[PATCH COMMITTED] ima_setup.sh: Quit the test on unsuitable IMA policy

Mon, 17 Feb 2025 10:34:11 -0800 

Fixing 2 bug:

1) Test wrongly continued testing on SUT with unsuitable IMA policy when
LTP_IMA_LOAD_POLICY=1 was *not* set.  That caused ima_keys.sh and
ima_kexec.sh TFAIL instead of TCONF.

2) Also don't attempt to load policy when needed but LTP_IMA_LOAD_POLICY=1
was *not* set.

This also reverts a5c47143b5 ("ima_measurements.sh: Check policy for test3")
which required the previous behavior. To restore behavior in the future
loading policy will need to be rewritten to allow check only for a
particular test or ima_measurements.sh can be split to require TCB
policy only for 3rd test.

Fixes: aac97cca96 ("ima_setup.sh: Allow to load predefined policy")
Signed-off-by: Petr Vorel <[email protected]>
---
 .../integrity/ima/tests/ima_measurements.sh        |  2 +-
 .../security/integrity/ima/tests/ima_setup.sh      | 14 ++++++--------
 2 files changed, 7 insertions(+), 9 deletions(-)

diff --git a/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh 
b/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh
index d1e41b789a..60350f3926 100755
--- a/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh
@@ -77,7 +77,7 @@ test3()
        tst_res TINFO "verify not measuring user files"
        tst_check_cmds sudo || return
 
-       if [ "$IMA_POLICY_CHECKED" != 1 ]; then
+       if [ "$IMA_MISSING_POLICY_CONTENT" = 1 ]; then
                tst_res TCONF "test requires specific policy, try load it with 
LTP_IMA_LOAD_POLICY=1"
                return
        fi
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh 
b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
index 69ee5a3d65..366e1257dc 100644
--- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
@@ -190,10 +190,10 @@ verify_ima_policy()
                        while read line; do
                                if ! grep -q "$line" $IMA_POLICY; then
                                        tst_res TINFO "WARNING: missing 
required policy content: '$line'"
+                                       IMA_MISSING_POLICY_CONTENT=1
                                        return 1
                                fi
                        done < $file
-                       IMA_POLICY_CHECKED=1
                else
                        tst_res TINFO "policy is not readable, failure will be 
treated as TCONF"
                        IMA_FAIL="TCONF"
@@ -208,13 +208,11 @@ load_ima_policy()
 {
        local file="$TST_DATAROOT/$REQUIRED_POLICY_CONTENT"
 
-       if [ "$LTP_IMA_LOAD_POLICY" != 1 -a "$IMA_POLICY_CHECKED" != 1 ]; then
-               tst_res TCONF "missing required policy, example policy can be 
loaded with LTP_IMA_LOAD_POLICY=1"
-               return 0
-       fi
-
-       if [ "$IMA_POLICY_CHECKED" = 1 ]; then
-               tst_res TINFO "valid policy already loaded, ignore 
LTP_IMA_LOAD_POLICY=1"
+       if [ "$LTP_IMA_LOAD_POLICY" != 1 ]; then
+               if [ "$IMA_MISSING_POLICY_CONTENT" = 1 ]; then
+                       tst_brk TCONF "missing required policy, example policy 
can be loaded with LTP_IMA_LOAD_POLICY=1"
+               fi
+               return
        fi
 
        tst_res TINFO "trying to load '$file' policy:"
-- 
2.47.2

Reply via email to