From patchwork Tue Jan 14 11:29:06 2025
From: Petr Vorel
To: ltp@lists.linux.it
Cc: Petr Vorel , Mimi Zohar , linux-integrity@vger.kernel.org
Subject: [PATCH v3 01/10] ima_violations.sh: Fix log detection
Date: Tue, 14 Jan 2025 12:29:06 +0100
Message-ID: <20250114112915.610297-2-pvorel@suse.cz>
In-Reply-To: <20250114112915.610297-1-pvorel@suse.cz>
References: <20250114112915.610297-1-pvorel@suse.cz>

Fix TBROK on systems which do not have /var/log/messages (any modern distro is using systemd) nor auditd installed:

ima_violations 1 TBROK: log /var/log/messages does not exist (bug in detection?)

Instead TCONF with a more meaningful message:

ima_violations 1 TCONF: log file not found, install auditd

Fixes: https://github.com/linux-test-project/ltp/issues/372
Signed-off-by: Petr Vorel
--- .../kernel/security/integrity/ima/tests/ima_violations.sh | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/testcases/kernel/security/integrity/ima/tests/ima_violations.sh b/testcases/kernel/security/integrity/ima/tests/ima_violations.sh index 0f710dea2e..b2b597ad08 100755 --- a/testcases/kernel/security/integrity/ima/tests/ima_violations.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_violations.sh 
@@ -23,8 +23,10 @@ setup() PRINTK_RATE_LIMIT=`sysctl -n kernel.printk_ratelimit` sysctl -wq kernel.printk_ratelimit=0 fi - [ -f "$LOG" ] || \ - tst_brk TBROK "log $LOG does not exist (bug in detection?)" + + if [ ! -e "$LOG" ]; then + tst_brk TCONF "log file not found, install auditd" + fi tst_res TINFO "using log $LOG" }
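Review bot: `[ ! -e "$LOG" ]` is looser than the `[ -f "$LOG" ]` it replaces: a directory or a socket at that path now passes the check and the failure only surfaces wherever the log is read later. Suggest `if [ ! -f "$LOG" ]; then` (or `-r` if the script only needs to read it). The empty `+` line added just before the `if` is a stray blank line that can be dropped.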
From: Petr Vorel
To: ltp@lists.linux.it
Cc: Petr Vorel , Mimi Zohar , linux-integrity@vger.kernel.org
Subject: [PATCH v3 02/10] IMA: Add TCB policy as an example for ima_measurements.sh
Date: Tue, 14 Jan 2025 12:29:07 +0100
Message-ID: <20250114112915.610297-3-pvorel@suse.cz>
In-Reply-To: <20250114112915.610297-1-pvorel@suse.cz>
References: <20250114112915.610297-1-pvorel@suse.cz>

Taken from IMA docs [1], removed dont_measure fsmagic=0x1021994 (tmpfs) as suggested by Mimi.

[1] https://ima-doc.readthedocs.io/en/latest/ima-policy.html#ima-tcb

Signed-off-by: Petr Vorel
--- .../security/integrity/ima/datafiles/Makefile | 4 ++-- .../ima/datafiles/ima_measurements/Makefile | 11 ++++++++++ .../ima/datafiles/ima_measurements/tcb.policy | 20 +++++++++++++++++++ 3 files changed, 33 insertions(+), 2 deletions(-) create mode 100644 testcases/kernel/security/integrity/ima/datafiles/ima_measurements/Makefile create mode 100644 testcases/kernel/security/integrity/ima/datafiles/ima_measurements/tcb.policy
diff --git a/testcases/kernel/security/integrity/ima/datafiles/Makefile b/testcases/kernel/security/integrity/ima/datafiles/Makefile index 200fd3f4d3..0f2b4fdb11 100644 --- a/testcases/kernel/security/integrity/ima/datafiles/Makefile +++ b/testcases/kernel/security/integrity/ima/datafiles/Makefile @@ -1,5 +1,5 @@ # SPDX-License-Identifier: GPL-2.0-or-later -# Copyright (c) Linux Test Project, 2019-2020 +# Copyright (c) Linux Test Project, 2019-2025 # Copyright (c) 2020 Microsoft Corporation # Copyright (C) 2009, Cisco Systems Inc. # Ngie Cooper, July 2009 @@ -8,6 +8,6 @@ top_srcdir ?= ../../../../../.. include $(top_srcdir)/include/mk/env_pre.mk -SUBDIRS := ima_kexec ima_keys ima_policy ima_selinux +SUBDIRS := ima_kexec ima_keys ima_measurements ima_policy ima_selinux include $(top_srcdir)/include/mk/generic_trunk_target.mk diff --git a/testcases/kernel/security/integrity/ima/datafiles/ima_measurements/Makefile b/testcases/kernel/security/integrity/ima/datafiles/ima_measurements/Makefile new file mode 100644 index 0000000000..6317f2bf85 --- /dev/null +++ b/testcases/kernel/security/integrity/ima/datafiles/ima_measurements/Makefile @@ -0,0 +1,11 @@ +# SPDX-License-Identifier: GPL-2.0-or-later +# Copyright (c) Linux Test Project, 2025 + +top_srcdir ?= ../../../../../../.. + +include $(top_srcdir)/include/mk/env_pre.mk + +INSTALL_DIR := testcases/data/ima_measurements +INSTALL_TARGETS := *.policy + +include $(top_srcdir)/include/mk/generic_leaf_target.mk diff --git a/testcases/kernel/security/integrity/ima/datafiles/ima_measurements/tcb.policy b/testcases/kernel/security/integrity/ima/datafiles/ima_measurements/tcb.policy new file mode 100644 index 0000000000..1e4a932bf0 --- /dev/null +++ b/testcases/kernel/security/integrity/ima/datafiles/ima_measurements/tcb.policy 
@@ -0,0 +1,20 @@ +dont_measure fsmagic=0x9fa0 +dont_measure fsmagic=0x62656572 +dont_measure fsmagic=0x64626720 +dont_measure fsmagic=0x1021994 func=FILE_CHECK +dont_measure fsmagic=0x1cd1 +dont_measure fsmagic=0x42494e4d +dont_measure fsmagic=0x73636673 +dont_measure fsmagic=0xf97cff8c +dont_measure fsmagic=0x43415d53 +dont_measure fsmagic=0x27e0eb +dont_measure fsmagic=0x63677270 +dont_measure fsmagic=0x6e736673 +dont_measure fsmagic=0xde5e81e4 +measure func=MMAP_CHECK mask=MAY_EXEC +measure func=BPRM_CHECK mask=MAY_EXEC +measure func=FILE_CHECK mask=^MAY_READ euid=0 +measure func=FILE_CHECK mask=^MAY_READ uid=0 +measure func=MODULE_CHECK +measure func=FIRMWARE_CHECK +measure func=POLICY_CHECK
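Review bot: the commit message says `dont_measure fsmagic=0x1021994` (tmpfs) was removed, yet tcb.policy still carries `dont_measure fsmagic=0x1021994 func=FILE_CHECK`. Either that rule should go as well, or the message should state that only the unqualified tmpfs rule was dropped and the FILE_CHECK-scoped one deliberately kept, so the next reader does not take the remaining line for an oversight.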
From: Petr Vorel
To: ltp@lists.linux.it
Cc: Petr Vorel , Mimi Zohar , linux-integrity@vger.kernel.org
Subject: [PATCH v3 03/10] IMA: Move requirement check to ima_setup.sh
Date: Tue, 14 Jan 2025 12:29:08 +0100
Message-ID: <20250114112915.610297-4-pvorel@suse.cz>
In-Reply-To: <20250114112915.610297-1-pvorel@suse.cz>
References: <20250114112915.610297-1-pvorel@suse.cz>

Signed-off-by: Petr Vorel
--- .../kernel/security/integrity/ima/tests/evm_overlay.sh | 3 +-- .../kernel/security/integrity/ima/tests/ima_measurements.sh | 6 +++--- testcases/kernel/security/integrity/ima/tests/ima_setup.sh | 6 +++++- 3 files changed, 9 insertions(+), 6 deletions(-) diff --git a/testcases/kernel/security/integrity/ima/tests/evm_overlay.sh b/testcases/kernel/security/integrity/ima/tests/evm_overlay.sh index 12b2a28c25..6a48f63aaa 100755 --- a/testcases/kernel/security/integrity/ima/tests/evm_overlay.sh +++ b/testcases/kernel/security/integrity/ima/tests/evm_overlay.sh @@ -9,6 +9,7 @@ TST_SETUP="setup" TST_CLEANUP="cleanup" TST_CNT=4 +REQUIRED_BUILTIN_POLICY="appraise_tcb" setup() { @@ -17,8 +18,6 @@ setup() [ -f "$EVM_FILE" ] || tst_brk TCONF "EVM not enabled in kernel" [ $(cat $EVM_FILE) -eq 1 ] || tst_brk TCONF "EVM not enabled for this boot" - require_ima_policy_cmdline "appraise_tcb" - lower="$TST_MNTPOINT/lower" upper="$TST_MNTPOINT/upper" work="$TST_MNTPOINT/work"
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh b/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh index 1da2aa6a51..ca9d73b4aa 100755 --- a/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh +++ b/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh @@ -1,19 +1,19 @@ #!/bin/sh # SPDX-License-Identifier: GPL-2.0-or-later # Copyright (c) 2009 IBM Corporation -# Copyright (c) 2018-2021 Petr Vorel +# Copyright (c) 2018-2025 Petr Vorel # Author: Mimi Zohar # # Verify that measurements are added to the measurement list based on policy. +# Test requires ima_policy=tcb. TST_NEEDS_CMDS="awk cut sed" TST_SETUP="setup" TST_CNT=3 +REQUIRED_BUILTIN_POLICY="tcb" setup() { - require_ima_policy_cmdline "tcb" - TEST_FILE="$PWD/test.txt" [ -f "$IMA_POLICY" ] || tst_res TINFO "not using default policy" } diff --git a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh index fc0e769729..2a578ceb45 100644 --- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh +++ b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh @@ -1,7 +1,7 @@ #!/bin/sh # SPDX-License-Identifier: GPL-2.0-or-later # Copyright (c) 2009 IBM Corporation -# Copyright (c) 2018-2020 Petr Vorel +# Copyright (c) 2018-2025 Petr Vorel # Author: Mimi Zohar TST_TESTFUNC="test" 
@@ -180,6 +180,10 @@ ima_setup() cd "$TST_MNTPOINT" fi + if [ "$REQUIRED_BUILTIN_POLICY" ]; then + require_ima_policy_cmdline "$REQUIRED_BUILTIN_POLICY" + fi + [ -n "$TST_SETUP_CALLER" ] && $TST_SETUP_CALLER }
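Review bot: the new `REQUIRED_BUILTIN_POLICY` check in ima_setup() runs before `$TST_SETUP_CALLER`, so for evm_overlay.sh the `appraise_tcb` requirement is now evaluated ahead of the two EVM checks that used to precede `require_ima_policy_cmdline "appraise_tcb"` in its setup(); a machine with neither EVM nor that policy will report the policy TCONF instead of the EVM one. Harmless, but worth a sentence in the commit message, which currently has no body beyond Signed-off-by. For consistency with the `[ -n "$TST_SETUP_CALLER" ]` test right below, write `if [ -n "$REQUIRED_BUILTIN_POLICY" ]; then`.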
From: Petr Vorel
To: ltp@lists.linux.it
Cc: Petr Vorel , Mimi Zohar , linux-integrity@vger.kernel.org
Subject: [PATCH v3 04/10] IMA: Add example policy for ima_violations.sh
Date: Tue, 14 Jan 2025 12:29:09 +0100
Message-ID: <20250114112915.610297-5-pvorel@suse.cz>
In-Reply-To: <20250114112915.610297-1-pvorel@suse.cz>
References: <20250114112915.610297-1-pvorel@suse.cz>

Suggested-by: Mimi Zohar
Signed-off-by: Petr Vorel --- .../kernel/security/integrity/ima/datafiles/Makefile | 2 +- .../integrity/ima/datafiles/ima_violations/Makefile | 11 +++++++++++ .../ima/datafiles/ima_violations/violations.policy | 2 ++ 3 files changed, 14 insertions(+), 1 deletion(-) create mode 100644 testcases/kernel/security/integrity/ima/datafiles/ima_violations/Makefile create mode 100644 testcases/kernel/security/integrity/ima/datafiles/ima_violations/violations.policy diff --git a/testcases/kernel/security/integrity/ima/datafiles/Makefile b/testcases/kernel/security/integrity/ima/datafiles/Makefile index 0f2b4fdb11..2013bfc918 100644 --- a/testcases/kernel/security/integrity/ima/datafiles/Makefile +++ b/testcases/kernel/security/integrity/ima/datafiles/Makefile @@ -8,6 +8,6 @@ top_srcdir ?= ../../../../../.. include $(top_srcdir)/include/mk/env_pre.mk -SUBDIRS := ima_kexec ima_keys ima_measurements ima_policy ima_selinux +SUBDIRS := ima_kexec ima_keys ima_measurements ima_policy ima_selinux ima_violations include $(top_srcdir)/include/mk/generic_trunk_target.mk diff --git a/testcases/kernel/security/integrity/ima/datafiles/ima_violations/Makefile b/testcases/kernel/security/integrity/ima/datafiles/ima_violations/Makefile new file mode 100644 index 0000000000..58d474f076 --- /dev/null +++ b/testcases/kernel/security/integrity/ima/datafiles/ima_violations/Makefile @@ -0,0 +1,11 @@ +# SPDX-License-Identifier: GPL-2.0-or-later +# Copyright (c) Linux Test Project, 2025 + +top_srcdir ?= ../../../../../../.. + +include $(top_srcdir)/include/mk/env_pre.mk + +INSTALL_DIR := testcases/data/ima_violations +INSTALL_TARGETS := *.policy + +include $(top_srcdir)/include/mk/generic_leaf_target.mk diff --git a/testcases/kernel/security/integrity/ima/datafiles/ima_violations/violations.policy b/testcases/kernel/security/integrity/ima/datafiles/ima_violations/violations.policy new file mode 100644 index 0000000000..466b8c5a64 --- /dev/null 
+++ b/testcases/kernel/security/integrity/ima/datafiles/ima_violations/violations.policy 
@@ -0,0 +1,2 @@ +measure func=FILE_CHECK mask=^MAY_READ euid=0 +measure func=FILE_CHECK mask=^MAY_READ uid=0
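Review bot: violations.policy repeats the two `measure func=FILE_CHECK mask=^MAY_READ` rules (euid=0 and uid=0) that already appear in tcb.policy from patch 02/10, and the commit message carries only Suggested-by and Signed-off-by. Add a line saying that ima_violations.sh needs just these root FILE_CHECK measurements rather than the full tcb set, so a reader knows the two policy files are meant to differ and which one a test should reference.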
content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=PrmAkrf9zSPs3YZrI4aN2+q55IQh2OjPjwxkARwftys=; b=vpeN8EDgtYdiFuXKzI00WYXTHrFFblYsaGIypPnLb6vTUj6tzvXiu0UBSPWPxVXfr5O85R n4l5vWiABiqx6Ldrpyis0gbDp67ysDLNCORvYhxdU+DtrxMNA/kqXgFudeL4F/rfH5jb3l Q7R3bdYc25pThS6sr6dGuJpRiv2YVhc= DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.cz; s=susede2_ed25519; t=1736854164; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=PrmAkrf9zSPs3YZrI4aN2+q55IQh2OjPjwxkARwftys=; b=6MWbL1tIlzLD/1xW/F/CDQ7BTVmkf1M3nl6RKj+t3eCUDQci1JFL/9ll5Zs5hOwjS2W+5U oTrvQzhg9AZoewBQ== Received: from imap1.dmz-prg2.suse.org (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by imap1.dmz-prg2.suse.org (Postfix) with ESMTPS id 8BDA413A86; Tue, 14 Jan 2025 11:29:24 +0000 (UTC) Received: from dovecot-director2.suse.de ([2a07:de40:b281:106:10:150:64:167]) by imap1.dmz-prg2.suse.org with ESMTPSA id CJb/IJRKhmeMIAAAD6G6ig (envelope-from ); Tue, 14 Jan 2025 11:29:24 +0000 
From: Petr Vorel
To: ltp@lists.linux.it
Cc: Petr Vorel , Mimi Zohar , linux-integrity@vger.kernel.org
Subject: [PATCH v3 05/10] IMA: Read required policy from file
Date: Tue, 14 Jan 2025 12:29:10 +0100
Message-ID: <20250114112915.610297-6-pvorel@suse.cz>
In-Reply-To: <20250114112915.610297-1-pvorel@suse.cz>

Previously, the snippet of the required policy was a string or regexp. Loading the required policy from a file allows moving the code to ima_setup.sh. This is a preparation for loading the IMA policy from a file.

The check can be done on one or both of:
1) IMA builtin policy (based on /proc/cmdline)
2) IMA policy content (actual content of /sys/kernel/security/ima/policy)

When CONFIG_IMA_READ_POLICY=y is missing, the required policy is still tested, but TFAIL is converted to TCONF.
Signed-off-by: Petr Vorel --- .../security/integrity/ima/tests/ima_kexec.sh | 19 ++---- .../security/integrity/ima/tests/ima_keys.sh | 47 ++++--------- .../integrity/ima/tests/ima_measurements.sh | 8 ++- .../integrity/ima/tests/ima_selinux.sh | 22 +++--- .../security/integrity/ima/tests/ima_setup.sh | 68 ++++++++++++++----- .../integrity/ima/tests/ima_violations.sh | 8 ++- 6 files changed, 92 insertions(+), 80 deletions(-) diff --git a/testcases/kernel/security/integrity/ima/tests/ima_kexec.sh b/testcases/kernel/security/integrity/ima/tests/ima_kexec.sh index 3446bc24bf..95e6186bb5 100755 --- a/testcases/kernel/security/integrity/ima/tests/ima_kexec.sh +++ b/testcases/kernel/security/integrity/ima/tests/ima_kexec.sh @@ -1,7 +1,7 @@ #!/bin/sh # SPDX-License-Identifier: GPL-2.0-or-later # Copyright (c) 2020 Microsoft Corporation -# Copyright (c) 2020 Petr Vorel +# Copyright (c) 2020-2025 Petr Vorel # Author: Lachlan Sneff # # Verify that kexec cmdline is measured correctly. @@ -14,7 +14,7 @@ TST_SETUP="setup" TST_MIN_KVER="5.3" IMA_KEXEC_IMAGE="${IMA_KEXEC_IMAGE:-/boot/vmlinuz-$(uname -r)}" -REQUIRED_POLICY='^measure.*func=KEXEC_CMDLINE' +REQUIRED_POLICY_CONTENT='kexec.policy' measure() { @@ -46,11 +46,6 @@ setup() if [ ! -f "$IMA_KEXEC_IMAGE" ]; then tst_brk TCONF "kernel image not found, specify path in \$IMA_KEXEC_IMAGE" fi - - if check_policy_readable; then - require_ima_policy_content "$REQUIRED_POLICY" - policy_readable=1 - fi } kexec_failure_hint() @@ -79,7 +74,6 @@ kexec_test() { local param="$1" local cmdline="$2" - local res=TFAIL local kexec_cmd kexec_cmd="$param=$cmdline" 
@@ -97,13 +91,10 @@ kexec_test() ROD kexec -su if ! measure "$cmdline"; then - if [ "$policy_readable" != 1 ]; then - tst_res TWARN "policy not readable, it might not contain required policy '$REQUIRED_POLICY'" - res=TBROK - fi - tst_brk $res "unable to find a correct measurement" + tst_res $IMA_FAIL "unable to find a correct measurement" + else + tst_res TPASS "kexec cmdline was measured correctly" fi - tst_res TPASS "kexec cmdline was measured correctly" } test() diff --git a/testcases/kernel/security/integrity/ima/tests/ima_keys.sh b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh index ff32eb6c43..a2e9c77738 100755 --- a/testcases/kernel/security/integrity/ima/tests/ima_keys.sh +++ b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh @@ -1,7 +1,7 @@ #!/bin/sh # SPDX-License-Identifier: GPL-2.0-or-later # Copyright (c) 2020 Microsoft Corporation -# Copyright (c) 2020-2021 Petr Vorel +# Copyright (c) 2020-2025 Petr Vorel # Author: Lachlan Sneff # # Verify that keys are measured correctly based on policy. 
@@ -12,38 +12,24 @@ TST_SETUP=setup TST_CLEANUP=cleanup TST_MIN_KVER="5.6" -FUNC_KEYCHECK='func=KEY_CHECK' -REQUIRED_POLICY="^measure.*$FUNC_KEYCHECK" +REQUIRED_POLICY_CONTENT='keycheck.policy' setup() { - require_ima_policy_content "$REQUIRED_POLICY" '-E' > $TST_TMPDIR/policy.txt - require_valid_policy_template -} + local line -cleanup() -{ - tst_is_num $KEYRING_ID && keyctl clear $KEYRING_ID -} + require_policy_readable -require_valid_policy_template() -{ while read line; do - if echo $line | grep -q 'template=' && ! echo $line | grep -q 'template=ima-buf'; then - tst_brk TCONF "only template=ima-buf can be specified for KEY_CHECK" - fi - done < $TST_TMPDIR/policy.txt + if echo $line | grep -q 'template=' && ! echo $line | grep -q 'template=ima-buf'; then + tst_brk TCONF "only template=ima-buf can be specified for KEY_CHECK" + fi + done < $IMA_POLICY } -check_keys_policy() +cleanup() { - local pattern="$1" - - if ! grep -E "$pattern" $TST_TMPDIR/policy.txt; then - tst_res TCONF "IMA policy must specify $pattern, $FUNC_KEYCHECK" - return 1 - fi - return 0 + tst_is_num $KEYRING_ID && keyctl clear $KEYRING_ID } # Based on https://lkml.org/lkml/2019/12/13/564. @@ -51,12 +37,10 @@ check_keys_policy() test1() { local keycheck_lines i keyrings templates - local pattern='keyrings=[^[:space:]]+' local test_file="file.txt" tmp_file="file2.txt" tst_res TINFO "verify key measurement for keyrings and templates specified in IMA policy" - check_keys_policy "$pattern" > $tmp_file || return keycheck_lines=$(cat $tmp_file) keyrings=$(for i in $keycheck_lines; do echo "$i" | grep "keyrings" | \ sed "s/\./\\\./g" | cut -d'=' -f2; done | sed ':a;N;$!ba;s/\n/|/g') @@ -87,7 +71,7 @@ test1() fi if [ "$digest" != "$expected_digest" ]; then - tst_res TFAIL "incorrect digest was found for $keyring keyring" + tst_res $IMA_FAIL "incorrect digest was found for $keyring keyring" return fi done 
@@ -105,13 +89,10 @@ test2() local cert_file="$TST_DATAROOT/x509_ima.der" local keyring_name="key_import_test" - local pattern="keyrings=[^[:space:]]*$keyring_name" local temp_file="file.txt" tst_res TINFO "verify measurement of certificate imported into a keyring" - check_keys_policy "$pattern" >/dev/null || return - KEYRING_ID=$(keyctl newring $keyring_name @s) || \ tst_brk TBROK "unable to create a new keyring" @@ -126,19 +107,19 @@ test2() tst_hexdump -d > $temp_file if [ ! -s $temp_file ]; then - tst_res TFAIL "keyring $keyring_name not found in $ASCII_MEASUREMENTS" + tst_res $IMA_FAIL "keyring $keyring_name not found in $ASCII_MEASUREMENTS" return fi if ! openssl x509 -in $temp_file -inform der > /dev/null; then - tst_res TFAIL "logged certificate is not a valid x509 certificate" + tst_res $IMA_FAIL "logged certificate is not a valid x509 certificate" return fi if cmp -s $temp_file $cert_file; then tst_res TPASS "logged certificate matches the original" else - tst_res TFAIL "logged certificate does not match original" + tst_res $IMA_FAIL "logged certificate does not match original" fi } diff --git a/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh b/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh index ca9d73b4aa..41d53aa03b 100755 --- a/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh +++ b/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh @@ -11,6 +11,7 @@ TST_NEEDS_CMDS="awk cut sed" TST_SETUP="setup" TST_CNT=3 REQUIRED_BUILTIN_POLICY="tcb" +REQUIRED_POLICY_CONTENT='tcb.policy' setup() { @@ -70,6 +71,7 @@ test3() local user="nobody" local dir="$PWD/user" local file="$dir/test.txt" + local cmd="grep $file $ASCII_MEASUREMENTS" # Default policy does not measure user files tst_res TINFO "verify not measuring user files" 
@@ -87,7 +89,11 @@ test3() sudo -n -u $user sh -c "echo $(cat /proc/uptime) user file > $file; cat $file > /dev/null" cd .. - EXPECT_FAIL "grep $file $ASCII_MEASUREMENTS" + if tst_rod "$cmd" 2> /dev/null; then + tst_res TPASS "$cmd failed as expected" + else + tst_res $IMA_FAIL "$cmd passed unexpectedly" + fi } . ima_setup.sh diff --git a/testcases/kernel/security/integrity/ima/tests/ima_selinux.sh b/testcases/kernel/security/integrity/ima/tests/ima_selinux.sh index 75f9ba84e4..45fd741b5f 100755 --- a/testcases/kernel/security/integrity/ima/tests/ima_selinux.sh +++ b/testcases/kernel/security/integrity/ima/tests/ima_selinux.sh @@ -1,6 +1,7 @@ #!/bin/sh # SPDX-License-Identifier: GPL-2.0-or-later # Copyright (c) 2021 Microsoft Corporation +# Copyright (c) Linux Test Project, 2021-2025 # Author: Lakshmi Ramasubramanian # # Verify measurement of SELinux policy hash and state. @@ -14,15 +15,12 @@ TST_CNT=2 TST_SETUP="setup" TST_MIN_KVER="5.12" -FUNC_CRITICAL_DATA='func=CRITICAL_DATA' -REQUIRED_POLICY="^measure.*$FUNC_CRITICAL_DATA" +REQUIRED_POLICY_CONTENT='selinux.policy' setup() { SELINUX_DIR=$(tst_get_selinux_dir) [ "$SELINUX_DIR" ] || tst_brk TCONF "SELinux is not enabled" - - require_ima_policy_content "$REQUIRED_POLICY" '-E' > $TST_TMPDIR/policy.txt } # Format of the measured SELinux state data. @@ -45,7 +43,7 @@ validate_policy_capabilities() measured_value=$(echo $1 | awk -F'[=;]' -v inx="$inx" '{print $inx}') expected_value=$(cat "$SELINUX_DIR/policy_capabilities/$measured_cap") if [ "$measured_value" != "$expected_value" ]; then - tst_res TFAIL "$measured_cap: expected: $expected_value, got: $digest" + tst_res $IMA_FAIL "$measured_cap: expected: $expected_value, got: $digest" return fi @@ -75,7 +73,7 @@ test1() # in kernel memory for SELinux line=$(grep -E "selinux-policy-hash" $ASCII_MEASUREMENTS | tail -1) if [ -z "$line" ]; then - tst_res TFAIL "SELinux policy hash not measured" + tst_res $IMA_FAIL "SELinux policy hash not measured" return fi 
@@ -86,7 +84,7 @@ test1() tst_brk TCONF "cannot compute digest for $algorithm" if [ "$policy_digest" != "$expected_policy_digest" ]; then - tst_res TFAIL "Digest mismatch: expected: $expected_policy_digest, got: $policy_digest" + tst_res $IMA_FAIL "Digest mismatch: expected: $expected_policy_digest, got: $policy_digest" return fi @@ -116,7 +114,7 @@ test2() # state matches that currently set for SELinux line=$(grep -E "selinux-state" $ASCII_MEASUREMENTS | tail -1) if [ -z "$line" ]; then - tst_res TFAIL "SELinux state not measured" + tst_res $IMA_FAIL "SELinux state not measured" return fi @@ -129,7 +127,7 @@ test2() tst_brk TCONF "cannot compute digest for $algorithm" if [ "$digest" != "$expected_digest" ]; then - tst_res TFAIL "digest mismatch: expected: $expected_digest, got: $digest" + tst_res $IMA_FAIL "digest mismatch: expected: $expected_digest, got: $digest" return fi @@ -146,20 +144,20 @@ test2() enforced_value=$(echo $measured_data | awk -F'[=;]' '{print $4}') expected_enforced_value=$(cat $SELINUX_DIR/enforce) if [ "$expected_enforced_value" != "$enforced_value" ]; then - tst_res TFAIL "enforce: expected: $expected_enforced_value, got: $enforced_value" + tst_res $IMA_FAIL "enforce: expected: $expected_enforced_value, got: $enforced_value" return fi checkreqprot_value=$(echo $measured_data | awk -F'[=;]' '{print $6}') expected_checkreqprot_value=$(cat $SELINUX_DIR/checkreqprot) if [ "$expected_checkreqprot_value" != "$checkreqprot_value" ]; then - tst_res TFAIL "checkreqprot: expected: $expected_checkreqprot_value, got: $checkreqprot_value" + tst_res $IMA_FAIL "checkreqprot: expected: $expected_checkreqprot_value, got: $checkreqprot_value" return fi initialized_value=$(echo $measured_data | awk -F'[=;]' '{print $2}') if [ "$initialized_value" != "1" ]; then - tst_res TFAIL "initialized: expected 1, got: $initialized_value" + tst_res $IMA_FAIL "initialized: expected 1, got: $initialized_value" return fi 
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh index 2a578ceb45..af5584951c 100644 --- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh +++ b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh @@ -19,6 +19,9 @@ SYSFS="/sys" UMOUNT= TST_FS_TYPE="ext3" +IMA_FAIL="TFAIL" +IMA_BROK="TBROK" + # TODO: find support for rmd128 rmd256 rmd320 wp256 wp384 tgr128 tgr160 compute_digest() { @@ -85,21 +88,9 @@ require_policy_writable() check_ima_policy_content() { local pattern="$1" - local grep_params="${2--q}" check_policy_readable || return 1 - grep $grep_params "$pattern" $IMA_POLICY -} - -require_ima_policy_content() -{ - local pattern="$1" - local grep_params="${2--q}" - - require_policy_readable - if ! grep $grep_params "$pattern" $IMA_POLICY; then - tst_brk TCONF "IMA policy does not specify '$pattern'" - fi + grep -q "$pattern" $IMA_POLICY } check_ima_policy_cmdline() 
@@ -158,6 +149,51 @@ print_ima_config() tst_res TINFO "/proc/cmdline: $(cat /proc/cmdline)" } +# Check for required +# 1) IMA builtin policy (based on /proc/cmdline) +# 2) IMA policy content (actual content of /sys/kernel/security/ima/policy) +# When missing CONFIG_IMA_READ_POLICY=y on required policy convert: test, but convert TFAIL => TCONF. +# $REQUIRED_POLICY_CONTENT: file with required IMA policy +# $REQUIRED_BUILTIN_POLICY: IMA policy specified as kernel cmdline +verify_ima_policy() +{ + local check_content line + local file="$TST_DATAROOT/$REQUIRED_POLICY_CONTENT" + + if [ -z "$REQUIRED_POLICY_CONTENT" -a -z "$REQUIRED_BUILTIN_POLICY" ]; then + return 0 + fi + + if [ -n "$REQUIRED_POLICY_CONTENT" ]; then + check_content=1 + if [ -n "$REQUIRED_BUILTIN_POLICY" ] && check_ima_policy_cmdline "$REQUIRED_BUILTIN_POLICY"; then + tst_res TINFO "booted with IMA policy: $REQUIRED_BUILTIN_POLICY" + return 0 + fi + elif [ -n "$REQUIRED_BUILTIN_POLICY" ]; then + require_ima_policy_cmdline "$REQUIRED_BUILTIN_POLICY" + fi + + if [ "$check_content" = 1 ]; then + [ -e $file ] || tst_brk TBROK "policy file '$file' does not exist (LTPROOT=$LTPROOT)" + tst_res TINFO "test requires IMA policy:" + cat $file + if check_policy_readable; then + # check IMA policy content + while read line; do + if ! grep -q "$line" $IMA_POLICY; then + tst_brk TCONF "missing required policy '$line'" + fi + IMA_POLICY_CHECKED=1 + done < $file + else + tst_res TINFO "policy is not readable, failure will be treated as TCONF" + IMA_FAIL="TCONF" + IMA_BROK="TCONF" + fi + fi +} + ima_setup() { SECURITYFS="$(mount_helper securityfs $SYSFS/kernel/security)" @@ -180,9 +216,7 @@ ima_setup() cd "$TST_MNTPOINT" fi - if [ "$REQUIRED_BUILTIN_POLICY" ]; then - require_ima_policy_cmdline "$REQUIRED_BUILTIN_POLICY" - fi + verify_ima_policy [ -n "$TST_SETUP_CALLER" ] && $TST_SETUP_CALLER } 
@@ -290,7 +324,7 @@ ima_check() algorithm=$(cat tmp | cut -d'|' -f1) digest=$(cat tmp | cut -d'|' -f2) else - tst_brk TBROK "failed to get algorithm/digest for '$test_file'" + tst_brk $IMA_BROK "failed to get algorithm/digest for '$test_file'" fi tst_res TINFO "computing digest for $algorithm algorithm" diff --git a/testcases/kernel/security/integrity/ima/tests/ima_violations.sh b/testcases/kernel/security/integrity/ima/tests/ima_violations.sh index b2b597ad08..1852e8bc74 100755 --- a/testcases/kernel/security/integrity/ima/tests/ima_violations.sh +++ b/testcases/kernel/security/integrity/ima/tests/ima_violations.sh @@ -1,7 +1,7 @@ #!/bin/sh # SPDX-License-Identifier: GPL-2.0-or-later # Copyright (c) 2009 IBM Corporation -# Copyright (c) 2018-2020 Petr Vorel +# Copyright (c) 2018-2025 Petr Vorel # Author: Mimi Zohar # # Test whether ToMToU and open_writer violations invalidatethe PCR and are logged. @@ -10,6 +10,8 @@ TST_SETUP="setup" TST_CLEANUP="cleanup" TST_CNT=3 +REQUIRED_POLICY_CONTENT='violations.policy' + setup() { FILE="test.txt" 
@@ -83,11 +85,11 @@ validate() tst_sleep 1s fi else - tst_res TFAIL "$search violation not added" + tst_res $IMA_FAIL "$search violation not added" return fi done - tst_res TFAIL "$search not found in $LOG" + tst_res $IMA_FAIL "$search not found in $LOG" } test1()
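Review bot: the template check in the new ima_keys.sh setup() (hunk `@@ -12,38 +12,24 @@`) now scans every line of $IMA_POLICY, whereas the old loop read $TST_TMPDIR/policy.txt, which held only the lines matching `^measure.*func=KEY_CHECK`; any unrelated rule carrying a `template=` other than ima-buf (say a FILE_CHECK rule with template=ima-ng) now aborts the test with TCONF. Suggest filtering first, as the old code did, e.g. `grep 'func=KEY_CHECK' $IMA_POLICY > $TST_TMPDIR/policy.txt` and reading the loop from that file (a `grep | while read` pipeline would put tst_brk in a subshell). Separately, the unconditional `require_policy_readable` means this test still needs CONFIG_IMA_READ_POLICY=y and never gets the TFAIL => TCONF handling that verify_ima_policy() sets up; if that is intended, the commit message should say so.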
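Review bot: in test1() of ima_keys.sh (hunk `@@ -51,12 +37,10 @@`) $tmp_file is still read but no longer written: the deleted `check_keys_policy "$pattern" > $tmp_file || return` was the only command producing file2.txt, yet `keycheck_lines=$(cat $tmp_file)` remains, so `keyrings` and `templates` are now derived from a missing file (cat fails and the list is empty). Either keep writing the matching KEY_CHECK lines there (`grep -E 'func=KEY_CHECK.*keyrings=[^[:space:]]+' $IMA_POLICY > $tmp_file`) or read them from $IMA_POLICY directly.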
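Review bot: removing the `keyrings=[^[:space:]]*$keyring_name` check in test2() of ima_keys.sh (hunk `@@ -105,13 +89,10 @@`) turns a previously reported TCONF into `$IMA_FAIL "keyring key_import_test not found in $ASCII_MEASUREMENTS"` whenever the loaded policy has no KEY_CHECK rule for that keyring. That is only correct if keycheck.policy (not shown in this patch) contains such a rule and verify_ima_policy() has verified it; a comment next to `keyring_name` pointing at that dependency would help the next reader.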
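Review bot: the branches in test3() of ima_measurements.sh (hunk `@@ -87,7 +89,11 @@`) look inverted: `if tst_rod "$cmd"` takes the then-branch when grep succeeds, i.e. when the user file was found in $ASCII_MEASUREMENTS, but that branch reports `TPASS "$cmd failed as expected"`. The replaced EXPECT_FAIL passed on a non-zero exit, and if tst_rod is the run-or-die helper (like ROD) a non-zero grep would tst_brk TBROK before the else-branch is ever reached. Suggest `if grep -q "$file" $ASCII_MEASUREMENTS; then tst_res $IMA_FAIL "$file measured unexpectedly"; else tst_res TPASS "$file not measured, as expected"; fi`.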
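Review bot: validate_policy_capabilities() in ima_selinux.sh (hunk `@@ -45,7 +43,7 @@`) still reports `got: $digest` although the value compared is `$measured_value`; since the line is being rewritten anyway, make it `got: $measured_value` so a capability mismatch prints the value that was actually measured.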
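Review bot: `grep -q "$line" $IMA_POLICY` in verify_ima_policy() (ima_setup.sh hunk `@@ -158,6 +149,51 @@`) matches each required rule as an unanchored basic regular expression, which weakens the check in two ways. First, `dont_measure func=KEY_CHECK` contains `measure func=KEY_CHECK` as a substring, so a policy that explicitly excludes a function satisfies a required `measure` rule. Second, rule text is full of regex metacharacters: `^` in `mask=^MAY_READ` (only GNU grep treats it literally mid-pattern), `.` and `|` in keyring lists, `*` in globs. Suggest `grep -v '^dont_' $IMA_POLICY | grep -qF -- "$line"` and skipping empty or comment lines, since `grep -q ""` matches any file; also `read -r line` and quoting `"$file"` in `[ -e $file ]`. The comment above the function ("When missing CONFIG_IMA_READ_POLICY=y on required policy convert: test, but convert TFAIL => TCONF.") is hard to parse; something like "if CONFIG_IMA_READ_POLICY=y is missing the test still runs, but TFAIL/TBROK are converted to TCONF" would match what the code does.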
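The required-policy content check this patch adds, as an added stand-alone example (not LTP code and not part of this series): it matches required rules as fixed strings and does not let a dont_* rule satisfy a required measure rule; the function names and the three sample policy files are constructed for this example, and a missing rule is reported via return code because tst_brk is not available outside LTP.

```shell
#!/bin/sh
# Added example, not part of the LTP series: a stand-alone version of the
# required-policy content check that verify_ima_policy() performs in the patch.
# Differences from the patch: rules are matched as fixed strings (-F), a
# dont_measure/dont_appraise line never satisfies a required measure/appraise
# rule, and a missing rule is reported by return code instead of tst_brk TCONF.
# Function names and the sample policies below are this example's own.

# ima_policy_has_rule <policy-file> <rule>
# Returns 0 when <rule> occurs verbatim in an active (non-"dont_") line of
# <policy-file>, 1 otherwise.
ima_policy_has_rule()
{
	local policy="$1" rule="$2"

	# -F: a rule is a literal string; "^" in mask=^MAY_READ and "." or "|"
	#     in keyring lists would otherwise be regex metacharacters.
	# grep -v '^dont_': "dont_measure func=KEY_CHECK" contains the text
	#     "measure func=KEY_CHECK", so such lines must be dropped first.
	grep -v '^dont_' "$policy" | grep -qF -- "$rule"
}

# verify_required_policy <required-file> <policy-file>
# Checks every non-empty, non-comment line of <required-file>. Returns 0 when
# all are present; otherwise prints the first missing rule and returns 1.
verify_required_policy()
{
	local required="$1" policy="$2" line

	while IFS= read -r line; do
		case "$line" in
		''|'#'*) continue ;;
		esac
		if ! ima_policy_has_rule "$policy" "$line"; then
			echo "$line"
			return 1
		fi
	done < "$required"
	return 0
}

# Constructed sample data (not from a real system): what the kernel might
# report in /sys/kernel/security/ima/policy, plus two required-policy files
# in the style of the *.policy files this series introduces.
EXAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$EXAMPLE_DIR"' EXIT
cat > "$EXAMPLE_DIR/loaded.policy" <<'EOF'
dont_measure fsmagic=0x9fa0
measure func=FILE_CHECK mask=^MAY_READ euid=0
measure func=FILE_CHECK mask=^MAY_READ uid=0
dont_measure func=KEY_CHECK
measure func=KEXEC_CMDLINE
EOF
cat > "$EXAMPLE_DIR/ok.policy" <<'EOF'
# every rule here is present in loaded.policy
measure func=FILE_CHECK mask=^MAY_READ euid=0
measure func=KEXEC_CMDLINE
EOF
# A plain "grep -q" would accept this rule because of the dont_measure line.
cat > "$EXAMPLE_DIR/missing.policy" <<'EOF'
measure func=KEY_CHECK
EOF

# Demonstration: the first file passes, the second reports the missing rule.
if verify_required_policy "$EXAMPLE_DIR/ok.policy" "$EXAMPLE_DIR/loaded.policy"; then
	echo "ok.policy: all required rules are loaded"
fi
missing_rule=$(verify_required_policy "$EXAMPLE_DIR/missing.policy" "$EXAMPLE_DIR/loaded.policy") \
	|| echo "missing.policy: required rule not loaded: $missing_rule"
```

The kernel prints each rule of /sys/kernel/security/ima/policy in its own canonical form, so a required-policy file has to use that form for a substring match to succeed; this example, like the patch, assumes it does.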
From: Petr Vorel
To: ltp@lists.linux.it
Cc: Petr Vorel , Mimi Zohar , linux-integrity@vger.kernel.org
Subject: [PATCH v3 06/10] ima_violations.sh: Declare tcb builtin policy
Date: Tue, 14 Jan 2025 12:29:11 +0100
Message-ID: <20250114112915.610297-7-pvorel@suse.cz>
In-Reply-To: <20250114112915.610297-1-pvorel@suse.cz>

The IMA builtin policy contains the required rules, so allow using it. This helps to get more reliable results on kernels without CONFIG_IMA_READ_POLICY=y.

Signed-off-by: Petr Vorel
---
 testcases/kernel/security/integrity/ima/tests/ima_violations.sh | 1 +
 1 file changed, 1 insertion(+)

diff --git a/testcases/kernel/security/integrity/ima/tests/ima_violations.sh b/testcases/kernel/security/integrity/ima/tests/ima_violations.sh
index 1852e8bc74..37d8d473c2 100755
--- a/testcases/kernel/security/integrity/ima/tests/ima_violations.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_violations.sh
@@ -10,6 +10,7 @@ TST_SETUP="setup" TST_CLEANUP="cleanup" TST_CNT=3 +REQUIRED_BUILTIN_POLICY="tcb" REQUIRED_POLICY_CONTENT='violations.policy' setup()
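Review bot: with both REQUIRED_BUILTIN_POLICY="tcb" and REQUIRED_POLICY_CONTENT='violations.policy' set, verify_ima_policy() from patch 05 returns as soon as check_ima_policy_cmdline finds the tcb policy on /proc/cmdline and never compares violations.policy with the loaded policy. That is only sound if every rule in violations.policy (not shown here) is part of the kernel's tcb builtin rules, and /proc/cmdline only proves what the kernel booted with: a custom policy written to securityfs later replaces the builtin rules. Consider stating the subset assumption in the commit message and, when the policy is readable, preferring the content check over the early return.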
From: Petr Vorel
To: ltp@lists.linux.it
Cc: Petr Vorel , Mimi Zohar , linux-integrity@vger.kernel.org
Subject: [PATCH v3 07/10] ima_setup.sh: Add digest index detection for ima-buf format
Date: Tue, 14 Jan 2025 12:29:12 +0100
Message-ID: <20250114112915.610297-8-pvorel@suse.cz>
In-Reply-To: <20250114112915.610297-1-pvorel@suse.cz>

The ima-buf format might be loaded via the policy loading in the next commit.

Signed-off-by: Petr Vorel
---
 testcases/kernel/security/integrity/ima/tests/ima_setup.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
index af5584951c..1f01f18cf6 100644
--- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
@@ -242,7 +242,7 @@ set_digest_index() # parse digest index # https://www.kernel.org/doc/html/latest/security/IMA-templates.html#use case "$template" in - ima|ima-ng|ima-sig) DIGEST_INDEX=4 ;; + ima|ima-buf|ima-ng|ima-sig) DIGEST_INDEX=4 ;; *) # using ima_template_fmt kernel parameter local IFS="|"
From: Petr Vorel
To: ltp@lists.linux.it
Cc: Petr Vorel , Mimi Zohar , linux-integrity@vger.kernel.org
Subject: [PATCH v3 08/10] ima_setup.sh: Allow to load predefined policy
Date: Tue, 14 Jan 2025 12:29:13 +0100
Message-ID: <20250114112915.610297-9-pvorel@suse.cz>
X-Mailer: git-send-email 2.47.1
In-Reply-To: <20250114112915.610297-1-pvorel@suse.cz>
References: <20250114112915.610297-1-pvorel@suse.cz>
X-Mailing-List: linux-integrity@vger.kernel.org
MIME-Version: 1.0

environment variable LTP_IMA_LOAD_POLICY=1 tries to load example policy if available. This should be used only if tooling running LTP tests allows a reboot afterwards because policy may be writable only once, e.g. missing CONFIG_IMA_WRITE_POLICY=y, or policies can influence each other.

Loading may fail due to various reasons (e.g. previously mentioned missing CONFIG_IMA_WRITE_POLICY=y and policy already loaded or when secure boot is enabled and the kernel is configured with CONFIG_IMA_ARCH_POLICY enabled, an appraise func=POLICY_CHECK appraise_type=imasig rule is loaded, requiring the IMA policy itself to be signed).

Signed-off-by: Petr Vorel
---
 doc/users/setup_tests.rst | 3 +
 .../kernel/security/integrity/ima/README.md | 12 ++++
 .../security/integrity/ima/tests/ima_kexec.sh | 1 +
 .../security/integrity/ima/tests/ima_keys.sh | 1 +
 .../integrity/ima/tests/ima_measurements.sh | 2 +-
 .../integrity/ima/tests/ima_selinux.sh | 1 +
 .../security/integrity/ima/tests/ima_setup.sh | 72 ++++++++++++++++---
 7 files changed, 82 insertions(+), 10 deletions(-)
diff --git a/doc/users/setup_tests.rst b/doc/users/setup_tests.rst index 721ec6bb5e..9d7f9b2cd9 100644 --- a/doc/users/setup_tests.rst +++ b/doc/users/setup_tests.rst @@ -59,6 +59,9 @@ users. both up and down with this multiplier. This is not yet implemented in the shell API. + * - LTP_IMA_LOAD_POLICY + - Load IMA example policy, see :master:`testcases/kernel/security/integrity/ima/README.md`. + * - LTP_VIRT_OVERRIDE - Overrides virtual machine detection in the test library. Setting it to empty string, tells the library that system is not a virtual machine. diff --git a/testcases/kernel/security/integrity/ima/README.md b/testcases/kernel/security/integrity/ima/README.md index 5b261a1914..c5b3db1a5a 100644 --- a/testcases/kernel/security/integrity/ima/README.md +++ b/testcases/kernel/security/integrity/ima/README.md @@ -8,6 +8,18 @@ CONFIG_INTEGRITY=y CONFIG_IMA=y ``` +### Loading policy for testing (optional) +Setting environment variable `LTP_IMA_LOAD_POLICY=1` tries to load example +policy if available. This should be used only if tooling running LTP tests +allows to reboot afterwards because policy may be writable only once, e.g. +missing `CONFIG_IMA_WRITE_POLICY=y`, or policies can influence each other. + +Loading may fail due various reasons (e.g. previously mentioned missing +`CONFIG_IMA_WRITE_POLICY=y` and policy already loaded or when secure boot is +enabled and the kernel is configured with `CONFIG_IMA_ARCH_POLICY` enabled, an +`appraise func=POLICY_CHECK appraise_type=imasig` rule is loaded, requiring the +IMA policy itself to be signed). + ### IMA measurement tests `ima_measurements.sh` require builtin IMA tcb policy to be loaded (`ima_policy=tcb` kernel parameter). diff --git a/testcases/kernel/security/integrity/ima/tests/ima_kexec.sh b/testcases/kernel/security/integrity/ima/tests/ima_kexec.sh index 95e6186bb5..5d178494b7 100755 --- a/testcases/kernel/security/integrity/ima/tests/ima_kexec.sh 
+++ b/testcases/kernel/security/integrity/ima/tests/ima_kexec.sh @@ -7,6 +7,7 @@ # Verify that kexec cmdline is measured correctly. # Test attempts to kexec the existing running kernel image. # To kexec a different kernel image export IMA_KEXEC_IMAGE=. +# Test requires example IMA policy loadable with LTP_IMA_LOAD_POLICY=1. TST_NEEDS_CMDS="grep kexec sed" TST_CNT=3 diff --git a/testcases/kernel/security/integrity/ima/tests/ima_keys.sh b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh index a2e9c77738..fb1636a8b8 100755 --- a/testcases/kernel/security/integrity/ima/tests/ima_keys.sh +++ b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh @@ -5,6 +5,7 @@ # Author: Lachlan Sneff # # Verify that keys are measured correctly based on policy. +# Test requires example IMA policy loadable with LTP_IMA_LOAD_POLICY=1. TST_NEEDS_CMDS="cmp cut grep sed" TST_CNT=2 diff --git a/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh b/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh index 41d53aa03b..c42c31c898 100755 --- a/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh +++ b/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh @@ -5,7 +5,7 @@ # Author: Mimi Zohar # # Verify that measurements are added to the measurement list based on policy. -# Test requires ima_policy=tcb. +# Test requires either ima_policy=tcb or example policy loadable with LTP_IMA_LOAD_POLICY=1. TST_NEEDS_CMDS="awk cut sed" TST_SETUP="setup" diff --git a/testcases/kernel/security/integrity/ima/tests/ima_selinux.sh b/testcases/kernel/security/integrity/ima/tests/ima_selinux.sh index 45fd741b5f..97c5d64ec5 100755 --- a/testcases/kernel/security/integrity/ima/tests/ima_selinux.sh +++ b/testcases/kernel/security/integrity/ima/tests/ima_selinux.sh 
@@ -5,6 +5,7 @@ # Author: Lakshmi Ramasubramanian # # Verify measurement of SELinux policy hash and state. +# Test requires example IMA policy loadable with LTP_IMA_LOAD_POLICY=1. # # Relevant kernel commits: # * fdd1ffe8a812 ("selinux: include a consumer of the new IMA critical data hook") diff --git a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh index 1f01f18cf6..5213763ee0 100644 --- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh +++ b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh @@ -75,14 +75,20 @@ require_policy_readable() fi } -require_policy_writable() +check_policy_writable() { - local err="IMA policy already loaded and kernel not configured to enable multiple writes to it (need CONFIG_IMA_WRITE_POLICY=y)" - - [ -f $IMA_POLICY ] || tst_brk TCONF "$err" - # CONFIG_IMA_READ_POLICY + [ -f $IMA_POLICY ] || return 1 + # workaround for kernels < v4.18 without fix + # ffb122de9a60b ("ima: Reflect correct permissions for policy") echo "" 2> log > $IMA_POLICY - grep -q "Device or resource busy" log && tst_brk TCONF "$err" + grep -q "Device or resource busy" log && return 1 + return 0 +} + +require_policy_writable() +{ + check_policy_writable || tst_brk TCONF \ + "IMA policy already loaded and kernel not configured to enable multiple writes to it (need CONFIG_IMA_WRITE_POLICY=y)" } check_ima_policy_content() 
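Review bot: check_policy_writable() treats only "Device or resource busy" as a failure, so any other write error, including the "Permission denied" this commit message describes for secure boot with CONFIG_IMA_ARCH_POLICY (an unsigned rule write is rejected), makes it return 0 and require_policy_writable() then reports the policy as writable. Checking the redirection's exit status instead (`echo "" 2> log > $IMA_POLICY || return 1`) covers every error and avoids grepping a locale-dependent strerror() message; `log` is also a relative path, so the function silently depends on the caller already being in the test's temporary directory, which is worth a comment.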
@@ -182,16 +188,58 @@ verify_ima_policy() # check IMA policy content while read line; do if ! grep -q "$line" $IMA_POLICY; then - tst_brk TCONF "missing required policy '$line'" + tst_res TINFO "WARNING: missing required policy content: '$line'" + return 1 fi - IMA_POLICY_CHECKED=1 done < $file + IMA_POLICY_CHECKED=1 else tst_res TINFO "policy is not readable, failure will be treated as TCONF" IMA_FAIL="TCONF" IMA_BROK="TCONF" + return 1 fi fi + return 0 +} + +load_ima_policy() +{ + local file="$TST_DATAROOT/$REQUIRED_POLICY_CONTENT" + + if [ "$LTP_IMA_LOAD_POLICY" != 1 -a "$IMA_POLICY_CHECKED" != 1 ]; then + tst_res TCONF "missing required policy, example policy can be loaded with LTP_IMA_LOAD_POLICY=1" + return 0 + fi + + if [ "$IMA_POLICY_CHECKED" = 1 ]; then + tst_res TINFO "valid policy already loaded, ignore LTP_IMA_LOAD_POLICY=1" + fi + + tst_res TINFO "trying to load '$file' policy:" + cat $file + if ! check_policy_writable; then + tst_res TINFO "WARNING: IMA policy already loaded and kernel not configured to enable multiple writes to it (need CONFIG_IMA_WRITE_POLICY=y), reboot required, failures will be treated as TCONF" + IMA_FAIL="TCONF" + IMA_BROK="TCONF" + LTP_IMA_LOAD_POLICY= + return + fi + + cat "$file" 2> log > $IMA_POLICY + if grep -q "Device or resource busy" log; then + tst_brk TBROK "loading policy failed" + fi + + if grep -q "write error: Permission denied" log; then + tst_brk TCONF "loading unsigned policy failed" + fi + + IMA_POLICY_LOADED=1 + + tst_res TINFO "example policy successfully loaded" + IMA_FAIL="TFAIL" + IMA_BROK="TBROK" } ima_setup() @@ -216,7 +264,9 @@ ima_setup() cd "$TST_MNTPOINT" fi - verify_ima_policy + if ! verify_ima_policy; then + load_ima_policy + fi [ -n "$TST_SETUP_CALLER" ] && $TST_SETUP_CALLER } 
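Review bot: In load_ima_policy() the `[ "$IMA_POLICY_CHECKED" = 1 ]` branch prints "ignore LTP_IMA_LOAD_POLICY=1" but does not return, so the function goes on and writes the example policy anyway; add `return 0` after the TINFO (as written the branch is also unreachable from ima_setup(), which only calls load_ima_policy() when verify_ima_policy() fails, and IMA_POLICY_CHECKED=1 is set only on its success path). Second, the `tst_res TCONF "missing required policy, ..."` path returns 0 without setting IMA_FAIL/IMA_BROK to TCONF, unlike the not-readable branch of verify_ima_policy(), so the tests then run against a policy known to lack required rules and report TFAIL rather than TCONF; either keep the removed `tst_brk TCONF` behaviour or apply the same downgrade here. Finally, since the commit message notes that an `appraise func=POLICY_CHECK` rule requires a signed policy, `cat "$file" > $IMA_POLICY` can never satisfy that configuration, whereas writing the absolute path of the policy file makes the kernel read and appraise the file itself; consider supporting the path form for signed example policies.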
@@ -230,6 +280,10 @@ ima_cleanup() for dir in $UMOUNT; do umount $dir done + + if [ "$IMA_POLICY_LOADED" = 1 ]; then + tst_res TINFO "WARNING: policy loaded via LTP_IMA_LOAD_POLICY=1, reboot recommended" + fi } set_digest_index() From patchwork Tue Jan 14 11:29:14 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Petr Vorel X-Patchwork-Id: 13938637 Received: from smtp-out2.suse.de (smtp-out2.suse.de [195.135.223.131]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 788E1284A48 for ; Tue, 14 Jan 2025 11:29:27 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=195.135.223.131 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1736854169; cv=none; b=b1k1LhTlyWrZd/Hv6GWku/oXkvSiqJRSjgFQ2hJO+zrn5dPAAHkEcSgpXJhYOb8nc7yBoBiwPWBsgsqahCXkO08df/h7o+BWDF3eiB1rSjHI+2v1DhLAza9y1vMWbKW7kGfkfjRKibLFOaZT2tiESGqBfVKFzLGBErnU1QaWDJ4= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1736854169; c=relaxed/simple; bh=VSpXkU5xVa9eqJVA9qotmIG+zbKOdFuw71zN01bCQEg=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=LQwNdkxHi0MQ9wL4kttkpfqJcSEf8Yz3vtkVxXGsxZcFFGK91pwnGF6ixOWgXIzIOTmlb5FZdDjCgKmwzOIQzK+dP+KojrZggpAp5oWPu4CX08K7MPmvJILv1yFIXNhb64hKcEnpzZke+IG2VvF2C3dQdGw4fZTXQdMj8nZ+zPU= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=suse.cz; spf=pass smtp.mailfrom=suse.cz; dkim=pass (1024-bit key) header.d=suse.cz header.i=@suse.cz header.b=e87wnBD0; dkim=permerror (0-bit key) header.d=suse.cz header.i=@suse.cz header.b=n+Ey4BbV; dkim=pass (1024-bit key) header.d=suse.cz header.i=@suse.cz header.b=e87wnBD0; dkim=permerror (0-bit key) header.d=suse.cz header.i=@suse.cz header.b=n+Ey4BbV; arc=none smtp.client-ip=195.135.223.131 Authentication-Results: 
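Review bot: The "reboot recommended" TINFO in ima_cleanup() gives no reason; say why (the example policy stays active after the test and, without CONFIG_IMA_WRITE_POLICY=y, no other policy can be loaded until reboot, as the commit message explains), so someone reading the log of an automated run knows what state the machine was left in.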
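Review bot: In the README.md hunk, the "IMA measurement tests" section still says `ima_measurements.sh` requires the builtin tcb policy (`ima_policy=tcb`), while the header of ima_measurements.sh in this same patch now says either ima_policy=tcb or the example policy loaded with LTP_IMA_LOAD_POLICY=1; update that README paragraph to match. In the new "Loading policy for testing (optional)" section, "may fail due various reasons" should read "due to various reasons" and "allows to reboot afterwards" reads better as "allows a reboot afterwards"; the same wording appears in the commit message.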
From: Petr Vorel
To: ltp@lists.linux.it
Cc: Petr Vorel , Mimi Zohar , linux-integrity@vger.kernel.org
Subject: [PATCH v3 09/10] ima_measurements.sh: Check policy for test3
Date: Tue, 14 Jan 2025 12:29:14 +0100
Message-ID: <20250114112915.610297-10-pvorel@suse.cz>
X-Mailer: git-send-email 2.47.1
In-Reply-To: <20250114112915.610297-1-pvorel@suse.cz>
References: <20250114112915.610297-1-pvorel@suse.cz>
X-Mailing-List: linux-integrity@vger.kernel.org
MIME-Version: 1.0

The first two tests work with ima_policy=tcb, but the 3rd test requires a more specific policy.

Signed-off-by: Petr Vorel
---
 .../kernel/security/integrity/ima/tests/ima_measurements.sh | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh b/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh
index c42c31c898..35acc6ea78 100755
--- a/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh
@@ -77,6 +77,11 @@ test3() tst_res TINFO "verify not measuring user files" tst_check_cmds sudo || return + if [ "$IMA_POLICY_CHECKED" != 1 ]; then + tst_res TCONF "test requires specific policy, try load it with LTP_IMA_LOAD_POLICY=1" + return + fi + if ! id $user >/dev/null 2>/dev/null; then tst_res TCONF "missing system user $user (wrong installation)" return From patchwork Tue Jan 14 11:29:15 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Petr Vorel X-Patchwork-Id: 13938638 Received: from smtp-out2.suse.de (smtp-out2.suse.de [195.135.223.131]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 91227224B07 for ; Tue, 14 Jan 2025 11:29:27 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=195.135.223.131 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1736854169; cv=none; b=cQDsWsaFU2BHxkEAsjUBdwj2jTKtYvvDNrYiN3joNs9U3657vsJsv+hsdfRuf1kGIIRyD02PBoGuanhi2RCdM+rWNbUaLRrwg8Hx0QwUWJ2cM/AWn9mnSg8UpApC/rEwtYSyYxkStbx1rqcMY6evfWBMWtVhIe3H2/lwyKTlo5M= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1736854169; c=relaxed/simple; bh=+ayin8Bpi891FlWLcawQ+2XO0N0cUnmTzoVlLuaj9dU=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=ut7qqMvKn8qmbd7iRNfxW9a6U1w87Az4DR2GlgG5NO1X1ucmpVC+5+kcZiTUY5nGrKCXmSrocOTkajWcKChA6RToiVT8aloSBmcfIP6gybJPbMy/KLwetWxitfhASJkpNsFJ9rIS4jO2F7VVxsdDgMvPQSVJ5/tKALS+UIilE/w= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=suse.cz; spf=pass smtp.mailfrom=suse.cz; dkim=pass (1024-bit key) header.d=suse.cz header.i=@suse.cz header.b=2MgnJVZ3; dkim=permerror (0-bit key) header.d=suse.cz header.i=@suse.cz header.b=C4AOhQ3J; dkim=pass (1024-bit key) header.d=suse.cz header.i=@suse.cz header.b=2MgnJVZ3; 
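Review bot: test3 gates on IMA_POLICY_CHECKED, but after a successful LTP_IMA_LOAD_POLICY=1 run load_ima_policy() in patch 08 sets IMA_POLICY_LOADED=1 and never IMA_POLICY_CHECKED=1, so test3 still reports TCONF and even suggests setting the variable that was already set. Either re-run verify_ima_policy() after the load so IMA_POLICY_CHECKED reflects the loaded policy, or test both flags: `if [ "$IMA_POLICY_CHECKED" != 1 -a "$IMA_POLICY_LOADED" != 1 ]; then`. Minor: "try load it" should read "try loading it".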
From: Petr Vorel
To: ltp@lists.linux.it
Cc: Petr Vorel , Mimi Zohar , linux-integrity@vger.kernel.org
Subject: [PATCH v3 10/10] tst_test.sh: IMA: Allow to disable LSM warnings and use it for IMA
Date: Tue, 14 Jan 2025 12:29:15 +0100
Message-ID: <20250114112915.610297-11-pvorel@suse.cz>
X-Mailer: git-send-email 2.47.1
In-Reply-To: <20250114112915.610297-1-pvorel@suse.cz>
References: <20250114112915.610297-1-pvorel@suse.cz>
X-Mailing-List: linux-integrity@vger.kernel.org
MIME-Version: 1.0

Suggested-by: Mimi Zohar
Signed-off-by: Petr Vorel
---
 testcases/kernel/security/integrity/ima/tests/ima_setup.sh | 1 +
 testcases/lib/tst_test.sh | 4 ++--
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
index 5213763ee0..69ee5a3d65 100644
--- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
@@ -11,6 +11,7 @@ TST_CLEANUP_CALLER="$TST_CLEANUP" TST_CLEANUP="ima_cleanup" TST_NEEDS_ROOT=1 TST_MOUNT_DEVICE=1 +TST_SKIP_LSM_WARNINGS=1 # TST_MOUNT_DEVICE can be unset, therefore specify explicitly TST_NEEDS_TMPDIR=1 diff --git a/testcases/lib/tst_test.sh b/testcases/lib/tst_test.sh index cfdae02300..2b797705e3 100644 --- a/testcases/lib/tst_test.sh +++ b/testcases/lib/tst_test.sh @@ -1,6 +1,6 @@ #!/bin/sh # SPDX-License-Identifier: GPL-2.0-or-later -# Copyright (c) Linux Test Project, 2014-2022 +# Copyright (c) Linux Test Project, 2014-2025 # Author: Cyril Hrubis # # LTP test library for shell. @@ -81,7 +81,7 @@ _tst_do_exit() fi if [ $TST_BROK -gt 0 -o $TST_FAIL -gt 0 -o $TST_WARN -gt 0 ]; then - _tst_check_security_modules + [ -z "$TST_SKIP_LSM_WARNINGS" ] && _tst_check_security_modules fi cat >&2 << EOF
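Review bot: TST_SKIP_LSM_WARNINGS is a new test-library variable but nothing in this patch documents it; add it to the shell API variable list next to the other TST_* settings, and give the commit message a body explaining why IMA tests opt out (an empty message plus Suggested-by leaves the reason to guesswork; presumably the LSM warning reports IMA itself as an active security module, which is noise for tests that require IMA). Style, in the tst_test.sh hunk: `[ -z "$TST_SKIP_LSM_WARNINGS" ] && _tst_check_security_modules` as the last command of the `if` body makes that body's status 1 whenever the variable is set; harmless here because `cat` follows, but an explicit `if [ -z "$TST_SKIP_LSM_WARNINGS" ]; then` reads clearer and matches the surrounding code.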