[LTP] [PATCH v2 6/8] IMA: Add example policy for ima_violations.sh
Petr Vorel
pvorel@suse.cz
Tue Dec 31 11:40:39 CET 2024
> Hi Petr,
> On Fri, 2024-12-13 at 23:20 +0100, Petr Vorel wrote:
> > Suggested-by: Mimi Zohar <zohar@linux.ibm.com>
> > Signed-off-by: Petr Vorel <pvorel@suse.cz>
> > ---
> > .../integrity/ima/datafiles/ima_violations/violations.policy | 1 +
> > 1 file changed, 1 insertion(+)
> > create mode 100644 testcases/kernel/security/integrity/ima/datafiles/ima_violations/violations.policy
> > diff --git a/testcases/kernel/security/integrity/ima/datafiles/ima_violations/violations.policy b/testcases/kernel/security/integrity/ima/datafiles/ima_violations/violations.policy
> > new file mode 100644
> > index 0000000000..5734c7617f
> > --- /dev/null
> > +++ b/testcases/kernel/security/integrity/ima/datafiles/ima_violations/violations.policy
> > @@ -0,0 +1 @@
> > +func=FILE_CHECK
> "[PATCH v2 1/8] IMA: Add TCB policy as an example for ima_measurements.sh"
> contains two rules to measure files opened by root on file open.
> measure func=FILE_CHECK mask=^MAY_READ euid=0
> measure func=FILE_CHECK mask=^MAY_READ uid=0
My bad of course "func=FILE_CHECK" is not enough. Thanks for providing a correct
example policy (required part of 'tcb' policy).
> If the 'tcb' or equivalent policy is loaded, there is no need to load another
> policy rule.
Yes, I'll fix the next commit to avoid loading example policy when
ima_policy=tcb.
Kind regards,
Petr
> Thanks,
> Mimi
More information about the ltp
mailing list