| Message ID | 20250304115331.524842-1-zohar@linux.ibm.com (mailing list archive) |
|---|---|
| State | New |
| Headers | show |
| Series | [v2,1/4] ima_violations.sh: force $LOG ToMToU violation earlier | expand |
Hi Mimi, > Violation tests are dependent on searching the $LOG file, which may > itself result in a ToMToU violation. Preempt getting an additional > violation during the tests by forcing the $LOG ToMToU violation > earlier. > Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> > --- > testcases/kernel/security/integrity/ima/tests/ima_violations.sh | 1 + > 1 file changed, 1 insertion(+) > diff --git a/testcases/kernel/security/integrity/ima/tests/ima_violations.sh b/testcases/kernel/security/integrity/ima/tests/ima_violations.sh > index 37d8d473c..22863fb72 100755 > --- a/testcases/kernel/security/integrity/ima/tests/ima_violations.sh > +++ b/testcases/kernel/security/integrity/ima/tests/ima_violations.sh > @@ -30,6 +30,7 @@ setup() > if [ ! -e "$LOG" ]; then > tst_brk TCONF "log file not found, install auditd" > fi > + exec 3< $LOG || tst_brk TBROK "failed to read log file" > tst_res TINFO "using log $LOG" If you don't mind, I would reverse the order to get info about which log is used: tst_res TINFO "using log $LOG" exec 3< $LOG || tst_brk TBROK "failed to read log file" Or, if it's needed to for some reason to run it before (no idea why, but I might miss something), I would merge it as: exec 3< $LOG || tst_brk TBROK "failed to read $LOG" tst_res TINFO "using log $LOG" Reviewed-by: Petr Vorel <pvorel@suse.cz> Kind regards, Petr
On Tue, 2025-03-04 at 13:57 +0100, Petr Vorel wrote: > Hi Mimi, > > > Violation tests are dependent on searching the $LOG file, which may > > itself result in a ToMToU violation. Preempt getting an additional > > violation during the tests by forcing the $LOG ToMToU violation > > earlier. > > > Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> > > --- > > testcases/kernel/security/integrity/ima/tests/ima_violations.sh | 1 + > > 1 file changed, 1 insertion(+) > > > diff --git a/testcases/kernel/security/integrity/ima/tests/ima_violations.sh b/testcases/kernel/security/integrity/ima/tests/ima_violations.sh > > index 37d8d473c..22863fb72 100755 > > --- a/testcases/kernel/security/integrity/ima/tests/ima_violations.sh > > +++ b/testcases/kernel/security/integrity/ima/tests/ima_violations.sh > > @@ -30,6 +30,7 @@ setup() > > if [ ! -e "$LOG" ]; then > > tst_brk TCONF "log file not found, install auditd" > > fi > > + exec 3< $LOG || tst_brk TBROK "failed to read log file" > > tst_res TINFO "using log $LOG" > > If you don't mind, I would reverse the order to get info about which log is > used: > > tst_res TINFO "using log $LOG" > exec 3< $LOG || tst_brk TBROK "failed to read log file" Oh, I see what you mean. All of the TINFO come first and then an error, if there is one. That's fine. > > Or, if it's needed to for some reason to run it before (no idea why, but I might > miss something), I would merge it as: > > exec 3< $LOG || tst_brk TBROK "failed to read $LOG" > tst_res TINFO "using log $LOG" > > Reviewed-by: Petr Vorel <pvorel@suse.cz> thanks, Mimi
Hi Mimi, ... > > > + exec 3< $LOG || tst_brk TBROK "failed to read log file" > > > tst_res TINFO "using log $LOG" > > If you don't mind, I would reverse the order to get info about which log is > > used: > > tst_res TINFO "using log $LOG" > > exec 3< $LOG || tst_brk TBROK "failed to read log file" > Oh, I see what you mean. All of the TINFO come first and then an error, if > there is one. That's fine. Good. Merged this patch. Kind regards, Petr
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_violations.sh b/testcases/kernel/security/integrity/ima/tests/ima_violations.sh index 37d8d473c..22863fb72 100755 --- a/testcases/kernel/security/integrity/ima/tests/ima_violations.sh +++ b/testcases/kernel/security/integrity/ima/tests/ima_violations.sh @@ -30,6 +30,7 @@ setup() if [ ! -e "$LOG" ]; then tst_brk TCONF "log file not found, install auditd" fi + exec 3< $LOG || tst_brk TBROK "failed to read log file" tst_res TINFO "using log $LOG" }
Violation tests are dependent on searching the $LOG file, which may itself result in a ToMToU violation. Preempt getting an additional violation during the tests by forcing the $LOG ToMToU violation earlier. Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> --- testcases/kernel/security/integrity/ima/tests/ima_violations.sh | 1 + 1 file changed, 1 insertion(+)