[RFC PATCH 1/3] Update validate() to support multiple violations

[RFC PATCH 1/3] Update validate() to support multiple violations

[Mimi Zohar]

Add support for the number of expected violations.  Include the
expected number of violations in the output.

Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
---
 .../security/integrity/ima/tests/ima_violations.sh     | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/testcases/kernel/security/integrity/ima/tests/ima_violations.sh b/testcases/kernel/security/integrity/ima/tests/ima_violations.sh
index 37d8d473c..7f0382fb8 100755
--- a/testcases/kernel/security/integrity/ima/tests/ima_violations.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_violations.sh
@@ -71,20 +71,26 @@ validate()
 	local num_violations="$1"
 	local count="$2"
 	local search="$3"
+	local expected_violations=$4
 	local max_attempt=3
 	local count2 i num_violations_new
 
+	[ -z $expected_violations ] && expected_violations=1
+
 	for i in $(seq 1 $max_attempt); do
 		read num_violations_new < $IMA_VIOLATIONS
 		count2="$(get_count $search)"
-		if [ $(($num_violations_new - $num_violations)) -gt 0 ]; then
+		if [ $(($num_violations_new - $num_violations)) -eq $expected_violations ]; then
 			if [ $count2 -gt $count ]; then
-				tst_res TPASS "$search violation added"
+				tst_res TPASS "$expected_violations $search violation(s) added"
 				return
 			else
 				tst_res TINFO "$search not found in $LOG ($i/$max_attempt attempt)..."
 				tst_sleep 1s
 			fi
+		elif [ $(($num_violations_new - $num_violations)) -gt 0 ]; then
+			tst_res $IMA_FAIL "$search too many violations added"
+			return
 		else
 			tst_res $IMA_FAIL "$search violation not added"
 			return
-- 
2.48.1

[RFC PATCH 2/3] ima: additional open-writer violation tests

[Mimi Zohar]

Kernel patch "ima: limit the number of open-writers integrity
violations" prevents superfluous "open-writers" violations.  Add
corresponding LTP tests.

Link: https://lore.kernel.org/linux-integrity/20250219162131.416719-2-zohar@linux.ibm.com/
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
---
 .../integrity/ima/tests/ima_violations.sh     | 87 ++++++++++++++++++-
 1 file changed, 86 insertions(+), 1 deletion(-)

diff --git a/testcases/kernel/security/integrity/ima/tests/ima_violations.sh b/testcases/kernel/security/integrity/ima/tests/ima_violations.sh
index 7f0382fb8..65c5c3a92 100755
--- a/testcases/kernel/security/integrity/ima/tests/ima_violations.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_violations.sh
@@ -8,7 +8,7 @@
 
 TST_SETUP="setup"
 TST_CLEANUP="cleanup"
-TST_CNT=3
+TST_CNT=6
 
 REQUIRED_BUILTIN_POLICY="tcb"
 REQUIRED_POLICY_CONTENT='violations.policy'
@@ -60,6 +60,17 @@ close_file_write()
 	exec 4>&-
 }
 
+open_file_write2()
+{
+	exec 5> $FILE || exit 1
+	echo 'test writing2' >&5
+}
+
+close_file_write2()
+{
+	exec 5>&-
+}
+
 get_count()
 {
 	local search="$1"
@@ -160,6 +171,80 @@ test3()
 	tst_sleep 2s
 }
 
+test4()
+{
+	tst_res TINFO "verify limiting single open writer violation"
+
+	local search="open_writers"
+	local count num_violations
+
+	read num_violations < $IMA_VIOLATIONS
+	count="$(get_count $search)"
+
+	open_file_write
+	open_file_read
+	close_file_read
+
+	open_file_read
+	close_file_read
+
+	close_file_write
+
+	validate $num_violations $count $search 1
+}
+
+test5()
+{
+	tst_res TINFO "verify limiting multiple open writers violations"
+
+	local search="open_writers"
+	local count num_violations
+
+	read num_violations < $IMA_VIOLATIONS
+	count="$(get_count $search)"
+
+	open_file_write
+	open_file_read
+	close_file_read
+
+	open_file_write2
+	open_file_read
+	close_file_read
+	close_file_write2
+
+	open_file_read
+	close_file_read
+
+	close_file_write
+
+	validate $num_violations $count $search 1
+}
+
+test6()
+{
+	tst_res TINFO "verify new open writer causes additional violation"
+
+	local search="open_writers"
+	local count num_violations
+
+	read num_violations < $IMA_VIOLATIONS
+	count="$(get_count $search)"
+
+	open_file_write
+	open_file_read
+	close_file_read
+
+	open_file_read
+	close_file_read
+	close_file_write
+
+	open_file_write
+	open_file_read
+	close_file_read
+	close_file_write
+	validate $num_violations $count $search 2
+}
+
 . ima_setup.sh
 . daemonlib.sh
 tst_run
-- 
2.48.1

[RFC PATCH 3/3] ima: additional ToMToU violation tests

[Mimi Zohar]

Kernel patch "ima: limit the number of ToMToU integrity violations"
prevents superfluous ToMToU violations.  Add corresponding LTP tests.

Link: https://lore.kernel.org/linux-integrity/20250219162131.416719-3-zohar@linux.ibm.com/
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
---
 .../integrity/ima/tests/ima_violations.sh     | 46 ++++++++++++++++++-
 1 file changed, 45 insertions(+), 1 deletion(-)

diff --git a/testcases/kernel/security/integrity/ima/tests/ima_violations.sh b/testcases/kernel/security/integrity/ima/tests/ima_violations.sh
index 65c5c3a92..5b6d7e993 100755
--- a/testcases/kernel/security/integrity/ima/tests/ima_violations.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_violations.sh
@@ -8,7 +8,7 @@
 
 TST_SETUP="setup"
 TST_CLEANUP="cleanup"
-TST_CNT=6
+TST_CNT=8
 
 REQUIRED_BUILTIN_POLICY="tcb"
 REQUIRED_POLICY_CONTENT='violations.policy'
@@ -245,6 +245,50 @@ test6()
 	validate $num_violations $count $search 2
 }
 
+test7()
+{
+	tst_res TINFO "verify limiting single open reader ToMToU violations"
+
+	local search="ToMToU"
+	local count num_violations
+
+	read num_violations < $IMA_VIOLATIONS
+	count="$(get_count $search)"
+
+	open_file_read
+	open_file_write
+	close_file_write
+
+	open_file_write
+	close_file_write
+	close_file_read
+
+	validate $num_violations $count $search 1
+}
+
+test8()
+{
+	tst_res TINFO "verify new open reader causes additional ToMToU violation"
+
+	local search="ToMToU"
+	local count num_violations
+
+	read num_violations < $IMA_VIOLATIONS
+	count="$(get_count $search)"
+
+	open_file_read
+	open_file_write
+	close_file_write
+	close_file_read
+
+	open_file_read
+	open_file_write
+	close_file_write
+	close_file_read
+
+	validate $num_violations $count $search 2
+}
+
 . ima_setup.sh
 . daemonlib.sh
 tst_run
-- 
2.48.1

Re: [RFC PATCH 3/3] ima: additional ToMToU violation tests

[Petr Vorel]

Hi Mimi,

> Kernel patch "ima: limit the number of ToMToU integrity violations"
> prevents superfluous ToMToU violations.  Add corresponding LTP tests.

> Link: https://lore.kernel.org/linux-integrity/20250219162131.416719-3-zohar@linux.ibm.com/
> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>

Unfortunately tests fail on both mainline kernel and kernel with your patches.

Any hint what could be wrong?

Mainline kernel (on kernel with your patches it looks the same):
ima_violations 1 TINFO: Running: ima_violations.sh
ima_violations 1 TINFO: Tested kernel: Linux ts 6.13.0-2.g0127a37-default #1 SMP PREEMPT_DYNAMIC Thu Jan 23 11:21:55 UTC 2025 (0127a37) x86_64 x86_64 x86_64 GNU/Linux
ima_violations 1 TINFO: Using /tmp/LTP_ima_violations.cKm34XVZk2 as tmpdir (tmpfs filesystem)
tst_device.c:99: TINFO: Found free device 0 '/dev/loop0'
ima_violations 1 TINFO: Formatting ext3 with opts='/dev/loop0'
ima_violations 1 TINFO: Mounting device: mount -t ext3 /dev/loop0 /tmp/LTP_ima_violations.cKm34XVZk2/mntpoint
ima_violations 1 TINFO: timeout per run is 0h 5m 0s
ima_violations 1 TINFO: IMA kernel config:
ima_violations 1 TINFO: CONFIG_IMA=y
ima_violations 1 TINFO: CONFIG_IMA_MEASURE_PCR_IDX=10
ima_violations 1 TINFO: CONFIG_IMA_LSM_RULES=y
ima_violations 1 TINFO: CONFIG_IMA_NG_TEMPLATE=y
ima_violations 1 TINFO: CONFIG_IMA_DEFAULT_TEMPLATE="ima-ng"
ima_violations 1 TINFO: CONFIG_IMA_DEFAULT_HASH_SHA256=y
ima_violations 1 TINFO: CONFIG_IMA_DEFAULT_HASH="sha256"
ima_violations 1 TINFO: CONFIG_IMA_READ_POLICY=y
ima_violations 1 TINFO: CONFIG_IMA_APPRAISE=y
ima_violations 1 TINFO: CONFIG_IMA_ARCH_POLICY=y
ima_violations 1 TINFO: CONFIG_IMA_APPRAISE_BOOTPARAM=y
ima_violations 1 TINFO: CONFIG_IMA_APPRAISE_MODSIG=y
ima_violations 1 TINFO: CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS=y
ima_violations 1 TINFO: CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS=y
ima_violations 1 TINFO: CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT=y
ima_violations 1 TINFO: CONFIG_IMA_DISABLE_HTABLE=y
ima_violations 1 TINFO: /proc/cmdline: BOOT_IMAGE=/boot/vmlinuz-6.13.0-2.g0127a37-default root=UUID=e36b2366-1af2-4408-903c-1fca82c60f4c splash=silent video=1024x768 plymouth.ignore-serial-consoles console=ttyS0 console=tty kernel.softlockup_panic=1 resume=/dev/disk/by-uuid/c3b865f9-5d5b-410e-a6d1-9ebcf721584c mitigations=auto security=apparmor ignore_loglevel
ima_violations 1 TINFO: $TMPDIR is on tmpfs => run on loop device
ima_violations 1 TINFO: test requires IMA policy:
measure func=FILE_CHECK mask=^MAY_READ euid=0
measure func=FILE_CHECK mask=^MAY_READ uid=0
ima_violations 1 TINFO: SUT has required policy content
ima_violations 1 TINFO: using log /var/log/audit/audit.log
ima_violations 1 TINFO: verify open writers violation
ima_violations 1 TFAIL: open_writers too many violations added
ima_violations 2 TINFO: verify ToMToU violation
ima_violations 2 TFAIL: ToMToU too many violations added
ima_violations 3 TINFO: verify open_writers using mmapped files
tst_test.c:1900: TINFO: LTP version: 20250130-22-gcd2215702f
tst_test.c:1904: TINFO: Tested kernel: 6.13.0-2.g0127a37-default #1 SMP PREEMPT_DYNAMIC Thu Jan 23 11:21:55 UTC 2025 (0127a37) x86_64
tst_kconfig.c:88: TINFO: Parsing kernel config '/proc/config.gz'
tst_kconfig.c:676: TINFO: CONFIG_FAULT_INJECTION kernel option detected which might slow the execution
tst_test.c:1722: TINFO: Overall timeout per run is 0h 02m 00s
ima_mmap.c:38: TINFO: sleep 3s
ima_violations 3 TFAIL: open_writers too many violations added
ima_mmap.c:41: TPASS: test completed

Summary:
passed   1
failed   0
broken   0
skipped  0
warnings 0
ima_violations 4 TINFO: verify limiting single open writer violation
ima_violations 4 TFAIL: open_writers too many violations added
ima_violations 5 TINFO: verify limiting multiple open writers violations
ima_violations 5 TFAIL: open_writers too many violations added
ima_violations 6 TINFO: verify new open writer causes additional violation
ima_violations 6 TFAIL: open_writers too many violations added
ima_violations 7 TINFO: verify limiting single open reader ToMToU violations
ima_violations 7 TFAIL: ToMToU too many violations added
ima_violations 8 TINFO: verify new open reader causes additional ToMToU violation
ima_violations 8 TFAIL: ToMToU too many violations added

Kind regards,
Petr

Re: [RFC PATCH 3/3] ima: additional ToMToU violation tests

[Petr Vorel]

Hi Mimi,

> Hi Mimi,

> > Kernel patch "ima: limit the number of ToMToU integrity violations"
> > prevents superfluous ToMToU violations.  Add corresponding LTP tests.

> > Link: https://lore.kernel.org/linux-integrity/20250219162131.416719-3-zohar@linux.ibm.com/
> > Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>

> Unfortunately tests fail on both mainline kernel and kernel with your patches.

> Any hint what could be wrong?

> Mainline kernel (on kernel with your patches it looks the same):

I'm sorry, I accidentally tested only on vanilla kernel. Rerunning tests with
updated kernel.

Is it this considered as a security feature? If yes, than failures on vanilla
kernel are ok, we just need to later add kernel hashes to let testers know about
missing backports. If it's a feature (not to be backported) we should test new
feature only on newer kernels.

Kind regards,
Petr

> ima_violations 1 TINFO: Running: ima_violations.sh
> ima_violations 1 TINFO: Tested kernel: Linux ts 6.13.0-2.g0127a37-default #1 SMP PREEMPT_DYNAMIC Thu Jan 23 11:21:55 UTC 2025 (0127a37) x86_64 x86_64 x86_64 GNU/Linux
> ima_violations 1 TINFO: Using /tmp/LTP_ima_violations.cKm34XVZk2 as tmpdir (tmpfs filesystem)
> tst_device.c:99: TINFO: Found free device 0 '/dev/loop0'
> ima_violations 1 TINFO: Formatting ext3 with opts='/dev/loop0'
> ima_violations 1 TINFO: Mounting device: mount -t ext3 /dev/loop0 /tmp/LTP_ima_violations.cKm34XVZk2/mntpoint
> ima_violations 1 TINFO: timeout per run is 0h 5m 0s
> ima_violations 1 TINFO: IMA kernel config:
> ima_violations 1 TINFO: CONFIG_IMA=y
> ima_violations 1 TINFO: CONFIG_IMA_MEASURE_PCR_IDX=10
> ima_violations 1 TINFO: CONFIG_IMA_LSM_RULES=y
> ima_violations 1 TINFO: CONFIG_IMA_NG_TEMPLATE=y
> ima_violations 1 TINFO: CONFIG_IMA_DEFAULT_TEMPLATE="ima-ng"
> ima_violations 1 TINFO: CONFIG_IMA_DEFAULT_HASH_SHA256=y
> ima_violations 1 TINFO: CONFIG_IMA_DEFAULT_HASH="sha256"
> ima_violations 1 TINFO: CONFIG_IMA_READ_POLICY=y
> ima_violations 1 TINFO: CONFIG_IMA_APPRAISE=y
> ima_violations 1 TINFO: CONFIG_IMA_ARCH_POLICY=y
> ima_violations 1 TINFO: CONFIG_IMA_APPRAISE_BOOTPARAM=y
> ima_violations 1 TINFO: CONFIG_IMA_APPRAISE_MODSIG=y
> ima_violations 1 TINFO: CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS=y
> ima_violations 1 TINFO: CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS=y
> ima_violations 1 TINFO: CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT=y
> ima_violations 1 TINFO: CONFIG_IMA_DISABLE_HTABLE=y
> ima_violations 1 TINFO: /proc/cmdline: BOOT_IMAGE=/boot/vmlinuz-6.13.0-2.g0127a37-default root=UUID=e36b2366-1af2-4408-903c-1fca82c60f4c splash=silent video=1024x768 plymouth.ignore-serial-consoles console=ttyS0 console=tty kernel.softlockup_panic=1 resume=/dev/disk/by-uuid/c3b865f9-5d5b-410e-a6d1-9ebcf721584c mitigations=auto security=apparmor ignore_loglevel
> ima_violations 1 TINFO: $TMPDIR is on tmpfs => run on loop device
> ima_violations 1 TINFO: test requires IMA policy:
> measure func=FILE_CHECK mask=^MAY_READ euid=0
> measure func=FILE_CHECK mask=^MAY_READ uid=0
> ima_violations 1 TINFO: SUT has required policy content
> ima_violations 1 TINFO: using log /var/log/audit/audit.log
> ima_violations 1 TINFO: verify open writers violation
> ima_violations 1 TFAIL: open_writers too many violations added
> ima_violations 2 TINFO: verify ToMToU violation
> ima_violations 2 TFAIL: ToMToU too many violations added
> ima_violations 3 TINFO: verify open_writers using mmapped files
> tst_test.c:1900: TINFO: LTP version: 20250130-22-gcd2215702f
> tst_test.c:1904: TINFO: Tested kernel: 6.13.0-2.g0127a37-default #1 SMP PREEMPT_DYNAMIC Thu Jan 23 11:21:55 UTC 2025 (0127a37) x86_64
> tst_kconfig.c:88: TINFO: Parsing kernel config '/proc/config.gz'
> tst_kconfig.c:676: TINFO: CONFIG_FAULT_INJECTION kernel option detected which might slow the execution
> tst_test.c:1722: TINFO: Overall timeout per run is 0h 02m 00s
> ima_mmap.c:38: TINFO: sleep 3s
> ima_violations 3 TFAIL: open_writers too many violations added
> ima_mmap.c:41: TPASS: test completed

> Summary:
> passed   1
> failed   0
> broken   0
> skipped  0
> warnings 0
> ima_violations 4 TINFO: verify limiting single open writer violation
> ima_violations 4 TFAIL: open_writers too many violations added
> ima_violations 5 TINFO: verify limiting multiple open writers violations
> ima_violations 5 TFAIL: open_writers too many violations added
> ima_violations 6 TINFO: verify new open writer causes additional violation
> ima_violations 6 TFAIL: open_writers too many violations added
> ima_violations 7 TINFO: verify limiting single open reader ToMToU violations
> ima_violations 7 TFAIL: ToMToU too many violations added
> ima_violations 8 TINFO: verify new open reader causes additional ToMToU violation
> ima_violations 8 TFAIL: ToMToU too many violations added

> Kind regards,
> Petr

Re: [RFC PATCH 1/3] Update validate() to support multiple violations

[Petr Vorel]

Hi Mimi,

> Add support for the number of expected violations.  Include the
> expected number of violations in the output.

> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
> ---
>  .../security/integrity/ima/tests/ima_violations.sh     | 10 ++++++++--
>  1 file changed, 8 insertions(+), 2 deletions(-)

> diff --git a/testcases/kernel/security/integrity/ima/tests/ima_violations.sh b/testcases/kernel/security/integrity/ima/tests/ima_violations.sh
> index 37d8d473c..7f0382fb8 100755
> --- a/testcases/kernel/security/integrity/ima/tests/ima_violations.sh
> +++ b/testcases/kernel/security/integrity/ima/tests/ima_violations.sh
> @@ -71,20 +71,26 @@ validate()
>  	local num_violations="$1"
>  	local count="$2"
>  	local search="$3"
> +	local expected_violations=$4
nit: safer to quote as much as possible (="$4") to avoid errors.

>  	local max_attempt=3
>  	local count2 i num_violations_new

> +	[ -z $expected_violations ] && expected_violations=1
Also here: -z "$expected_violations"

I can add quotes before merge if you don't want to bother (I would send you a
diff to ack it before merging).

> +
>  	for i in $(seq 1 $max_attempt); do
>  		read num_violations_new < $IMA_VIOLATIONS
>  		count2="$(get_count $search)"
> -		if [ $(($num_violations_new - $num_violations)) -gt 0 ]; then
> +		if [ $(($num_violations_new - $num_violations)) -eq $expected_violations ]; then
>  			if [ $count2 -gt $count ]; then
> -				tst_res TPASS "$search violation added"
> +				tst_res TPASS "$expected_violations $search violation(s) added"
>  				return
>  			else
>  				tst_res TINFO "$search not found in $LOG ($i/$max_attempt attempt)..."
>  				tst_sleep 1s
>  			fi
> +		elif [ $(($num_violations_new - $num_violations)) -gt 0 ]; then
> +			tst_res $IMA_FAIL "$search too many violations added"
nit: maybe print values for debugging?

			tst_res $IMA_FAIL "$search too many violations added: $num_violations_new - $num_violations"

FYI failing tests has 2 or 3 higher:

ima_violations 1 TINFO: SUT has required policy content
ima_violations 1 TINFO: using log /var/log/audit/audit.log
ima_violations 1 TINFO: verify open writers violation
ima_violations 1 TFAIL: open_writers too many violations added: 106 - 104
ima_violations 2 TINFO: verify ToMToU violation
ima_violations 2 TFAIL: ToMToU too many violations added: 109 - 107
ima_violations 3 TINFO: verify open_writers using mmapped files
tst_test.c:1900: TINFO: LTP version: 20250130-22-gcd2215702f
tst_test.c:1904: TINFO: Tested kernel: 6.13.0-2.g0127a37-default #1 SMP PREEMPT_DYNAMIC Thu Jan 23 11:21:55 UTC 2025 (0127a37) x86_64
tst_kconfig.c:88: TINFO: Parsing kernel config '/proc/config.gz'
tst_kconfig.c:676: TINFO: CONFIG_FAULT_INJECTION kernel option detected which might slow the execution
tst_test.c:1722: TINFO: Overall timeout per run is 0h 02m 00s
ima_mmap.c:38: TINFO: sleep 3s
ima_violations 3 TFAIL: open_writers too many violations added: 112 - 110
ima_mmap.c:41: TPASS: test completed

Summary:
passed   1
failed   0
broken   0
skipped  0
warnings 0
ima_violations 4 TINFO: verify limiting single open writer violation
ima_violations 4 TFAIL: open_writers too many violations added: 116 - 113
ima_violations 5 TINFO: verify limiting multiple open writers violations
ima_violations 5 TFAIL: open_writers too many violations added: 121 - 117
ima_violations 6 TINFO: verify new open writer causes additional violation
ima_violations 6 TFAIL: open_writers too many violations added: 126 - 122
ima_violations 7 TINFO: verify limiting single open reader ToMToU violations
ima_violations 7 TFAIL: ToMToU too many violations added: 130 - 127
ima_violations 8 TINFO: verify new open reader causes additional ToMToU violation
ima_violations 8 TFAIL: ToMToU too many violations added: 134 - 131

As I noted in previous mail, either has of a backport (can be added later, we
don't have to wait for merging) or skip on older kernels (tst_kvcmp -lt ...).

Kind regards,
Petr

Re: [RFC PATCH 3/3] ima: additional ToMToU violation tests

[Mimi Zohar]

On Thu, 2025-02-20 at 19:16 +0100, Petr Vorel wrote:
> Hi Mimi,
> 
> > Kernel patch "ima: limit the number of ToMToU integrity violations"
> > prevents superfluous ToMToU violations.  Add corresponding LTP tests.
> 
> > Link:
> > https://lore.kernel.org/linux-integrity/20250219162131.416719-3-zohar@linux.ibm.com/
> > Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
> 
> Unfortunately tests fail on both mainline kernel and kernel with your patches.

The new LTP IMA violations patches should fail without the associated kernel patches.
> 
> Any hint what could be wrong?

Of course it's dependent on the IMA policy.  The tests assume being booted with the IMA
TCB measurement policy or similar policy being loaded.  Can you share the IMA policy?
e.g. cat /sys/kernel/security/ima/policy

thanks,

Mimi

> 
> Mainline kernel (on kernel with your patches it looks the same):
> ima_violations 1 TINFO: Running: ima_violations.sh
> ima_violations 1 TINFO: Tested kernel: Linux ts 6.13.0-2.g0127a37-default #1 SMP
> PREEMPT_DYNAMIC Thu Jan 23 11:21:55 UTC 2025 (0127a37) x86_64 x86_64 x86_64 GNU/Linux
> ima_violations 1 TINFO: Using /tmp/LTP_ima_violations.cKm34XVZk2 as tmpdir (tmpfs
> filesystem)
> tst_device.c:99: TINFO: Found free device 0 '/dev/loop0'
> ima_violations 1 TINFO: Formatting ext3 with opts='/dev/loop0'
> ima_violations 1 TINFO: Mounting device: mount -t ext3 /dev/loop0
> /tmp/LTP_ima_violations.cKm34XVZk2/mntpoint
> ima_violations 1 TINFO: timeout per run is 0h 5m 0s
> ima_violations 1 TINFO: IMA kernel config:
> ima_violations 1 TINFO: CONFIG_IMA=y
> ima_violations 1 TINFO: CONFIG_IMA_MEASURE_PCR_IDX=10
> ima_violations 1 TINFO: CONFIG_IMA_LSM_RULES=y
> ima_violations 1 TINFO: CONFIG_IMA_NG_TEMPLATE=y
> ima_violations 1 TINFO: CONFIG_IMA_DEFAULT_TEMPLATE="ima-ng"
> ima_violations 1 TINFO: CONFIG_IMA_DEFAULT_HASH_SHA256=y
> ima_violations 1 TINFO: CONFIG_IMA_DEFAULT_HASH="sha256"
> ima_violations 1 TINFO: CONFIG_IMA_READ_POLICY=y
> ima_violations 1 TINFO: CONFIG_IMA_APPRAISE=y
> ima_violations 1 TINFO: CONFIG_IMA_ARCH_POLICY=y
> ima_violations 1 TINFO: CONFIG_IMA_APPRAISE_BOOTPARAM=y
> ima_violations 1 TINFO: CONFIG_IMA_APPRAISE_MODSIG=y
> ima_violations 1 TINFO: CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS=y
> ima_violations 1 TINFO: CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS=y
> ima_violations 1 TINFO: CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT=y
> ima_violations 1 TINFO: CONFIG_IMA_DISABLE_HTABLE=y
> ima_violations 1 TINFO: /proc/cmdline: BOOT_IMAGE=/boot/vmlinuz-6.13.0-2.g0127a37-
> default root=UUID=e36b2366-1af2-4408-903c-1fca82c60f4c splash=silent video=1024x768
> plymouth.ignore-serial-consoles console=ttyS0 console=tty kernel.softlockup_panic=1
> resume=/dev/disk/by-uuid/c3b865f9-5d5b-410e-a6d1-9ebcf721584c mitigations=auto
> security=apparmor ignore_loglevel
> ima_violations 1 TINFO: $TMPDIR is on tmpfs => run on loop device
> ima_violations 1 TINFO: test requires IMA policy:
> measure func=FILE_CHECK mask=^MAY_READ euid=0
> measure func=FILE_CHECK mask=^MAY_READ uid=0
> ima_violations 1 TINFO: SUT has required policy content
> ima_violations 1 TINFO: using log /var/log/audit/audit.log
> ima_violations 1 TINFO: verify open writers violation
> ima_violations 1 TFAIL: open_writers too many violations added
> ima_violations 2 TINFO: verify ToMToU violation
> ima_violations 2 TFAIL: ToMToU too many violations added
> ima_violations 3 TINFO: verify open_writers using mmapped files
> tst_test.c:1900: TINFO: LTP version: 20250130-22-gcd2215702f
> tst_test.c:1904: TINFO: Tested kernel: 6.13.0-2.g0127a37-default #1 SMP PREEMPT_DYNAMIC
> Thu Jan 23 11:21:55 UTC 2025 (0127a37) x86_64
> tst_kconfig.c:88: TINFO: Parsing kernel config '/proc/config.gz'
> tst_kconfig.c:676: TINFO: CONFIG_FAULT_INJECTION kernel option detected which might slow
> the execution
> tst_test.c:1722: TINFO: Overall timeout per run is 0h 02m 00s
> ima_mmap.c:38: TINFO: sleep 3s
> ima_violations 3 TFAIL: open_writers too many violations added
> ima_mmap.c:41: TPASS: test completed
> 
> Summary:
> passed   1
> failed   0
> broken   0
> skipped  0
> warnings 0
> ima_violations 4 TINFO: verify limiting single open writer violation
> ima_violations 4 TFAIL: open_writers too many violations added
> ima_violations 5 TINFO: verify limiting multiple open writers violations
> ima_violations 5 TFAIL: open_writers too many violations added
> ima_violations 6 TINFO: verify new open writer causes additional violation
> ima_violations 6 TFAIL: open_writers too many violations added
> ima_violations 7 TINFO: verify limiting single open reader ToMToU violations
> ima_violations 7 TFAIL: ToMToU too many violations added
> ima_violations 8 TINFO: verify new open reader causes additional ToMToU violation
> ima_violations 8 TFAIL: ToMToU too many violations added
> 
> Kind regards,
> Petr
> 

Re: [RFC PATCH 2/3] ima: additional open-writer violation tests

[Petr Vorel]

Hi Mimi,

> Kernel patch "ima: limit the number of open-writers integrity
> violations" prevents superfluous "open-writers" violations.  Add
> corresponding LTP tests.

> Link: https://lore.kernel.org/linux-integrity/20250219162131.416719-2-zohar@linux.ibm.com/
> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
> ---
>  .../integrity/ima/tests/ima_violations.sh     | 87 ++++++++++++++++++-
>  1 file changed, 86 insertions(+), 1 deletion(-)

> diff --git a/testcases/kernel/security/integrity/ima/tests/ima_violations.sh b/testcases/kernel/security/integrity/ima/tests/ima_violations.sh
> index 7f0382fb8..65c5c3a92 100755
> --- a/testcases/kernel/security/integrity/ima/tests/ima_violations.sh
> +++ b/testcases/kernel/security/integrity/ima/tests/ima_violations.sh
> @@ -8,7 +8,7 @@

>  TST_SETUP="setup"
>  TST_CLEANUP="cleanup"
> -TST_CNT=3
> +TST_CNT=6

>  REQUIRED_BUILTIN_POLICY="tcb"
>  REQUIRED_POLICY_CONTENT='violations.policy'
> @@ -60,6 +60,17 @@ close_file_write()
>  	exec 4>&-
>  }

> +open_file_write2()
> +{
> +	exec 5> $FILE || exit 1
maybe:
	exec 5> $FILE || tst_brk TBROK "exec 5> $FILE failed"

Because tst_brk TBROK calls test cleanup. Plain exit kills everything.
We also have ROD, but that requires binaries ('exec' is a shell builtin).
(It applies to the third patch as well.)

> +	echo 'test writing2' >&5
> +}
> +
> +close_file_write2()
> +{
> +	exec 5>&-
> +}
> +
>  get_count()
>  {
>  	local search="$1"
> @@ -160,6 +171,80 @@ test3()
>  	tst_sleep 2s
>  }

> +test4()
> +{
> +	tst_res TINFO "verify limiting single open writer violation"
> +
> +	local search="open_writers"
> +	local count num_violations
> +
> +	read num_violations < $IMA_VIOLATIONS
> +	count="$(get_count $search)"
> +
> +	open_file_write
> +	open_file_read
> +	close_file_read
> +
> +	open_file_read
> +	close_file_read
> +
> +	close_file_write
> +
> +	validate $num_violations $count $search 1
> +}
> +
> +test5()
> +{
> +	tst_res TINFO "verify limiting multiple open writers violations"
> +
> +	local search="open_writers"
> +	local count num_violations
> +
> +	read num_violations < $IMA_VIOLATIONS
> +	count="$(get_count $search)"
> +
> +	open_file_write
> +	open_file_read
> +	close_file_read
> +
> +	open_file_write2
> +	open_file_read
> +	close_file_read
> +	close_file_write2
> +
> +	open_file_read
> +	close_file_read
> +
> +	close_file_write
> +
> +	validate $num_violations $count $search 1
nit: safer to quote
	validate "$num_violations" "$count" "$search" 1
> +}
> +
> +test6()
> +{
> +	tst_res TINFO "verify new open writer causes additional violation"
> +
> +	local search="open_writers"
> +	local count num_violations
> +
> +	read num_violations < $IMA_VIOLATIONS
> +	count="$(get_count $search)"
> +
> +	open_file_write
> +	open_file_read
> +	close_file_read
> +
> +	open_file_read
> +	close_file_read
> +	close_file_write
> +
> +	open_file_write
> +	open_file_read
> +	close_file_read
> +	close_file_write
> +	validate $num_violations $count $search 2
And here.

Kind regards,
Petr

Re: [RFC PATCH 3/3] ima: additional ToMToU violation tests

[Petr Vorel]

> On Thu, 2025-02-20 at 19:16 +0100, Petr Vorel wrote:
> > Hi Mimi,

> > > Kernel patch "ima: limit the number of ToMToU integrity violations"
> > > prevents superfluous ToMToU violations.  Add corresponding LTP tests.

> > > Link:
> > > https://lore.kernel.org/linux-integrity/20250219162131.416719-3-zohar@linux.ibm.com/
> > > Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>

> > Unfortunately tests fail on both mainline kernel and kernel with your patches.

> The new LTP IMA violations patches should fail without the associated kernel patches.

> > Any hint what could be wrong?

> Of course it's dependent on the IMA policy.  The tests assume being booted with the IMA
> TCB measurement policy or similar policy being loaded.  Can you share the IMA policy?
> e.g. cat /sys/kernel/security/ima/policy

> thanks,

> Mimi

Now testing on kernel *with* your patches. First run always fails, regardless
whether using ima_policy=tcb or
/opt/ltp/testcases/data/ima_violations/violations.policy).

Kind regards,
Petr

First run fails:

# LTP_IMA_LOAD_POLICY=1 LTPROOT="/opt/ltp" PATH="/opt/ltp/testcases/bin:$PATH" ima_violations.sh
(policy is /opt/ltp/testcases/data/ima_violations/violations.policy)
ima_violations 1 TINFO: Running: ima_violations.sh 
ima_violations 1 TINFO: Tested kernel: Linux ts 6.14.0-rc3-1.gb6b4102-default #1 SMP PREEMPT_DYNAMIC Thu Feb 20 12:26:55 UTC 2025 (b6b4102) x86_64 x86_64 x86_64 GNU/Linux
ima_violations 1 TINFO: Using /tmp/LTP_ima_violations.XR34KhtnDM as tmpdir (tmpfs filesystem)
tst_device.c:99: TINFO: Found free device 0 '/dev/loop0'
ima_violations 1 TINFO: Formatting ext3 with opts='/dev/loop0'
ima_violations 1 TINFO: Mounting device: mount -t ext3 /dev/loop0 /tmp/LTP_ima_violations.XR34KhtnDM/mntpoint 
ima_violations 1 TINFO: timeout per run is 0h 5m 0s
ima_violations 1 TINFO: IMA kernel config:
ima_violations 1 TINFO: CONFIG_IMA=y
ima_violations 1 TINFO: CONFIG_IMA_MEASURE_PCR_IDX=10
ima_violations 1 TINFO: CONFIG_IMA_LSM_RULES=y
ima_violations 1 TINFO: CONFIG_IMA_NG_TEMPLATE=y
ima_violations 1 TINFO: CONFIG_IMA_DEFAULT_TEMPLATE="ima-ng"
ima_violations 1 TINFO: CONFIG_IMA_DEFAULT_HASH_SHA256=y
ima_violations 1 TINFO: CONFIG_IMA_DEFAULT_HASH="sha256"
ima_violations 1 TINFO: CONFIG_IMA_READ_POLICY=y
ima_violations 1 TINFO: CONFIG_IMA_APPRAISE=y
ima_violations 1 TINFO: CONFIG_IMA_ARCH_POLICY=y
ima_violations 1 TINFO: CONFIG_IMA_APPRAISE_BOOTPARAM=y
ima_violations 1 TINFO: CONFIG_IMA_APPRAISE_MODSIG=y
ima_violations 1 TINFO: CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS=y
ima_violations 1 TINFO: CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS=y
ima_violations 1 TINFO: CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT=y
ima_violations 1 TINFO: CONFIG_IMA_DISABLE_HTABLE=y
ima_violations 1 TINFO: /proc/cmdline: BOOT_IMAGE=/boot/vmlinuz-6.14.0-rc3-1.gb6b4102-default root=UUID=e36b2366-1af2-4408-903c-1fca82c60f4c splash=silent video=1024x768 plymouth.ignore-serial-consoles console=ttyS0 console=tty kernel.softlockup_panic=1 resume=/dev/disk/by-uuid/c3b865f9-5d5b-410e-a6d1-9ebcf721584c mitigations=auto security=apparmor ignore_loglevel
ima_violations 1 TINFO: $TMPDIR is on tmpfs => run on loop device
ima_violations 1 TINFO: test requires IMA policy:
measure func=FILE_CHECK mask=^MAY_READ euid=0
measure func=FILE_CHECK mask=^MAY_READ uid=0
ima_violations 1 TINFO: WARNING: missing required policy content: 'measure func=FILE_CHECK mask=^MAY_READ euid=0'
ima_violations 1 TINFO: trying to load '/opt/ltp/testcases/data/ima_violations/violations.policy' policy:
measure func=FILE_CHECK mask=^MAY_READ euid=0
measure func=FILE_CHECK mask=^MAY_READ uid=0
ima_violations 1 TINFO: example policy successfully loaded
ima_violations 1 TINFO: using log /var/log/audit/audit.log
ima_violations 1 TINFO: verify open writers violation
ima_violations 1 TFAIL: open_writers too many violations added: 2 - 0
ima_violations 2 TINFO: verify ToMToU violation
ima_violations 2 TPASS: 1 ToMToU violation(s) added
ima_violations 3 TINFO: verify open_writers using mmapped files
tst_test.c:1900: TINFO: LTP version: 20250130-22-gcd2215702f
tst_test.c:1904: TINFO: Tested kernel: 6.14.0-rc3-1.gb6b4102-default #1 SMP PREEMPT_DYNAMIC Thu Feb 20 12:26:55 UTC 2025 (b6b4102) x86_64
tst_kconfig.c:88: TINFO: Parsing kernel config '/proc/config.gz'
tst_kconfig.c:676: TINFO: CONFIG_FAULT_INJECTION kernel option detected which might slow the execution
tst_test.c:1722: TINFO: Overall timeout per run is 0h 02m 00s
ima_mmap.c:38: TINFO: sleep 3s
ima_violations 3 TPASS: 1 open_writers violation(s) added
ima_mmap.c:41: TPASS: test completed

Summary:
passed   1
failed   0
broken   0
skipped  0
warnings 0
ima_violations 4 TINFO: verify limiting single open writer violation
ima_violations 4 TPASS: 1 open_writers violation(s) added
ima_violations 5 TINFO: verify limiting multiple open writers violations
ima_violations 5 TPASS: 1 open_writers violation(s) added
ima_violations 6 TINFO: verify new open writer causes additional violation
ima_violations 6 TPASS: 2 open_writers violation(s) added
ima_violations 7 TINFO: verify limiting single open reader ToMToU violations
ima_violations 7 TPASS: 1 ToMToU violation(s) added
ima_violations 8 TINFO: verify new open reader causes additional ToMToU violation
ima_violations 8 TPASS: 2 ToMToU violation(s) added
ima_violations 9 TINFO: WARNING: policy loaded via LTP_IMA_LOAD_POLICY=1, reboot recommended

Summary:
passed   7
failed   1
broken   0
skipped  0
warnings 0

Second run is ok:
# LTPROOT="/opt/ltp" PATH="/opt/ltp/testcases/bin:$PATH" ima_violations.sh
ima_violations 1 TINFO: Running: ima_violations.sh 
ima_violations 1 TINFO: Tested kernel: Linux ts 6.14.0-rc3-1.gb6b4102-default #1 SMP PREEMPT_DYNAMIC Thu Feb 20 12:26:55 UTC 2025 (b6b4102) x86_64 x86_64 x86_64 GNU/Linux
ima_violations 1 TINFO: Using /var/tmp/LTP_ima_violations.SWERFjvPTp as tmpdir (btrfs filesystem)
ima_violations 1 TINFO: timeout per run is 0h 5m 0s
ima_violations 1 TINFO: IMA kernel config:
ima_violations 1 TINFO: CONFIG_IMA=y
ima_violations 1 TINFO: CONFIG_IMA_MEASURE_PCR_IDX=10
ima_violations 1 TINFO: CONFIG_IMA_LSM_RULES=y
ima_violations 1 TINFO: CONFIG_IMA_NG_TEMPLATE=y
ima_violations 1 TINFO: CONFIG_IMA_DEFAULT_TEMPLATE="ima-ng"
ima_violations 1 TINFO: CONFIG_IMA_DEFAULT_HASH_SHA256=y
ima_violations 1 TINFO: CONFIG_IMA_DEFAULT_HASH="sha256"
ima_violations 1 TINFO: CONFIG_IMA_READ_POLICY=y
ima_violations 1 TINFO: CONFIG_IMA_APPRAISE=y
ima_violations 1 TINFO: CONFIG_IMA_ARCH_POLICY=y
ima_violations 1 TINFO: CONFIG_IMA_APPRAISE_BOOTPARAM=y
ima_violations 1 TINFO: CONFIG_IMA_APPRAISE_MODSIG=y
ima_violations 1 TINFO: CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS=y
ima_violations 1 TINFO: CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS=y
ima_violations 1 TINFO: CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT=y
ima_violations 1 TINFO: CONFIG_IMA_DISABLE_HTABLE=y
ima_violations 1 TINFO: /proc/cmdline: BOOT_IMAGE=/boot/vmlinuz-6.14.0-rc3-1.gb6b4102-default root=UUID=e36b2366-1af2-4408-903c-1fca82c60f4c splash=silent video=1024x768 plymouth.ignore-serial-consoles console=ttyS0 console=tty kernel.softlockup_panic=1 resume=/dev/disk/by-uuid/c3b865f9-5d5b-410e-a6d1-9ebcf721584c mitigations=auto security=apparmor ignore_loglevel
ima_violations 1 TINFO: test requires IMA policy:
measure func=FILE_CHECK mask=^MAY_READ euid=0
measure func=FILE_CHECK mask=^MAY_READ uid=0
ima_violations 1 TINFO: SUT has required policy content
ima_violations 1 TINFO: using log /var/log/audit/audit.log
ima_violations 1 TINFO: verify open writers violation
ima_violations 1 TPASS: 1 open_writers violation(s) added
ima_violations 2 TINFO: verify ToMToU violation
ima_violations 2 TPASS: 1 ToMToU violation(s) added
ima_violations 3 TINFO: verify open_writers using mmapped files
tst_test.c:1900: TINFO: LTP version: 20250130-22-gcd2215702f
tst_test.c:1904: TINFO: Tested kernel: 6.14.0-rc3-1.gb6b4102-default #1 SMP PREEMPT_DYNAMIC Thu Feb 20 12:26:55 UTC 2025 (b6b4102) x86_64
tst_kconfig.c:88: TINFO: Parsing kernel config '/proc/config.gz'
tst_kconfig.c:676: TINFO: CONFIG_FAULT_INJECTION kernel option detected which might slow the execution
tst_test.c:1722: TINFO: Overall timeout per run is 0h 02m 00s
ima_mmap.c:38: TINFO: sleep 3s
ima_violations 3 TPASS: 1 open_writers violation(s) added
ima_mmap.c:41: TPASS: test completed

Summary:
passed   1
failed   0
broken   0
skipped  0
warnings 0
ima_violations 4 TINFO: verify limiting single open writer violation
ima_violations 4 TPASS: 1 open_writers violation(s) added
ima_violations 5 TINFO: verify limiting multiple open writers violations
ima_violations 5 TPASS: 1 open_writers violation(s) added
ima_violations 6 TINFO: verify new open writer causes additional violation
ima_violations 6 TPASS: 2 open_writers violation(s) added
ima_violations 7 TINFO: verify limiting single open reader ToMToU violations
ima_violations 7 TPASS: 1 ToMToU violation(s) added
ima_violations 8 TINFO: verify new open reader causes additional ToMToU violation
ima_violations 8 TPASS: 2 ToMToU violation(s) added

Summary:
passed   8
failed   0
broken   0
skipped  0
warnings 0

Reboot and running with ima_policy=tcb also fails on the first time:

# LTPROOT="/opt/ltp" PATH="/opt/ltp/testcases/bin:$PATH" ima_violations.sh 
tmpfs is skipped
ima_violations 1 TINFO: Running: ima_violations.sh 
ima_violations 1 TINFO: Tested kernel: Linux ts 6.14.0-rc3-1.gb6b4102-default #1 SMP PREEMPT_DYNAMIC Thu Feb 20 12:26:55 UTC 2025 (b6b4102) x86_64 x86_64 x86_64 GNU/Linux
ima_violations 1 TINFO: Using /tmp/LTP_ima_violations.FKQSfezAwR as tmpdir (tmpfs filesystem)
tst_device.c:99: TINFO: Found free device 0 '/dev/loop0'
ima_violations 1 TINFO: Formatting ext3 with opts='/dev/loop0'
ima_violations 1 TINFO: Mounting device: mount -t ext3 /dev/loop0 /tmp/LTP_ima_violations.FKQSfezAwR/mntpoint 
ima_violations 1 TINFO: timeout per run is 0h 5m 0s
ima_violations 1 TINFO: IMA kernel config:
ima_violations 1 TINFO: CONFIG_IMA=y
ima_violations 1 TINFO: CONFIG_IMA_MEASURE_PCR_IDX=10
ima_violations 1 TINFO: CONFIG_IMA_LSM_RULES=y
ima_violations 1 TINFO: CONFIG_IMA_NG_TEMPLATE=y
ima_violations 1 TINFO: CONFIG_IMA_DEFAULT_TEMPLATE="ima-ng"
ima_violations 1 TINFO: CONFIG_IMA_DEFAULT_HASH_SHA256=y
ima_violations 1 TINFO: CONFIG_IMA_DEFAULT_HASH="sha256"
ima_violations 1 TINFO: CONFIG_IMA_READ_POLICY=y
ima_violations 1 TINFO: CONFIG_IMA_APPRAISE=y
ima_violations 1 TINFO: CONFIG_IMA_ARCH_POLICY=y
ima_violations 1 TINFO: CONFIG_IMA_APPRAISE_BOOTPARAM=y
ima_violations 1 TINFO: CONFIG_IMA_APPRAISE_MODSIG=y
ima_violations 1 TINFO: CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS=y
ima_violations 1 TINFO: CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS=y
ima_violations 1 TINFO: CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT=y
ima_violations 1 TINFO: CONFIG_IMA_DISABLE_HTABLE=y
ima_violations 1 TINFO: /proc/cmdline: BOOT_IMAGE=/boot/vmlinuz-6.14.0-rc3-1.gb6b4102-default root=UUID=e36b2366-1af2-4408-903c-1fca82c60f4c splash=silent video=1024x768 plymouth.ignore-serial-consoles console=ttyS0 console=tty kernel.softlockup_panic=1 resume=/dev/disk/by-uuid/c3b865f9-5d5b-410e-a6d1-9ebcf721584c mitigations=auto security=apparmor ignore_loglevel ima_policy=tcb
ima_violations 1 TINFO: $TMPDIR is on tmpfs => run on loop device
ima_violations 1 TINFO: booted with IMA policy: tcb
ima_violations 1 TINFO: using log /var/log/audit/audit.log
ima_violations 1 TINFO: verify open writers violation
ima_violations 1 TFAIL: open_writers too many violations added: 3 - 1
ima_violations 2 TINFO: verify ToMToU violation
ima_violations 2 TPASS: 1 ToMToU violation(s) added
ima_violations 3 TINFO: verify open_writers using mmapped files
tst_test.c:1900: TINFO: LTP version: 20250130-22-gcd2215702f
tst_test.c:1904: TINFO: Tested kernel: 6.14.0-rc3-1.gb6b4102-default #1 SMP PREEMPT_DYNAMIC Thu Feb 20 12:26:55 UTC 2025 (b6b4102) x86_64
tst_kconfig.c:88: TINFO: Parsing kernel config '/proc/config.gz'
tst_kconfig.c:676: TINFO: CONFIG_FAULT_INJECTION kernel option detected which might slow the execution
tst_test.c:1722: TINFO: Overall timeout per run is 0h 02m 00s
ima_mmap.c:38: TINFO: sleep 3s
ima_violations 3 TPASS: 1 open_writers violation(s) added
ima_mmap.c:41: TPASS: test completed

Summary:
passed   1
failed   0
broken   0
skipped  0
warnings 0
ima_violations 4 TINFO: verify limiting single open writer violation
ima_violations 4 TPASS: 1 open_writers violation(s) added
ima_violations 5 TINFO: verify limiting multiple open writers violations
ima_violations 5 TPASS: 1 open_writers violation(s) added
ima_violations 6 TINFO: verify new open writer causes additional violation
ima_violations 6 TPASS: 2 open_writers violation(s) added
ima_violations 7 TINFO: verify limiting single open reader ToMToU violations
ima_violations 7 TPASS: 1 ToMToU violation(s) added
ima_violations 8 TINFO: verify new open reader causes additional ToMToU violation
ima_violations 8 TPASS: 2 ToMToU violation(s) added

Summary:
passed   7
failed   1
broken   0
skipped  0
warnings 0

Second and later run is again OK
# LTPROOT="/opt/ltp" PATH="/opt/ltp/testcases/bin:$PATH" ima_violations.sh 
tmpfs is skipped
ima_violations 1 TINFO: Running: ima_violations.sh 
ima_violations 1 TINFO: Tested kernel: Linux ts 6.14.0-rc3-1.gb6b4102-default #1 SMP PREEMPT_DYNAMIC Thu Feb 20 12:26:55 UTC 2025 (b6b4102) x86_64 x86_64 x86_64 GNU/Linux
ima_violations 1 TINFO: Using /tmp/LTP_ima_violations.1Qf6qJuSoo as tmpdir (tmpfs filesystem)
tst_device.c:99: TINFO: Found free device 0 '/dev/loop0'
ima_violations 1 TINFO: Formatting ext3 with opts='/dev/loop0'
ima_violations 1 TINFO: Mounting device: mount -t ext3 /dev/loop0 /tmp/LTP_ima_violations.1Qf6qJuSoo/mntpoint 
ima_violations 1 TINFO: timeout per run is 0h 5m 0s
ima_violations 1 TINFO: IMA kernel config:
ima_violations 1 TINFO: CONFIG_IMA=y
ima_violations 1 TINFO: CONFIG_IMA_MEASURE_PCR_IDX=10
ima_violations 1 TINFO: CONFIG_IMA_LSM_RULES=y
ima_violations 1 TINFO: CONFIG_IMA_NG_TEMPLATE=y
ima_violations 1 TINFO: CONFIG_IMA_DEFAULT_TEMPLATE="ima-ng"
ima_violations 1 TINFO: CONFIG_IMA_DEFAULT_HASH_SHA256=y
ima_violations 1 TINFO: CONFIG_IMA_DEFAULT_HASH="sha256"
ima_violations 1 TINFO: CONFIG_IMA_READ_POLICY=y
ima_violations 1 TINFO: CONFIG_IMA_APPRAISE=y
ima_violations 1 TINFO: CONFIG_IMA_ARCH_POLICY=y
ima_violations 1 TINFO: CONFIG_IMA_APPRAISE_BOOTPARAM=y
ima_violations 1 TINFO: CONFIG_IMA_APPRAISE_MODSIG=y
ima_violations 1 TINFO: CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS=y
ima_violations 1 TINFO: CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS=y
ima_violations 1 TINFO: CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT=y
ima_violations 1 TINFO: CONFIG_IMA_DISABLE_HTABLE=y
ima_violations 1 TINFO: /proc/cmdline: BOOT_IMAGE=/boot/vmlinuz-6.14.0-rc3-1.gb6b4102-default root=UUID=e36b2366-1af2-4408-903c-1fca82c60f4c splash=silent video=1024x768 plymouth.ignore-serial-consoles console=ttyS0 console=tty kernel.softlockup_panic=1 resume=/dev/disk/by-uuid/c3b865f9-5d5b-410e-a6d1-9ebcf721584c mitigations=auto security=apparmor ignore_loglevel ima_policy=tcb
ima_violations 1 TINFO: $TMPDIR is on tmpfs => run on loop device
ima_violations 1 TINFO: booted with IMA policy: tcb
ima_violations 1 TINFO: using log /var/log/audit/audit.log
ima_violations 1 TINFO: verify open writers violation
ima_violations 1 TPASS: 1 open_writers violation(s) added
ima_violations 2 TINFO: verify ToMToU violation
ima_violations 2 TPASS: 1 ToMToU violation(s) added
ima_violations 3 TINFO: verify open_writers using mmapped files
tst_test.c:1900: TINFO: LTP version: 20250130-22-gcd2215702f
tst_test.c:1904: TINFO: Tested kernel: 6.14.0-rc3-1.gb6b4102-default #1 SMP PREEMPT_DYNAMIC Thu Feb 20 12:26:55 UTC 2025 (b6b4102) x86_64
tst_kconfig.c:88: TINFO: Parsing kernel config '/proc/config.gz'
tst_kconfig.c:676: TINFO: CONFIG_FAULT_INJECTION kernel option detected which might slow the execution
tst_test.c:1722: TINFO: Overall timeout per run is 0h 02m 00s
ima_mmap.c:38: TINFO: sleep 3s
ima_violations 3 TPASS: 1 open_writers violation(s) added
ima_mmap.c:41: TPASS: test completed

Summary:
passed   1
failed   0
broken   0
skipped  0
warnings 0
ima_violations 4 TINFO: verify limiting single open writer violation
ima_violations 4 TPASS: 1 open_writers violation(s) added
ima_violations 5 TINFO: verify limiting multiple open writers violations
ima_violations 5 TPASS: 1 open_writers violation(s) added
ima_violations 6 TINFO: verify new open writer causes additional violation
ima_violations 6 TPASS: 2 open_writers violation(s) added
ima_violations 7 TINFO: verify limiting single open reader ToMToU violations
ima_violations 7 TPASS: 1 ToMToU violation(s) added
ima_violations 8 TINFO: verify new open reader causes additional ToMToU violation
ima_violations 8 TPASS: 2 ToMToU violation(s) added

Summary:
passed   8
failed   0
broken   0
skipped  0
warnings 0

Re: [RFC PATCH 3/3] ima: additional ToMToU violation tests

[Mimi Zohar]

On Thu, 2025-02-20 at 20:13 +0100, Petr Vorel wrote:
> > On Thu, 2025-02-20 at 19:16 +0100, Petr Vorel wrote:
> > > Hi Mimi,
> 
> > > > Kernel patch "ima: limit the number of ToMToU integrity violations"
> > > > prevents superfluous ToMToU violations.  Add corresponding LTP tests.
> 
> > > > Link:
> > > > https://lore.kernel.org/linux-integrity/20250219162131.416719-3-zohar@linux.ibm.com/
> > > > Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
> 
> > > Unfortunately tests fail on both mainline kernel and kernel with your patches.
> 
> > The new LTP IMA violations patches should fail without the associated kernel patches.
> 
> > > Any hint what could be wrong?
> 
> > Of course it's dependent on the IMA policy.  The tests assume being booted with the
> > IMA
> > TCB measurement policy or similar policy being loaded.  Can you share the IMA policy?
> > e.g. cat /sys/kernel/security/ima/policy
> 
> > thanks,
> 
> > Mimi
> 
> Now testing on kernel *with* your patches. First run always fails, regardless
> whether using ima_policy=tcb or
> /opt/ltp/testcases/data/ima_violations/violations.policy).
> 
> Kind regards,
> Petr

I'm not seeing that on my test machine.  Could there be other things running on your
system causing violations.  In anycase, your original test was less exacting.   Similarly,
instead of "-eq", try using "-qe" in the following test and removing the subsequent new
"gt" test.

if [ $(($num_violations_new - $num_violations)) -eq $expected_violations ]; then

> 
> First run fails:
> 
> # LTP_IMA_LOAD_POLICY=1 LTPROOT="/opt/ltp" PATH="/opt/ltp/testcases/bin:$PATH"
> ima_violations.sh
> (policy is /opt/ltp/testcases/data/ima_violations/violations.policy)
> ima_violations 1 TINFO: Running: ima_violations.sh 
> ima_violations 1 TINFO: Tested kernel: Linux ts 6.14.0-rc3-1.gb6b4102-default #1 SMP
> PREEMPT_DYNAMIC Thu Feb 20 12:26:55 UTC 2025 (b6b4102) x86_64 x86_64 x86_64 GNU/Linux
> ima_violations 1 TINFO: Using /tmp/LTP_ima_violations.XR34KhtnDM as tmpdir (tmpfs
> filesystem)
> tst_device.c:99: TINFO: Found free device 0 '/dev/loop0'
> ima_violations 1 TINFO: Formatting ext3 with opts='/dev/loop0'
> ima_violations 1 TINFO: Mounting device: mount -t ext3 /dev/loop0
> /tmp/LTP_ima_violations.XR34KhtnDM/mntpoint 
> ima_violations 1 TINFO: timeout per run is 0h 5m 0s
> ima_violations 1 TINFO: IMA kernel config:
> ima_violations 1 TINFO: CONFIG_IMA=y
> ima_violations 1 TINFO: CONFIG_IMA_MEASURE_PCR_IDX=10
> ima_violations 1 TINFO: CONFIG_IMA_LSM_RULES=y
> ima_violations 1 TINFO: CONFIG_IMA_NG_TEMPLATE=y
> ima_violations 1 TINFO: CONFIG_IMA_DEFAULT_TEMPLATE="ima-ng"
> ima_violations 1 TINFO: CONFIG_IMA_DEFAULT_HASH_SHA256=y
> ima_violations 1 TINFO: CONFIG_IMA_DEFAULT_HASH="sha256"
> ima_violations 1 TINFO: CONFIG_IMA_READ_POLICY=y
> ima_violations 1 TINFO: CONFIG_IMA_APPRAISE=y
> ima_violations 1 TINFO: CONFIG_IMA_ARCH_POLICY=y
> ima_violations 1 TINFO: CONFIG_IMA_APPRAISE_BOOTPARAM=y
> ima_violations 1 TINFO: CONFIG_IMA_APPRAISE_MODSIG=y
> ima_violations 1 TINFO: CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS=y
> ima_violations 1 TINFO: CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS=y
> ima_violations 1 TINFO: CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT=y
> ima_violations 1 TINFO: CONFIG_IMA_DISABLE_HTABLE=y
> ima_violations 1 TINFO: /proc/cmdline: BOOT_IMAGE=/boot/vmlinuz-6.14.0-rc3-1.gb6b4102-
> default root=UUID=e36b2366-1af2-4408-903c-1fca82c60f4c splash=silent video=1024x768
> plymouth.ignore-serial-consoles console=ttyS0 console=tty kernel.softlockup_panic=1
> resume=/dev/disk/by-uuid/c3b865f9-5d5b-410e-a6d1-9ebcf721584c mitigations=auto
> security=apparmor ignore_loglevel
> ima_violations 1 TINFO: $TMPDIR is on tmpfs => run on loop device
> ima_violations 1 TINFO: test requires IMA policy:
> measure func=FILE_CHECK mask=^MAY_READ euid=0
> measure func=FILE_CHECK mask=^MAY_READ uid=0
> ima_violations 1 TINFO: WARNING: missing required policy content: 'measure
> func=FILE_CHECK mask=^MAY_READ euid=0'
> ima_violations 1 TINFO: trying to load
> '/opt/ltp/testcases/data/ima_violations/violations.policy' policy:
> measure func=FILE_CHECK mask=^MAY_READ euid=0
> measure func=FILE_CHECK mask=^MAY_READ uid=0
> ima_violations 1 TINFO: example policy successfully loaded
> ima_violations 1 TINFO: using log /var/log/audit/audit.log
> ima_violations 1 TINFO: verify open writers violation
> ima_violations 1 TFAIL: open_writers too many violations added: 2 - 0
> ima_violations 2 TINFO: verify ToMToU violation
> ima_violations 2 TPASS: 1 ToMToU violation(s) added
> ima_violations 3 TINFO: verify open_writers using mmapped files
> tst_test.c:1900: TINFO: LTP version: 20250130-22-gcd2215702f
> tst_test.c:1904: TINFO: Tested kernel: 6.14.0-rc3-1.gb6b4102-default #1 SMP
> PREEMPT_DYNAMIC Thu Feb 20 12:26:55 UTC 2025 (b6b4102) x86_64
> tst_kconfig.c:88: TINFO: Parsing kernel config '/proc/config.gz'
> tst_kconfig.c:676: TINFO: CONFIG_FAULT_INJECTION kernel option detected which might slow
> the execution
> tst_test.c:1722: TINFO: Overall timeout per run is 0h 02m 00s
> ima_mmap.c:38: TINFO: sleep 3s
> ima_violations 3 TPASS: 1 open_writers violation(s) added
> ima_mmap.c:41: TPASS: test completed
> 
> Summary:
> passed   1
> failed   0
> broken   0
> skipped  0
> warnings 0
> ima_violations 4 TINFO: verify limiting single open writer violation
> ima_violations 4 TPASS: 1 open_writers violation(s) added
> ima_violations 5 TINFO: verify limiting multiple open writers violations
> ima_violations 5 TPASS: 1 open_writers violation(s) added
> ima_violations 6 TINFO: verify new open writer causes additional violation
> ima_violations 6 TPASS: 2 open_writers violation(s) added
> ima_violations 7 TINFO: verify limiting single open reader ToMToU violations
> ima_violations 7 TPASS: 1 ToMToU violation(s) added
> ima_violations 8 TINFO: verify new open reader causes additional ToMToU violation
> ima_violations 8 TPASS: 2 ToMToU violation(s) added
> ima_violations 9 TINFO: WARNING: policy loaded via LTP_IMA_LOAD_POLICY=1, reboot
> recommended
> 
> Summary:
> passed   7
> failed   1
> broken   0
> skipped  0
> warnings 0
> 
> Second run is ok:
> # LTPROOT="/opt/ltp" PATH="/opt/ltp/testcases/bin:$PATH" ima_violations.sh
> ima_violations 1 TINFO: Running: ima_violations.sh 
> ima_violations 1 TINFO: Tested kernel: Linux ts 6.14.0-rc3-1.gb6b4102-default #1 SMP
> PREEMPT_DYNAMIC Thu Feb 20 12:26:55 UTC 2025 (b6b4102) x86_64 x86_64 x86_64 GNU/Linux
> ima_violations 1 TINFO: Using /var/tmp/LTP_ima_violations.SWERFjvPTp as tmpdir (btrfs
> filesystem)
> ima_violations 1 TINFO: timeout per run is 0h 5m 0s
> ima_violations 1 TINFO: IMA kernel config:
> ima_violations 1 TINFO: CONFIG_IMA=y
> ima_violations 1 TINFO: CONFIG_IMA_MEASURE_PCR_IDX=10
> ima_violations 1 TINFO: CONFIG_IMA_LSM_RULES=y
> ima_violations 1 TINFO: CONFIG_IMA_NG_TEMPLATE=y
> ima_violations 1 TINFO: CONFIG_IMA_DEFAULT_TEMPLATE="ima-ng"
> ima_violations 1 TINFO: CONFIG_IMA_DEFAULT_HASH_SHA256=y
> ima_violations 1 TINFO: CONFIG_IMA_DEFAULT_HASH="sha256"
> ima_violations 1 TINFO: CONFIG_IMA_READ_POLICY=y
> ima_violations 1 TINFO: CONFIG_IMA_APPRAISE=y
> ima_violations 1 TINFO: CONFIG_IMA_ARCH_POLICY=y
> ima_violations 1 TINFO: CONFIG_IMA_APPRAISE_BOOTPARAM=y
> ima_violations 1 TINFO: CONFIG_IMA_APPRAISE_MODSIG=y
> ima_violations 1 TINFO: CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS=y
> ima_violations 1 TINFO: CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS=y
> ima_violations 1 TINFO: CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT=y
> ima_violations 1 TINFO: CONFIG_IMA_DISABLE_HTABLE=y
> ima_violations 1 TINFO: /proc/cmdline: BOOT_IMAGE=/boot/vmlinuz-6.14.0-rc3-1.gb6b4102-
> default root=UUID=e36b2366-1af2-4408-903c-1fca82c60f4c splash=silent video=1024x768
> plymouth.ignore-serial-consoles console=ttyS0 console=tty kernel.softlockup_panic=1
> resume=/dev/disk/by-uuid/c3b865f9-5d5b-410e-a6d1-9ebcf721584c mitigations=auto
> security=apparmor ignore_loglevel
> ima_violations 1 TINFO: test requires IMA policy:
> measure func=FILE_CHECK mask=^MAY_READ euid=0
> measure func=FILE_CHECK mask=^MAY_READ uid=0
> ima_violations 1 TINFO: SUT has required policy content
> ima_violations 1 TINFO: using log /var/log/audit/audit.log
> ima_violations 1 TINFO: verify open writers violation
> ima_violations 1 TPASS: 1 open_writers violation(s) added
> ima_violations 2 TINFO: verify ToMToU violation
> ima_violations 2 TPASS: 1 ToMToU violation(s) added
> ima_violations 3 TINFO: verify open_writers using mmapped files
> tst_test.c:1900: TINFO: LTP version: 20250130-22-gcd2215702f
> tst_test.c:1904: TINFO: Tested kernel: 6.14.0-rc3-1.gb6b4102-default #1 SMP
> PREEMPT_DYNAMIC Thu Feb 20 12:26:55 UTC 2025 (b6b4102) x86_64
> tst_kconfig.c:88: TINFO: Parsing kernel config '/proc/config.gz'
> tst_kconfig.c:676: TINFO: CONFIG_FAULT_INJECTION kernel option detected which might slow
> the execution
> tst_test.c:1722: TINFO: Overall timeout per run is 0h 02m 00s
> ima_mmap.c:38: TINFO: sleep 3s
> ima_violations 3 TPASS: 1 open_writers violation(s) added
> ima_mmap.c:41: TPASS: test completed
> 
> Summary:
> passed   1
> failed   0
> broken   0
> skipped  0
> warnings 0
> ima_violations 4 TINFO: verify limiting single open writer violation
> ima_violations 4 TPASS: 1 open_writers violation(s) added
> ima_violations 5 TINFO: verify limiting multiple open writers violations
> ima_violations 5 TPASS: 1 open_writers violation(s) added
> ima_violations 6 TINFO: verify new open writer causes additional violation
> ima_violations 6 TPASS: 2 open_writers violation(s) added
> ima_violations 7 TINFO: verify limiting single open reader ToMToU violations
> ima_violations 7 TPASS: 1 ToMToU violation(s) added
> ima_violations 8 TINFO: verify new open reader causes additional ToMToU violation
> ima_violations 8 TPASS: 2 ToMToU violation(s) added
> 
> Summary:
> passed   8
> failed   0
> broken   0
> skipped  0
> warnings 0
> 
> Reboot and running with ima_policy=tcb also fails on the first time:
> 
> # LTPROOT="/opt/ltp" PATH="/opt/ltp/testcases/bin:$PATH" ima_violations.sh 
> tmpfs is skipped
> ima_violations 1 TINFO: Running: ima_violations.sh 
> ima_violations 1 TINFO: Tested kernel: Linux ts 6.14.0-rc3-1.gb6b4102-default #1 SMP
> PREEMPT_DYNAMIC Thu Feb 20 12:26:55 UTC 2025 (b6b4102) x86_64 x86_64 x86_64 GNU/Linux
> ima_violations 1 TINFO: Using /tmp/LTP_ima_violations.FKQSfezAwR as tmpdir (tmpfs
> filesystem)
> tst_device.c:99: TINFO: Found free device 0 '/dev/loop0'
> ima_violations 1 TINFO: Formatting ext3 with opts='/dev/loop0'
> ima_violations 1 TINFO: Mounting device: mount -t ext3 /dev/loop0
> /tmp/LTP_ima_violations.FKQSfezAwR/mntpoint 
> ima_violations 1 TINFO: timeout per run is 0h 5m 0s
> ima_violations 1 TINFO: IMA kernel config:
> ima_violations 1 TINFO: CONFIG_IMA=y
> ima_violations 1 TINFO: CONFIG_IMA_MEASURE_PCR_IDX=10
> ima_violations 1 TINFO: CONFIG_IMA_LSM_RULES=y
> ima_violations 1 TINFO: CONFIG_IMA_NG_TEMPLATE=y
> ima_violations 1 TINFO: CONFIG_IMA_DEFAULT_TEMPLATE="ima-ng"
> ima_violations 1 TINFO: CONFIG_IMA_DEFAULT_HASH_SHA256=y
> ima_violations 1 TINFO: CONFIG_IMA_DEFAULT_HASH="sha256"
> ima_violations 1 TINFO: CONFIG_IMA_READ_POLICY=y
> ima_violations 1 TINFO: CONFIG_IMA_APPRAISE=y
> ima_violations 1 TINFO: CONFIG_IMA_ARCH_POLICY=y
> ima_violations 1 TINFO: CONFIG_IMA_APPRAISE_BOOTPARAM=y
> ima_violations 1 TINFO: CONFIG_IMA_APPRAISE_MODSIG=y
> ima_violations 1 TINFO: CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS=y
> ima_violations 1 TINFO: CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS=y
> ima_violations 1 TINFO: CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT=y
> ima_violations 1 TINFO: CONFIG_IMA_DISABLE_HTABLE=y
> ima_violations 1 TINFO: /proc/cmdline: BOOT_IMAGE=/boot/vmlinuz-6.14.0-rc3-1.gb6b4102-
> default root=UUID=e36b2366-1af2-4408-903c-1fca82c60f4c splash=silent video=1024x768
> plymouth.ignore-serial-consoles console=ttyS0 console=tty kernel.softlockup_panic=1
> resume=/dev/disk/by-uuid/c3b865f9-5d5b-410e-a6d1-9ebcf721584c mitigations=auto
> security=apparmor ignore_loglevel ima_policy=tcb
> ima_violations 1 TINFO: $TMPDIR is on tmpfs => run on loop device
> ima_violations 1 TINFO: booted with IMA policy: tcb
> ima_violations 1 TINFO: using log /var/log/audit/audit.log
> ima_violations 1 TINFO: verify open writers violation
> ima_violations 1 TFAIL: open_writers too many violations added: 3 - 1
> ima_violations 2 TINFO: verify ToMToU violation
> ima_violations 2 TPASS: 1 ToMToU violation(s) added
> ima_violations 3 TINFO: verify open_writers using mmapped files
> tst_test.c:1900: TINFO: LTP version: 20250130-22-gcd2215702f
> tst_test.c:1904: TINFO: Tested kernel: 6.14.0-rc3-1.gb6b4102-default #1 SMP
> PREEMPT_DYNAMIC Thu Feb 20 12:26:55 UTC 2025 (b6b4102) x86_64
> tst_kconfig.c:88: TINFO: Parsing kernel config '/proc/config.gz'
> tst_kconfig.c:676: TINFO: CONFIG_FAULT_INJECTION kernel option detected which might slow
> the execution
> tst_test.c:1722: TINFO: Overall timeout per run is 0h 02m 00s
> ima_mmap.c:38: TINFO: sleep 3s
> ima_violations 3 TPASS: 1 open_writers violation(s) added
> ima_mmap.c:41: TPASS: test completed
> 
> Summary:
> passed   1
> failed   0
> broken   0
> skipped  0
> warnings 0
> ima_violations 4 TINFO: verify limiting single open writer violation
> ima_violations 4 TPASS: 1 open_writers violation(s) added
> ima_violations 5 TINFO: verify limiting multiple open writers violations
> ima_violations 5 TPASS: 1 open_writers violation(s) added
> ima_violations 6 TINFO: verify new open writer causes additional violation
> ima_violations 6 TPASS: 2 open_writers violation(s) added
> ima_violations 7 TINFO: verify limiting single open reader ToMToU violations
> ima_violations 7 TPASS: 1 ToMToU violation(s) added
> ima_violations 8 TINFO: verify new open reader causes additional ToMToU violation
> ima_violations 8 TPASS: 2 ToMToU violation(s) added
> 
> Summary:
> passed   7
> failed   1
> broken   0
> skipped  0
> warnings 0
> 
> Second and later run is again OK
> # LTPROOT="/opt/ltp" PATH="/opt/ltp/testcases/bin:$PATH" ima_violations.sh 
> tmpfs is skipped
> ima_violations 1 TINFO: Running: ima_violations.sh 
> ima_violations 1 TINFO: Tested kernel: Linux ts 6.14.0-rc3-1.gb6b4102-default #1 SMP
> PREEMPT_DYNAMIC Thu Feb 20 12:26:55 UTC 2025 (b6b4102) x86_64 x86_64 x86_64 GNU/Linux
> ima_violations 1 TINFO: Using /tmp/LTP_ima_violations.1Qf6qJuSoo as tmpdir (tmpfs
> filesystem)
> tst_device.c:99: TINFO: Found free device 0 '/dev/loop0'
> ima_violations 1 TINFO: Formatting ext3 with opts='/dev/loop0'
> ima_violations 1 TINFO: Mounting device: mount -t ext3 /dev/loop0
> /tmp/LTP_ima_violations.1Qf6qJuSoo/mntpoint 
> ima_violations 1 TINFO: timeout per run is 0h 5m 0s
> ima_violations 1 TINFO: IMA kernel config:
> ima_violations 1 TINFO: CONFIG_IMA=y
> ima_violations 1 TINFO: CONFIG_IMA_MEASURE_PCR_IDX=10
> ima_violations 1 TINFO: CONFIG_IMA_LSM_RULES=y
> ima_violations 1 TINFO: CONFIG_IMA_NG_TEMPLATE=y
> ima_violations 1 TINFO: CONFIG_IMA_DEFAULT_TEMPLATE="ima-ng"
> ima_violations 1 TINFO: CONFIG_IMA_DEFAULT_HASH_SHA256=y
> ima_violations 1 TINFO: CONFIG_IMA_DEFAULT_HASH="sha256"
> ima_violations 1 TINFO: CONFIG_IMA_READ_POLICY=y
> ima_violations 1 TINFO: CONFIG_IMA_APPRAISE=y
> ima_violations 1 TINFO: CONFIG_IMA_ARCH_POLICY=y
> ima_violations 1 TINFO: CONFIG_IMA_APPRAISE_BOOTPARAM=y
> ima_violations 1 TINFO: CONFIG_IMA_APPRAISE_MODSIG=y
> ima_violations 1 TINFO: CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS=y
> ima_violations 1 TINFO: CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS=y
> ima_violations 1 TINFO: CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT=y
> ima_violations 1 TINFO: CONFIG_IMA_DISABLE_HTABLE=y
> ima_violations 1 TINFO: /proc/cmdline: BOOT_IMAGE=/boot/vmlinuz-6.14.0-rc3-1.gb6b4102-
> default root=UUID=e36b2366-1af2-4408-903c-1fca82c60f4c splash=silent video=1024x768
> plymouth.ignore-serial-consoles console=ttyS0 console=tty kernel.softlockup_panic=1
> resume=/dev/disk/by-uuid/c3b865f9-5d5b-410e-a6d1-9ebcf721584c mitigations=auto
> security=apparmor ignore_loglevel ima_policy=tcb
> ima_violations 1 TINFO: $TMPDIR is on tmpfs => run on loop device
> ima_violations 1 TINFO: booted with IMA policy: tcb
> ima_violations 1 TINFO: using log /var/log/audit/audit.log
> ima_violations 1 TINFO: verify open writers violation
> ima_violations 1 TPASS: 1 open_writers violation(s) added
> ima_violations 2 TINFO: verify ToMToU violation
> ima_violations 2 TPASS: 1 ToMToU violation(s) added
> ima_violations 3 TINFO: verify open_writers using mmapped files
> tst_test.c:1900: TINFO: LTP version: 20250130-22-gcd2215702f
> tst_test.c:1904: TINFO: Tested kernel: 6.14.0-rc3-1.gb6b4102-default #1 SMP
> PREEMPT_DYNAMIC Thu Feb 20 12:26:55 UTC 2025 (b6b4102) x86_64
> tst_kconfig.c:88: TINFO: Parsing kernel config '/proc/config.gz'
> tst_kconfig.c:676: TINFO: CONFIG_FAULT_INJECTION kernel option detected which might slow
> the execution
> tst_test.c:1722: TINFO: Overall timeout per run is 0h 02m 00s
> ima_mmap.c:38: TINFO: sleep 3s
> ima_violations 3 TPASS: 1 open_writers violation(s) added
> ima_mmap.c:41: TPASS: test completed
> 
> Summary:
> passed   1
> failed   0
> broken   0
> skipped  0
> warnings 0
> ima_violations 4 TINFO: verify limiting single open writer violation
> ima_violations 4 TPASS: 1 open_writers violation(s) added
> ima_violations 5 TINFO: verify limiting multiple open writers violations
> ima_violations 5 TPASS: 1 open_writers violation(s) added
> ima_violations 6 TINFO: verify new open writer causes additional violation
> ima_violations 6 TPASS: 2 open_writers violation(s) added
> ima_violations 7 TINFO: verify limiting single open reader ToMToU violations
> ima_violations 7 TPASS: 1 ToMToU violation(s) added
> ima_violations 8 TINFO: verify new open reader causes additional ToMToU violation
> ima_violations 8 TPASS: 2 ToMToU violation(s) added
> 
> Summary:
> passed   8
> failed   0
> broken   0
> skipped  0
> warnings 0
> 

Re: [RFC PATCH 3/3] ima: additional ToMToU violation tests

[Mimi Zohar]

Hi Petr,

On Thu, 2025-02-20 at 19:46 +0100, Petr Vorel wrote:

> Is it this considered as a security feature? If yes, than failures on vanilla
> kernel are ok, we just need to later add kernel hashes to let testers know about
> missing backports. If it's a feature (not to be backported) we should test new
> feature only on newer kernels.

I posted these LTP patches as RFC since the kernel patches themselves haven't been
upstreamed.  I'm still waiting for some kernel patch reviews. Posting these LTP patches
might help with that.

Having multiple open-writers or ToMToU violations doesn't provide any benefit in terms of
attestation.  It just clutters the audit log and the IMA measurement list.  Not extending
the TPM would be a performance improvement.  I'm not sure it would be classified as a
security feature or bug fix.

Mimi

Re: [RFC PATCH 3/3] ima: additional ToMToU violation tests

[Mimi Zohar]

On Thu, 2025-02-20 at 15:22 -0500, Mimi Zohar wrote:
> On Thu, 2025-02-20 at 20:13 +0100, Petr Vorel wrote:
> > > On Thu, 2025-02-20 at 19:16 +0100, Petr Vorel wrote:
> > > > Hi Mimi,
> > 
> > > > > Kernel patch "ima: limit the number of ToMToU integrity violations"
> > > > > prevents superfluous ToMToU violations.  Add corresponding LTP tests.
> > 
> > > > > Link:
> > > > > https://lore.kernel.org/linux-integrity/20250219162131.416719-3-zohar@linux.ibm.com/
> > > > > Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
> > 
> > > > Unfortunately tests fail on both mainline kernel and kernel with your patches.
> > 
> > > The new LTP IMA violations patches should fail without the associated kernel
> > > patches.
> > 
> > > > Any hint what could be wrong?
> > 
> > > Of course it's dependent on the IMA policy.  The tests assume being booted with the
> > > IMA
> > > TCB measurement policy or similar policy being loaded.  Can you share the IMA
> > > policy?
> > > e.g. cat /sys/kernel/security/ima/policy
> > 
> > > thanks,
> > 
> > > Mimi
> > 
> > Now testing on kernel *with* your patches. First run always fails, regardless
> > whether using ima_policy=tcb or
> > /opt/ltp/testcases/data/ima_violations/violations.policy).
> > 
> > Kind regards,
> > Petr
> 
> I'm not seeing that on my test machine.  Could there be other things running on your
> system causing violations.  In anycase, your original test was less exacting.  
> Similarly,
> instead of "-eq", try using "-qe" in the following test and removing the subsequent new
> "gt" test.

-> "-ge"

> 
> if [ $(($num_violations_new - $num_violations)) -eq $expected_violations ]; then
> 

Re: [RFC PATCH 3/3] ima: additional ToMToU violation tests

[Petr Vorel]

> On Thu, 2025-02-20 at 15:22 -0500, Mimi Zohar wrote:
> > On Thu, 2025-02-20 at 20:13 +0100, Petr Vorel wrote:
> > > > On Thu, 2025-02-20 at 19:16 +0100, Petr Vorel wrote:
> > > > > Hi Mimi,

> > > > > > Kernel patch "ima: limit the number of ToMToU integrity violations"
> > > > > > prevents superfluous ToMToU violations.  Add corresponding LTP tests.

> > > > > > Link:
> > > > > > https://lore.kernel.org/linux-integrity/20250219162131.416719-3-zohar@linux.ibm.com/
> > > > > > Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>

> > > > > Unfortunately tests fail on both mainline kernel and kernel with your patches.

> > > > The new LTP IMA violations patches should fail without the associated kernel
> > > > patches.

> > > > > Any hint what could be wrong?

> > > > Of course it's dependent on the IMA policy.  The tests assume being booted with the
> > > > IMA
> > > > TCB measurement policy or similar policy being loaded.  Can you share the IMA
> > > > policy?
> > > > e.g. cat /sys/kernel/security/ima/policy

> > > > thanks,

> > > > Mimi

> > > Now testing on kernel *with* your patches. First run always fails, regardless
> > > whether using ima_policy=tcb or
> > > /opt/ltp/testcases/data/ima_violations/violations.policy).

> > > Kind regards,
> > > Petr

> > I'm not seeing that on my test machine.  Could there be other things running on your
> > system causing violations.  In anycase, your original test was less exacting.  
> > Similarly,
> > instead of "-eq", try using "-qe" in the following test and removing the subsequent new
> > "gt" test.

> -> "-ge"

Sure, changing to -ge fixes the problem:
if [ $(($num_violations_new - $num_violations)) -ge $expected_violations ]; then

I guess we need "-ge" for older kernels (unless "fix" for stable).  Should we
accept "$expected_violations || $expected_violations + 1" for new kernels to
avoid problems like the one on my system.

I wonder if the problem was somehow caused by the fact that I built kernel. OTOH
it's build by OBS (official openSUSE build service).

I don't expect you'd have time to look into it, in case you're interested and
have time sending a links to rpm binary and src package.

https://download.opensuse.org/repositories/home:/pevik:/ima-limit-open-writers-ToMToU/standard/x86_64/kernel-default-6.14~rc3-1.1.gb6b4102.x86_64.rpm
https://download.opensuse.org/repositories/home:/pevik:/ima-limit-open-writers-ToMToU/standard/src/kernel-source-6.14~rc3-1.1.gb6b4102.src.rpm

Kind regards,
Petr

> > if [ $(($num_violations_new - $num_violations)) -eq $expected_violations ]; then

Re: [RFC PATCH 3/3] ima: additional ToMToU violation tests

[Mimi Zohar]

On Thu, 2025-02-20 at 22:43 +0100, Petr Vorel wrote:
> > On Thu, 2025-02-20 at 15:22 -0500, Mimi Zohar wrote:
> > > On Thu, 2025-02-20 at 20:13 +0100, Petr Vorel wrote:
> > > > > On Thu, 2025-02-20 at 19:16 +0100, Petr Vorel wrote:
> > > > > > Hi Mimi,
> 
> > > > > > > Kernel patch "ima: limit the number of ToMToU integrity violations"
> > > > > > > prevents superfluous ToMToU violations.  Add corresponding LTP tests.
> 
> > > > > > > Link:
> > > > > > > https://lore.kernel.org/linux-integrity/20250219162131.416719-3-zohar@linux.ibm.com/
> > > > > > > Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
> 
> > > > > > Unfortunately tests fail on both mainline kernel and kernel with your patches.
> 
> > > > > The new LTP IMA violations patches should fail without the associated kernel
> > > > > patches.
> 
> > > > > > Any hint what could be wrong?
> 
> > > > > Of course it's dependent on the IMA policy.  The tests assume being booted with
> > > > > the
> > > > > IMA
> > > > > TCB measurement policy or similar policy being loaded.  Can you share the IMA
> > > > > policy?
> > > > > e.g. cat /sys/kernel/security/ima/policy
> 
> > > > > thanks,
> 
> > > > > Mimi
> 
> > > > Now testing on kernel *with* your patches. First run always fails, regardless
> > > > whether using ima_policy=tcb or
> > > > /opt/ltp/testcases/data/ima_violations/violations.policy).
> 
> > > > Kind regards,
> > > > Petr
> 
> > > I'm not seeing that on my test machine.  Could there be other things running on your
> > > system causing violations.  In anycase, your original test was less exacting.  
> > > Similarly,
> > > instead of "-eq", try using "-qe" in the following test and removing the subsequent
> > > new
> > > "gt" test.
> 
> > -> "-ge"
> 
> Sure, changing to -ge fixes the problem:
> if [ $(($num_violations_new - $num_violations)) -ge $expected_violations ]; then
> 
> I guess we need "-ge" for older kernels (unless "fix" for stable).  Should we
> accept "$expected_violations || $expected_violations + 1" for new kernels to
> avoid problems like the one on my system.

The problem is that we don't control what else is running on the system.  So there could
be other violations independent of these tests.  I'll have to think about it some more and
get back to you.  (There's no rush to do anything with these LTP IMA violation tests.)

> 
> I wonder if the problem was somehow caused by the fact that I built kernel. OTOH
> it's build by OBS (official openSUSE build service).

As long as you weren't building the kernel and running the tests at the same, I doubt it
would be the problem.

> 
> I don't expect you'd have time to look into it, in case you're interested and
> have time sending a links to rpm binary and src package.

Ok.
> 
> https://download.opensuse.org/repositories/home:/pevik:/ima-limit-open-writers-ToMToU/standard/x86_64/kernel-default-6.14~rc3-1.1.gb6b4102.x86_64.rpm
> https://download.opensuse.org/repositories/home:/pevik:/ima-limit-open-writers-ToMToU/standard/src/kernel-source-6.14~rc3-1.1.gb6b4102.src.rpm
> 

thanks,

Mimi

Re: [RFC PATCH 3/3] ima: additional ToMToU violation tests

[Petr Vorel]

> On Thu, 2025-02-20 at 22:43 +0100, Petr Vorel wrote:
> > > On Thu, 2025-02-20 at 15:22 -0500, Mimi Zohar wrote:
> > > > On Thu, 2025-02-20 at 20:13 +0100, Petr Vorel wrote:
> > > > > > On Thu, 2025-02-20 at 19:16 +0100, Petr Vorel wrote:
> > > > > > > Hi Mimi,

> > > > > > > > Kernel patch "ima: limit the number of ToMToU integrity violations"
> > > > > > > > prevents superfluous ToMToU violations.  Add corresponding LTP tests.

> > > > > > > > Link:
> > > > > > > > https://lore.kernel.org/linux-integrity/20250219162131.416719-3-zohar@linux.ibm.com/
> > > > > > > > Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>

> > > > > > > Unfortunately tests fail on both mainline kernel and kernel with your patches.

> > > > > > The new LTP IMA violations patches should fail without the associated kernel
> > > > > > patches.

> > > > > > > Any hint what could be wrong?

> > > > > > Of course it's dependent on the IMA policy.  The tests assume being booted with
> > > > > > the
> > > > > > IMA
> > > > > > TCB measurement policy or similar policy being loaded.  Can you share the IMA
> > > > > > policy?
> > > > > > e.g. cat /sys/kernel/security/ima/policy

> > > > > > thanks,

> > > > > > Mimi

> > > > > Now testing on kernel *with* your patches. First run always fails, regardless
> > > > > whether using ima_policy=tcb or
> > > > > /opt/ltp/testcases/data/ima_violations/violations.policy).

> > > > > Kind regards,
> > > > > Petr

> > > > I'm not seeing that on my test machine.  Could there be other things running on your
> > > > system causing violations.  In anycase, your original test was less exacting.  
> > > > Similarly,
> > > > instead of "-eq", try using "-qe" in the following test and removing the subsequent
> > > > new
> > > > "gt" test.

> > > -> "-ge"

> > Sure, changing to -ge fixes the problem:
> > if [ $(($num_violations_new - $num_violations)) -ge $expected_violations ]; then

> > I guess we need "-ge" for older kernels (unless "fix" for stable).  Should we
> > accept "$expected_violations || $expected_violations + 1" for new kernels to
> > avoid problems like the one on my system.

> The problem is that we don't control what else is running on the system.  So there could
> be other violations independent of these tests.  I'll have to think about it some more and
> get back to you.  (There's no rush to do anything with these LTP IMA violation tests.)

OK, thank you. The worse scenario would be to use less precise variant "-ge".

> > I wonder if the problem was somehow caused by the fact that I built kernel. OTOH
> > it's build by OBS (official openSUSE build service).

> As long as you weren't building the kernel and running the tests at the same, I doubt it
> would be the problem.

Understand, just something on openSUSE Tumbleweed system.

Kind regards,
Petr

> > I don't expect you'd have time to look into it, in case you're interested and
> > have time sending a links to rpm binary and src package.

> Ok.

> > https://download.opensuse.org/repositories/home:/pevik:/ima-limit-open-writers-ToMToU/standard/x86_64/kernel-default-6.14~rc3-1.1.gb6b4102.x86_64.rpm
> > https://download.opensuse.org/repositories/home:/pevik:/ima-limit-open-writers-ToMToU/standard/src/kernel-source-6.14~rc3-1.1.gb6b4102.src.rpm


> thanks,

> Mimi

Re: [RFC PATCH 3/3] ima: additional ToMToU violation tests

[Mimi Zohar]

On Fri, 2025-02-21 at 09:16 +0100, Petr Vorel wrote:
> > On Thu, 2025-02-20 at 22:43 +0100, Petr Vorel wrote:
> > > > On Thu, 2025-02-20 at 15:22 -0500, Mimi Zohar wrote:
> > > > > On Thu, 2025-02-20 at 20:13 +0100, Petr Vorel wrote:
> > > > > > > On Thu, 2025-02-20 at 19:16 +0100, Petr Vorel wrote:
> > > > > > > > Hi Mimi,
> 
> > > > > > > > > Kernel patch "ima: limit the number of ToMToU integrity
> > > > > > > > > violations"
> > > > > > > > > prevents superfluous ToMToU violations.  Add corresponding LTP
> > > > > > > > > tests.
> 
> > > > > > > > > Link:
> > > > > > > > > https://lore.kernel.org/linux-integrity/20250219162131.416719-3-zohar@linux.ibm.com/
> > > > > > > > > Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
> 
> > > > > > > > Unfortunately tests fail on both mainline kernel and kernel with
> > > > > > > > your patches.
> 
> > > > > > > The new LTP IMA violations patches should fail without the
> > > > > > > associated kernel
> > > > > > > patches.
> 
> > > > > > > > Any hint what could be wrong?
> 
> > > > > > > Of course it's dependent on the IMA policy.  The tests assume
> > > > > > > being booted with
> > > > > > > the
> > > > > > > IMA
> > > > > > > TCB measurement policy or similar policy being loaded.  Can you
> > > > > > > share the IMA
> > > > > > > policy?
> > > > > > > e.g. cat /sys/kernel/security/ima/policy
> 
> > > > > > > thanks,
> 
> > > > > > > Mimi
> 
> > > > > > Now testing on kernel *with* your patches. First run always fails,
> > > > > > regardless
> > > > > > whether using ima_policy=tcb or
> > > > > > /opt/ltp/testcases/data/ima_violations/violations.policy).
> 
> > > > > > Kind regards,
> > > > > > Petr
> 
> > > > > I'm not seeing that on my test machine.  Could there be other things
> > > > > running on your
> > > > > system causing violations.  In anycase, your original test was less
> > > > > exacting.  
> > > > > Similarly,
> > > > > instead of "-eq", try using "-qe" in the following test and removing
> > > > > the subsequent
> > > > > new
> > > > > "gt" test.
> 
> > > > -> "-ge"
> 
> > > Sure, changing to -ge fixes the problem:
> > > if [ $(($num_violations_new - $num_violations)) -ge $expected_violations
> > > ]; then
> 
> > > I guess we need "-ge" for older kernels (unless "fix" for stable).  Should
> > > we
> > > accept "$expected_violations || $expected_violations + 1" for new kernels
> > > to
> > > avoid problems like the one on my system.
> 
> > The problem is that we don't control what else is running on the system.  So
> > there could
> > be other violations independent of these tests.  I'll have to think about it
> > some more and
> > get back to you.  (There's no rush to do anything with these LTP IMA
> > violation tests.)
> 
> OK, thank you. The worse scenario would be to use less precise variant "-ge".
> 
> > > I wonder if the problem was somehow caused by the fact that I built
> > > kernel. OTOH
> > > it's build by OBS (official openSUSE build service).
> 
> > As long as you weren't building the kernel and running the tests at the
> > same, I doubt it
> > would be the problem.
> 
> Understand, just something on openSUSE Tumbleweed system.

Peter, thank you for the tumbleweed image.

The default IMA tcb policy results is measuring $LOG (/var/log/audit/audit.log)
on the first call to validate().  To prevent that from interfering with test1, I
would add the following line or something similar in setup() to force measuring
$LOG to happen earlier.

exec 3< $LOG || exit 1

Assuming that works, I'll update the kernel and LTP tests.

thanks,

Mimi

Re: [RFC PATCH 3/3] ima: additional ToMToU violation tests

[Petr Vorel]

> On Fri, 2025-02-21 at 09:16 +0100, Petr Vorel wrote:
> > > On Thu, 2025-02-20 at 22:43 +0100, Petr Vorel wrote:
> > > > > On Thu, 2025-02-20 at 15:22 -0500, Mimi Zohar wrote:
> > > > > > On Thu, 2025-02-20 at 20:13 +0100, Petr Vorel wrote:
> > > > > > > > On Thu, 2025-02-20 at 19:16 +0100, Petr Vorel wrote:
> > > > > > > > > Hi Mimi,

> > > > > > > > > > Kernel patch "ima: limit the number of ToMToU integrity
> > > > > > > > > > violations"
> > > > > > > > > > prevents superfluous ToMToU violations.  Add corresponding LTP
> > > > > > > > > > tests.

> > > > > > > > > > Link:
> > > > > > > > > > https://lore.kernel.org/linux-integrity/20250219162131.416719-3-zohar@linux.ibm.com/
> > > > > > > > > > Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>

> > > > > > > > > Unfortunately tests fail on both mainline kernel and kernel with
> > > > > > > > > your patches.

> > > > > > > > The new LTP IMA violations patches should fail without the
> > > > > > > > associated kernel
> > > > > > > > patches.

> > > > > > > > > Any hint what could be wrong?

> > > > > > > > Of course it's dependent on the IMA policy.  The tests assume
> > > > > > > > being booted with
> > > > > > > > the
> > > > > > > > IMA
> > > > > > > > TCB measurement policy or similar policy being loaded.  Can you
> > > > > > > > share the IMA
> > > > > > > > policy?
> > > > > > > > e.g. cat /sys/kernel/security/ima/policy

> > > > > > > > thanks,

> > > > > > > > Mimi

> > > > > > > Now testing on kernel *with* your patches. First run always fails,
> > > > > > > regardless
> > > > > > > whether using ima_policy=tcb or
> > > > > > > /opt/ltp/testcases/data/ima_violations/violations.policy).

> > > > > > > Kind regards,
> > > > > > > Petr

> > > > > > I'm not seeing that on my test machine.  Could there be other things
> > > > > > running on your
> > > > > > system causing violations.  In anycase, your original test was less
> > > > > > exacting.  
> > > > > > Similarly,
> > > > > > instead of "-eq", try using "-qe" in the following test and removing
> > > > > > the subsequent
> > > > > > new
> > > > > > "gt" test.

> > > > > -> "-ge"

> > > > Sure, changing to -ge fixes the problem:
> > > > if [ $(($num_violations_new - $num_violations)) -ge $expected_violations
> > > > ]; then

> > > > I guess we need "-ge" for older kernels (unless "fix" for stable).  Should
> > > > we
> > > > accept "$expected_violations || $expected_violations + 1" for new kernels
> > > > to
> > > > avoid problems like the one on my system.

> > > The problem is that we don't control what else is running on the system.  So
> > > there could
> > > be other violations independent of these tests.  I'll have to think about it
> > > some more and
> > > get back to you.  (There's no rush to do anything with these LTP IMA
> > > violation tests.)

> > OK, thank you. The worse scenario would be to use less precise variant "-ge".

> > > > I wonder if the problem was somehow caused by the fact that I built
> > > > kernel. OTOH
> > > > it's build by OBS (official openSUSE build service).

> > > As long as you weren't building the kernel and running the tests at the
> > > same, I doubt it
> > > would be the problem.

> > Understand, just something on openSUSE Tumbleweed system.

Hi Mimi,

> Peter, thank you for the tumbleweed image.

Thanks for debugging on the image!

> The default IMA tcb policy results is measuring $LOG (/var/log/audit/audit.log)
> on the first call to validate().  To prevent that from interfering with test1, I
> would add the following line or something similar in setup() to force measuring
> $LOG to happen earlier.

+1

> exec 3< $LOG || exit 1
Ideally use:
exec 3< $LOG || tst_brk TBROK "some explanation..."

> Assuming that works, I'll update the kernel and LTP tests.

+1 (patch from you is preferred)

Kind regards,
Petr

> thanks,

> Mimi