Message ID | 20250220160054.12149-2-zohar@linux.ibm.com (mailing list archive)
---|---
State | New
Series | [RFC,1/3] Update validate() to support multiple violations
Hi Mimi, > Kernel patch "ima: limit the number of open-writers integrity > violations" prevents superfluous "open-writers" violations. Add > corresponding LTP tests. > Link: https://lore.kernel.org/linux-integrity/20250219162131.416719-2-zohar@linux.ibm.com/ > Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> > --- > .../integrity/ima/tests/ima_violations.sh | 87 ++++++++++++++++++- > 1 file changed, 86 insertions(+), 1 deletion(-) > diff --git a/testcases/kernel/security/integrity/ima/tests/ima_violations.sh b/testcases/kernel/security/integrity/ima/tests/ima_violations.sh > index 7f0382fb8..65c5c3a92 100755 > --- a/testcases/kernel/security/integrity/ima/tests/ima_violations.sh > +++ b/testcases/kernel/security/integrity/ima/tests/ima_violations.sh > @@ -8,7 +8,7 @@ > TST_SETUP="setup" > TST_CLEANUP="cleanup" > -TST_CNT=3 > +TST_CNT=6 > REQUIRED_BUILTIN_POLICY="tcb" > REQUIRED_POLICY_CONTENT='violations.policy' > @@ -60,6 +60,17 @@ close_file_write() > exec 4>&- > } > +open_file_write2() > +{ > + exec 5> $FILE || exit 1 maybe: exec 5> $FILE || tst_brk TBROK "exec 5> $FILE failed" Because tst_brk TBROK calls test cleanup. Plain exit kills everything. We also have ROD, but that requires binaries ('exec' is a shell builtin). (It applies to the third patch as well.) > + echo 'test writing2' >&5 > +} > + > +close_file_write2() > +{ > + exec 5>&- > +} > + > get_count() > { > local search="$1" 
> @@ -160,6 +171,80 @@ test3() > tst_sleep 2s > } > +test4() > +{ > + tst_res TINFO "verify limiting single open writer violation" > + > + local search="open_writers" > + local count num_violations > + > + read num_violations < $IMA_VIOLATIONS > + count="$(get_count $search)" > + > + open_file_write > + open_file_read > + close_file_read > + > + open_file_read > + close_file_read > + > + close_file_write > + > + validate $num_violations $count $search 1 > +} > + > +test5() > +{ > + tst_res TINFO "verify limiting multiple open writers violations" > + > + local search="open_writers" > + local count num_violations > + > + read num_violations < $IMA_VIOLATIONS > + count="$(get_count $search)" > + > + open_file_write > + open_file_read > + close_file_read > + > + open_file_write2 > + open_file_read > + close_file_read > + close_file_write2 > + > + open_file_read > + close_file_read > + > + close_file_write > + > + validate $num_violations $count $search 1 nit: safer to quote validate "$num_violations" "$count" "$search" 1 > +} > + > +test6() > +{ > + tst_res TINFO "verify new open writer causes additional violation" > + > + local search="open_writers" > + local count num_violations > + > + read num_violations < $IMA_VIOLATIONS > + count="$(get_count $search)" > + > + open_file_write > + open_file_read > + close_file_read > + > + open_file_read > + close_file_read > + close_file_write > + > + open_file_write > + open_file_read > + close_file_read > + close_file_write > + validate $num_violations $count $search 2 And here. Kind regards, Petr
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_violations.sh b/testcases/kernel/security/integrity/ima/tests/ima_violations.sh index 7f0382fb8..65c5c3a92 100755 --- a/testcases/kernel/security/integrity/ima/tests/ima_violations.sh +++ b/testcases/kernel/security/integrity/ima/tests/ima_violations.sh @@ -8,7 +8,7 @@ TST_SETUP="setup" TST_CLEANUP="cleanup" -TST_CNT=3 +TST_CNT=6 REQUIRED_BUILTIN_POLICY="tcb" REQUIRED_POLICY_CONTENT='violations.policy' @@ -60,6 +60,17 @@ close_file_write() exec 4>&- } +open_file_write2() +{ + exec 5> $FILE || exit 1 + echo 'test writing2' >&5 +} + +close_file_write2() +{ + exec 5>&- +} + get_count() { local search="$1" 
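Review bot: `exec 5> $FILE || exit 1` in open_file_write2() exits the shell directly and so skips the cleanup registered through TST_CLEANUP="cleanup"; the rest of this file reports through the test library, so prefer `exec 5> $FILE || tst_brk TBROK "exec 5> $FILE failed"` and quote `"$FILE"` in both the redirection and the message. A short comment above the function would also help: it opens a second, independent writer on fd 5 (fd 4 is the one released by the existing close_file_write()) so that a test can hold two writers open on the same file at once, which the name "open_file_write2" alone does not convey.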
@@ -160,6 +171,80 @@ test3() tst_sleep 2s } +test4() +{ + tst_res TINFO "verify limiting single open writer violation" + + local search="open_writers" + local count num_violations + + read num_violations < $IMA_VIOLATIONS + count="$(get_count $search)" + + open_file_write + open_file_read + close_file_read + + open_file_read + close_file_read + + close_file_write + + validate $num_violations $count $search 1 +} + +test5() +{ + tst_res TINFO "verify limiting multiple open writers violations" + + local search="open_writers" + local count num_violations + + read num_violations < $IMA_VIOLATIONS + count="$(get_count $search)" + + open_file_write + open_file_read + close_file_read + + open_file_write2 + open_file_read + close_file_read + close_file_write2 + + open_file_read + close_file_read + + close_file_write + + validate $num_violations $count $search 1 +} + +test6() +{ + tst_res TINFO "verify new open writer causes additional violation" + + local search="open_writers" + local count num_violations + + read num_violations < $IMA_VIOLATIONS + count="$(get_count $search)" + + open_file_write + open_file_read + close_file_read + + open_file_read + close_file_read + close_file_write + + open_file_write + open_file_read + close_file_read + close_file_write + validate $num_violations $count $search 2 +} + . ima_setup.sh . daemonlib.sh tst_run
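Review bot: the `validate $num_violations $count $search 1` calls in test4(), test5() and test6() pass unquoted expansions; if any of them is ever empty the positional arguments shift and validate() reads the wrong expected count, so quote them: `validate "$num_violations" "$count" "$search" 1`, and likewise `read num_violations < "$IMA_VIOLATIONS"`. The three tests also carry no comment explaining why the expected counts are 1, 1 and 2: test4 and test5 keep the first writer open across the whole sequence (test5 adds a second concurrent writer via open_file_write2), so a single open_writers violation is expected, whereas test6 closes the writer and reopens it, which is why a second violation is expected. Stating that beside each validate call ties the test to the kernel change named in the commit message. Minor: test6 lacks the blank line before validate that test4 and test5 have, and the identical preamble in all three (local declarations, `read num_violations`, `get_count`) could be folded into one shared helper.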
Kernel patch "ima: limit the number of open-writers integrity
violations" prevents superfluous "open-writers" violations. Add
corresponding LTP tests.

Link: https://lore.kernel.org/linux-integrity/20250219162131.416719-2-zohar@linux.ibm.com/
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
---
 .../integrity/ima/tests/ima_violations.sh | 87 ++++++++++++++++++-
 1 file changed, 86 insertions(+), 1 deletion(-)