[LTP] [COMMITTED] Revert "ima_policy.sh: Optimize check for policy writable"

Petr Vorel pvorel@suse.cz
Thu Sep 18 12:26:46 CEST 2025


This reverts commit 31bb2bbdd3ecfe4b4557d3678f80fe61ace340d0.

c38b528783 demonstrated a bug introuduced by 31bb2bbdd3 on SUT on kernel
without CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY.

on tmpfs TMPDIR fails on umount:
...
ima_policy 2 TCONF: IMA policy already loaded and kernel not configured to enable multiple writes to it (need CONFIG_IMA_WRITE_POLICY=y)
ima_policy 2 TCONF: IMA policy already loaded and kernel not configured to enable multiple writes to it (need CONFIG_IMA_WRITE_POLICY=y)
umount: /tmp/LTP_ima_policy.23MpPS2XWr/mntpoint: target is busy.
ima_policy 2 TINFO: umount(/tmp/LTP_ima_policy.23MpPS2XWr/mntpoint) failed, try 1 ...
ima_policy 2 TINFO: Likely gvfsd-trash is probing newly mounted  fs, kill it to speed up tests.

on non-tmpfs TMPDIR (fails to remove temporary directory):
...
ima_policy 2 ima_policy 2 TCONF: IMA policy already loaded and kernel not configured to enable multiple writes to it (need CONFIG_IMA_WRITE_POLICY=y)
TCONF: IMA policy already loaded and kernel not configured to enable multiple writes to it (need CONFIG_IMA_WRITE_POLICY=y)
rm: cannot remove '/var/tmp/LTP_ima_policy.bujyrIYMGz': No such file or directory

Both errors are caused by load_policy() calling require_policy_writable(),
which calls tst_brk(). load_policy() spawns a new process, therefore it
should not call tst_brk() (or otherwise exit a test) because ima_cleanup()
is then called twice (which causes the above problems).

Reported-by: Avinesh Kumar <akumar@suse.de>
Reported-by: Petr Cervinka <pcervinka@suse.com>
Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
 .../kernel/security/integrity/ima/tests/ima_policy.sh  | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/testcases/kernel/security/integrity/ima/tests/ima_policy.sh b/testcases/kernel/security/integrity/ima/tests/ima_policy.sh
index 490c8b6c2e..d66f261a81 100755
--- a/testcases/kernel/security/integrity/ima/tests/ima_policy.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_policy.sh
@@ -1,7 +1,7 @@
 #!/bin/sh
 # SPDX-License-Identifier: GPL-2.0-or-later
 # Copyright (c) 2009 IBM Corporation
-# Copyright (c) 2018-2025 Petr Vorel <pvorel@suse.cz>
+# Copyright (c) 2018-2020 Petr Vorel <pvorel@suse.cz>
 # Author: Mimi Zohar <zohar@linux.ibm.com>
 #
 # Test replacing the default integrity measurement policy.
@@ -11,6 +11,8 @@ TST_CNT=2
 
 setup()
 {
+	require_policy_writable
+
 	VALID_POLICY="$TST_DATAROOT/measure.policy"
 	[ -f $VALID_POLICY ] || tst_brk TCONF "missing $VALID_POLICY"
 
@@ -18,11 +20,13 @@ setup()
 	[ -f $INVALID_POLICY ] || tst_brk TCONF "missing $INVALID_POLICY"
 }
 
+# NOTE: function spaws a new process, therefore it should not call tst_brk()
+# (or otherwise exit a test), because that calls ima_cleanup() twice (which
+# breaks umount on TMPDIR or removing TMPDIR).
 load_policy()
 {
 	local ret
 
-	require_policy_writable
 	exec 2>/dev/null 4>$IMA_POLICY
 	[ $? -eq 0 ] || exit 1
 
@@ -42,6 +46,7 @@ test1()
 
 	local p1
 
+	require_policy_writable
 	load_policy $INVALID_POLICY & p1=$!
 	wait "$p1"
 	if [ $? -ne 0 ]; then
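Review bot: `require_policy_writable` is now called in setup() and again at the start of test1() and test2(), and nothing in the hunk says why the repeat is needed. The TCONF text quoted in the commit message ("IMA policy already loaded ... need CONFIG_IMA_WRITE_POLICY=y") suggests the policy can become read-only once test1 has loaded one, so the per-test check is presumably deliberate; a one-line comment would keep a later cleanup from removing it, e.g. `# re-check: policy may be read-only after the first load (CONFIG_IMA_WRITE_POLICY)`. The same applies to the test2() hunk below. test1()'s body starts before and continues after this hunk.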
@@ -57,6 +62,7 @@ test2()
 
 	local p1 p2 rc1 rc2
 
+	require_policy_writable
 	load_policy $VALID_POLICY & p1=$!
 	load_policy $VALID_POLICY & p2=$!
 	wait "$p1"; rc1=$?
-- 
2.51.0


