[LTP] [PATCH] security/ima: limit the scope of the LTP policy rules based on the UUID

Mimi Zohar zohar@linux.ibm.com
Thu Oct 6 18:43:42 CEST 2022


The LTP policy rules either replace or extend the global IMA policy. As a
result, the ordering of the LTP IMA tests is important and affects the
ability to re-run the tests.  For example, ima_conditionals.sh
defines a rule to measure user files, while ima_measurements.sh verifies
not measuring user files.  Not limiting the LTP IMA policy scope could
also affect the running system.

To allow the LTP tests to be re-run without rebooting the system, limit the
scope of the LTP policy rules to the loopback mounted filesystem based on
the UUID.

Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
---
 .../security/integrity/ima/tests/ima_conditionals.sh       | 2 +-
 .../kernel/security/integrity/ima/tests/ima_policy.sh      | 7 ++++++-
 testcases/kernel/security/integrity/ima/tests/ima_setup.sh | 4 ++++
 3 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/testcases/kernel/security/integrity/ima/tests/ima_conditionals.sh b/testcases/kernel/security/integrity/ima/tests/ima_conditionals.sh
index 0d50db906..d5c5f3ebe 100755
--- a/testcases/kernel/security/integrity/ima/tests/ima_conditionals.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_conditionals.sh
@@ -28,7 +28,7 @@ verify_measurement()
 	ROD rm -f $test_file
 
 	tst_res TINFO "verify measuring user files when requested via $request"
-	ROD echo "measure $request=$value" \> $IMA_POLICY
+	ROD echo "measure $FSUUID $request=$value" \> $IMA_POLICY
 	ROD echo "$(cat /proc/uptime) $request test" \> $test_file
 
 	case "$request" in
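Review bot: this line does not guard on $FSUUID being set, unlike load_policy() in ima_policy.sh in the same patch; when the test runs directly on $TMPDIR (TST_MOUNT_DEVICE is not 1) FSUUID is empty and the rule written is `measure  uid=...`, which the kernel still accepts but which applies to every filesystem, exactly the system-wide effect the commit message says it wants to avoid. Either derive FSUUID unconditionally in ima_setup() from the filesystem backing $TMPDIR, or emit a TINFO/TCONF here when the scope cannot be limited, so the two callers behave consistently.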
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_policy.sh b/testcases/kernel/security/integrity/ima/tests/ima_policy.sh
index af1fb0028..95e7331a4 100755
--- a/testcases/kernel/security/integrity/ima/tests/ima_policy.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_policy.sh
@@ -27,7 +27,12 @@ load_policy()
 	exec 2>/dev/null 4>$IMA_POLICY
 	[ $? -eq 0 ] || exit 1
 
-	cat $1 >&4 2> /dev/null
+	if [ -n "$FSUUID" ]; then
+		sed "s/measure /measure $FSUUID /" $1 >&4 2> /dev/null
+	else
+		cat $1 >&4 2> /dev/null
+	fi
+
 	ret=$?
 	exec 4>&-
 
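Review bot: the sed expression `s/measure /measure $FSUUID /` is unanchored and keys only on `measure `, so `appraise`, `audit` and `hash` rules in the policy files stay unscoped, while `dont_measure ` lines are rewritten only because they happen to contain `measure `. Anchor the pattern and cover every action, e.g. `sed -E "s/^(dont_)?(measure|appraise|audit|hash) /& $FSUUID /" $1 >&4 2> /dev/null`, or state in the commit message that only measurement rules are scoped. The `ret=$?` after the if/else still reflects the sed or cat status, so the error handling itself is unchanged.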
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
index df3fc5603..016a68cb2 100644
--- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
@@ -178,6 +178,10 @@ ima_setup()
 	if [ "$TST_MOUNT_DEVICE" = 1 ]; then
 		tst_res TINFO "\$TMPDIR is on tmpfs => run on loop device"
 		cd "$TST_MNTPOINT"
+
+		loopdev=$(mount | grep $TST_MNTPOINT | cut -f1 -d' ')
+		FSUUID="fsuuid=$(blkid | grep $loopdev | cut -f2 -d'"')"
+		tst_res TINFO "LTP IMA policy rules based on $FSUUID"
 	fi
 
 	[ -n "$TST_SETUP_CALLER" ] && $TST_SETUP_CALLER
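Review bot: both grep calls are substring matches on unquoted variables, so `grep $TST_MNTPOINT` can match a parent or sibling mount point (`/mnt` also matches `/mnt2`) and `grep $loopdev` matches `/dev/loop1` against `/dev/loop10`, leaving loopdev or FSUUID with several values; `cut -f2 -d'"'` additionally assumes UUID is the first quoted field of the blkid line, which is not the case when a LABEL is printed first. Use exact lookups instead, `loopdev=$(findmnt -no SOURCE "$TST_MNTPOINT")` and `FSUUID="fsuuid=$(blkid -s UUID -o value "$loopdev")"`, and `tst_brk TBROK` when the UUID comes back empty, since an empty FSUUID silently turns the rules back into global ones.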
-- 
2.31.1
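The commit message describes scoping the LTP policy rules to one filesystem by its UUID. The shell below is an added example, not code from this patch or from LTP: `ima_fsuuid` resolves the "fsuuid=" token for a mount point with findmnt and blkid (exact lookups, so /dev/loop1 cannot match /dev/loop10), and `ima_scope_rules` rewrites a policy file read on stdin so that every action keyword (measure, dont_measure, appraise, dont_appraise, audit, hash, dont_hash) carries that condition, while comments, blank lines and rules that already have an fsuuid= condition pass through unchanged. The function names, the sample policy and the UUID are assumptions for the example.

```shell
#!/bin/sh
# Added example (not part of the LTP patch): scope IMA policy rules to one
# filesystem by UUID.

# ima_fsuuid MOUNTPOINT
# Print "fsuuid=<UUID>" for the filesystem mounted at MOUNTPOINT, or fail
# without output. findmnt/blkid are queried by exact device rather than by
# grepping `mount` output, so a prefix of another device or mount point
# cannot match.
ima_fsuuid() {
	mnt=$1
	dev=$(findmnt -no SOURCE "$mnt") || return 1
	uuid=$(blkid -s UUID -o value "$dev") || return 1
	[ -n "$uuid" ] || return 1
	printf 'fsuuid=%s\n' "$uuid"
}

# ima_scope_rules FSUUID_TOKEN
# Read policy rules on stdin and write them on stdout with FSUUID_TOKEN
# (e.g. "fsuuid=0123...") inserted right after the action keyword. The
# keyword is matched only at the start of the line, every action is
# covered (not just "measure"), and lines that are blank, comments, or
# already carry an fsuuid= condition are passed through unchanged.
ima_scope_rules() {
	scope=$1
	awk -v scope="$scope" '
		/^[ \t]*#/ || /^[ \t]*$/ { print; next }   # comment or blank line
		/(^|[ \t])fsuuid=/ { print; next }         # already scoped: keep
		$1 ~ /^(dont_)?(measure|appraise|audit|hash)$/ {
			# "&" in sub() stands for the matched action keyword
			sub(/^[ \t]*[a-z_]+/, "&" " " scope)
			print; next
		}
		{ print }                                  # unknown line: untouched
	'
}

# Constructed sample policy (not from the LTP tree) and a made-up UUID.
SAMPLE_POLICY='measure func=FILE_CHECK mask=MAY_READ uid=0
# measurement of kernel modules is left to the global policy
appraise func=BPRM_CHECK
dont_measure fsmagic=0x9fa0
measure fsuuid=deadbeef-0000-0000-0000-000000000000 func=FILE_CHECK'
SAMPLE_UUID='fsuuid=01234567-89ab-cdef-0123-456789abcdef'

# Run stand-alone: print the scoped policy for the sample above.
printf '%s\n' "$SAMPLE_POLICY" | ima_scope_rules "$SAMPLE_UUID"
```

The rewrite belongs in load_policy(), between reading the policy file and writing it to $IMA_POLICY; writing rules that lack the fsuuid condition is what makes the LTP policy leak onto the running system.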