[LTP] [PATCH] security/ima: limit the scope of the LTP policy rules based on the UUID
Mimi Zohar
zohar@linux.ibm.com
Thu Oct 6 18:43:42 CEST 2022
The LTP policy rules either replace or extend the global IMA policy. As a
result, the ordering of the LTP IMA tests is important and affects the
ability to re-run the tests. For example, ima_conditionals.sh
defines a rule to measure user files, while ima_measurements.sh verifies
not measuring user files. Not limiting the LTP IMA policy scope could
also affect the running system.
To allow the LTP tests to be re-run without rebooting the system, limit the
scope of the LTP policy rules to the loopback mounted filesystem based on
the UUID.
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
---
.../security/integrity/ima/tests/ima_conditionals.sh | 2 +-
.../kernel/security/integrity/ima/tests/ima_policy.sh | 7 ++++++-
testcases/kernel/security/integrity/ima/tests/ima_setup.sh | 4 ++++
3 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_conditionals.sh b/testcases/kernel/security/integrity/ima/tests/ima_conditionals.sh
index 0d50db906..d5c5f3ebe 100755
--- a/testcases/kernel/security/integrity/ima/tests/ima_conditionals.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_conditionals.sh
@@ -28,7 +28,7 @@ verify_measurement()
ROD rm -f $test_file
tst_res TINFO "verify measuring user files when requested via $request"
- ROD echo "measure $request=$value" \> $IMA_POLICY
+ ROD echo "measure $FSUUID $request=$value" \> $IMA_POLICY
ROD echo "$(cat /proc/uptime) $request test" \> $test_file
case "$request" in
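Review bot: the changed `ROD echo "measure $FSUUID $request=$value"` line interpolates `$FSUUID` unconditionally, whereas the ima_policy.sh change guards on `[ -n "$FSUUID" ]`. When `TST_MOUNT_DEVICE` is not 1, `FSUUID` is never set in ima_setup(), so this still writes an unscoped `measure $request=$value` rule into the global policy, which is exactly the cross-test interference and host impact the commit message sets out to avoid. Consider either making the test require the loop device (so `FSUUID` is always populated) or failing with `tst_brk TCONF` when `FSUUID` is empty, rather than silently falling back to a system-wide rule.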
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_policy.sh b/testcases/kernel/security/integrity/ima/tests/ima_policy.sh
index af1fb0028..95e7331a4 100755
--- a/testcases/kernel/security/integrity/ima/tests/ima_policy.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_policy.sh
@@ -27,7 +27,12 @@ load_policy()
exec 2>/dev/null 4>$IMA_POLICY
[ $? -eq 0 ] || exit 1
- cat $1 >&4 2> /dev/null
+ if [ -n "$FSUUID" ]; then
+ sed "s/measure /measure $FSUUID /" $1 >&4 2> /dev/null
+ else
+ cat $1 >&4 2> /dev/null
+ fi
+
ret=$?
exec 4>&-
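Review bot: the `sed "s/measure /measure $FSUUID /"` substitution only scopes rules whose action token is `measure` (and, as a side effect of the unanchored pattern, `dont_measure`); any `appraise`, `dont_appraise`, `audit` or `hash` rules in the policy file passed as `$1` are still loaded without the `fsuuid=` condition and keep their system-wide effect. If the LTP policy files contain such rules, the pattern should cover every action keyword, e.g. `sed -E "s/^(dont_)?(measure|appraise|audit|hash) /&$FSUUID /"`, or the scoping should be documented as measure-only. Also note that the guard is `-n "$FSUUID"`, so a value of just `fsuuid=` (see the ima_setup.sh hunk) passes the check and is written into the rule.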
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
index df3fc5603..016a68cb2 100644
--- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
@@ -178,6 +178,10 @@ ima_setup()
if [ "$TST_MOUNT_DEVICE" = 1 ]; then
tst_res TINFO "\$TMPDIR is on tmpfs => run on loop device"
cd "$TST_MNTPOINT"
+
+ loopdev=$(mount | grep $TST_MNTPOINT | cut -f1 -d' ')
+ FSUUID="fsuuid=$(blkid | grep $loopdev | cut -f2 -d'"')"
+ tst_res TINFO "LTP IMA policy rules based on $FSUUID"
fi
[ -n "$TST_SETUP_CALLER" ] && $TST_SETUP_CALLER
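Review bot: both pipelines in the new block are fragile. `mount | grep $TST_MNTPOINT` is an unanchored substring match, so a mountpoint that is a prefix of another (or a path that appears elsewhere in the mount line) yields several lines and `loopdev` becomes a multi-word string; `blkid | grep $loopdev | cut -f2 -d'"'` then assumes the UUID is the first quoted field in the blkid line, but blkid prints `LABEL="..."` first on labelled filesystems, and on any failure the result is the non-empty string `fsuuid=`, which the `[ -n "$FSUUID" ]` check in load_policy() accepts and turns into a rule with an empty fsuuid. Prefer the purpose-built queries, e.g. `loopdev=$(findmnt -no SOURCE "$TST_MNTPOINT")` and `uuid=$(blkid -s UUID -o value "$loopdev")`, and set `FSUUID` only when `$uuid` is non-empty, otherwise emit a `tst_res TWARN`/`tst_brk` so the scoping failure is visible instead of producing an invalid policy line. `FSUUID` is also assigned without being declared or exported anywhere in the setup file; a short comment stating that it is deliberately a global consumed by ima_policy.sh and ima_conditionals.sh would help future readers.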
--
2.31.1