From patchwork Thu Apr 19 19:54:56 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Petr Vorel X-Patchwork-Id: 901461 X-Patchwork-Delegate: petr.vorel@gmail.com Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (mailfrom) smtp.mailfrom=lists.linux.it (client-ip=213.254.12.146; helo=picard.linux.it; envelope-from=ltp-bounces+incoming=patchwork.ozlabs.org@lists.linux.it; receiver=) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=suse.cz Received: from picard.linux.it (picard.linux.it [213.254.12.146]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 40RqV42lrYz9s3F for ; Fri, 20 Apr 2018 05:55:40 +1000 (AEST) Received: from picard.linux.it (localhost [IPv6:::1]) by picard.linux.it (Postfix) with ESMTP id DAED43E771C for ; Thu, 19 Apr 2018 21:55:37 +0200 (CEST) X-Original-To: ltp@lists.linux.it Delivered-To: ltp@picard.linux.it Received: from in-4.smtp.seeweb.it (in-4.smtp.seeweb.it [IPv6:2001:4b78:1:20::4]) by picard.linux.it (Postfix) with ESMTP id 159CD3E7687 for ; Thu, 19 Apr 2018 21:55:26 +0200 (CEST) Received: from mx2.suse.de (mx2.suse.de [195.135.220.15]) (using TLSv1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by in-4.smtp.seeweb.it (Postfix) with ESMTPS id 9F5DD1000C2B for ; Thu, 19 Apr 2018 21:55:25 +0200 (CEST) Received: from relay1.suse.de (charybdis-ext.suse.de [195.135.220.254]) by mx2.suse.de (Postfix) with ESMTP id 34013ADE9; Thu, 19 Apr 2018 19:55:25 +0000 (UTC) From: Petr Vorel To: ltp@lists.linux.it Date: Thu, 19 Apr 2018 21:54:56 +0200 Message-Id: <20180419195503.7194-4-pvorel@suse.cz> X-Mailer: git-send-email 2.16.3 In-Reply-To: <20180419195503.7194-1-pvorel@suse.cz> References: <20180419195503.7194-1-pvorel@suse.cz> X-Virus-Scanned: clamav-milter 0.99.2 at in-4.smtp.seeweb.it X-Virus-Status: Clean X-Spam-Status: No, score=-0.0 required=7.0 tests=SPF_PASS autolearn=disabled version=3.4.0 X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on in-4.smtp.seeweb.it Cc: linux-integrity@vger.kernel.org, Mimi Zohar Subject: [LTP] [RFC PATCH v3 03/10] ima/ima_policy.sh: Improve check of policy writability X-BeenThere: ltp@lists.linux.it X-Mailman-Version: 2.1.18 Precedence: list List-Id: Linux Test Project List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: ltp-bounces+incoming=patchwork.ozlabs.org@lists.linux.it Sender: "ltp" + merge test3 into test2 as we test multiple writes already in test2. Kernel without CONFIG_IMA_WRITE_POLICY is not possible to repeat writing into policy. Add check to TCONF in this case. It's not easy to detect disabled CONFIG_IMA_WRITE_POLICY for different behavior across kernel versions. On older kernels (before CONFIG_IMA_WRITE_POLICY enabled) or on new ones with enabled both CONFIG_IMA_READ_POLICY and CONFIG_IMA_WRITE_POLICY policy file after writing disappears. Kernels with enabled CONFIG_IMA_READ_POLICY and (regardless of CONFIG_IMA_WRITE_POLICY) keeps policy file with the same permissions 600. The only way to detect is is to echo empty string into policy and detect errno: | OLD | WRITE | READ && !WRITE | !READ && !WRITE ------------------------------------------------------------------ before | ENOENT | exit code 0 | exit code 0 | exit code 0 after | EACCES | exit code 0 | EBUSY | EACCES OLD: kernels before CONFIG_IMA_WRITE_POLICY introduced (kernel < 4.5) READ: CONFIG_IMA_READ_POLICY WRITE: CONFIG_IMA_WRITE_POLICY Signed-off-by: Petr Vorel Signed-off-by: Petr Vorel --- .../security/integrity/ima/tests/ima_policy.sh | 38 ++++++++++------------ 1 file changed, 17 insertions(+), 21 deletions(-) diff --git a/testcases/kernel/security/integrity/ima/tests/ima_policy.sh b/testcases/kernel/security/integrity/ima/tests/ima_policy.sh index 2efa90038..35eb4055b 100755 --- a/testcases/kernel/security/integrity/ima/tests/ima_policy.sh +++ b/testcases/kernel/security/integrity/ima/tests/ima_policy.sh @@ -20,15 +20,24 @@ # Test replacing the default integrity measurement policy. TST_SETUP="setup" -TST_CNT=3 +TST_CNT=2 . ima_setup.sh +check_policy_writable() +{ + local err="IMA policy already loaded and kernel not configured to enable multiple writes to it (need CONFIG_IMA_WRITE_POLICY=y)" + + [ -f /sys/kernel/security/ima/policy ] || tst_brk TCONF "$err" + # CONFIG_IMA_READ_POLICY + echo "" 2> log > $IMA_POLICY + grep -q "Device or resource busy" log && tst_brk TCONF "$err" +} + setup() { IMA_POLICY="$IMA_DIR/policy" - [ -f $IMA_POLICY ] || \ - tst_brk TCONF "IMA policy already loaded and kernel not configured to enable multiple writes it" + check_policy_writable VALID_POLICY="$TST_DATAROOT/measure.policy" [ -f $VALID_POLICY ] || tst_brk TCONF "missing $VALID_POLICY" @@ -68,6 +77,7 @@ test1() local p1 + check_policy_writable load_policy $INVALID_POLICY & p1=$! wait "$p1" if [ $? -ne 0 ]; then @@ -79,10 +89,11 @@ test1() test2() { - tst_res TINFO "verify that policy file is not opened concurrently" + tst_res TINFO "verify that policy file is not opened concurrently and able to loaded multiple times" local p1 p2 rc1 rc2 + check_policy_writable load_policy $VALID_POLICY & p1=$! load_policy $VALID_POLICY & p2=$! wait "$p1"; rc1=$? @@ -90,24 +101,9 @@ test2() if [ $rc1 -eq 0 ] && [ $rc2 -eq 0 ]; then tst_res TFAIL "policy opened concurrently" elif [ $rc1 -eq 0 ] || [ $rc2 -eq 0 ]; then - tst_res TPASS "policy was loaded just by one process" - else - tst_res TFAIL "problem loading policy" - fi -} - -test3() -{ - tst_res TINFO "verify that invalid policy isn't loaded" - - local p1 - - load_policy $INVALID_POLICY & p1=$! - wait "$p1" - if [ $? -ne 0 ]; then - tst_res TPASS "didn't replace valid policy" + tst_res TPASS "policy was loaded just by one process and able to loaded multiple times" else - tst_res TFAIL "replaced valid policy" + tst_res TFAIL "problem with loading policy (policy should be able to load multiple times)" fi }