Message ID | 20210914161503.97495-1-alexh@vpitech.com (mailing list archive) |
---|---|
State | New, archived |
Series | [ltp,v3,1/2] IMA: Move check_policy_writable to ima_setup.sh and rename it | expand |
Hi Alex, ... > --- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh As it's now a generally used function I'll add a comment: # Because we don't grep kernel config for CONFIG_IMA_WRITE_POLICY, we just try # to write empty string (invalid), thus policy must be repeatedly checked. # Because after first write to policy policy will be removed on systems without # CONFIG_IMA_WRITE_POLICY. > +require_policy_writable() > +{ > + local err="IMA policy already loaded and kernel not configured to enable multiple writes to it (need CONFIG_IMA_WRITE_POLICY=y)" > + > + [ -f $IMA_POLICY ] || tst_brk TCONF "$err" > + # CONFIG_IMA_READ_POLICY > + echo "" 2> log > $IMA_POLICY > + grep -q "Device or resource busy" log && tst_brk TCONF "$err" > +} > + Kind regards, Petr
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_policy.sh b/testcases/kernel/security/integrity/ima/tests/ima_policy.sh
index 244cf081d..8924549df 100755
--- a/testcases/kernel/security/integrity/ima/tests/ima_policy.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_policy.sh
@@ -11,19 +11,9 @@ TST_CNT=2
 . ima_setup.sh
-check_policy_writable()
-{
- local err="IMA policy already loaded and kernel not configured to enable multiple writes to it (need CONFIG_IMA_WRITE_POLICY=y)"
-
- [ -f $IMA_POLICY ] || tst_brk TCONF "$err"
- # CONFIG_IMA_READ_POLICY
- echo "" 2> log > $IMA_POLICY
- grep -q "Device or resource busy" log && tst_brk TCONF "$err"
-}
-
 setup()
 {
- check_policy_writable
+ require_policy_writable
 VALID_POLICY="$TST_DATAROOT/measure.policy"
 [ -f $VALID_POLICY ] || tst_brk TCONF "missing $VALID_POLICY"
@@ -55,7 +45,7 @@ test1()
 local p1
- check_policy_writable
+ require_policy_writable
 load_policy $INVALID_POLICY & p1=$!
 wait "$p1"
 if [ $? -ne 0 ]; then
@@ -71,7 +61,7 @@ test2()
 local p1 p2 rc1 rc2
- check_policy_writable
+ require_policy_writable
 load_policy $VALID_POLICY & p1=$!
 load_policy $VALID_POLICY & p2=$!
 wait "$p1"; rc1=$?
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
index 565f0bc3e..9c25d634d 100644
--- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
@@ -73,6 +73,16 @@ require_policy_readable()
 fi
 }
+require_policy_writable()
+{
+ local err="IMA policy already loaded and kernel not configured to enable multiple writes to it (need CONFIG_IMA_WRITE_POLICY=y)"
+
+ [ -f $IMA_POLICY ] || tst_brk TCONF "$err"
+ # CONFIG_IMA_READ_POLICY
+ echo "" 2> log > $IMA_POLICY
+ grep -q "Device or resource busy" log && tst_brk TCONF "$err"
+}
+
 check_ima_policy_content()
 {
 local pattern="$1"
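Review bot: In `require_policy_writable()` (the ima_setup.sh hunk) the last statement, `grep -q "Device or resource busy" log && tst_brk TCONF "$err"`, leaves the function with exit status 1 whenever the policy is writable. That is harmless for the bare calls in ima_policy.sh but will mislead any caller that tests the result now that this is a shared helper; `if grep -q "Device or resource busy" log; then tst_brk TCONF "$err"; fi` returns 0 on the success path. The probe also recognises only that one message, so any other write failure recorded in `log` (a permission error, for example) is ignored and the policy tests continue against a file they may not be able to write; reporting the contents of a non-empty `log` would make the skip reason trustworthy. `$IMA_POLICY` is unquoted in both the `[ -f ]` test and the redirection and should be written `"$IMA_POLICY"`. The `# CONFIG_IMA_READ_POLICY` comment appears to name the wrong option for a write check.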
Signed-off-by: Alex Henrie <alexh@vpitech.com> --- .../security/integrity/ima/tests/ima_policy.sh | 16 +++------------- .../security/integrity/ima/tests/ima_setup.sh | 10 ++++++++++ 2 files changed, 13 insertions(+), 13 deletions(-)