From: Martin Doucha To: ltp@lists.linux.it Date: Tue, 12 Jan 2021 10:57:57 +0100 Message-Id: <20210112095759.11910-1-mdoucha@suse.cz> X-Mailer: git-send-email 2.29.2 MIME-Version: 1.0 X-Virus-Scanned: clamav-milter 0.102.4 at in-7.smtp.seeweb.it X-Virus-Status: Clean X-Spam-Status: No, score=0.0 required=7.0 tests=SPF_HELO_NONE,SPF_PASS autolearn=disabled version=3.4.4 X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on in-7.smtp.seeweb.it Subject: [LTP] [PATCH v6 1/3] Add tst_kconfig_get() helper function X-BeenThere: ltp@lists.linux.it X-Mailman-Version: 2.1.29 Precedence: list List-Id: Linux Test Project List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: ltp-bounces+incoming=patchwork.ozlabs.org@lists.linux.it Sender: "ltp" Signed-off-by: Martin Doucha --- Changes since v3: - new patch Changes since v4: - moved tst_kconfig_get() declaration to tst_private.h include/tst_private.h | 8 ++++++++ lib/tst_kconfig.c | 21 +++++++++++++++++++++ 2 files changed, 29 insertions(+) diff --git a/include/tst_private.h b/include/tst_private.h index e30d34740..fe0955f3b 100644 --- a/include/tst_private.h +++ b/include/tst_private.h @@ -29,4 +29,12 @@ void tst_print_svar_change(const char *name, const char *val); int tst_get_prefix(const char *ip_str, int is_ipv6); +/* + * Checks kernel config for a single configuration option and returns its + * state if found. The possible return values are the same as for + * tst_kconfig_var.choice, with the same meaning. See tst_kconfig_read() + * description in tst_kconfig.h. + */ +char tst_kconfig_get(const char *confname); + #endif diff --git a/lib/tst_kconfig.c b/lib/tst_kconfig.c index 734039e37..2b1087a8d 100644 --- a/lib/tst_kconfig.c +++ b/lib/tst_kconfig.c 
@@ -511,3 +511,24 @@ void tst_kconfig_check(const char *const kconfigs[]) if (abort_test) tst_brk(TCONF, "Aborting due to unsuitable kernel config, see above!"); } + +char tst_kconfig_get(const char *confname) +{ + struct tst_kconfig_var var; + + var.id_len = strlen(confname); + + if (var.id_len >= sizeof(var.id)) + tst_brk(TBROK, "Kconfig var name \"%s\" too long", confname); + + strcpy(var.id, confname); + var.choice = 0; + var.val = NULL; + + tst_kconfig_read(&var, 1); + + if (var.choice == 'v') + free(var.val); + + return var.choice; +} From patchwork Tue Jan 12 09:57:58 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Martin Doucha X-Patchwork-Id: 1425082 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.linux.it (client-ip=2001:1418:10:5::2; helo=picard.linux.it; envelope-from=ltp-bounces+incoming=patchwork.ozlabs.org@lists.linux.it; receiver=) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=suse.cz Received: from picard.linux.it (picard.linux.it [IPv6:2001:1418:10:5::2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4DFQy80Kt5z9sWK for ; Tue, 12 Jan 2021 20:58:37 +1100 (AEDT) Received: from picard.linux.it (localhost [IPv6:::1]) by picard.linux.it (Postfix) with ESMTP id 0B5C03C26DD for ; Tue, 12 Jan 2021 10:58:22 +0100 (CET) X-Original-To: ltp@lists.linux.it Delivered-To: ltp@picard.linux.it Received: from in-6.smtp.seeweb.it (in-6.smtp.seeweb.it [217.194.8.6]) by picard.linux.it (Postfix) with ESMTP id 0C2293C26DE for ; Tue, 12 Jan 2021 10:58:00 +0100 (CET) Received: from mx2.suse.de (mx2.suse.de [195.135.220.15]) (using TLSv1.2 with cipher 
AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by in-6.smtp.seeweb.it (Postfix) with ESMTPS id B3FFD14010E7 for ; Tue, 12 Jan 2021 10:58:00 +0100 (CET) Received: from relay2.suse.de (unknown [195.135.221.27]) by mx2.suse.de (Postfix) with ESMTP id 2E6C0AC8F for ; Tue, 12 Jan 2021 09:58:00 +0000 (UTC) From: Martin Doucha To: ltp@lists.linux.it Date: Tue, 12 Jan 2021 10:57:58 +0100 Message-Id: <20210112095759.11910-2-mdoucha@suse.cz> X-Mailer: git-send-email 2.29.2 In-Reply-To: <20210112095759.11910-1-mdoucha@suse.cz> References: <20210112095759.11910-1-mdoucha@suse.cz> MIME-Version: 1.0 X-Virus-Scanned: clamav-milter 0.102.4 at in-6.smtp.seeweb.it X-Virus-Status: Clean X-Spam-Status: No, score=0.0 required=7.0 tests=SPF_HELO_NONE,SPF_PASS autolearn=disabled version=3.4.4 X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on in-6.smtp.seeweb.it Subject: [LTP] [PATCH v6 2/3] Add tst_secureboot_enabled() helper function X-BeenThere: ltp@lists.linux.it X-Mailman-Version: 2.1.29 Precedence: list List-Id: Linux Test Project List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: ltp-bounces+incoming=patchwork.ozlabs.org@lists.linux.it Sender: "ltp" Also check for SecureBoot status in tst_lockdown_enabled() if the lockdown sysfile is not available/readable and the kernel is configured to enable lockdown automatically under SecureBoot. Signed-off-by: Martin Doucha --- Changes since v1: - check whether machine is in EFI mode first Changes since v2: - move tst_secureboot_enabled() code to a separate header file - move EFIVAR_CFLAGS and EFIVAR_LIBS out of global CFLAGS and LDLIBS Changes since v3: - rewritten using direct read from /sys/ (without libefivar) Changes since v5: - fixed #includes include/tst_lockdown.h | 1 + lib/tst_lockdown.c | 38 ++++++++++++++++++++++++++++++++++++++ 2 files changed, 39 insertions(+) diff --git a/include/tst_lockdown.h b/include/tst_lockdown.h index 78eaeccea..172a7daf5 100644 
--- a/include/tst_lockdown.h +++ b/include/tst_lockdown.h @@ -5,6 +5,7 @@ #define PATH_LOCKDOWN "/sys/kernel/security/lockdown" +int tst_secureboot_enabled(void); int tst_lockdown_enabled(void); #endif /* TST_LOCKDOWN_H */ diff --git a/lib/tst_lockdown.c b/lib/tst_lockdown.c index e7c19813c..cda7d7abd 100644 --- a/lib/tst_lockdown.c +++ b/lib/tst_lockdown.c @@ -10,6 +10,36 @@ #include "tst_safe_macros.h" #include "tst_safe_stdio.h" #include "tst_lockdown.h" +#include "tst_private.h" + +#define EFIVAR_SECUREBOOT "/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" + +int tst_secureboot_enabled(void) +{ + int fd; + char data[5]; + + if (access(EFIVAR_SECUREBOOT, F_OK)) { + tst_res(TINFO, "Efivar FS not available"); + return -1; + } + + fd = open(EFIVAR_SECUREBOOT, O_RDONLY); + + if (fd == -1) { + tst_res(TINFO | TERRNO, + "Cannot open SecureBoot Efivar sysfile"); + return -1; + } else if (fd < 0) { + tst_brk(TBROK | TERRNO, "Invalid open() return value %d", fd); + return -1; + } + + SAFE_READ(1, fd, data, 5); + SAFE_CLOSE(fd); + tst_res(TINFO, "SecureBoot: %s", data[4] ? "on" : "off"); + return data[4]; +} int tst_lockdown_enabled(void) { 
@@ -17,6 +47,14 @@ int tst_lockdown_enabled(void) FILE *file; if (access(PATH_LOCKDOWN, F_OK) != 0) { + char flag; + + flag = tst_kconfig_get("CONFIG_EFI_SECURE_BOOT_LOCK_DOWN"); + + /* SecureBoot enabled could mean integrity lockdown */ + if (flag == 'y' && tst_secureboot_enabled() > 0) + return 1; + tst_res(TINFO, "Unable to determine system lockdown state"); return 0; } From patchwork Tue Jan 12 09:57:59 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Martin Doucha X-Patchwork-Id: 1425079 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.linux.it (client-ip=213.254.12.146; helo=picard.linux.it; envelope-from=ltp-bounces+incoming=patchwork.ozlabs.org@lists.linux.it; receiver=) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=suse.cz Received: from picard.linux.it (picard.linux.it [213.254.12.146]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4DFQxT2v5bz9sWr for ; Tue, 12 Jan 2021 20:58:05 +1100 (AEDT) Received: from picard.linux.it (localhost [IPv6:::1]) by picard.linux.it (Postfix) with ESMTP id CDB9E3C545D for ; Tue, 12 Jan 2021 10:58:02 +0100 (CET) X-Original-To: ltp@lists.linux.it Delivered-To: ltp@picard.linux.it Received: from in-3.smtp.seeweb.it (in-3.smtp.seeweb.it [IPv6:2001:4b78:1:20::3]) by picard.linux.it (Postfix) with ESMTP id EFF603C26C0 for ; Tue, 12 Jan 2021 10:58:00 +0100 (CET) Received: from mx2.suse.de (mx2.suse.de [195.135.220.15]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by in-3.smtp.seeweb.it (Postfix) with ESMTPS id AF5E81A00E66 for ; Tue, 12 Jan 2021 10:58:00 +0100 (CET) Received: from 
relay2.suse.de (unknown [195.135.221.27]) by mx2.suse.de (Postfix) with ESMTP id 3FE74AF19 for ; Tue, 12 Jan 2021 09:58:00 +0000 (UTC) From: Martin Doucha To: ltp@lists.linux.it Date: Tue, 12 Jan 2021 10:57:59 +0100 Message-Id: <20210112095759.11910-3-mdoucha@suse.cz> X-Mailer: git-send-email 2.29.2 In-Reply-To: <20210112095759.11910-1-mdoucha@suse.cz> References: <20210112095759.11910-1-mdoucha@suse.cz> MIME-Version: 1.0 X-Virus-Scanned: clamav-milter 0.102.4 at in-3.smtp.seeweb.it X-Virus-Status: Clean X-Spam-Status: No, score=0.0 required=7.0 tests=SPF_HELO_NONE,SPF_PASS autolearn=disabled version=3.4.4 X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on in-3.smtp.seeweb.it Subject: [LTP] [PATCH v6 3/3] syscalls/iopl02, ioperm02: Skip when kernel is locked down X-BeenThere: ltp@lists.linux.it X-Mailman-Version: 2.1.29 Precedence: list List-Id: Linux Test Project List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: ltp-bounces+incoming=patchwork.ozlabs.org@lists.linux.it Sender: "ltp" The iopl() and ioperm() syscalls are blocked when the kernel is locked down. The order of sanity checks is not guaranteed so it's better to skip these tests even if they accidentally work. Signed-off-by: Martin Doucha --- Changes since v3: - new patch testcases/kernel/syscalls/ioperm/ioperm02.c | 4 ++++ testcases/kernel/syscalls/iopl/iopl02.c | 5 +++++ 2 files changed, 9 insertions(+) diff --git a/testcases/kernel/syscalls/ioperm/ioperm02.c b/testcases/kernel/syscalls/ioperm/ioperm02.c index 1808191bf..80dcb992e 100644 --- a/testcases/kernel/syscalls/ioperm/ioperm02.c +++ b/testcases/kernel/syscalls/ioperm/ioperm02.c 
@@ -45,6 +45,10 @@ static struct tcase_t { static void setup(void) { + /* ioperm() is restricted under kernel lockdown. */ + if (tst_lockdown_enabled()) + tst_brk(TCONF, "Kernel is locked down, skip this test"); + /* * The value of IO_BITMAP_BITS (include/asm-i386/processor.h) changed * from kernel 2.6.8 to permit 16-bits (65536) ioperm diff --git a/testcases/kernel/syscalls/iopl/iopl02.c b/testcases/kernel/syscalls/iopl/iopl02.c index 6a817cf2d..a6135ddf3 100644 --- a/testcases/kernel/syscalls/iopl/iopl02.c +++ b/testcases/kernel/syscalls/iopl/iopl02.c @@ -52,6 +52,11 @@ static void verify_iopl(unsigned int i) static void setup(void) { struct passwd *pw; + + /* iopl() is restricted under kernel lockdown. */ + if (tst_lockdown_enabled()) + tst_brk(TCONF, "Kernel is locked down, skip this test"); + pw = SAFE_GETPWNAM("nobody"); SAFE_SETEUID(pw->pw_uid); }
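Review bot: In patch 1/3, the comment added above tst_kconfig_get() in include/tst_private.h says the function returns the option's state "if found" but never says what the caller gets when the option is not found. The implementation presets var.choice = 0 before calling tst_kconfig_read(), so the comment should state which value signals "not found" and how that differs from an option that is present but not set.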
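Review bot: In patch 1/3, tst_kconfig_get() in lib/tst_kconfig.c declares "struct tst_kconfig_var var;" without an initializer and assigns only id_len, id, choice and val before passing it to tst_kconfig_read(&var, 1). Any member not listed there reaches the reader uninitialized. Clearing the whole struct first, for example with memset(&var, 0, sizeof(var)), would make the helper robust against the struct gaining members later. The length check before strcpy() is correct as written, since it rejects any name with id_len >= sizeof(var.id).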
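Review bot: In patch 2/3, the declaration "int tst_secureboot_enabled(void);" added to include/tst_lockdown.h has no comment describing its return values. The implementation returns -1 when the efivar file is missing or cannot be opened and otherwise returns the value byte, so a caller writing "if (tst_secureboot_enabled())" would treat the error case as enabled. Please document the tri-state result next to the prototype and note that callers must test for "> 0".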
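Review bot: In patch 2/3, tst_secureboot_enabled() in lib/tst_lockdown.c returns data[4] directly, where data is a plain char array and the only caller tests the result with "> 0". On a platform where char is signed, a value byte with the top bit set would come back negative and be read as the error case; returning "data[4] != 0" keeps the result in the documented range. Further points in the same function: the "else if (fd < 0)" branch after "if (fd == -1)" cannot be reached with a conforming open(), and the "return -1" following tst_brk() in it looks like dead code. The access() call before open() is redundant because open() already reports a missing file through errno, and its message "Efivar FS not available" is also printed when efivarfs is mounted but the SecureBoot variable does not exist. The literals 5 and 4 deserve a comment: a file in efivarfs starts with a 4-byte attribute field followed by the variable data, which is why the state is taken from the fifth byte.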
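Review bot: In patch 2/3, the fallback added to tst_lockdown_enabled() sits under "if (access(PATH_LOCKDOWN, F_OK) != 0)", so it runs only when the lockdown file does not exist, while the commit message says it applies when the file is "not available/readable". A file that exists but cannot be read will not take this path; either check R_OK here or adjust the description. The in-code comment also says SecureBoot "could mean" integrity lockdown, yet the function returns a definite 1 without reporting that the result was inferred. A tst_res(TINFO, ...) line stating that lockdown is assumed from CONFIG_EFI_SECURE_BOOT_LOCK_DOWN plus SecureBoot would make skipped tests easier to diagnose.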
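Review bot: In patch 3/3, the comments added to setup() in ioperm02.c and iopl02.c say only that the syscall "is restricted under kernel lockdown" and leave out the reason for skipping that the commit message gives, namely that the order of the kernel's sanity checks is not guaranteed, so the test could pass or fail by accident. That rationale belongs in the code comment, since it is what stops a later reader from removing the check when the test happens to pass on a locked-down machine. Note also that tst_lockdown_enabled() returns 0 when it prints "Unable to determine system lockdown state", so both tests still run in that case.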