[LTP] [RFC PATCH v3 00/10] Rewrite tests into new API + fixes

Petr Vorel pvorel@suse.cz
Fri Apr 27 11:51:40 CEST 2018


Hi,

> changes v2->v3:
> * Fixed some of the errors caused by test order.

> * ima_boot_aggregate
>   - max event size is now 1MB according to spec

> * ima_mmap
>   - reduce sleep + log it
>   - rewritten into new API

> * ima_measurements.sh
>   - don't require iversion for kernel >= 4.16
>   - avoid using tmpfs

> * ima_policy.sh
>   - improved detection of policy writability
>   - merge test2 and test3

> * ima_violations.sh
>   - avoid using tmpfs
>   - improved grepping logs (no sleep is needed)

> * ima_tpm.sh
>   - Improve error messages

> TODO:
> * fix problems with violations tests (see patch 02/10).
> * detect whether policy must be signed (currently tests assume the
> policy does not need to be signed):
> https://lists.linux.it/pipermail/ltp/2018-April/007702.html
> http://lists.linux.it/pipermail/ltp/2018-January/006970.html

Merged. See diff against v3, if interested.
Thanks a lot Mimi for your comments, tips and review.

TODO:

* detect whether policy must be signed (currently tests assume the
policy does not need to be signed):
https://lists.linux.it/pipermail/ltp/2018-April/007702.html
http://lists.linux.it/pipermail/ltp/2018-January/006970.html

* ima_violations are failing on logging into /var/log/messages (without auditd):

tst_device.c:83: INFO: Found free device '/dev/loop0'
ima_violations 1 TINFO: /proc/cmdline: BOOT_IMAGE=/vmlinuz-4.10.0-rc6-kaiser root=/dev/mapper/debian--testing--vg-root ro quiet ima_policy=secure_boot
ima_violations 1 TINFO: IMA kernel config
ima_violations 1 TINFO: CONFIG_IMA=y
ima_violations 1 TINFO: CONFIG_IMA_MEASURE_PCR_IDX=10
ima_violations 1 TINFO: CONFIG_IMA_LSM_RULES=y
ima_violations 1 TINFO: CONFIG_IMA_NG_TEMPLATE=y
ima_violations 1 TINFO: CONFIG_IMA_DEFAULT_TEMPLATE="ima-ng"
ima_violations 1 TINFO: CONFIG_IMA_DEFAULT_HASH_SHA1=y
ima_violations 1 TINFO: CONFIG_IMA_DEFAULT_HASH="sha1"
ima_violations 1 TINFO: CONFIG_IMA_WRITE_POLICY=y
ima_violations 1 TINFO: CONFIG_IMA_READ_POLICY=y
ima_violations 1 TINFO: CONFIG_IMA_APPRAISE=y
ima_violations 1 TINFO: CONFIG_IMA_TRUSTED_KEYRING=y
ima_violations 1 TINFO: CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y
ima_violations 1 TINFO: CONFIG_IMA_BLACKLIST_KEYRING=y
ima_violations 1 TINFO: $TMPDIR is on tmpfs => run on loop device
ima_violations 1 TINFO: Formatting /dev/loop0 with ext3 extra opts=''
ima_violations 1 TINFO: using log /var/log/messages
ima_violations 1 TINFO: verify open writers violation
ima_violations 1 TINFO: open_writers not found in /var/log/messages (1/3 attempt)...
ima_violations 1 TINFO: open_writers not found in /var/log/messages (2/3 attempt)...
ima_violations 1 TINFO: open_writers not found in /var/log/messages (3/3 attempt)...
ima_violations 1 TFAIL: open_writers not found in /var/log/messages
ima_violations 2 TINFO: verify ToMToU violation
ima_violations 2 TINFO: ToMToU not found in /var/log/messages (1/3 attempt)...
ima_violations 2 TINFO: ToMToU not found in /var/log/messages (2/3 attempt)...
ima_violations 2 TINFO: ToMToU not found in /var/log/messages (3/3 attempt)...
ima_violations 2 TFAIL: ToMToU not found in /var/log/messages
...
This is due to the previous test ima_policy running (when it is not
possible to write to the policy, e.g. second run of the testsuites on CONFIG_IMA_WRITE_POLICY=n,
it's ok).
I wonder if we should just TCONF when logging into /var/log/messages in combination with
the policy being writable (or TCONF when logging into /var/log/messages in any case).


* Check whether current policy has tcb (i.e. presence of "ima_tcb" or "tcb" being part of ima_policy in
/proc/cmdline) [1]. I wonder if we should TCONF all tests without tcb (some tests are
working

* Getting record with old kernels (tested on both deprecated ima_tbc and ima_policy=tcb):
ima_measurements 1 TINFO: /proc/cmdline: BOOT_IMAGE=/vmlinuz-3.10.0-693.2.2.el7.x86_64 root=/dev/mapper/centos-root ro crashkernel=auto rd.lvm.lv=centos/root rd.lvm.lv=centos/swap rhgb quiet ima_tbc
ima_measurements 1 TINFO: IMA kernel config:
ima_measurements 1 TINFO: CONFIG_IMA=y
ima_measurements 1 TINFO: CONFIG_IMA_MEASURE_PCR_IDX=10
ima_measurements 1 TINFO: CONFIG_IMA_AUDIT=y
ima_measurements 1 TINFO: CONFIG_IMA_LSM_RULES=y
ima_measurements 1 TINFO: CONFIG_IMA_APPRAISE=y
ima_measurements 1 TINFO: CONFIG_IMA_TRUSTED_KEYRING=y
ima_measurements 1 TINFO: verify adding record to the IMA measurement list
ima_measurements 1 TFAIL: cannot find measurement for '/tmp/netpan-1253/LTP_ima_measurements.P2uyOze2J4/test.txt'
awk: cmd. line:1: (FILENAME=- FNR=1) fatal: attempt to access field -1
ima_measurements 1 TINFO: computing hash for sha1 digest
ima_measurements 1 TFAIL: hash not found
ima_measurements 2 TINFO: verify updating record in the IMA measurement list
ima_measurements 2 TCONF: XFS Filesystem >= V5 required for iversion support
ima_measurements 3 TINFO: verify not measuring user files
ima_measurements 3 TPASS: grep /tmp/netpan-1253/LTP_ima_measurements.P2uyOze2J4/user/test.txt /sys/kernel/security/ima/ascii_runtime_measurements failed as expected

Not sure if this is caused by different IMA behavior in old kernels or due to configuration.

Kind regards,
Petr

[1] https://lists.linux.it/pipermail/ltp/2018-April/007906.html


Diff against v3:
diff --git runtest/ima runtest/ima
index e7824a62a..bcae16bb7 100644
--- runtest/ima
+++ runtest/ima
@@ -1,5 +1,5 @@
 #DESCRIPTION:Integrity Measurement Architecture (IMA)
-ima_violations ima_violations.sh
-ima_policy ima_policy.sh
 ima_measurements ima_measurements.sh
+ima_policy ima_policy.sh
 ima_tpm ima_tpm.sh
+ima_violations ima_violations.sh
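Review bot: The new order runs ima_violations after ima_policy, and the cover text above attributes the ima_violations failures on /var/log/messages to ima_policy having run first, so this ordering makes that failure the default outcome on systems without auditd. Since the order of entries in runtest/ima now affects results, add a comment line next to #DESCRIPTION stating that ima_policy changes the active policy and which tests depend on running before or after it, or make ima_violations detect the changed policy and report TCONF.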
diff --git testcases/kernel/security/integrity/ima/src/ima_boot_aggregate.c testcases/kernel/security/integrity/ima/src/ima_boot_aggregate.c
index 862cc07ba..f6e7be041 100644
--- testcases/kernel/security/integrity/ima/src/ima_boot_aggregate.c
+++ testcases/kernel/security/integrity/ima/src/ima_boot_aggregate.c
@@ -81,7 +81,7 @@ int main(int argc, char *argv[])
 	for (i = 0; i < NUM_PCRS; i++)
 		memset(&pcr[i].digest, 0, SHA_DIGEST_LENGTH);
 
-	event.data = (char *) malloc(MAX_EVENT_DATA_SIZE);
+	event.data = malloc(MAX_EVENT_DATA_SIZE);
 	if (!event.data) {
 		printf("Cannot allocate memory\n");
 		return 1;
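Review bot: The allocation-failure path in the context lines below the changed malloc() still reports with printf() to stdout, so the message is lost when only stderr is collected and is mixed into any output that gets parsed. While touching this line, consider fprintf(stderr, ...) or perror("malloc") there. Dropping the cast itself is fine for C.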
diff --git testcases/kernel/security/integrity/ima/tests/ima_policy.sh testcases/kernel/security/integrity/ima/tests/ima_policy.sh
index 1c4a0b922..64aa8cb7a 100755
--- testcases/kernel/security/integrity/ima/tests/ima_policy.sh
+++ testcases/kernel/security/integrity/ima/tests/ima_policy.sh
@@ -95,7 +95,7 @@ test2()
 	elif [ $rc1 -eq 0 ] || [ $rc2 -eq 0 ]; then
 		tst_res TPASS "policy was loaded just by one process and able to loaded multiple times"
 	else
-		tst_res TFAIL "problem with loading policy (policy should be able to load multiple times)"
+		tst_res TFAIL "problem loading or extending policy (may require policy to be signed)"
 	fi
 }
 
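Review bot: The else branch still reports TFAIL while the new message says the cause may be a configuration requirement (signed policy), which the TODO above lists as not yet detected. A failure that is really an unsupported configuration should end as TCONF once that detection exists; until then, include the values of $rc1 and $rc2 in the message so a reader of the log can tell a rejected write from a genuine regression. Also, the TPASS text in the context line ("able to loaded multiple times") has a grammar slip worth fixing in the same change.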
diff --git testcases/kernel/security/integrity/ima/tests/ima_setup.sh testcases/kernel/security/integrity/ima/tests/ima_setup.sh
index 03851167f..8ea7aec18 100644
--- testcases/kernel/security/integrity/ima/tests/ima_setup.sh
+++ testcases/kernel/security/integrity/ima/tests/ima_setup.sh
@@ -64,6 +64,21 @@ mount_loop_device()
 	cd mntpoint
 }
 
+print_ima_config()
+{
+	local config="/boot/config-$(uname -r)"
+	local i
+
+	tst_res TINFO "/proc/cmdline: $(cat /proc/cmdline)"
+
+	if [ -r "$config" ]; then
+		tst_res TINFO "IMA kernel config:"
+		for i in $(grep ^CONFIG_IMA $config); do
+			tst_res TINFO "$i"
+		done
+	fi
+}
+
 ima_setup()
 {
 	SECURITYFS="$(mount_helper securityfs $SYSFS/kernel/security)"
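Review bot: In print_ima_config, the loop "for i in $(grep ^CONFIG_IMA $config)" word-splits and glob-expands the grep output and leaves $config unquoted, so an option whose value contains a space would be printed as several TINFO lines. Prefer reading line by line, e.g. grep ^CONFIG_IMA "$config" | while read -r i; do tst_res TINFO "$i"; done. The function also prints nothing about the kernel config when /boot/config-$(uname -r) is not readable; a TINFO saying the config file was not found would make logs from such systems easier to interpret.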
@@ -73,14 +88,14 @@ ima_setup()
 	ASCII_MEASUREMENTS="$IMA_DIR/ascii_runtime_measurements"
 	BINARY_MEASUREMENTS="$IMA_DIR/binary_runtime_measurements"
 
+	print_ima_config
+
 	if [ "$TST_NEEDS_DEVICE" = 1 ]; then
 		tst_res TINFO "\$TMPDIR is on tmpfs => run on loop device"
 		mount_loop_device
 	fi
 
-	if [ -n "$TST_SETUP_CALLER" ]; then
-		$TST_SETUP_CALLER
-	fi
+	[ -n "$TST_SETUP_CALLER" ] && $TST_SETUP_CALLER
 }
 
 ima_cleanup()
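Review bot: Replacing the if block with [ -n "$TST_SETUP_CALLER" ] && $TST_SETUP_CALLER as the last statement changes the return status of ima_setup: when TST_SETUP_CALLER is empty the test fails and the function now returns 1, where the if form returned 0. If the caller checks the setup status or runs under set -e, tests without a setup caller would be treated as failed setup. Keep the if form, or append "|| true" or an explicit "return 0" only if the status of $TST_SETUP_CALLER is meant to be ignored as well.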
diff --git testcases/kernel/security/integrity/ima/tests/ima_tpm.sh testcases/kernel/security/integrity/ima/tests/ima_tpm.sh
index 0124c338f..0ffc3c022 100755
--- testcases/kernel/security/integrity/ima/tests/ima_tpm.sh
+++ testcases/kernel/security/integrity/ima/tests/ima_tpm.sh
@@ -69,7 +69,7 @@ validate_pcr()
 		grep 'HW PCR-10:' | awk '{print $3}')"
 	if [ -z "$aggregate_pcr" ]; then
 		tst_res TFAIL "failed to get PCR-10"
-		return
+		return 1
 	fi
 
 	while read line; do
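Review bot: The new "return 1" in validate_pcr only has an effect if the caller checks the function's status, which is not visible in this hunk; please confirm the call site stops or skips the dependent checks on failure rather than continuing after the TFAIL. In the context lines, "while read line" should be "while read -r line" so backslashes in the input are not interpreted, and the grep 'HW PCR-10:' | awk '{print $3}' pair can be a single awk '/HW PCR-10:/ {print $3}'.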

