[LTP] [PATCH] IMA: Check for ima-buf template is not required for keys tests
Lakshmi Ramasubramanian
nramas@linux.microsoft.com
Tue Feb 23 16:52:34 CET 2021
On 2/23/21 1:24 AM, Petr Vorel wrote:
Hi Petr,
>
>> ima-buf is the default IMA template used for all buffer measurements.
>> Therefore, IMA policy rule for measuring keys need not specify
>> an IMA template.
> Good catch. But was it alway?
> IMHO ima-buf as default was added in dea87d0889dd ("ima: select ima-buf template for buffer measurement") in v5.11-rc1.
For key measurements ima-buf template was required in the policy rule,
but with the above commit (dea87d0889dd) it was changed to ima-buf. So
we no longer need to specify the template in the policy.
> But test1() tests 450d0fd51564 ("IMA: Call workqueue functions to measure queued keys") from v5.6-rc1.
> Is it safe to ignore it?
Even when the key is queued for measurement, ima-buf template will be
used when the key is dequeued. Not sure if that answers your question.
> BTW template=ima-buf requirement was added in commit b0418c93f ("IMA/ima_keys.sh: Require template=ima-buf, fix grep pattern")
>
> Also, shouldn't we check that there is none of the other templates (e.g. template=ima-ng, ...)?
This is a good point - yes: we should check if no other template other
than ima-buf is specified in the policy rule for measuring keys.
>
>> Update keys tests to not check for ima template in the policy rule.
>
>> Signed-off-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
>> ---
>> This patch is based
>> in https://github.com/pevik/ltp/commits/ima/selinux.v2.draft
>> in branch ima/selinux.v2.draft.
>
>> testcases/kernel/security/integrity/ima/tests/ima_keys.sh | 5 ++---
>> 1 file changed, 2 insertions(+), 3 deletions(-)
>
>> diff --git a/testcases/kernel/security/integrity/ima/tests/ima_keys.sh b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh
>> index c9eef4b68..a3a7afbf7 100755
>> --- a/testcases/kernel/security/integrity/ima/tests/ima_keys.sh
>> +++ b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh
>> @@ -15,8 +15,7 @@ TST_CLEANUP=cleanup
>> . ima_setup.sh
>
>> FUNC_KEYCHECK='func=KEY_CHECK'
>> -TEMPLATE_BUF='template=ima-buf'
>> -REQUIRED_POLICY="^measure.*($FUNC_KEYCHECK.*$TEMPLATE_BUF|$TEMPLATE_BUF.*$FUNC_KEYCHECK)"
>> +REQUIRED_POLICY="^measure.*($FUNC_KEYCHECK)"
> nit: remove brackets:
> REQUIRED_POLICY="^measure.*$FUNC_KEYCHECK"
Sure - will remove that.
>
> There is
> testcases/kernel/security/integrity/ima/datafiles/ima_keys/keycheck.policy file,
> which should be a helper to load proper policy and needs to be updated as well:
> -measure func=KEY_CHECK keyrings=.ima|.evm|.builtin_trusted_keys|.blacklist|key_import_test template=ima-buf
> +measure func=KEY_CHECK keyrings=.ima|.evm|.builtin_trusted_keys|.blacklist|key_import_test
>
> I was also thinking to move keyrings to REQUIRED_POLICY, e.g.:
>
> KEYRINGS="keyrings=\.[a-z]+"
> REQUIRED_POLICY="^measure.*($FUNC_KEYCHECK.*$KEYRINGS|$KEYRINGS.*$FUNC_KEYCHECK)"
"keyrings=" is optional in the policy. If keyrings is specified it
should be checked.
thanks,
-lakshmi
>
>> setup()
>> {
>> @@ -33,7 +32,7 @@ check_keys_policy()
>> local pattern="$1"
>
>> if ! grep -E "$pattern" $TST_TMPDIR/policy.txt; then
>> - tst_res TCONF "IMA policy must specify $pattern, $FUNC_KEYCHECK, $TEMPLATE_BUF"
>> + tst_res TCONF "IMA policy must specify $pattern, $FUNC_KEYCHECK"
>> return 1
>> fi
>> return 0
More information about the ltp
mailing list