
[RFC,v3,10/10] ima: Print /proc/cmdline and IMA kernel config

Message ID 20180424183556.2368-1-pvorel@suse.cz
State Accepted
Delegated to: Petr Vorel

Commit Message

Petr Vorel April 24, 2018, 6:35 p.m. UTC
Useful for debugging

Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
Adding one more commit as it's useful to see the config (due to problems with
test order).

Petr
---
 .../kernel/security/integrity/ima/tests/ima_setup.sh    | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

Comments

Michael Moese April 25, 2018, 7:41 a.m. UTC | #1
Hi Petr,
 
On Tue, Apr 24, 2018 at 08:35:56PM +0200, Petr Vorel wrote:  
> +print_ima_config()
> +{
> +	local config="/boot/config-$(uname -r)"
Just a small remark here: not all distributions have /boot/config-* files
in place. I don't remember which ones these were.
Wouldn't it make sense to check this file, if it does not exist check
if /proc/config.gz is available? 
> +	local i
> +
> +	tst_res TINFO "/proc/cmdline: $(cat /proc/cmdline)"
> +
> +	if [ -r "$config" ]; then
> +		tst_res TINFO "IMA kernel config"
> +		for i in $(grep ^CONFIG_IMA $config); do
> +			tst_res TINFO "$i"
> +		done
> +	fi
> +}

Kind regards,
Michael
Petr Vorel April 25, 2018, 1:16 p.m. UTC | #2
Hi Michael,

thank you for your comment.

> On Tue, Apr 24, 2018 at 08:35:56PM +0200, Petr Vorel wrote:  
> > +print_ima_config()
> > +{
> > +	local config="/boot/config-$(uname -r)"
> Just a small remark here: not all distributions have /boot/config-* files
> in place. I don't remember which ones these were.
> Wouldn't it make sense to check this file, if it does not exist check
> if /proc/config.gz is available? 
I haven't found any normal distro not having the config in place (openSUSE/SLE, Debian/Ubuntu,
CentOS/Red Hat), but there might be some. I guess most embedded devices don't have
that (it's a question whether they have IKCONFIG_PROC=y), but why not try it.

I wonder if we'd benefit from having these functions in the shell API:
is_enabled(CONFIG_FOO)
is_module(CONFIG_FOO)
is_builtin(CONFIG_FOO)

which would do a simple grep of either /boot/config-$(uname -r) or /proc/config.gz.

The first three are inspired by the kernel macros from include/linux/kconfig.h


> Kind regards,
> Michael

Kind regards,
Petr
Cyril Hrubis April 25, 2018, 1:40 p.m. UTC | #3
Hi!
> > Just a small remark here: not all distributions have /boot/config-* files
> > in place. I don't remember which ones these were.
> > Wouldn't it make sense to check this file, if it does not exist check
> > if /proc/config.gz is available? 
> I haven't found any normal distro not having the config in place (openSUSE/SLE, Debian/Ubuntu,
> CentOS/Red Hat), but there might be some. I guess most embedded devices don't have
> that (it's a question whether they have IKCONFIG_PROC=y), but why not try it.

Embedded usually doesn't have either of them.

Also depending on the existence of /boot/config-* is a really bad idea,
just imagine you compiled and kexeced a testing kernel and testcases are
starting to fail for no good reason.

> I wonder if we'd benefit from having these functions in shell API:
> is_enabled(CONFIG_FOO)
> is_module(CONFIG_FOO)
> is_builtin(CONFIG_FOO)
> 
> which would do simple grep of either /boot/config-$(uname -r) or /proc/config.gz.

Generally you cannot detect features of the running kernel by the
/boot/config-* files. We tried that and it failed miserably.

We cannot rely on /proc/config.gz because many kernels have that
disabled to spare some space.

It's sad, but the only reasonable way to detect whether the kernel
supports something is to try to call the syscall / open and read the sysfs
file / etc. and detect ENOSYS/ENOTTY/etc.
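The two approaches discussed above, side by side, as an added example that is not part of the patch or of anyone's reply: the is_enabled/is_module/is_builtin helpers Petr sketched, extended with the /proc/config.gz fallback Michael asked for, and next to them the kind of runtime probe Cyril recommends (read the securityfs file the feature actually exposes). KCONFIG_FILE is an assumed environment override, not an LTP variable, so the config lookup can be pointed at a saved config; the securityfs root is a parameter for the same reason.

```sh
#!/bin/sh
# Added example, not code from the LTP patch or from anyone in the thread.
# KCONFIG_FILE is an assumed override so the lookup can be pointed at a saved
# config instead of /boot/config-$(uname -r).

# Stream whatever copy of the running kernel's config is available.
# Returns 1 when neither file exists (the embedded / kexec case from the thread).
kconfig_cat()
{
	local f="${KCONFIG_FILE:-/boot/config-$(uname -r)}"

	if [ -r "$f" ]; then
		cat "$f"
	elif [ -r /proc/config.gz ]; then
		zcat /proc/config.gz
	else
		return 1
	fi
}

# Print y, m, n (for "# CONFIG_FOO is not set") or the literal value of
# CONFIG_FOO; return 1 when the option is absent or no config is readable.
# The anchored pattern keeps CONFIG_IMA from also matching CONFIG_IMA_KEXEC.
kconfig_value()
{
	local opt="$1" line

	line=$(kconfig_cat 2>/dev/null | grep -E "^(# )?$opt( is not set|=)" | head -n 1)
	[ -n "$line" ] || return 1

	case "$line" in
	"# $opt is not set") echo n ;;
	"$opt="*) echo "${line#*=}" ;;
	*) return 1 ;;
	esac
}

# Same semantics as IS_BUILTIN / IS_MODULE / IS_ENABLED in include/linux/kconfig.h.
is_builtin() { [ "$(kconfig_value "$1")" = y ]; }
is_module()  { [ "$(kconfig_value "$1")" = m ]; }
is_enabled() { is_builtin "$1" || is_module "$1"; }

# Cyril's approach: ask the kernel, not a config file. IMA publishes its
# measurement list through securityfs, so a readable ascii_runtime_measurements
# means IMA is compiled into the kernel that is actually running, whatever any
# config copy says. Needs root and a mounted securityfs; the root is a
# parameter so a test fixture can stand in for /sys/kernel/security.
ima_runtime_present()
{
	local root="${1:-/sys/kernel/security}"
	local list="$root/ima/ascii_runtime_measurements"

	[ -r "$list" ] && head -n 1 "$list" >/dev/null 2>&1
}

# Keep only the ima_* boot parameters (ima_policy=, ima_appraise=, ima_hash=,
# ima_template=, ...) from a kernel command line, one per line, so a test log
# records what matters for IMA without copying the whole of /proc/cmdline.
# $1 is deliberately unquoted in the loop: it is split on whitespace.
cmdline_ima_params()
{
	local word

	for word in $1; do
		case "$word" in
		ima_*) printf '%s\n' "$word" ;;
		esac
	done
}

# On a live system (informational, like print_ima_config):
#   is_enabled CONFIG_IMA && echo "CONFIG_IMA set in the available config copy"
#   ima_runtime_present && echo "IMA measurement list readable"
#   cmdline_ima_params "$(cat /proc/cmdline)"
```

The config helpers answer "what does the config copy say", which can be stale or absent; ima_runtime_present answers "what does this kernel do", which is the question a test actually has. Note that the config lookup returns failure (not "n") when no config is readable, so a caller can tell "unknown" from "disabled".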
Petr Vorel April 25, 2018, 2:02 p.m. UTC | #4
Hi Cyril,

> Hi!
> > > Just a small remark here: not all distributions have /boot/config-* files
> > > in place. I don't remember which ones these were.
> > > Wouldn't it make sense to check this file, if it does not exist check
> > > if /proc/config.gz is available? 
> > I haven't found any normal distro not having the config in place (openSUSE/SLE, Debian/Ubuntu,
> > CentOS/Red Hat), but there might be some. I guess most embedded devices don't have
> > that (it's a question whether they have IKCONFIG_PROC=y), but why not try it.

> Embedded usually doesn't have either of them.
I think so as well.

> Also depending on the existence of /boot/config-* is a really bad idea,
> just imagine you compiled and kexeced a testing kernel and testcases are
> starting to fail for no good reason.
Do you NACK this commit? This code is just for debugging (nothing happens if /boot/config-*
doesn't exist)...

> > I wonder if we'd benefit from having these functions in the shell API:
> > is_enabled(CONFIG_FOO)
> > is_module(CONFIG_FOO)
> > is_builtin(CONFIG_FOO)

> > which would do a simple grep of either /boot/config-$(uname -r) or /proc/config.gz.

> Generally you cannot detect features of the running kernel by the
> /boot/config-* files. We tried that and it failed miserably.

> We cannot rely on /proc/config.gz because many kernels have that
> disabled to spare some space.

> It's sad, but the only reasonable way to detect whether the kernel
> supports something is to try to call the syscall / open and read the sysfs
> file / etc. and detect ENOSYS/ENOTTY/etc.

OK, dropping idea about is_enabled etc. in shell API.

Thanks for your comments.

Kind regards,
Petr
Cyril Hrubis April 25, 2018, 2:07 p.m. UTC | #5
Hi!
> > Also depending on the existence of /boot/config-* is a really bad idea,
> > just imagine you compiled and kexeced a testing kernel and testcases are
> > starting to fail for no good reason.
> Do you NACK this commit? This code is just for debugging (nothing happens if /boot/config-*
> doesn't exist)...

It's okay for additional debugging output, but we should not depend on
it in any way.

Patch

diff --git a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
index 56c4d5245..fa2b5337d 100644
--- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
@@ -64,6 +64,21 @@  mount_loop_device()
 	cd mntpoint
 }
 
+print_ima_config()
+{
+	local config="/boot/config-$(uname -r)"
+	local i
+
+	tst_res TINFO "/proc/cmdline: $(cat /proc/cmdline)"
+
+	if [ -r "$config" ]; then
+		tst_res TINFO "IMA kernel config"
+		for i in $(grep ^CONFIG_IMA $config); do
+			tst_res TINFO "$i"
+		done
+	fi
+}
+
 ima_setup()
 {
 	SECURITYFS="$(mount_helper securityfs $SYSFS/kernel/security)"
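Review bot: in print_ima_config the only config source is `local config="/boot/config-$(uname -r)"`, so on the kexec'd or embedded kernels the thread talks about the function silently prints nothing beyond the cmdline line; since this is informational output only, adding the /proc/config.gz fallback Michael suggested (`elif [ -r /proc/config.gz ]; then` with `zcat /proc/config.gz | grep ^CONFIG_IMA`) and a TINFO line when neither file exists would make "no config found" visible in the log instead of indistinguishable from an empty match. Minor: `for i in $(grep ^CONFIG_IMA $config)` relies on IFS word splitting and leaves $config unquoted; `grep ^CONFIG_IMA "$config" | while read -r i; do tst_res TINFO "$i"; done` avoids both.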
@@ -73,6 +88,8 @@  ima_setup()
 	ASCII_MEASUREMENTS="$IMA_DIR/ascii_runtime_measurements"
 	BINARY_MEASUREMENTS="$IMA_DIR/binary_runtime_measurements"
 
+	print_ima_config
+
 	if [ "$TST_NEEDS_DEVICE" = 1 ]; then
 		tst_res TINFO "\$TMPDIR is on tmpfs => run on loop device"
 		mount_loop_device
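Review bot: print_ima_config is now called unconditionally from ima_setup, so every IMA test copies the entire /proc/cmdline into its log; that is fine for local debugging, but where test output is collected centrally the command line can carry parameters unrelated to IMA, and restricting the line to the ima_* parameters (ima_policy=, ima_appraise=, ima_hash=, ima_template=) would keep the debugging value. The placement itself, after IMA_DIR and the measurement-list paths are set and before the tmpfs/loop-device handling, is fine.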