[LTP] [PATCH 2/2] ima_{conditionals, policy}: Handle policy required to be signed
Petr Vorel
pvorel@suse.cz
Fri Sep 12 09:32:09 CEST 2025
Since kernel 6.6 the policy needs to be signed when UEFI secure boot is enabled.
Skip the tests in that case.
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=56dc986a6b20b
This fixes errors:
ima_policy 2 TINFO: verify that policy file is not opened concurrently and able to loaded multiple times
ima_policy 2 TFAIL: problem loading or extending policy (may require policy to be signed)
https://openqa.suse.de/tests/18723792#step/ima_conditionals/6
ima_conditionals 1 TINFO: verify measuring user files when requested via uid
echo: write error: Permission denied
ima_conditionals 1 TBROK: echo measure uid=65534 > /sys/kernel/security/ima/policy failed
Ideally there would be test which check that unsigned policy cannot be
written.
Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
.../security/integrity/ima/tests/ima_conditionals.sh | 11 ++++++++++-
.../kernel/security/integrity/ima/tests/ima_policy.sh | 5 ++++-
.../kernel/security/integrity/ima/tests/ima_setup.sh | 7 +++++++
3 files changed, 21 insertions(+), 2 deletions(-)
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_conditionals.sh b/testcases/kernel/security/integrity/ima/tests/ima_conditionals.sh
index b59f330cac..9125616890 100755
--- a/testcases/kernel/security/integrity/ima/tests/ima_conditionals.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_conditionals.sh
@@ -1,7 +1,7 @@
#!/bin/sh
# SPDX-License-Identifier: GPL-2.0-or-later
# Copyright (c) 2021 VPI Engineering
-# Copyright (c) 2021 Petr Vorel <pvorel@suse.cz>
+# Copyright (c) 2021-2025 Petr Vorel <pvorel@suse.cz>
# Author: Alex Henrie <alexh@vpitech.com>
#
# Verify that conditional rules work.
@@ -10,8 +10,16 @@
# support") from v5.16.
TST_NEEDS_CMDS="cat chgrp chown id sg sudo"
+TST_SETUP="setup"
TST_CNT=1
+setup()
+{
+ if check_need_signed_policy; then
+ tst_brk TCONF "policy have to be signed"
+ fi
+}
+
verify_measurement()
{
local request="$1"
@@ -22,6 +30,7 @@ verify_measurement()
local value="$(id -u $user)"
[ "$request" = 'gid' -o "$request" = 'fgroup' ] && value="$(id -g $user)"
+ # needs to be checked each run (not in setup)
require_policy_writable
ROD rm -f $test_file
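Review bot: The new setup() reports `tst_brk TCONF "policy have to be signed"`, which reads awkwardly in the test log; `tst_brk TCONF "IMA policy has to be signed on this kernel"` (or similar) would be clearer, and the same string is added in the new elif branch of ima_policy.sh test2. The added comment `# needs to be checked each run (not in setup)` above require_policy_writable would be more useful if it said why, presumably because writability can change between iterations — confirm and extend it, e.g. `# policy writability can change between runs, so check here rather than in setup()`. verify_measurement's body continues outside this hunk.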
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_policy.sh b/testcases/kernel/security/integrity/ima/tests/ima_policy.sh
index 1c4763d838..490c8b6c2e 100755
--- a/testcases/kernel/security/integrity/ima/tests/ima_policy.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_policy.sh
@@ -61,12 +61,15 @@ test2()
load_policy $VALID_POLICY & p2=$!
wait "$p1"; rc1=$?
wait "$p2"; rc2=$?
+
if [ $rc1 -eq 0 ] && [ $rc2 -eq 0 ]; then
tst_res TFAIL "policy opened concurrently"
elif [ $rc1 -eq 0 ] || [ $rc2 -eq 0 ]; then
tst_res TPASS "policy was loaded just by one process and able to loaded multiple times"
+ elif check_need_signed_policy; then
+ tst_res TCONF "policy have to be signed"
else
- tst_res TFAIL "problem loading or extending policy (may require policy to be signed)"
+ tst_res TFAIL "problem loading or extending policy"
fi
}
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
index 83fcefb4fc..2a7d651818 100644
--- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
@@ -449,6 +449,13 @@ require_evmctl()
fi
}
+# 56dc986a6b20b ("ima: require signed IMA policy when UEFI secure boot is enabled") # v6.5-rc4
+check_need_signed_policy()
+{
+ tst_secureboot_enabled && tst_kvcmp -ge '6.5' && tst_require_kconfigs \
+ 'CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY'
+}
+
# loop device is needed to use only for tmpfs
TMPDIR="${TMPDIR:-/tmp}"
if tst_supported_fs -d $TMPDIR -s "tmpfs"; then
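Review bot: check_need_signed_policy() is used as a plain predicate in `if`/`elif` by ima_conditionals.sh setup() and ima_policy.sh test2(), but its last step is tst_require_kconfigs, which in the LTP shell library aborts the whole test with tst_brk TCONF when the option is absent instead of returning non-zero; on a kernel >= 6.5 with secure boot enabled but without CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY the tests would be skipped even though an unsigned policy should be loadable there. Unless that abort is intended, the non-aborting form is `tst_secureboot_enabled && tst_kvcmp -ge '6.5' && tst_check_kconfigs 'CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY'`. The version gate `tst_kvcmp -ge '6.5'` and the `# v6.5-rc4` annotation also disagree with the cover text, which says the requirement exists since kernel 6.6; one of them should be corrected so the skipped kernel range matches the kernel that introduced the check. Kernels that backport 56dc986a6b20b without the version bump would still fail the gate and report TFAIL/TBROK, which may be worth mentioning in the comment above the function.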
--
2.51.0