On Tue, 2024-12-31 at 11:00 +0100, Petr Vorel wrote:
> > Hi Petr,
>
> > On Fri, 2024-12-13 at 23:20 +0100, Petr Vorel wrote:
> > [snip]
>
> > > --- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
> > > +++ b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
> > > @@ -1,7 +1,7 @@
> > > #!/bin/sh
> > > # SPDX-License-Identifier: GPL-2.0-or-later
> > > # Copyright (c) 2009 IBM Corporation
> > > -# Copyright (c) 2018-2020 Petr Vorel <pvorel@xxxxxxx>
> > > +# Copyright (c) 2018-2024 Petr Vorel <pvorel@xxxxxxx>
> > > # Author: Mimi Zohar <zohar@xxxxxxxxxxxxx>
>
> > > TST_TESTFUNC="test"
> > > @@ -72,14 +72,20 @@ require_policy_readable()
> > > fi
> > > }
>
> > > -require_policy_writable()
> > > +check_policy_writable()
> > > {
> > > - local err="IMA policy already loaded and kernel not configured to enable multiple writes to it (need CONFIG_IMA_WRITE_POLICY=y)"
> > > -
> > > - [ -f $IMA_POLICY ] || tst_brk TCONF "$err"
> > > - # CONFIG_IMA_READ_POLICY
> > > + [ -f $IMA_POLICY ] || return 1
> > > + # workaround for kernels < v4.18 without fix
> > > + # ffb122de9a60b ("ima: Reflect correct permissions for policy")
> > > echo "" 2> log > $IMA_POLICY
> > > - grep -q "Device or resource busy" log && tst_brk TCONF "$err"
> > > + grep -q "Device or resource busy" log && return 1
> > > + return 0
> > > +}
> > > +
> > > +require_policy_writable()
> > > +{
> > > + check_policy_writable || tst_brk TCONF \
> > > + "IMA policy already loaded and kernel not configured to enable multiple writes to it (need CONFIG_IMA_WRITE_POLICY=y)"
> > > }
>
> > > check_ima_policy_content()
> > > @@ -158,6 +164,34 @@ print_ima_config()
> > > tst_res TINFO "/proc/cmdline: $(cat /proc/cmdline)"
> > > }
>
> > > +load_ima_policy()
> > > +{
> > > + local policy="$(ls $TST_DATAROOT/*.policy 2>/dev/null)"
> > > +
> > > + if [ "$LTP_IMA_LOAD_POLICY" != 1 -a "$policy" -a -f "$policy" ]; then
> > > + tst_res TINFO "NOTE: set LTP_IMA_LOAD_POLICY=1 to load policy for this test"
> > > + return
> > > + fi
> > > +
> > > + if [ -z "$policy" -o ! -f "$policy" ]; then
> > > + tst_res TINFO "no policy for this test"
> > > + LTP_IMA_LOAD_POLICY=
> > > + return
> > > + fi
> > > +
> > > + tst_res TINFO "trying to load '$policy' policy:"
> > > + cat $policy
> > > + if ! check_policy_writable; then
> > > + tst_res TINFO "WARNING: IMA policy already loaded and kernel not configured to enable multiple writes to it (need CONFIG_IMA_WRITE_POLICY=y), reboot required"
> > > + LTP_IMA_LOAD_POLICY=
> > > + return
> > > + fi
> > > +
> > > + cat "$policy" 2> log > $IMA_POLICY
> > > + if grep -q "Device or resource busy" log; then
> > > + tst_brk TBROK "Loading policy failed"
> > > + fi
>
> > To write to the IMA securityfs policy file, check_policy_writable() used "echo",
> > while here it's using "cat". "cat" fails when signed policies are required.
> > Perhaps add something like:
> > +
> > + if grep -q "write error: Permission denied" log; then
> > + tst_brk TBROK "Loading unsigned policy failed"
> > + fi
>
> +1, I'll add this extra check to v3.
>
> I suppose echo "" > /sys/kernel/security/ima/policy does not need this check.
The original method for loading an IMA policy was by cat'ing the policy rules.
Commit 7429b092811f ("ima: load policy using path") introduced the ability of
verifying the integrity of the policy itself.
echo <policy filepath> > /sys/kernel/security/ima/policy
>
> Do I understand correctly you talk about policy containing func=POLICY_CHECK [1]?
Yes. On a secure boot enabled system, the architecture specific policy might
require the IMA policy itself to be signed.
Snippet from ima_fs.c:
#if IS_ENABLED(CONFIG_INTEGRITY_MACHINE_KEYRING) &&
IS_ENABLED(CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY)
"appraise func=POLICY_CHECK appraise_type=imasig",
#endif
> Maybe there could be a test based on example [2].
>
> echo /home/user/tmpfile > /sys/kernel/security/ima/policy
> cp tmpfile /sys/kernel/security/ima/policy
> cat tmpfile > /sys/kernel/security/ima/policy
All of the above will load a policy, assuming the policy itself doesn't need to
be signed. Only "echo /home/user/tmpfile > /sys/kernel/security/ima/policy" can
load a signed policy.
Loading a CA key (mokutil), signing (evmctl)[1] and loading (keyctl) an IMA
policy is probably beyond LTP. The purpose of this test would be to detect
whether policies need to be signed.
Going forward what's probably needed is a new package containing a set of pre-
defined sample custom policies, which are signed by the distro.
[1] Directions for signing and loading a custom policy,
https://ima-doc.readthedocs.io/en/latest/ima-utilities.html#sign-and-install-a-custom-policy
Thanks,
Mimi
>
> Kind regards,
> Petr
>
> [1] https://ima-doc.readthedocs.io/en/latest/policy-syntax.html#func-policy-check
> [2] https://ima-doc.readthedocs.io/en/latest/ima-policy.html#runtime-custom-policy
>
> > > +}
>
> > Mimi
>
>
