From patchwork Tue Jan 15 02:14:31 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jia Zhang X-Patchwork-Id: 10763829 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id BE74717FB for ; Tue, 15 Jan 2019 02:16:16 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id AF0D92C64A for ; Tue, 15 Jan 2019 02:16:16 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id A3A552C659; Tue, 15 Jan 2019 02:16:16 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.9 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI, RCVD_IN_DNSWL_HI,UNPARSEABLE_RELAY autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 483262C64A for ; Tue, 15 Jan 2019 02:16:16 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727211AbfAOCQQ (ORCPT ); Mon, 14 Jan 2019 21:16:16 -0500 Received: from out30-133.freemail.mail.aliyun.com ([115.124.30.133]:38159 "EHLO out30-133.freemail.mail.aliyun.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726886AbfAOCQP (ORCPT ); Mon, 14 Jan 2019 21:16:15 -0500 X-Alimail-AntiSpam: AC=PASS;BC=-1|-1;BR=01201311R181e4;CH=green;FP=0|-1|-1|-1|0|-1|-1|-1;HT=e01e07486;MF=zhang.jia@linux.alibaba.com;NM=1;PH=DS;RN=5;SR=0;TI=SMTPD_---0TIG.4ZV_1547518480; Received: from localhost(mailfrom:zhang.jia@linux.alibaba.com fp:SMTPD_---0TIG.4ZV_1547518480) by smtp.aliyun-inc.com(127.0.0.1); Tue, 15 Jan 2019 10:14:40 +0800 
From: Jia Zhang To: zohar@linux.ibm.com, pvorel@suse.cz Cc: linux-integrity@vger.kernel.org, ltp@lists.linux.it, zhang.jia@linux.alibaba.com Subject: [PATCH 1/6] ima/ima_boot_aggregate: Fix the definition of event log Date: Tue, 15 Jan 2019 10:14:31 +0800 Message-Id: <1547518476-34008-2-git-send-email-zhang.jia@linux.alibaba.com> X-Mailer: git-send-email 1.8.3.1 In-Reply-To: <1547518476-34008-1-git-send-email-zhang.jia@linux.alibaba.com> References: <1547518476-34008-1-git-send-email-zhang.jia@linux.alibaba.com> Sender: linux-integrity-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-integrity@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP According to [1], the structure of the event log should be packed, and certain fields should be 32-bit unsigned integers. Fortunately, keeping natural alignment seems to make everything work as expected all the time. [1] page 17,18 @https://trustedcomputinggroup.org/wp-content/uploads/TCG_EFI_Protocol_1_22_Final-v05.pdf Signed-off-by: Jia Zhang --- testcases/kernel/security/integrity/ima/src/ima_boot_aggregate.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/testcases/kernel/security/integrity/ima/src/ima_boot_aggregate.c b/testcases/kernel/security/integrity/ima/src/ima_boot_aggregate.c index f6e7be0..d85d222 100644 --- a/testcases/kernel/security/integrity/ima/src/ima_boot_aggregate.c +++ b/testcases/kernel/security/integrity/ima/src/ima_boot_aggregate.c 
@@ -53,10 +53,10 @@ int main(int argc, char *argv[]) struct { struct { u_int32_t pcr; - int type; - unsigned char digest[SHA_DIGEST_LENGTH]; - u_int16_t len; - } header; + u_int32_t type; + u_int8_t digest[SHA_DIGEST_LENGTH]; + u_int32_t len; + } header __attribute__ ((packed)); char *data; } event; struct { From patchwork Tue Jan 15 02:14:32 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jia Zhang X-Patchwork-Id: 10763825 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id AD5B717FB for ; Tue, 15 Jan 2019 02:15:47 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 9E77F2C61B for ; Tue, 15 Jan 2019 02:15:47 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 9250F2C624; Tue, 15 Jan 2019 02:15:47 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.9 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI, RCVD_IN_DNSWL_HI,UNPARSEABLE_RELAY autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 8473F2C61B for ; Tue, 15 Jan 2019 02:15:46 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727498AbfAOCPq (ORCPT ); Mon, 14 Jan 2019 21:15:46 -0500 Received: from out30-131.freemail.mail.aliyun.com ([115.124.30.131]:40829 "EHLO out30-131.freemail.mail.aliyun.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726886AbfAOCPq (ORCPT ); Mon, 14 Jan 2019 21:15:46 -0500 X-Alimail-AntiSpam: AC=PASS;BC=-1|-1;BR=01201311R901e4;CH=green;FP=0|-1|-1|-1|0|-1|-1|-1;HT=e01e07417;MF=zhang.jia@linux.alibaba.com;NM=1;PH=DS;RN=5;SR=0;TI=SMTPD_---0TIFSdAi_1547518480; 
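Review bot: In the [PATCH 1/6] hunk at @@ -53,10 +53,10 @@, `__attribute__ ((packed))` is attached to the member declarator (`} header __attribute__ ((packed));`), which only minimizes the alignment of the `header` field itself and does not pack the fields inside the anonymous struct. To express the layout the commit message describes, attach the attribute to the type instead: `} __attribute__ ((packed)) header;`. With the new u_int32_t/u_int8_t fields the struct is 32 bytes without padding either way, so the on-disk parse is the same today, but the attribute as written does not do what the commit message says it does.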
Received: from localhost(mailfrom:zhang.jia@linux.alibaba.com fp:SMTPD_---0TIFSdAi_1547518480) by smtp.aliyun-inc.com(127.0.0.1); Tue, 15 Jan 2019 10:14:41 +0800 From: Jia Zhang To: zohar@linux.ibm.com, pvorel@suse.cz Cc: linux-integrity@vger.kernel.org, ltp@lists.linux.it, zhang.jia@linux.alibaba.com Subject: [PATCH 2/6] ima/ima_boot_aggregate: Don't hard code the length of sha1 hash Date: Tue, 15 Jan 2019 10:14:32 +0800 Message-Id: <1547518476-34008-3-git-send-email-zhang.jia@linux.alibaba.com> X-Mailer: git-send-email 1.8.3.1 In-Reply-To: <1547518476-34008-1-git-send-email-zhang.jia@linux.alibaba.com> References: <1547518476-34008-1-git-send-email-zhang.jia@linux.alibaba.com> Sender: linux-integrity-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-integrity@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP Instead, use SHA_DIGEST_LENGTH. Signed-off-by: Jia Zhang Reviewed-by: Mimi Zohar --- testcases/kernel/security/integrity/ima/src/ima_boot_aggregate.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/testcases/kernel/security/integrity/ima/src/ima_boot_aggregate.c b/testcases/kernel/security/integrity/ima/src/ima_boot_aggregate.c index d85d222..67be6a7 100644 --- a/testcases/kernel/security/integrity/ima/src/ima_boot_aggregate.c +++ b/testcases/kernel/security/integrity/ima/src/ima_boot_aggregate.c @@ -42,7 +42,7 @@ static void display_sha1_digest(unsigned char *pcr) { int i; - for (i = 0; i < 20; i++) + for (i = 0; i < SHA_DIGEST_LENGTH; i++) printf("%02x", *(pcr + i) & 0xff); printf("\n"); } 
@@ -94,8 +94,9 @@ int main(int argc, char *argv[]) display_sha1_digest(event.header.digest); } SHA1_Init(&c); - SHA1_Update(&c, pcr[event.header.pcr].digest, 20); - SHA1_Update(&c, event.header.digest, 20); + SHA1_Update(&c, pcr[event.header.pcr].digest, + SHA_DIGEST_LENGTH); + SHA1_Update(&c, event.header.digest, SHA_DIGEST_LENGTH); SHA1_Final(pcr[event.header.pcr].digest, &c); #if MAX_EVENT_DATA_SIZE < USHRT_MAX if (event.header.len > MAX_EVENT_DATA_SIZE) { 
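Review bot: The trailing context of this hunk still guards the length check with `#if MAX_EVENT_DATA_SIZE < USHRT_MAX`, a condition that only made sense while `event.header.len` was a u_int16_t. After PATCH 1/6 widened `len` to u_int32_t, the type no longer rules out values above 65535, so on a build where MAX_EVENT_DATA_SIZE >= USHRT_MAX the `if (event.header.len > MAX_EVENT_DATA_SIZE)` check is compiled out and a malformed event log with an oversized `len` passes unchecked. Change the guard to `UINT_MAX` or drop it and make the bounds check unconditional.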
@@ -116,7 +117,7 @@ int main(int argc, char *argv[]) printf("PCR-%2.2x: ", i); display_sha1_digest(pcr[i].digest); } - SHA1_Update(&c, pcr[i].digest, 20); + SHA1_Update(&c, pcr[i].digest, SHA_DIGEST_LENGTH); } SHA1_Final(boot_aggregate, &c); From patchwork Tue Jan 15 02:14:33 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jia Zhang X-Patchwork-Id: 10763835 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 668D517FB for ; Tue, 15 Jan 2019 02:16:40 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 5445A2C671 for ; Tue, 15 Jan 2019 02:16:40 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 4587B2C679; Tue, 15 Jan 2019 02:16:40 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.9 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI, RCVD_IN_DNSWL_HI,UNPARSEABLE_RELAY autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id EC3792C671 for ; Tue, 15 Jan 2019 02:16:39 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727513AbfAOCQj (ORCPT ); Mon, 14 Jan 2019 21:16:39 -0500 Received: from out30-133.freemail.mail.aliyun.com ([115.124.30.133]:55555 "EHLO out30-133.freemail.mail.aliyun.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727508AbfAOCQj (ORCPT ); Mon, 14 Jan 2019 21:16:39 -0500 X-Alimail-AntiSpam: AC=PASS;BC=-1|-1;BR=01201311R361e4;CH=green;FP=0|-1|-1|-1|0|-1|-1|-1;HT=e01f04446;MF=zhang.jia@linux.alibaba.com;NM=1;PH=DS;RN=5;SR=0;TI=SMTPD_---0TIG.4Zb_1547518481; Received: from localhost(mailfrom:zhang.jia@linux.alibaba.com 
fp:SMTPD_---0TIG.4Zb_1547518481) by smtp.aliyun-inc.com(127.0.0.1); Tue, 15 Jan 2019 10:14:41 +0800 From: Jia Zhang To: zohar@linux.ibm.com, pvorel@suse.cz Cc: linux-integrity@vger.kernel.org, ltp@lists.linux.it, zhang.jia@linux.alibaba.com Subject: [PATCH 3/6] ima/ima_boot_aggregate: Fix extending PCRs beyond PCR 0-7 Date: Tue, 15 Jan 2019 10:14:33 +0800 Message-Id: <1547518476-34008-4-git-send-email-zhang.jia@linux.alibaba.com> X-Mailer: git-send-email 1.8.3.1 In-Reply-To: <1547518476-34008-1-git-send-email-zhang.jia@linux.alibaba.com> References: <1547518476-34008-1-git-send-email-zhang.jia@linux.alibaba.com> Sender: linux-integrity-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-integrity@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP The boot aggregate calculation should never touch PCRs beyond PCR 0-7, even if a PCR extension really manipulates out-of-domain PCRs. Signed-off-by: Jia Zhang Reviewed-by: Mimi Zohar --- .../security/integrity/ima/src/ima_boot_aggregate.c | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/testcases/kernel/security/integrity/ima/src/ima_boot_aggregate.c b/testcases/kernel/security/integrity/ima/src/ima_boot_aggregate.c index 67be6a7..98893b9 100644 --- a/testcases/kernel/security/integrity/ima/src/ima_boot_aggregate.c +++ b/testcases/kernel/security/integrity/ima/src/ima_boot_aggregate.c 
@@ -93,11 +93,16 @@ int main(int argc, char *argv[]) printf("%03u ", event.header.pcr); display_sha1_digest(event.header.digest); } - SHA1_Init(&c); - SHA1_Update(&c, pcr[event.header.pcr].digest, - SHA_DIGEST_LENGTH); - SHA1_Update(&c, event.header.digest, SHA_DIGEST_LENGTH); - SHA1_Final(pcr[event.header.pcr].digest, &c); + + if (event.header.pcr < NUM_PCRS) { + SHA1_Init(&c); + SHA1_Update(&c, pcr[event.header.pcr].digest, + SHA_DIGEST_LENGTH); + SHA1_Update(&c, event.header.digest, + SHA_DIGEST_LENGTH); + SHA1_Final(pcr[event.header.pcr].digest, &c); + } + #if MAX_EVENT_DATA_SIZE < USHRT_MAX if (event.header.len > MAX_EVENT_DATA_SIZE) { printf("Error event too long\n"); From patchwork Tue Jan 15 02:14:34 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jia Zhang X-Patchwork-Id: 10763827 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 12B1614E5 for ; Tue, 15 Jan 2019 02:16:02 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 033352C62F for ; Tue, 15 Jan 2019 02:16:02 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id EB2332C641; Tue, 15 Jan 2019 02:16:01 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.9 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI, RCVD_IN_DNSWL_HI,UNPARSEABLE_RELAY autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 937042C62F for ; Tue, 15 Jan 2019 02:16:01 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727497AbfAOCQB (ORCPT ); Mon, 14 Jan 2019 21:16:01 -0500 Received: from 
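Review bot: The new `if (event.header.pcr < NUM_PCRS)` check closes an out-of-bounds write into `pcr[]` for an event whose PCR index is read straight from the log file, which is the right fix, but an out-of-range index is now skipped silently even though its digest was just printed by the `display_sha1_digest(event.header.digest)` call above. Add a diagnostic for the skipped event (e.g. `printf("skipping event for PCR %u\n", event.header.pcr);`) so a boot aggregate mismatch caused by an unexpected index can be traced, and double-check that NUM_PCRS equals 8 here, since the commit message promises PCR 0-7 but the code relies on the constant.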
out30-133.freemail.mail.aliyun.com ([115.124.30.133]:56674 "EHLO out30-133.freemail.mail.aliyun.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726886AbfAOCQB (ORCPT ); Mon, 14 Jan 2019 21:16:01 -0500 X-Alimail-AntiSpam: AC=PASS;BC=-1|-1;BR=01201311R301e4;CH=green;FP=0|-1|-1|-1|0|-1|-1|-1;HT=e01e01424;MF=zhang.jia@linux.alibaba.com;NM=1;PH=DS;RN=5;SR=0;TI=SMTPD_---0TIFN-Xc_1547518481; Received: from localhost(mailfrom:zhang.jia@linux.alibaba.com fp:SMTPD_---0TIFN-Xc_1547518481) by smtp.aliyun-inc.com(127.0.0.1); Tue, 15 Jan 2019 10:14:42 +0800 From: Jia Zhang To: zohar@linux.ibm.com, pvorel@suse.cz Cc: linux-integrity@vger.kernel.org, ltp@lists.linux.it, zhang.jia@linux.alibaba.com Subject: [PATCH 4/6] ima: Code cleanup Date: Tue, 15 Jan 2019 10:14:34 +0800 Message-Id: <1547518476-34008-5-git-send-email-zhang.jia@linux.alibaba.com> X-Mailer: git-send-email 1.8.3.1 In-Reply-To: <1547518476-34008-1-git-send-email-zhang.jia@linux.alibaba.com> References: <1547518476-34008-1-git-send-email-zhang.jia@linux.alibaba.com> Sender: linux-integrity-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-integrity@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP - Change the legacy function name from PATH_CHECK to FILE_CHECK. - Use the variable IMA_POLICY instead of a hard-coded path. Signed-off-by: Jia Zhang Reviewed-by: Mimi Zohar --- testcases/kernel/security/integrity/ima/policy/measure.policy | 2 +- testcases/kernel/security/integrity/ima/policy/measure.policy-invalid | 2 +- testcases/kernel/security/integrity/ima/tests/ima_policy.sh | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/testcases/kernel/security/integrity/ima/policy/measure.policy b/testcases/kernel/security/integrity/ima/policy/measure.policy index c68e722..9976ddf 100644 --- a/testcases/kernel/security/integrity/ima/policy/measure.policy +++ b/testcases/kernel/security/integrity/ima/policy/measure.policy 
@@ -13,4 +13,4 @@ dont_measure fsmagic=0x01021994 dont_measure fsmagic=0x73636673 measure func=FILE_MMAP mask=MAY_EXEC measure func=BPRM_CHECK mask=MAY_EXEC -measure func=PATH_CHECK mask=MAY_READ uid=0 +measure func=FILE_CHECK mask=MAY_READ uid=0 diff --git a/testcases/kernel/security/integrity/ima/policy/measure.policy-invalid b/testcases/kernel/security/integrity/ima/policy/measure.policy-invalid index e406757..04dff89 100644 --- a/testcases/kernel/security/integrity/ima/policy/measure.policy-invalid +++ b/testcases/kernel/security/integrity/ima/policy/measure.policy-invalid @@ -13,4 +13,4 @@ dont_measure fsmagic=0x01021994 dnt_measure fsmagic=0x73636673 measure func=FILE_MMAP mask=MAY_EXEC measure func=BPRM_CHECK mask=MAY_EXEC -measure func=PATH_CHECK mask=MAY_READ uid=0 +measure func=FILE_CHECK mask=MAY_READ uid=0 diff --git a/testcases/kernel/security/integrity/ima/tests/ima_policy.sh b/testcases/kernel/security/integrity/ima/tests/ima_policy.sh index 64aa8cb..a0c7869 100755 --- a/testcases/kernel/security/integrity/ima/tests/ima_policy.sh +++ b/testcases/kernel/security/integrity/ima/tests/ima_policy.sh 
@@ -28,7 +28,7 @@ check_policy_writable() { local err="IMA policy already loaded and kernel not configured to enable multiple writes to it (need CONFIG_IMA_WRITE_POLICY=y)" - [ -f /sys/kernel/security/ima/policy ] || tst_brk TCONF "$err" + [ -f $IMA_POLICY ] || tst_brk TCONF "$err" # CONFIG_IMA_READ_POLICY echo "" 2> log > $IMA_POLICY grep -q "Device or resource busy" log && tst_brk TCONF "$err" From patchwork Tue Jan 15 02:14:35 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jia Zhang X-Patchwork-Id: 10763823 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 548AE14E5 for ; Tue, 15 Jan 2019 02:15:18 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 4303B2C5F9 for ; Tue, 15 Jan 2019 02:15:18 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 370DA2C5FF; Tue, 15 Jan 2019 02:15:18 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.9 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI, RCVD_IN_DNSWL_HI,UNPARSEABLE_RELAY autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 598EA2C5FA for ; Tue, 15 Jan 2019 02:15:17 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727256AbfAOCPR (ORCPT ); Mon, 14 Jan 2019 21:15:17 -0500 Received: from out30-133.freemail.mail.aliyun.com ([115.124.30.133]:34999 "EHLO out30-133.freemail.mail.aliyun.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726886AbfAOCPR (ORCPT ); Mon, 14 Jan 2019 21:15:17 -0500 X-Alimail-AntiSpam: 
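Review bot: `[ -f $IMA_POLICY ]` in the ima_policy.sh hunk leaves the variable unquoted; if IMA_POLICY is empty or unset the test degenerates to the one-argument form `[ -f ]`, which is true, so `check_policy_writable` would continue past the TCONF check instead of stopping. Quote it as `[ -f "$IMA_POLICY" ]`, matching the quoted `"$err"` on the same line.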
AC=PASS;BC=-1|-1;BR=01201311R181e4;CH=green;FP=0|-1|-1|-1|0|-1|-1|-1;HT=e01f04391;MF=zhang.jia@linux.alibaba.com;NM=1;PH=DS;RN=5;SR=0;TI=SMTPD_---0TIFQkVE_1547518482; Received: from localhost(mailfrom:zhang.jia@linux.alibaba.com fp:SMTPD_---0TIFQkVE_1547518482) by smtp.aliyun-inc.com(127.0.0.1); Tue, 15 Jan 2019 10:14:42 +0800 From: Jia Zhang To: zohar@linux.ibm.com, pvorel@suse.cz Cc: linux-integrity@vger.kernel.org, ltp@lists.linux.it, zhang.jia@linux.alibaba.com Subject: [PATCH 5/6] ima: Rename the folder name for policy files to datafiles Date: Tue, 15 Jan 2019 10:14:35 +0800 Message-Id: <1547518476-34008-6-git-send-email-zhang.jia@linux.alibaba.com> X-Mailer: git-send-email 1.8.3.1 In-Reply-To: <1547518476-34008-1-git-send-email-zhang.jia@linux.alibaba.com> References: <1547518476-34008-1-git-send-email-zhang.jia@linux.alibaba.com> Sender: linux-integrity-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-integrity@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP If we choose to run ima_policy.sh locally without installation, a failure message is reported as follows: ima_policy 1 TCONF: missing /ltp/testcases/kernel/security/integrity/ima/datafiles/measure.policy TST_DATAROOT would be extended to datafiles, but the policy files are actually placed under policy. In order to make it easier, just rename the folder to datafiles. 
Signed-off-by: Jia Zhang --- testcases/kernel/security/integrity/ima/Makefile | 2 +- .../security/integrity/ima/datafiles/Makefile | 31 ++++++++++++++++++++++ .../integrity/ima/datafiles/measure.policy | 16 +++++++++++ .../integrity/ima/datafiles/measure.policy-invalid | 16 +++++++++++ .../kernel/security/integrity/ima/policy/Makefile | 31 ---------------------- .../security/integrity/ima/policy/measure.policy | 16 ----------- .../integrity/ima/policy/measure.policy-invalid | 16 ----------- 7 files changed, 64 insertions(+), 64 deletions(-) create mode 100644 testcases/kernel/security/integrity/ima/datafiles/Makefile create mode 100644 testcases/kernel/security/integrity/ima/datafiles/measure.policy create mode 100644 testcases/kernel/security/integrity/ima/datafiles/measure.policy-invalid delete mode 100644 testcases/kernel/security/integrity/ima/policy/Makefile delete mode 100644 testcases/kernel/security/integrity/ima/policy/measure.policy delete mode 100644 testcases/kernel/security/integrity/ima/policy/measure.policy-invalid diff --git a/testcases/kernel/security/integrity/ima/Makefile b/testcases/kernel/security/integrity/ima/Makefile index 1290e6f..19b10ff 100644 --- a/testcases/kernel/security/integrity/ima/Makefile +++ b/testcases/kernel/security/integrity/ima/Makefile @@ -24,6 +24,6 @@ top_srcdir ?= ../../../../.. include $(top_srcdir)/include/mk/env_pre.mk -SUBDIRS := policy src tests +SUBDIRS := datafiles src tests include $(top_srcdir)/include/mk/generic_trunk_target.mk diff --git a/testcases/kernel/security/integrity/ima/datafiles/Makefile b/testcases/kernel/security/integrity/ima/datafiles/Makefile new file mode 100644 index 0000000..a960f9d --- /dev/null +++ b/testcases/kernel/security/integrity/ima/datafiles/Makefile 
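Review bot: The diffstat records the move as three deletions plus three creations (64 insertions, 64 deletions) instead of renames, so `git log --follow` history for measure.policy, measure.policy-invalid and the Makefile is not preserved and the reviewer has to diff the old and new copies by hand to confirm nothing changed. Regenerate the series with `git format-patch -M` so the patch carries `rename from`/`rename to` headers for the three unchanged files; the SUBDIRS hunk above is then the only content change left to read.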
@@ -0,0 +1,31 @@ +# +# testcases/kernel/security/integrity/ima/policy testcases Makefile. +# +# Copyright (C) 2009, Cisco Systems Inc. +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Ngie Cooper, July 2009 +# + +top_srcdir ?= ../../../../../.. + +include $(top_srcdir)/include/mk/env_pre.mk + +INSTALL_DIR := testcases/data/ima_policy + +INSTALL_TARGETS := measure* + +include $(top_srcdir)/include/mk/generic_leaf_target.mk diff --git a/testcases/kernel/security/integrity/ima/datafiles/measure.policy b/testcases/kernel/security/integrity/ima/datafiles/measure.policy new file mode 100644 index 0000000..9976ddf --- /dev/null +++ b/testcases/kernel/security/integrity/ima/datafiles/measure.policy @@ -0,0 +1,16 @@ +# +# Integrity measure policy +# +# PROC_SUPER_MAGIC +dont_measure fsmagic=0x9fa0 +# SYSFS_MAGIC +dont_measure fsmagic=0x62656572 +# DEBUGFS_MAGIC +dont_measure fsmagic=0x64626720 +# TMPFS_MAGIC +dont_measure fsmagic=0x01021994 +# SECURITYFS_MAGIC +dont_measure fsmagic=0x73636673 +measure func=FILE_MMAP mask=MAY_EXEC +measure func=BPRM_CHECK mask=MAY_EXEC +measure func=FILE_CHECK mask=MAY_READ uid=0 
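Review bot: The header comment of the newly created datafiles/Makefile still reads `# testcases/kernel/security/integrity/ima/policy testcases Makefile.`; update the path to `datafiles` so the comment matches the new location of the file.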
diff --git a/testcases/kernel/security/integrity/ima/datafiles/measure.policy-invalid b/testcases/kernel/security/integrity/ima/datafiles/measure.policy-invalid new file mode 100644 index 0000000..04dff89 --- /dev/null +++ b/testcases/kernel/security/integrity/ima/datafiles/measure.policy-invalid @@ -0,0 +1,16 @@ +# +# Integrity measure policy +# +# PROC_SUPER_MAGIC +dont_measure fsmagic=0x9fa0 +# SYSFS_MAGIC +dont_measure fsmagic=0x62656572 +# DEBUGFS_MAGIC +dont_measure fsmagic=0x64626720 +# TMPFS_MAGIC +dont_measure fsmagic=0x01021994 +# SECURITYFS_MAGIC +dnt_measure fsmagic=0x73636673 +measure func=FILE_MMAP mask=MAY_EXEC +measure func=BPRM_CHECK mask=MAY_EXEC +measure func=FILE_CHECK mask=MAY_READ uid=0 diff --git a/testcases/kernel/security/integrity/ima/policy/Makefile b/testcases/kernel/security/integrity/ima/policy/Makefile deleted file mode 100644 index a960f9d..0000000 --- a/testcases/kernel/security/integrity/ima/policy/Makefile +++ /dev/null 
@@ -1,31 +0,0 @@ -# -# testcases/kernel/security/integrity/ima/policy testcases Makefile. -# -# Copyright (C) 2009, Cisco Systems Inc. -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 2 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License along -# with this program; if not, write to the Free Software Foundation, Inc., -# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -# -# Ngie Cooper, July 2009 -# - -top_srcdir ?= ../../../../../.. - -include $(top_srcdir)/include/mk/env_pre.mk - -INSTALL_DIR := testcases/data/ima_policy - -INSTALL_TARGETS := measure* - -include $(top_srcdir)/include/mk/generic_leaf_target.mk diff --git a/testcases/kernel/security/integrity/ima/policy/measure.policy b/testcases/kernel/security/integrity/ima/policy/measure.policy deleted file mode 100644 index 9976ddf..0000000 --- a/testcases/kernel/security/integrity/ima/policy/measure.policy +++ /dev/null @@ -1,16 +0,0 @@ -# -# Integrity measure policy -# -# PROC_SUPER_MAGIC -dont_measure fsmagic=0x9fa0 -# SYSFS_MAGIC -dont_measure fsmagic=0x62656572 -# DEBUGFS_MAGIC -dont_measure fsmagic=0x64626720 -# TMPFS_MAGIC -dont_measure fsmagic=0x01021994 -# SECURITYFS_MAGIC -dont_measure fsmagic=0x73636673 -measure func=FILE_MMAP mask=MAY_EXEC -measure func=BPRM_CHECK mask=MAY_EXEC -measure func=FILE_CHECK mask=MAY_READ uid=0 diff --git a/testcases/kernel/security/integrity/ima/policy/measure.policy-invalid b/testcases/kernel/security/integrity/ima/policy/measure.policy-invalid deleted file mode 100644 index 04dff89..0000000 
--- a/testcases/kernel/security/integrity/ima/policy/measure.policy-invalid +++ /dev/null 
@@ -1,16 +0,0 @@ -# -# Integrity measure policy -# -# PROC_SUPER_MAGIC -dont_measure fsmagic=0x9fa0 -# SYSFS_MAGIC -dont_measure fsmagic=0x62656572 -# DEBUGFS_MAGIC -dont_measure fsmagic=0x64626720 -# TMPFS_MAGIC -dont_measure fsmagic=0x01021994 -# SECURITYFS_MAGIC -dnt_measure fsmagic=0x73636673 -measure func=FILE_MMAP mask=MAY_EXEC -measure func=BPRM_CHECK mask=MAY_EXEC -measure func=FILE_CHECK mask=MAY_READ uid=0 From patchwork Tue Jan 15 02:14:36 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jia Zhang X-Patchwork-Id: 10763831 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id EE4E517FB for ; Tue, 15 Jan 2019 02:16:22 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id DEDD22C671 for ; Tue, 15 Jan 2019 02:16:22 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id D2FC22C672; Tue, 15 Jan 2019 02:16:22 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.9 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI, RCVD_IN_DNSWL_HI,UNPARSEABLE_RELAY autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 83F292C66C for ; Tue, 15 Jan 2019 02:16:22 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727507AbfAOCQW (ORCPT ); Mon, 14 Jan 2019 21:16:22 -0500 Received: from out30-133.freemail.mail.aliyun.com ([115.124.30.133]:58534 "EHLO out30-133.freemail.mail.aliyun.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726886AbfAOCQW (ORCPT ); Mon, 14 Jan 2019 21:16:22 -0500 X-Alimail-AntiSpam: 
AC=PASS;BC=-1|-1;BR=01201311R521e4;CH=green;FP=0|-1|-1|-1|0|-1|-1|-1;HT=e01f04452;MF=zhang.jia@linux.alibaba.com;NM=1;PH=DS;RN=5;SR=0;TI=SMTPD_---0TIFSdAu_1547518482; Received: from localhost(mailfrom:zhang.jia@linux.alibaba.com fp:SMTPD_---0TIFSdAu_1547518482) by smtp.aliyun-inc.com(127.0.0.1); Tue, 15 Jan 2019 10:14:43 +0800 From: Jia Zhang To: zohar@linux.ibm.com, pvorel@suse.cz Cc: linux-integrity@vger.kernel.org, ltp@lists.linux.it, zhang.jia@linux.alibaba.com Subject: [PATCH 6/6] ima/ima_violations: Temporarily remove the printk rate limit Date: Tue, 15 Jan 2019 10:14:36 +0800 Message-Id: <1547518476-34008-7-git-send-email-zhang.jia@linux.alibaba.com> X-Mailer: git-send-email 1.8.3.1 In-Reply-To: <1547518476-34008-1-git-send-email-zhang.jia@linux.alibaba.com> References: <1547518476-34008-1-git-send-email-zhang.jia@linux.alibaba.com> Sender: linux-integrity-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-integrity@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP The output frequency of the audit log is limited by printk_ratelimit() in the kernel if auditd is not used. Thus, a test that depends heavily on searching for keywords in the log file may fail if the matching patterns are exactly the ones suppressed by printk_ratelimit(). In order to fix such a failure, just temporarily remove the limit, and recover its setting at the end of the test. Signed-off-by: Jia Zhang --- .../kernel/security/integrity/ima/tests/ima_violations.sh | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/testcases/kernel/security/integrity/ima/tests/ima_violations.sh b/testcases/kernel/security/integrity/ima/tests/ima_violations.sh index f3f40d4..a1360b8 100755 --- a/testcases/kernel/security/integrity/ima/tests/ima_violations.sh +++ b/testcases/kernel/security/integrity/ima/tests/ima_violations.sh 
@@ -31,15 +31,27 @@ setup() FILE="test.txt" IMA_VIOLATIONS="$SECURITYFS/ima/violations" LOG="/var/log/messages" + PRINTK_RATE_LIMIT="0" if status_daemon auditd; then LOG="/var/log/audit/audit.log" + else + tst_check_cmds sysctl + + PRINTK_RATE_LIMIT=`sysctl -n kernel.printk_ratelimit` + sysctl -wq kernel.printk_ratelimit=0 fi [ -f "$LOG" ] || \ tst_brk TBROK "log $LOG does not exist (bug in detection?)" tst_res TINFO "using log $LOG" } +reset_printk_ratelimit() +{ + [ "$PRINTK_RATE_LIMIT" != "0" ] && \ + sysctl -wq kernel.printk_ratelimit=$PRINTK_RATE_LIMIT +} + open_file_read() { exec 3< $FILE || exit 1 @@ -151,6 +163,8 @@ test3() validate $num_violations $count $search + reset_printk_ratelimit + # wait for ima_mmap to exit, so we can umount tst_sleep 2s }
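Review bot: `reset_printk_ratelimit` is called only at the end of `test3`, so if an earlier test aborts via tst_brk or the script is interrupted, the machine is left with `kernel.printk_ratelimit=0`, a system-wide setting that outlives the test and removes flood protection for every kernel message, not just IMA's. Move the restore into the test's cleanup function so it runs on every exit path. Two smaller points in the same hunks: `[ "$PRINTK_RATE_LIMIT" != "0" ] && ...` as the last statement makes the function return non-zero whenever there is nothing to restore, so an `if` would be clearer, and `$(sysctl -n kernel.printk_ratelimit)` is the POSIX-preferred form over backticks.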