[LTP] [LTP v4 4/5] IMA: Add a test to verify measurement of certificate imported into a keyring

[Mimi Zohar]

On Fri, 2020-08-28 at 00:54 +0200, Petr Vorel wrote:
> Hi Mimi,
> 
> ...
> > > > > Instead of using TST_DATAROOT, which is defined as
> > > > > "$LTPROOT/datafiles", use LTPROOT directly to define the path to the
> > > > > cert.  Adding the following will allow the test to run from the build
> > > > > directory.
> > > > >       if [ ! -f $cert_file ]; then
> > > > >               cert_file="$LTPROOT/../datafiles/ima_keys/x509_ima.der"
> > > > >       fi
> > > > Yes, this will work if you set LTPROOT to <ltp git>/testcases/kernel/security/integrity/ima/tests/:
> > When running any of the tests from build tree test directory -
> > ltp/testcases/kernel/security/integrity/ima/tests, supplying LTPROOT
> > isn't necessary. "IMA: Refactor datafiles directory" broke running the
> > other tests directly from the build tree as well.
> Correct, I overlooked $LTPROOT does not have to be set.
> You're right, there is export LTPROOT="$PWD" in tst_test.sh.
> 
> The only broken tests are ima_policy.sh and ima_keys.sh. I fixed that workaround
> in the commit "IMA: Refactor datafiles directory":
> 
> +++ testcases/kernel/security/integrity/ima/tests/ima_setup.sh
> @@ -160,6 +160,11 @@ ima_setup()
>  	BINARY_MEASUREMENTS="$IMA_DIR/binary_runtime_measurements"
>  	IMA_POLICY="$IMA_DIR/policy"
>  
> +	# hack when running tests locally from tests directory
> +	if [ ! -d "$TST_DATAROOT" ]; then
> +		TST_DATAROOT="$LTPROOT/../datafiles/$TST_ID/"
> +	fi
> +

Thanks, Petr.  This works properly.  To remove the "hack", would
require running the test from "ima", not "ima/tests", but that would
require fixing how ima_setup.sh is called.   It also would still
require setting TST_DATAROOT to TST_DATAROOT/$TST_ID.

Mimi

>  	print_ima_config
>  
>  	if [ "$TST_NEEDS_DEVICE" = 1 ]; then
> ---
> 
> Again, pushed to:
> https://github.com/pevik/ltp/tree/Lachlan_Sneff/ima_keys.sh-second-test.v4.fixes
> 
> Kind regards,
> Petr