From patchwork Tue Nov 26 17:38:28 2024
X-Patchwork-Id: 13886281
From: Petr Vorel
To: ltp@lists.linux.it
Cc: Petr Vorel, Mimi Zohar, linux-integrity@vger.kernel.org
Subject: [PATCH 1/3] ima: Add TCB policy as an example
Date: Tue, 26 Nov 2024 18:38:28 +0100
Message-ID: <20241126173830.98960-2-pvorel@suse.cz>
In-Reply-To: <20241126173830.98960-1-pvorel@suse.cz>
References: <20241126173830.98960-1-pvorel@suse.cz>

Signed-off-by: Petr Vorel
---
 .../ima/datafiles/ima_measurements/tcb.policy | 20 +++++++++++++++++++
 1 file changed, 20 insertions(+)
 create mode 100644 testcases/kernel/security/integrity/ima/datafiles/ima_measurements/tcb.policy

diff --git a/testcases/kernel/security/integrity/ima/datafiles/ima_measurements/tcb.policy b/testcases/kernel/security/integrity/ima/datafiles/ima_measurements/tcb.policy
new file mode 100644
index 0000000000..280e6af87c
--- /dev/null
+++ b/testcases/kernel/security/integrity/ima/datafiles/ima_measurements/tcb.policy 
@@ -0,0 +1,20 @@ +dont_measure fsmagic=0x9fa0 +dont_measure fsmagic=0x62656572 +dont_measure fsmagic=0x64626720 +dont_measure fsmagic=0x1021994 +dont_measure fsmagic=0x1cd1 +dont_measure fsmagic=0x42494e4d +dont_measure fsmagic=0x73636673 +dont_measure fsmagic=0xf97cff8c +dont_measure fsmagic=0x43415d53 +dont_measure fsmagic=0x27e0eb +dont_measure fsmagic=0x63677270 +dont_measure fsmagic=0x6e736673 +dont_measure fsmagic=0xde5e81e4 +measure func=MMAP_CHECK mask=MAY_EXEC +measure func=BPRM_CHECK mask=MAY_EXEC +measure func=FILE_CHECK mask=^MAY_READ euid=0 +measure func=FILE_CHECK mask=^MAY_READ uid=0 +measure func=MODULE_CHECK +measure func=FIRMWARE_CHECK +measure func=POLICY_CHECK
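Review bot: the commit message is empty, so nothing records where these 20 rules come from or how they are meant to stay in sync with the kernel; since the setup() change in 2/3 keys on the exact lines `measure func=FILE_CHECK mask=^MAY_READ uid=0` and `measure func=POLICY_CHECK`, please state in the message that tcb.policy mirrors the kernel's built-in `ima_policy=tcb` rule set (the dont_measure fsmagic list followed by the measure rules) and that a change to that built-in list needs to be reflected here. The thirteen fsmagic constants are also bare hex values with no indication of which filesystem each one is (0x9fa0 is procfs, 0x73636673 is securityfs, and so on); naming them, in the commit message if not in the file, would make a future diff against the kernel's list reviewable.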
From patchwork Tue Nov 26 17:38:29 2024
X-Patchwork-Id: 13886284
From: Petr Vorel
To: ltp@lists.linux.it
Cc: Petr Vorel, Mimi Zohar, linux-integrity@vger.kernel.org
Subject: [PATCH 2/3] ima_setup.sh: Allow to load predefined policy
Date: Tue, 26 Nov 2024 18:38:29 +0100
Message-ID: <20241126173830.98960-3-pvorel@suse.cz>
In-Reply-To: <20241126173830.98960-1-pvorel@suse.cz>
References: <20241126173830.98960-1-pvorel@suse.cz>

Environment variable LTP_IMA_LOAD_POLICY=1 tries to load example policy if available. This should be used only if tooling running LTP tests allows rebooting afterwards (because policy may be writable only once, e.g. missing CONFIG_IMA_WRITE_POLICY=y, or policies can influence each other).

Signed-off-by: Petr Vorel
---
 .../kernel/security/integrity/ima/README.md   |  6 +++
 .../integrity/ima/tests/ima_measurements.sh   | 17 +++++-
 .../security/integrity/ima/tests/ima_setup.sh | 52 ++++++++++++++++---
 3 files changed, 66 insertions(+), 9 deletions(-)

diff --git a/testcases/kernel/security/integrity/ima/README.md b/testcases/kernel/security/integrity/ima/README.md
index 5b261a1914..a00b01b5fe 100644
--- a/testcases/kernel/security/integrity/ima/README.md
+++ b/testcases/kernel/security/integrity/ima/README.md @@ -8,6 +8,12 @@ CONFIG_INTEGRITY=y CONFIG_IMA=y ``` +### Loading policy for testing (optional) +Setting environment variable `LTP_IMA_LOAD_POLICY=1` tries to load example +policy if available. This should be used only if tooling running LTP tests +allows to reboot afterwards (because policy may be writable only once, e.g. +missing `CONFIG_IMA_WRITE_POLICY=y`, or policies can influence each other). + ### IMA measurement tests `ima_measurements.sh` require builtin IMA tcb policy to be loaded (`ima_policy=tcb` kernel parameter). diff --git a/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh b/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh index 1da2aa6a51..b4205ab95f 100755 --- a/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh +++ b/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh @@ -1,7 +1,7 @@ #!/bin/sh # SPDX-License-Identifier: GPL-2.0-or-later # Copyright (c) 2009 IBM Corporation -# Copyright (c) 2018-2021 Petr Vorel +# Copyright (c) 2018-2024 Petr Vorel # Author: Mimi Zohar # # Verify that measurements are added to the measurement list based on policy. @@ -12,10 +12,23 @@ TST_CNT=3 setup() { - require_ima_policy_cmdline "tcb" + local policy="tcb" TEST_FILE="$PWD/test.txt" [ -f "$IMA_POLICY" ] || tst_res TINFO "not using default policy" + + if [ "$LTP_IMA_LOAD_POLICY" != 1 ]; then + require_ima_policy_cmdline $policy + return + elif check_ima_policy_cmdline $policy; then + return + fi + + if ! check_ima_policy_cmdline $policy && + ! require_ima_policy_content '^measure func=FILE_CHECK mask=^MAY_READ uid=0' && + ! require_ima_policy_content 'measure func=POLICY_CHECK'; then + tst_brk TCONF "IMA measurement tests require builtin IMA $policy policy (e.g. ima_policy=$policy kernel parameter or it's equivalent)" + fi } check_iversion_support() 
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh index df3fc5603f..e585418c17 100644 --- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh +++ b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh @@ -1,7 +1,7 @@ #!/bin/sh # SPDX-License-Identifier: GPL-2.0-or-later # Copyright (c) 2009 IBM Corporation -# Copyright (c) 2018-2020 Petr Vorel +# Copyright (c) 2018-2024 Petr Vorel # Author: Mimi Zohar TST_TESTFUNC="test" @@ -72,14 +72,20 @@ require_policy_readable() fi } -require_policy_writable() +check_policy_writable() { - local err="IMA policy already loaded and kernel not configured to enable multiple writes to it (need CONFIG_IMA_WRITE_POLICY=y)" - - [ -f $IMA_POLICY ] || tst_brk TCONF "$err" - # CONFIG_IMA_READ_POLICY + [ -f $IMA_POLICY ] || return 1 + # workaround for kernels < v4.18 without fix + # ffb122de9a60b ("ima: Reflect correct permissions for policy") echo "" 2> log > $IMA_POLICY - grep -q "Device or resource busy" log && tst_brk TCONF "$err" + grep -q "Device or resource busy" log && return 1 + return 0 +} + +require_policy_writable() +{ + check_policy_writable || tst_brk TCONF \ + "IMA policy already loaded and kernel not configured to enable multiple writes to it (need CONFIG_IMA_WRITE_POLICY=y)" } check_ima_policy_content() 
@@ -158,6 +164,32 @@ print_ima_config() tst_res TINFO "/proc/cmdline: $(cat /proc/cmdline)" } +load_ima_policy() +{ + local policy="$(ls $TST_DATAROOT/*.policy 2>/dev/null)" + + if [ "$LTP_IMA_LOAD_POLICY" != 1 -a "$policy" -a -f "$policy" ]; then + tst_res TINFO "NOTE: set LTP_IMA_LOAD_POLICY=1 to load policy for this test" + return + fi + + if [ -z "$policy" -o ! -f "$policy" ]; then + tst_res TINFO "no policy for this test" + return + fi + + tst_res TINFO "trying to load '$policy' policy:" + cat $policy + if ! check_policy_writable; then + tst_res TINFO "WARNING: IMA policy already loaded and kernel not configured to enable multiple writes to it (need CONFIG_IMA_WRITE_POLICY=y), reboot required" + return + fi + + cat "$policy" 2> log > $IMA_POLICY + if grep -q "Device or resource busy" log; then + tst_brk TBROK "Loading policy failed" + fi +} ima_setup() { SECURITYFS="$(mount_helper securityfs $SYSFS/kernel/security)" @@ -180,6 +212,8 @@ ima_setup() cd "$TST_MNTPOINT" fi + load_ima_policy + [ -n "$TST_SETUP_CALLER" ] && $TST_SETUP_CALLER } 
@@ -192,6 +226,10 @@ ima_cleanup() for dir in $UMOUNT; do umount $dir done + + if [ "$LTP_IMA_LOAD_POLICY" = 1 ]; then + tst_res TINFO "WARNING: policy loaded via LTP_IMA_LOAD_POLICY=1, reboot recommended" + fi } set_digest_index()
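Review bot: the README.md hunk leaves the unchanged sentence below it, "`ima_measurements.sh` require builtin IMA tcb policy to be loaded (`ima_policy=tcb` kernel parameter)", still stating that the kernel parameter is required, which the new "Loading policy for testing (optional)" section has just made optional; extend that sentence to mention `LTP_IMA_LOAD_POLICY=1` as the alternative (and "require" should read "requires").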
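Review bot: in the setup() hunk of ima_measurements.sh the final condition `! check_ima_policy_cmdline $policy && ! require_ima_policy_content '^measure func=FILE_CHECK mask=^MAY_READ uid=0' && ! require_ima_policy_content 'measure func=POLICY_CHECK'` only reaches tst_brk when all three checks fail, so a loaded policy that contains `measure func=POLICY_CHECK` but lacks the FILE_CHECK rule passes setup; the repeated `check_ima_policy_cmdline $policy` is also dead, since the `elif` above has already returned when it succeeds, and if require_ima_policy_content follows the `require_*` convention that require_policy_writable uses in this same series (calling tst_brk itself), negating it inside a condition never gets past the first failure. Use the boolean helper check_ima_policy_content and demand both rules, e.g. `check_ima_policy_content '^measure func=FILE_CHECK mask=^MAY_READ uid=0' && check_ima_policy_content '^measure func=POLICY_CHECK' || tst_brk TCONF "..."`. The TCONF message should also read "or its equivalent" rather than "it's equivalent".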
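Review bot: in the check_policy_writable() hunk of ima_setup.sh the probe write `echo "" 2> log > $IMA_POLICY` is judged only by grepping log for "Device or resource busy", so any other failure of the redirect (a permission error, for example) leaves the function returning 0, i.e. "writable"; test the redirect's exit status directly, `echo "" 2> log > $IMA_POLICY || return 1`, and keep the grep only for the pre-v4.18 case the comment describes. Worth confirming as well: the probe is itself a write to the policy file, so on a kernel where the policy can be written only once (the situation the commit message says LTP_IMA_LOAD_POLICY targets) make sure an empty write does not use up that single write before load_ima_policy() performs the real one.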
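Review bot: in the load_ima_policy() hunk the outcome of `cat "$policy" 2> log > $IMA_POLICY` is again judged only by grepping for "Device or resource busy", so a policy the kernel rejects for any other reason (bad rule syntax, a permission error, the file having disappeared) is reported as success and the test runs against the old rules; use the exit status, `cat "$policy" 2> log > $IMA_POLICY || tst_brk TBROK "Loading policy failed: $(cat log)"`. Two smaller points in the same function: `policy="$(ls $TST_DATAROOT/*.policy 2>/dev/null)"` holds several paths when more than one .policy file exists, which then silently fails the `-f "$policy"` test and prints "no policy for this test"; and `[ ... -a ... ]` / `[ ... -o ... ]` are obsolescent in POSIX test, so `[ ... ] && [ ... ]` is the portable spelling.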
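Review bot: the ima_cleanup() hunk prints the "reboot recommended" warning whenever LTP_IMA_LOAD_POLICY=1 is set, including runs where load_ima_policy() found no policy file or returned early because the policy was not writable and nothing was written. Have load_ima_policy() set a variable (e.g. IMA_POLICY_LOADED=1) only after the `cat "$policy" ... > $IMA_POLICY` succeeds and test that variable here instead.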
From patchwork Tue Nov 26 17:38:30 2024
X-Patchwork-Id: 13886283
From: Petr Vorel
To: ltp@lists.linux.it
Cc: Petr Vorel, Mimi Zohar, linux-integrity@vger.kernel.org
Subject: [PATCH 3/3] ima_{kexec,keys,selinux}: Set minimal kernel version
Date: Tue, 26 Nov 2024 18:38:30 +0100
Message-ID: <20241126173830.98960-4-pvorel@suse.cz>
In-Reply-To: <20241126173830.98960-1-pvorel@suse.cz>
References: <20241126173830.98960-1-pvorel@suse.cz>

The functionality IMHO was not backported to the enterprise kernels.
This helps to avoid a false positive in ima_kexec.sh:

ima_kexec 1 TWARN: policy not readable, it might not contain required policy '^measure.*func=KEXEC_CMDLINE'
ima_kexec 1 TBROK: unable to find a correct measurement

Signed-off-by: Petr Vorel
---
 testcases/kernel/security/integrity/ima/tests/ima_kexec.sh   | 1 +
 testcases/kernel/security/integrity/ima/tests/ima_keys.sh    | 1 +
 testcases/kernel/security/integrity/ima/tests/ima_selinux.sh | 1 +
 3 files changed, 3 insertions(+)

diff --git a/testcases/kernel/security/integrity/ima/tests/ima_kexec.sh b/testcases/kernel/security/integrity/ima/tests/ima_kexec.sh
index 62f05f5361..3446bc24bf 100755
--- a/testcases/kernel/security/integrity/ima/tests/ima_kexec.sh +++ b/testcases/kernel/security/integrity/ima/tests/ima_kexec.sh @@ -11,6 +11,7 @@ TST_NEEDS_CMDS="grep kexec sed" TST_CNT=3 TST_SETUP="setup" +TST_MIN_KVER="5.3" IMA_KEXEC_IMAGE="${IMA_KEXEC_IMAGE:-/boot/vmlinuz-$(uname -r)}" REQUIRED_POLICY='^measure.*func=KEXEC_CMDLINE' diff --git a/testcases/kernel/security/integrity/ima/tests/ima_keys.sh b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh index 793908d44a..ff32eb6c43 100755 --- a/testcases/kernel/security/integrity/ima/tests/ima_keys.sh +++ b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh @@ -10,6 +10,7 @@ TST_NEEDS_CMDS="cmp cut grep sed" TST_CNT=2 TST_SETUP=setup TST_CLEANUP=cleanup +TST_MIN_KVER="5.6" FUNC_KEYCHECK='func=KEY_CHECK' REQUIRED_POLICY="^measure.*$FUNC_KEYCHECK" diff --git a/testcases/kernel/security/integrity/ima/tests/ima_selinux.sh b/testcases/kernel/security/integrity/ima/tests/ima_selinux.sh index f6e392822a..75f9ba84e4 100755 --- a/testcases/kernel/security/integrity/ima/tests/ima_selinux.sh +++ b/testcases/kernel/security/integrity/ima/tests/ima_selinux.sh @@ -12,6 +12,7 @@ TST_NEEDS_CMDS="awk cut grep tail" TST_CNT=2 TST_SETUP="setup" +TST_MIN_KVER="5.12" FUNC_CRITICAL_DATA='func=CRITICAL_DATA' REQUIRED_POLICY="^measure.*$FUNC_CRITICAL_DATA"
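Review bot: in the ima_kexec.sh hunk `TST_MIN_KVER="5.3"` is a bare number with nothing tying it to the feature it gates; add a comment naming the hook (KEXEC_CMDLINE, the REQUIRED_POLICY pattern two lines below) or record the kernel release in the commit message. Note also that the version gate makes the test TCONF on any distribution kernel older than 5.3 that did backport the hook, whereas the existing REQUIRED_POLICY check would have let such a kernel run; the commit message offers only "IMHO was not backported", so confirming that against the enterprise kernels it refers to before merging would be good.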
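Review bot: the ima_selinux.sh hunk sets `TST_MIN_KVER="5.12"` (and the ima_keys.sh hunk `TST_MIN_KVER="5.6"`), but the commit message justifies only the ima_kexec change through the quoted TWARN/TBROK output; please state which hook each threshold corresponds to (CRITICAL_DATA and KEY_CHECK respectively, the REQUIRED_POLICY patterns visible in each file) so the three numbers can be checked against the kernel history rather than taken on trust.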