[LTP] [PATCH] IMA: Add test for selinux measurement
Lakshmi Ramasubramanian
nramas@linux.microsoft.com
Wed Feb 24 00:01:47 CET 2021
On 2/23/21 2:14 PM, Petr Vorel wrote:
>> On 2/23/21 10:00 AM, Petr Vorel wrote:
>
>
>>>> +++ b/testcases/kernel/security/integrity/ima/tests/ima_selinux.sh
>>> ...
>>>> +validate_policy_capabilities()
>>>> +{
>>>> + local measured_cap measured_value expected_value
>>>> + local result=1
>>>> + local inx=7
>>>> +
>>>> + # Policy capabilities flags start from "network_peer_controls"
>>>> + # in the measured SELinux state at offset 7 for 'awk'
>>>> + while [ $inx -lt 20 ]; do
>>>> + measured_cap=$(echo $1 | awk -F'[=;]' -v inx="$inx" '{print $inx}')
>>>> + inx=$(( $inx + 1 ))
>>>> +
>>>> + measured_value=$(echo $1 | awk -F'[=;]' -v inx="$inx" '{print $inx}')
>>>> + expected_value=$(cat "$SELINUX_DIR/policy_capabilities/$measured_cap")
>>>> + if [ "$measured_value" != "$expected_value" ];then
>>>> + tst_res TWARN "$measured_cap: expected: $expected_value, got: $digest"
>>> We rarely use TWARN in the tests, only when the error is not related to the test result.
>>> Otherwise we use TFAIL.
>> ok - I will change it to TFAIL.
> Thanks!
> But I've noticed that this error is handled twice, first in validate_policy_capabilities()
> as TWARN (or TFAIL) and then in test2(). Let's use TPASS/TFAIL in
> validate_policy_capabilities():
Sure - will make that change.
>
> validate_policy_capabilities()
> {
> local measured_cap measured_value expected_value
> local inx=7
>
> # Policy capabilities flags start from "network_peer_controls"
> # in the measured SELinux state at offset 7 for 'awk'
> while [ $inx -lt 20 ]; do
> measured_cap=$(echo $1 | awk -F'[=;]' -v inx="$inx" '{print $inx}')
> inx=$(($inx + 1))
>
> measured_value=$(echo $1 | awk -F'[=;]' -v inx="$inx" '{print $inx}')
> expected_value=$(cat "$SELINUX_DIR/policy_capabilities/$measured_cap")
> if [ "$measured_value" != "$expected_value" ]; then
> tst_res TFAIL "$measured_cap: expected: $expected_value, got: $digest"
> return
> fi
>
> inx=$(($inx + 1))
> done
>
> tst_res TPASS "SELinux state measured correctly"
> }
>
> test2()
> {
> ...
> validate_policy_capabilities $measured_data
> }
>
> ...
>>> As we discuss, I'm going tom merge test when patchset is merged in maintainers tree,
>>> please ping me. And ideally we should mention kernel commit hash as a comment in
>>> the test.
>> Will do. Thank you.
> Thanks!
>
> ...
>>> +++ testcases/kernel/security/integrity/ima/tests/ima_selinux.sh
>>> @@ -13,16 +13,14 @@ TST_SETUP="setup"
>>> . ima_setup.sh
>>> FUNC_CRITICAL_DATA='func=CRITICAL_DATA'
>>> -REQUIRED_POLICY="^measure.*($FUNC_CRITICAL_DATA)"
>>> +REQUIRED_POLICY="^measure.*$FUNC_CRITICAL_DATA"
>>> setup()
>>> {
>>> - SELINUX_DIR=$(tst_get_selinux_dir)
>>> - if [ -z "$SELINUX_DIR" ]; then
>>> - tst_brk TCONF "SELinux is not enabled"
>>> - return
>>> - fi
>>> + tst_require_selinux_enabled
>> Please correct me if I have misunderstood this one:
>
>> tst_require_selinux_enabled is checking if SELinux is enabled in "enforce"
>> mode. Would this check fail if SELinux is enabled in "permissive" mode?
>
>> For running the test, we just need SELinux to be enabled. I verify that by
>> checking for the presence of SELINUX_DIR.
>
> Good catch. Your original version is correct (put it back into ima/selinux.v2.fixes).
> I didn't put a helper for it, because you need $SELINUX_DIR anyway.
> Thus removed tst_require_selinux_enabled() as not needed.
Thanks
>
> I renamed tst_selinux_enabled() to tst_selinux_enforced() to make the purpose clearer
> (commit 82b598ea1 IMA: Add test for selinux measurement).
>
> I've updated branch ima/selinux.v2.fixes with all mentioned changes
> https://github.com/pevik/ltp/commits/ima/selinux.v2.fixes
>
Thanks again. I'll make my changes in this branch and post the patches
later this week.
-lakshmi
More information about the ltp
mailing list