From patchwork Mon Jan 11 16:11:01 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Martin Doucha X-Patchwork-Id: 1424704 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.linux.it (client-ip=2001:1418:10:5::2; helo=picard.linux.it; envelope-from=ltp-bounces+incoming=patchwork.ozlabs.org@lists.linux.it; receiver=) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=suse.cz Received: from picard.linux.it (picard.linux.it [IPv6:2001:1418:10:5::2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4DDzGl4TCsz9svs for ; Tue, 12 Jan 2021 03:11:27 +1100 (AEDT) Received: from picard.linux.it (localhost [IPv6:::1]) by picard.linux.it (Postfix) with ESMTP id 00B8C3C6885 for ; Mon, 11 Jan 2021 17:11:25 +0100 (CET) X-Original-To: ltp@lists.linux.it Delivered-To: ltp@picard.linux.it Received: from in-4.smtp.seeweb.it (in-4.smtp.seeweb.it [IPv6:2001:4b78:1:20::4]) by picard.linux.it (Postfix) with ESMTP id 75DED3C313B for ; Mon, 11 Jan 2021 17:11:04 +0100 (CET) Received: from mx2.suse.de (mx2.suse.de [195.135.220.15]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by in-4.smtp.seeweb.it (Postfix) with ESMTPS id 882A61000646 for ; Mon, 11 Jan 2021 17:11:04 +0100 (CET) Received: from relay2.suse.de (unknown [195.135.221.27]) by mx2.suse.de (Postfix) with ESMTP id A9937AE89 for ; Mon, 11 Jan 2021 16:11:03 +0000 (UTC) 
From: Martin Doucha To: ltp@lists.linux.it Date: Mon, 11 Jan 2021 17:11:01 +0100 Message-Id: <20210111161103.22433-1-mdoucha@suse.cz> X-Mailer: git-send-email 2.29.2 MIME-Version: 1.0 X-Virus-Scanned: clamav-milter 0.102.4 at in-4.smtp.seeweb.it X-Virus-Status: Clean X-Spam-Status: No, score=0.0 required=7.0 tests=SPF_HELO_NONE,SPF_PASS autolearn=disabled version=3.4.4 X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on in-4.smtp.seeweb.it Subject: [LTP] [PATCH v5 1/3] Add tst_kconfig_get() helper function X-BeenThere: ltp@lists.linux.it X-Mailman-Version: 2.1.29 Precedence: list List-Id: Linux Test Project List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: ltp-bounces+incoming=patchwork.ozlabs.org@lists.linux.it Sender: "ltp" Signed-off-by: Martin Doucha --- Changes since v3: - new patch Changes since v4: - moved tst_kconfig_get() declaration to tst_private.h include/tst_private.h | 8 ++++++++ lib/tst_kconfig.c | 21 +++++++++++++++++++++ 2 files changed, 29 insertions(+) diff --git a/include/tst_private.h b/include/tst_private.h index e30d34740..fe0955f3b 100644 --- a/include/tst_private.h +++ b/include/tst_private.h @@ -29,4 +29,12 @@ void tst_print_svar_change(const char *name, const char *val); int tst_get_prefix(const char *ip_str, int is_ipv6); +/* + * Checks kernel config for a single configuration option and returns its + * state if found. The possible return values are the same as for + * tst_kconfig_var.choice, with the same meaning. See tst_kconfig_read() + * description in tst_kconfig.h. + */ +char tst_kconfig_get(const char *confname); + #endif diff --git a/lib/tst_kconfig.c b/lib/tst_kconfig.c index 734039e37..2b1087a8d 100644 --- a/lib/tst_kconfig.c +++ b/lib/tst_kconfig.c 
@@ -511,3 +511,24 @@ void tst_kconfig_check(const char *const kconfigs[]) if (abort_test) tst_brk(TCONF, "Aborting due to unsuitable kernel config, see above!"); } + +char tst_kconfig_get(const char *confname) +{ + struct tst_kconfig_var var; + + var.id_len = strlen(confname); + + if (var.id_len >= sizeof(var.id)) + tst_brk(TBROK, "Kconfig var name \"%s\" too long", confname); + + strcpy(var.id, confname); + var.choice = 0; + var.val = NULL; + + tst_kconfig_read(&var, 1); + + if (var.choice == 'v') + free(var.val); + + return var.choice; +} From patchwork Mon Jan 11 16:11:02 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Martin Doucha X-Patchwork-Id: 1424702 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.linux.it (client-ip=2001:1418:10:5::2; helo=picard.linux.it; envelope-from=ltp-bounces+incoming=patchwork.ozlabs.org@lists.linux.it; receiver=) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=suse.cz Received: from picard.linux.it (picard.linux.it [IPv6:2001:1418:10:5::2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4DDzGQ0nLLz9svs for ; Tue, 12 Jan 2021 03:11:09 +1100 (AEDT) Received: from picard.linux.it (localhost [IPv6:::1]) by picard.linux.it (Postfix) with ESMTP id 68C9C3C5FF2 for ; Mon, 11 Jan 2021 17:11:06 +0100 (CET) X-Original-To: ltp@lists.linux.it Delivered-To: ltp@picard.linux.it Received: from in-6.smtp.seeweb.it (in-6.smtp.seeweb.it [IPv6:2001:4b78:1:20::6]) by picard.linux.it (Postfix) with ESMTP id CEBB33C313B for ; Mon, 11 Jan 2021 17:11:04 +0100 (CET) Received: from mx2.suse.de (mx2.suse.de [195.135.220.15]) (using TLSv1.2 with 
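Review bot: in the lib/tst_kconfig.c hunk, tst_kconfig_get() frees var.val whenever choice is 'v' and returns only the letter, so a caller can never obtain the value of a string or integer option; the header comment added in the include/tst_private.h hunk should say that the value is discarded and that 0 is returned when the option is not present in the config at all, since callers (see tst_lockdown_enabled() in 2/3) compare the result against a single letter. The strcpy() is fine because of the preceding `if (var.id_len >= sizeof(var.id))` check; the two explicit zero-initialisations could be folded into `struct tst_kconfig_var var = {};` for brevity.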
cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by in-6.smtp.seeweb.it (Postfix) with ESMTPS id 765271400DB9 for ; Mon, 11 Jan 2021 17:11:04 +0100 (CET) Received: from relay2.suse.de (unknown [195.135.221.27]) by mx2.suse.de (Postfix) with ESMTP id B9A98B746 for ; Mon, 11 Jan 2021 16:11:03 +0000 (UTC) From: Martin Doucha To: ltp@lists.linux.it Date: Mon, 11 Jan 2021 17:11:02 +0100 Message-Id: <20210111161103.22433-2-mdoucha@suse.cz> X-Mailer: git-send-email 2.29.2 In-Reply-To: <20210111161103.22433-1-mdoucha@suse.cz> References: <20210111161103.22433-1-mdoucha@suse.cz> MIME-Version: 1.0 X-Virus-Scanned: clamav-milter 0.102.4 at in-6.smtp.seeweb.it X-Virus-Status: Clean X-Spam-Status: No, score=0.0 required=7.0 tests=SPF_HELO_NONE,SPF_PASS autolearn=disabled version=3.4.4 X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on in-6.smtp.seeweb.it Subject: [LTP] [PATCH v5 2/3] Add tst_secureboot_enabled() helper function X-BeenThere: ltp@lists.linux.it X-Mailman-Version: 2.1.29 Precedence: list List-Id: Linux Test Project List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: ltp-bounces+incoming=patchwork.ozlabs.org@lists.linux.it Sender: "ltp" Also check for SecureBoot status in tst_lockdown_enabled() if the lockdown sysfile is not available/readable and the kernel is configured to enable lockdown automatically under SecureBoot. Signed-off-by: Martin Doucha Reviewed-by: Li Wang --- Changes since v1: - check whether machine is in EFI mode first Changes since v2: - move tst_secureboot_enabled() code to a separate header file - move EFIVAR_CFLAGS and EFIVAR_LIBS out of global CFLAGS and LDLIBS Changes since v3: - rewritten using direct read from /sys/ (without libefivar) include/tst_lockdown.h | 1 + lib/tst_lockdown.c | 38 ++++++++++++++++++++++++++++++++++++++ 2 files changed, 39 insertions(+) diff --git a/include/tst_lockdown.h b/include/tst_lockdown.h index 78eaeccea..172a7daf5 100644 
--- a/include/tst_lockdown.h +++ b/include/tst_lockdown.h @@ -5,6 +5,7 @@ #define PATH_LOCKDOWN "/sys/kernel/security/lockdown" +int tst_secureboot_enabled(void); int tst_lockdown_enabled(void); #endif /* TST_LOCKDOWN_H */ diff --git a/lib/tst_lockdown.c b/lib/tst_lockdown.c index e7c19813c..a753ca752 100644 --- a/lib/tst_lockdown.c +++ b/lib/tst_lockdown.c 
@@ -9,14 +9,52 @@ #include "tst_test.h" #include "tst_safe_macros.h" #include "tst_safe_stdio.h" +#include "tst_kconfig.h" #include "tst_lockdown.h" +#define EFIVAR_SECUREBOOT "/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" + +int tst_secureboot_enabled(void) +{ + int fd; + char data[5]; + + if (access(EFIVAR_SECUREBOOT, F_OK)) { + tst_res(TINFO, "Efivar FS not available"); + return -1; + } + + fd = open(EFIVAR_SECUREBOOT, O_RDONLY); + + if (fd == -1) { + tst_res(TINFO | TERRNO, + "Cannot open SecureBoot Efivar sysfile"); + return -1; + } else if (fd < 0) { + tst_brk(TBROK | TERRNO, "Invalid open() return value %d", fd); + return -1; + } + + SAFE_READ(1, fd, data, 5); + SAFE_CLOSE(fd); + tst_res(TINFO, "SecureBoot: %s", data[4] ? "on" : "off"); + return data[4]; +} + int tst_lockdown_enabled(void) { char line[BUFSIZ]; FILE *file; if (access(PATH_LOCKDOWN, F_OK) != 0) { + char flag; + + flag = tst_kconfig_get("CONFIG_EFI_SECURE_BOOT_LOCK_DOWN"); + + /* SecureBoot enabled could mean integrity lockdown */ + if (flag == 'y' && tst_secureboot_enabled() > 0) + return 1; + tst_res(TINFO, "Unable to determine system lockdown state"); return 0; } From patchwork Mon Jan 11 16:11:03 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Martin Doucha X-Patchwork-Id: 1424703 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.linux.it (client-ip=213.254.12.146; helo=picard.linux.it; envelope-from=ltp-bounces+incoming=patchwork.ozlabs.org@lists.linux.it; receiver=) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=suse.cz Received: from picard.linux.it (picard.linux.it [213.254.12.146]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) 
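Review bot: the lib/tst_lockdown.c hunk adds `#include "tst_kconfig.h"`, but 1/3 states the tst_kconfig_get() declaration was moved to tst_private.h; unless that header is pulled in indirectly, the call in tst_lockdown_enabled() has no prototype, so `#include "tst_private.h"` is needed as well. In tst_secureboot_enabled(), `SAFE_READ(1, fd, data, 5)` turns a short or failed read of the efivar into TBROK, whereas every other failure path in the helper returns -1 with TINFO; a plain read() with a length check and the same -1 return would keep the probe non-fatal. The `else if (fd < 0)` branch after `fd == -1` is unreachable, since open() returns exactly -1 on error, and returning `data[4] != 0` rather than the raw byte would make the result a clean boolean matching the "on"/"off" message.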
From: Martin Doucha To: ltp@lists.linux.it Date: Mon, 11 Jan 2021 17:11:03 +0100 Message-Id: <20210111161103.22433-3-mdoucha@suse.cz> X-Mailer: git-send-email 2.29.2 In-Reply-To: <20210111161103.22433-1-mdoucha@suse.cz> References: <20210111161103.22433-1-mdoucha@suse.cz> MIME-Version: 1.0 X-Virus-Scanned: clamav-milter 0.102.4 at in-7.smtp.seeweb.it X-Virus-Status: Clean X-Spam-Status: No, score=0.0 required=7.0 tests=SPF_HELO_NONE,SPF_PASS autolearn=disabled version=3.4.4 X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on in-7.smtp.seeweb.it Subject: [LTP] [PATCH v5 3/3] syscalls/iopl02, ioperm02: Skip when kernel is locked down X-BeenThere: ltp@lists.linux.it X-Mailman-Version: 2.1.29 Precedence: list List-Id: Linux Test Project List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: ltp-bounces+incoming=patchwork.ozlabs.org@lists.linux.it Sender: "ltp" The iopl() and ioperm() syscalls are blocked when the kernel is locked down. The order of sanity checks is not guaranteed so it's better to skip these tests even if they accidentally work. Signed-off-by: Martin Doucha --- Changes since v3: - new patch testcases/kernel/syscalls/ioperm/ioperm02.c | 4 ++++ testcases/kernel/syscalls/iopl/iopl02.c | 5 +++++ 2 files changed, 9 insertions(+) diff --git a/testcases/kernel/syscalls/ioperm/ioperm02.c b/testcases/kernel/syscalls/ioperm/ioperm02.c index 1808191bf..80dcb992e 100644 --- a/testcases/kernel/syscalls/ioperm/ioperm02.c +++ b/testcases/kernel/syscalls/ioperm/ioperm02.c @@ -45,6 +45,10 @@ static struct tcase_t { static void setup(void) { + /* ioperm() is restricted under kernel lockdown. */ + if (tst_lockdown_enabled()) + tst_brk(TCONF, "Kernel is locked down, skip this test"); + /* * The value of IO_BITMAP_BITS (include/asm-i386/processor.h) changed * from kernel 2.6.8 to permit 16-bits (65536) ioperm diff --git a/testcases/kernel/syscalls/iopl/iopl02.c b/testcases/kernel/syscalls/iopl/iopl02.c index 6a817cf2d..a6135ddf3 100644 
--- a/testcases/kernel/syscalls/iopl/iopl02.c +++ b/testcases/kernel/syscalls/iopl/iopl02.c @@ -52,6 +52,11 @@ static void verify_iopl(unsigned int i) static void setup(void) { struct passwd *pw; + + /* iopl() is restricted under kernel lockdown. */ + if (tst_lockdown_enabled()) + tst_brk(TCONF, "Kernel is locked down, skip this test"); + pw = SAFE_GETPWNAM("nobody"); SAFE_SETEUID(pw->pw_uid); }
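Review bot: the ioperm02.c hunk calls tst_lockdown_enabled() but adds no `#include "tst_lockdown.h"`, and the diffstat (4 insertions, all visible in the hunk) shows none was added elsewhere; unless the file already includes that header, the call has no prototype. Putting the check at the very top of setup() is the right place, since nothing else in setup() needs to run when the test ends with TCONF.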
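Review bot: the iopl02.c hunk has the same missing-include question, since it relies on tst_lockdown_enabled() without a visible `#include "tst_lockdown.h"`. Running the check before SAFE_GETPWNAM()/SAFE_SETEUID() is the correct order, as the lockdown probe happens while the test is still privileged; note that with 2/3 applied, a short read of the SecureBoot efivar inside tst_secureboot_enabled() escalates to TBROK, so on such a machine this setup() would break instead of skipping.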