[LTP] [PATCH v3 05/10] IMA: Read required policy from file
Petr Vorel
pvorel@suse.cz
Tue Feb 4 12:17:48 CET 2025
Hi Mimi,
...
> > +++ b/testcases/kernel/security/integrity/ima/tests/ima_selinux.sh
> > @@ -1,6 +1,7 @@
> > #!/bin/sh
> > # SPDX-License-Identifier: GPL-2.0-or-later
> > # Copyright (c) 2021 Microsoft Corporation
> > +# Copyright (c) Linux Test Project, 2021-2025
> > # Author: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
> > #
> > # Verify measurement of SELinux policy hash and state.
> > @@ -14,15 +15,12 @@ TST_CNT=2
> > TST_SETUP="setup"
> > TST_MIN_KVER="5.12"
> >
> > -FUNC_CRITICAL_DATA='func=CRITICAL_DATA'
> > -REQUIRED_POLICY="^measure.*$FUNC_CRITICAL_DATA"
> > +REQUIRED_POLICY_CONTENT='selinux.policy'
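Review bot: the new REQUIRED_POLICY_CONTENT='selinux.policy' line carries no comment saying which rule the file must contain or where the file is looked up, whereas the removed REQUIRED_POLICY="^measure.*$FUNC_CRITICAL_DATA" documented itself. That removed pattern accepted any measure rule with func=CRITICAL_DATA, so add a one-line comment naming the expected rule and confirm that a policy matching the old pattern still lets the test run.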
> The selinux.policy contains a specific critical data measurement rule:
> measure func=CRITICAL_DATA label=selinux. However the test would work with the
> generic policy rule "measure func=CRITICAL_DATA", which can be specified on the
> boot command line via "ima_policy=critical_data".
> As long as being able to read the IMA policy is required, in addition to checking
> whether the specific critical data rule exists, check whether the generic rule exists
> before loading the specific one.
> Perhaps all that is needed is defining REQUIRED_BUILTIN_POLICY like:
> REQUIRED_BUILTIN_POLICY="critical_data"
Thanks for the hint, I'll retest ima_policy=critical_data and add it as an
alternative (as a separate patch). In the meantime I (hopefully) fixed all
mistakes in the commit messages and merged. Thanks a lot for your patient
review!
...
Kind regards,
Petr
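
The check suggested in the quoted review (look for the generic CRITICAL_DATA rule before loading the label-specific one) can be sketched as below. This is an added example, not part of the original message or of the LTP code. The function names are hypothetical, and the policy is passed as a file so the constructed samples run without a real IMA policy.

```shell
#!/bin/sh
# Report how a policy covers critical data with a given label:
#   generic  - a measure func=CRITICAL_DATA rule without label= exists
#   specific - only a rule with label=<LABEL> exists
#   missing  - no measure rule covers that label
critical_data_coverage()
{
	policy_file="$1" want_label="$2" result="missing"

	while read -r action rest; do
		# Skips comments, blank lines and dont_measure rules.
		[ "$action" = "measure" ] || continue
		is_cd=0 label=""
		for tok in $rest; do
			case "$tok" in
			func=CRITICAL_DATA) is_cd=1 ;;
			label=*) label="${tok#label=}" ;;
			esac
		done
		[ "$is_cd" -eq 1 ] || continue
		if [ -z "$label" ]; then
			result="generic"; break
		elif [ "$label" = "$want_label" ]; then
			result="specific"
		fi
	done < "$policy_file"
	echo "$result"
}

# Hypothetical helper: true when the test must load its own rule file.
needs_policy_load()
{
	[ "$(critical_data_coverage "$1" "$2")" = "missing" ]
}

# Constructed sample policies, not read from a real system.
tmp=$(mktemp -d)
printf '%s\n' '# builtin' 'dont_measure fsmagic=0x9fa0' \
	'measure func=CRITICAL_DATA' > "$tmp/builtin"
printf '%s\n' 'measure func=CRITICAL_DATA label=selinux' > "$tmp/specific"
printf '%s\n' 'measure func=KEXEC_CMDLINE' \
	'measure func=CRITICAL_DATA label=kernel_info' > "$tmp/other"
for p in builtin specific other; do
	echo "$p: $(critical_data_coverage "$tmp/$p" selinux)"
done
```

A rule that names a different label (the third sample) does not count as coverage, so only that case reports that a policy load is still needed.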