On Tue, 2024-12-31 at 13:23 +0100, Petr Vorel wrote: > Hi Mimi, > > > Hi Petr, > > > On Fri, 2024-12-13 at 23:20 +0100, Petr Vorel wrote: > > > Suggested-by: Mimi Zohar <zohar@xxxxxxxxxxxxx> > > > Signed-off-by: Petr Vorel <pvorel@xxxxxxx> > > > --- > > > .../integrity/ima/datafiles/ima_violations/violations.policy | 1 + > > > 1 file changed, 1 insertion(+) > > > create mode 100644 testcases/kernel/security/integrity/ima/datafiles/ima_violations/violations.policy > > > > diff --git a/testcases/kernel/security/integrity/ima/datafiles/ima_violations/violations.policy b/testcases/kernel/security/integrity/ima/datafiles/ima_violations/violations.policy > > > new file mode 100644 > > > index 0000000000..5734c7617f > > > --- /dev/null > > > +++ b/testcases/kernel/security/integrity/ima/datafiles/ima_violations/violations.policy > > > @@ -0,0 +1 @@ > > > +func=FILE_CHECK > > > "[PATCH v2 1/8] IMA: Add TCB policy as an example for ima_measurements.sh" > > contains two rules to measure files opened by root on file open. > > > measure func=FILE_CHECK mask=^MAY_READ euid=0 > > measure func=FILE_CHECK mask=^MAY_READ uid=0 > > > If the 'tcb' or equivalent policy is loaded, there is no need to load another > > policy rule. > > I guess I'll move check for builtin policy loaded via kernel command line > parameter also to ima_setup.sh to avoid loading example policy when there is a > required builtin policy loaded. > Between the builtin and arch specific policies, most of the rules are already defined. The exception is measuring the boot command line. Perhaps we should update the arch specific policy to include it with the other kexec rules. The arch specific policy may include the rule that requires the IMA policy to be signed. > I also wonder what is a common approach - don't > try to load custom example policy when there is builtin policy loaded? How about first checking if the rule exists when there is a builtin or equivalent custom policy loaded, before loading the example test policy? > > My goal was to allow more broad IMA testing based on different setup: Very good. > > * running tests with ima_policy=tcb builtin policy (current approach). Many > tests will be skipped due missing required policy content. Ok. Remember even with "ima_policy=tcb" specified on the boot command line, the results will differ depending on whether the arch specific policy is loaded. > * running tests without any builtin policy + load a custom policy + reboot via > LTP_IMA_LOAD_POLICY=1 (this patchset), but this should be probably be done only > if required (or even none) builtin policy is loaded. Good. The first patch introduces the equivalent custom policy to "ima_policy=tcb". By "load a custom policy" are you referring to this policy or a specific policy test rule? > * Ideally not require CONFIG_IMA_READ_POLICY=y as some distros does not have it > (but then it is hard to detect whether failures are real bugs or just false > positives due not having a proper policy). Maybe convert TBROK/TFAIL to TCONF if > policy content is required but cannot be read due CONFIG_IMA_READ_POLICY (and > custom policy with proper content was not loaded). Probably the latter option of converting from TBROK/TFAIL to TCONF is preferable. Why fail a test without knowing it will fail. > But you may have an idea what is more useful (brings more test coverage). There are two main problems: - Not being able to read the policy. - Only being able to load a signed policy. I think between your above ordering and a new test to see if the policy needs to be signed, it's the best we can do for now. As mentioned in my 2/8 response, a new package containing pre-defined custom policies that are signed by the distro would resolve the latter problem. Thanks, Mimi
