@@ -72,20 +72,27 @@ validate()
local num_violations="$1"
local count="$2"
local search="$3"
+ local expected_violations="$4"
local max_attempt=3
local count2 i num_violations_new
for i in $(seq 1 $max_attempt); do
read num_violations_new < $IMA_VIOLATIONS
count2="$(get_count $search)"
- if [ $(($num_violations_new - $num_violations)) -gt 0 ]; then
+ if [ -z "$expected_violations" ] && \
+ [ $(($num_violations_new - $num_violations)) -gt 0 ] || \
+ [ $(($num_violations_new - $num_violations)) -eq $expected_violations ]; then
+ [ -z "$expected_violations" ] && expected_violations=1
if [ $count2 -gt $count ]; then
- tst_res TPASS "$search violation added"
+ tst_res TPASS "$expected_violations $search violation(s) added"
return
else
tst_res TINFO "$search not found in $LOG ($i/$max_attempt attempt)..."
tst_sleep 1s
fi
+ elif [ $(($num_violations_new - $num_violations)) -gt 0 ]; then
+ tst_res $IMA_FAIL "$search too many violations added: $num_violations_new - $num_violations"
+ return
else
tst_res $IMA_FAIL "$search violation not added"
return
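Review bot: The defaulting at `[ -z "$expected_violations" ] && expected_violations=1` overwrites the function-local inside the retry loop, so a caller that passes no fourth argument is held to exactly one violation from the second attempt on; a delta of 2 that needs a retry for the log entry would then land in the new "too many violations" branch. In the same condition, `-eq $expected_violations` is unquoted and is evaluated with an empty value whenever the argument is omitted and the delta is not positive, so `[` prints an error to stderr before the `else` branch runs. The new `elif` also reports "too many" when fewer violations than expected were added, and its message prints the two counters rather than their difference. I would compute the delta once, pick the comparison by whether `$4` was given, and apply the default of 1 only in the TPASS message, as sketched below; the end of the loop and of validate() lie outside the hunk.

```shell
	local delta matched
	for i in $(seq 1 $max_attempt); do
		# … unchanged: read num_violations_new, get_count …
		delta=$((num_violations_new - num_violations))
		matched=0
		if [ -z "$expected_violations" ]; then
			[ "$delta" -gt 0 ] && matched=1
		elif [ "$delta" -eq "$expected_violations" ]; then
			matched=1
		fi

		if [ "$matched" -eq 1 ]; then
			if [ $count2 -gt $count ]; then
				tst_res TPASS "${expected_violations:-1} $search violation(s) added"
				return
			# … unchanged: TINFO retry message, tst_sleep, inner fi …
		elif [ "$delta" -gt 0 ]; then
			tst_res $IMA_FAIL "$search: expected $expected_violations violation(s), got $delta"
			return
		# … unchanged: else branch reporting "violation not added" …
```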
Add optional support for the number of expected violations. Include the expected number of violations in the output. Limit the new expected violations to the new tests, so that the existing tests continue to work properly with/without the kernel changes. Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> --- .../security/integrity/ima/tests/ima_violations.sh | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-)