From: Petr Vorel <pvorel@suse.cz>
To: Mimi Zohar <zohar@linux.ibm.com>
Cc: linux-integrity@vger.kernel.org, ltp@lists.linux.it,
Stefan Berger <stefanb@linux.ibm.com>
Subject: Re: [RFC PATCH 3/3] ima: additional ToMToU violation tests
Date: Thu, 20 Feb 2025 19:16:04 +0100 [thread overview]
Message-ID: <20250220181604.GA2709977@pevik> (raw)
In-Reply-To: <20250220160054.12149-3-zohar@linux.ibm.com>
Hi Mimi,
> Kernel patch "ima: limit the number of ToMToU integrity violations"
> prevents superfluous ToMToU violations. Add corresponding LTP tests.
> Link: https://lore.kernel.org/linux-integrity/20250219162131.416719-3-zohar@linux.ibm.com/
> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Unfortunately tests fail on both mainline kernel and kernel with your patches.
Any hint what could be wrong?
Mainline kernel (on kernel with your patches it looks the same):
ima_violations 1 TINFO: Running: ima_violations.sh
ima_violations 1 TINFO: Tested kernel: Linux ts 6.13.0-2.g0127a37-default #1 SMP PREEMPT_DYNAMIC Thu Jan 23 11:21:55 UTC 2025 (0127a37) x86_64 x86_64 x86_64 GNU/Linux
ima_violations 1 TINFO: Using /tmp/LTP_ima_violations.cKm34XVZk2 as tmpdir (tmpfs filesystem)
tst_device.c:99: TINFO: Found free device 0 '/dev/loop0'
ima_violations 1 TINFO: Formatting ext3 with opts='/dev/loop0'
ima_violations 1 TINFO: Mounting device: mount -t ext3 /dev/loop0 /tmp/LTP_ima_violations.cKm34XVZk2/mntpoint
ima_violations 1 TINFO: timeout per run is 0h 5m 0s
ima_violations 1 TINFO: IMA kernel config:
ima_violations 1 TINFO: CONFIG_IMA=y
ima_violations 1 TINFO: CONFIG_IMA_MEASURE_PCR_IDX=10
ima_violations 1 TINFO: CONFIG_IMA_LSM_RULES=y
ima_violations 1 TINFO: CONFIG_IMA_NG_TEMPLATE=y
ima_violations 1 TINFO: CONFIG_IMA_DEFAULT_TEMPLATE="ima-ng"
ima_violations 1 TINFO: CONFIG_IMA_DEFAULT_HASH_SHA256=y
ima_violations 1 TINFO: CONFIG_IMA_DEFAULT_HASH="sha256"
ima_violations 1 TINFO: CONFIG_IMA_READ_POLICY=y
ima_violations 1 TINFO: CONFIG_IMA_APPRAISE=y
ima_violations 1 TINFO: CONFIG_IMA_ARCH_POLICY=y
ima_violations 1 TINFO: CONFIG_IMA_APPRAISE_BOOTPARAM=y
ima_violations 1 TINFO: CONFIG_IMA_APPRAISE_MODSIG=y
ima_violations 1 TINFO: CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS=y
ima_violations 1 TINFO: CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS=y
ima_violations 1 TINFO: CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT=y
ima_violations 1 TINFO: CONFIG_IMA_DISABLE_HTABLE=y
ima_violations 1 TINFO: /proc/cmdline: BOOT_IMAGE=/boot/vmlinuz-6.13.0-2.g0127a37-default root=UUID=e36b2366-1af2-4408-903c-1fca82c60f4c splash=silent video=1024x768 plymouth.ignore-serial-consoles console=ttyS0 console=tty kernel.softlockup_panic=1 resume=/dev/disk/by-uuid/c3b865f9-5d5b-410e-a6d1-9ebcf721584c mitigations=auto security=apparmor ignore_loglevel
ima_violations 1 TINFO: $TMPDIR is on tmpfs => run on loop device
ima_violations 1 TINFO: test requires IMA policy:
measure func=FILE_CHECK mask=^MAY_READ euid=0
measure func=FILE_CHECK mask=^MAY_READ uid=0
ima_violations 1 TINFO: SUT has required policy content
ima_violations 1 TINFO: using log /var/log/audit/audit.log
ima_violations 1 TINFO: verify open writers violation
ima_violations 1 TFAIL: open_writers too many violations added
ima_violations 2 TINFO: verify ToMToU violation
ima_violations 2 TFAIL: ToMToU too many violations added
ima_violations 3 TINFO: verify open_writers using mmapped files
tst_test.c:1900: TINFO: LTP version: 20250130-22-gcd2215702f
tst_test.c:1904: TINFO: Tested kernel: 6.13.0-2.g0127a37-default #1 SMP PREEMPT_DYNAMIC Thu Jan 23 11:21:55 UTC 2025 (0127a37) x86_64
tst_kconfig.c:88: TINFO: Parsing kernel config '/proc/config.gz'
tst_kconfig.c:676: TINFO: CONFIG_FAULT_INJECTION kernel option detected which might slow the execution
tst_test.c:1722: TINFO: Overall timeout per run is 0h 02m 00s
ima_mmap.c:38: TINFO: sleep 3s
ima_violations 3 TFAIL: open_writers too many violations added
ima_mmap.c:41: TPASS: test completed
Summary:
passed 1
failed 0
broken 0
skipped 0
warnings 0
ima_violations 4 TINFO: verify limiting single open writer violation
ima_violations 4 TFAIL: open_writers too many violations added
ima_violations 5 TINFO: verify limiting multiple open writers violations
ima_violations 5 TFAIL: open_writers too many violations added
ima_violations 6 TINFO: verify new open writer causes additional violation
ima_violations 6 TFAIL: open_writers too many violations added
ima_violations 7 TINFO: verify limiting single open reader ToMToU violations
ima_violations 7 TFAIL: ToMToU too many violations added
ima_violations 8 TINFO: verify new open reader causes additional ToMToU violation
ima_violations 8 TFAIL: ToMToU too many violations added
Kind regards,
Petr
WARNING: multiple messages have this Message-ID (diff)
From: Petr Vorel <pvorel@suse.cz>
To: Mimi Zohar <zohar@linux.ibm.com>
Cc: linux-integrity@vger.kernel.org, ltp@lists.linux.it,
Stefan Berger <stefanb@linux.ibm.com>
Subject: Re: [LTP] [RFC PATCH 3/3] ima: additional ToMToU violation tests
Date: Thu, 20 Feb 2025 19:16:04 +0100 [thread overview]
Message-ID: <20250220181604.GA2709977@pevik> (raw)
In-Reply-To: <20250220160054.12149-3-zohar@linux.ibm.com>
Hi Mimi,
> Kernel patch "ima: limit the number of ToMToU integrity violations"
> prevents superfluous ToMToU violations. Add corresponding LTP tests.
> Link: https://lore.kernel.org/linux-integrity/20250219162131.416719-3-zohar@linux.ibm.com/
> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Unfortunately tests fail on both mainline kernel and kernel with your patches.
Any hint what could be wrong?
Mainline kernel (on kernel with your patches it looks the same):
ima_violations 1 TINFO: Running: ima_violations.sh
ima_violations 1 TINFO: Tested kernel: Linux ts 6.13.0-2.g0127a37-default #1 SMP PREEMPT_DYNAMIC Thu Jan 23 11:21:55 UTC 2025 (0127a37) x86_64 x86_64 x86_64 GNU/Linux
ima_violations 1 TINFO: Using /tmp/LTP_ima_violations.cKm34XVZk2 as tmpdir (tmpfs filesystem)
tst_device.c:99: TINFO: Found free device 0 '/dev/loop0'
ima_violations 1 TINFO: Formatting ext3 with opts='/dev/loop0'
ima_violations 1 TINFO: Mounting device: mount -t ext3 /dev/loop0 /tmp/LTP_ima_violations.cKm34XVZk2/mntpoint
ima_violations 1 TINFO: timeout per run is 0h 5m 0s
ima_violations 1 TINFO: IMA kernel config:
ima_violations 1 TINFO: CONFIG_IMA=y
ima_violations 1 TINFO: CONFIG_IMA_MEASURE_PCR_IDX=10
ima_violations 1 TINFO: CONFIG_IMA_LSM_RULES=y
ima_violations 1 TINFO: CONFIG_IMA_NG_TEMPLATE=y
ima_violations 1 TINFO: CONFIG_IMA_DEFAULT_TEMPLATE="ima-ng"
ima_violations 1 TINFO: CONFIG_IMA_DEFAULT_HASH_SHA256=y
ima_violations 1 TINFO: CONFIG_IMA_DEFAULT_HASH="sha256"
ima_violations 1 TINFO: CONFIG_IMA_READ_POLICY=y
ima_violations 1 TINFO: CONFIG_IMA_APPRAISE=y
ima_violations 1 TINFO: CONFIG_IMA_ARCH_POLICY=y
ima_violations 1 TINFO: CONFIG_IMA_APPRAISE_BOOTPARAM=y
ima_violations 1 TINFO: CONFIG_IMA_APPRAISE_MODSIG=y
ima_violations 1 TINFO: CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS=y
ima_violations 1 TINFO: CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS=y
ima_violations 1 TINFO: CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT=y
ima_violations 1 TINFO: CONFIG_IMA_DISABLE_HTABLE=y
ima_violations 1 TINFO: /proc/cmdline: BOOT_IMAGE=/boot/vmlinuz-6.13.0-2.g0127a37-default root=UUID=e36b2366-1af2-4408-903c-1fca82c60f4c splash=silent video=1024x768 plymouth.ignore-serial-consoles console=ttyS0 console=tty kernel.softlockup_panic=1 resume=/dev/disk/by-uuid/c3b865f9-5d5b-410e-a6d1-9ebcf721584c mitigations=auto security=apparmor ignore_loglevel
ima_violations 1 TINFO: $TMPDIR is on tmpfs => run on loop device
ima_violations 1 TINFO: test requires IMA policy:
measure func=FILE_CHECK mask=^MAY_READ euid=0
measure func=FILE_CHECK mask=^MAY_READ uid=0
ima_violations 1 TINFO: SUT has required policy content
ima_violations 1 TINFO: using log /var/log/audit/audit.log
ima_violations 1 TINFO: verify open writers violation
ima_violations 1 TFAIL: open_writers too many violations added
ima_violations 2 TINFO: verify ToMToU violation
ima_violations 2 TFAIL: ToMToU too many violations added
ima_violations 3 TINFO: verify open_writers using mmapped files
tst_test.c:1900: TINFO: LTP version: 20250130-22-gcd2215702f
tst_test.c:1904: TINFO: Tested kernel: 6.13.0-2.g0127a37-default #1 SMP PREEMPT_DYNAMIC Thu Jan 23 11:21:55 UTC 2025 (0127a37) x86_64
tst_kconfig.c:88: TINFO: Parsing kernel config '/proc/config.gz'
tst_kconfig.c:676: TINFO: CONFIG_FAULT_INJECTION kernel option detected which might slow the execution
tst_test.c:1722: TINFO: Overall timeout per run is 0h 02m 00s
ima_mmap.c:38: TINFO: sleep 3s
ima_violations 3 TFAIL: open_writers too many violations added
ima_mmap.c:41: TPASS: test completed
Summary:
passed 1
failed 0
broken 0
skipped 0
warnings 0
ima_violations 4 TINFO: verify limiting single open writer violation
ima_violations 4 TFAIL: open_writers too many violations added
ima_violations 5 TINFO: verify limiting multiple open writers violations
ima_violations 5 TFAIL: open_writers too many violations added
ima_violations 6 TINFO: verify new open writer causes additional violation
ima_violations 6 TFAIL: open_writers too many violations added
ima_violations 7 TINFO: verify limiting single open reader ToMToU violations
ima_violations 7 TFAIL: ToMToU too many violations added
ima_violations 8 TINFO: verify new open reader causes additional ToMToU violation
ima_violations 8 TFAIL: ToMToU too many violations added
Kind regards,
Petr
--
Mailing list info: https://lists.linux.it/listinfo/ltp
next prev parent reply other threads:[~2025-02-20 18:16 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-02-20 16:00 [RFC PATCH 1/3] Update validate() to support multiple violations Mimi Zohar
2025-02-20 16:00 ` [LTP] " Mimi Zohar
2025-02-20 16:00 ` [RFC PATCH 2/3] ima: additional open-writer violation tests Mimi Zohar
2025-02-20 16:00 ` [LTP] " Mimi Zohar
2025-02-20 19:02 ` Petr Vorel
2025-02-20 19:02 ` [LTP] " Petr Vorel
2025-02-20 16:00 ` [RFC PATCH 3/3] ima: additional ToMToU " Mimi Zohar
2025-02-20 16:00 ` [LTP] " Mimi Zohar
2025-02-20 18:16 ` Petr Vorel [this message]
2025-02-20 18:16 ` Petr Vorel
2025-02-20 18:46 ` Petr Vorel
2025-02-20 18:46 ` [LTP] " Petr Vorel
2025-02-20 21:15 ` Mimi Zohar
2025-02-20 21:15 ` [LTP] " Mimi Zohar
2025-02-20 18:59 ` Mimi Zohar
2025-02-20 18:59 ` [LTP] " Mimi Zohar
2025-02-20 19:13 ` Petr Vorel
2025-02-20 19:13 ` [LTP] " Petr Vorel
2025-02-20 20:22 ` Mimi Zohar
2025-02-20 20:22 ` [LTP] " Mimi Zohar
2025-02-20 21:18 ` Mimi Zohar
2025-02-20 21:18 ` [LTP] " Mimi Zohar
2025-02-20 21:43 ` Petr Vorel
2025-02-20 21:43 ` [LTP] " Petr Vorel
2025-02-21 2:07 ` Mimi Zohar
2025-02-21 2:07 ` [LTP] " Mimi Zohar
2025-02-21 8:16 ` Petr Vorel
2025-02-21 8:16 ` [LTP] " Petr Vorel
2025-02-24 18:48 ` Mimi Zohar
2025-02-24 18:48 ` [LTP] " Mimi Zohar
2025-02-25 7:45 ` Petr Vorel
2025-02-25 7:45 ` [LTP] " Petr Vorel
2025-02-20 18:50 ` [RFC PATCH 1/3] Update validate() to support multiple violations Petr Vorel
2025-02-20 18:50 ` [LTP] " Petr Vorel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250220181604.GA2709977@pevik \
--to=pvorel@suse.cz \
--cc=linux-integrity@vger.kernel.org \
--cc=ltp@lists.linux.it \
--cc=stefanb@linux.ibm.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.