[RFC,v3,02/10] security/ima: Change order of tests

Message ID 20180419195503.7194-3-pvorel@suse.cz
State Accepted
Delegated to: Petr Vorel
Series Rewrite tests into new API + fixes

Commit Message

Petr Vorel April 19, 2018, 7:54 p.m. UTC
Unfortunately, in some circumstances there are interdependencies between
tests.
The measurements test requires a loaded IMA policy. If it's not loaded, the policy
test does it for us => run the measurements test after the policy test.

The policy test somehow breaks the violations test => run it before the policy test.
TODO: this does not help if CONFIG_IMA_WRITE_POLICY=y and without the auditd
daemon. Maybe we should require auditd for the violation tests.

Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
Is it caused by using an unsigned policy?
This problem hasn't been solved by avoiding tmpfs.
---
 runtest/ima | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

Comments

Petr Vorel April 24, 2018, 6:09 p.m. UTC | #1
Hi,

> Unfortunately, in some circumstances there are interdependencies between
> tests.
> The measurements test requires a loaded IMA policy. If it's not loaded, the policy
> test does it for us => run the measurements test after the policy test.

> The policy test somehow breaks the violations test => run it before the policy test.
> TODO: this does not help if CONFIG_IMA_WRITE_POLICY=y and without the auditd
> daemon. Maybe we should require auditd for the violation tests.
...
> +++ b/runtest/ima
> @@ -1,5 +1,5 @@
>  #DESCRIPTION:Integrity Measurement Architecture (IMA)
> -ima_measurements ima_measurements.sh
> +ima_violations ima_violations.sh
>  ima_policy ima_policy.sh
> +ima_measurements ima_measurements.sh
>  ima_tpm ima_tpm.sh
> -ima_violations ima_violations.sh

I don't want to apply this patch any more. The behavior depends on the ima_policy
settings.

What is a meaningful setup for testing anyway? I suppose at least some tests need
to have some policy set (ima_policy=tbc ?).

Without this patch and with no ima_policy, the ima_measurements.sh test fails; it needs to
be skipped.

Kind regards,
Petr
Mimi Zohar April 26, 2018, 2:32 p.m. UTC | #2
On Tue, 2018-04-24 at 20:09 +0200, Petr Vorel wrote:
> Hi,
> 
> > Unfortunately, in some circumstances there are interdependencies between
> > tests.
> > The measurements test requires a loaded IMA policy. If it's not loaded, the policy
> > test does it for us => run the measurements test after the policy test.
> 
> > The policy test somehow breaks the violations test => run it before the policy test.
> > TODO: this does not help if CONFIG_IMA_WRITE_POLICY=y and without the auditd
> > daemon. Maybe we should require auditd for the violation tests.
> ...
> > +++ b/runtest/ima
> > @@ -1,5 +1,5 @@
> >  #DESCRIPTION:Integrity Measurement Architecture (IMA)
> > -ima_measurements ima_measurements.sh
> > +ima_violations ima_violations.sh
> >  ima_policy ima_policy.sh
> > +ima_measurements ima_measurements.sh
> >  ima_tpm ima_tpm.sh
> > -ima_violations ima_violations.sh
> 
> I don't want to apply this patch any more. The behavior depends on the ima_policy
> settings.
> 
> What is a meaningful setup for testing anyway? I suppose at least some tests need
> to have some policy set (ima_policy=tbc ?).
> 
> Without this patch and with no ima_policy, the ima_measurements.sh test fails; it needs to
> be skipped.

The original tests assumed a builtin IMA-measurement policy.  Either
the boot command line "ima_tcb" or "ima_policy=tcb" options should
work.  When checking the "ima_policy" for "tcb", it could be specified
anywhere in the list of builtin policies (e.g.
ima_policy=appraise_tcb|secure_boot|ima).

Mimi
Mimi Zohar April 26, 2018, 4:20 p.m. UTC | #3
On Thu, 2018-04-26 at 10:32 -0400, Mimi Zohar wrote:
> On Tue, 2018-04-24 at 20:09 +0200, Petr Vorel wrote:

[...]
> The original tests assumed a builtin IMA-measurement policy.  Either
> the boot command line "ima_tcb" or "ima_policy=tcb" options should
> work.  When checking the "ima_policy" for "tcb", it could be specified
> anywhere in the list of builtin policies (e.g.
> ima_policy=appraise_tcb|secure_boot|ima).

oops, ima_policy=appraise_tcb|secure_boot|tcb.

Mimi
Petr Vorel April 27, 2018, 12:03 a.m. UTC | #4
Hi Mimi,

> On Thu, 2018-04-26 at 10:32 -0400, Mimi Zohar wrote:
> > On Tue, 2018-04-24 at 20:09 +0200, Petr Vorel wrote:

> [...]
> > The original tests assumed a builtin IMA-measurement policy.  Either
> > the boot command line "ima_tcb" or "ima_policy=tcb" options should
> > work.  When checking the "ima_policy" for "tcb", it could be specified
> > anywhere in the list of builtin policies (e.g.
> > ima_policy=appraise_tcb|secure_boot|ima).

> oops, ima_policy=appraise_tcb|secure_boot|tcb.
Thanks for the clarification. I'll grep /proc/cmdline for it in ima_setup.sh and TCONF if it's not met (I suppose this requirement/assumption is for all 4 tests).

> Mimi


Kind regards,
Petr
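A check of the kind Petr describes above (grep /proc/cmdline in ima_setup.sh and TCONF when the builtin tcb policy is missing), written as an added example rather than LTP's own code. It follows Mimi's description: either the legacy "ima_tcb" option or "tcb" as one '|'-separated entry of "ima_policy=", and it deliberately does not accept "appraise_tcb" as a match. The command line is passed as an argument so the check runs on constructed input; the ima_require_tcb_policy helper and its message text are assumptions.

```shell
#!/bin/sh
# Added example, not LTP's ima_setup.sh: detect the builtin IMA "tcb" measurement
# policy on the kernel command line, given either as the legacy "ima_tcb" option
# or as one '|'-separated entry of "ima_policy=...". The command line is passed
# as $1 so the check runs on constructed input; callers pass "$(cat /proc/cmdline)".

ima_tcb_policy_present()
{
	for word in $1; do
		case "$word" in
		ima_tcb)
			# legacy spelling of ima_policy=tcb
			return 0 ;;
		ima_policy=*)
			old_ifs="$IFS"
			IFS='|'
			# compare whole entries: "appraise_tcb" is a different builtin policy
			for entry in ${word#ima_policy=}; do
				if [ "$entry" = "tcb" ]; then
					IFS="$old_ifs"
					return 0
				fi
			done
			IFS="$old_ifs" ;;
		esac
	done
	return 1
}

# Hypothetical setup helper; 32 is LTP's TCONF exit code (LTP's shell API
# would report this with tst_brk TCONF instead of echo/return).
ima_require_tcb_policy()
{
	ima_tcb_policy_present "$(cat /proc/cmdline)" && return 0
	echo "TCONF: builtin IMA tcb policy not enabled (need ima_tcb or ima_policy=...|tcb)"
	return 32
}

# Constructed sample command line for a stand-alone run.
SAMPLE_CMDLINE="BOOT_IMAGE=/vmlinuz root=/dev/sda1 ima_policy=appraise_tcb|secure_boot|tcb quiet"
ima_tcb_policy_present "$SAMPLE_CMDLINE" && echo "tcb policy present" || echo "tcb policy absent"
```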

Patch

diff --git a/runtest/ima b/runtest/ima
index bcae16bb7..e7824a62a 100644
--- a/runtest/ima
+++ b/runtest/ima
@@ -1,5 +1,5 @@ 
 #DESCRIPTION:Integrity Measurement Architecture (IMA)
-ima_measurements ima_measurements.sh
+ima_violations ima_violations.sh
 ima_policy ima_policy.sh
+ima_measurements ima_measurements.sh
 ima_tpm ima_tpm.sh
-ima_violations ima_violations.sh
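Review bot: the new order in runtest/ima encodes the two dependencies from the commit message (ima_measurements needs the policy that ima_policy.sh loads; ima_violations breaks once ima_policy.sh has run) without recording them anywhere in the file, so a later reordering would silently bring the failures back. Add a comment after the "#DESCRIPTION:" line stating that ima_violations must run before ima_policy and ima_measurements after it. As the commit message itself notes, ordering does not help with CONFIG_IMA_WRITE_POLICY=y and no auditd, and the thread concludes that the tests should instead check /proc/cmdline for the builtin tcb policy and TCONF when it is absent; with that check in place the order dependency on ima_policy.sh for ima_measurements goes away.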