From: Petr Vorel <pvorel@suse.cz>
To: ltp@lists.linux.it
Cc: Lachlan Sneff <t-josne@linux.microsoft.com>,
Lakshmi Ramasubramanian <nramas@linux.microsoft.com>,
Mimi Zohar <zohar@linux.vnet.ibm.com>,
linux-integrity@vger.kernel.org, Cyril Hrubis <chrubis@suse.cz>
Subject: Re: [PATCH 1/1] IMA/ima_keys.sh Fix policy content check usage
Date: Fri, 7 Aug 2020 16:30:27 +0200 [thread overview]
Message-ID: <20200807143027.GB3247@dell5510> (raw)
In-Reply-To: <20200807141524.GA3247@dell5510>
Hi all,
> ...
> > --- a/testcases/kernel/security/integrity/ima/tests/ima_keys.sh
> > +++ b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh
> > @@ -16,11 +16,14 @@ TST_NEEDS_DEVICE=1
> > # (450d0fd51564 - "IMA: Call workqueue functions to measure queued keys")
> > test1()
> > {
> > - local keyrings keycheck_lines keycheck_line templates test_file="file.txt"
> > + local keyrings keycheck_lines keycheck_line templates
> > + local policy="func=KEY_CHECK"
> > + local test_file="file.txt"
> > tst_res TINFO "verifying key measurement for keyrings and templates specified in IMA policy file"
> > - keycheck_lines=$(require_ima_policy_content "func=KEY_CHECK" "")
> > + require_ima_policy_content $policy
> > + keycheck_lines=$(check_ima_policy_content $policy "")
> > keycheck_line=$(echo "$keycheck_lines" | grep "keyrings" | head -n1)
> While working on this patchset, I wonder, why we don't check for
> 'func=KEY_CHECK.*keyrings' in single grep call instead of grepping it twice.
> IMHO single grep call is enough. Or am I missing something?
OK, the order can be different as (according to doc [1] as Mimi remarked in some
older mail) only action is fixed on first place, order of conditions isn't
defined. Thus this would make it:
grep -E '^measure.*(func=KEY_CHECK.*keyrings|keyrings.*func=KEY_CHECK)'
But both tests have the requirement in common only 'func=KEY_CHECK', thus I'll
do some preparations for next test.
(+ we didn't require measure, thus dont_measure could fit into previous check as
well).
Kind regards,
Petr
[1] https://www.kernel.org/doc/Documentation/ABI/testing/ima_policy
next prev parent reply other threads:[~2020-08-07 14:30 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-08-07 11:29 [PATCH 1/1] IMA/ima_keys.sh Fix policy content check usage Petr Vorel
2020-08-07 14:15 ` Petr Vorel
2020-08-07 14:19 ` Lakshmi Ramasubramanian
2020-08-07 14:30 ` Petr Vorel [this message]
2020-08-07 20:50 ` Petr Vorel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200807143027.GB3247@dell5510 \
--to=pvorel@suse.cz \
--cc=chrubis@suse.cz \
--cc=linux-integrity@vger.kernel.org \
--cc=ltp@lists.linux.it \
--cc=nramas@linux.microsoft.com \
--cc=t-josne@linux.microsoft.com \
--cc=zohar@linux.vnet.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox