From: Petr Vorel <pvorel@suse.cz>
To: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
Cc: Mimi Zohar <zohar@linux.ibm.com>,
ltp@lists.linux.it, linux-integrity@vger.kernel.org
Subject: Re: [PATCH v3 0/4] IMA: verify measurement of certificate imported into a keyring
Date: Mon, 17 Aug 2020 22:39:50 +0200 [thread overview]
Message-ID: <20200817203950.GA121577@x230> (raw)
In-Reply-To: <cdf45ba0-287b-8fa1-d067-1c6c4f386939@linux.microsoft.com>
> On 8/17/20 12:18 PM, Mimi Zohar wrote:
> > On Mon, 2020-08-17 at 15:09 +0200, Petr Vorel wrote:
> > > Hi Mimi, Lakshmi,
> > > changes v2->v3:
> > > fixed regression in my third commit.
> > > (please verify it on installed LTP, or at least run make install in
> > > testcases/kernel/security/integrity/ima/datafiles/ima_keys/)
> > I did, but nothing changed. I probably need to set an environment
> > variable.
> > After building and installing LTP, it's finding the file, but some of
> > the issues still exist:
> > ima_keys 1 TINFO: $TMPDIR is on tmpfs => run on loop device
> > ima_keys 1 TINFO: Formatting /dev/loop0 with ext3 extra opts=''
> > ima_keys 1 TINFO: verify key measurement for keyrings and templates specified in IMA policy
> > grep: Unmatched ( or \(
> > ima_keys 1 TPASS: specified keyrings were measured correctly
> > ima_keys 2 TINFO: verify measurement of certificate imported into a keyring
> > keyctl_session_to_parent: Operation not permitted
> > ima_keys 2 TPASS: logged certificate matches the original
> > IMA policy:
> > measure func=KEY_CHECK keyrings=.ima|.evm|.builtin_trusted_keys|.blacklist|key_import_test template=ima-buf
> > measure func=KEY_CHECK keyrings=key_import_test template=ima-buf
> I think I see the problem
> keyrings=$(for i in $keycheck_lines; do echo "$i" | grep "keyrings" | \
> sed "s/\./\\\./g" | cut -d'=' -f2; done | sort -u
> The above line generates the list of keyrings (read from the IMA policy)
> with a newline after the first policy entry with "keyrings=". Please see
> below:
> ima_keys 1 TINFO: \.ima|\.builtin_trusted_keys
> key_import_test
> When this is checked in the "do-done" loop grep returns "mismatched (" due
> to the newline.
> I tried with "(" removed from the following line and that fixes the problem:
> grep -E "($templates)*($keyrings)" $ASCII_MEASUREMENTS | while read line
> But a better fix might be to remove the "newline" in $keyrings. I'll try
> that.
OK, I was too aggressive when removing tr dependency. I'll add another sed
command to remove new lines.
> Regarding the following error:
> keyctl_session_to_parent: Operation not permitted
I missed this problem.
> The following line in test2() can be removed. Not sure if this is needed.
> keyctl new_session > /dev/null
Not sure, I guess it'd work in existing session. But then it'd be good to
do cleanup.
> thanks,
> -lakshmi
Kind regards,
Petr
WARNING: multiple messages have this Message-ID (diff)
From: Petr Vorel <pvorel@suse.cz>
To: ltp@lists.linux.it
Subject: [LTP] [PATCH v3 0/4] IMA: verify measurement of certificate imported into a keyring
Date: Mon, 17 Aug 2020 22:39:50 +0200 [thread overview]
Message-ID: <20200817203950.GA121577@x230> (raw)
In-Reply-To: <cdf45ba0-287b-8fa1-d067-1c6c4f386939@linux.microsoft.com>
> On 8/17/20 12:18 PM, Mimi Zohar wrote:
> > On Mon, 2020-08-17 at 15:09 +0200, Petr Vorel wrote:
> > > Hi Mimi, Lakshmi,
> > > changes v2->v3:
> > > fixed regression in my third commit.
> > > (please verify it on installed LTP, or at least run make install in
> > > testcases/kernel/security/integrity/ima/datafiles/ima_keys/)
> > I did, but nothing changed. I probably need to set an environment
> > variable.
> > After building and installing LTP, it's finding the file, but some of
> > the issues still exist:
> > ima_keys 1 TINFO: $TMPDIR is on tmpfs => run on loop device
> > ima_keys 1 TINFO: Formatting /dev/loop0 with ext3 extra opts=''
> > ima_keys 1 TINFO: verify key measurement for keyrings and templates specified in IMA policy
> > grep: Unmatched ( or \(
> > ima_keys 1 TPASS: specified keyrings were measured correctly
> > ima_keys 2 TINFO: verify measurement of certificate imported into a keyring
> > keyctl_session_to_parent: Operation not permitted
> > ima_keys 2 TPASS: logged certificate matches the original
> > IMA policy:
> > measure func=KEY_CHECK keyrings=.ima|.evm|.builtin_trusted_keys|.blacklist|key_import_test template=ima-buf
> > measure func=KEY_CHECK keyrings=key_import_test template=ima-buf
> I think I see the problem
> keyrings=$(for i in $keycheck_lines; do echo "$i" | grep "keyrings" | \
> sed "s/\./\\\./g" | cut -d'=' -f2; done | sort -u
> The above line generates the list of keyrings (read from the IMA policy)
> with a newline after the first policy entry with "keyrings=". Please see
> below:
> ima_keys 1 TINFO: \.ima|\.builtin_trusted_keys
> key_import_test
> When this is checked in the "do-done" loop grep returns "mismatched (" due
> to the newline.
> I tried with "(" removed from the following line and that fixes the problem:
> grep -E "($templates)*($keyrings)" $ASCII_MEASUREMENTS | while read line
> But a better fix might be to remove the "newline" in $keyrings. I'll try
> that.
OK, I was too aggressive when removing tr dependency. I'll add another sed
command to remove new lines.
> Regarding the following error:
> keyctl_session_to_parent: Operation not permitted
I missed this problem.
> The following line in test2() can be removed. Not sure if this is needed.
> keyctl new_session > /dev/null
Not sure, I guess it'd work in existing session. But then it'd be good to
do cleanup.
> thanks,
> -lakshmi
Kind regards,
Petr
next prev parent reply other threads:[~2020-08-17 20:39 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-08-17 13:09 [PATCH v3 0/4] IMA: verify measurement of certificate imported into a keyring Petr Vorel
2020-08-17 13:09 ` [LTP] " Petr Vorel
2020-08-17 13:09 ` [PATCH v3 1/4] IMA/ima_keys.sh: Fix policy content check usage Petr Vorel
2020-08-17 13:09 ` [LTP] " Petr Vorel
2020-08-17 13:09 ` [PATCH v3 2/4] IMA: Refactor datafiles directory Petr Vorel
2020-08-17 13:09 ` [LTP] " Petr Vorel
2020-08-17 13:09 ` [PATCH v3 3/4] IMA: Add a test to verify measurement of certificate imported into a keyring Petr Vorel
2020-08-17 13:09 ` [LTP] " Petr Vorel
2020-08-17 13:09 ` [PATCH v3 4/4] IMA/ima_keys.sh: Enhance policy checks Petr Vorel
2020-08-17 13:09 ` [LTP] " Petr Vorel
2020-08-17 14:37 ` [PATCH v3 0/4] IMA: verify measurement of certificate imported into a keyring Lakshmi Ramasubramanian
2020-08-17 14:37 ` [LTP] " Lakshmi Ramasubramanian
2020-08-17 19:18 ` Mimi Zohar
2020-08-17 19:18 ` [LTP] " Mimi Zohar
2020-08-17 19:52 ` Petr Vorel
2020-08-17 19:52 ` [LTP] " Petr Vorel
2020-08-17 20:02 ` Lakshmi Ramasubramanian
2020-08-17 20:02 ` [LTP] " Lakshmi Ramasubramanian
2020-08-17 20:39 ` Petr Vorel [this message]
2020-08-17 20:39 ` Petr Vorel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200817203950.GA121577@x230 \
--to=pvorel@suse.cz \
--cc=linux-integrity@vger.kernel.org \
--cc=ltp@lists.linux.it \
--cc=nramas@linux.microsoft.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.