From patchwork Sun Mar 14 23:36:46 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Lakshmi Ramasubramanian X-Patchwork-Id: 1452861 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.linux.it (client-ip=2001:1418:10:5::2; helo=picard.linux.it; envelope-from=ltp-bounces+incoming=patchwork.ozlabs.org@lists.linux.it; receiver=) Authentication-Results: ozlabs.org; dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=linux.microsoft.com header.i=@linux.microsoft.com header.a=rsa-sha256 header.s=default header.b=VXXsOLzJ; dkim-atps=neutral Received: from picard.linux.it (picard.linux.it [IPv6:2001:1418:10:5::2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4DzGDS4z8jz9sSC for ; Mon, 15 Mar 2021 10:37:10 +1100 (AEDT) Received: from picard.linux.it (localhost [IPv6:::1]) by picard.linux.it (Postfix) with ESMTP id 0DD803C6515 for ; Mon, 15 Mar 2021 00:37:01 +0100 (CET) X-Original-To: ltp@lists.linux.it Delivered-To: ltp@picard.linux.it Received: from in-6.smtp.seeweb.it (in-6.smtp.seeweb.it [217.194.8.6]) by picard.linux.it (Postfix) with ESMTP id C05983C0887 for ; Mon, 15 Mar 2021 00:36:58 +0100 (CET) Received: from linux.microsoft.com (linux.microsoft.com [13.77.154.182]) by in-6.smtp.seeweb.it (Postfix) with ESMTP id BDBD21400445 for ; Mon, 15 Mar 2021 00:36:57 +0100 (CET) Received: from localhost.localdomain (c-73-42-176-67.hsd1.wa.comcast.net [73.42.176.67]) by linux.microsoft.com (Postfix) with ESMTPSA id DC15020B39C5; Sun, 14 Mar 2021 16:36:50 -0700 (PDT) DKIM-Filter: OpenDKIM Filter v2.11.0 linux.microsoft.com DC15020B39C5 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.microsoft.com; s=default; t=1615765011; bh=9wi0f3H3ip86QGPiTWiYDomXo3fNUV261DgfPDEivlI=; h=From:To:Cc:Subject:Date:From; b=VXXsOLzJFxWwP7Q1aq7/PGFMY2XQJ9C5hT2jxKDYrFVkfRaiPz+jhyxQDGEAlVZrx y1YGttKB7oSHXhKRdfsP1JRa00joBx6KQI2xdXj9iVDbPXCu/m5a979yhhbHiuVnC/ 9JGe7rbcbYCUZAylY7MFg2ZNBWY6epkPWvB79Bo4= From: Lakshmi Ramasubramanian To: pvorel@suse.cz, zohar@linux.ibm.com Date: Sun, 14 Mar 2021 16:36:46 -0700 Message-Id: <20210314233646.2925-1-nramas@linux.microsoft.com> X-Mailer: git-send-email 2.30.2 MIME-Version: 1.0 X-Virus-Scanned: clamav-milter 0.102.4 at in-6.smtp.seeweb.it X-Virus-Status: Clean X-Spam-Status: No, score=-14.9 required=7.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,ENV_AND_HDR_SPF_MATCH,SPF_HELO_PASS,SPF_PASS, USER_IN_DEF_DKIM_WL,USER_IN_DEF_SPF_WL autolearn=disabled version=3.4.4 X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on in-6.smtp.seeweb.it Subject: [LTP] [PATCH v2] IMA: Allow only ima-buf template for key measurement X-BeenThere: ltp@lists.linux.it X-Mailman-Version: 2.1.29 Precedence: list List-Id: Linux Test Project List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: tusharsu@linux.microsoft.com, linux-integrity@vger.kernel.org, ltp@lists.linux.it Errors-To: ltp-bounces+incoming=patchwork.ozlabs.org@lists.linux.it Sender: "ltp" ima-buf is the default IMA template used for all buffer measurements. Therefore, IMA policy rule for measuring keys need not specify an IMA template. But if a template is specified for key measurement rule then it must be only ima-buf. Update keys tests to not require a template to be specified for key measurement rule, but if a template is specified verify it is only ima-buf. Signed-off-by: Lakshmi Ramasubramanian Reviewed-by: Petr Vorel --- .../security/integrity/ima/tests/ima_keys.sh | 20 ++++++++++++++++--- 1 file changed, 17 insertions(+), 3 deletions(-) diff --git a/testcases/kernel/security/integrity/ima/tests/ima_keys.sh b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh index c9eef4b68..b9bef4feb 100755 --- a/testcases/kernel/security/integrity/ima/tests/ima_keys.sh +++ b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh @@ -15,8 +15,7 @@ TST_CLEANUP=cleanup . ima_setup.sh FUNC_KEYCHECK='func=KEY_CHECK' -TEMPLATE_BUF='template=ima-buf' -REQUIRED_POLICY="^measure.*($FUNC_KEYCHECK.*$TEMPLATE_BUF|$TEMPLATE_BUF.*$FUNC_KEYCHECK)" +REQUIRED_POLICY="^measure.*$FUNC_KEYCHECK" setup() { @@ -28,12 +27,23 @@ cleanup() tst_is_num $KEYRING_ID && keyctl clear $KEYRING_ID } +check_policy_template() +{ + while read line; do + if ( echo $line | grep -q 'template=') && ( ! echo $line | grep -q 'template=ima-buf' ); then + tst_res TCONF "only template=ima-buf can be specified for KEY_CHECK" + return 1 + fi + done < $TST_TMPDIR/policy.txt + return 0 +} + check_keys_policy() { local pattern="$1" if ! grep -E "$pattern" $TST_TMPDIR/policy.txt; then - tst_res TCONF "IMA policy must specify $pattern, $FUNC_KEYCHECK, $TEMPLATE_BUF" + tst_res TCONF "IMA policy must specify $pattern, $FUNC_KEYCHECK" return 1 fi return 0 @@ -49,6 +59,8 @@ test1() tst_res TINFO "verify key measurement for keyrings and templates specified in IMA policy" + check_policy_template || return + check_keys_policy "$pattern" > $tmp_file || return keycheck_lines=$(cat $tmp_file) keyrings=$(for i in $keycheck_lines; do echo "$i" | grep "keyrings" | \ @@ -101,6 +113,8 @@ test2() tst_res TINFO "verify measurement of certificate imported into a keyring" + check_policy_template || return + check_keys_policy "$pattern" >/dev/null || return KEYRING_ID=$(keyctl newring $keyring_name @s) || \