diff mbox series

[v4,3/4] ima/ima_measurements.sh: Require builtin IMA tcb policy

Message ID 20190613161414.29161-4-pvorel@suse.cz (mailing list archive)
State New, archived
Headers show
Series LTP reproducer on broken IMA on overlayfs | expand

Commit Message

Petr Vorel June 13, 2019, 4:14 p.m. UTC
Although custom policy which may contain the equivalent measurement
tcb rules can be loaded via dracut, systemd or later manually from
user space, detecting it would require IMA_READ_POLICY=y. In order
to simplify the check and avoid false positives lets ignore this
option and require builtin IMA tcb policy.

Create check_ima_policy() helper in ima_setup.sh, so it can be reused in
other tests.

+ Use SPDX license identifier

Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
 .../integrity/ima/tests/ima_measurements.sh   | 23 ++++----------
 .../security/integrity/ima/tests/ima_setup.sh | 30 ++++++++++---------
 2 files changed, 21 insertions(+), 32 deletions(-)

Comments

Ignaz Forster June 13, 2019, 4:42 p.m. UTC | #1
Hi Petr,

Am 13.06.19 um 18:14 Uhr schrieb Petr Vorel:
> Although custom policy which may contain the equivalent measurement
> tcb rules can be loaded via dracut, systemd or later manually from
> user space, detecting it would require IMA_READ_POLICY=y. In order
> to simplify the check and avoid false positives lets ignore this
> option and require builtin IMA tcb policy.
> 
> Create check_ima_policy() helper in ima_setup.sh, so it can be reused in
> other tests.
> 
> + Use SPDX license identifier
> 
> Signed-off-by: Petr Vorel <pvorel@suse.cz>
> ---
>   .../integrity/ima/tests/ima_measurements.sh   | 23 ++++----------
>   .../security/integrity/ima/tests/ima_setup.sh | 30 ++++++++++---------
>   2 files changed, 21 insertions(+), 32 deletions(-)
> 
> diff --git a/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh b/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh
> index 328affc43..1b9ed85b8 100755
> --- a/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh
> +++ b/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh
> @@ -1,19 +1,7 @@
>   #!/bin/sh
>   # Copyright (c) 2009 IBM Corporation
> -# Copyright (c) 2018 Petr Vorel <pvorel@suse.cz>
> -#
> -# This program is free software; you can redistribute it and/or
> -# modify it under the terms of the GNU General Public License as
> -# published by the Free Software Foundation; either version 2 of
> -# the License, or (at your option) any later version.
> -#
> -# This program is distributed in the hope that it would be useful,
> -# but WITHOUT ANY WARRANTY; without even the implied warranty of
> -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
> -# GNU General Public License for more details.
> -#
> -# You should have received a copy of the GNU General Public License
> -# along with this program. If not, see <http://www.gnu.org/licenses/>.
> +# Copyright (c) 2018-2019 Petr Vorel <pvorel@suse.cz>
> +# SPDX-License-Identifier: GPL-2.0-or-later
>   #
>   # Author: Mimi Zohar, zohar@ibm.vnet.ibm.com
>   #
> @@ -28,16 +16,17 @@ TST_NEEDS_DEVICE=1
>   
>   setup()
>   {
> -	TEST_FILE="$PWD/test.txt"
> +	check_ima_policy "tcb"
>   
> +	TEST_FILE="$PWD/test.txt"
>   	POLICY="$IMA_DIR/policy"
>   	[ -f "$POLICY" ] || tst_res TINFO "not using default policy"
> -
>   	DIGEST_INDEX=
>   
>   	local template="$(tail -1 $ASCII_MEASUREMENTS | cut -d' ' -f 3)"
>   	local i
>   
> +	# parse digest index
>   	# https://www.kernel.org/doc/html/latest/security/IMA-templates.html#use
>   	case "$template" in
>   	ima|ima-ng|ima-sig) DIGEST_INDEX=4 ;;
> @@ -56,8 +45,6 @@ setup()
>   
>   	[ -z "$DIGEST_INDEX" ] && tst_brk TCONF \
>   		"Cannot find digest index (template: '$template')"
> -
> -	tst_res TINFO "IMA measurement tests assume tcb policy to be loaded (ima_policy=tcb)"
>   }
>   
>   # TODO: find support for rmd128 rmd256 rmd320 wp256 wp384 tgr128 tgr160
> diff --git a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
> index da49eb1b2..606034fec 100644
> --- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
> +++ b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
> @@ -1,19 +1,7 @@
>   #!/bin/sh
>   # Copyright (c) 2009 IBM Corporation
> -# Copyright (c) 2018 Petr Vorel <pvorel@suse.cz>
> -#
> -# This program is free software; you can redistribute it and/or
> -# modify it under the terms of the GNU General Public License as
> -# published by the Free Software Foundation; either version 2 of
> -# the License, or (at your option) any later version.
> -#
> -# This program is distributed in the hope that it would be useful,
> -# but WITHOUT ANY WARRANTY; without even the implied warranty of
> -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
> -# GNU General Public License for more details.
> -#
> -# You should have received a copy of the GNU General Public License
> -# along with this program. If not, see <http://www.gnu.org/licenses/>.
> +# Copyright (c) 2018-2019 Petr Vorel <pvorel@suse.cz>
> +# SPDX-License-Identifier: GPL-2.0-or-later
>   #
>   # Author: Mimi Zohar, zohar@ibm.vnet.ibm.com
>   
> @@ -31,6 +19,20 @@ SYSFS="/sys"
>   UMOUNT=
>   TST_FS_TYPE="ext3"
>   
> +check_ima_policy()
> +{
> +	local policy="$1"
> +	local i
> +
> +	grep -q "ima_$policy" /proc/cmdline && return
> +	for i in $(cat /proc/cmdline); do
> +		if grep -q '^ima_policy=' $i; then

$i will not contain a file, which grep will expect here. I guess you 
meant to echo the variable instead?

Ignaz

> +			grep -e "|[ ]*$policy" -e "$policy[ ]*|" -e "=$policy" $i && return
> +		fi
> +	done
> +	tst_brk TCONF "IMA measurement tests require builtin IMA $policy policy (e.g. ima_policy=$policy kernel parameter)"
> +}
> +
>   mount_helper()
>   {
>   	local type="$1"
>
diff mbox series

Patch

diff --git a/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh b/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh
index 328affc43..1b9ed85b8 100755
--- a/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh
@@ -1,19 +1,7 @@ 
 #!/bin/sh
 # Copyright (c) 2009 IBM Corporation
-# Copyright (c) 2018 Petr Vorel <pvorel@suse.cz>
-#
-# This program is free software; you can redistribute it and/or
-# modify it under the terms of the GNU General Public License as
-# published by the Free Software Foundation; either version 2 of
-# the License, or (at your option) any later version.
-#
-# This program is distributed in the hope that it would be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see <http://www.gnu.org/licenses/>.
+# Copyright (c) 2018-2019 Petr Vorel <pvorel@suse.cz>
+# SPDX-License-Identifier: GPL-2.0-or-later
 #
 # Author: Mimi Zohar, zohar@ibm.vnet.ibm.com
 #
@@ -28,16 +16,17 @@  TST_NEEDS_DEVICE=1
 
 setup()
 {
-	TEST_FILE="$PWD/test.txt"
+	check_ima_policy "tcb"
 
+	TEST_FILE="$PWD/test.txt"
 	POLICY="$IMA_DIR/policy"
 	[ -f "$POLICY" ] || tst_res TINFO "not using default policy"
-
 	DIGEST_INDEX=
 
 	local template="$(tail -1 $ASCII_MEASUREMENTS | cut -d' ' -f 3)"
 	local i
 
+	# parse digest index
 	# https://www.kernel.org/doc/html/latest/security/IMA-templates.html#use
 	case "$template" in
 	ima|ima-ng|ima-sig) DIGEST_INDEX=4 ;;
@@ -56,8 +45,6 @@  setup()
 
 	[ -z "$DIGEST_INDEX" ] && tst_brk TCONF \
 		"Cannot find digest index (template: '$template')"
-
-	tst_res TINFO "IMA measurement tests assume tcb policy to be loaded (ima_policy=tcb)"
 }
 
 # TODO: find support for rmd128 rmd256 rmd320 wp256 wp384 tgr128 tgr160
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
index da49eb1b2..606034fec 100644
--- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
@@ -1,19 +1,7 @@ 
 #!/bin/sh
 # Copyright (c) 2009 IBM Corporation
-# Copyright (c) 2018 Petr Vorel <pvorel@suse.cz>
-#
-# This program is free software; you can redistribute it and/or
-# modify it under the terms of the GNU General Public License as
-# published by the Free Software Foundation; either version 2 of
-# the License, or (at your option) any later version.
-#
-# This program is distributed in the hope that it would be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see <http://www.gnu.org/licenses/>.
+# Copyright (c) 2018-2019 Petr Vorel <pvorel@suse.cz>
+# SPDX-License-Identifier: GPL-2.0-or-later
 #
 # Author: Mimi Zohar, zohar@ibm.vnet.ibm.com
 
@@ -31,6 +19,20 @@  SYSFS="/sys"
 UMOUNT=
 TST_FS_TYPE="ext3"
 
+check_ima_policy()
+{
+	local policy="$1"
+	local i
+
+	grep -q "ima_$policy" /proc/cmdline && return
+	for i in $(cat /proc/cmdline); do
+		if grep -q '^ima_policy=' $i; then
+			grep -e "|[ ]*$policy" -e "$policy[ ]*|" -e "=$policy" $i && return
+		fi
+	done
+	tst_brk TCONF "IMA measurement tests require builtin IMA $policy policy (e.g. ima_policy=$policy kernel parameter)"
+}
+
 mount_helper()
 {
 	local type="$1"