Thread: 5 messages, 2 authors, 2021-02-23

Re: [PATCH] IMA: Check for ima-buf template is not required for keys tests

From: Petr Vorel <pvorel@suse.cz>
Date: 2021-02-23 09:24:06
Also in: ltp

Hi Lakshmi,
ima-buf is the default IMA template used for all buffer measurements.
Therefore, IMA policy rule for measuring keys need not specify
an IMA template.
Good catch. But was it always?
IMHO ima-buf as the default was added in dea87d0889dd ("ima: select ima-buf template for buffer measurement") in v5.11-rc1.
But test1() tests 450d0fd51564 ("IMA: Call workqueue functions to measure queued keys") from v5.6-rc1.
Is it safe to ignore it?
BTW the template=ima-buf requirement was added in commit b0418c93f ("IMA/ima_keys.sh: Require template=ima-buf, fix grep pattern").

Also, shouldn't we check that there is none of the other templates (e.g. template=ima-ng, ...)?
Update keys tests to not check for ima template in the policy rule.
Signed-off-by: Lakshmi Ramasubramanian <redacted>
---
This patch is based on https://github.com/pevik/ltp/commits/ima/selinux.v2.draft,
branch ima/selinux.v2.draft.
 testcases/kernel/security/integrity/ima/tests/ima_keys.sh | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_keys.sh b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh
index c9eef4b68..a3a7afbf7 100755
--- a/testcases/kernel/security/integrity/ima/tests/ima_keys.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh
@@ -15,8 +15,7 @@ TST_CLEANUP=cleanup
 . ima_setup.sh
 FUNC_KEYCHECK='func=KEY_CHECK'
-TEMPLATE_BUF='template=ima-buf'
-REQUIRED_POLICY="^measure.*($FUNC_KEYCHECK.*$TEMPLATE_BUF|$TEMPLATE_BUF.*$FUNC_KEYCHECK)"
+REQUIRED_POLICY="^measure.*($FUNC_KEYCHECK)"
nit: remove brackets:
REQUIRED_POLICY="^measure.*$FUNC_KEYCHECK"

There is a
testcases/kernel/security/integrity/ima/datafiles/ima_keys/keycheck.policy file,
which should be a helper to load the proper policy and needs to be updated as well:
-measure func=KEY_CHECK keyrings=.ima|.evm|.builtin_trusted_keys|.blacklist|key_import_test template=ima-buf
+measure func=KEY_CHECK keyrings=.ima|.evm|.builtin_trusted_keys|.blacklist|key_import_test

I was also thinking of moving keyrings to REQUIRED_POLICY, e.g.:

KEYRINGS="keyrings=\.[a-z]+"
REQUIRED_POLICY="^measure.*($FUNC_KEYCHECK.*$KEYRINGS|$KEYRINGS.*$FUNC_KEYCHECK)"

Kind regards,
Petr
 setup()
 {
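Review bot: the new REQUIRED_POLICY on the `+` line accepts any measure rule containing func=KEY_CHECK, including one that explicitly pins a non-buffer template (e.g. template=ima-ng), so the check no longer guarantees that the rule records key buffers; as the reply notes, ima-buf only became the default for buffer measurement in v5.11-rc1 (dea87d0889dd), so a rule with no template= on an older kernel is not covered either. Consider a negative check after the positive grep, e.g. `grep -E "$pattern" policy.txt | grep -E 'template=' | grep -qv 'template=ima-buf'` leading to TCONF, and/or gating rules without template= on the kernel version. The datafile keycheck.policy mentioned in the reply still carries template=ima-buf and should be updated in the same patch.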
@@ -33,7 +32,7 @@ check_keys_policy()
 	local pattern="$1"
 	if ! grep -E "$pattern" $TST_TMPDIR/policy.txt; then
-		tst_res TCONF "IMA policy must specify $pattern, $FUNC_KEYCHECK, $TEMPLATE_BUF"
+		tst_res TCONF "IMA policy must specify $pattern, $FUNC_KEYCHECK"
 		return 1
 	fi
 	return 0
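Review bot: the TCONF message on the `+` line lists both $pattern and $FUNC_KEYCHECK, but $pattern (REQUIRED_POLICY) already embeds $FUNC_KEYCHECK, so the same token is printed twice; `tst_res TCONF "IMA policy must specify $pattern"` or a wording in plain terms (a measure rule with func=KEY_CHECK) would be clearer. Unchanged context, but worth a look while here: grep -E without -q echoes the matching rule to stdout; use grep -qE if that output is not wanted in the test log.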
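Following up on the policy check discussed above, here is an added shell example (not LTP's ima_keys.sh and not part of this patch) that matches a KEY_CHECK measure rule in either argument order, requires a keyrings= option as the reply suggests, and rejects a rule that pins a template other than ima-buf, the case the reply asks about. The KEYRINGS pattern, the function names and the sample policy files are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the patch or from LTP's ima_keys.sh.
# Checks an IMA policy file for a measure rule that will record key
# buffers: func=KEY_CHECK plus a keyrings= option, in either order, and
# no template other than ima-buf.

FUNC_KEYCHECK='func=KEY_CHECK'
# Assumption: keyring names in the rule start with '.', as in .ima or .evm.
KEYRINGS='keyrings=\.[a-z_]+'
REQUIRED_POLICY="^measure.*($FUNC_KEYCHECK.*$KEYRINGS|$KEYRINGS.*$FUNC_KEYCHECK)"

# check_keys_policy FILE
#   returns 0: a usable KEY_CHECK measure rule is present
#           1: no measure rule with func=KEY_CHECK and keyrings= found
#           2: such a rule exists but pins a template other than ima-buf
#              (e.g. template=ima-ng), which has no buf field and so
#              records no buffer contents
check_keys_policy()
{
	rules=$(grep -E "$REQUIRED_POLICY" "$1") || return 1
	if printf '%s\n' "$rules" | grep -E 'template=' | grep -Eqv 'template=ima-buf'; then
		return 2
	fi
	return 0
}

# policy_keyrings FILE: print the keyrings= value of the first matching rule.
policy_keyrings()
{
	grep -E "$REQUIRED_POLICY" "$1" | sed -En 's/.*keyrings=([^ ]*).*/\1/p' | head -n 1
}

# Constructed sample policies for the example (not real LTP datafiles).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/default.policy" <<'EOF'
measure func=KEY_CHECK keyrings=.ima|.evm|.builtin_trusted_keys|.blacklist|key_import_test
EOF
cat > "$tmp/buf.policy" <<'EOF'
measure keyrings=.ima|.evm func=KEY_CHECK template=ima-buf
EOF
cat > "$tmp/ng.policy" <<'EOF'
measure func=KEY_CHECK keyrings=.ima template=ima-ng
EOF
cat > "$tmp/none.policy" <<'EOF'
measure func=BPRM_CHECK mask=MAY_EXEC
dont_measure fsmagic=0x9fa0
EOF

# Show the verdict for each constructed policy.
for p in default buf ng none; do
	rc=0
	check_keys_policy "$tmp/$p.policy" || rc=$?
	echo "$p.policy: rc=$rc keyrings='$(policy_keyrings "$tmp/$p.policy")'"
done
```

In a test this would map rc=1 and rc=2 to TCONF with different messages, so a policy that names the wrong template is reported distinctly from one that has no KEY_CHECK rule at all.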