Re: [PATCH v2 2/8] ima_setup.sh: Allow to load predefined policy

Mon, 30 Dec 2024 12:44:29 -0800 

Hi Petr,

On Fri, 2024-12-13 at 23:20 +0100, Petr Vorel wrote:
[snip]

> --- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
> +++ b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
> @@ -1,7 +1,7 @@
>  #!/bin/sh
>  # SPDX-License-Identifier: GPL-2.0-or-later
>  # Copyright (c) 2009 IBM Corporation
> -# Copyright (c) 2018-2020 Petr Vorel <[email protected]>
> +# Copyright (c) 2018-2024 Petr Vorel <[email protected]>
>  # Author: Mimi Zohar <[email protected]>
>  
>  TST_TESTFUNC="test"
> @@ -72,14 +72,20 @@ require_policy_readable()
>       fi
>  }
>  
> -require_policy_writable()
> +check_policy_writable()
>  {
> -     local err="IMA policy already loaded and kernel not configured to 
> enable multiple writes to it (need CONFIG_IMA_WRITE_POLICY=y)"
> -
> -     [ -f $IMA_POLICY ] || tst_brk TCONF "$err"
> -     # CONFIG_IMA_READ_POLICY
> +     [ -f $IMA_POLICY ] || return 1
> +     # workaround for kernels < v4.18 without fix
> +     # ffb122de9a60b ("ima: Reflect correct permissions for policy")
>       echo "" 2> log > $IMA_POLICY
> -     grep -q "Device or resource busy" log && tst_brk TCONF "$err"
> +     grep -q "Device or resource busy" log && return 1
> +     return 0
> +}
> +
> +require_policy_writable()
> +{
> +     check_policy_writable || tst_brk TCONF \
> +             "IMA policy already loaded and kernel not configured to enable 
> multiple writes to it (need CONFIG_IMA_WRITE_POLICY=y)"
>  }
>  
>  check_ima_policy_content()
> @@ -158,6 +164,34 @@ print_ima_config()
>       tst_res TINFO "/proc/cmdline: $(cat /proc/cmdline)"
>  }
>  
> +load_ima_policy()
> +{
> +     local policy="$(ls $TST_DATAROOT/*.policy 2>/dev/null)"
> +
> +     if [ "$LTP_IMA_LOAD_POLICY" != 1 -a "$policy" -a -f "$policy" ]; then
> +             tst_res TINFO "NOTE: set LTP_IMA_LOAD_POLICY=1 to load policy 
> for this test"
> +             return
> +     fi
> +
> +     if [ -z "$policy" -o ! -f "$policy" ]; then
> +             tst_res TINFO "no policy for this test"
> +             LTP_IMA_LOAD_POLICY=
> +             return
> +     fi
> +
> +     tst_res TINFO "trying to load '$policy' policy:"
> +     cat $policy
> +     if ! check_policy_writable; then
> +             tst_res TINFO "WARNING: IMA policy already loaded and kernel 
> not configured to enable multiple writes to it (need 
> CONFIG_IMA_WRITE_POLICY=y), reboot required"
> +             LTP_IMA_LOAD_POLICY=
> +             return
> +     fi
> +
> +     cat "$policy" 2> log > $IMA_POLICY
> +     if grep -q "Device or resource busy" log; then
> +             tst_brk TBROK "Loading policy failed"
> +     fi

To write to the IMA securityfs policy file, check_policy_writable() used "echo",
while here it's using "cat".  "cat" fails when signed policies are required.
Perhaps add something like:
+
+       if grep -q "write error: Permission denied" log; then
+               tst_brk TBROK "Loading unsigned policy failed"
+       fi

> +}

Mimi

Reply via email to