From: Petr Vorel <pvorel@suse.cz>
To: Mimi Zohar <zohar@linux.ibm.com>
Cc: ltp@lists.linux.it
Subject: Re: [LTP] [PATCH] security/ima: limit the scope of the LTP policy rules based on the UUID
Date: Wed, 12 Oct 2022 13:54:36 +0200	[thread overview]
Message-ID: <Y0aq/Oar7Swmqzhj@pevik> (raw)
In-Reply-To: <a7b9b60182d13d92d6e0c5d2c588644027c72b41.camel@linux.ibm.com>

Hi Mimi,

> On Mon, 2022-10-10 at 13:43 +0200, Petr Vorel wrote:
> > Hi Mimi,

> > FYI I have problems with ima_violations.sh, when run whole runtest/ima:

> > tst_device.c:89: TINFO: Found free device 0 '/dev/loop0'
> > ima_violations 1 TINFO: Formatting ext3 with opts='/dev/loop0'
> > ima_violations 1 TINFO: Mounting device: mount -t ext3 /dev/loop0 /tmp/LTP_ima_violations.Og149san78/mntpoint
> > ima_violations 1 TINFO: timeout per run is 0h 5m 0s
> > ima_violations 1 TINFO: IMA kernel config:
> > ima_violations 1 TINFO: CONFIG_IMA=y
> > ima_violations 1 TINFO: CONFIG_IMA_MEASURE_PCR_IDX=10
> > ima_violations 1 TINFO: CONFIG_IMA_LSM_RULES=y
> > ima_violations 1 TINFO: CONFIG_IMA_NG_TEMPLATE=y
> > ima_violations 1 TINFO: CONFIG_IMA_DEFAULT_TEMPLATE="ima-ng"
> > ima_violations 1 TINFO: CONFIG_IMA_DEFAULT_HASH_SHA256=y
> > ima_violations 1 TINFO: CONFIG_IMA_DEFAULT_HASH="sha256"
> > ima_violations 1 TINFO: CONFIG_IMA_READ_POLICY=y
> > ima_violations 1 TINFO: CONFIG_IMA_APPRAISE=y
> > ima_violations 1 TINFO: CONFIG_IMA_APPRAISE_BOOTPARAM=y
> > ima_violations 1 TINFO: CONFIG_IMA_APPRAISE_MODSIG=y
> > ima_violations 1 TINFO: CONFIG_IMA_TRUSTED_KEYRING=y
> > ima_violations 1 TINFO: CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y
> > ima_violations 1 TINFO: CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS=y
> > ima_violations 1 TINFO: CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS=y

> > ima_violations 1 TINFO: /proc/cmdline: BOOT_IMAGE=/boot/vmlinuz-
> > 5.19.12-1-default root=UUID=6de93d21-b5ed-4aa4-a9e4-00a7ab77c6d9
> > splash=silent video=1024x768 plymouth.ignore-serial-consoles
> > console=ttyS0 console=tty kernel.softlockup_panic=1
> > resume=/dev/disk/by-uuid/570474ff-969e-41e6-883e-ecff2fd15015
> > security=apparmor mitigations=auto ignore_loglevel lsm=integrity
> > ima_policy=tcb

> I would use either use the original "security=" or the new "lsm=" boot
> command line option.
FYI lsm= ima_policy=tcb would break booting, although on 5.19 I don't see the
warning from lsm asking to have integrity among the values. That's the old problem;
it'd be good to move integrity off the security hook as you suggested [2].
Therefore the kernel boots only with "security=" or without both "lsm" and "security".

BTW security=apparmor is the result of the setup from the openSUSE installer. It
got back to using security, due to the previously mentioned problem with boot.

Although "security=apparmor lsm=integrity ima_policy=tcb" might not be a good
idea, it does not cause ima_violations.sh to fail. Actually with all of these
ima_violations.sh fails:
* lsm=integrity ima_policy=tcb (without security=apparmor)
* security= ima_policy=tcb
* ima_policy=tcb

For some reason ima_violations.sh works, when run as the first test after boot
(at least with only "ima_policy=tcb" setup), but not when whole ima runtest file
is run (as there are tests run before it).  I'm still trying to figure out
what's wrong.  What do you use for running LTP IMA tests? And do you run whole
runtest file?

Questions:
* which kernel cmdline options (IMA related) make sense to use when testing IMA?
* is it feasible to have a cmdline setup which would be suitable
for all tests (running the ima runtest file) + any of these tests? At least have
detection and TCONF instead of failure.

> > ima_violations 1 TINFO: $TMPDIR is on tmpfs => run on loop device
> > ima_violations 1 TINFO: LTP IMA policy rules based on fsuuid=7ab2cd65-3060-4dbc-b786-72703604a33e
> > ima_violations 1 TINFO: using log /var/log/audit/audit.log
> > ima_violations 1 TINFO: verify open writers violation
> > ima_violations 1 TFAIL: open_writers violation not added
> > ima_violations 2 TINFO: verify ToMToU violation
> > ima_violations 2 TFAIL: ToMToU violation not added
> > ima_violations 3 TINFO: verify open_writers using mmapped files
> > tst_test.c:1526: TINFO: Timeout per run is 0h 00m 30s
> > ima_mmap.c:38: TINFO: sleep 3s
> > ima_violations 3 TFAIL: open_writers violation not added
> > ima_mmap.c:41: TPASS: test completed

> > My fix [1] does not help. Problems are with my changes or just with your
> > original patch. Continue debugging.
> > Kind regards,
> > Petr

> > [1] https://patchwork.ozlabs.org/project/ltp/patch/20221010085944.26814-1-pvorel@suse.cz/

> Only the ima_conditionals.sh and ima_policy.sh tests define policy
> rules based on fsuuid.  The other tests are still based on the builtin
> "ima_policy=tcb" rules.
Ah, correct. What was the reason not to transform the rest?
Maybe my following patch which uses loop device for all tests wasn't a good
idea.

> Without seeing the output of "cat /sys/kernel/security/ima/policy" it's
> hard to understand what's causing these errors.
It's empty. With the fsuuid based setup I'll try to use policy examples, so that it
won't TCONF, but that's a next step after we solve this.

Kind regards,
Petr

[2] https://lore.kernel.org/linux-integrity/cacde31235f08eeec698c63025a0eef81e10fe71.camel@linux.ibm.com/

> thanks,

> Mimi


-- 
Mailing list info: https://lists.linux.it/listinfo/ltp
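A pre-flight check along the lines of the TCONF detection Petr asks for in the message above, written as an added example (it is not part of the LTP tree nor code from this thread). It assumes the kernel cmdline and the IMA policy text are passed in as strings, and that an explicit lsm= list without integrity leaves the IMA hooks inactive.

```shell
#!/bin/sh
# Added example, not code from the LTP tree or from this thread: a pre-flight
# check in the spirit of Petr's request above, reporting TCONF on an unusable
# IMA setup instead of letting a test TFAIL. Inputs are strings so it runs on
# constructed data; live use: "$(cat /proc/cmdline)" and
# "$(cat /sys/kernel/security/ima/policy)" (needs CONFIG_IMA_READ_POLICY=y).

# Print the value of "key=value" from a cmdline string; status 1 if absent.
cmdline_opt()
{
	for tok in $1; do
		case "$tok" in
		"$2"=*) printf '%s\n' "${tok#*=}"; return 0 ;;
		esac
	done
	return 1
}

# ima_check_setup CMDLINE POLICY_TEXT [FSUUID]
# Prints "OK: ..." (status 0), "TWARN: ..." (1) or "TCONF: ..." (2).
ima_check_setup()
{
	ima_policy=$(cmdline_opt "$1" ima_policy) || ima_policy=
	lsm=$(cmdline_opt "$1" lsm) || lsm=
	security=$(cmdline_opt "$1" security) || security=
	# Assumption: explicit lsm= without integrity leaves IMA hooks unregistered
	# (the old problem behind [2] above).
	case "$lsm" in
	"" | *integrity*) ;;
	*) echo "TCONF: lsm=$lsm does not list integrity"; return 2 ;;
	esac

	# Empty policy is what Petr observed: nothing will be measured or appraised.
	if [ -z "$2" ]; then
		echo "TCONF: IMA policy is empty (no builtin ima_policy= rules, none loaded)"
		return 2
	fi

	# Tests loading fsuuid-scoped rules should confirm they actually took effect.
	if [ -n "$3" ] && ! printf '%s\n' "$2" | grep -q "fsuuid=$3"; then
		echo "TCONF: no policy rule for fsuuid=$3"
		return 2
	fi

	if [ -n "$lsm" ] && [ -n "$security" ]; then
		echo "TWARN: both security=$security and lsm=$lsm set"
		return 1
	fi
	echo "OK: ima_policy=${ima_policy:-none}"
}
```

Calling it from a test's setup with `ima_check_setup "$(cat /proc/cmdline)" "$(cat /sys/kernel/security/ima/policy)"` and mapping status 2 to tst_brk TCONF gives the "detection instead of failure" behaviour discussed above.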
