Add tests to ensure that, after applying the kernel patch 'ima: Align
ima_file_mmap() parameters with mmap_file LSM hook', the MMAP_CHECK hook
checks the protections applied by the kernel and not those requested by the
application.
Also ensure that after applying 'ima: Introduce MMAP_CHECK_REQPROT hook',
the MMAP_CHECK_REQPROT hook checks the protections requested by the
application.
Test both with the test_mmap application that by default requests the
PROT_READ protection flag. Its syntax is:
test_mmap <file> <mode>
where mode can be:
- exec: adds the PROT_EXEC protection flag to mmap()
- read_implies_exec: calls the personality() system call with
READ_IMPLIES_EXEC as the first argument before mmap()
- mprotect: adds the PROT_EXEC protection flag to a memory area in addition
to PROT_READ
- exec_on_writable: calls mmap() with PROT_EXEC on a file which has a
writable mapping
Check the different combinations of hooks/modes and ensure that a
measurement entry is found in the IMA measurement list only when it is
expected. No measurement entry should be found when only the PROT_READ
protection flag is requested or the matching policy rule has the
MMAP_CHECK_REQPROT hook and the personality() system call was called with
READ_IMPLIES_EXEC.
mprotect() with PROT_EXEC on an existing memory area protected with
PROT_READ should be denied (with an appraisal rule), regardless of the MMAP
hook specified in the policy. The same applies for mmap() with PROT_EXEC on
a file with a writable mapping.
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Add ima_policy_check.awk to check for possible overlapping of a rule being
added by a test with the existing IMA policy (policy replacement by IMA at
the first policy load is not taken into account).
ima_policy_check.awk expects as input the rule to be added, followed by the
IMA policy.
It returns a bit mask with the following values:
- 1: invalid new rule;
- 2: overlap of the new rule with an existing rule in the IMA policy;
- 4: new rule exists in the IMA policy.
Values can be individually checked by the test executing the awk script, to
determine what to do (abort loading, print a warning in case of overlap,
avoid adding an existing rule).
The bit mask allows the test to see multiple statements regarding the new
rule. For example, if the test added anyway an overlapping rule, it could
also see that the policy already contains it at the next test execution,
and does not add it again.
Since ima_policy_check.awk uses GNU extensions (such as the or() function,
or the fourth argument of split()), add gawk as dependency for the CI.
Finally add ima_policy_check.test, to ensure that the awk script behaves as
expected.
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Unlike the original ima-evm-utils ima_hash.test and sign_verify.test
selftests, kernel tests may fail for any number of reasons (e.g. kernel
config, permissions, missing applications, test infrastructure). For
these tests, the full test log is needed to analyze the failure.
Create a phony target in tests/Makefile.am named "check-logs". Based on
test name, output different amounts of the test log.
Reviewed-by: Petr Vorel <pvorel@suse.cz>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Verify that operations on files with EVM portable signatures succeed and
that the new kernel patch set does not break the existing kernel integrity
expectations. Build and install mount-idmapped for ci/fedora.sh, to
additionally test idmapped mounts.
To run the tests, pass the path of the kernel private key with the
TST_KEY_PATH environment variable. If not provided, search first in the
ima-evm-utils top directory, and then in
/lib/modules/$(uname -r)/source/certs/signing_key.pem and
/lib/modules/$(uname -r)/build/certs/signing_key.pem.
Root privileges are required to mount the image, configure IMA/EVM and set
xattrs.
Set TST_ENV to 'um', to relaunch the script in a new environment after
booting an UML kernel. The UML kernel path must be specified with the
TST_KERNEL environment variable.
Alternatively, set the TST_EVM_CHANGE_MODE variable to 1, to change the
current EVM mode, if a test needs a different one. Otherwise, execute only
the tests compatible with the current EVM mode.
Also set the EVM_ALLOW_METADATA_WRITES flag in the EVM mode, before
launching the script, to run the check_evm_revalidate() test. Execute:
echo 4 > /sys/kernel/security/evm
The last two environment variables above affect which tests will run the
next time the script is executed. Without setting TST_ENV, changes to the
current EVM mode will be irreversibly done in the host. Next time, unless
the host is rebooted, only tests compatible with the last EVM mode set will
run. The others will be skipped.
By setting TST_ENV, this problem does not arise as, every time the
environment is created, it will be clean with no flags set in the EVM mode.
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Test IMA support for including fs-verity enabled file measurements
in the IMA measurement list based on the ima-ngv2 and ima-sigv2
records.
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Calculate the boot_aggregate for each TPM bank and verify that the
boot_aggregate in the IMA measurement list matches one of them.
A software TPM may be used to verify the boot_aggregate. If a
software TPM is not already running on the system, this test
starts one and initializes the TPM PCR banks by walking the sample
binary_bios_measurements event log, included in this directory, and
extending the TPM PCRs. The associated ascii_runtime_measurements
for verifying the calculated boot_aggregate is included in this
directory as well.
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Run `make check' to execute the tests.
This commit only adds ima_hash test.
Signed-off-by: Vitaly Chikunov <vt@altlinux.org>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Newer automake does not like to put programs and scripts
to lib directory. Use libexec instead.
Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com>
For debugging purpose it is nice to have evm hmac calculation for
labeling filesystem using hmac.
Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com>
evmctl provides signing support for IMA/EVM.
Functionality includes signing of file content (IMA), file metadata (EVM),
importing public keys into kernel keyring.
Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com>
