On Fri, 2018-04-27 at 11:51 +0200, Petr Vorel wrote: > Hi, > > > changes v2->v3: > > * Fixed some of errors caused by test order. > > > * ima_boot_aggregate > > - max event size is now 1MB according to spec > > > * ima_mmap > > - reduce sleep + log it > > - rewritten into new API > > > * ima_measurements.sh > > - don't require iversion for kernel >= 4.16 > > - avoid using tmpfs > > > * ima_policy.sh > > - improved detection of policy writability > > - merge test2 and test3 > > > * ima_violations.sh > > - avoid using tmpfs > > - improved grepping logs (no sleep is needed) > > > * ima_tpm.sh > > - Improve error messages > > > TODO: > > * fix problems with violations tests (see patch 02/10). > > * detect whether policy must be signed (currently tests assume the > > policy does not need to be signed): > > https://lists.linux.it/pipermail/ltp/2018-April/007702.html > > http://lists.linux.it/pipermail/ltp/2018-January/006970.html > > Merged. See diff against v3, if interested. > Thanks a lot Mimi for your comments, tips and review. Thank you for working on this and cleaning it up! > > TODO: > > * detect whether policy must be signed (currently tests assume the > policy does not need to be signed): > https://lists.linux.it/pipermail/ltp/2018-April/007702.html > http://lists.linux.it/pipermail/ltp/2018-January/006970.html > > * ima_violations are failing on logging into /var/log/messages (without auditd): > > tst_device.c:83: INFO: Found free device '/dev/loop0' > ima_violations 1 TINFO: /proc/cmdline: BOOT_IMAGE=/vmlinuz-4.10.0-rc6-kaiser root=/dev/mapp er/debian--testing--vg-root ro quiet ima_policy=secure_boot > ima_violations 1 TINFO: IMA kernel config > ima_violations 1 TINFO: CONFIG_IMA=y > ima_violations 1 TINFO: CONFIG_IMA_MEASURE_PCR_IDX=10 > ima_violations 1 TINFO: CONFIG_IMA_LSM_RULES=y > ima_violations 1 TINFO: CONFIG_IMA_NG_TEMPLATE=y > ima_violations 1 TINFO: CONFIG_IMA_DEFAULT_TEMPLATE="ima-ng" > ima_violations 1 TINFO: CONFIG_IMA_DEFAULT_HASH_SHA1=y > ima_violations 1 TINFO: CONFIG_IMA_DEFAULT_HASH="sha1" > ima_violations 1 TINFO: CONFIG_IMA_WRITE_POLICY=y > ima_violations 1 TINFO: CONFIG_IMA_READ_POLICY=y > ima_violations 1 TINFO: CONFIG_IMA_APPRAISE=y > ima_violations 1 TINFO: CONFIG_IMA_TRUSTED_KEYRING=y > ima_violations 1 TINFO: CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y > ima_violations 1 TINFO: CONFIG_IMA_BLACKLIST_KEYRING=y > ima_violations 1 TINFO: $TMPDIR is on tmpfs => run on loop device > ima_violations 1 TINFO: Formatting /dev/loop0 with ext3 extra opts='' > ima_violations 1 TINFO: using log /var/log/messages > ima_violations 1 TINFO: verify open writers violation > ima_violations 1 TINFO: open_writers not found in /var/log/messages (1/3 attempt)... > ima_violations 1 TINFO: open_writers not found in /var/log/messages (2/3 attempt)... > ima_violations 1 TINFO: open_writers not found in /var/log/messages (3/3 attempt)... > ima_violations 1 TFAIL: open_writers not found in /var/log/messages > ima_violations 2 TINFO: verify ToMToU violation > ima_violations 2 TINFO: ToMToU not found in /var/log/messages (1/3 attempt)... > ima_violations 2 TINFO: ToMToU not found in /var/log/messages (2/3 attempt)... > ima_violations 2 TINFO: ToMToU not found in /var/log/messages (3/3 attempt)... > ima_violations 2 TFAIL: ToMToU not found in /var/log/messages > ... > This is due previous test ima_policy running (when there is not > possible write to policy, e.g. second run of the testsuites on CONFIG_IMA_WRITE_POLICY=n > it's ok) If there isn't any policy, then these results would be expected. > I wonder if we should just TCONF when logging into /var/log/messages with combination of > policy being writable (or TCONF when logging into /var/log/messages in any case). > > * Check whether current policy has tbc (i.e. presence of "ima_tcb" or "tcb" being part of ima_policy in > /proc/cmdline) [1]. I wonder if we should TCONF all tests without tcb (some tests are > working For the case of no policy, you could still run the boot-aggregate test. I'm not sure about any of the other tests. Even if the system was booted with either of the "tcb" policies, it could still have been replaced with a custom policy. If we're able to cat the policy, we could verify that the loaded policy includes the "tcb" policy and emit a TCONF warning message for non tcb policies. For now, perhaps add a general message indicating that the tests assume a tcb policy. > > * Getting record with old kernels (tested on both deprecated ima_tbc and ima_policy=tcb): ^ima_tcb > ima_measurements 1 TINFO: /proc/cmdline: BOOT_IMAGE=/vmlinuz-3.10.0-693.2.2.el7.x86_64 root=/dev/mapper/centos-root ro crashkernel=auto rd.lvm.lv=centos/root rd.lvm.lv=centos/swap rhgb quiet ima_tbc > ima_measurements 1 TINFO: IMA kernel config: > ima_measurements 1 TINFO: CONFIG_IMA=y > ima_measurements 1 TINFO: CONFIG_IMA_MEASURE_PCR_IDX=10 > ima_measurements 1 TINFO: CONFIG_IMA_AUDIT=y > ima_measurements 1 TINFO: CONFIG_IMA_LSM_RULES=y > ima_measurements 1 TINFO: CONFIG_IMA_APPRAISE=y > ima_measurements 1 TINFO: CONFIG_IMA_TRUSTED_KEYRING=y > ima_measurements 1 TINFO: verify adding record to the IMA measurement list > ima_measurements 1 TFAIL: cannot find measurement for '/tmp/netpan-1253/LTP_ima_measurements.P2uyOze2J4/test.txt' > awk: cmd. line:1: (FILENAME=- FNR=1) fatal: attempt to access field -1 > ima_measurements 1 TINFO: computing hash for sha1 digest > ima_measurements 1 TFAIL: hash not found > ima_measurements 2 TINFO: verify updating record in the IMA measurement list > ima_measurements 2 TCONF: XFS Filesystem >= V5 required for iversion support > ima_measurements 3 TINFO: verify not measuring user files > ima_measurements 3 TPASS: grep /tmp/netpan-1253/LTP_ima_measurements.P2uyOze2J4/user/test.txt /sys/kernel/security/ima/ascii_runtime_measurements failed as expected > > Not sure if this is caused by different IMA behavior in old kernels or due configuration. Maybe just a typo - ima_tcb, not ima_tbc. Mimi
