@@ -245,6 +245,8 @@ load_ima_policy()
ima_setup()
{
+ local load_policy
+
SECURITYFS="$(mount_helper securityfs $SYSFS/kernel/security)"
IMA_DIR="$SECURITYFS/ima"
@@ -265,11 +267,16 @@ ima_setup()
cd "$TST_MNTPOINT"
fi
- if ! verify_ima_policy; then
+ verify_ima_policy
+ load_policy=$?
+
+ # Run setup in case of TCONF before loading policy
+ [ -n "$TST_SETUP_CALLER" ] && $TST_SETUP_CALLER
+
+ if [ "$load_policy" = 1 ]; then
load_ima_policy
fi
- [ -n "$TST_SETUP_CALLER" ] && $TST_SETUP_CALLER
}
ima_cleanup()
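Review bot: The new test `[ "$load_policy" = 1 ]` loads the policy only when verify_ima_policy returns exactly 1, whereas the removed `if ! verify_ima_policy` did so for any non-zero status. verify_ima_policy is defined outside this hunk, so its return codes cannot be checked here. If it can return another non-zero value, the load is skipped silently and the IMA tests run without the policy they assume. Either keep the old semantics with `if [ "$load_policy" -ne 0 ]; then`, or, if 0/1 really is the whole contract, state it next to the call, e.g. `# verify_ima_policy: 0 = required policy already active, 1 = policy must be loaded`. It also seems worth confirming that no existing `$TST_SETUP_CALLER` setup relies on the policy already being loaded, since it now runs first.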
The usual approach in LTP is to quit a test early on missing prerequisites (e.g. disabled SELinux in ima_selinux.sh). This is even more important for IMA tests run with LTP_IMA_LOAD_POLICY=1, where it's useful to avoid loading the policy if the test will be skipped with TCONF (often requires reboot). Therefore first check $REQUIRED_BUILTIN_POLICY (value of the ima_policy kernel cmdline parameter, it can TCONF), then run the test-specific setup and finally load the policy if needed. Fixes: aac97cca96 ("ima_setup.sh: Allow to load predefined policy") Signed-off-by: Petr Vorel <pvorel@suse.cz> --- Link to v1: https://patchwork.ozlabs.org/project/ltp/patch/20250217130839.2392666-2-pvorel@suse.cz/ Changes from v1: * Instead of explicitly stating that test setup should be run before loading policy just postpone loading policy after running test setup. .../kernel/security/integrity/ima/tests/ima_setup.sh | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-)