[LTP] [PATCH v3 00/10] LTP tests: load predefined policy, enhancements
Petr Vorel
pvorel@suse.cz
Tue Jan 14 12:29:05 CET 2025

Changes v2->v3:
* Rewrite verifying logic if policy needs to be loaded and how it is
  loaded.
* Allow testing when policy is not reliable, but relax failures to TCONF.
* Add TCB policy example.
* Document LTP_IMA_LOAD_POLICY in doc/users/setup_tests.rst.
* Fix test policy installation (previously wrong Makefile).
* Removed some of the previous commits ("ima_kexec.sh: Relax result on
  unreadable policy to TCONF", "ima_violations.sh: Check for a required policy",
  "ima_setup: Print warning when policy not readable").
* More cleanup.

TODO: ima_measurements.sh and ima_violations.sh use detection for
ima_policy=tcb builtin policy. But if example policy is loaded there is
no longer tcb policy. Not sure how to fix it - some tooling might not
support reboot, thus I wanted to use ima_policy=tcb, which previously
worked.

Petr Vorel (10):
  ima_violations.sh: Fix log detection
  IMA: Add TCB policy as an example for ima_measurements.sh
  IMA: Move requirement check to ima_setup.sh
  IMA: Add example policy for ima_violations.sh
  IMA: Read required policy from file
  ima_violations.sh: Declare tcb builtin policy
  ima_setup.sh: Add digest index detection for ima-buf format
  ima_setup.sh: Allow to load predefined policy
  ima_measurements.sh: Check policy for test3
  tst_test.sh: IMA: Allow to disable LSM warnings and use it for IMA

doc/users/setup_tests.rst | 3 +
.../kernel/security/integrity/ima/README.md | 12 ++
.../security/integrity/ima/datafiles/Makefile | 4 +-
.../ima/datafiles/ima_measurements/Makefile | 11 ++
.../ima/datafiles/ima_measurements/tcb.policy | 20 +++
.../ima/datafiles/ima_violations/Makefile | 11 ++
.../ima_violations/violations.policy | 2 +
.../integrity/ima/tests/evm_overlay.sh | 3 +-
.../security/integrity/ima/tests/ima_kexec.sh | 20 +--
.../security/integrity/ima/tests/ima_keys.sh | 48 ++-----
.../integrity/ima/tests/ima_measurements.sh | 19 ++-
.../integrity/ima/tests/ima_selinux.sh | 23 ++-
.../security/integrity/ima/tests/ima_setup.sh | 135 +++++++++++++++---
.../integrity/ima/tests/ima_violations.sh | 15 +-
testcases/lib/tst_test.sh | 4 +-
15 files changed, 235 insertions(+), 95 deletions(-)
create mode 100644 testcases/kernel/security/integrity/ima/datafiles/ima_measurements/Makefile
create mode 100644 testcases/kernel/security/integrity/ima/datafiles/ima_measurements/tcb.policy
create mode 100644 testcases/kernel/security/integrity/ima/datafiles/ima_violations/Makefile
create mode 100644 testcases/kernel/security/integrity/ima/datafiles/ima_violations/violations.policy
--
2.47.1