linux-security-module.vger.kernel.org archive mirror
From: Mimi Zohar <zohar@linux.ibm.com>
To: Roberto Sassu <roberto.sassu@huaweicloud.com>,
	dmitry.kasatkin@gmail.com, jmorris@namei.org, serge@hallyn.com
Cc: linux-integrity@vger.kernel.org,
	linux-security-module@vger.kernel.org,
	linux-kernel@vger.kernel.org, stefanb@linux.ibm.com,
	viro@zeniv.linux.org.uk, pvorel@suse.cz,
	Roberto Sassu <roberto.sassu@huawei.com>
Subject: Re: [PATCH ima-evm-utils v2] Add tests for MMAP_CHECK and MMAP_CHECK_REQPROT hooks
Date: Wed, 01 Feb 2023 12:54:26 -0500
Message-ID: <acc5495c0bef99f255c4e16f47c2a23dd450d5ad.camel@linux.ibm.com>
In-Reply-To: <4a01d975f20f842284da4f46da4eee8c0091f354.camel@huaweicloud.com>

On Wed, 2023-02-01 at 18:29 +0100, Roberto Sassu wrote:
> On Tue, 2023-01-31 at 22:02 -0500, Mimi Zohar wrote:
> > Hi Roberto,
> > 
> > > +check_mmap() {
> > > +	local hook="$1"
> > > +	local arg="$2"
> > > +	local test_file fowner rule result test_file_entry
> > > +
> > > +	echo -e "\nTest: ${FUNCNAME[0]} (hook=\"$hook\", test_mmap arg: \"$arg\")"
> > > +
> > > +	if ! test_file=$(mktemp -p "$PWD"); then
> > > +		echo "${RED}Cannot write $test_file${NORM}"
> > > +		return "$HARDFAIL"
> > > +	fi
> > > +
> > > +	fowner="$MMAP_CHECK_FOWNER"
> > > +	rule="$MEASURE_MMAP_CHECK_RULE"
> > > +
> > > +	if [ "$hook" = "MMAP_CHECK_REQPROT" ]; then
> > > +		fowner="$MMAP_CHECK_REQPROT_FOWNER"
> > > +		rule="$MEASURE_MMAP_CHECK_REQPROT_RULE"
> > > +	fi
> > > +
> > > +	if ! chown "$fowner" "$test_file"; then
> > > +		echo "${RED}Cannot change owner of $test_file${NORM}"
> > > +		return "$HARDFAIL"
> > > +	fi
> > > +
> > > +	check_load_ima_rule "$rule"
> > > +	result=$?
> > > +	if [ $result -ne "$OK" ]; then
> > > +		return $result
> > > +	fi
> > > +
> > > +	test_mmap "$test_file" "$arg"
> > > +
> > > +	if [ "$TFAIL" != "yes" ]; then
> > > +		echo -n "Result (expect found): "
> > > +	else
> > > +		echo -n "Result (expect not found): "
> > > +	fi
> > > +
> > > +	test_file_entry=$(awk '$5 == "'"$test_file"'"' < /sys/kernel/security/ima/ascii_runtime_measurements)
> > > +	if [ -z "$test_file_entry" ]; then
> > > +		echo "not found"
> > > +		return "$FAIL"
> > > +	fi
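Review bot: in the mktemp failure branch, `$test_file` is still unset when `mktemp -p "$PWD"` fails, so the message prints "Cannot write " with no name; report the directory instead, e.g. `echo "${RED}Cannot create temporary file in $PWD${NORM}"`. The lookup `awk '$5 == "'"$test_file"'"'` also hard-codes the measurement-list layout: it assumes the file path is the fifth whitespace-separated field, which holds for the default ima-ng template but not for a custom template format or for a path that contains whitespace, so either document that assumption next to the awk call or match on the field that actually carries the path for the template in use.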
> > 
> > Using temporary files should prevent having multiple records.  Having a
> > verbose option to show the actual matching measurement list record
> > would be nice.
> > 
> > > +
> > > +	echo "found"
> > > +	return "$OK"
> > > +}
> > > +
> > 
> > 
> > > +
> > > +# Run in the new environment if TST_ENV is set.
> > > +_run_env "$TST_KERNEL" "$PWD/$(basename "$0")" "TST_ENV=$TST_ENV TST_KERNEL=$TST_KERNEL PATH=$PATH LD_LIBRARY_PATH=$LD_LIBRARY_PATH VERBOSE=$VERBOSE"
> > > +
> > > +# Exit from the creator of the new environment.
> > > +_exit_env "$TST_KERNEL"
> > > +
> > > +# Mount filesystems in the new environment.
> > > +_init_env
> > > +
> > > +if [ "$(whoami)" != "root" ]; then
> > > +	echo "${CYAN}This script must be executed as root${NORM}"
> > > +	exit "$SKIP"
> > > +fi
> > > +
> > > +if [ ! -f /sys/kernel/security/ima/policy ]; then
> > > +	echo "${CYAN}IMA policy file not found${NORM}"
> > > +	exit "$SKIP"
> > > +fi
> > > +
> > > +if ! cat /sys/kernel/security/ima/policy &> /dev/null; then
> > > +	echo "${CYAN}IMA policy file is not readable${NORM}"
> > > +	exit "$SKIP"
> > > +fi
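Review bot: the three checks in this hunk only establish that the policy file exists and is readable; nothing inspects its contents, so a pre-loaded MMAP_CHECK or MMAP_CHECK_REQPROT rule that carries no fsuuid= or fowner= qualifier is not detected, and because the rules are matched in order such a rule is applied to the temporary file before the test rule is. Consider scanning /sys/kernel/security/ima/policy for an mmap rule without those qualifiers right after the readability check and exiting with `$SKIP` (with a message naming the conflicting rule) when one is found.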
> > 
> > An existing policy with an mmap rule would affect this test.  Check to
> > see if one already exists.
> 
> Not sure about this. We are specifying the filesystem UUID and the file
> owner. Should be enough to avoid interference. Also
> check_load_ima_rule() avoids duplicated rules.

Since the policy rules are walked sequentially, existing mmap rules
without the uuid or owner qualifiers will interfere with the test
policy rules. To see the problem, load a custom policy containing an
mmap rule, without any qualifiers.  Then run the mmap_check test.

> 
> > > +
> > > +if [ -n "$TST_KEY_PATH" ]; then
> > > +	if [ "${TST_KEY_PATH:0:1}" != "/" ]; then
> > > +		echo "${RED}Absolute path required for the signing key${NORM}"
> > > +		exit "$FAIL"
> > > +	fi
> > > 
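Review bot: the TST_KEY_PATH check validates only that the path is absolute; it does not verify that the file exists and is readable, so a mistyped path is reported later by whatever consumes the key rather than here. Add a `[ -r "$TST_KEY_PATH" ]` test next to the leading-slash check and exit with `$FAIL` and a message naming the path when it fails.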
> 
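A check for the interference described in the reply above (an earlier mmap rule with neither fsuuid= nor fowner= matching the file before the test rule does), added here as an example that is not part of the patch or of ima-evm-utils; the policy text and the UID/UUID values in it are constructed, and on a live system the function would read /sys/kernel/security/ima/policy instead:

```shell
#!/bin/bash
# Added example, not code from the patch or from ima-evm-utils: find IMA policy
# rules that would shadow the test's own mmap rules. IMA walks the policy in
# order, so an earlier MMAP_CHECK / MMAP_CHECK_REQPROT rule that carries no
# fsuuid= or fowner= qualifier matches the temporary file before the test rule.

# Constructed policy text standing in for /sys/kernel/security/ima/policy;
# the UUID and owner UIDs are made-up sample values.
SAMPLE_POLICY='measure func=BPRM_CHECK
measure func=MMAP_CHECK mask=MAY_EXEC
measure func=MMAP_CHECK fsuuid=00000000-0000-0000-0000-000000000001 fowner=1234
dont_measure func=MMAP_CHECK_REQPROT fsmagic=0x9fa0
measure func=MMAP_CHECK_REQPROT fowner=1235'

# Print every rule on stdin whose func is MMAP_CHECK or MMAP_CHECK_REQPROT and
# that is qualified by neither fsuuid= nor fowner=. Both measure and
# dont_measure rules are reported, since either one changes what ends up in
# the measurement list for the test file.
unqualified_mmap_rules() {
	awk '/func=MMAP_CHECK(_REQPROT)?( |$)/ && !/fsuuid=/ && !/fowner=/'
}

# Exit status 0 when the policy on stdin contains no interfering rule;
# a test script would turn a non-zero status into its SKIP result.
policy_is_clean() {
	[ -z "$(unqualified_mmap_rules)" ]
}

# Stand-alone run over the constructed sample; on a real system replace the
# printf with: unqualified_mmap_rules < /sys/kernel/security/ima/policy
if printf '%s\n' "$SAMPLE_POLICY" | policy_is_clean; then
	echo "no interfering mmap rules"
else
	echo "existing rules that would interfere with the test:"
	printf '%s\n' "$SAMPLE_POLICY" | unqualified_mmap_rules
fi
```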



Thread overview: 11+ messages
2023-01-31 17:42 [PATCH v4 1/2] ima: Align ima_file_mmap() parameters with mmap_file LSM hook Roberto Sassu
2023-01-31 17:42 ` [PATCH v4 2/2] ima: Introduce MMAP_CHECK_REQPROT hook Roberto Sassu
2023-01-31 17:42 ` [PATCH ima-evm-utils v2] Add tests for MMAP_CHECK and MMAP_CHECK_REQPROT hooks Roberto Sassu
2023-01-31 22:39   ` Stefan Berger
2023-02-01 16:05     ` Roberto Sassu
2023-02-01  0:00   ` Mimi Zohar
2023-02-01 13:48     ` Mimi Zohar
2023-02-01 16:06       ` Roberto Sassu
2023-02-01  3:02   ` Mimi Zohar
2023-02-01 17:29     ` Roberto Sassu
2023-02-01 17:54       ` Mimi Zohar [this message]