lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <acc5495c0bef99f255c4e16f47c2a23dd450d5ad.camel@linux.ibm.com>
Date:   Wed, 01 Feb 2023 12:54:26 -0500
From:   Mimi Zohar <zohar@...ux.ibm.com>
To:     Roberto Sassu <roberto.sassu@...weicloud.com>,
        dmitry.kasatkin@...il.com, jmorris@...ei.org, serge@...lyn.com
Cc:     linux-integrity@...r.kernel.org,
        linux-security-module@...r.kernel.org,
        linux-kernel@...r.kernel.org, stefanb@...ux.ibm.com,
        viro@...iv.linux.org.uk, pvorel@...e.cz,
        Roberto Sassu <roberto.sassu@...wei.com>
Subject: Re: [PATCH ima-evm-utils v2] Add tests for MMAP_CHECK and
 MMAP_CHECK_REQPROT hooks

On Wed, 2023-02-01 at 18:29 +0100, Roberto Sassu wrote:
> On Tue, 2023-01-31 at 22:02 -0500, Mimi Zohar wrote:
> > Hi Roberto,
> > 
> > > +check_mmap() {
> > > +	local hook="$1"
> > > +	local arg="$2"
> > > +	local test_file fowner rule result test_file_entry
> > > +
> > > +	echo -e "\nTest: ${FUNCNAME[0]} (hook=\"$hook\", test_mmap arg: \"$arg\")"
> > > +
> > > +	if ! test_file=$(mktemp -p "$PWD"); then
> > > +		echo "${RED}Cannot write $test_file${NORM}"
> > > +		return "$HARDFAIL"
> > > +	fi
> > > +
> > > +	fowner="$MMAP_CHECK_FOWNER"
> > > +	rule="$MEASURE_MMAP_CHECK_RULE"
> > > +
> > > +	if [ "$hook" = "MMAP_CHECK_REQPROT" ]; then
> > > +		fowner="$MMAP_CHECK_REQPROT_FOWNER"
> > > +		rule="$MEASURE_MMAP_CHECK_REQPROT_RULE"
> > > +	fi
> > > +
> > > +	if ! chown "$fowner" "$test_file"; then
> > > +		echo "${RED}Cannot change owner of $test_file${NORM}"
> > > +		return "$HARDFAIL"
> > > +	fi
> > > +
> > > +	check_load_ima_rule "$rule"
> > > +	result=$?
> > > +	if [ $result -ne "$OK" ]; then
> > > +		return $result
> > > +	fi
> > > +
> > > +	test_mmap "$test_file" "$arg"
> > > +
> > > +	if [ "$TFAIL" != "yes" ]; then
> > > +		echo -n "Result (expect found): "
> > > +	else
> > > +		echo -n "Result (expect not found): "
> > > +	fi
> > > +
> > > +	test_file_entry=$(awk '$5 == "'"$test_file"'"' < /sys/kernel/security/ima/ascii_runtime_measurements)
> > > +	if [ -z "$test_file_entry" ]; then
> > > +		echo "not found"
> > > +		return "$FAIL"
> > > +	fi
> > 
> > Using temporary files should prevent having multiple records.  Having a
> > verbose option to show the actual matching measurement list record
> > would be nice.
> > 
> > > +
> > > +	echo "found"
> > > +	return "$OK"
> > > +}
> > > +
> > 
> > 
> > > +
> > > +# Run in the new environment if TST_ENV is set.
> > > +_run_env "$TST_KERNEL" "$PWD/$(basename "$0")" "TST_ENV=$TST_ENV TST_KERNEL=$TST_KERNEL PATH=$PATH LD_LIBRARY_PATH=$LD_LIBRARY_PATH VERBOSE=$VERBOSE"
> > > +
> > > +# Exit from the creator of the new environment.
> > > +_exit_env "$TST_KERNEL"
> > > +
> > > +# Mount filesystems in the new environment.
> > > +_init_env
> > > +
> > > +if [ "$(whoami)" != "root" ]; then
> > > +	echo "${CYAN}This script must be executed as root${NORM}"
> > > +	exit "$SKIP"
> > > +fi
> > > +
> > > +if [ ! -f /sys/kernel/security/ima/policy ]; then
> > > +	echo "${CYAN}IMA policy file not found${NORM}"
> > > +	exit "$SKIP"
> > > +fi
> > > +
> > > +if ! cat /sys/kernel/security/ima/policy &> /dev/null; then
> > > +	echo "${CYAN}IMA policy file is not readable${NORM}"
> > > +	exit "$SKIP"
> > > +fi
> > 
> > An existing policy with an mmap rule would affect this test.  Check to
> > see if one already exists.
> 
> Not sure about this. We are specifying the filesystem UUID and the file
> owner. Should be enough to avoid interferences. Also
> check_load_ima_rule() avoids duplicated rules.

Since the policy rules are walked sequentially, existing mmap rules
without the uuid or owner qualifiers will interfere with the test
policy rules.   To see the problem load a custom policy containing an
mmap rule, without any qualifiers.  Then run the mmap_check test.

> 
> > > +
> > > +if [ -n "$TST_KEY_PATH" ]; then
> > > +	if [ "${TST_KEY_PATH:0:1}" != "/" ]; then
> > > +		echo "${RED}Absolute path required for the signing key${NORM}"
> > > +		exit "$FAIL"
> > > +	fi
> > > 
> 


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ