[v3,5/5] ima_violations.sh: require kernel v6.14 for minimizing violations tests

Message ID 20250305145421.638857-5-zohar@linux.ibm.com (mailing list archive)
State New
Series [v3,1/5] ima_violations.sh: force $LOG ToMToU violation earlier

Commit Message

Mimi Zohar March 5, 2025, 2:54 p.m. UTC
Depending on the IMA policy and the number of violations, the kernel
patches for minimizing the number of open-writers and ToMToU (Time of
Measure Time of Use) violations may be a major performance improvement.

Most likely the kernel patches will be back ported, but for now limit
the new tests to new kernels with the applied patches.  Bail after the
first new test.

Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
---
 .../kernel/security/integrity/ima/tests/ima_violations.sh     | 4 ++++
 1 file changed, 4 insertions(+)

Comments

Petr Vorel March 6, 2025, 5:26 p.m. UTC | #1
Hi Mimi,

> Depending on the IMA policy and the number of violations, the kernel
> patches for minimizing the number of open-writers and ToMToU (Time of
> Measure Time of Use) violations may be a major performance improvement.

I would prefer this to be squashed into "ima_violations.sh: additional
open-writer violation tests" commit, which adds this incompatibility.

But it's a minor detail, therefore I merged the whole patchset as is.

Thanks!

Kind regards,
Petr

> Most likely the kernel patches will be back ported, but for now limit
> the new tests to new kernels with the applied patches.  Bail after the
> first new test.

> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
> ---
>  .../kernel/security/integrity/ima/tests/ima_violations.sh     | 4 ++++
>  1 file changed, 4 insertions(+)

> diff --git a/testcases/kernel/security/integrity/ima/tests/ima_violations.sh b/testcases/kernel/security/integrity/ima/tests/ima_violations.sh
> index 0395f8d0a..8e988fca6 100755
> --- a/testcases/kernel/security/integrity/ima/tests/ima_violations.sh
> +++ b/testcases/kernel/security/integrity/ima/tests/ima_violations.sh
> @@ -177,6 +177,10 @@ test4()
>  {
>  	tst_res TINFO "verify limiting single open writer violation"

> +	if tst_kvcmp -lt 6.14; then
> +		tst_brk TCONF "Minimizing violations requires kernel 6.14 or newer"
> +	fi
> +
>  	local search="open_writers"
>  	local count num_violations
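
Review bot: `tst_brk TCONF` in the added check ends the whole script, not only test4, so on kernels older than 6.14 every test that follows test4 is skipped as well. The commit message says this is intended ("Bail after the first new test"), but nothing in the code records it; a one-line comment above the `if` stating that the remaining tests depend on the same kernel change would keep a later reader from changing it to `tst_res TCONF` plus `return`.
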
Mimi Zohar March 6, 2025, 9:02 p.m. UTC | #2
On Thu, 2025-03-06 at 18:26 +0100, Petr Vorel wrote:
> Hi Mimi,
> 
> > Depending on the IMA policy and the number of violations, the kernel
> > patches for minimizing the number of open-writers and ToMToU (Time of
> > Measure Time of Use) violations may be a major performance improvement.
> 
> I would prefer this to be squashed into "ima_violations.sh: additional
> open-writer violation tests" commit, which adds this incompatibility.
> 
> But it's a minor detail, therefore I merged the whole patchset as is.

Thanks, Petr.

Patch

diff --git a/testcases/kernel/security/integrity/ima/tests/ima_violations.sh b/testcases/kernel/security/integrity/ima/tests/ima_violations.sh
index 0395f8d0a..8e988fca6 100755
--- a/testcases/kernel/security/integrity/ima/tests/ima_violations.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_violations.sh
@@ -177,6 +177,10 @@  test4()
 {
 	tst_res TINFO "verify limiting single open writer violation"
 
+	if tst_kvcmp -lt 6.14; then
+		tst_brk TCONF "Minimizing violations requires kernel 6.14 or newer"
+	fi
+
 	local search="open_writers"
 	local count num_violations
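
Review bot: the gate `tst_kvcmp -lt 6.14` keys on the version number alone, so a kernel older than 6.14 that carries the backported patches reports TCONF and the new violation-minimizing tests never run there, a case the commit message itself anticipates ("Most likely the kernel patches will be back ported"). Consider a comment next to the check that names this limitation, so the condition is revisited once backports land.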