[LTP] [PATCH] security/ima: limit the scope of the LTP policy rules based on the UUID

[Mimi Zohar]

On Mon, 2022-10-10 at 13:43 +0200, Petr Vorel wrote:
> Hi Mimi,
> 
> FYI I have problems with ima_violations.sh, when run whole runtest/ima:
> 
> tst_device.c:89: TINFO: Found free device 0 '/dev/loop0'
> ima_violations 1 TINFO: Formatting ext3 with opts='/dev/loop0'
> ima_violations 1 TINFO: Mounting device: mount -t ext3 /dev/loop0 /tmp/LTP_ima_violations.Og149san78/mntpoint
> ima_violations 1 TINFO: timeout per run is 0h 5m 0s
> ima_violations 1 TINFO: IMA kernel config:
> ima_violations 1 TINFO: CONFIG_IMA=y
> ima_violations 1 TINFO: CONFIG_IMA_MEASURE_PCR_IDX=10
> ima_violations 1 TINFO: CONFIG_IMA_LSM_RULES=y
> ima_violations 1 TINFO: CONFIG_IMA_NG_TEMPLATE=y
> ima_violations 1 TINFO: CONFIG_IMA_DEFAULT_TEMPLATE="ima-ng"
> ima_violations 1 TINFO: CONFIG_IMA_DEFAULT_HASH_SHA256=y
> ima_violations 1 TINFO: CONFIG_IMA_DEFAULT_HASH="sha256"
> ima_violations 1 TINFO: CONFIG_IMA_READ_POLICY=y
> ima_violations 1 TINFO: CONFIG_IMA_APPRAISE=y
> ima_violations 1 TINFO: CONFIG_IMA_APPRAISE_BOOTPARAM=y
> ima_violations 1 TINFO: CONFIG_IMA_APPRAISE_MODSIG=y
> ima_violations 1 TINFO: CONFIG_IMA_TRUSTED_KEYRING=y
> ima_violations 1 TINFO: CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y
> ima_violations 1 TINFO: CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS=y
> ima_violations 1 TINFO: CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS=y

> ima_violations 1 TINFO: /proc/cmdline: BOOT_IMAGE=/boot/vmlinuz-
> 5.19.12-1-default root=UUID=6de93d21-b5ed-4aa4-a9e4-00a7ab77c6d9
> splash=silent video=1024x768 plymouth.ignore-serial-consoles
> console=ttyS0 console=tty kernel.softlockup_panic=1
> resume=/dev/disk/by-uuid/570474ff-969e-41e6-883e-ecff2fd15015
> security=apparmor mitigations=auto ignore_loglevel lsm=integrity
> ima_policy=tcb

I would use either use the original "security=" or the new "lsm=" boot
command line option.

> ima_violations 1 TINFO: $TMPDIR is on tmpfs => run on loop device
> ima_violations 1 TINFO: LTP IMA policy rules based on fsuuid=7ab2cd65-3060-4dbc-b786-72703604a33e
> ima_violations 1 TINFO: using log /var/log/audit/audit.log
> ima_violations 1 TINFO: verify open writers violation
> ima_violations 1 TFAIL: open_writers violation not added
> ima_violations 2 TINFO: verify ToMToU violation
> ima_violations 2 TFAIL: ToMToU violation not added
> ima_violations 3 TINFO: verify open_writers using mmapped files
> tst_test.c:1526: TINFO: Timeout per run is 0h 00m 30s
> ima_mmap.c:38: TINFO: sleep 3s
> ima_violations 3 TFAIL: open_writers violation not added
> ima_mmap.c:41: TPASS: test completed
> 
> My fix [1] does not help. Problems are with my changes or just with your
> original patch. Continue debugging.
> Kind regards,
> Petr
> 
> [1] https://patchwork.ozlabs.org/project/ltp/patch/20221010085944.26814-1-pvorel@suse.cz/

Only the ima_conditionals.sh and ima_policy.sh tests define policy
rules based on fsuuid.  The other tests are still based on the builtin
"ima_policy=tcb" rules.

Without seeing the output of "cat /sys/kernel/security/ima/policy" it's
hard to understand what's causing these errors.

thanks,

Mimi