Add ima_policy_check.awk to check for possible overlapping of a rule being
added by a test with the existing IMA policy (policy replacement by IMA at
the first policy load is not taken into account).
ima_policy_check.awk expects as input the rule to be added, followed by the
IMA policy.
It returns a bit mask with the following values:
- 1: invalid new rule;
- 2: overlap of the new rule with an existing rule in the IMA policy;
- 4: new rule exists in the IMA policy.
Values can be individually checked by the test executing the awk script, to
determine what to do (abort loading, print a warning in case of overlap,
avoid adding an existing rule).
The bit mask allows the test to see multiple statements regarding the new
rule. For example, if the test added an overlapping rule anyway, it could
also see at the next test execution that the policy already contains it,
and not add it again.
Since ima_policy_check.awk uses GNU extensions (such as the or() function,
or the fourth argument of split()), add gawk as dependency for the CI.
Finally add ima_policy_check.test, to ensure that the awk script behaves as
expected.
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>

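Shown here as an added example, not code from ima-evm-utils or its tests: a POSIX shell helper that maps the bit mask to a test decision, including the combined-bit case described above (overlap plus already present). It assumes ima_policy_check.awk sits in the current directory and reports the mask as its exit status.

```shell
#!/bin/sh
# Added example (not part of ima-evm-utils): act on the bit mask returned by
# ima_policy_check.awk. Script location (current directory) and the mask
# being delivered as the exit status are assumptions.

# Bit values as documented for ima_policy_check.awk.
POLICY_INVALID=1   # new rule is malformed
POLICY_OVERLAP=2   # new rule overlaps an existing rule
POLICY_EXISTS=4    # new rule is already in the policy

# Map a bit mask to the action a test should take. Bits are checked in
# priority order: an invalid rule aborts; a rule already present is not
# loaded again even if it also overlaps; a plain overlap is loaded with a
# warning; a clean result is loaded silently.
policy_check_action() {
    mask=$1
    if [ $((mask & POLICY_INVALID)) -ne 0 ]; then
        echo abort
    elif [ $((mask & POLICY_EXISTS)) -ne 0 ]; then
        echo skip
    elif [ $((mask & POLICY_OVERLAP)) -ne 0 ]; then
        echo warn
    else
        echo load
    fi
}

# Run the check: the rule comes first on stdin, followed by the current
# policy (normally read from /sys/kernel/security/ima/policy). The exit
# status of the pipeline is gawk's, i.e. the bit mask.
ima_policy_check() {
    rule=$1
    policy_file=$2
    { echo "$rule"; cat "$policy_file"; } | gawk -f ima_policy_check.awk
    policy_check_action $?
}

# A rule the policy already contains and that also overlaps another rule
# (mask 2|4 = 6) is skipped rather than loaded twice.
# policy_check_action 6  -> skip
```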
The travis "fedora:latest" matrix rule fails due to not finding
"haveged". Install "haveged" after enabling EPEL.
Fixes: f106a9022d1f ("Add support for creating a new testing environment in functions.sh")
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>

Verify that operations on files with EVM portable signatures succeed and
that the new kernel patch set does not break the existing kernel integrity
expectations. Build and install mount-idmapped for ci/fedora.sh, to
additionally test idmapped mounts.
To run the tests, pass the path of the kernel private key with the
TST_KEY_PATH environment variable. If not provided, search first in the
ima-evm-utils top directory, and then in
/lib/modules/$(uname -r)/source/certs/signing_key.pem and
/lib/modules/$(uname -r)/build/certs/signing_key.pem.
Root privileges are required to mount the image, configure IMA/EVM and set
xattrs.
Set TST_ENV to 'um', to relaunch the script in a new environment after
booting a UML kernel. The UML kernel path must be specified with the
TST_KERNEL environment variable.
Alternatively, set the TST_EVM_CHANGE_MODE variable to 1, to change the
current EVM mode, if a test needs a different one. Otherwise, execute only
the tests compatible with the current EVM mode.
Also set the EVM_ALLOW_METADATA_WRITES flag in the EVM mode, before
launching the script, to run the check_evm_revalidate() test. Execute:
echo 4 > /sys/kernel/security/evm
The last two environment variables above affect which tests will run the
next time the script is executed. Without setting TST_ENV, changes to the
current EVM mode will be irreversibly done in the host. Next time, unless
the host is rebooted, only tests compatible with the last EVM mode set will
run. The others will be skipped.
By setting TST_ENV, this problem does not arise as, every time the
environment is created, it will be clean with no flags set in the EVM mode.
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>

Add the new functions _run_env(), _exit_env(), _init_env() and
_cleanup_env() to run the tests inside a new environment specified with the
TST_ENV environment variable.
A typical structure of a script with tests is:
    trap '_report_exit_and_cleanup _cleanup_env cleanup' \
        SIGINT SIGTERM SIGSEGV EXIT

    cleanup() {
        <test cleanup>
    }

    <tests implementations>

    _run_env "$TST_KERNEL" "$PWD/$(basename "$0")" "env_var1=$env_var1 ..."
    _exit_env "$TST_KERNEL"
    _init_env

    <tests init>
    <tests call>
If TST_ENV is not set or empty, don't create a new testing environment and
perform the cleanup in the current environment. Also don't create a new
testing environment if the script is already being executed in a new
environment, to avoid loops. Instead, for cleanup, do it in the new
environment and skip it in the host environment (if the cleanup function is
passed to _cleanup_env()).
Signal to the creator of the environment failures of tests or of the script
itself run in the new environment (if the exit code is 1 ($FAIL) or 99
($HARDFAIL)) with an unclean shutdown of the system.
Add haveged and systemd as dependencies for the tests in ci/fedora.sh,
respectively for initializing the random number generator and for shutting
down the system in the new environment.
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>

Add a build job, prerequisite of the existing job, to compile the UML
kernel and upload it and the signing key to a cache. Github configuration
should have two variables: LINUX_URL, the full URL of the kernel
repository; LINUX_BRANCH, the branch to check out as fallback if the kernel
repository does not have the same branch name as the one being pushed for
ima-evm-utils. See:
https://docs.github.com/en/actions/learn-github-actions/variables
for directions on how to define those variables.
If the two variables are not defined, the default values are:
LINUX_URL=https://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git
LINUX_BRANCH=next-integrity
If there is a cache hit (same kernel commit and same kernel configuration),
next time the UML kernel will not be rebuilt. To use the cache, it is
necessary to install zstd in the container. Add this dependency to
ci/fedora.sh.
The cache can be managed at the following URL:
https://github.com/<username>/ima-evm-utils/actions/caches
The page also offers the possibility to clean the cache, to force
rebuilding the kernel.
Add a new entry in the testing matrix, for the fedora-latest container
image, to run the tests with the UML kernel. The entry differs from the
others for the new environment variable TST_ENV, set to 'um', and
TST_KERNEL set to '../linux', as the tests will be executed from the
tests/ directory in ima-evm-utils.
Add a new volume to the container, /dev/shm from the host, as it is
required for running the UML kernel.
Extend the existing job with steps to download the UML kernel and signing
key from the cache. The new steps are executed only if the matrix entry has
TST_ENV set.
Finally, pass TST_ENV and TST_KERNEL to the tests. A test should also
propagate these variables to the new environment, by passing them to the
kernel command line.
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>

Test IMA support for including fs-verity enabled file measurements
in the IMA measurement list based on the ima-ngv2 and ima-sigv2
records.
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>

bash is a dependency for tests, and is not installed by default on
containers.
This fixes:
    ../test-driver: line 112: ./ima_hash.test: not found
    ../test-driver: line 112: ./sign_verify.test: not found
    ../test-driver: line 112: ./boot_aggregate.test: not found
Signed-off-by: Petr Vorel <pvorel@suse.cz>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>

Get the packages for pkcs11 testing on the CI/CD system, where available.
On those systems where it is not available, skip the two tests.
The following distros cannot run the pkcs11 tests:
- Alpine: package with pkcs11 engine not available
- CentOS7: softhsm 2.1.0 is too old for tests to work; tests also fail when
trying to sign with pkcs11 URI using openssl command line tool
- OpenSuSE Leap: softhsm package not available in main repo
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>

Build on the Sisyphus branch, which is a bleeding-edge repository.
The package manager is apt-rpm (not APT, as it may look from the scripts).
Signed-off-by: Vitaly Chikunov <vt@altlinux.org>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>

This symlink is missing only on openSUSE Tumbleweed; it exists on openSUSE
Leap, so the build failed.
Signed-off-by: Petr Vorel <pvorel@suse.cz>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>

This is a preparation for adding GitHub Actions support.
Also run from the root directory. It's a bit confusing to run from the
travis directory.
Signed-off-by: Petr Vorel <pvorel@suse.cz>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>