From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: ltp@lists.linux.it
Subject: [LTP] [RFC PATCH v3 02/10] security/ima: Change order of tests
Date: Thu, 26 Apr 2018 10:32:52 -0400
Message-ID: <1524753172.5349.7.camel@linux.vnet.ibm.com>
In-Reply-To: <20180424180953.vbn2cancyxk7ghnk@dell5510>

On Tue, 2018-04-24 at 20:09 +0200, Petr Vorel wrote:
> Hi,
> 
> > Unfortunately in some circumstances there are interdependencies between
> > tests.
> > The measurements test requires a loaded IMA policy. If it's not loaded, the policy
> > test does it for us => run the measurements test after the policy test.
> 
> > Policy test somehow breaks violations test => run it before policy test.
> > TODO: this does not help if CONFIG_IMA_WRITE_POLICY=y and without auditd
> > daemon. Maybe we should require auditd for violation tests.
> ...
> > +++ b/runtest/ima
> > @@ -1,5 +1,5 @@
> >  #DESCRIPTION:Integrity Measurement Architecture (IMA)
> > -ima_measurements ima_measurements.sh
> > +ima_violations ima_violations.sh
> >  ima_policy ima_policy.sh
> > +ima_measurements ima_measurements.sh
> >  ima_tpm ima_tpm.sh
> > -ima_violations ima_violations.sh
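Review bot: moving ima_measurements below ima_policy in runtest/ima makes the measurements test depend on a side effect of the policy test (loading a policy), which only holds when the whole file is run in this order; ima_measurements.sh run on its own still has no policy loaded. It would be more robust for ima_measurements.sh to check for a measurement policy itself and skip when none is present. The same concern applies to moving ima_violations to the top: the commit message says the policy test "somehow breaks" it and that the reorder does not help with CONFIG_IMA_WRITE_POLICY=y and no auditd, so the cause should be identified and documented rather than ordered around.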
> 
> I don't want to apply this patch any more. The behavior depends on ima_policy
> settings.
> 
> What is a meaningful setup for testing anyway? I suppose at least some tests need
> to have some policy set (ima_policy=tbc ?).
> 
> Without this patch and with no ima_policy, the ima_measurements.sh test is failing; it needs to
> be skipped.

The original tests assumed a builtin IMA-measurement policy.  Either
of the boot command line options "ima_tcb" or "ima_policy=tcb" should
work.  When checking the "ima_policy" for "tcb", it could be specified
anywhere in the list of builtin policies (e.g.
ima_policy=appraise_tcb|secure_boot|ima).

Mimi
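
The check described in the reply above, as an added example that is not part of the original message or of LTP: a shell function that looks for "ima_tcb" or for a "tcb" entry anywhere in the "|"-separated "ima_policy=" list. The function name and the sample command lines are constructed for illustration, and the example assumes that only an exact "tcb" entry selects the measurement policy, so "appraise_tcb" on its own does not count.

```shell
#!/bin/sh
# Added example (hypothetical helper, not LTP code): decide whether a kernel
# command line selects the builtin IMA measurement ("tcb") policy.

# has_tcb_policy CMDLINE
# Exit status 0 if CMDLINE contains "ima_tcb" or an "ima_policy=" list with
# an exact "tcb" entry at any position, 1 otherwise.
# The body runs in a subshell so the IFS and "set -f" changes do not leak.
has_tcb_policy() (
	set -f				# no pathname expansion while word-splitting
	for arg in $1; do
		case $arg in
		ima_tcb)
			exit 0
			;;
		ima_policy=*)
			list=${arg#ima_policy=}
			oldifs=$IFS
			IFS='|'		# builtin policies are "|"-separated
			for entry in $list; do
				# Exact match: "appraise_tcb" must not count as "tcb"
				# (assumption stated in the lead-in).
				if [ "$entry" = "tcb" ]; then
					exit 0
				fi
			done
			IFS=$oldifs
			;;
		esac
	done
	exit 1
)

# Constructed sample command lines; a test would pass "$(cat /proc/cmdline)".
while IFS= read -r sample; do
	if has_tcb_policy "$sample"; then
		echo "tcb policy:    $sample"
	else
		echo "no tcb policy: $sample"
	fi
done <<'EOF'
BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro ima_tcb
BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro ima_policy=tcb quiet
BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro ima_policy=appraise_tcb|tcb|secure_boot
BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro ima_policy=appraise_tcb|secure_boot
BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro quiet
EOF
```

A test that needs the measurement policy can call this on the contents of /proc/cmdline and skip when it returns non-zero, rather than relying on another test having loaded a policy first.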

