diff mbox series

[2/3] ima_setup.sh: Allow to load predefined policy

Message ID 20241126173830.98960-3-pvorel@suse.cz (mailing list archive)
State New
Headers show
Series LTP tests: load predefined policy | expand

Commit Message

Petr Vorel Nov. 26, 2024, 5:38 p.m. UTC
environment variable LTP_IMA_LOAD_POLICY=1 tries to load example policy
if available. This should be used only if tooling running LTP tests
allows to reboot afterwards (because policy may be writable only once,
e.g. missing CONFIG_IMA_WRITE_POLICY=y, or policies can influence each
other).

Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
 .../kernel/security/integrity/ima/README.md   |  6 +++
 .../integrity/ima/tests/ima_measurements.sh   | 17 +++++-
 .../security/integrity/ima/tests/ima_setup.sh | 52 ++++++++++++++++---
 3 files changed, 66 insertions(+), 9 deletions(-)

Comments

Petr Vorel Nov. 26, 2024, 10:09 p.m. UTC | #1
Hi Mimi, all,

...
> +load_ima_policy()
> +{
> +	local policy="$(ls $TST_DATAROOT/*.policy 2>/dev/null)"
> +
> +	if [ "$LTP_IMA_LOAD_POLICY" != 1 -a "$policy" -a -f "$policy" ]; then
> +		tst_res TINFO "NOTE: set LTP_IMA_LOAD_POLICY=1 to load policy for this test"
> +		return
> +	fi
> +
> +	if [ -z "$policy" -o ! -f "$policy" ]; then
> +		tst_res TINFO "no policy for this test"
FYI here needs to be a flag to not warn in the cleanup about needed reboot.

> +		return
> +	fi
> +
> +	tst_res TINFO "trying to load '$policy' policy:"
> +	cat $policy
> +	if ! check_policy_writable; then
> +		tst_res TINFO "WARNING: IMA policy already loaded and kernel not configured to enable multiple writes to it (need CONFIG_IMA_WRITE_POLICY=y), reboot required"
> +		return
> +	fi
> +
> +	cat "$policy" 2> log > $IMA_POLICY
> +	if grep -q "Device or resource busy" log; then
> +		tst_brk TBROK "Loading policy failed"
Also here.

diff, which should solve it.

Kind regards,
Petr

+++ testcases/kernel/security/integrity/ima/tests/ima_setup.sh
@@ -175,6 +175,7 @@ load_ima_policy()
 
 	if [ -z "$policy" -o ! -f "$policy" ]; then
 		tst_res TINFO "no policy for this test"
+		LTP_IMA_LOAD_POLICY=
 		return
 	fi
 
@@ -182,6 +183,7 @@ load_ima_policy()
 	cat $policy
 	if ! check_policy_writable; then
 		tst_res TINFO "WARNING: IMA policy already loaded and kernel not configured to enable multiple writes to it (need CONFIG_IMA_WRITE_POLICY=y), reboot required"
+		LTP_IMA_LOAD_POLICY=
 		return
 	fi
Mimi Zohar Dec. 11, 2024, 12:18 p.m. UTC | #2
On Tue, 2024-11-26 at 18:38 +0100, Petr Vorel wrote:
> environment variable LTP_IMA_LOAD_POLICY=1 tries to load example policy
> if available. This should be used only if tooling running LTP tests
> allows to reboot afterwards (because policy may be writable only once,
> e.g. missing CONFIG_IMA_WRITE_POLICY=y, or policies can influence each
> other).

Thanks, Petr.  Allowing the policy to be updated only if permitted is a good
idea.  Even with the LTP_IMA_LOAD_POLICY=1 environment variable, the policy
might not be loaded.  For example, when secure boot is enabled and the kernel is
configured with CONFIG_IMA_ARCH_POLICY enabled, an "appraise func=POLICY_CHECK
appraise_type=imasig" rule is loaded, requiring the IMA policy itself to be
signed.

On failure to load a policy, the ima_conditionals.sh and ima_policy.sh tests say
"TINFO: SELinux enabled in enforcing mode, this may affect test results".  We
should stop blaming SELinux. :)

thanks,

Mimi
Petr Vorel Dec. 11, 2024, 7:48 p.m. UTC | #3
Hi Mimi, all,

> On Tue, 2024-11-26 at 18:38 +0100, Petr Vorel wrote:
> > environment variable LTP_IMA_LOAD_POLICY=1 tries to load example policy
> > if available. This should be used only if tooling running LTP tests
> > allows to reboot afterwards (because policy may be writable only once,
> > e.g. missing CONFIG_IMA_WRITE_POLICY=y, or policies can influence each
> > other).

> Thanks, Petr.  Allowing the policy to be updated only if permitted is a good
> idea.  Even with the LTP_IMA_LOAD_POLICY=1 environment variable, the policy
> might not be loaded.  For example, when secure boot is enabled and the kernel is
> configured with CONFIG_IMA_ARCH_POLICY enabled, an "appraise func=POLICY_CHECK
> appraise_type=imasig" rule is loaded, requiring the IMA policy itself to be
> signed.

Yes, it's an attempt, which can fail for various reasons. I'll add this example
of failure to load the policy to the commit message and to the docs.

I'd like to detect if policy got updated to avoid wasting time with SUT reboot
when policy was not updated. But this probably will not be always possible
(e.g. (CONFIG_IMA_READ_POLICY not set).

> On failure to load a policy, the ima_conditionals.sh and ima_policy.sh tests say
> "TINFO: SELinux enabled in enforcing mode, this may affect test results".  We
> should stop blaming SELinux. :)

This info was added for LTP shell tests, which got often affected by
SELinux/Apparmor. Because IMA is written in LTP shell API it gets this.
Error message is printed on TBROK, TFAIL, TWARN. Is this the only part where you
would like to avoid the message? Or do you want to remove SELinux/Apparmor
warning from all IMA tests?

Kind regards,
Petr

> thanks,

> Mimi
Mimi Zohar Dec. 12, 2024, 2:29 p.m. UTC | #4
On Wed, 2024-12-11 at 20:48 +0100, Petr Vorel wrote:
> Hi Mimi, all,
> 
> > On Tue, 2024-11-26 at 18:38 +0100, Petr Vorel wrote:
> > > environment variable LTP_IMA_LOAD_POLICY=1 tries to load example policy
> > > if available. This should be used only if tooling running LTP tests
> > > allows to reboot afterwards (because policy may be writable only once,
> > > e.g. missing CONFIG_IMA_WRITE_POLICY=y, or policies can influence each
> > > other).
> 
> > Thanks, Petr.  Allowing the policy to be updated only if permitted is a good
> > idea.  Even with the LTP_IMA_LOAD_POLICY=1 environment variable, the policy
> > might not be loaded.  For example, when secure boot is enabled and the kernel is
> > configured with CONFIG_IMA_ARCH_POLICY enabled, an "appraise func=POLICY_CHECK
> > appraise_type=imasig" rule is loaded, requiring the IMA policy itself to be
> > signed.
> 
> Yes, it's an attempt, which can fail for various reasons. I'll add this example
> of failure to load the policy to the commit message and to the docs.
> 
> I'd like to detect if policy got updated to avoid wasting time with SUT reboot
> when policy was not updated. But this probably will not be always possible
> (e.g. (CONFIG_IMA_READ_POLICY not set).

Why do you actually need to be able to read the policy, after updating it?
Either the policy update succeeded or failed.  For example in the signed policy
case, writing a valid policy rule via 'cat' on a system requiring the policy to
be signed always fails.

> 
> > On failure to load a policy, the ima_conditionals.sh and ima_policy.sh tests say
> > "TINFO: SELinux enabled in enforcing mode, this may affect test results".  We
> > should stop blaming SELinux. :)
> 
> This info was added for LTP shell tests, which got often affected by
> SELinux/Apparmor. Because IMA is written in LTP shell API it gets this.
> Error message is printed on TBROK, TFAIL, TWARN. Is this the only part where you
> would like to avoid the message? Or do you want to remove SELinux/Apparmor
> warning from all IMA tests?

You have a better feel than me as to whether SELinux/Apparmor could interfere
with these tests.  Unless we have some reason to blame SELinux/Apparmor, I would
remove it.

Mimi
Petr Vorel Dec. 12, 2024, 3:11 p.m. UTC | #5
> On Wed, 2024-12-11 at 20:48 +0100, Petr Vorel wrote:
> > Hi Mimi, all,

> > > On Tue, 2024-11-26 at 18:38 +0100, Petr Vorel wrote:
> > > > environment variable LTP_IMA_LOAD_POLICY=1 tries to load example policy
> > > > if available. This should be used only if tooling running LTP tests
> > > > allows to reboot afterwards (because policy may be writable only once,
> > > > e.g. missing CONFIG_IMA_WRITE_POLICY=y, or policies can influence each
> > > > other).

> > > Thanks, Petr.  Allowing the policy to be updated only if permitted is a good
> > > idea.  Even with the LTP_IMA_LOAD_POLICY=1 environment variable, the policy
> > > might not be loaded.  For example, when secure boot is enabled and the kernel is
> > > configured with CONFIG_IMA_ARCH_POLICY enabled, an "appraise func=POLICY_CHECK
> > > appraise_type=imasig" rule is loaded, requiring the IMA policy itself to be
> > > signed.

> > Yes, it's an attempt, which can fail for various reasons. I'll add this example
> > of failure to load the policy to the commit message and to the docs.

> > I'd like to detect if policy got updated to avoid wasting time with SUT reboot
> > when policy was not updated. But this probably will not be always possible
> > (e.g. (CONFIG_IMA_READ_POLICY not set).

> Why do you actually need to be able to read the policy, after updating it?
You're right that's not needed for detecting the update.
But it's needed for tests which would like to detect whether policy contain
required items. Because without CONFIG_IMA_READ_POLICY when tests fails due old
kernel or unsuitable policy we have no way to detect. And TBROK is here false
positive which needs to be resolved by testers. But that's IMHO unsolvable.

> Either the policy update succeeded or failed.  For example in the signed policy
> case, writing a valid policy rule via 'cat' on a system requiring the policy to
> be signed always fails.

> > > On failure to load a policy, the ima_conditionals.sh and ima_policy.sh tests say
> > > "TINFO: SELinux enabled in enforcing mode, this may affect test results".  We
> > > should stop blaming SELinux. :)

> > This info was added for LTP shell tests, which got often affected by
> > SELinux/Apparmor. Because IMA is written in LTP shell API it gets this.
> > Error message is printed on TBROK, TFAIL, TWARN. Is this the only part where you
> > would like to avoid the message? Or do you want to remove SELinux/Apparmor
> > warning from all IMA tests?

> You have a better feel than me as to whether SELinux/Apparmor could interfere
> with these tests.  Unless we have some reason to blame SELinux/Apparmor, I would
> remove it.

+1, I'll remove it for IMA in v2.

Kind regards,
Petr

> Mimi
diff mbox series

Patch

diff --git a/testcases/kernel/security/integrity/ima/README.md b/testcases/kernel/security/integrity/ima/README.md
index 5b261a1914..a00b01b5fe 100644
--- a/testcases/kernel/security/integrity/ima/README.md
+++ b/testcases/kernel/security/integrity/ima/README.md
@@ -8,6 +8,12 @@  CONFIG_INTEGRITY=y
 CONFIG_IMA=y
 ```
 
+### Loading policy for testing (optional)
+Setting environment variable `LTP_IMA_LOAD_POLICY=1` tries to load example
+policy if available. This should be used only if tooling running LTP tests
+allows to reboot afterwards (because policy may be writable only once, e.g.
+missing `CONFIG_IMA_WRITE_POLICY=y`, or policies can influence each other).
+
 ### IMA measurement tests
 `ima_measurements.sh` require builtin IMA tcb policy to be loaded
 (`ima_policy=tcb` kernel parameter).
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh b/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh
index 1da2aa6a51..b4205ab95f 100755
--- a/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh
@@ -1,7 +1,7 @@ 
 #!/bin/sh
 # SPDX-License-Identifier: GPL-2.0-or-later
 # Copyright (c) 2009 IBM Corporation
-# Copyright (c) 2018-2021 Petr Vorel <pvorel@suse.cz>
+# Copyright (c) 2018-2024 Petr Vorel <pvorel@suse.cz>
 # Author: Mimi Zohar <zohar@linux.ibm.com>
 #
 # Verify that measurements are added to the measurement list based on policy.
@@ -12,10 +12,23 @@  TST_CNT=3
 
 setup()
 {
-	require_ima_policy_cmdline "tcb"
+	local policy="tcb"
 
 	TEST_FILE="$PWD/test.txt"
 	[ -f "$IMA_POLICY" ] || tst_res TINFO "not using default policy"
+
+	if [ "$LTP_IMA_LOAD_POLICY" != 1 ]; then
+		require_ima_policy_cmdline $policy
+		return
+	elif check_ima_policy_cmdline $policy; then
+		return
+	fi
+
+	if ! check_ima_policy_cmdline $policy &&
+		! require_ima_policy_content '^measure func=FILE_CHECK mask=^MAY_READ uid=0' &&
+		! require_ima_policy_content 'measure func=POLICY_CHECK'; then
+		tst_brk TCONF "IMA measurement tests require builtin IMA $policy policy (e.g. ima_policy=$policy kernel parameter or it's equivalent)"
+	fi
 }
 
 check_iversion_support()
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
index df3fc5603f..e585418c17 100644
--- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
@@ -1,7 +1,7 @@ 
 #!/bin/sh
 # SPDX-License-Identifier: GPL-2.0-or-later
 # Copyright (c) 2009 IBM Corporation
-# Copyright (c) 2018-2020 Petr Vorel <pvorel@suse.cz>
+# Copyright (c) 2018-2024 Petr Vorel <pvorel@suse.cz>
 # Author: Mimi Zohar <zohar@linux.ibm.com>
 
 TST_TESTFUNC="test"
@@ -72,14 +72,20 @@  require_policy_readable()
 	fi
 }
 
-require_policy_writable()
+check_policy_writable()
 {
-	local err="IMA policy already loaded and kernel not configured to enable multiple writes to it (need CONFIG_IMA_WRITE_POLICY=y)"
-
-	[ -f $IMA_POLICY ] || tst_brk TCONF "$err"
-	# CONFIG_IMA_READ_POLICY
+	[ -f $IMA_POLICY ] || return 1
+	# workaround for kernels < v4.18 without fix
+	# ffb122de9a60b ("ima: Reflect correct permissions for policy")
 	echo "" 2> log > $IMA_POLICY
-	grep -q "Device or resource busy" log && tst_brk TCONF "$err"
+	grep -q "Device or resource busy" log && return 1
+	return 0
+}
+
+require_policy_writable()
+{
+	check_policy_writable || tst_brk TCONF \
+		"IMA policy already loaded and kernel not configured to enable multiple writes to it (need CONFIG_IMA_WRITE_POLICY=y)"
 }
 
 check_ima_policy_content()
@@ -158,6 +164,32 @@  print_ima_config()
 	tst_res TINFO "/proc/cmdline: $(cat /proc/cmdline)"
 }
 
+load_ima_policy()
+{
+	local policy="$(ls $TST_DATAROOT/*.policy 2>/dev/null)"
+
+	if [ "$LTP_IMA_LOAD_POLICY" != 1 -a "$policy" -a -f "$policy" ]; then
+		tst_res TINFO "NOTE: set LTP_IMA_LOAD_POLICY=1 to load policy for this test"
+		return
+	fi
+
+	if [ -z "$policy" -o ! -f "$policy" ]; then
+		tst_res TINFO "no policy for this test"
+		return
+	fi
+
+	tst_res TINFO "trying to load '$policy' policy:"
+	cat $policy
+	if ! check_policy_writable; then
+		tst_res TINFO "WARNING: IMA policy already loaded and kernel not configured to enable multiple writes to it (need CONFIG_IMA_WRITE_POLICY=y), reboot required"
+		return
+	fi
+
+	cat "$policy" 2> log > $IMA_POLICY
+	if grep -q "Device or resource busy" log; then
+		tst_brk TBROK "Loading policy failed"
+	fi
+}
 ima_setup()
 {
 	SECURITYFS="$(mount_helper securityfs $SYSFS/kernel/security)"
@@ -180,6 +212,8 @@  ima_setup()
 		cd "$TST_MNTPOINT"
 	fi
 
+	load_ima_policy
+
 	[ -n "$TST_SETUP_CALLER" ] && $TST_SETUP_CALLER
 }
 
@@ -192,6 +226,10 @@  ima_cleanup()
 	for dir in $UMOUNT; do
 		umount $dir
 	done
+
+	if [ "$LTP_IMA_LOAD_POLICY" = 1 ]; then
+		tst_res TINFO "WARNING: policy loaded via LTP_IMA_LOAD_POLICY=1, reboot recommended"
+	fi
 }
 
 set_digest_index()