="$(tail -1 $ASCII_MEASUREMENTS | cut -d' ' -f 3)"
> +	local i
> +
> +	# https://www.kernel.org/doc/html/latest/security/IMA-templates.html#use
> +	case "$template" in
> +	ima|ima-ng|ima-sig) DIGEST_INDEX=4 ;;
> +	*)
> +		# using ima_template_fmt kernel parameter
> +		local IFS="|"
> +		i=4
> +		for word in $template; do
> +			if [ "$word" = 'd' -o "$word" = 'd-ng' ]; then
> +				DIGEST_INDEX=$i
> +				break
> +			fi
> +			i=$((i+1))
> +		done
> +	esac
> +
> +	[ -z "$DIGEST_INDEX" ] && tst_brk TCONF \
> +		"Cannot find digest index (template: '$template')"
> 
>  	tst_res TINFO "IMA measurement tests assume tcb policy to be loaded (ima_policy=tbc)"
>  }
> 
>  # TODO: find support for rmd128 rmd256 rmd320 wp256 wp384 tgr128 tgr160
> -compute_hash()
> +compute_digest()
>  {
> -	local digest="$1"
> +	local algorithm="$1"
>  	local file="$2"
> +	local digest
> 
> -	hash="$(${digest}sum $file 2>/dev/null | cut -f1 -d ' ')"
> -	[ -n "$hash" ] && { echo $hash; return; }
> +	digest="$(${algorithm}sum $file 2>/dev/null | cut -f1 -d ' ')"
> +	if [ -n "$digest" ]; then
> +		echo "$digest"
> +		return 0
> +	fi
> 
> -	hash="$(openssl $digest $file 2>/dev/null | cut -f2 -d ' ')"
> -	[ -n "$hash" ] && { echo $hash; return; }
> +	digest="$(openssl $algorithm $file 2>/dev/null | cut -f2 -d ' ')"
> +	if [ -n "$digest" ]; then
> +		echo "$digest"
> +		return 0
> +	fi
> 
>  	# uncommon ciphers
> -	local arg="$digest"
> -	case "$digest" in
> +	local arg="$algorithm"
> +	case "$algorithm" in
>  	tgr192) arg="tiger" ;;
>  	wp512) arg="whirlpool" ;;
>  	esac
> 
> -	hash="$(rhash --$arg $file 2>/dev/null | cut -f1 -d ' ')"
> -	[ -n "$hash" ] && { echo $hash; return; }
> +	digest="$(rdigest --$arg $file 2>/dev/null | cut -f1 -d ' ')"
> +	if [ -n "$digest" ]; then
> +		echo "$digest"
> +		return 0
> +	fi
> +	return 1
>  }
> 
>  ima_check()
>  {
> -	local digest="$DEFAULT_DIGEST_OLD_FORMAT"
> -	local hash expected_hash line
> +	local delimiter=':'
> +	local algorithm digest expected_digest line
> 
>  	# need to read file to get updated $ASCII_MEASUREMENTS
>  	cat $TEST_FILE > /dev/null
> 
>  	line="$(grep $TEST_FILE $ASCII_MEASUREMENTS | tail -1)"
> -	[ -n "$line" ] || tst_res TFAIL "cannot find measurement for '$TEST_FILE'"
> +	if [ -z "$line" ]; then
> +		tst_res TBROK "cannot find measurement record for '$TEST_FILE'"
> +		return
> +	fi
> +	tst_res TINFO "measurement record: '$line'"
> 
> -	[ "$DIGEST_INDEX" ] && digest="$(echo "$line" | awk '{print $(NF-'$DIGEST_INDEX')}' | cut -d ':' -f 1)"
> -	hash="$(echo "$line" | awk '{print $(NF-1)}' | cut -d ':' -f 2)"
> +	digest=$(echo "$line" | cut -d' ' -f $DIGEST_INDEX)
> +	if [ -z "$digest" ]; then
> +		tst_res TBROK "cannot find digest (index: $DIGEST_INDEX)"
> +		return
> +	fi
> +
> +	if [ "${digest#*$delimiter}" != "$digest" ]; then
> +		algorithm=$(echo "$digest" | cut -d $delimiter -f 1)
> +		digest=$(echo "$digest" | cut -d $delimiter -f 2)
> +	else
> +		case "${#digest}" in
> +		32) algorithm="md5" ;;
> +		40) algorithm="sha1" ;;
> +		*)
> +			tst_res TBROK "algorithm must be either md5 or sha1 (digest: '$digest')"
> +			return ;;
> +		esac
> +	fi
> +	if [ -z "$algorithm" ]; then
> +		tst_res TBROK "cannot find algorithm"
> +		return
> +	fi
> +	if [ -z "$digest" ]; then
> +		tst_res TBROK "cannot find digest"
> +		return
> +	fi
> 
> -	tst_res TINFO "computing hash for $digest digest"
> -	expected_hash="$(compute_hash $digest $TEST_FILE)" || \
> -		{ tst_res TCONF "cannot compute hash for '$digest' digest"; return; }
> +	tst_res TINFO "computing digest for $algorithm algorithm"
> +	expected_digest="$(compute_digest $algorithm $TEST_FILE)" || \
> +		tst_brk TCONF "cannot compute digest for $algorithm algorithm"
> 
> -	if [ "$hash" = "$expected_hash" ]; then
> -		tst_res TPASS "correct hash found"
> +	if [ "$digest" = "$expected_digest" ]; then
> +		tst_res TPASS "correct digest found"
>  	else
> -		tst_res TFAIL "hash not found"
> +		tst_res TFAIL "digest not found"
>  	fi
>  }
>