[v1,0/1] ima: Add test for selinux measurement

Message ID 20200928194730.20862-1-nramas@linux.microsoft.com

Message

Lakshmi Ramasubramanian Sept. 28, 2020, 7:47 p.m. UTC
New functionality is being added to IMA to measure data provided by
kernel components. With this feature, IMA policy can be set to enable
measuring data provided by Linux Security Modules (LSM). Currently one
such LSM namely selinux is being updated to use this functionality.
This new functionality needs test automation in LTP.

This patch set adds tests which verify that the IMA subsystem correctly
measures the data provided by selinux.

This patch is based on 
commit 286401a1c1f3 ("thp04: Add linux tag")
in "master" branch in https://github.com/linux-test-project/ltp

This patch is dependent on the following patch series in LTP
https://patchwork.kernel.org/patch/11802771/

This series needs a kernel built on the following repo/branch/patches:
repo: https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git
branch: next
commit 8861d0af642c ("selinux: Add helper functions to get and set checkreqprot")

And the following patch series should be applied in the following order:
  1, https://patchwork.kernel.org/patch/11709527/
  2, https://patchwork.kernel.org/patch/11795559/
  3, https://patchwork.kernel.org/patch/11801525/
  4, https://patchwork.kernel.org/patch/11801585/

Lakshmi Ramasubramanian (1):
  ima: Add test for selinux measurement

 runtest/ima                                   |   2 +
 .../kernel/security/integrity/ima/README.md   |  19 +++
 .../integrity/ima/tests/ima_selinux_policy.sh |  72 ++++++++++
 .../integrity/ima/tests/ima_selinux_state.sh  | 136 ++++++++++++++++++
 .../security/integrity/ima/tests/ima_setup.sh |  28 ++++
 5 files changed, 257 insertions(+)
 create mode 100755 testcases/kernel/security/integrity/ima/tests/ima_selinux_policy.sh
 create mode 100755 testcases/kernel/security/integrity/ima/tests/ima_selinux_state.sh

Comments

Petr Vorel Sept. 29, 2020, 5:23 a.m. UTC | #1
Hi Lakshmi,

Thanks for your patch. FYI I'll try to have a look ASAP, but as there is an LTP
freeze and work needed to review fixes before the release, I'll probably review this
after the release (1, max. 2 weeks).

Could you please have a look at fix planned to be part of the release?
https://patchwork.ozlabs.org/project/ltp/list/?series=204230

Kind regards,
Petr

> New functionality is being added to IMA to measure data provided by
> kernel components. With this feature, IMA policy can be set to enable
> measuring data provided by Linux Security Modules (LSM). Currently one
> such LSM namely selinux is being updated to use this functionality.
> This new functionality needs test automation in LTP.

> This patch set adds tests which verify that the IMA subsystem correctly
> measures the data provided by selinux.

> This patch is based on 
> commit 286401a1c1f3 ("thp04: Add linux tag")
> in "master" branch in https://github.com/linux-test-project/ltp

> This patch is dependent on the following patch series in LTP
> https://patchwork.kernel.org/patch/11802771/
I put a link to the LTP patchwork to avoid confusion.
https://patchwork.ozlabs.org/project/ltp/list/?series=204486

> This series needs a kernel built on the following repo/branch/patches:
> repo: https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git
> branch: next
> commit 8861d0af642c ("selinux: Add helper functions to get and set checkreqprot")
Thanks for adding this info. It'd be great if it were part of the kernel commit
message and also added as a comment in the test itself (we don't want to get it
lost).

BTW LTP has 2 ways of handling kernel versions:

* fixes which are meant to be backported to the stable trees:
In C API it looks like (here also with CVE entry):
https://github.com/linux-test-project/ltp/blob/master/testcases/kernel/syscalls/bpf/bpf_prog03.c#L187
.tags = (const struct tst_tag[]) {
		{"linux-git", "95a762e2c8c9"},
		{"CVE", "2017-16995"},
		{}
	},
This is not part of the shell API, but I'll add it after the release. Thus we don't
want to lose this info.

* new kernel features, which are likely not to be backported
You either have some way to detect that this feature is present (ideally) or you
specify the kernel version since which it should be run.
This is used in the shell API as:
https://github.com/linux-test-project/ltp/blob/master/testcases/network/tcp_cc/bbr02.sh#L8
TST_MIN_KVER="4.13"

> And the following patch series should be applied in the following order:
>   1, https://patchwork.kernel.org/patch/11709527/
>   2, https://patchwork.kernel.org/patch/11795559/
>   3, https://patchwork.kernel.org/patch/11801525/
>   4, https://patchwork.kernel.org/patch/11801585/

Kind regards,
Petr
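As an added example (not code from the LTP patch or from Petr's reply), here are the two gates Petr describes, written in plain POSIX sh so they run outside the LTP harness: kver_ge reproduces the comparison a TST_MIN_KVER gate performs, and ima_policy_has_rule is the "detect the feature" route he prefers. The securityfs policy path, the IMA_POLICY_FILE and KVER overrides, and the rule text looked for are assumptions, since the exact policy syntax of the pending kernel series is not given on this page.

```shell
#!/bin/sh
# Added example, not code from the LTP patch or from Petr's reply: the two
# kernel-version gates Petr describes, in plain POSIX sh so they run outside LTP.

# kver_ge A B: return 0 when kernel version A is >= B, comparing up to three
# numeric fields and ignoring any suffix such as "-rc3" or "-generic". This is
# what a TST_MIN_KVER gate has to decide before the test body runs.
kver_ge()
{
	_a=${1%%[!0-9.]*}
	_b=${2%%[!0-9.]*}
	_i=0
	while [ "$_i" -lt 3 ]; do
		_x=${_a%%.*}; _y=${_b%%.*}
		if [ "${_x:-0}" -gt "${_y:-0}" ]; then return 0; fi
		if [ "${_x:-0}" -lt "${_y:-0}" ]; then return 1; fi
		case $_a in *.*) _a=${_a#*.} ;; *) _a=0 ;; esac
		case $_b in *.*) _b=${_b#*.} ;; *) _b=0 ;; esac
		_i=$((_i + 1))
	done
	return 0
}

# ima_policy_has_rule PATTERN: the "detect the feature" route Petr prefers.
# ASSUMPTIONS: the loaded IMA policy is readable from securityfs (only when the
# kernel was built with CONFIG_IMA_READ_POLICY), and the rule text that proves
# LSM data is being measured is supplied by the caller, because its exact
# syntax from the pending kernel series is not fixed here.
# IMA_POLICY_FILE is an override for running against a constructed file.
ima_policy_has_rule()
{
	_policy=${IMA_POLICY_FILE:-/sys/kernel/security/ima/policy}
	[ -r "$_policy" ] || return 1
	grep -q -- "$1" "$_policy"
}

# ima_lsm_measurement_supported MIN_KVER RULE: combine both routes. A matching
# policy rule is proof; otherwise fall back to the minimum kernel version.
# A missing rule alone is not proof of absence (the policy may simply not be
# loaded yet), which is why the fallback exists. KVER overrides `uname -r`.
ima_lsm_measurement_supported()
{
	if ima_policy_has_rule "$2"; then
		return 0
	fi
	kver_ge "${KVER:-$(uname -r)}" "$1"
}
```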

Lakshmi Ramasubramanian Sept. 30, 2020, 2:26 p.m. UTC | #2
On 9/28/20 10:23 PM, Petr Vorel wrote:
> Hi Lakshmi,
> 
> Thanks for your patch. FYI I'll try to have a look ASAP, but as there is an LTP
> freeze and work needed to review fixes before the release, I'll probably review this
> after the release (1, max. 2 weeks).
> 
> Could you please have a look at fix planned to be part of the release?
> https://patchwork.ozlabs.org/project/ltp/list/?series=204230
> 

Will do Petr.

> 
>> New functionality is being added to IMA to measure data provided by
>> kernel components. With this feature, IMA policy can be set to enable
>> measuring data provided by Linux Security Modules (LSM). Currently one
>> such LSM namely selinux is being updated to use this functionality.
>> This new functionality needs test automation in LTP.
> 
>> This patch set adds tests which verify that the IMA subsystem correctly
>> measures the data provided by selinux.
> 
>> This patch is based on
>> commit 286401a1c1f3 ("thp04: Add linux tag")
>> in "master" branch in https://github.com/linux-test-project/ltp
> 
>> This patch is dependent on the following patch series in LTP
>> https://patchwork.kernel.org/patch/11802771/
> I put a link to the LTP patchwork to avoid confusion.
> https://patchwork.ozlabs.org/project/ltp/list/?series=204486

Thanks. On the next update I'll add the LTP patchwork URL.

> 
>> This series needs a kernel built on the following repo/branch/patches:
>> repo: https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git
>> branch: next
>> commit 8861d0af642c ("selinux: Add helper functions to get and set checkreqprot")
> Thanks for adding this info. It'd be great if it were part of the kernel commit
> message and also added as a comment in the test itself (we don't want to get it
> lost).
> 
> BTW LTP has 2 ways of handling kernel versions:
> 
> * fixes which are meant to be backported to the stable trees:
> In C API it looks like (here also with CVE entry):
> https://github.com/linux-test-project/ltp/blob/master/testcases/kernel/syscalls/bpf/bpf_prog03.c#L187
> .tags = (const struct tst_tag[]) {
> 		{"linux-git", "95a762e2c8c9"},
> 		{"CVE", "2017-16995"},
> 		{}
> 	},
> This is not part of the shell API, but I'll add it after the release. Thus we don't
> want to lose this info.
> 
> * new kernel features, which are likely not to be backported
> You either have some way to detect that this feature is present (ideally) or you
> specify the kernel version since which it should be run.
> This is used in the shell API as:
> https://github.com/linux-test-project/ltp/blob/master/testcases/network/tcp_cc/bbr02.sh#L8
> TST_MIN_KVER="4.13"

Thanks for the info.

  -lakshmi

> 
>> And the following patch series should be applied in the following order:
>>    1, https://patchwork.kernel.org/patch/11709527/
>>    2, https://patchwork.kernel.org/patch/11795559/
>>    3, https://patchwork.kernel.org/patch/11801525/
>>    4, https://patchwork.kernel.org/patch/11801585/
>