| Message ID | 20180427095140.y6nngyv4ldjvitc6@dell5510 (mailing list archive) |
|---|---|
| State | New, archived |
On Fri, 2018-04-27 at 11:51 +0200, Petr Vorel wrote:
[...]
> ima_cleanup()
> diff --git testcases/kernel/security/integrity/ima/tests/ima_tpm.sh testcases/kernel/security/integrity/ima/tests/ima_tpm.sh
> index 0124c338f..0ffc3c022 100755
> --- testcases/kernel/security/integrity/ima/tests/ima_tpm.sh
> +++ testcases/kernel/security/integrity/ima/tests/ima_tpm.sh
> @@ -69,7 +69,7 @@ validate_pcr()
> grep 'HW PCR-10:' | awk '{print $3}')"
> if [ -z "$aggregate_pcr" ]; then
> tst_res TFAIL "failed to get PCR-10"
> - return
> + return 1
> fi
>
> while read line; do

	aggregate_pcr="$(evmctl -v ima_measurement $BINARY_MEASUREMENTS 2>&1 | \
		grep 'HW PCR-10:' | awk '{print $3}')"

This works properly with the "ima-ng" template and even the "ima-sig"
template, without any signatures or keys.  With the "ima-sig" there
will be some informational/warning messages.  Even with the warnings, we
can still validate the measurement list PCR value.  The last two records
will contain the calculated aggregate PCR value and the real HW PCR value.

example 1: evmctl without any keys
[...]
Failed to open keyfile: /etc/keys/x509_evm.der
PCRAgg 10: 2d1f635489a5b82fafde1ed48cfe67eabf6cba7b
HW PCR-10: 2d1f635489a5b82fafde1ed48cfe67eabf6cba7b

example 2: evmctl missing some keys
key 1: 6e6c1046 /etc/keys/ima/<additional key>
[...]
/usr/lib64/evolution/plugins/liborg-gnome-email-custom-header.so: RSA_public_decrypt() failed: -1
/usr/lib64/evolution/plugins/liborg-gnome-external-editor.so: RSA_public_decrypt() failed: -1
PCRAgg 10: 2d1f635489a5b82fafde1ed48cfe67eabf6cba7b
HW PCR-10: 2d1f635489a5b82fafde1ed48cfe67eabf6cba7b

example 3: evmctl with all keys ("-k" option)
key 1: 6e6c1046 /etc/keys/ima/<distro key>
key 2: c4e2426e /etc/keys/ima/<additional key>
PCRAgg 10: 2d1f635489a5b82fafde1ed48cfe67eabf6cba7b
HW PCR-10: 2d1f635489a5b82fafde1ed48cfe67eabf6cba7b

Mimi
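Mimi's point above turned into a small check, added here as an example (not code from LTP or ima-evm-utils): take the last "PCRAgg 10:" and "HW PCR-10:" records from evmctl's output, ignore the key warnings, and tell a missing record apart from a real mismatch. The evmctl output below is a constructed sample modelled on her example 2, and the function names are my own.

```shell
#!/bin/sh
# Added example, not LTP or evmctl code: compare the aggregate PCR that evmctl
# computes from the measurement list with the PCR it read from the TPM.
# Warnings about missing keys ("Failed to open keyfile", "RSA_public_decrypt()
# failed") are ignored, since the two summary records are printed regardless.

# Constructed sample modelled on the "missing some keys" case; the digest is
# the one quoted in the thread.
SAMPLE_OUTPUT='key 1: 6e6c1046 /etc/keys/ima/additional.der
/usr/lib64/evolution/plugins/liborg-gnome-external-editor.so: RSA_public_decrypt() failed: -1
PCRAgg 10: 2d1f635489a5b82fafde1ed48cfe67eabf6cba7b
HW PCR-10: 2d1f635489a5b82fafde1ed48cfe67eabf6cba7b'

# pcr_field PREFIX: print the digest of the last record on stdin that starts
# with PREFIX ("PCRAgg 10:" or "HW PCR-10:"); prints nothing if absent.
pcr_field()
{
	grep "^$1" | tail -n 1 | awk '{print $3}'
}

# compare_pcr10 OUTPUT: 0 = aggregate matches the TPM, 1 = mismatch,
# 2 = one of the records is missing (evmctl absent, no TPM, unreadable list),
# which a test should report as a configuration problem, not a PCR failure.
compare_pcr10()
{
	cp_agg=$(printf '%s\n' "$1" | pcr_field 'PCRAgg 10:')
	cp_hw=$(printf '%s\n' "$1" | pcr_field 'HW PCR-10:')
	if [ -z "$cp_agg" ] || [ -z "$cp_hw" ]; then
		return 2
	fi
	[ "$cp_agg" = "$cp_hw" ]
}

# Real use: feed evmctl's merged stdout/stderr, as the LTP script does.
validate_pcr10_live()
{
	compare_pcr10 "$(evmctl -v ima_measurement "$1" 2>&1)"
}

compare_pcr10 "$SAMPLE_OUTPUT" && echo "PCR-10 aggregate matches HW PCR-10"
```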
On Fri, 2018-04-27 at 11:51 +0200, Petr Vorel wrote:
> Hi,
>
> > changes v2->v3:
> > * Fixed some of the errors caused by test order.
>
> > * ima_boot_aggregate
> >   - max event size is now 1MB according to spec
>
> > * ima_mmap
> >   - reduce sleep + log it
> >   - rewritten into new API
>
> > * ima_measurements.sh
> >   - don't require iversion for kernel >= 4.16
> >   - avoid using tmpfs
>
> > * ima_policy.sh
> >   - improved detection of policy writability
> >   - merge test2 and test3
>
> > * ima_violations.sh
> >   - avoid using tmpfs
> >   - improved grepping of logs (no sleep is needed)
>
> > * ima_tpm.sh
> >   - Improve error messages
>
> > TODO:
> > * fix problems with violations tests (see patch 02/10).
> > * detect whether policy must be signed (currently tests assume the
> > policy does not need to be signed):
> > https://lists.linux.it/pipermail/ltp/2018-April/007702.html
> > http://lists.linux.it/pipermail/ltp/2018-January/006970.html
>
> Merged. See diff against v3, if interested.
> Thanks a lot Mimi for your comments, tips and review.

Thank you for working on this and cleaning it up!
> > TODO:
> > * detect whether policy must be signed (currently tests assume the
> policy does not need to be signed):
> https://lists.linux.it/pipermail/ltp/2018-April/007702.html
> http://lists.linux.it/pipermail/ltp/2018-January/006970.html
>
> * ima_violations are failing on logging into /var/log/messages (without auditd):
>
> tst_device.c:83: INFO: Found free device '/dev/loop0'
> ima_violations 1 TINFO: /proc/cmdline: BOOT_IMAGE=/vmlinuz-4.10.0-rc6-kaiser root=/dev/mapper/debian--testing--vg-root ro quiet ima_policy=secure_boot
> ima_violations 1 TINFO: IMA kernel config
> ima_violations 1 TINFO: CONFIG_IMA=y
> ima_violations 1 TINFO: CONFIG_IMA_MEASURE_PCR_IDX=10
> ima_violations 1 TINFO: CONFIG_IMA_LSM_RULES=y
> ima_violations 1 TINFO: CONFIG_IMA_NG_TEMPLATE=y
> ima_violations 1 TINFO: CONFIG_IMA_DEFAULT_TEMPLATE="ima-ng"
> ima_violations 1 TINFO: CONFIG_IMA_DEFAULT_HASH_SHA1=y
> ima_violations 1 TINFO: CONFIG_IMA_DEFAULT_HASH="sha1"
> ima_violations 1 TINFO: CONFIG_IMA_WRITE_POLICY=y
> ima_violations 1 TINFO: CONFIG_IMA_READ_POLICY=y
> ima_violations 1 TINFO: CONFIG_IMA_APPRAISE=y
> ima_violations 1 TINFO: CONFIG_IMA_TRUSTED_KEYRING=y
> ima_violations 1 TINFO: CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y
> ima_violations 1 TINFO: CONFIG_IMA_BLACKLIST_KEYRING=y
> ima_violations 1 TINFO: $TMPDIR is on tmpfs => run on loop device
> ima_violations 1 TINFO: Formatting /dev/loop0 with ext3 extra opts=''
> ima_violations 1 TINFO: using log /var/log/messages
> ima_violations 1 TINFO: verify open writers violation
> ima_violations 1 TINFO: open_writers not found in /var/log/messages (1/3 attempt)...
> ima_violations 1 TINFO: open_writers not found in /var/log/messages (2/3 attempt)...
> ima_violations 1 TINFO: open_writers not found in /var/log/messages (3/3 attempt)...
> ima_violations 1 TFAIL: open_writers not found in /var/log/messages
> ima_violations 2 TINFO: verify ToMToU violation
> ima_violations 2 TINFO: ToMToU not found in /var/log/messages (1/3 attempt)...
> ima_violations 2 TINFO: ToMToU not found in /var/log/messages (2/3 attempt)...
> ima_violations 2 TINFO: ToMToU not found in /var/log/messages (3/3 attempt)...
> ima_violations 2 TFAIL: ToMToU not found in /var/log/messages
> ...
> This is due to the previous test ima_policy running (when it is not
> possible to write to the policy, e.g. a second run of the testsuite on CONFIG_IMA_WRITE_POLICY=n,
> it's ok)

If there isn't any policy, then these results would be expected.

> I wonder if we should just TCONF when logging into /var/log/messages with combination of
> policy being writable (or TCONF when logging into /var/log/messages in any case).
>
> * Check whether current policy has tcb (i.e. presence of "ima_tcb" or "tcb" being part of ima_policy in
> /proc/cmdline) [1]. I wonder if we should TCONF all tests without tcb (some tests are
> working

For the case of no policy, you could still run the boot-aggregate
test.  I'm not sure about any of the other tests.

Even if the system was booted with either of the "tcb" policies, it
could still have been replaced with a custom policy.  If we're able to
cat the policy, we could verify that the loaded policy includes the
"tcb" policy and emit a TCONF warning message for non-tcb policies.

For now, perhaps add a general message indicating that the tests
assume a tcb policy.

> > * Getting record with old kernels (tested on both deprecated ima_tbc and ima_policy=tcb):
^ima_tcb
> ima_measurements 1 TINFO: /proc/cmdline: BOOT_IMAGE=/vmlinuz-3.10.0-693.2.2.el7.x86_64 root=/dev/mapper/centos-root ro crashkernel=auto rd.lvm.lv=centos/root rd.lvm.lv=centos/swap rhgb quiet ima_tbc
> ima_measurements 1 TINFO: IMA kernel config:
> ima_measurements 1 TINFO: CONFIG_IMA=y
> ima_measurements 1 TINFO: CONFIG_IMA_MEASURE_PCR_IDX=10
> ima_measurements 1 TINFO: CONFIG_IMA_AUDIT=y
> ima_measurements 1 TINFO: CONFIG_IMA_LSM_RULES=y
> ima_measurements 1 TINFO: CONFIG_IMA_APPRAISE=y
> ima_measurements 1 TINFO: CONFIG_IMA_TRUSTED_KEYRING=y
> ima_measurements 1 TINFO: verify adding record to the IMA measurement list
> ima_measurements 1 TFAIL: cannot find measurement for '/tmp/netpan-1253/LTP_ima_measurements.P2uyOze2J4/test.txt'
> awk: cmd. line:1: (FILENAME=- FNR=1) fatal: attempt to access field -1
> ima_measurements 1 TINFO: computing hash for sha1 digest
> ima_measurements 1 TFAIL: hash not found
> ima_measurements 2 TINFO: verify updating record in the IMA measurement list
> ima_measurements 2 TCONF: XFS Filesystem >= V5 required for iversion support
> ima_measurements 3 TINFO: verify not measuring user files
> ima_measurements 3 TPASS: grep /tmp/netpan-1253/LTP_ima_measurements.P2uyOze2J4/user/test.txt /sys/kernel/security/ima/ascii_runtime_measurements failed as expected
>
> Not sure if this is caused by different IMA behavior in old kernels or due to configuration.

Maybe just a typo - ima_tcb, not ima_tbc.

Mimi
Hi Mimi,

> > * ima_violations are failing on logging into /var/log/messages (without auditd):
> > tst_device.c:83: INFO: Found free device '/dev/loop0'
> > ima_violations 1 TINFO: /proc/cmdline: BOOT_IMAGE=/vmlinuz-4.10.0-rc6-kaiser root=/dev/mapper/debian--testing--vg-root ro quiet ima_policy=secure_boot
> > ima_violations 1 TINFO: IMA kernel config
> > ima_violations 1 TINFO: CONFIG_IMA=y
> > ima_violations 1 TINFO: CONFIG_IMA_MEASURE_PCR_IDX=10
> > ima_violations 1 TINFO: CONFIG_IMA_LSM_RULES=y
> > ima_violations 1 TINFO: CONFIG_IMA_NG_TEMPLATE=y
> > ima_violations 1 TINFO: CONFIG_IMA_DEFAULT_TEMPLATE="ima-ng"
> > ima_violations 1 TINFO: CONFIG_IMA_DEFAULT_HASH_SHA1=y
> > ima_violations 1 TINFO: CONFIG_IMA_DEFAULT_HASH="sha1"
> > ima_violations 1 TINFO: CONFIG_IMA_WRITE_POLICY=y
> > ima_violations 1 TINFO: CONFIG_IMA_READ_POLICY=y
> > ima_violations 1 TINFO: CONFIG_IMA_APPRAISE=y
> > ima_violations 1 TINFO: CONFIG_IMA_TRUSTED_KEYRING=y
> > ima_violations 1 TINFO: CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y
> > ima_violations 1 TINFO: CONFIG_IMA_BLACKLIST_KEYRING=y
> > ima_violations 1 TINFO: $TMPDIR is on tmpfs => run on loop device
> > ima_violations 1 TINFO: Formatting /dev/loop0 with ext3 extra opts=''
> > ima_violations 1 TINFO: using log /var/log/messages
> > ima_violations 1 TINFO: verify open writers violation
> > ima_violations 1 TINFO: open_writers not found in /var/log/messages (1/3 attempt)...
> > ima_violations 1 TINFO: open_writers not found in /var/log/messages (2/3 attempt)...
> > ima_violations 1 TINFO: open_writers not found in /var/log/messages (3/3 attempt)...
> > ima_violations 1 TFAIL: open_writers not found in /var/log/messages
> > ima_violations 2 TINFO: verify ToMToU violation
> > ima_violations 2 TINFO: ToMToU not found in /var/log/messages (1/3 attempt)...
> > ima_violations 2 TINFO: ToMToU not found in /var/log/messages (2/3 attempt)...
> > ima_violations 2 TINFO: ToMToU not found in /var/log/messages (3/3 attempt)...
> > ima_violations 2 TFAIL: ToMToU not found in /var/log/messages
> > ...
> > This is due to the previous test ima_policy running (when it is not
> > possible to write to the policy, e.g. a second run of the testsuite on CONFIG_IMA_WRITE_POLICY=n,
> > it's ok)
> If there isn't any policy, then these results would be expected.

No, ima_violations with /var/log/messages are failing even with tcb policy loaded (on kernels >= 4.x).

> > I wonder if we should just TCONF when logging into /var/log/messages with combination of
> > policy being writable (or TCONF when logging into /var/log/messages in any case).
> > * Check whether current policy has tcb (i.e. presence of "ima_tcb" or "tcb" being part of ima_policy in
> > /proc/cmdline) [1]. I wonder if we should TCONF all tests without tcb (some tests are
> > working
> For the case of no policy, you could still run the boot-aggregate
> test. I'm not sure about any of the other tests.

I'll check which ones are working and not issue TCONF for them.

> Even if the system was booted with either of the "tcb" policies, it
> could still have been replaced with a custom policy. If we're able to
> cat the policy, we could verify that the loaded policy includes the
> "tcb" policy and emit a TCONF warning message for non-tcb policies.

I understand you as checking /sys/kernel/security/ima/policy (assumes CONFIG_IMA_READ_POLICY) to have the content defined in the kernel's ima_rule_entry default_measurement_rules[] (from ima_policy.c in the kernel).

> For now, perhaps add a general message indicating that the tests
> assume a tcb policy.

Makes sense, I'll add it now.

> > * Getting record with old kernels (tested on both deprecated ima_tbc and ima_policy=tcb):
> ^ima_tcb
> > ima_measurements 1 TINFO: /proc/cmdline: BOOT_IMAGE=/vmlinuz-3.10.0-693.2.2.el7.x86_64 root=/dev/mapper/centos-root ro crashkernel=auto rd.lvm.lv=centos/root rd.lvm.lv=centos/swap rhgb quiet ima_tbc
> > ima_measurements 1 TINFO: IMA kernel config:
> > ima_measurements 1 TINFO: CONFIG_IMA=y
> > ima_measurements 1 TINFO: CONFIG_IMA_MEASURE_PCR_IDX=10
> > ima_measurements 1 TINFO: CONFIG_IMA_AUDIT=y
> > ima_measurements 1 TINFO: CONFIG_IMA_LSM_RULES=y
> > ima_measurements 1 TINFO: CONFIG_IMA_APPRAISE=y
> > ima_measurements 1 TINFO: CONFIG_IMA_TRUSTED_KEYRING=y
> > ima_measurements 1 TINFO: verify adding record to the IMA measurement list
> > ima_measurements 1 TFAIL: cannot find measurement for '/tmp/netpan-1253/LTP_ima_measurements.P2uyOze2J4/test.txt'
> > awk: cmd. line:1: (FILENAME=- FNR=1) fatal: attempt to access field -1
> > ima_measurements 1 TINFO: computing hash for sha1 digest
> > ima_measurements 1 TFAIL: hash not found
> > ima_measurements 2 TINFO: verify updating record in the IMA measurement list
> > ima_measurements 2 TCONF: XFS Filesystem >= V5 required for iversion support
> > ima_measurements 3 TINFO: verify not measuring user files
> > ima_measurements 3 TPASS: grep /tmp/netpan-1253/LTP_ima_measurements.P2uyOze2J4/user/test.txt /sys/kernel/security/ima/ascii_runtime_measurements failed as expected
> > Not sure if this is caused by different IMA behavior in old kernels or due to configuration.
> Maybe just a typo - ima_tcb, not ima_tbc.

Yes, that was the reason (silly mistake). On older kernels 3.x only ima_tbc (I'll check kernel versions and let the user know the correct variable in TCONF).

> Mimi
diff --git runtest/ima runtest/ima index e7824a62a..bcae16bb7 100644 --- runtest/ima +++ runtest/ima @@ -1,5 +1,5 @@ #DESCRIPTION:Integrity Measurement Architecture (IMA) -ima_violations ima_violations.sh -ima_policy ima_policy.sh ima_measurements ima_measurements.sh +ima_policy ima_policy.sh ima_tpm ima_tpm.sh +ima_violations ima_violations.sh diff --git testcases/kernel/security/integrity/ima/src/ima_boot_aggregate.c testcases/kernel/security/integrity/ima/src/ima_boot_aggregate.c index 862cc07ba..f6e7be041 100644 --- testcases/kernel/security/integrity/ima/src/ima_boot_aggregate.c +++ testcases/kernel/security/integrity/ima/src/ima_boot_aggregate.c @@ -81,7 +81,7 @@ int main(int argc, char *argv[]) for (i = 0; i < NUM_PCRS; i++) memset(&pcr[i].digest, 0, SHA_DIGEST_LENGTH); - event.data = (char *) malloc(MAX_EVENT_DATA_SIZE); + event.data = malloc(MAX_EVENT_DATA_SIZE); if (!event.data) { printf("Cannot allocate memory\n"); return 1; diff --git testcases/kernel/security/integrity/ima/tests/ima_policy.sh testcases/kernel/security/integrity/ima/tests/ima_policy.sh index 1c4a0b922..64aa8cb7a 100755 --- testcases/kernel/security/integrity/ima/tests/ima_policy.sh +++ testcases/kernel/security/integrity/ima/tests/ima_policy.sh @@ -95,7 +95,7 @@ test2() elif [ $rc1 -eq 0 ] || [ $rc2 -eq 0 ]; then tst_res TPASS "policy was loaded just by one process and able to loaded multiple times" else - tst_res TFAIL "problem with loading policy (policy should be able to load multiple times)" + tst_res TFAIL "problem loading or extending policy (may require policy to be signed)" fi } diff --git testcases/kernel/security/integrity/ima/tests/ima_setup.sh testcases/kernel/security/integrity/ima/tests/ima_setup.sh index 03851167f..8ea7aec18 100644 --- testcases/kernel/security/integrity/ima/tests/ima_setup.sh +++ testcases/kernel/security/integrity/ima/tests/ima_setup.sh 
@@ -64,6 +64,21 @@ mount_loop_device() cd mntpoint } +print_ima_config() +{ + local config="/boot/config-$(uname -r)" + local i + + tst_res TINFO "/proc/cmdline: $(cat /proc/cmdline)" + + if [ -r "$config" ]; then + tst_res TINFO "IMA kernel config:" + for i in $(grep ^CONFIG_IMA $config); do + tst_res TINFO "$i" + done + fi +} + ima_setup() { SECURITYFS="$(mount_helper securityfs $SYSFS/kernel/security)" @@ -73,14 +88,14 @@ ima_setup() ASCII_MEASUREMENTS="$IMA_DIR/ascii_runtime_measurements" BINARY_MEASUREMENTS="$IMA_DIR/binary_runtime_measurements" + print_ima_config + if [ "$TST_NEEDS_DEVICE" = 1 ]; then tst_res TINFO "\$TMPDIR is on tmpfs => run on loop device" mount_loop_device fi - if [ -n "$TST_SETUP_CALLER" ]; then - $TST_SETUP_CALLER - fi + [ -n "$TST_SETUP_CALLER" ] && $TST_SETUP_CALLER } ima_cleanup() diff --git testcases/kernel/security/integrity/ima/tests/ima_tpm.sh testcases/kernel/security/integrity/ima/tests/ima_tpm.sh index 0124c338f..0ffc3c022 100755 --- testcases/kernel/security/integrity/ima/tests/ima_tpm.sh +++ testcases/kernel/security/integrity/ima/tests/ima_tpm.sh @@ -69,7 +69,7 @@ validate_pcr() grep 'HW PCR-10:' | awk '{print $3}')" if [ -z "$aggregate_pcr" ]; then tst_res TFAIL "failed to get PCR-10" - return + return 1 fi while read line; do
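Review bot: in the runtest/ima hunk, ima_violations moves from first to last and now runs after ima_policy, and earlier in this thread the ima_violations failures were attributed to ima_policy having run before it ("This is due previous test ima_policy running"). Record that dependency in a comment in runtest/ima, or have ima_violations check the loaded policy before it starts measuring, so the result does not silently depend on the order in this file.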
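Review bot: the ima_policy.sh hunk rewords only the TFAIL branch of test2(), but the TPASS message in the unchanged context two lines above still reads "able to loaded multiple times"; fix it to "able to be loaded multiple times" in the same change. Since the new TFAIL text itself says the cause may be a policy that must be signed, and the cover letter lists signed-policy detection as a TODO, that branch would be more honest as TCONF until the test can tell a signature requirement apart from a real load failure.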
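Review bot: in the print_ima_config() hunk of ima_setup.sh, the config is read only from /boot/config-$(uname -r); kernels built with CONFIG_IKCONFIG_PROC expose the same data as /proc/config.gz, so `zcat /proc/config.gz` is a worthwhile fallback when the /boot file is missing (common on custom test kernels), and a TINFO saying the config is unavailable would help when neither exists. Also, `for i in $(grep ^CONFIG_IMA $config)` splits each matching line on whitespace; `grep ^CONFIG_IMA "$config" | while read -r i; do tst_res TINFO "$i"; done` keeps each line whole and quotes the path.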
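Review bot: in the second ima_setup.sh hunk, replacing the `if` with `[ -n "$TST_SETUP_CALLER" ] && $TST_SETUP_CALLER` as the last statement of ima_setup() changes the function's exit status: when TST_SETUP_CALLER is empty the `[` test returns 1, so ima_setup now exits non-zero for every test that has no setup callback. Keep the `if ... fi` form, or add `return 0` after the new line, unless it is certain that no caller looks at the status.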
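Review bot: in the ima_tpm.sh validate_pcr() hunk, `return 1` after the TFAIL only has an effect if the caller checks the status, and no call site is shown; confirm it is invoked as `validate_pcr || return` or similar. Also, because evmctl's stderr is merged into the grep pipeline with 2>&1, a missing evmctl binary or a machine without a TPM also yields an empty aggregate_pcr and is reported as TFAIL "failed to get PCR-10"; checking for evmctl and a TPM earlier and reporting TCONF would separate a missing tool from a real PCR mismatch.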