From: Petr Vorel <pvorel@suse.cz>
To: Mimi Zohar <zohar@linux.ibm.com>
Cc: linux-integrity@vger.kernel.org, ltp@lists.linux.it
Subject: Re: [LTP] [PATCH v2 2/8] ima_setup.sh: Allow to load predefined policy
Date: Fri, 3 Jan 2025 13:18:58 +0100 [thread overview]
Message-ID: <20250103121858.GC211314@pevik> (raw)
In-Reply-To: <b577405f0c6d2af8de6650eb1cd8c69305f616bf.camel@linux.ibm.com>
Hi Mimi,
...
> > Do I understand correctly you talk about policy containing func=POLICY_CHECK [1]?
> Yes. On a secure boot enabled system, the architecture specific policy might
> require the IMA policy itself to be signed.
> Snippet from ima_fs.c:
> #if IS_ENABLED(CONFIG_INTEGRITY_MACHINE_KEYRING) &&
> IS_ENABLED(CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY)
> "appraise func=POLICY_CHECK appraise_type=imasig",
> #endif
> > Maybe there could be a test based on example [2].
> > echo /home/user/tmpfile > /sys/kernel/security/ima/policy
> > cp tmpfile /sys/kernel/security/ima/policy
> > cat tmpfile > /sys/kernel/security/ima/policy
> All of the above will load a policy, assuming the policy itself doesn't need to
> be signed. Only "echo /home/user/tmpfile > /sys/kernel/security/ima/policy" can
> load a signed policy.
> Loading a CA key (mokutil), signing (evmctl)[1] and loading (keyctl) an IMA
> policy is probably beyond LTP. The purpose of this test would be to detect
> whether policies need to be signed.
The most advanced for LTP is currently solving reboot [3].
FYI we plan to add support [4] to our kirk tool [5] (currently supports running LTP,
kselftest and liburing, testing via SSH, qemu).
I suppose given how sparse is IMA/EVM testing in LTP this can wait (there are
more basic features not covered by testing). I suppose most of the testing you
have in ima-evm-utils repo (at least I found only IMA related code in kselftest
in BPF tests).
> Going forward what's probably needed is a new package containing a set of pre-
> defined sample custom policies, which are signed by the distro.
Please let me now once you or other IMA devs are doing any work in this.
Kind regards,
Petr
> [1] Directions for signing and loading a custom policy,
> https://ima-doc.readthedocs.io/en/latest/ima-utilities.html#sign-and-install-a-custom-policy
> Thanks,
> Mimi
> > Kind regards,
> > Petr
> > [1] https://ima-doc.readthedocs.io/en/latest/policy-syntax.html#func-policy-check
> > [2] https://ima-doc.readthedocs.io/en/latest/ima-policy.html#runtime-custom-policy
[3] https://github.com/linux-test-project/ltp/issues/868
[4] https://github.com/linux-test-project/kirk/issues/12
[5] https://github.com/linux-test-project/kirk
> > > > +}
> > > Mimi
--
Mailing list info: https://lists.linux.it/listinfo/ltp
next prev parent reply other threads:[~2025-01-03 12:19 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-12-13 22:20 [LTP] [PATCH v2 0/8] LTP tests: load predefined policy, enhancements Petr Vorel
2024-12-13 22:20 ` [LTP] [PATCH v2 1/8] IMA: Add TCB policy as an example for ima_measurements.sh Petr Vorel
2024-12-31 16:01 ` Mimi Zohar
2025-01-03 11:57 ` Petr Vorel
2024-12-13 22:20 ` [LTP] [PATCH v2 2/8] ima_setup.sh: Allow to load predefined policy Petr Vorel
2024-12-30 20:43 ` Mimi Zohar
2024-12-31 10:00 ` Petr Vorel
2024-12-31 14:54 ` Mimi Zohar
2025-01-03 12:09 ` Petr Vorel
2025-01-03 12:18 ` Petr Vorel [this message]
2025-01-03 15:31 ` Mimi Zohar
2024-12-13 22:20 ` [LTP] [PATCH v2 3/8] tst_test.sh: IMA: Allow to disable LSM warnings and use it for IMA Petr Vorel
2024-12-13 22:20 ` [LTP] [PATCH v2 4/8] ima_setup: Print warning when policy not readable Petr Vorel
2024-12-13 22:20 ` [LTP] [PATCH v2 5/8] ima_kexec.sh: Move checking policy if readable to ima_setup.sh Petr Vorel
2024-12-13 22:20 ` [LTP] [PATCH v2 6/8] IMA: Add example policy for ima_violations.sh Petr Vorel
2024-12-31 3:43 ` Mimi Zohar
2024-12-31 10:40 ` Petr Vorel
2024-12-31 12:23 ` Petr Vorel
2024-12-31 15:34 ` Mimi Zohar
2025-01-03 19:02 ` Petr Vorel
2025-01-07 18:29 ` Mimi Zohar
2024-12-13 22:20 ` [LTP] [PATCH v2 7/8] ima_violations.sh: Check for a required policy Petr Vorel
2024-12-31 3:42 ` Mimi Zohar
2024-12-13 22:20 ` [LTP] [PATCH v2 8/8] [RFC] ima_kexec.sh: Relax result on unreadable policy to TCONF Petr Vorel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250103121858.GC211314@pevik \
--to=pvorel@suse.cz \
--cc=linux-integrity@vger.kernel.org \
--cc=ltp@lists.linux.it \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox