ima_setup.sh: Allow to load predefined policy

environment variable LTP_IMA_LOAD_POLICY=1 tries to load example policy
if available. This should be used only if tooling running LTP tests
allows to reboot afterwards because policy may be writable only once,
e.g. missing CONFIG_IMA_WRITE_POLICY=y, or policies can influence each
other.

Loading may fail due various reasons (e.g. previously mentioned missing
CONFIG_IMA_WRITE_POLICY=y and policy already loaded or when secure boot is
enabled and the kernel is configured with CONFIG_IMA_ARCH_POLICY enabled, an
appraise func=POLICY_CHECK appraise_type=imasig rule is loaded, requiring the
IMA policy itself to be signed).

Link: https://lore.kernel.org/ltp/[email protected]/
Reviewed-by: Mimi Zohar <[email protected]>
Signed-off-by: Petr Vorel <[email protected]>

Author: pevik

doc/users/setup_tests.rst

@@ -59,6 +59,9 @@ users.
        both up and down with this multiplier. This is not yet implemented in the
        shell API.
 
+   * - LTP_IMA_LOAD_POLICY
+     - Load IMA example policy, see :master:`testcases/kernel/security/integrity/ima/README.md`.
+
    * - LTP_VIRT_OVERRIDE
      - Overrides virtual machine detection in the test library. Setting it to
        empty string, tells the library that system is not a virtual machine.

testcases/kernel/security/integrity/ima/README.md

@@ -8,6 +8,18 @@ CONFIG_INTEGRITY=y
 CONFIG_IMA=y
 ```
 
+### Loading policy for testing (optional)
+Setting environment variable `LTP_IMA_LOAD_POLICY=1` tries to load example
+policy if available. This should be used only if tooling running LTP tests
+allows to reboot afterwards because policy may be writable only once, e.g.
+missing `CONFIG_IMA_WRITE_POLICY=y`, or policies can influence each other.
+
+Loading may fail due various reasons (e.g. previously mentioned missing
+`CONFIG_IMA_WRITE_POLICY=y` and policy already loaded or when secure boot is
+enabled and the kernel is configured with `CONFIG_IMA_ARCH_POLICY` enabled, an
+`appraise func=POLICY_CHECK appraise_type=imasig` rule is loaded, requiring the
+IMA policy itself to be signed).
+
 ### IMA measurement tests
 `ima_measurements.sh` require builtin IMA tcb policy to be loaded
 (`ima_policy=tcb` kernel parameter).

testcases/kernel/security/integrity/ima/tests/ima_kexec.sh

@@ -7,6 +7,7 @@
 # Verify that kexec cmdline is measured correctly.
 # Test attempts to kexec the existing running kernel image.
 # To kexec a different kernel image export IMA_KEXEC_IMAGE=<pathname>.
+# Test requires example IMA policy loadable with LTP_IMA_LOAD_POLICY=1.
 
 TST_NEEDS_CMDS="grep kexec sed"
 TST_CNT=3

testcases/kernel/security/integrity/ima/tests/ima_keys.sh

@@ -5,6 +5,7 @@
 # Author: Lachlan Sneff <[email protected]>
 #
 # Verify that keys are measured correctly based on policy.
+# Test requires example IMA policy loadable with LTP_IMA_LOAD_POLICY=1.
 
 TST_NEEDS_CMDS="cmp cut grep sed"
 TST_CNT=2

testcases/kernel/security/integrity/ima/tests/ima_measurements.sh

@@ -5,7 +5,7 @@
 # Author: Mimi Zohar <[email protected]>
 #
 # Verify that measurements are added to the measurement list based on policy.
-# Test requires ima_policy=tcb.
+# Test requires either ima_policy=tcb or example policy loadable with LTP_IMA_LOAD_POLICY=1.
 
 TST_NEEDS_CMDS="awk cut sed"
 TST_SETUP="setup"

testcases/kernel/security/integrity/ima/tests/ima_selinux.sh

@@ -5,6 +5,7 @@
 # Author: Lakshmi Ramasubramanian <[email protected]>
 #
 # Verify measurement of SELinux policy hash and state.
+# Test requires example IMA policy loadable with LTP_IMA_LOAD_POLICY=1.
 #
 # Relevant kernel commits:
 # * fdd1ffe8a812 ("selinux: include a consumer of the new IMA critical data hook")

testcases/kernel/security/integrity/ima/tests/ima_setup.sh

@@ -76,14 +76,20 @@ require_policy_readable()
 	fi
 }
 
-require_policy_writable()
+check_policy_writable()
 {
-	local err="IMA policy already loaded and kernel not configured to enable multiple writes to it (need CONFIG_IMA_WRITE_POLICY=y)"
-
-	[ -f $IMA_POLICY ] || tst_brk TCONF "$err"
-	# CONFIG_IMA_READ_POLICY
+	[ -f $IMA_POLICY ] || return 1
+	# workaround for kernels < v4.18 without fix
+	# ffb122de9a60b ("ima: Reflect correct permissions for policy")
 	echo "" 2> log > $IMA_POLICY
-	grep -q "Device or resource busy" log && tst_brk TCONF "$err"
+	grep -q "Device or resource busy" log && return 1
+	return 0
+}
+
+require_policy_writable()
+{
+	check_policy_writable || tst_brk TCONF \
+		"IMA policy already loaded and kernel not configured to enable multiple writes to it (need CONFIG_IMA_WRITE_POLICY=y)"
 }
 
 check_ima_policy_content()
@@ -183,16 +189,58 @@ verify_ima_policy()
 			# check IMA policy content
 			while read line; do
 				if ! grep -q "$line" $IMA_POLICY; then
-					tst_brk TCONF "missing required policy '$line'"
+					tst_res TINFO "WARNING: missing required policy content: '$line'"
+					return 1
 				fi
-				IMA_POLICY_CHECKED=1
 			done < $file
+			IMA_POLICY_CHECKED=1
 		else
 			tst_res TINFO "policy is not readable, failure will be treated as TCONF"
 			IMA_FAIL="TCONF"
 			IMA_BROK="TCONF"
+			return 1
 		fi
 	fi
+	return 0
+}
+
+load_ima_policy()
+{
+	local file="$TST_DATAROOT/$REQUIRED_POLICY_CONTENT"
+
+	if [ "$LTP_IMA_LOAD_POLICY" != 1 -a "$IMA_POLICY_CHECKED" != 1 ]; then
+		tst_res TCONF "missing required policy, example policy can be loaded with LTP_IMA_LOAD_POLICY=1"
+		return 0
+	fi
+
+	if [ "$IMA_POLICY_CHECKED" = 1 ]; then
+		tst_res TINFO "valid policy already loaded, ignore LTP_IMA_LOAD_POLICY=1"
+	fi
+
+	tst_res TINFO "trying to load '$file' policy:"
+	cat $file
+	if ! check_policy_writable; then
+		tst_res TINFO "WARNING: IMA policy already loaded and kernel not configured to enable multiple writes to it (need CONFIG_IMA_WRITE_POLICY=y), reboot required, failures will be treated as TCONF"
+		IMA_FAIL="TCONF"
+		IMA_BROK="TCONF"
+		LTP_IMA_LOAD_POLICY=
+		return
+	fi
+
+	cat "$file" 2> log > $IMA_POLICY
+	if grep -q "Device or resource busy" log; then
+		tst_brk TBROK "loading policy failed"
+	fi
+
+	if grep -q "write error: Permission denied" log; then
+		tst_brk TCONF "loading unsigned policy failed"
+	fi
+
+	IMA_POLICY_LOADED=1
+
+	tst_res TINFO "example policy successfully loaded"
+	IMA_FAIL="TFAIL"
+	IMA_BROK="TBROK"
 }
 
 ima_setup()
@@ -217,7 +265,9 @@ ima_setup()
 		cd "$TST_MNTPOINT"
 	fi
 
-	verify_ima_policy
+	if ! verify_ima_policy; then
+		load_ima_policy
+	fi
 
 	[ -n "$TST_SETUP_CALLER" ] && $TST_SETUP_CALLER
 }
@@ -231,6 +281,10 @@ ima_cleanup()
 	for dir in $UMOUNT; do
 		umount $dir
 	done
+
+	if [ "$IMA_POLICY_LOADED" = 1 ]; then
+		tst_res TINFO "WARNING: policy loaded via LTP_IMA_LOAD_POLICY=1, reboot recommended"
+	fi
 }
 
 set_digest_index()