[LTP] [PATCH] security/ima: limit the scope of the LTP policy rules based on the UUID

Petr Vorel pvorel@suse.cz
Wed Oct 12 16:39:53 CEST 2022


Hi Mimi,

> Hi Petr,

> On Wed, 2022-10-12 at 13:54 +0200, Petr Vorel wrote:

> > For some reason ima_violations.sh works, when run as the first test after boot
> > (at least with only "ima_policy=tcb" setup), but not when whole ima runtest file
> > is run (as there are tests run before it).  I'm still trying to figure out
> > what's wrong.

> Sounds like initially the tests are run with the builtin "tcb" policy. 
Yes, since LTP does not support reboot and the IMA test ima_measurements.sh requires
ima_policy=tcb, I configured the VM to run all tests with ima_policy=tcb.

> Loading any IMA policy rules replaces the existing builtin policy with
> the new custom policy.

Yes, done in ima_policy.sh, which is the second test (valid policy: measure.policy).
Thus only ima_measurements.sh and ima_policy.sh are run with ima_policy=tcb.
I haven't had time to look into ascii_runtime_measurements, but this changed
with fsuuid= (previously it was working, now it fails in ima_violations.sh).
I'll have a look soon (I'm wasting your time if I ask before proper debugging).

As I wrote before, it'd be great if 1) running the whole runtest/ima worked (either
TPASS, or TCONF detecting that something is missing in the kernel or in the kernel
params, ...) and 2) running any single test also gave TPASS or TCONF.

Testers could then run the tests with a different setup (builtin policies, custom
policies, ...).

Kind regards,
Petr
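As an added example (not LTP code and not part of this thread), here is a small POSIX shell check of the kind a test such as ima_measurements.sh could run up front: it reads the ima_policy= boot parameter and the rule set currently visible in securityfs, and reports TCONF instead of failing when a custom policy has replaced the builtin tcb policy, which is what happens once ima_policy.sh has loaded its rules. Custom rules are recognized by fsuuid=, which the builtin policies never use. The command line, the two rule dumps, the placeholder UUID and the function names are all constructed for this example.

```shell
#!/bin/sh
# Added example, not LTP code: decide whether a test that needs the builtin
# "tcb" IMA policy can run, from the kernel command line and the rule set
# currently visible in securityfs.  All inputs below are constructed samples.

# Constructed /proc/cmdline, as used for the VM described in the thread.
SAMPLE_CMDLINE='BOOT_IMAGE=/boot/vmlinuz root=/dev/vda2 ima_policy=tcb quiet'

# Constructed, abbreviated dump of the builtin tcb rules (no fsuuid= anywhere).
SAMPLE_TCB_RULES='dont_measure fsmagic=0x9fa0
dont_measure fsmagic=0x62656572
measure func=MMAP_CHECK mask=MAY_EXEC
measure func=BPRM_CHECK mask=MAY_EXEC
measure func=FILE_CHECK mask=^MAY_READ euid=0
measure func=FILE_CHECK mask=^MAY_READ uid=0
measure func=MODULE_CHECK'

# Constructed dump after a custom LTP policy scoped by UUID replaced it.
# The UUID is a placeholder, not a real filesystem.
SAMPLE_CUSTOM_RULES='dont_measure fsmagic=0x9fa0
measure func=BPRM_CHECK mask=MAY_EXEC fsuuid=11111111-2222-3333-4444-555555555555
measure func=FILE_CHECK mask=^MAY_READ uid=0 fsuuid=11111111-2222-3333-4444-555555555555'

# Print the value(s) of ima_policy= from a kernel command line, empty if unset.
# The kernel accepts the option more than once; this function joins repeated
# values with "|" (its own convention, not kernel syntax) for easy matching.
ima_policy_param() {
	out=""
	for word in $1; do
		case $word in
		ima_policy=*)
			val=${word#ima_policy=}
			out=${out:+$out|}$val
			;;
		esac
	done
	printf '%s\n' "$out"
}

# Return 0 if any rule in the dump carries fsuuid=.  The builtin policies
# (tcb, appraise_tcb, secure_boot, ...) never use fsuuid, so its presence
# means a custom policy has replaced them.
ima_rules_have_fsuuid() {
	printf '%s\n' "$1" | grep -q '[[:space:]]fsuuid='
}

# Print "run" when the builtin tcb policy is still active, otherwise a
# TCONF reason.  Exit status: 0 = run, 32 = TCONF (LTP's exit code for it).
ima_check_tcb() {
	cmdline=$1
	rules=$2
	case "|$(ima_policy_param "$cmdline")|" in
	*'|tcb|'*) ;;
	*)
		printf '%s\n' 'TCONF: kernel not booted with ima_policy=tcb'
		return 32
		;;
	esac
	if ima_rules_have_fsuuid "$rules"; then
		printf '%s\n' 'TCONF: custom policy with fsuuid= rules replaced the builtin tcb policy'
		return 32
	fi
	printf '%s\n' run
	return 0
}

# Stand-alone run on the samples.  On a real machine pass "$(cat /proc/cmdline)"
# and "$(cat /sys/kernel/security/ima/policy)"; reading the policy back needs
# CONFIG_IMA_READ_POLICY=y.
for rules in "$SAMPLE_TCB_RULES" "$SAMPLE_CUSTOM_RULES"; do
	ima_check_tcb "$SAMPLE_CMDLINE" "$rules" || :
done
```

The check is deliberately conservative: it only recognizes the LTP-style custom policy by its fsuuid= rules, so a custom policy without such rules would still look like the builtin one, and it says nothing about whether ascii_runtime_measurements contains what the test expects.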

