From: Mimi Zohar <zohar@linux.ibm.com>
To: Petr Vorel <pvorel@suse.cz>, ltp@lists.linux.it
Cc: linux-integrity@vger.kernel.org
Subject: Re: [LTP] [PATCH v2 2/8] ima_setup.sh: Allow to load predefined policy
Date: Mon, 30 Dec 2024 15:43:40 -0500 [thread overview]
Message-ID: <a617f000c69875b5c02743c8f0a8fee72cb1ea55.camel@linux.ibm.com> (raw)
In-Reply-To: <20241213222014.1580991-3-pvorel@suse.cz>
Hi Petr,
On Fri, 2024-12-13 at 23:20 +0100, Petr Vorel wrote:
[snip]
> --- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
> +++ b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
> @@ -1,7 +1,7 @@
> #!/bin/sh
> # SPDX-License-Identifier: GPL-2.0-or-later
> # Copyright (c) 2009 IBM Corporation
> -# Copyright (c) 2018-2020 Petr Vorel <pvorel@suse.cz>
> +# Copyright (c) 2018-2024 Petr Vorel <pvorel@suse.cz>
> # Author: Mimi Zohar <zohar@linux.ibm.com>
>
> TST_TESTFUNC="test"
> @@ -72,14 +72,20 @@ require_policy_readable()
> fi
> }
>
> -require_policy_writable()
> +check_policy_writable()
> {
> - local err="IMA policy already loaded and kernel not configured to enable multiple writes to it (need CONFIG_IMA_WRITE_POLICY=y)"
> -
> - [ -f $IMA_POLICY ] || tst_brk TCONF "$err"
> - # CONFIG_IMA_READ_POLICY
> + [ -f $IMA_POLICY ] || return 1
> + # workaround for kernels < v4.18 without fix
> + # ffb122de9a60b ("ima: Reflect correct permissions for policy")
> echo "" 2> log > $IMA_POLICY
> - grep -q "Device or resource busy" log && tst_brk TCONF "$err"
> + grep -q "Device or resource busy" log && return 1
> + return 0
> +}
> +
> +require_policy_writable()
> +{
> + check_policy_writable || tst_brk TCONF \
> + "IMA policy already loaded and kernel not configured to enable multiple writes to it (need CONFIG_IMA_WRITE_POLICY=y)"
> }
>
> check_ima_policy_content()
> @@ -158,6 +164,34 @@ print_ima_config()
> tst_res TINFO "/proc/cmdline: $(cat /proc/cmdline)"
> }
>
> +load_ima_policy()
> +{
> + local policy="$(ls $TST_DATAROOT/*.policy 2>/dev/null)"
> +
> + if [ "$LTP_IMA_LOAD_POLICY" != 1 -a "$policy" -a -f "$policy" ]; then
> + tst_res TINFO "NOTE: set LTP_IMA_LOAD_POLICY=1 to load policy for this test"
> + return
> + fi
> +
> + if [ -z "$policy" -o ! -f "$policy" ]; then
> + tst_res TINFO "no policy for this test"
> + LTP_IMA_LOAD_POLICY=
> + return
> + fi
> +
> + tst_res TINFO "trying to load '$policy' policy:"
> + cat $policy
> + if ! check_policy_writable; then
> + tst_res TINFO "WARNING: IMA policy already loaded and kernel not configured to enable multiple writes to it (need CONFIG_IMA_WRITE_POLICY=y), reboot required"
> + LTP_IMA_LOAD_POLICY=
> + return
> + fi
> +
> + cat "$policy" 2> log > $IMA_POLICY
> + if grep -q "Device or resource busy" log; then
> + tst_brk TBROK "Loading policy failed"
> + fi
To write to the IMA securityfs policy file, check_policy_writable() used "echo",
while here it's using "cat". "cat" fails when signed policies are required.
Perhaps add something like:
+
+ if grep -q "write error: Permission denied" log; then
+ tst_brk TBROK "Loading unsigned policy failed"
+ fi
> +}
Mimi
--
Mailing list info: https://lists.linux.it/listinfo/ltp
next prev parent reply other threads:[~2024-12-30 20:44 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-12-13 22:20 [LTP] [PATCH v2 0/8] LTP tests: load predefined policy, enhancements Petr Vorel
2024-12-13 22:20 ` [LTP] [PATCH v2 1/8] IMA: Add TCB policy as an example for ima_measurements.sh Petr Vorel
2024-12-31 16:01 ` Mimi Zohar
2025-01-03 11:57 ` Petr Vorel
2024-12-13 22:20 ` [LTP] [PATCH v2 2/8] ima_setup.sh: Allow to load predefined policy Petr Vorel
2024-12-30 20:43 ` Mimi Zohar [this message]
2024-12-31 10:00 ` Petr Vorel
2024-12-31 14:54 ` Mimi Zohar
2025-01-03 12:09 ` Petr Vorel
2025-01-03 12:18 ` Petr Vorel
2025-01-03 15:31 ` Mimi Zohar
2024-12-13 22:20 ` [LTP] [PATCH v2 3/8] tst_test.sh: IMA: Allow to disable LSM warnings and use it for IMA Petr Vorel
2024-12-13 22:20 ` [LTP] [PATCH v2 4/8] ima_setup: Print warning when policy not readable Petr Vorel
2024-12-13 22:20 ` [LTP] [PATCH v2 5/8] ima_kexec.sh: Move checking policy if readable to ima_setup.sh Petr Vorel
2024-12-13 22:20 ` [LTP] [PATCH v2 6/8] IMA: Add example policy for ima_violations.sh Petr Vorel
2024-12-31 3:43 ` Mimi Zohar
2024-12-31 10:40 ` Petr Vorel
2024-12-31 12:23 ` Petr Vorel
2024-12-31 15:34 ` Mimi Zohar
2025-01-03 19:02 ` Petr Vorel
2025-01-07 18:29 ` Mimi Zohar
2024-12-13 22:20 ` [LTP] [PATCH v2 7/8] ima_violations.sh: Check for a required policy Petr Vorel
2024-12-31 3:42 ` Mimi Zohar
2024-12-13 22:20 ` [LTP] [PATCH v2 8/8] [RFC] ima_kexec.sh: Relax result on unreadable policy to TCONF Petr Vorel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=a617f000c69875b5c02743c8f0a8fee72cb1ea55.camel@linux.ibm.com \
--to=zohar@linux.ibm.com \
--cc=linux-integrity@vger.kernel.org \
--cc=ltp@lists.linux.it \
--cc=pvorel@suse.cz \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox