From: Petr Vorel <pvorel@suse.cz>
To: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
Cc: zohar@linux.ibm.com, paul@paul-moore.com,
stephen.smalley.work@gmail.com, tusharsu@linux.microsoft.com,
ltp@lists.linux.it, linux-integrity@vger.kernel.org,
selinux@vger.kernel.org
Subject: Re: [PATCH] IMA: Add test for selinux measurement
Date: Tue, 23 Feb 2021 23:14:33 +0100 [thread overview]
Message-ID: <YDV+SdQqGnCoykph@pevik> (raw)
In-Reply-To: <fdda206c-e156-d66b-7f53-0ee9c1417597@linux.microsoft.com>
> On 2/23/21 10:00 AM, Petr Vorel wrote:
> > > +++ b/testcases/kernel/security/integrity/ima/tests/ima_selinux.sh
> > ...
> > > +validate_policy_capabilities()
> > > +{
> > > + local measured_cap measured_value expected_value
> > > + local result=1
> > > + local inx=7
> > > +
> > > + # Policy capabilities flags start from "network_peer_controls"
> > > + # in the measured SELinux state at offset 7 for 'awk'
> > > + while [ $inx -lt 20 ]; do
> > > + measured_cap=$(echo $1 | awk -F'[=;]' -v inx="$inx" '{print $inx}')
> > > + inx=$(( $inx + 1 ))
> > > +
> > > + measured_value=$(echo $1 | awk -F'[=;]' -v inx="$inx" '{print $inx}')
> > > + expected_value=$(cat "$SELINUX_DIR/policy_capabilities/$measured_cap")
> > > + if [ "$measured_value" != "$expected_value" ];then
> > > + tst_res TWARN "$measured_cap: expected: $expected_value, got: $digest"
> > We rarely use TWARN in the tests, only when the error is not related to the test result.
> > Otherwise we use TFAIL.
> ok - I will change it to TFAIL.
Thanks!
But I've noticed that this error is handled twice, first in validate_policy_capabilities()
as TWARN (or TFAIL) and then in test2(). Let's use TPASS/TFAIL in
validate_policy_capabilities():
validate_policy_capabilities()
{
local measured_cap measured_value expected_value
local inx=7
# Policy capabilities flags start from "network_peer_controls"
# in the measured SELinux state at offset 7 for 'awk'
while [ $inx -lt 20 ]; do
measured_cap=$(echo $1 | awk -F'[=;]' -v inx="$inx" '{print $inx}')
inx=$(($inx + 1))
measured_value=$(echo $1 | awk -F'[=;]' -v inx="$inx" '{print $inx}')
expected_value=$(cat "$SELINUX_DIR/policy_capabilities/$measured_cap")
if [ "$measured_value" != "$expected_value" ]; then
tst_res TFAIL "$measured_cap: expected: $expected_value, got: $digest"
return
fi
inx=$(($inx + 1))
done
tst_res TPASS "SELinux state measured correctly"
}
test2()
{
...
validate_policy_capabilities $measured_data
}
...
> > As we discuss, I'm going tom merge test when patchset is merged in maintainers tree,
> > please ping me. And ideally we should mention kernel commit hash as a comment in
> > the test.
> Will do. Thank you.
Thanks!
...
> > +++ testcases/kernel/security/integrity/ima/tests/ima_selinux.sh
> > @@ -13,16 +13,14 @@ TST_SETUP="setup"
> > . ima_setup.sh
> > FUNC_CRITICAL_DATA='func=CRITICAL_DATA'
> > -REQUIRED_POLICY="^measure.*($FUNC_CRITICAL_DATA)"
> > +REQUIRED_POLICY="^measure.*$FUNC_CRITICAL_DATA"
> > setup()
> > {
> > - SELINUX_DIR=$(tst_get_selinux_dir)
> > - if [ -z "$SELINUX_DIR" ]; then
> > - tst_brk TCONF "SELinux is not enabled"
> > - return
> > - fi
> > + tst_require_selinux_enabled
> Please correct me if I have misunderstood this one:
> tst_require_selinux_enabled is checking if SELinux is enabled in "enforce"
> mode. Would this check fail if SELinux is enabled in "permissive" mode?
> For running the test, we just need SELinux to be enabled. I verify that by
> checking for the presence of SELINUX_DIR.
Good catch. Your original version is correct (put it back into ima/selinux.v2.fixes).
I didn't put a helper for it, because you need $SELINUX_DIR anyway.
Thus removed tst_require_selinux_enabled() as not needed.
I renamed tst_selinux_enabled() to tst_selinux_enforced() to make the purpose clearer
(commit 82b598ea1 IMA: Add test for selinux measurement).
I've updated branch ima/selinux.v2.fixes with all mentioned changes
https://github.com/pevik/ltp/commits/ima/selinux.v2.fixes
Kind regards,
Petr
> thanks,
> -lakshmi
WARNING: multiple messages have this Message-ID (diff)
From: Petr Vorel <pvorel@suse.cz>
To: ltp@lists.linux.it
Subject: [LTP] [PATCH] IMA: Add test for selinux measurement
Date: Tue, 23 Feb 2021 23:14:33 +0100 [thread overview]
Message-ID: <YDV+SdQqGnCoykph@pevik> (raw)
In-Reply-To: <fdda206c-e156-d66b-7f53-0ee9c1417597@linux.microsoft.com>
> On 2/23/21 10:00 AM, Petr Vorel wrote:
> > > +++ b/testcases/kernel/security/integrity/ima/tests/ima_selinux.sh
> > ...
> > > +validate_policy_capabilities()
> > > +{
> > > + local measured_cap measured_value expected_value
> > > + local result=1
> > > + local inx=7
> > > +
> > > + # Policy capabilities flags start from "network_peer_controls"
> > > + # in the measured SELinux state at offset 7 for 'awk'
> > > + while [ $inx -lt 20 ]; do
> > > + measured_cap=$(echo $1 | awk -F'[=;]' -v inx="$inx" '{print $inx}')
> > > + inx=$(( $inx + 1 ))
> > > +
> > > + measured_value=$(echo $1 | awk -F'[=;]' -v inx="$inx" '{print $inx}')
> > > + expected_value=$(cat "$SELINUX_DIR/policy_capabilities/$measured_cap")
> > > + if [ "$measured_value" != "$expected_value" ];then
> > > + tst_res TWARN "$measured_cap: expected: $expected_value, got: $digest"
> > We rarely use TWARN in the tests, only when the error is not related to the test result.
> > Otherwise we use TFAIL.
> ok - I will change it to TFAIL.
Thanks!
But I've noticed that this error is handled twice, first in validate_policy_capabilities()
as TWARN (or TFAIL) and then in test2(). Let's use TPASS/TFAIL in
validate_policy_capabilities():
validate_policy_capabilities()
{
local measured_cap measured_value expected_value
local inx=7
# Policy capabilities flags start from "network_peer_controls"
# in the measured SELinux state at offset 7 for 'awk'
while [ $inx -lt 20 ]; do
measured_cap=$(echo $1 | awk -F'[=;]' -v inx="$inx" '{print $inx}')
inx=$(($inx + 1))
measured_value=$(echo $1 | awk -F'[=;]' -v inx="$inx" '{print $inx}')
expected_value=$(cat "$SELINUX_DIR/policy_capabilities/$measured_cap")
if [ "$measured_value" != "$expected_value" ]; then
tst_res TFAIL "$measured_cap: expected: $expected_value, got: $digest"
return
fi
inx=$(($inx + 1))
done
tst_res TPASS "SELinux state measured correctly"
}
test2()
{
...
validate_policy_capabilities $measured_data
}
...
> > As we discuss, I'm going tom merge test when patchset is merged in maintainers tree,
> > please ping me. And ideally we should mention kernel commit hash as a comment in
> > the test.
> Will do. Thank you.
Thanks!
...
> > +++ testcases/kernel/security/integrity/ima/tests/ima_selinux.sh
> > @@ -13,16 +13,14 @@ TST_SETUP="setup"
> > . ima_setup.sh
> > FUNC_CRITICAL_DATA='func=CRITICAL_DATA'
> > -REQUIRED_POLICY="^measure.*($FUNC_CRITICAL_DATA)"
> > +REQUIRED_POLICY="^measure.*$FUNC_CRITICAL_DATA"
> > setup()
> > {
> > - SELINUX_DIR=$(tst_get_selinux_dir)
> > - if [ -z "$SELINUX_DIR" ]; then
> > - tst_brk TCONF "SELinux is not enabled"
> > - return
> > - fi
> > + tst_require_selinux_enabled
> Please correct me if I have misunderstood this one:
> tst_require_selinux_enabled is checking if SELinux is enabled in "enforce"
> mode. Would this check fail if SELinux is enabled in "permissive" mode?
> For running the test, we just need SELinux to be enabled. I verify that by
> checking for the presence of SELINUX_DIR.
Good catch. Your original version is correct (put it back into ima/selinux.v2.fixes).
I didn't put a helper for it, because you need $SELINUX_DIR anyway.
Thus removed tst_require_selinux_enabled() as not needed.
I renamed tst_selinux_enabled() to tst_selinux_enforced() to make the purpose clearer
(commit 82b598ea1 IMA: Add test for selinux measurement).
I've updated branch ima/selinux.v2.fixes with all mentioned changes
https://github.com/pevik/ltp/commits/ima/selinux.v2.fixes
Kind regards,
Petr
> thanks,
> -lakshmi
next prev parent reply other threads:[~2021-02-23 22:15 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-02-22 2:38 [PATCH] IMA: Add test for selinux measurement Lakshmi Ramasubramanian
2021-02-22 2:38 ` [LTP] " Lakshmi Ramasubramanian
2021-02-23 18:00 ` Petr Vorel
2021-02-23 18:00 ` [LTP] " Petr Vorel
2021-02-23 18:26 ` Lakshmi Ramasubramanian
2021-02-23 18:26 ` [LTP] " Lakshmi Ramasubramanian
2021-02-23 22:14 ` Petr Vorel [this message]
2021-02-23 22:14 ` Petr Vorel
2021-02-23 23:01 ` Lakshmi Ramasubramanian
2021-02-23 23:01 ` [LTP] " Lakshmi Ramasubramanian
2021-03-16 11:54 ` Petr Vorel
2021-03-16 11:54 ` [LTP] " Petr Vorel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YDV+SdQqGnCoykph@pevik \
--to=pvorel@suse.cz \
--cc=linux-integrity@vger.kernel.org \
--cc=ltp@lists.linux.it \
--cc=nramas@linux.microsoft.com \
--cc=paul@paul-moore.com \
--cc=selinux@vger.kernel.org \
--cc=stephen.smalley.work@gmail.com \
--cc=tusharsu@linux.microsoft.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.