Re: [PATCH ima-evm-utils v3] Add ima_policy_check.awk and ima_policy_check.test

On Thu, 2023-03-02 at 09:47 -0500, Mimi Zohar wrote:
> On Thu, 2023-03-02 at 13:40 +0100, Roberto Sassu wrote:
> > On Wed, 2023-03-01 at 19:18 -0500, Mimi Zohar wrote:
> > > Hi Roberto,
> > > 
> > > Just a couple of comments below.
> > > 
> > > 
> > > > diff --git a/tests/ima_policy_check.test b/tests/ima_policy_check.test
> > > > new file mode 100755
> > > > index 00000000000..3549009bb1c
> > > > --- /dev/null
> > > > +++ b/tests/ima_policy_check.test
> > > > @@ -0,0 +1,245 @@
> > > > +#!/bin/bash
> > > > +# SPDX-License-Identifier: GPL-2.0
> > > > +#
> > > > +# Copyright (C) 2023 Roberto Sassu <roberto.sassu@xxxxxxxxxx>
> > > > +#
> > > > +# Test for ima_policy_check.awk
> > > > +
> > > > +trap '_report_exit_and_cleanup' SIGINT SIGTERM EXIT
> > > > +
> > > > +cd "$(dirname "$0")" || exit 1
> > > > +. ./functions.sh
> > > > +
> > > > +export PATH=$PWD:$PATH
> > > > +
> > > > +check_result() {
> > > > +	local result
> > > > +
> > > > +	echo -e "\nTest: $1"
> > > > +	echo "New rule: $2"
> > > > +	echo "IMA policy: $3"
> > > > +
> > > > +	echo -n "Result (expect $4): "
> > > > +
> > > > +	echo -e "$2\n$3" | ima_policy_check.awk
> > > > +	result=$?
> > > > +
> > > > +	if [ "$result" -ne "$4" ]; then
> > > > +		echo "${RED}$result${NORM}"
> > > > +		return "$FAIL"
> > > > +	fi
> > > > +
> > > > +	echo "${GREEN}$result${NORM}"
> > > > +	return "$OK"
> > > > +}
> > > > +
> > > > +# ima_policy_check.awk returns a bit mask with the following values:
> > > > +# - 1: invalid new rule;
> > > > +# - 2: overlap of the new rule with an existing rule in the IMA policy;
> > > > +# - 4: new rule exists in the IMA policy.
> > > > +
> > > > +# Basic checks.
> > > > +desc="empty IMA policy"
> > > > +rule="measure func=FILE_CHECK"
> > > > +ima_policy=""
> > > > +expect_pass check_result "$desc" "$rule" "$ima_policy" 0
> > > > +
> > > > +desc="Empty new rule"
> > > > +rule=""
> > > > +ima_policy=""
> > > > +expect_pass check_result "$desc" "$rule" "$ima_policy" 1
> > > > +
> > > > +desc="Unknown policy keyword fun"
> > > > +rule="measure fun=FILE_CHECK"
> > > > +ima_policy=""
> > > > +expect_pass check_result "$desc" "$rule" "$ima_policy" 1
> > > > +
> > > > +desc="Missing action"
> > > > +rule="func=FILE_CHECK"
> > > > +ima_policy=""
> > > > +expect_pass check_result "$desc" "$rule" "$ima_policy" 1
> > > > +
> > > > +# Non-overlapping rules.
> > > > +desc="Non-overlapping by action measure/dont_appraise, same func"
> > > > +rule="measure func=FILE_CHECK"
> > > > +ima_policy="dont_appraise func=FILE_CHECK"
> > > > +expect_pass check_result "$desc" "$rule" "$ima_policy" 0
> > > > +
> > > > +desc="Non-overlapping by action audit/dont_appraise, same func"
> > > > +rule="audit func=FILE_CHECK"
> > > > +ima_policy="dont_appraise func=FILE_CHECK"
> > > > +expect_pass check_result "$desc" "$rule" "$ima_policy" 0
> > > > +
> > > > +desc="Non-overlapping by action appraise/dont_measure, same func"
> > > > +rule="appraise func=FILE_CHECK"
> > > > +ima_policy="dont_measure func=FILE_CHECK"
> > > > +expect_pass check_result "$desc" "$rule" "$ima_policy" 0
> > > > +
> > > > +desc="Non-overlapping by action dont_measure/hash, same func"
> > > > +rule="dont_measure func=FILE_CHECK"
> > > > +ima_policy="hash func=FILE_CHECK"
> > > > +expect_pass check_result "$desc" "$rule" "$ima_policy" 0
> > > > +
> > > > +desc="Non-overlapping by func"
> > > > +rule="measure func=FILE_CHECK"
> > > > +ima_policy="measure func=MMAP_CHECK"
> > > > +expect_pass check_result "$desc" "$rule" "$ima_policy" 0
> > > > +
> > > > +desc="Non-overlapping by uid, func is equal"
> > > > +rule="measure func=FILE_CHECK uid=0"
> > > > +ima_policy="measure uid=1 func=FILE_CHECK"
> > > > +expect_pass check_result "$desc" "$rule" "$ima_policy" 0
> > > > +
> > > > +desc="Non-overlapping by uid, func is equal, same policy options"
> > > > +rule="measure func=FILE_CHECK uid=0 permit_directio"
> > > > +ima_policy="measure uid=1 func=FILE_CHECK permit_directio"
> > > > +expect_pass check_result "$desc" "$rule" "$ima_policy" 0
> > > > +
> > > > +desc="Non-overlapping by mask, func and uid are equal, same policy options"
> > > > +rule="measure func=FILE_CHECK uid=0 permit_directio mask=MAY_READ"
> > > > +ima_policy="measure uid=0 mask=MAY_EXEC func=FILE_CHECK permit_directio"
> > > > +expect_pass check_result "$desc" "$rule" "$ima_policy" 0
> > > > +
> > > > +desc="Non-overlapping by mask, func and uid are equal, different policy options"
> > > > +rule="measure func=FILE_CHECK uid=0 permit_directio mask=MAY_READ"
> > > > +ima_policy="measure uid=0 mask=MAY_EXEC func=FILE_CHECK"
> > > > +expect_pass check_result "$desc" "$rule" "$ima_policy" 0
> > > > +
> > > > +# Overlapping and different rules.
> > > > +desc="same actions, different keywords"
> > > > +rule="appraise func=FILE_CHECK"
> > > > +ima_policy="appraise uid=0"
> > > > +expect_pass check_result "$desc" "$rule" "$ima_policy" 2
> > > > +
> > > > +desc="unrelated actions with appraise and a do action, same func"
> > > > +rule="appraise func=FILE_CHECK"
> > > > +ima_policy="measure func=FILE_CHECK"
> > > > +expect_pass check_result "$desc" "$rule" "$ima_policy" 2
> > > 
> > > All the different actions - appraise, measure, audit - are applied for
> > > the same hook.  If the appraise rule func is "FILE_CHECK", then for any
> > > other func, the rules would overlap.
> > 
> > Hi Mimi,
> > 
> > yes. But also, if two tests respectively add appraise func=MMAP_CHECK
> > and measure func=FILE_CHECK, and we say that they don't overlap, we are
> > implying that there won't be mmap operations in the second test.
> 
> With this understanding of what constitutes overlapping rules, then a
> "measure func=FILE_CHECK" rule should overlap with all other rules. 
> Why limit it to the same hook?

Ok, I agree.

> > I would be more on the safe side, and say that if there is an appraise
> > rule, different func values won't lead to no overlap.
> 
> Ok, at least adding a comment explaining what is meant by overlap in
> this case would help.

I think the fact is that by executing commands, more than one hook can
be executed. Will add a note.

> > > > +
> > > > +desc="related actions, same func"
> > > > +rule="measure func=FILE_CHECK"
> > > > +ima_policy="dont_measure func=FILE_CHECK"
> > > > +expect_pass check_result "$desc" "$rule" "$ima_policy" 2
> > > > +
> > > > +desc="related actions, same func, different policy options"
> > > > +rule="measure func=FILE_CHECK"
> > > > +ima_policy="dont_measure func=FILE_CHECK permit_directio"
> > > > +expect_pass check_result "$desc" "$rule" "$ima_policy" 2
> > > > +
> > > > +desc="related actions, same func, different policy options"
> > > > +rule="measure func=FILE_CHECK permit_directio"
> > > > +ima_policy="dont_measure func=FILE_CHECK"
> > > > +expect_pass check_result "$desc" "$rule" "$ima_policy" 2
> > > > +
> > > > +desc="same actions, same func, same mask with different modifier"
> > > > +rule="measure func=FILE_CHECK mask=MAY_EXEC"
> > > > +ima_policy="measure func=FILE_CHECK mask=^MAY_EXEC"
> > > > +expect_pass check_result "$desc" "$rule" "$ima_policy" 2
> > > > +
> > > > +desc="same actions, same func, different mask with same modifier"
> > > > +rule="measure func=FILE_CHECK mask=^MAY_READ"
> > > > +ima_policy="measure func=FILE_CHECK mask=^MAY_EXEC"
> > > > +expect_pass check_result "$desc" "$rule" "$ima_policy" 2
> > > > +
> > > > +desc="same actions, same func, different policy options"
> > > > +rule="measure func=FILE_CHECK"
> > > > +ima_policy="measure func=FILE_CHECK permit_directio"
> > > > +expect_pass check_result "$desc" "$rule" "$ima_policy" 2
> > > > +
> > > > +desc="same actions, same func, different policy options"
> > > > +rule="measure func=FILE_CHECK permit_directio"
> > > > +ima_policy="measure func=FILE_CHECK"
> > > > +expect_pass check_result "$desc" "$rule" "$ima_policy" 2
> > > > +
> > > > +desc="same actions, MMAP_CHECK and MMAP_CHECK_REQPROT hooks"
> > > > +rule="measure func=MMAP_CHECK"
> > > > +ima_policy="measure func=MMAP_CHECK_REQPROT"
> > > > +expect_pass check_result "$desc" "$rule" "$ima_policy" 2
> > > > +
> > > > +desc="related actions, same func, same mask with same modifier"
> > > > +rule="measure func=FILE_CHECK mask=^MAY_EXEC"
> > > > +ima_policy="dont_measure func=FILE_CHECK mask=^MAY_EXEC"
> > > > +expect_pass check_result "$desc" "$rule" "$ima_policy" 2
> > > > +desc="same actions, same func, different uid with same operator"
> > > > +rule="measure func=FILE_CHECK uid>0"
> > > > +ima_policy="measure func=FILE_CHECK uid>1"
> > > > +expect_pass check_result "$desc" "$rule" "$ima_policy" 2
> > > 
> > > Please add a comment here before the < > test, indicating these
> > > operators are currently not supported.
> > > > +desc="same actions, same func, same uid with different operator"
> > > > +rule="measure func=FILE_CHECK uid>1"
> > > > +ima_policy="measure func=FILE_CHECK uid<1"
> > > > +expect_pass check_result "$desc" "$rule" "$ima_policy" 2
> > > > +
> > > > +# Overlapping and same rules.
> > > > +desc="same actions, same func"
> > > > +rule="appraise func=FILE_CHECK"
> > > > +ima_policy="appraise func=FILE_CHECK"
> > > > +expect_pass check_result "$desc" "$rule" "$ima_policy" 4
> > > > +
> > > > +desc="same actions, same func, same mask"
> > > > +rule="appraise mask=MAY_READ func=FILE_CHECK"
> > > > +ima_policy="appraise func=FILE_CHECK mask=MAY_READ"
> > > > +expect_pass check_result "$desc" "$rule" "$ima_policy" 4
> > > > +
> > > > +desc="same actions, same func, same mask, same policy options"
> > > > +rule="appraise mask=MAY_READ func=FILE_CHECK permit_directio appraise_type=imasig"
> > > > +ima_policy="appraise func=FILE_CHECK mask=MAY_READ permit_directio appraise_type=imasig"
> > > > +expect_pass check_result "$desc" "$rule" "$ima_policy" 4
> > > > +
> > > > +desc="same actions, same func"
> > > > +rule="measure func=MMAP_CHECK_REQPROT"
> > > > +ima_policy="measure func=MMAP_CHECK_REQPROT"
> > > > +expect_pass check_result "$desc" "$rule" "$ima_policy" 4
> > > > +
> > > > +desc="same actions, same func with alias"
> > > > +rule="measure func=FILE_CHECK"
> > > > +ima_policy="measure func=PATH_CHECK"
> > > > +expect_pass check_result "$desc" "$rule" "$ima_policy" 4
> 
> Aliases should probably be classified as duplicate rules.  For now this
> is fine, since aliases are deprecated and should be removed.  Perhaps
> comment it.

Yes, aliases are converted internally to the main hook name. So, the
script considers rules with aliases as duplicate (equivalent). Ok.

Thanks

Roberto

> > > > +
> > > > +desc="same actions, same func with alias, same mask with same modifiers"
> > > > +rule="measure mask=^MAY_READ func=FILE_CHECK"
> > > > +ima_policy="measure func=PATH_CHECK mask=^MAY_READ"
> > > > +expect_pass check_result "$desc" "$rule" "$ima_policy" 4
> > > > +
> > > > +desc="same actions, same func with alias and same mask with same modifiers, same uid with same operators"
> > > > +rule="measure mask=^MAY_READ uid>0 func=FILE_CHECK"
> > > > +ima_policy="measure func=PATH_CHECK mask=^MAY_READ uid>0"
> > > > +expect_pass check_result "$desc" "$rule" "$ima_policy" 4
> > > > +
> > > > +desc="same actions, same func with alias and same mask with same modifiers, same uid with same operators"
> > > > +rule="measure mask=^MAY_READ uid<1 func=FILE_CHECK"
> > > > +ima_policy="measure func=PATH_CHECK mask=^MAY_READ uid<1"
> > > > +expect_pass check_result "$desc" "$rule" "$ima_policy" 4
> > > > +
> > > > +# Overlapping and two rules (one same, one different).
> > > > +desc="first: same actions, same func, second: unrelated actions with appraise and a do action"
> > > > +rule="appraise func=FILE_CHECK"
> > > > +ima_policy="appraise func=FILE_CHECK\nmeasure func=FILE_CHECK"
> > > > +expect_pass check_result "$desc" "$rule" "$ima_policy" 6
> > > 
> > > Refer to comment above on different action rules for same func.
> > > 
> > > > +desc="first: unrelated actions with appraise and a do action, same func, second: same actions"
> > > > +rule="appraise func=FILE_CHECK"
> > > > +ima_policy="measure func=FILE_CHECK\nappraise func=FILE_CHECK"
> > > > +expect_pass check_result "$desc" "$rule" "$ima_policy" 6
> > > > +
> > > > +desc="first: same actions, same func, same mask, second: different policy options"
> > > > +rule="appraise mask=MAY_READ func=FILE_CHECK"
> > > > +ima_policy="appraise func=FILE_CHECK mask=MAY_READ\nappraise func=FILE_CHECK mask=MAY_READ permit_directio"
> > > > +expect_pass check_result "$desc" "$rule" "$ima_policy" 6
> > > > +
> > > > +desc="first: same actions, same func with alias, same mask, second: different policy options"
> > > > +rule="appraise mask=MAY_READ func=FILE_CHECK"
> > > > +ima_policy="appraise func=PATH_CHECK mask=MAY_READ\nappraise func=FILE_CHECK mask=MAY_READ permit_directio"
> > > > +expect_pass check_result "$desc" "$rule" "$ima_policy" 6
> > > > +
> > > > +# Non-overlapping and three rules.
> > > > +desc="same actions, same func and mask, different uid"
> > > > +rule="appraise mask=MAY_READ func=FILE_CHECK uid=0"
> > > > +ima_policy="appraise mask=MAY_READ func=FILE_CHECK uid=1\nappraise mask=MAY_READ func=FILE_CHECK uid=2\nappraise mask=MAY_READ func=FILE_CHECK uid=3"
> > > > +expect_pass check_result "$desc" "$rule" "$ima_policy" 0
> > > > +
> > > > +desc="same actions, same func and mask, different uid, except one that is the same"
> > > > +rule="appraise mask=MAY_READ func=FILE_CHECK uid=0"
> > > > +ima_policy="appraise mask=MAY_READ func=FILE_CHECK uid=1\nappraise mask=MAY_READ func=FILE_CHECK uid=0\nappraise mask=MAY_READ func=FILE_CHECK uid=3"
> > > > +expect_pass check_result "$desc" "$rule" "$ima_policy" 4
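Review bot: several test descriptions are reused verbatim, so a failing case cannot be told apart from the "Test: $1" line alone: "related actions, same func, different policy options" (once with permit_directio on the policy rule, once on the new rule), "same actions, same func, different policy options" (same pattern), "same actions, same func" (FILE_CHECK and MMAP_CHECK_REQPROT) and "same actions, same func with alias and same mask with same modifiers, same uid with same operators" (uid>0 and uid<1). Name the distinguishing side in each, e.g. "related actions, same func, policy option only on the new rule". Also, a blank line is missing between the `dont_measure func=FILE_CHECK mask=^MAY_EXEC` case and the following `uid>0` case, unlike every other case in the file.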
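As an added example (not the awk script from the patch nor any ima-evm-utils code), the following Python model reproduces the bit mask the quoted test file expects, following the expectations encoded in the test cases rather than the stricter notion of overlap raised in the discussion; the keyword subset, the PATH_CHECK alias and the MMAP_CHECK/MMAP_CHECK_REQPROT grouping are assumptions. Policy lines are separated by real newlines here, where the test file relies on `echo -e` expanding `\n`.

```python
import re
# Assumptions, not from the patch: action names, a subset of IMA keywords,
# the deprecated PATH_CHECK alias and the MMAP_CHECK hook grouping.
DO_ACTIONS = {"measure", "audit", "hash"}
ACTIONS = DO_ACTIONS | {"appraise", "dont_measure", "dont_appraise", "dont_hash"}
KEYWORDS = {"func", "mask", "uid", "fowner", "appraise_type", "permit_directio"}
ALIASES = {"PATH_CHECK": "FILE_CHECK"}             # same hook: rules are duplicates
HOOK_GROUP = {"MMAP_CHECK_REQPROT": "MMAP_CHECK"}  # sibling hooks: rules overlap
INVALID, OVERLAP, DUPLICATE = 1, 2, 4              # bit mask used by the test file

def parse(rule):
    # Returns (action, {keyword: (operator, value)}) or None for an invalid rule.
    words = rule.split()
    if not words or words[0] not in ACTIONS:
        return None
    conds = {}
    for word in words[1:]:
        m = re.fullmatch(r"([a-z_]+)(?:([=<>])(\^?)(\S*))?", word)
        if not m or m.group(1) not in KEYWORDS:
            return None
        key, op, mod, val = m.groups()
        if key == "func" and val in ALIASES:
            val = ALIASES[val]
        conds[key] = ((op or "") + (mod or ""), val or "")
    return words[0], conds

def overlaps(a, b):
    (act_a, ca), (act_b, cb) = a, b
    related = act_a.removeprefix("dont_") == act_b.removeprefix("dont_")
    appraise_vs_do = "appraise" in (act_a, act_b) and bool({act_a, act_b} & DO_ACTIONS)
    if not (related or appraise_vs_do):
        return False
    for key in ca.keys() & cb.keys():
        (op_a, va), (op_b, vb) = ca[key], cb[key]
        # Only an exact-match keyword with different values separates the rules.
        if op_a == op_b == "=" and HOOK_GROUP.get(va, va) != HOOK_GROUP.get(vb, vb):
            return False
    return True

def check(new_rule, policy):
    # Bit mask for new_rule against a policy given as newline-separated rules.
    if (new := parse(new_rule)) is None:
        return INVALID
    result = 0
    for line in filter(None, policy.split("\n")):
        old = parse(line)
        if old == new:
            result |= DUPLICATE
        elif old is not None and overlaps(new, old):
            result |= OVERLAP
    return result
```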
