On Mon, Nov 23, 2020 at 2:24 PM Mimi Zohar <zo...@linux.ibm.com> wrote: > > On Sat, 2020-11-21 at 00:50 +0000, KP Singh wrote: > > From: KP Singh <kpsi...@google.com> > > > > - Update the IMA policy before executing the test binary (this is not an > > override of the policy, just an append that ensures that hashes are > > calculated on executions). > > Assuming the builtin policy has been replaced with a custom policy and > CONFIG_IMA_WRITE_POLICY is enabled, then yes the rule is appended. If > a custom policy has not yet been loaded, loading this rule becomes the > defacto custom policy. > > Even if a custom policy has been loaded, potentially additional > measurements unrelated to this test would be included the measurement > list. One way of limiting a rule to a specific test is by loopback > mounting a file system and defining a policy rule based on the loopback > mount unique uuid.
Thanks Mimi! I wonder if we simply limit this to policy to /tmp and run an executable from /tmp (like test_local_storage.c does). The only side effect would be of extra hashes being calculated on binaries run from /tmp which is not too bad I guess? We could do the loop mount too, but I am guessing the most clean way would be to shell out to mount from the test? Are there some other examples of IMA we could look at? - KP > > Mimi >
