[LTP] [PATCH] security/ima: limit the scope of the LTP policy rules based on the UUID

Mimi Zohar zohar@linux.ibm.com
Fri Dec 16 00:29:16 CET 2022


On Thu, 2022-12-15 at 19:39 +0100, Petr Vorel wrote:
> Hi Mimi,
> 
> I'm sorry, it took me a long time to look into the issue.
> 
> > Only the ima_conditionals.sh and ima_policy.sh tests define policy
> > rules based on fsuuid.  The other tests are still based on the builtin
> > "ima_policy=tcb" rules.
> Yes.

< trimmed >

> 4) running ima_violations.sh after ima_policy.sh no longer works, because
> there is nothing new in /var/log/audit/audit.log. I don't know why, but
> ima_violations.sh requires either the default ima_policy=tcb policy or policy
> created by ima_policy.sh *without* fsuuid.

Violations occur when a file in policy is already opened for read and
is being opened for write, or the reverse.  After the builtin policy is
replaced with the custom policy based on the UUID, running the
violation test fails because the UUID is reset by the call to
ima_setup().  So the file being opened doesn't match any policy rule.

> FYI below is content of /var/log/audit/audit.log.
> 
> Also looking at things twice, fsuuid does not help testing much.
> Because the main blocker for testing is not the scope of the policy, but the write-once
> policy - CONFIG_IMA_WRITE_POLICY not being set on distro kernels, thus repeated
> writes of the policy will need a reboot.

Oh, I didn't realize this.  Fedora (and RHEL) enable
CONFIG_IMA_WRITE_POLICY.

> Rebooting actually might be possible sooner or later with the new runltp-ng from
> Andrea [1] (the feature is not here yet, but will be sooner or later). runltp-ng
> is close to upstream; there was a first attempt [2].

Let's try to avoid this solution as much as possible.

> Other option would be to prepare policy which would be suitable for all tests,
> with help of fsuuid.

Ok, I'll look into this.

> But that has a drawback:
> Currently we use the LTP API to mount directories on a loop device after the test has started.
> These devices are temporary, e.g.
> /tmp/LTP_ima_violations.pEvyfJO7Af/mntpoint/test.txt will be unmounted and
> deleted after each test run. But for fsuuid we'd need to first permanently
> mount the devices to get their UUID. Therefore there would have to be some
> special setup script that needs to be run for all tests. This has proven to be
> problematic in the past. I'd have to extend the API to create something permanent.

Instead of ima_setup() setting the UUID to a new different value, if
additional rules cannot be written (require_policy_writable) the UUID
could be set to the existing policy rules UUID.

Thanks,

Mimi
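As an added illustration of the fallback proposed above (example code, not from the thread or from LTP's ima_setup()), a POSIX shell sketch of the UUID choice: when the loaded policy can still be extended, the test mount gets a freshly generated UUID; when the policy is write-once, the fsuuid already present in the loaded rules is reused. The sample policy text is constructed, and the caller is assumed to supply the writability decision (the thread names require_policy_writable for that).

```shell
#!/bin/sh
# Added example, not LTP code: decide which fsuuid an IMA test mount should
# carry so that the file being opened still matches a loaded policy rule.

# Constructed sample of /sys/kernel/security/ima/policy after UUID-scoped
# rules were loaded; the UUID value is made up.
SAMPLE_POLICY='dont_measure fsmagic=0x9fa0
measure func=FILE_CHECK mask=^MAY_READ fsuuid=7a3e1c5f-1234-4d2b-9e7f-0123456789ab uid=0
appraise func=FILE_CHECK fsuuid=7a3e1c5f-1234-4d2b-9e7f-0123456789ab'

# Print the first fsuuid referenced by the given policy text (empty if none).
policy_fsuuid() {
    printf '%s\n' "$1" \
        | sed -n 's/.*fsuuid=\([0-9a-fA-F-]\{36\}\).*/\1/p' \
        | head -n 1
}

# $1: policy text as read from securityfs
# $2: 1 if more rules can be written (CONFIG_IMA_WRITE_POLICY), else 0
# $3: freshly generated UUID to use when the policy is still writable
# Prints the UUID to set on the loop device; returns 1 when the policy is
# write-once and contains no fsuuid rule to reuse.
choose_fsuuid() {
    if [ "$2" = 1 ]; then
        printf '%s\n' "$3"
        return 0
    fi
    existing=$(policy_fsuuid "$1")
    if [ -z "$existing" ]; then
        return 1
    fi
    printf '%s\n' "$existing"
}
```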

