[v2,7/8] ima_violations.sh: Check for a required policy

Message ID	20241213222014.1580991-8-pvorel@suse.cz
State	Changes Requested
Headers	show Return-Path: <ltp-bounces+incoming=patchwork.ozlabs.org@lists.linux.it> From: Petr Vorel <pvorel@suse.cz> To: ltp@lists.linux.it Date: Fri, 13 Dec 2024 23:20:13 +0100 Message-ID: <20241213222014.1580991-8-pvorel@suse.cz> In-Reply-To: <20241213222014.1580991-1-pvorel@suse.cz> References: <20241213222014.1580991-1-pvorel@suse.cz> MIME-Version: 1.0 default: False [-6.80 / 50.00]; REPLY(-4.00)[]; BAYES_HAM(-3.00)[99.99%]; MID_CONTAINS_FROM(1.00)[]; NEURAL_HAM_LONG(-1.00)[-1.000]; R_MISSING_CHARSET(0.50)[]; NEURAL_HAM_SHORT(-0.20)[-1.000]; MIME_GOOD(-0.10)[text/plain]; MIME_TRACE(0.00)[0:+]; TO_DN_SOME(0.00)[]; RCVD_VIA_SMTP_AUTH(0.00)[]; ARC_NA(0.00)[]; DKIM_SIGNED(0.00)[suse.cz:s=susede2_rsa,suse.cz:s=susede2_ed25519]; FUZZY_BLOCKED(0.00)[rspamd.com]; FROM_EQ_ENVFROM(0.00)[]; FROM_HAS_DN(0.00)[]; RCPT_COUNT_THREE(0.00)[4]; DBL_BLOCKED_OPENRESOLVER(0.00)[imap1.dmz-prg2.suse.org:helo]; RCVD_COUNT_TWO(0.00)[2]; TO_MATCH_ENVRCPT_ALL(0.00)[]; RCVD_TLS_ALL(0.00)[] Subject: [LTP] [PATCH v2 7/8] ima_violations.sh: Check for a required policy Precedence: list Cc: linux-integrity@vger.kernel.org Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: ltp-bounces+incoming=patchwork.ozlabs.org@lists.linux.it Sender: "ltp" <ltp-bounces+incoming=patchwork.ozlabs.org@lists.linux.it>
Series	LTP tests: load predefined policy, enhancements \| expand [v2,0/8] LTP tests: load predefined policy, enhancements [v2,1/8] IMA: Add TCB policy as an example for ima_measurements.sh [v2,2/8] ima_setup.sh: Allow to load predefined policy [v2,3/8] tst_test.sh: IMA: Allow to disable LSM warnings and use it for IMA [v2,4/8] ima_setup: Print warning when policy not readable [v2,5/8] ima_kexec.sh: Move checking policy if readable to ima_setup.sh [v2,6/8] IMA: Add example policy for ima_violations.sh [v2,7/8] ima_violations.sh: Check for a required policy [v2,8/8,RFC] ima_kexec.sh: Relax result on unreadable policy to TCONF

Message ID

20241213222014.1580991-8-pvorel@suse.cz

State

Changes Requested

Headers

From: Petr Vorel <pvorel@suse.cz>
To: ltp@lists.linux.it
Date: Fri, 13 Dec 2024 23:20:13 +0100
Message-ID: <20241213222014.1580991-8-pvorel@suse.cz>
In-Reply-To: <20241213222014.1580991-1-pvorel@suse.cz>
References: <20241213222014.1580991-1-pvorel@suse.cz>
MIME-Version: 1.0
Subject: [LTP] [PATCH v2 7/8] ima_violations.sh: Check for a required policy
Precedence: list
Cc: linux-integrity@vger.kernel.org
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: ltp-bounces+incoming=patchwork.ozlabs.org@lists.linux.it
Sender: "ltp" <ltp-bounces+incoming=patchwork.ozlabs.org@lists.linux.it>

Series

LTP tests: load predefined policy, enhancements | expand

Add check for ^func=FILE_CHECK' Signed-off-by: Petr Vorel <pvorel@suse.cz> Signed-off-by: Petr Vorel <pvorel@suse.cz> --- .../kernel/security/integrity/ima/tests/ima_violations.sh | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-)

Comments

Mimi Zohar Dec. 31, 2024, 3:42 a.m. UTC | #1

Hi Petr,

On Fri, 2024-12-13 at 23:20 +0100, Petr Vorel wrote:
> Add check for ^func=FILE_CHECK'
> 
> Signed-off-by: Petr Vorel <pvorel@suse.cz>
> 
> Signed-off-by: Petr Vorel <pvorel@suse.cz>
> ---
>  .../kernel/security/integrity/ima/tests/ima_violations.sh    | 5 ++++-
>  1 file changed, 4 insertions(+), 1 deletion(-)
> 
> diff --git a/testcases/kernel/security/integrity/ima/tests/ima_violations.sh b/testcases/kernel/security/integrity/ima/tests/ima_violations.sh
> index 0f710dea2e..73b9fe6f30 100755
> --- a/testcases/kernel/security/integrity/ima/tests/ima_violations.sh
> +++ b/testcases/kernel/security/integrity/ima/tests/ima_violations.sh
> @@ -1,7 +1,7 @@
>  #!/bin/sh
>  # SPDX-License-Identifier: GPL-2.0-or-later
>  # Copyright (c) 2009 IBM Corporation
> -# Copyright (c) 2018-2020 Petr Vorel <pvorel@suse.cz>
> +# Copyright (c) 2018-2024 Petr Vorel <pvorel@suse.cz>
>  # Author: Mimi Zohar <zohar@linux.ibm.com>
>  #
>  # Test whether ToMToU and open_writer violations invalidatethe PCR and are logged.
> @@ -9,6 +9,7 @@
>  TST_SETUP="setup"
>  TST_CLEANUP="cleanup"
>  TST_CNT=3
> +REQUIRED_POLICY='^func=FILE_CHECK'

The first field of an IMA policy rule is the 'action', followed by the
condition. Use "func=FILE_CHECK" instead.

thanks,

Mimi

>  
>  setup()
>  {
> @@ -17,6 +18,8 @@ setup()
>  	LOG="/var/log/messages"
>  	PRINTK_RATE_LIMIT=
>  
> +	require_ima_policy_content_if_readable "$REQUIRED_POLICY"
> +
>  	if status_daemon auditd; then
>  		LOG="/var/log/audit/audit.log"
>  	elif tst_check_cmds sysctl; then

diff --git a/testcases/kernel/security/integrity/ima/tests/ima_violations.sh b/testcases/kernel/security/integrity/ima/tests/ima_violations.sh
index 0f710dea2e..73b9fe6f30 100755
--- a/testcases/kernel/security/integrity/ima/tests/ima_violations.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_violations.sh
@@ -1,7 +1,7 @@ 
 #!/bin/sh
 # SPDX-License-Identifier: GPL-2.0-or-later
 # Copyright (c) 2009 IBM Corporation
-# Copyright (c) 2018-2020 Petr Vorel <pvorel@suse.cz>
+# Copyright (c) 2018-2024 Petr Vorel <pvorel@suse.cz>
 # Author: Mimi Zohar <zohar@linux.ibm.com>
 #
 # Test whether ToMToU and open_writer violations invalidatethe PCR and are logged.
@@ -9,6 +9,7 @@ 
 TST_SETUP="setup"
 TST_CLEANUP="cleanup"
 TST_CNT=3
+REQUIRED_POLICY='^func=FILE_CHECK'
 
 setup()
 {
@@ -17,6 +18,8 @@  setup()
 	LOG="/var/log/messages"
 	PRINTK_RATE_LIMIT=
 
+	require_ima_policy_content_if_readable "$REQUIRED_POLICY"
+
 	if status_daemon auditd; then
 		LOG="/var/log/audit/audit.log"
 	elif tst_check_cmds sysctl; then

[v2,7/8] ima_violations.sh: Check for a required policy

Commit Message

Comments

Patch