linux-integrity.vger.kernel.org archive mirror
From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: Petr Vorel <pvorel@suse.cz>, ltp@lists.linux.it
Cc: linux-integrity@vger.kernel.org
Subject: Re: [RFC PATCH v3 01/10] security/ima: Rewrite tests into new API + fixes
Date: Fri, 27 Apr 2018 10:13:15 -0400
Message-ID: <1524838395.3416.65.camel@linux.vnet.ibm.com>
In-Reply-To: <20180419195503.7194-2-pvorel@suse.cz>

On Thu, 2018-04-19 at 21:54 +0200, Petr Vorel wrote:

> -# Function:     test02
> -# Description	- Verify modifying, then reading, a file causes a new
> -# 		  measurement to be added to the IMA measurement list.
> -test02()
> +ima_check()
>  {
> -	# Modify test.txt
> -	echo $(date) - file modified >> test.txt
> +	local digest="$DEFAULT_DIGEST_OLD_FORMAT"
> +	local hash expected_hash line
> +
> +	# need to read file to get updated $ASCII_MEASUREMENTS
> +	cat $TEST_FILE > /dev/null
> +
> +	line="$(grep $TEST_FILE $ASCII_MEASUREMENTS | tail -1)"
> +	[ -n "$line" ] || tst_res TFAIL "cannot find measurement for '$TEST_FILE'"
> 
> -	# Calculating the sha1sum of test.txt should add
> -	# the new measurement to the measurement list
> -	hash=$(sha1sum test.txt | sed 's/  -//')
> +	[ "$DIGEST_INDEX" ] && digest="$(echo "$line" | awk '{print $(NF-'$DIGEST_INDEX')}' | cut -d ':' -f 1)"
> +	hash="$(echo "$line" | awk '{print $(NF-1)}' | cut -d ':' -f 2)"
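
Review bot: the TFAIL on the `[ -n "$line" ] || tst_res TFAIL ...` line does not stop the function, so when no measurement is found ima_check() goes on to run awk over an empty $line, computes a hash for the file anyway and reports a second, misleading TFAIL ("hash not found"). Make the failure branch return, as the TCONF branch further down already does, e.g. `[ -n "$line" ] || { tst_res TFAIL "cannot find measurement for '$TEST_FILE'"; return; }`. Also, `grep $TEST_FILE $ASCII_MEASUREMENTS` treats the path as an unquoted regular expression and matches any longer path that contains it; `grep -F -- "$TEST_FILE" "$ASCII_MEASUREMENTS"` (or matching the path as a whole field) is safer.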

With the "ima-sig" template, with a measurement that does not contain
the signature, this works fine.  There's a problem with lines
containing the signature.

Sample ima-sig template measurements with/without the signature:
line="10 ee788468d1b416a394feb9f4e5650302d9cd5574 ima-sig sha256:866c2542efd5c7528591eb3bb2861a1994a655da47732ccf28f7f4b1ce42d564 /usr/lib64/libpam.so.0.84.1"

line="10 d3afb4df5fe42485b99677f4b68a04692977b4bc ima-sig sha256:7b85508c9181670fe169935310b8c95d7c2573f0318a70cecd12868569aab891 /etc/profile.d/less.sh ..."

> 
> -	# Check if the new measurement exists
> -	cat /sys/kernel/security/ima/ascii_runtime_measurements > measurements
> -	$(grep $hash measurements > /dev/null)
> +	tst_res TINFO "computing hash for $digest digest"
> +	expected_hash="$(compute_hash $digest $TEST_FILE)" || \
> +		{ tst_res TCONF "cannot compute hash for '$digest' digest"; return; }
> 
> -	if [ $? -ne 0 ]; then
> -		tst_resm TFAIL "Modified file not measured"
> -		tst_resm TINFO "iversion not supported; or not mounted with iversion"
> +	if [ "$hash" = "$expected_hash" ]; then
> +		tst_res TPASS "correct hash found"
>  	else
> -		tst_resm TPASS "Modified file measured"
> +		tst_res TFAIL "hash not found"
>  	fi
>  }
> 
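Review bot: the message in the else branch, `tst_res TFAIL "hash not found"`, is misleading: at this point a measurement line for $TEST_FILE was found and its hash simply did not match the one computed from the file. Report it as a mismatch and print both values so the log is actionable, e.g. `tst_res TFAIL "hash mismatch: expected '$expected_hash', measured '$hash'"`.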

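The problem above is that the hash and path are picked from the right with `$(NF-1)`, which shifts by one field when an ima-sig entry carries its signature. The following added example (not part of the LTP patch or of this thread) parses entries from the left instead, so the optional trailing signature cannot shift the digest or path, and then checks the recorded digest against the file on disk; the measurement lines and the signature blob in it are constructed.

```shell
#!/bin/sh
# Added example: parse ascii_runtime_measurements entries for the ima-ng and
# ima-sig templates from the LEFT, then verify the recorded digest against
# the file on disk. The measurement lines below are constructed samples.

ima_parse() {
	# $1: one measurement line. On success sets IMA_PCR, IMA_TEMPLATE,
	# IMA_ALGO, IMA_HASH, IMA_FILE and IMA_SIG (empty for unsigned entries).
	# Limitation (shared with the awk parsing in the patch): paths that
	# contain spaces are not handled.
	set -f                      # no globbing while word-splitting the line
	set -- $1
	set +f
	[ $# -ge 5 ] || return 1
	case $3 in ima-ng|ima-sig) ;; *) return 1 ;; esac
	IMA_PCR=$1 IMA_TEMPLATE=$3 IMA_FILE=$5 IMA_SIG=${6:-}
	IMA_ALGO=${4%%:*}           # "sha256:abc..." -> sha256
	IMA_HASH=${4#*:}            # "sha256:abc..." -> abc...
}

ima_verify_entry() {
	# $1: measurement line, $2: file to compare against.
	# Returns 0 on match, 1 on mismatch, 2 if the line or hash tool is unusable
	# (the equivalent of the TCONF branch in the patch).
	ima_parse "$1" || return 2
	command -v "${IMA_ALGO}sum" >/dev/null 2>&1 || return 2
	actual=$("${IMA_ALGO}sum" "$2" | cut -d ' ' -f 1)
	[ "$actual" = "$IMA_HASH" ]
}

# Constructed ima-sig entries: one unsigned, one with a (fake) signature blob.
UNSIGNED='10 1111111111111111111111111111111111111111 ima-sig sha256:2222222222222222222222222222222222222222222222222222222222222222 /usr/lib64/libpam.so.0.84.1'
SIGNED='10 3333333333333333333333333333333333333333 ima-sig sha256:4444444444444444444444444444444444444444444444444444444444444444 /etc/profile.d/less.sh 030204ffffffff0100deadbeef'

for entry in "$UNSIGNED" "$SIGNED"; do
	ima_parse "$entry" && printf '%s %s %s sig=%s\n' \
		"$IMA_FILE" "$IMA_ALGO" "$IMA_HASH" "${IMA_SIG:-none}"
done
```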
Thread overview: 22+ messages
2018-04-19 19:54 [RFC PATCH v3 00/10] Rewrite tests into new API + fixes Petr Vorel
2018-04-19 19:54 ` [RFC PATCH v3 01/10] security/ima: " Petr Vorel
2018-04-27 14:13   ` Mimi Zohar [this message]
2018-04-28 15:09     ` Petr Vorel
2018-04-19 19:54 ` [RFC PATCH v3 02/10] security/ima: Change order of tests Petr Vorel
2018-04-19 19:54 ` [RFC PATCH v3 03/10] ima/ima_policy.sh: Improve check of policy writability Petr Vorel
2018-04-19 19:54 ` [RFC PATCH v3 04/10] ima/ima_policy.sh: Load whole policy with cat Petr Vorel
2018-04-19 19:54 ` [RFC PATCH v3 05/10] ima/ima_boot_aggregate: Increase MAX_EVENT_SIZE to 1MB Petr Vorel
2018-04-20 11:02   ` [LTP] " Cyril Hrubis
2018-04-19 19:54 ` [RFC PATCH v3 06/10] ima/tpm.sh: Use evmctl + other fixes Petr Vorel
2018-04-19 19:55 ` [RFC PATCH v3 07/10] ima/ima_mmap: Reduce sleep + log it Petr Vorel
2018-04-20 11:36   ` [LTP] " Cyril Hrubis
2018-04-19 19:55 ` [RFC PATCH v3 08/10] ima/{ima_measurements,ima_violations}.sh: Avoid running on tmpfs Petr Vorel
2018-04-19 19:55 ` [RFC PATCH v3 09/10] ima: CRYPTO_LIBS are needed only for ima_boot_aggregate Petr Vorel
2018-04-19 19:55 ` [RFC PATCH v3 10/10] ima/ima_mmap: Rewrite to new library Petr Vorel
2018-04-20 11:42   ` [LTP] " Cyril Hrubis
2018-04-26 16:18 ` [RFC PATCH v3 00/10] Rewrite tests into new API + fixes Mimi Zohar
2018-04-27  9:32   ` Petr Vorel
2018-04-27  9:51 ` [LTP] " Petr Vorel
2018-04-27 11:26   ` Mimi Zohar
2018-04-27 12:05   ` Mimi Zohar
2018-04-27 12:51     ` Petr Vorel
