From: Roberto Sassu <roberto.sassu@xxxxxxxxxx>

Add two simple tests to check whether or not the HMAC calculated by the
kernel and evmctl matches. Do one test with a regular file, using SELinux
or Smack as active LSM (whichever is available, or with both for the UML
kernel) and another test with a directory successfully transmuted with
Smack.

Also add two bug fixes to include the filesystem UUID and the inode
generation in the HMAC calculation, and the new option --hmackey to specify
an alternate location of the HMAC key.

Changelog

v2:
- Set TST_EVM_CHANGE_MODE in GitHub Action workflow (suggested by Mimi)
- Add SELinux to kernel configuration option for CI
- Parameterize the check_evm_hmac() test with the LSM to test
- Skip the check_evm_hmac() test if the chosen LSM is not active
- Load the existing SELinux policy in the UML kernel environment
- Check EVM support for the additional Smack xattrs only in the
  check_evm_hmac_transmute() test (suggested by Mimi)
- Run the UML kernel twice, once with SELinux enabled and once with Smack
- Clarify in the error message why having at least one LSM active is
  necessary
- Add a justification for the --hmackey option added to evmctl (suggested
  by Mimi)

v1:
- Add documentation for --hmackey option of evmctl (suggested by Mimi)
- Update kernel configuration for CI
- Include inode generation in HMAC calculation for directories
- Specify kernel patches required for the tests (suggested by Mimi)
- Move xattr compare code to compare_xattr()
- Add new Smack-specific test to check HMAC of transmuting directory
  (suggested by Mimi)
- Check in the test that the --hmackey option is available (suggested by
  Mimi)
- Remove i_version mount option (should be default in ext4)
- Mount smackfs if the UML kernel is used

Roberto Sassu (4):
  Include the filesystem UUID in HMAC calculation
  Restore correct HMAC calculation for directories
  Add --hmackey option for evmctl
  Add simple tests to check EVM HMAC calculation

 .github/workflows/ci.yml |   1 +
 README                   |   3 +-
 kernel-configs/base      |   6 +-
 kernel-configs/integrity |   1 +
 src/evmctl.c             |  31 ++++-
 src/imaevm.h             |   1 +
 tests/Makefile.am        |   2 +-
 tests/evm_hmac.test      | 281 +++++++++++++++++++++++++++++++++++++++
 tests/functions.sh       |   6 +
 9 files changed, 326 insertions(+), 6 deletions(-)
 create mode 100755 tests/evm_hmac.test

-- 
2.25.1