* [LTP] [PATCH] tst_security.sh: Use enforce toggle to trigger SELinux measurement
@ 2026-06-12 16:38 Avinesh Kumar via ltp
  2026-06-12 19:07 ` [LTP] " linuxtestproject.agent
  0 siblings, 1 reply; 7+ messages in thread
From: Avinesh Kumar via ltp @ 2026-06-12 16:38 UTC (permalink / raw)
  To: ltp

Upstream kernel commit
644132a48f4e ("selinux: prune /sys/fs/selinux/checkreqprot") [0]
removed the selinux_ima_measure_state() call from the checkreqprot
write handler.
This broke tst_update_selinux_state() which relied on writing to
checkreqprot to trigger IMA measurements of SELinux state.

Switch to toggling the enforce value instead, which still triggers
selinux_ima_measure_state() on all kernel versions >= 5.12.

[0] https://github.com/torvalds/linux/commit/644132a48f4e28a1d949d162160869286f3e75de
Signed-off-by: Avinesh Kumar <avinesh.kumar@suse.com>
---
 testcases/lib/tst_security.sh | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/testcases/lib/tst_security.sh b/testcases/lib/tst_security.sh
index 820736c72..e9f7147e3 100644
--- a/testcases/lib/tst_security.sh
+++ b/testcases/lib/tst_security.sh
@@ -146,6 +146,9 @@ tst_update_selinux_state()
 	local dir=$(tst_get_selinux_dir)
 	[ -n "$dir" ] || return 1
 
-	val=$(cat $dir/checkreqprot)
-	echo $val > $dir/checkreqprot
+	# Toggle enforce to trigger SELinux state measurement
+	orig_val=$(cat $dir/enforce)
+	val=$((1 - orig_val))
+	echo $val > $dir/enforce
+	echo $orig_val > $dir/enforce
 }
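Review bot: the two writes to `$dir/enforce` at the end of tst_update_selinux_state() are unchecked. A failure of the first write is silently ignored, and if the restore `echo $orig_val > $dir/enforce` fails the host stays in the flipped mode (permissive when it started out enforcing). Consider bailing out as soon as a write fails, for example `echo $val > $dir/enforce || return 1`, and reporting a failed restore distinctly so that later tests do not run under the wrong enforcement mode.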
-- 
2.54.0


-- 
Mailing list info: https://lists.linux.it/listinfo/ltp


* Re: [LTP] tst_security.sh: Use enforce toggle to trigger SELinux measurement
  2026-06-12 16:38 [LTP] [PATCH] tst_security.sh: Use enforce toggle to trigger SELinux measurement Avinesh Kumar via ltp
@ 2026-06-12 19:07 ` linuxtestproject.agent
  2026-06-15 11:13   ` [LTP] [PATCH v2] " Avinesh Kumar via ltp
  0 siblings, 1 reply; 7+ messages in thread
From: linuxtestproject.agent @ 2026-06-12 19:07 UTC (permalink / raw)
  To: Avinesh Kumar; +Cc: ltp

Hi Avinesh,

On Fri, 12 Jun 2026 18:38:04 +0200, Avinesh Kumar wrote:
> tst_security.sh: Use enforce toggle to trigger SELinux measurement

> +	orig_val=$(cat $dir/enforce)
> +	val=$((1 - orig_val))
> +	echo $val > $dir/enforce
> +	echo $orig_val > $dir/enforce
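Review bot: when `orig_val` is 1, the first write here puts an enforcing host into permissive mode until the second write restores it. That is a real change of enforcement on the system under test, unlike the replaced checkreqprot code, which wrote back the value it had just read. The side effect deserves a sentence in the code comment so callers know the helper briefly alters the enforcement mode.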

`orig_val` is not declared `local`, unlike `val` and `dir` in the
same function. This leaks `orig_val` into the caller's scope.

Should the declaration on line 145 be:

  local val orig_val

Verdict - Needs revision

---
Note:

The agent can sometimes produce false positives although often its
findings are genuine. If you find issues with the review, please
comment on this email or ignore the suggestions.

Regards,
LTP AI Reviewer


* [LTP] [PATCH v2] tst_security.sh: Use enforce toggle to trigger SELinux measurement
  2026-06-12 19:07 ` [LTP] " linuxtestproject.agent
@ 2026-06-15 11:13   ` Avinesh Kumar via ltp
  2026-06-15 13:17     ` [LTP] " linuxtestproject.agent
                       ` (2 more replies)
  0 siblings, 3 replies; 7+ messages in thread
From: Avinesh Kumar via ltp @ 2026-06-15 11:13 UTC (permalink / raw)
  To: ltp

Upstream kernel commit
644132a48f4e ("selinux: prune /sys/fs/selinux/checkreqprot") [0]
removed the selinux_ima_measure_state() call from the checkreqprot
write handler.
This broke tst_update_selinux_state() which relied on writing to
checkreqprot to trigger IMA measurements of SELinux state.

Switch to toggling the enforce value instead, which still triggers
selinux_ima_measure_state() on all kernel versions >= 5.12.

[0] https://github.com/torvalds/linux/commit/644132a48f4e28a1d949d162160869286f3e75de
Signed-off-by: Avinesh Kumar <avinesh.kumar@suse.com>
---
 testcases/lib/tst_security.sh | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/testcases/lib/tst_security.sh b/testcases/lib/tst_security.sh
index 820736c72..8c23bc5a0 100644
--- a/testcases/lib/tst_security.sh
+++ b/testcases/lib/tst_security.sh
@@ -142,10 +142,13 @@ tst_get_enforce()
 
 tst_update_selinux_state()
 {
-	local val
+	local val orig_val
 	local dir=$(tst_get_selinux_dir)
 	[ -n "$dir" ] || return 1
 
-	val=$(cat $dir/checkreqprot)
-	echo $val > $dir/checkreqprot
+	# Toggle enforce to trigger SELinux state measurement
+	orig_val=$(cat $dir/enforce)
+	val=$((1 - orig_val))
+	echo $val > $dir/enforce
+	echo $orig_val > $dir/enforce
 }
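Review bot: `orig_val=$(cat $dir/enforce)` feeds straight into `$((1 - orig_val))` with no validation. If the read fails or returns nothing, bash treats the empty value as 0, so `val` becomes 1 and the final echo writes an empty line instead of a mode. Check the value before using it, e.g. `[ "$orig_val" = 0 ] || [ "$orig_val" = 1 ] || return 1`, and quote the expansions (`"$dir/enforce"`) as a matter of style.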
-- 
2.54.0



* Re: [LTP] tst_security.sh: Use enforce toggle to trigger SELinux measurement
  2026-06-15 11:13   ` [LTP] [PATCH v2] " Avinesh Kumar via ltp
@ 2026-06-15 13:17     ` linuxtestproject.agent
  2026-06-16  8:34     ` [LTP] [PATCH v2] " Andrea Cervesato via ltp
  2026-06-16 10:58     ` Andrea Cervesato via ltp
  2 siblings, 0 replies; 7+ messages in thread
From: linuxtestproject.agent @ 2026-06-15 13:17 UTC (permalink / raw)
  To: Avinesh Kumar; +Cc: ltp

Hi Avinesh,

On Mon, 15 Jun 2026 13:13:57 +0200, Avinesh Kumar wrote:
> tst_security.sh: Use enforce toggle to trigger SELinux measurement

Verdict - Reviewed

Pre-existing issue (not introduced by this patch):

tst_disable_selinux() at line 122 uses "cat 0 > $f", which tries
to read a file named "0" rather than writing the value 0 to the
enforce file. This should be "echo 0 > $f".

---
Note:

The agent can sometimes produce false positives although often its
findings are genuine. If you find issues with the review, please
comment on this email or ignore the suggestions.

Regards,
LTP AI Reviewer


* Re: [LTP] [PATCH v2] tst_security.sh: Use enforce toggle to trigger SELinux measurement
  2026-06-15 11:13   ` [LTP] [PATCH v2] " Avinesh Kumar via ltp
  2026-06-15 13:17     ` [LTP] " linuxtestproject.agent
@ 2026-06-16  8:34     ` Andrea Cervesato via ltp
  2026-06-16  9:25       ` Avinesh Kumar via ltp
  2026-06-16 10:58     ` Andrea Cervesato via ltp
  2 siblings, 1 reply; 7+ messages in thread
From: Andrea Cervesato via ltp @ 2026-06-16  8:34 UTC (permalink / raw)
  To: Avinesh Kumar via ltp; +Cc: ltp

Hi Avinesh,

The patch looks good. For some reason we didn't receive the
agent review which spotted a bug in the test as well.
I think this is worth fixing in a separate patch as well.
WDYT?

---
Pre-existing issue (not introduced by this patch):

tst_disable_selinux() at line 122 uses "cat 0 > $f", which tries
to read a file named "0" rather than writing the value 0 to the
enforce file. This should be "echo 0 > $f".

--
Andrea Cervesato
SUSE QE Automation Engineer Linux
andrea.cervesato@suse.com


* Re: [LTP] [PATCH v2] tst_security.sh: Use enforce toggle to trigger SELinux measurement
  2026-06-16  8:34     ` [LTP] [PATCH v2] " Andrea Cervesato via ltp
@ 2026-06-16  9:25       ` Avinesh Kumar via ltp
  0 siblings, 0 replies; 7+ messages in thread
From: Avinesh Kumar via ltp @ 2026-06-16  9:25 UTC (permalink / raw)
  To: Andrea Cervesato, Avinesh Kumar via ltp

Hi Andrea,

On 6/16/26 10:34 AM, Andrea Cervesato via ltp wrote:
> Hi Avinesh,
> 
> The patch looks good. For some reason we didn't receive the
> agent review which spotted a bug in the test as well.
> I think this is worth fixing in a separate patch as well.
> WDYT?

Thank you for the review.
I have sent that fix here - 
https://patchwork.ozlabs.org/project/ltp/patch/20260616092300.177787-1-avinesh.kumar@suse.com/

Regards,
Avinesh




* Re: [LTP] [PATCH v2] tst_security.sh: Use enforce toggle to trigger SELinux measurement
  2026-06-15 11:13   ` [LTP] [PATCH v2] " Avinesh Kumar via ltp
  2026-06-15 13:17     ` [LTP] " linuxtestproject.agent
  2026-06-16  8:34     ` [LTP] [PATCH v2] " Andrea Cervesato via ltp
@ 2026-06-16 10:58     ` Andrea Cervesato via ltp
  2 siblings, 0 replies; 7+ messages in thread
From: Andrea Cervesato via ltp @ 2026-06-16 10:58 UTC (permalink / raw)
  To: Avinesh Kumar via ltp; +Cc: ltp

Reviewed-by: Andrea Cervesato <andrea.cervesato@suse.com>

--
Andrea Cervesato
SUSE QE Automation Engineer Linux
andrea.cervesato@suse.com

