dh/ima-evm-utils-mirror
1
0
Fork 0
mirror of https://git.code.sf.net/p/linux-ima/ima-evm-utils synced 2025-04-27 14:22:31 +02:00
Code Releases Activity
ima-evm-utils-mirror/tests/Makefile.am
Roberto Sassu 6917e384d3 Add tests for MMAP_CHECK and MMAP_CHECK_REQPROT hooks 
Add tests to ensure that, after applying the kernel patch 'ima: Align
ima_file_mmap() parameters with mmap_file LSM hook', the MMAP_CHECK hook
checks the protections applied by the kernel and not those requested by the
application.

Also ensure that after applying 'ima: Introduce MMAP_CHECK_REQPROT hook',
the MMAP_CHECK_REQPROT hook checks the protections requested by the
application.

Test both with the test_mmap application that by default requests the
PROT_READ protection flag. Its syntax is:

test_mmap <file> <mode>

where mode can be:
- exec: adds the PROT_EXEC protection flag to mmap()
- read_implies_exec: calls the personality() system call with
                     READ_IMPLIES_EXEC as the first argument before mmap()
- mprotect: adds the PROT_EXEC protection flag to a memory area in addition
            to PROT_READ
- exec_on_writable: calls mmap() with PROT_EXEC on a file which has a
                    writable mapping

Check the different combinations of hooks/modes and ensure that a
measurement entry is found in the IMA measurement list only when it is
expected. No measurement entry should be found when only the PROT_READ
protection flag is requested or the matching policy rule has the
MMAP_CHECK_REQPROT hook and the personality() system call was called with
READ_IMPLIES_EXEC.

mprotect() with PROT_EXEC on an existing memory area protected with
PROT_READ should be denied (with an appraisal rule), regardless of the MMAP
hook specified in the policy. The same applies for mmap() with PROT_EXEC on
a file with a writable mapping.

Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
2023-03-02 16:52:50 -05:00

30 lines
662 B
Makefile
Raw Permalink Blame History

check_SCRIPTS =
TESTS = $(check_SCRIPTS)
check_SCRIPTS += ima_hash.test sign_verify.test boot_aggregate.test \
fsverity.test portable_signatures.test ima_policy_check.test \
mmap_check.test
check_PROGRAMS := test_mmap
.PHONY: check_logs
check_logs:
@for log in $(TEST_LOGS); do \
echo -e "\n***" $$log "***" ; \
case $$log in \
ima_hash.log | sign_verify.log ) \
tail -3 $$log ; \
grep "skipped" $$log && grep "skipped" $$log | wc -l ;; \
*) \
cat $$log ;; \
esac ; \
done
clean-local:
-rm -f *.txt *.out *.sig *.sig2
distclean: distclean-keys
.PHONY: distclean-keys
distclean-keys:
./gen-keys.sh clean
View Git Blame Copy Permalink