> Hi Petr, > On Fri, 2024-12-13 at 23:20 +0100, Petr Vorel wrote: > [snip]
> > --- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh > > +++ b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh > > @@ -1,7 +1,7 @@ > > #!/bin/sh > > # SPDX-License-Identifier: GPL-2.0-or-later > > # Copyright (c) 2009 IBM Corporation > > -# Copyright (c) 2018-2020 Petr Vorel <[email protected]> > > +# Copyright (c) 2018-2024 Petr Vorel <[email protected]> > > # Author: Mimi Zohar <[email protected]> > > TST_TESTFUNC="test" > > @@ -72,14 +72,20 @@ require_policy_readable() > > fi > > } > > -require_policy_writable() > > +check_policy_writable() > > { > > - local err="IMA policy already loaded and kernel not configured to > > enable multiple writes to it (need CONFIG_IMA_WRITE_POLICY=y)" > > - > > - [ -f $IMA_POLICY ] || tst_brk TCONF "$err" > > - # CONFIG_IMA_READ_POLICY > > + [ -f $IMA_POLICY ] || return 1 > > + # workaround for kernels < v4.18 without fix > > + # ffb122de9a60b ("ima: Reflect correct permissions for policy") > > echo "" 2> log > $IMA_POLICY > > - grep -q "Device or resource busy" log && tst_brk TCONF "$err" > > + grep -q "Device or resource busy" log && return 1 > > + return 0 > > +} > > + > > +require_policy_writable() > > +{ > > + check_policy_writable || tst_brk TCONF \ > > + "IMA policy already loaded and kernel not configured to enable > > multiple writes to it (need CONFIG_IMA_WRITE_POLICY=y)" > > } > > check_ima_policy_content() > > @@ -158,6 +164,34 @@ print_ima_config() > > tst_res TINFO "/proc/cmdline: $(cat /proc/cmdline)" > > } > > +load_ima_policy() > > +{ > > + local policy="$(ls $TST_DATAROOT/*.policy 2>/dev/null)" > > + > > + if [ "$LTP_IMA_LOAD_POLICY" != 1 -a "$policy" -a -f "$policy" ]; then > > + tst_res TINFO "NOTE: set LTP_IMA_LOAD_POLICY=1 to load policy > > for this test" > > + return > > + fi > > + > > + if [ -z "$policy" -o ! -f "$policy" ]; then > > + tst_res TINFO "no policy for this test" > > + LTP_IMA_LOAD_POLICY= > > + return > > + fi > > + > > + tst_res TINFO "trying to load '$policy' policy:" > > + cat $policy > > + if ! check_policy_writable; then > > + tst_res TINFO "WARNING: IMA policy already loaded and kernel > > not configured to enable multiple writes to it (need > > CONFIG_IMA_WRITE_POLICY=y), reboot required" > > + LTP_IMA_LOAD_POLICY= > > + return > > + fi > > + > > + cat "$policy" 2> log > $IMA_POLICY > > + if grep -q "Device or resource busy" log; then > > + tst_brk TBROK "Loading policy failed" > > + fi > To write to the IMA securityfs policy file, check_policy_writable() used > "echo", > while here it's using "cat". "cat" fails when signed policies are required. > Perhaps add something like: > + > + if grep -q "write error: Permission denied" log; then > + tst_brk TBROK "Loading unsigned policy failed" > + fi +1, I'll add this extra check to v3. I suppose echo "" > /sys/kernel/security/ima/policy does not need this check. Do I understand correctly you talk about policy containing func=POLICY_CHECK [1]? Maybe there could be a test based on example [2]. echo /home/user/tmpfile > /sys/kernel/security/ima/policy cp tmpfile /sys/kernel/security/ima/policy cat tmpfile > /sys/kernel/security/ima/policy Kind regards, Petr [1] https://ima-doc.readthedocs.io/en/latest/policy-syntax.html#func-policy-check [2] https://ima-doc.readthedocs.io/en/latest/ima-policy.html#runtime-custom-policy > > +} > Mimi
