On Mon, 2023-01-30 at 15:02 +0100, Roberto Sassu wrote:
> On Mon, 2023-01-30 at 08:28 -0500, Mimi Zohar wrote:
> > [Trimmed Cc list, since this is an ima-evm-utils discussion. Adding
> > Petr.]
> > 
> > On Fri, 2023-01-27 at 08:57 +0100, Roberto Sassu wrote:
> > > On Thu, 2023-01-26 at 17:25 -0500, Stefan Berger wrote:
> > > > How do you tell the user that the patches need to be applied for the test to
> > > > succeed and not worry about it when the patches are not applied?
> > > 
> > > Uhm, I agree. I should at least write a comment as for EVM portable
> > > signatures, and maybe display a message in the test logs.
> > 
> > This is a generic problem that needs to be addressed. FYI, LTP
> > addressed it by introducing "struct test_tag" in commit ca2c76990
> > ("lib: Add support for test tags").
> 
> One idea could be to list all the patches the group of tests is going
> to check, and add an argument to expect_pass and expect_fail to specify
> the indexes of patches required for the test. We print the required
> patches in an error message.

Ok, here is an example for this patch set. I added the following changes
to the mmap_check.test script:

PATCHES=(
	'ima: Align ima_file_mmap() parameters with mmap_file LSM hook'
	'ima: Introduce MMAP_CHECK_REQPROT hook'
)

[...]

expect_fail check_mmap "MMAP_CHECK" ""
expect_pass check_mmap "MMAP_CHECK" "exec"
expect_pass_if '0' check_mmap "MMAP_CHECK" "read_implies_exec"
expect_fail_if '1' check_mmap "MMAP_CHECK_REQPROT" ""
expect_pass_if '1' check_mmap "MMAP_CHECK_REQPROT" "exec"
expect_fail_if '1' check_mmap "MMAP_CHECK_REQPROT" "read_implies_exec"
expect_pass check_deny "MMAP_CHECK" "mprotect"
expect_pass_if '1' check_deny "MMAP_CHECK_REQPROT" "mprotect"
expect_pass check_deny "MMAP_CHECK" "exec_on_writable"
expect_pass_if '1' check_deny "MMAP_CHECK_REQPROT" "exec_on_writable"

I didn't add the _if suffix for the tests that are expected to pass/fail
without adding new patches.

I introduced expect_pass_if() and expect_fail_if() that call respectively
expect_pass() and expect_fail(), and additionally print an error message
with the patches that might be required.

The test results (without the two kernel patches applied) are:

Test: check_mmap (hook="MMAP_CHECK", test_mmap arg: "")
Result (expect not found): not found
Test: check_mmap (hook="MMAP_CHECK", test_mmap arg: "exec")
Result (expect found): found
Test: check_mmap (hook="MMAP_CHECK", test_mmap arg: "read_implies_exec")
Result (expect found): not found
Possibly missing patches:
- ima: Align ima_file_mmap() parameters with mmap_file LSM hook
Test: check_mmap (hook="MMAP_CHECK_REQPROT", test_mmap arg: "")
/home/roberto/repos/ima-evm-utils/tests/mmap_check.test: line 65: echo: write error: Invalid argument
Failed to set IMA policy
Possibly missing patches:
- ima: Introduce MMAP_CHECK_REQPROT hook
Test: check_mmap (hook="MMAP_CHECK_REQPROT", test_mmap arg: "exec")
/home/roberto/repos/ima-evm-utils/tests/mmap_check.test: line 65: echo: write error: Invalid argument
Failed to set IMA policy
Possibly missing patches:
- ima: Introduce MMAP_CHECK_REQPROT hook
Test: check_mmap (hook="MMAP_CHECK_REQPROT", test_mmap arg: "read_implies_exec")
/home/roberto/repos/ima-evm-utils/tests/mmap_check.test: line 65: echo: write error: Invalid argument
Failed to set IMA policy
Possibly missing patches:
- ima: Introduce MMAP_CHECK_REQPROT hook
Test: check_deny (hook="MMAP_CHECK", test_mmap arg: "mprotect")
Result (expect denied): denied
Test: check_deny (hook="MMAP_CHECK_REQPROT", test_mmap arg: "mprotect")
/home/roberto/repos/ima-evm-utils/tests/mmap_check.test: line 65: echo: write error: Invalid argument
Failed to set IMA policy
Possibly missing patches:
- ima: Introduce MMAP_CHECK_REQPROT hook
Test: check_deny (hook="MMAP_CHECK", test_mmap arg: "exec_on_writable")
Result (expect denied): denied
Test: check_deny (hook="MMAP_CHECK_REQPROT", test_mmap arg: "exec_on_writable")
/home/roberto/repos/ima-evm-utils/tests/mmap_check.test: line 65: echo: write error: Invalid argument
Failed to set IMA policy
Possibly missing patches:
- ima: Introduce MMAP_CHECK_REQPROT hook
=================================
Run with FAILEARLY=1 /home/roberto/repos/ima-evm-utils/tests/mmap_check.test _cleanup_env cleanup
To stop after first failure
=================================
PASS: 4 SKIP: 0 FAIL: 6

The test results (with the two kernel patches applied) are:

Test: check_mmap (hook="MMAP_CHECK", test_mmap arg: "")
Result (expect not found): not found
Test: check_mmap (hook="MMAP_CHECK", test_mmap arg: "exec")
Result (expect found): found
Test: check_mmap (hook="MMAP_CHECK", test_mmap arg: "read_implies_exec")
Result (expect found): found
Test: check_mmap (hook="MMAP_CHECK_REQPROT", test_mmap arg: "")
Result (expect not found): not found
Test: check_mmap (hook="MMAP_CHECK_REQPROT", test_mmap arg: "exec")
Result (expect found): found
Test: check_mmap (hook="MMAP_CHECK_REQPROT", test_mmap arg: "read_implies_exec")
Result (expect not found): not found
Test: check_deny (hook="MMAP_CHECK", test_mmap arg: "mprotect")
Result (expect denied): denied
Test: check_deny (hook="MMAP_CHECK_REQPROT", test_mmap arg: "mprotect")
Result (expect denied): denied
Test: check_deny (hook="MMAP_CHECK", test_mmap arg: "exec_on_writable")
Result (expect denied): denied
Test: check_deny (hook="MMAP_CHECK_REQPROT", test_mmap arg: "exec_on_writable")
Result (expect denied): denied
PASS: 10 SKIP: 0 FAIL: 0

Roberto
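The following is an added example and not the mmap_check.test script from ima-evm-utils, nor code by anyone in this thread. It is a small POSIX sh harness that implements the expect_pass_if/expect_fail_if idea from the message above: a test that fails names the kernel patches it may depend on. The two patch titles are the ones quoted in the thread; everything else is an assumption made for the example: the helper names (run_check, record, summary, run_suite), the PASS/FAIL counters, the 0/1/2 exit-status convention for checks, and the stub_check_mmap/stub_check_deny functions that stand in for the real checks and simply reproduce the outcomes reported in the thread for a kernel with and without the two patches.

```shell
#!/bin/sh
# Added example (not ima-evm-utils' mmap_check.test): a minimal harness for
# the expect_pass_if/expect_fail_if idea. The two patch titles come from the
# thread; helper names, counters and the stub checks are assumptions.

PASS=0
FAIL=0
LAST_OK=1      # outcome of the most recent expect_* call (1 = passed)
MISSING=""     # titles listed by the most recent "Possibly missing patches"
STUB_PATCHED=0 # stub kernel state: 0 = both patches absent, 1 = both applied

# Patch index -> title. A case statement keeps this POSIX sh (no bash arrays).
patch_title() {
	case "$1" in
	0) echo 'ima: Align ima_file_mmap() parameters with mmap_file LSM hook' ;;
	1) echo 'ima: Introduce MMAP_CHECK_REQPROT hook' ;;
	*) echo "unknown patch index $1" ;;
	esac
}

# Name the patches (space-separated indexes in $1) a failed test may need.
print_missing_patches() {
	MISSING=""
	echo "Possibly missing patches:" >&2
	for idx in $1; do
		title=$(patch_title "$idx")
		echo "- $title" >&2
		MISSING="${MISSING:+$MISSING; }$title"
	done
}

# Run a check and keep its exit status in RC without tripping 'set -e'.
# Assumed convention for checks: 0 = found/denied, 1 = not found/not denied,
# 2 = the test could not run at all (e.g. the IMA policy was rejected).
run_check() {
	if "$@"; then RC=0; else RC=$?; fi
}

# record EXPECTED ACTUAL: a pass needs exactly the expected outcome, so a
# setup error (2) fails both expect_pass and expect_fail instead of being
# mistaken for "not found". FAILEARLY=1 stops after the first failure.
record() {
	if [ "$1" -eq "$2" ]; then
		PASS=$((PASS + 1)); LAST_OK=1
	else
		FAIL=$((FAIL + 1)); LAST_OK=0
		if [ -n "$FAILEARLY" ]; then exit 1; fi
	fi
}

expect_pass() { run_check "$@"; record 0 "$RC"; }
expect_fail() { run_check "$@"; record 1 "$RC"; }

# expect_pass_if 'IDX...' CMD ARGS...: as expect_pass, but on failure also
# list the patches the test depends on. expect_fail_if is the mirror image.
expect_pass_if() {
	idxs=$1; shift
	expect_pass "$@"
	if [ "$LAST_OK" -eq 0 ]; then print_missing_patches "$idxs"; fi
}
expect_fail_if() {
	idxs=$1; shift
	expect_fail "$@"
	if [ "$LAST_OK" -eq 0 ]; then print_missing_patches "$idxs"; fi
}

summary() { echo "PASS: $PASS SKIP: 0 FAIL: $FAIL"; }

# Stubs standing in for check_mmap/check_deny, reproducing the thread's
# results: without the patches MMAP_CHECK_REQPROT is unknown to the kernel
# (policy write fails) and MMAP_CHECK does not see read_implies_exec; with
# them MMAP_CHECK measures read_implies_exec while MMAP_CHECK_REQPROT
# (requested protections only) does not.
stub_check_mmap() {
	if [ "$1" = MMAP_CHECK_REQPROT ] && [ "$STUB_PATCHED" -eq 0 ]; then
		echo "Failed to set IMA policy" >&2; return 2
	fi
	case "$1:$2" in
	*:exec) return 0 ;;
	MMAP_CHECK:read_implies_exec) return $((1 - $STUB_PATCHED)) ;;
	*) return 1 ;;
	esac
}
stub_check_deny() {
	if [ "$1" = MMAP_CHECK_REQPROT ] && [ "$STUB_PATCHED" -eq 0 ]; then
		echo "Failed to set IMA policy" >&2; return 2
	fi
	return 0   # mprotect/exec_on_writable are denied whenever the hook exists
}

# The test list from the thread, run against the stub kernel (0 or 1).
run_suite() {
	STUB_PATCHED=$1; PASS=0; FAIL=0
	expect_fail        stub_check_mmap "MMAP_CHECK" ""
	expect_pass        stub_check_mmap "MMAP_CHECK" "exec"
	expect_pass_if '0' stub_check_mmap "MMAP_CHECK" "read_implies_exec"
	expect_fail_if '1' stub_check_mmap "MMAP_CHECK_REQPROT" ""
	expect_pass_if '1' stub_check_mmap "MMAP_CHECK_REQPROT" "exec"
	expect_fail_if '1' stub_check_mmap "MMAP_CHECK_REQPROT" "read_implies_exec"
	expect_pass        stub_check_deny "MMAP_CHECK" "mprotect"
	expect_pass_if '1' stub_check_deny "MMAP_CHECK_REQPROT" "mprotect"
	expect_pass        stub_check_deny "MMAP_CHECK" "exec_on_writable"
	expect_pass_if '1' stub_check_deny "MMAP_CHECK_REQPROT" "exec_on_writable"
	summary
}

run_suite 0   # prints PASS: 4 SKIP: 0 FAIL: 6
run_suite 1   # prints PASS: 10 SKIP: 0 FAIL: 0
```

The one design point worth keeping when adapting this to a real harness is the three-way exit status: a check that could not load its IMA policy must return something other than the "not found" code, otherwise an expect_fail test on an unpatched kernel silently passes for the wrong reason and the missing-patch hint is never printed.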