Message ID | 20180424183556.2368-1-pvorel@suse.cz
---|---
State | Accepted
Delegated to | Petr Vorel
Series | None
Hi Petr,

On Tue, Apr 24, 2018 at 08:35:56PM +0200, Petr Vorel wrote:
> +print_ima_config()
> +{
> +	local config="/boot/config-$(uname -r)"

Just a small remark here: not all distributions have /boot/config-* files
in place. I don't remember which ones these were.
Wouldn't it make sense to check this file, if it does not exist check
if /proc/config.gz is available?

> +	local i
> +
> +	tst_res TINFO "/proc/cmdline: $(cat /proc/cmdline)"
> +
> +	if [ -r "$config" ]; then
> +		tst_res TINFO "IMA kernel config"
> +		for i in $(grep ^CONFIG_IMA $config); do
> +			tst_res TINFO "$i"
> +		done
> +	fi
> +}

Kind regards,
Michael
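Review bot: `grep ^CONFIG_IMA $config` in print_ima_config() never shows an IMA option that is compiled out, because a disabled option is written as `# CONFIG_IMA_... is not set` and the anchored pattern skips the leading `#`; for debugging a misbehaving test that is the line you most want to see. `grep -E '^(# )?CONFIG_IMA' "$config"` prints both states, but then the `for i in $(...)` loop has to become `grep -E '^(# )?CONFIG_IMA' "$config" | while read -r i; do tst_res TINFO "$i"; done`, since the "is not set" lines contain spaces and word-splitting would print them one token per TINFO line. The same `if [ -r "$config" ]` could also fall back to `gzip -dc /proc/config.gz` when no /boot/config-$(uname -r) exists, as asked above; the function is diagnostic only, so a missing source should stay silent rather than fail.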
Hi Michael,

thank you for your comment.

> On Tue, Apr 24, 2018 at 08:35:56PM +0200, Petr Vorel wrote:
> > +print_ima_config()
> > +{
> > +	local config="/boot/config-$(uname -r)"

> Just a small remark here: not all distributions have /boot/config-* files
> in place. I don't remember which ones these were.
> Wouldn't it make sense to check this file, if it does not exist check
> if /proc/config.gz is available?

I haven't found any normal distro not having config in place (openSUSE/SLE, Debian/Ubuntu,
CentOS/Red Hat), but there might be some. I guess most embedded devices don't have
that (it's a question if they have IKCONFIG_PROC=y) but why not try it.

I wonder if we'd benefit from having these functions in shell API:
is_enabled(CONFIG_FOO)
is_module(CONFIG_FOO)
is_builtin(CONFIG_FOO)

which would do simple grep of either /boot/config-$(uname -r) or /proc/config.gz.
The first three are inspired by kernel macros from include/linux/kconfig.h

> Kind regards,
> Michael

Kind regards,
Petr
Hi!

> > Just a small remark here: not all distributions have /boot/config-* files
> > in place. I don't remember which ones these were.
> > Wouldn't it make sense to check this file, if it does not exist check
> > if /proc/config.gz is available?

> I haven't found any normal distro not having config in place (openSUSE/SLE, Debian/Ubuntu,
> CentOS/Red Hat), but there might be some. I guess most embedded devices don't have
> that (it's a question if they have IKCONFIG_PROC=y) but why not try it.

Embedded usually don't have either of them.

Also depending on the existence of /boot/config-* is a really bad idea,
just imagine you compiled and kexec'ed a testing kernel and testcases are
starting to fail for no good reason.

> I wonder if we'd benefit from having these functions in shell API:
> is_enabled(CONFIG_FOO)
> is_module(CONFIG_FOO)
> is_builtin(CONFIG_FOO)
>
> which would do simple grep of either /boot/config-$(uname -r) or /proc/config.gz.

Generally you cannot detect features of the running kernel by the
/boot/config-* files. We tried that and it failed miserably.

We cannot rely on /proc/config.gz because many kernels have that
disabled to spare some space.

It's sad but the only reasonable way to detect whether the kernel
supports something is to try to call the syscall/open and read the sysfs
file/etc. and detect ENOSYS/ENOTTY/etc.
Hi Cyril,

> Hi!
>
> > > Just a small remark here: not all distributions have /boot/config-* files
> > > in place. I don't remember which ones these were.
> > > Wouldn't it make sense to check this file, if it does not exist check
> > > if /proc/config.gz is available?
>
> > I haven't found any normal distro not having config in place (openSUSE/SLE, Debian/Ubuntu,
> > CentOS/Red Hat), but there might be some. I guess most embedded devices don't have
> > that (it's a question if they have IKCONFIG_PROC=y) but why not try it.
>
> Embedded usually don't have either of them.

I think so as well.

> Also depending on the existence of /boot/config-* is a really bad idea,
> just imagine you compiled and kexec'ed a testing kernel and testcases are
> starting to fail for no good reason.

Do you NACK this commit? This code is just for debugging (nothing happens if /boot/config-*
doesn't exist)...

> > I wonder if we'd benefit from having these functions in shell API:
> > is_enabled(CONFIG_FOO)
> > is_module(CONFIG_FOO)
> > is_builtin(CONFIG_FOO)
> > which would do simple grep of either /boot/config-$(uname -r) or /proc/config.gz.
>
> Generally you cannot detect features of the running kernel by the
> /boot/config-* files. We tried that and it failed miserably.
>
> We cannot rely on /proc/config.gz because many kernels have that
> disabled to spare some space.
>
> It's sad but the only reasonable way to detect whether the kernel
> supports something is to try to call the syscall/open and read the sysfs
> file/etc. and detect ENOSYS/ENOTTY/etc.

OK, dropping the idea about is_enabled etc. in shell API.

Thanks for your comments.

Kind regards,
Petr
Hi!

> > Also depending on the existence of /boot/config-* is a really bad idea,
> > just imagine you compiled and kexec'ed a testing kernel and testcases are
> > starting to fail for no good reason.

> Do you NACK this commit? This code is just for debugging (nothing happens if /boot/config-*
> doesn't exist)...

It's okay for additional debugging output, but we should not depend on it in any way.
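The thread contrasts two ways of answering "does this kernel have CONFIG_IMA?": Petr's proposed is_enabled/is_module/is_builtin helpers that grep a config file, and Cyril's position that only probing the running kernel is dependable. The script below is an added example, not LTP code and not what was merged: it implements the grep-based helpers over either a plain /boot/config-* or a gzipped /proc/config.gz (the fallback Michael asked for), mirroring the IS_BUILTIN/IS_MODULE/IS_ENABLED semantics Petr cites from include/linux/kconfig.h, and places the runtime probe next to them so the two can be compared. The function names, the default securityfs mountpoint, the choice of ascii_runtime_measurements as the probe target and the sample config contents are all assumptions made for the example.

```shell
#!/bin/sh
# Added example, not LTP code: config-file lookup versus asking the kernel.

# kconfig_state NAME FILE
# The "simple grep" idea, with y/m/n mapped like IS_BUILTIN/IS_MODULE/
# IS_ENABLED. FILE is a plain /boot/config-* or a gzipped /proc/config.gz
# (which one exists is an assumption the caller makes). Prints y, m or n for
# bool/tristate options, the right-hand side as written (quotes included)
# for string/int options, and returns 1 when FILE is unreadable or does not
# mention NAME at all, so "unknown" is never confused with "disabled".
kconfig_state()
{
    local name="$1" file="$2" line

    [ -r "$file" ] || return 1

    case "$file" in
    *.gz) line=$(gzip -dc "$file" | grep -E "^(# )?$name(=| is not set)" | head -n 1) ;;
    *)    line=$(grep -E "^(# )?$name(=| is not set)" "$file" | head -n 1) ;;
    esac

    case "$line" in
    "")                   return 1 ;;
    "$name=y")            echo y ;;
    "$name=m")            echo m ;;
    "# $name is not set") echo n ;;
    *)                    echo "${line#*=}" ;;
    esac
}

is_builtin() { [ "$(kconfig_state "$1" "$2")" = y ]; }
is_module()  { [ "$(kconfig_state "$1" "$2")" = m ]; }
is_enabled() { is_builtin "$1" "$2" || is_module "$1" "$2"; }

# ima_runtime_present [SECURITYFS]
# The alternative Cyril describes: ask the kernel that is actually running.
# IMA exports its interface under <securityfs>/ima once securityfs is
# mounted, so the measurement list existing there is ground truth; a stale
# /boot/config-* left over from a kexec'ed kernel cannot fake it either way.
# The mountpoint default is an assumption; LTP resolves it via mount_helper.
ima_runtime_present()
{
    [ -e "${1:-/sys/kernel/security}/ima/ascii_runtime_measurements" ]
}

# make_sample_config DIR
# Writes a constructed sample config (not a real distro file) in both plain
# and gzipped form so the helpers can be exercised without touching the host.
make_sample_config()
{
    cat > "$1/config-sample" <<'EOF'
CONFIG_IMA=y
# CONFIG_IMA_APPRAISE is not set
CONFIG_IMA_DEFAULT_HASH="sha256"
CONFIG_INTEGRITY_ASYMMETRIC_KEYS=m
EOF
    gzip -c "$1/config-sample" > "$1/config.gz"
}

# Stand-alone demo: the config file says IMA is built in, but only the
# running kernel can confirm it.
demo()
{
    local dir cfg
    dir=$(mktemp -d) || return 1
    make_sample_config "$dir"

    for cfg in "$dir/config-sample" "$dir/config.gz"; do
        echo "$cfg: CONFIG_IMA=$(kconfig_state CONFIG_IMA "$cfg")" \
             "CONFIG_IMA_APPRAISE=$(kconfig_state CONFIG_IMA_APPRAISE "$cfg")"
    done

    if is_builtin CONFIG_IMA "$dir/config-sample" && ! ima_runtime_present; then
        echo "config claims CONFIG_IMA=y but the running kernel exposes no ima/ directory"
    fi
    rm -rf "$dir"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh example.sh demo`. The lookup helpers are fine for the TINFO output the thread settles on; a test that must decide whether to run should call something like ima_runtime_present and treat a missing interface as TCONF, which is the point Cyril makes.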
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh index 56c4d5245..fa2b5337d 100644 --- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh +++ b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh @@ -64,6 +64,21 @@ mount_loop_device() cd mntpoint } +print_ima_config() +{ + local config="/boot/config-$(uname -r)" + local i + + tst_res TINFO "/proc/cmdline: $(cat /proc/cmdline)" + + if [ -r "$config" ]; then + tst_res TINFO "IMA kernel config" + for i in $(grep ^CONFIG_IMA $config); do + tst_res TINFO "$i" + done + fi +} + ima_setup() { SECURITYFS="$(mount_helper securityfs $SYSFS/kernel/security)" @@ -73,6 +88,8 @@ ima_setup() ASCII_MEASUREMENTS="$IMA_DIR/ascii_runtime_measurements" BINARY_MEASUREMENTS="$IMA_DIR/binary_runtime_measurements" + print_ima_config + if [ "$TST_NEEDS_DEVICE" = 1 ]; then tst_res TINFO "\$TMPDIR is on tmpfs => run on loop device" mount_loop_device
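Review bot: the new `print_ima_config` call in ima_setup() is placed after `SECURITYFS="$(mount_helper securityfs $SYSFS/kernel/security)"` and the IMA_DIR/ASCII_MEASUREMENTS/BINARY_MEASUREMENTS assignments, so the cmdline and config output this patch adds for debugging is only reached once that part of setup has already succeeded. print_ima_config() reads nothing but /proc/cmdline and /boot/config-*, so it can be the first statement of ima_setup(); then the config is still logged when setup breaks before this point, which is when the information is most useful.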
Useful for debugging

Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
Adding one more commit as it's useful to see config (due to problems with test order).

Petr
---
 .../kernel/security/integrity/ima/tests/ima_setup.sh | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)