From: Mimi Zohar <zohar@linux.ibm.com>
To: Petr Vorel <pvorel@suse.cz>,
Mimi Zohar <zohar@linux.vnet.ibm.com>,
Ignaz Forster <iforster@suse.de>
Cc: Fabian Vogt <FVogt@suse.com>, Marcus Meissner <meissner@suse.com>,
linux-integrity@vger.kernel.org, ltp@lists.linux.it
Subject: Re: [PATCH v2 0/3] LTP reproducer on broken IMA on overlayfs
Date: Tue, 14 May 2019 23:01:19 -0400
Message-ID: <1557889279.4581.14.camel@linux.ibm.com>
In-Reply-To: <20190514121213.GA28655@dell5510>
On Tue, 2019-05-14 at 14:12 +0200, Petr Vorel wrote:
> Hi Mimi, Ignaz,
>
> Mimi, could you please have a second look at this [4] patchset? We've had a
> discussion about the second patch [5], I can drop it if you don't like it, but
> that's not the main concern about this test. More important is whether the
> testcase looks valid to you. It's about overlayfs broken in IMA+EVM,
> which is currently broken on mainline.
The first two patches are fine. From the test, I'm seeing the
following results:
evm_overlay 1 TINFO: overwrite file in overlay
tst_rod: Failed to open '(null)' for writing: Operation not permitted
evm_overlay 1 TFAIL: echo overlay > mntpoint/merged/foo1.txt failed unexpectedly
evm_overlay 2 TINFO: append file in overlay: mntpoint/lower/foo2.txt
evm_overlay 2 TPASS: echo overlay >> mntpoint/merged/foo2.txt passed as expected
evm_overlay 3 TINFO: create a new file in overlay
evm_overlay 3 TPASS: echo overlay > mntpoint/merged/foo3.txt passed as expected
evm_overlay 4 TINFO: read all created files
evm_overlay 4 TFAIL: cat mntpoint/merged/foo1.txt > /dev/null 2> /dev/null failed unexpectedly
evm_overlay 4 TFAIL: cat mntpoint/merged/foo2.txt > /dev/null 2> /dev/null failed unexpectedly
evm_overlay 4 TFAIL: cat mntpoint/merged/foo3.txt > /dev/null 2> /dev/null failed unexpectedly
evm_overlay 5 TINFO: SELinux enabled in enforcing mode, this may affect test results
evm_overlay 5 TINFO: You can try to disable it with TST_DISABLE_SELINUX=1 (requires super/root)
evm_overlay 5 TINFO: loaded SELinux profiles: none
With "evm: instead of using the overlayfs i_ino, use the real i_ino"
patch, I'm only seeing the first failure.
Mimi
> There is a different reproducer (C code) for a slightly different scenario,
> but I'm not going to port it before this gets merged.
>
> Ignaz, could you please test this patchset? Could you please share your setup?
> ima_policy=appraise_tcb kernel parameter and loading IMA and EVM keys over
> dracut-ima scripts? (IMA appraisal and EVM using digital signatures? I guess
> using hashes for IMA appraisal would work as well).
>
> Kind regards,
> Petr
>
> > this is the second version of a patch demonstrating a bug on overlayfs when
> > combining IMA with EVM. There is ongoing work by Ignaz Forster and
> > Fabian Vogt [1] [2]; the IMA-only behavior was already fixed [3].
> >
> > The main patch is the last one (the previous ones are just cleanup and unchanged).
>
> > [1] https://www.spinics.net/lists/linux-integrity/msg05926.html
> > [2] https://www.spinics.net/lists/linux-integrity/msg03593.html
> > [3] https://patchwork.kernel.org/patch/10776231/
>
> [4] https://patchwork.ozlabs.org/project/ltp/list/?series=101213&state=*
> [5] https://patchwork.ozlabs.org/patch/1078553/
>