* [PATCH v2 1/4] ima_violations.sh: force $LOG ToMToU violation earlier
From: Mimi Zohar @ 2025-03-04 11:53 UTC (permalink / raw)
To: ltp; +Cc: Mimi Zohar, Stefan Berger, Petr Vorel, linux-integrity
Violation tests are dependent on searching the $LOG file, which may
itself result in a ToMToU violation. Preempt getting an additional
violation during the tests by forcing the $LOG ToMToU violation
earlier.
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
---
testcases/kernel/security/integrity/ima/tests/ima_violations.sh | 1 +
1 file changed, 1 insertion(+)
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_violations.sh b/testcases/kernel/security/integrity/ima/tests/ima_violations.sh
index 37d8d473c..22863fb72 100755
--- a/testcases/kernel/security/integrity/ima/tests/ima_violations.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_violations.sh
@@ -30,6 +30,7 @@ setup()
if [ ! -e "$LOG" ]; then
tst_brk TCONF "log file not found, install auditd"
fi
+ exec 3< $LOG || tst_brk TBROK "failed to read log file"
tst_res TINFO "using log $LOG"
}
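Review bot: `$LOG` is unquoted in `exec 3< $LOG`, while the existence test two lines above quotes it (`[ ! -e "$LOG" ]`); use `exec 3< "$LOG" || tst_brk TBROK "failed to read $LOG"` so a path containing spaces cannot be split and the TBROK message names the file. Since the descriptor is opened to trigger the ToMToU violation up front rather than to be read from here, a one-line comment saying so would help the next reader, and cleanup() should release it with `exec 3<&-`.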
--
2.48.1
* [PATCH v2 2/4] ima_violations.sh: Update validate() to support multiple violations
From: Mimi Zohar @ 2025-03-04 11:53 UTC (permalink / raw)
To: ltp; +Cc: Mimi Zohar, Stefan Berger, Petr Vorel, linux-integrity
Add support for the number of expected violations. Include the
expected number of violations in the output.
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
---
.../security/integrity/ima/tests/ima_violations.sh | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_violations.sh b/testcases/kernel/security/integrity/ima/tests/ima_violations.sh
index 22863fb72..3f9f1d342 100755
--- a/testcases/kernel/security/integrity/ima/tests/ima_violations.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_violations.sh
@@ -72,20 +72,26 @@ validate()
local num_violations="$1"
local count="$2"
local search="$3"
+ local expected_violations="$4"
local max_attempt=3
local count2 i num_violations_new
+ [ -z "$expected_violations" ] && expected_violations=1
+
for i in $(seq 1 $max_attempt); do
read num_violations_new < $IMA_VIOLATIONS
count2="$(get_count $search)"
- if [ $(($num_violations_new - $num_violations)) -gt 0 ]; then
+ if [ $(($num_violations_new - $num_violations)) -eq $expected_violations ]; then
if [ $count2 -gt $count ]; then
- tst_res TPASS "$search violation added"
+ tst_res TPASS "$expected_violations $search violation(s) added"
return
else
tst_res TINFO "$search not found in $LOG ($i/$max_attempt attempt)..."
tst_sleep 1s
fi
+ elif [ $(($num_violations_new - $num_violations)) -gt 0 ]; then
+ tst_res $IMA_FAIL "$search too many violations added: $num_violations_new - $num_violations"
+ return
else
tst_res $IMA_FAIL "$search violation not added"
return
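Review bot: switching the check from `-gt 0` to `-eq $expected_violations` makes the existing callers strict as well, because `expected_violations` defaults to 1 when no fourth argument is passed; on a kernel without the violation-limiting patch, the extra violations now fall into the new `elif` branch and report `$IMA_FAIL` where they previously passed. Either keep the `-gt 0` behaviour when the caller passes no explicit count, or have the callers that depend on the limit detect the kernel feature and report TCONF instead. Two smaller points: check that `$4` is numeric before using it in `$((...))`, and the failure message prints the raw counters (`$num_violations_new - $num_violations`) rather than their difference, so `"$search too many violations added: $(($num_violations_new - $num_violations)) (expected $expected_violations)"` would read better.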
--
2.48.1
* [PATCH v2 3/4] ima_violations.sh: additional open-writer violation tests
From: Mimi Zohar @ 2025-03-04 11:53 UTC (permalink / raw)
To: ltp; +Cc: Mimi Zohar, Stefan Berger, Petr Vorel, linux-integrity
Kernel patch "ima: limit the number of open-writers integrity
violations" prevents superfluous "open-writers" violations. Add
corresponding LTP tests.
Link: https://lore.kernel.org/linux-integrity/20250228205505.476845-2-zohar@linux.ibm.com/
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
---
.../integrity/ima/tests/ima_violations.sh | 87 ++++++++++++++++++-
1 file changed, 86 insertions(+), 1 deletion(-)
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_violations.sh b/testcases/kernel/security/integrity/ima/tests/ima_violations.sh
index 3f9f1d342..578cb1402 100755
--- a/testcases/kernel/security/integrity/ima/tests/ima_violations.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_violations.sh
@@ -8,7 +8,7 @@
TST_SETUP="setup"
TST_CLEANUP="cleanup"
-TST_CNT=3
+TST_CNT=6
REQUIRED_BUILTIN_POLICY="tcb"
REQUIRED_POLICY_CONTENT='violations.policy'
@@ -61,6 +61,17 @@ close_file_write()
exec 4>&-
}
+open_file_write2()
+{
+ exec 5> $FILE || tst_brk TBROK "exec 5> $FILE failed"
+ echo 'test writing2' >&5
+}
+
+close_file_write2()
+{
+ exec 5>&-
+}
+
get_count()
{
local search="$1"
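Review bot: `open_file_write2()` and `close_file_write2()` duplicate `open_file_write()` / `close_file_write()` with only the descriptor number changed; a single pair of helpers taking the fd as an argument (e.g. `open_file_write 5`) would avoid keeping two copies in sync. Also quote the path in `exec 5> "$FILE"`, as with `$LOG` in patch 1/4.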
@@ -161,6 +172,80 @@ test3()
tst_sleep 2s
}
+test4()
+{
+ tst_res TINFO "verify limiting single open writer violation"
+
+ local search="open_writers"
+ local count num_violations
+
+ read num_violations < $IMA_VIOLATIONS
+ count="$(get_count $search)"
+
+ open_file_write
+ open_file_read
+ close_file_read
+
+ open_file_read
+ close_file_read
+
+ close_file_write
+
+ validate "$num_violations" "$count" "$search" 1
+}
+
+test5()
+{
+ tst_res TINFO "verify limiting multiple open writers violations"
+
+ local search="open_writers"
+ local count num_violations
+
+ read num_violations < $IMA_VIOLATIONS
+ count="$(get_count $search)"
+
+ open_file_write
+ open_file_read
+ close_file_read
+
+ open_file_write2
+ open_file_read
+ close_file_read
+ close_file_write2
+
+ open_file_read
+ close_file_read
+
+ close_file_write
+
+ validate "$num_violations" "$count" "$search" 1
+}
+
+test6()
+{
+ tst_res TINFO "verify new open writer causes additional violation"
+
+ local search="open_writers"
+ local count num_violations
+
+ read num_violations < $IMA_VIOLATIONS
+ count="$(get_count $search)"
+
+ open_file_write
+ open_file_read
+ close_file_read
+
+ open_file_read
+ close_file_read
+ close_file_write
+
+ open_file_write
+ open_file_read
+ close_file_read
+ close_file_write
+ validate "$num_violations" "$count" "$search" 2
+}
+
. ima_setup.sh
. daemonlib.sh
tst_run
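Review bot: test6() lacks the blank line before `validate` that test4() and test5() have. More substantively, test4() to test6() take their expected counts (1, 1, 2) from the linked kernel patch but never check that the running kernel carries it, so on older kernels they fail rather than TCONF. The commit message should also state the rule the sequences exercise, since the open/close calls alone do not make the counts obvious: as far as the three sequences show, no further open-writers violation is expected while any writer remains open, and a new one only once the file is reopened for writing after all writers have closed.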
--
2.48.1
* [PATCH v2 4/4] ima_violations.sh: additional ToMToU violation tests
From: Mimi Zohar @ 2025-03-04 11:53 UTC (permalink / raw)
To: ltp; +Cc: Mimi Zohar, Stefan Berger, Petr Vorel, linux-integrity
Kernel patch "ima: limit the number of ToMToU integrity violations"
prevents superfluous ToMToU violations. Add corresponding LTP tests.
Link: https://lore.kernel.org/linux-integrity/20250228205505.476845-3-zohar@linux.ibm.com/
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
---
.../integrity/ima/tests/ima_violations.sh | 46 ++++++++++++++++++-
1 file changed, 45 insertions(+), 1 deletion(-)
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_violations.sh b/testcases/kernel/security/integrity/ima/tests/ima_violations.sh
index 578cb1402..2fbffc5da 100755
--- a/testcases/kernel/security/integrity/ima/tests/ima_violations.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_violations.sh
@@ -8,7 +8,7 @@
TST_SETUP="setup"
TST_CLEANUP="cleanup"
-TST_CNT=6
+TST_CNT=8
REQUIRED_BUILTIN_POLICY="tcb"
REQUIRED_POLICY_CONTENT='violations.policy'
@@ -246,6 +246,50 @@ test6()
validate "$num_violations" "$count" "$search" 2
}
+test7()
+{
+ tst_res TINFO "verify limiting single open reader ToMToU violations"
+
+ local search="ToMToU"
+ local count num_violations
+
+ read num_violations < $IMA_VIOLATIONS
+ count="$(get_count $search)"
+
+ open_file_read
+ open_file_write
+ close_file_write
+
+ open_file_write
+ close_file_write
+ close_file_read
+
+ validate "$num_violations" "$count" "$search" 1
+}
+
+test8()
+{
+ tst_res TINFO "verify new open reader causes additional violation"
+
+ local search="ToMToU"
+ local count num_violations
+
+ read num_violations < $IMA_VIOLATIONS
+ count="$(get_count $search)"
+
+ open_file_read
+ open_file_write
+ close_file_write
+ close_file_read
+
+ open_file_read
+ open_file_write
+ close_file_write
+ close_file_read
+
+ validate "$num_violations" "$count" "$search" 2
+}
+
. ima_setup.sh
. daemonlib.sh
tst_run
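Review bot: test7() and test8() have the same kernel dependence as the open-writers tests in 3/4: the expected ToMToU counts of 1 and 2 hold only with the linked kernel patch, and nothing in the test guards that, so older kernels will TFAIL. The TINFO for test7 ("verify limiting single open reader ToMToU violations") is plural where test4's counterpart ("verify limiting single open writer violation") is singular; keep the two messages parallel, as they show up side by side in the results.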
--
2.48.1
* Re: [PATCH v2 1/4] ima_violations.sh: force $LOG ToMToU violation earlier
From: Petr Vorel @ 2025-03-04 12:57 UTC (permalink / raw)
To: Mimi Zohar; +Cc: ltp, Stefan Berger, linux-integrity
Hi Mimi,
> Violation tests are dependent on searching the $LOG file, which may
> itself result in a ToMToU violation. Preempt getting an additional
> violation during the tests by forcing the $LOG ToMToU violation
> earlier.
> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
> ---
> testcases/kernel/security/integrity/ima/tests/ima_violations.sh | 1 +
> 1 file changed, 1 insertion(+)
> diff --git a/testcases/kernel/security/integrity/ima/tests/ima_violations.sh b/testcases/kernel/security/integrity/ima/tests/ima_violations.sh
> index 37d8d473c..22863fb72 100755
> --- a/testcases/kernel/security/integrity/ima/tests/ima_violations.sh
> +++ b/testcases/kernel/security/integrity/ima/tests/ima_violations.sh
> @@ -30,6 +30,7 @@ setup()
> if [ ! -e "$LOG" ]; then
> tst_brk TCONF "log file not found, install auditd"
> fi
> + exec 3< $LOG || tst_brk TBROK "failed to read log file"
> tst_res TINFO "using log $LOG"
If you don't mind, I would reverse the order to get info about which log is
used:
tst_res TINFO "using log $LOG"
exec 3< $LOG || tst_brk TBROK "failed to read log file"
Or, if for some reason it's needed to run it before (no idea why, but I might
miss something), I would merge it as:
exec 3< $LOG || tst_brk TBROK "failed to read $LOG"
tst_res TINFO "using log $LOG"
Reviewed-by: Petr Vorel <pvorel@suse.cz>
Kind regards,
Petr
* Re: [PATCH v2 1/4] ima_violations.sh: force $LOG ToMToU violation earlier
From: Mimi Zohar @ 2025-03-04 13:06 UTC (permalink / raw)
To: Petr Vorel; +Cc: ltp, Stefan Berger, linux-integrity
On Tue, 2025-03-04 at 13:57 +0100, Petr Vorel wrote:
> Hi Mimi,
>
> > Violation tests are dependent on searching the $LOG file, which may
> > itself result in a ToMToU violation. Preempt getting an additional
> > violation during the tests by forcing the $LOG ToMToU violation
> > earlier.
>
> > Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
> > ---
> > testcases/kernel/security/integrity/ima/tests/ima_violations.sh | 1 +
> > 1 file changed, 1 insertion(+)
>
> > diff --git a/testcases/kernel/security/integrity/ima/tests/ima_violations.sh b/testcases/kernel/security/integrity/ima/tests/ima_violations.sh
> > index 37d8d473c..22863fb72 100755
> > --- a/testcases/kernel/security/integrity/ima/tests/ima_violations.sh
> > +++ b/testcases/kernel/security/integrity/ima/tests/ima_violations.sh
> > @@ -30,6 +30,7 @@ setup()
> > if [ ! -e "$LOG" ]; then
> > tst_brk TCONF "log file not found, install auditd"
> > fi
> > + exec 3< $LOG || tst_brk TBROK "failed to read log file"
> > tst_res TINFO "using log $LOG"
>
> If you don't mind, I would reverse the order to get info about which log is
> used:
>
> tst_res TINFO "using log $LOG"
> exec 3< $LOG || tst_brk TBROK "failed to read log file"
Oh, I see what you mean. All of the TINFO come first and then an error, if
there is one. That's fine.
>
> Or, if for some reason it's needed to run it before (no idea why, but I might
> miss something), I would merge it as:
>
> exec 3< $LOG || tst_brk TBROK "failed to read $LOG"
> tst_res TINFO "using log $LOG"
>
> Reviewed-by: Petr Vorel <pvorel@suse.cz>
thanks,
Mimi
* Re: [PATCH v2 2/4] ima_violations.sh: Update validate() to support multiple violations
From: Petr Vorel @ 2025-03-04 13:31 UTC (permalink / raw)
To: Mimi Zohar; +Cc: ltp, Stefan Berger, linux-integrity
Hi Mimi,
> Add support for the number of expected violations. Include the
> expected number of violations in the output.
Unfortunately this works only on a fixed kernel (e.g. the one with v1 of your
"ima: limit both open-writers and ToMToU violations" kernel patchset [1];
I haven't built v2 [2], but it's really just
s/IMA_LIMIT_VIOLATIONS/IMA_EMITTED_OPENWRITERS/ => it will work).
Testing on any other kernel, it fails on the first run after reboot:
# LTP_IMA_LOAD_POLICY=1 LTPROOT="/opt/ltp" PATH="/opt/ltp/testcases/bin:$PATH" ima_violations.sh # openSUSE Tumbleweed 6.13, without your patch
tmpfs is skipped
ima_violations 1 TINFO: Running: ima_violations.sh
ima_violations 1 TINFO: Tested kernel: Linux tss 6.13.1-1-default #1 SMP PREEMPT_DYNAMIC Mon Feb 3 05:33:25 UTC 2025 (1918d13) x86_64 x86_64 x86_64 GNU/Linux
ima_violations 1 TINFO: Using /tmp/LTP_ima_violations.bbGjQQLJIx as tmpdir (tmpfs filesystem)
tst_device.c:96: TINFO: Found free device 0 '/dev/loop0'
ima_violations 1 TINFO: Formatting ext3 with opts='/dev/loop0'
ima_violations 1 TINFO: Mounting device: mount -t ext3 /dev/loop0 /tmp/LTP_ima_violations.bbGjQQLJIx/mntpoint
ima_violations 1 TINFO: timeout per run is 0h 5m 0s
ima_violations 1 TINFO: IMA kernel config:
ima_violations 1 TINFO: CONFIG_IMA=y
ima_violations 1 TINFO: CONFIG_IMA_MEASURE_PCR_IDX=10
ima_violations 1 TINFO: CONFIG_IMA_LSM_RULES=y
ima_violations 1 TINFO: CONFIG_IMA_NG_TEMPLATE=y
ima_violations 1 TINFO: CONFIG_IMA_DEFAULT_TEMPLATE="ima-ng"
ima_violations 1 TINFO: CONFIG_IMA_DEFAULT_HASH_SHA256=y
ima_violations 1 TINFO: CONFIG_IMA_DEFAULT_HASH="sha256"
ima_violations 1 TINFO: CONFIG_IMA_READ_POLICY=y
ima_violations 1 TINFO: CONFIG_IMA_APPRAISE=y
ima_violations 1 TINFO: CONFIG_IMA_ARCH_POLICY=y
ima_violations 1 TINFO: CONFIG_IMA_APPRAISE_BOOTPARAM=y
ima_violations 1 TINFO: CONFIG_IMA_APPRAISE_MODSIG=y
ima_violations 1 TINFO: CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS=y
ima_violations 1 TINFO: CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS=y
ima_violations 1 TINFO: CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT=y
ima_violations 1 TINFO: CONFIG_IMA_DISABLE_HTABLE=y
ima_violations 1 TINFO: /proc/cmdline: BOOT_IMAGE=/boot/vmlinuz-6.13.1-1-default root=UUID=1e7acd04-4289-49c9-ba76-a406b385cdc9 splash=silent video=1024x768 plymouth.ignore-serial-consoles console=ttyS0 console=tty kernel.softlockup_panic=1 mitigations=auto ignore_loglevel security=selinux selinux=1 enforcing=1 ima_policy=critical_data
ima_violations 1 TINFO: $TMPDIR is on tmpfs => run on loop device
ima_violations 1 TINFO: test requires IMA policy:
measure func=FILE_CHECK mask=^MAY_READ euid=0
measure func=FILE_CHECK mask=^MAY_READ uid=0
ima_violations 1 TINFO: WARNING: missing required policy content: 'measure func=FILE_CHECK mask=^MAY_READ euid=0'
ima_violations 1 TINFO: trying to load '/opt/ltp/testcases/data/ima_violations/violations.policy' policy:
measure func=FILE_CHECK mask=^MAY_READ euid=0
measure func=FILE_CHECK mask=^MAY_READ uid=0
ima_violations 1 TINFO: example policy successfully loaded
ima_violations 1 TINFO: using log /var/log/audit/audit.log
ima_violations 1 TINFO: verify open writers violation
ima_violations 1 TFAIL: open_writers too many violations added: 3 - 1
ima_violations 2 TINFO: verify ToMToU violation
ima_violations 2 TFAIL: ToMToU too many violations added: 6 - 4
ima_violations 3 TINFO: verify open_writers using mmapped files
tst_test.c:1900: TINFO: LTP version: 20250130
tst_test.c:1904: TINFO: Tested kernel: 6.13.1-1-default #1 SMP PREEMPT_DYNAMIC Mon Feb 3 05:33:25 UTC 2025 (1918d13) x86_64
tst_kconfig.c:88: TINFO: Parsing kernel config '/proc/config.gz'
tst_kconfig.c:676: TINFO: CONFIG_FAULT_INJECTION kernel option detected which might slow the execution
tst_test.c:1722: TINFO: Overall timeout per run is 0h 02m 00s
ima_mmap.c:38: TINFO: sleep 3s
ima_violations 3 TFAIL: open_writers too many violations added: 9 - 7
ima_violations 4 TINFO: WARNING: policy loaded via LTP_IMA_LOAD_POLICY=1, reboot recommended
ima_mmap.c:41: TPASS: test completed
It keeps failing repeatedly.
I was able to reproduce the problem on SLE15-SP6 (6.4 based) and SLE15-SP4 (5.14 based).
I also tried to test on a Debian VM. It fails when run after reboot:
# LTP_IMA_LOAD_POLICY=1 LTPROOT="/opt/ltp" PATH="/opt/ltp/testcases/bin:$PATH" ima_violations.sh # some Debian VM
tmpfs is skipped
ima_violations 1 TINFO: Running: ima_violations.sh
ima_violations 1 TINFO: Tested kernel: Linux tt 6.9.9-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.9.9-1 (2024-07-13) x86_64 GNU/Linux
ima_violations 1 TINFO: Using /tmp/LTP_ima_violations.RbX4HA7oZx as tmpdir (tmpfs filesystem)
tst_device.c:96: TINFO: Found free device 0 '/dev/loop0'
ima_violations 1 TINFO: Formatting ext3 with opts='/dev/loop0'
ima_violations 1 TINFO: Mounting device: mount -t ext3 /dev/loop0 /tmp/LTP_ima_violations.RbX4HA7oZx/mntpoint
ima_violations 1 TINFO: timeout per run is 0h 5m 0s
ima_violations 1 TINFO: IMA kernel config:
ima_violations 1 TINFO: CONFIG_IMA=y
ima_violations 1 TINFO: CONFIG_IMA_MEASURE_PCR_IDX=10
ima_violations 1 TINFO: CONFIG_IMA_LSM_RULES=y
ima_violations 1 TINFO: CONFIG_IMA_SIG_TEMPLATE=y
ima_violations 1 TINFO: CONFIG_IMA_DEFAULT_TEMPLATE="ima-sig"
ima_violations 1 TINFO: CONFIG_IMA_DEFAULT_HASH_SHA256=y
ima_violations 1 TINFO: CONFIG_IMA_DEFAULT_HASH="sha256"
ima_violations 1 TINFO: CONFIG_IMA_APPRAISE=y
ima_violations 1 TINFO: CONFIG_IMA_ARCH_POLICY=y
ima_violations 1 TINFO: CONFIG_IMA_APPRAISE_BOOTPARAM=y
ima_violations 1 TINFO: CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS=y
ima_violations 1 TINFO: CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS=y
ima_violations 1 TINFO: CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT=y
ima_violations 1 TINFO: /proc/cmdline: BOOT_IMAGE=/boot/vmlinuz-6.9.9-amd64 root=UUID=e55db984-06ad-45d3-9707-dcaec157aebd ro quiet
ima_violations 1 TINFO: $TMPDIR is on tmpfs => run on loop device
ima_violations 1 TINFO: test requires IMA policy:
measure func=FILE_CHECK mask=^MAY_READ euid=0
measure func=FILE_CHECK mask=^MAY_READ uid=0
ima_violations 1 TINFO: WARNING: policy is not readable, failure will be treated as TCONF
ima_violations 1 TINFO: trying to load '/opt/ltp/testcases/data/ima_violations/violations.policy' policy:
measure func=FILE_CHECK mask=^MAY_READ euid=0
measure func=FILE_CHECK mask=^MAY_READ uid=0
ima_violations 1 TINFO: example policy successfully loaded
ima_violations 1 TINFO: using log /var/log/audit/audit.log
ima_violations 1 TINFO: verify open writers violation
ima_violations 1 TFAIL: open_writers too many violations added: 3 - 1
ima_violations 2 TINFO: verify ToMToU violation
ima_violations 2 TFAIL: ToMToU too many violations added: 6 - 4
ima_violations 3 TINFO: verify open_writers using mmapped files
tst_test.c:1890: TINFO: LTP version: 20240930-58-g15ce5997c
tst_test.c:1894: TINFO: Tested kernel: 6.9.9-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.9.9-1 (2024-07-13) x86_64
tst_test.c:1725: TINFO: Timeout per run is 0h 00m 30s
ima_mmap.c:38: TINFO: sleep 3s
ima_violations 3 TFAIL: open_writers too many violations added: 9 - 7
ima_mmap.c:41: TPASS: test completed
Summary:
passed 1
failed 0
broken 0
skipped 0
warnings 0
ima_violations 4 TINFO: WARNING: policy loaded via LTP_IMA_LOAD_POLICY=1, reboot recommended
Summary:
passed 0
failed 3
broken 0
skipped 0
warnings 0
But it reports TCONF when run repeatedly:
ima_violations 1 TCONF: open_writers too many violations added: 13 - 11
ima_violations 2 TINFO: verify ToMToU violation
ima_violations 2 TCONF: ToMToU too many violations added: 16 - 14
ima_violations 3 TINFO: verify open_writers using mmapped files
tst_test.c:1890: TINFO: LTP version: 20240930-58-g15ce5997c
tst_test.c:1894: TINFO: Tested kernel: 6.9.9-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.9.9-1 (2024-07-13) x86_64
tst_test.c:1725: TINFO: Timeout per run is 0h 00m 30s
ima_mmap.c:38: TINFO: sleep 3s
ima_violations 3 TCONF: open_writers too many violations added: 19 - 17
I guess this is not what you expected. I wonder what is wrong.
Kind regards,
Petr
[1] https://lore.kernel.org/linux-integrity/20250219162131.416719-1-zohar@linux.ibm.com/
[2] https://lore.kernel.org/linux-integrity/20250228205505.476845-1-zohar@linux.ibm.com/
* Re: [PATCH v2 1/4] ima_violations.sh: force $LOG ToMToU violation earlier
From: Petr Vorel @ 2025-03-04 13:34 UTC (permalink / raw)
To: Mimi Zohar; +Cc: ltp, Stefan Berger, linux-integrity
Hi Mimi,
...
> > > + exec 3< $LOG || tst_brk TBROK "failed to read log file"
> > > tst_res TINFO "using log $LOG"
> > If you don't mind, I would reverse the order to get info about which log is
> > used:
> > tst_res TINFO "using log $LOG"
> > exec 3< $LOG || tst_brk TBROK "failed to read log file"
> Oh, I see what you mean. All of the TINFO come first and then an error, if
> there is one. That's fine.
Good. Merged this patch.
Kind regards,
Petr
* Re: [PATCH v2 2/4] ima_violations.sh: Update validate() to support multiple violations
From: Mimi Zohar @ 2025-03-04 14:44 UTC (permalink / raw)
To: Petr Vorel; +Cc: ltp, Stefan Berger, linux-integrity
On Tue, 2025-03-04 at 14:31 +0100, Petr Vorel wrote:
> Hi Mimi,
>
> > Add support for the number of expected violations. Include the
> > expected number of violations in the output.
>
> Unfortunately this works only on a fixed kernel (e.g. the one with v1 of your
> "ima: limit both open-writers and ToMToU violations" kernel patchset [1];
> I haven't built v2 [2], but it's really just
> s/IMA_LIMIT_VIOLATIONS/IMA_EMITTED_OPENWRITERS/ => it will work).
>
> Testing on any other kernel, it fails on the first run after reboot:
Hi Petr,
I only tested by specifying the "ima_policy=tcb" on the boot command line. This
failure happens when loading the test specific policy rules. If setup() is
called before loading the test specific policy rules, forcing the $LOG file
violation at setup() would be too early.
Mimi
* Re: [PATCH v2 2/4] ima_violations.sh: Update validate() to support multiple violations
From: Mimi Zohar @ 2025-03-04 14:59 UTC (permalink / raw)
To: Petr Vorel; +Cc: ltp, Stefan Berger, linux-integrity
On Tue, 2025-03-04 at 09:44 -0500, Mimi Zohar wrote:
> On Tue, 2025-03-04 at 14:31 +0100, Petr Vorel wrote:
> > Hi Mimi,
> >
> > > Add support for the number of expected violations. Include the
> > > expected number of violations in the output.
> >
> > Unfortunately this works only on a fixed kernel (e.g. the one with v1 of your
> > "ima: limit both open-writers and ToMToU violations" kernel patchset [1]
> > (I haven't built v2 [2], but it's really just
> > s/IMA_LIMIT_VIOLATIONS/IMA_EMITTED_OPENWRITERS/ => it will work)
> >
> > Testing on any other kernel, it fails on the first run after reboot:
>
> Hi Petr,
>
> I only tested by specifying the "ima_policy=tcb" on the boot command line. This
> failure happens when loading the test specific policy rules. If setup() is
> called before loading the test specific policy rules, forcing the $LOG file
> violation at setup() would be too early.
Sorry, that doesn't seem to be the case.
With the changes to validate(), even the original tests will only work on a new
kernel. I'll rework the patch set, so at least the original tests will continue
to work.
Mimi
>
> >
> > # LTP_IMA_LOAD_POLICY=1 LTPROOT="/opt/ltp" PATH="/opt/ltp/testcases/bin:$PATH" ima_violations.sh # openSUSE Tumbleweed 6.13, without your patch
> > tmpfs is skipped
> > ima_violations 1 TINFO: Running: ima_violations.sh
> > ima_violations 1 TINFO: Tested kernel: Linux tss 6.13.1-1-default #1 SMP PREEMPT_DYNAMIC Mon Feb 3 05:33:25 UTC 2025 (1918d13) x86_64 x86_64 x86_64 GNU/Linux
> > ima_violations 1 TINFO: Using /tmp/LTP_ima_violations.bbGjQQLJIx as tmpdir (tmpfs filesystem)
> > tst_device.c:96: TINFO: Found free device 0 '/dev/loop0'
> > ima_violations 1 TINFO: Formatting ext3 with opts='/dev/loop0'
> > ima_violations 1 TINFO: Mounting device: mount -t ext3 /dev/loop0 /tmp/LTP_ima_violations.bbGjQQLJIx/mntpoint
> > ima_violations 1 TINFO: timeout per run is 0h 5m 0s
> > ima_violations 1 TINFO: IMA kernel config:
> > ima_violations 1 TINFO: CONFIG_IMA=y
> > ima_violations 1 TINFO: CONFIG_IMA_MEASURE_PCR_IDX=10
> > ima_violations 1 TINFO: CONFIG_IMA_LSM_RULES=y
> > ima_violations 1 TINFO: CONFIG_IMA_NG_TEMPLATE=y
> > ima_violations 1 TINFO: CONFIG_IMA_DEFAULT_TEMPLATE="ima-ng"
> > ima_violations 1 TINFO: CONFIG_IMA_DEFAULT_HASH_SHA256=y
> > ima_violations 1 TINFO: CONFIG_IMA_DEFAULT_HASH="sha256"
> > ima_violations 1 TINFO: CONFIG_IMA_READ_POLICY=y
> > ima_violations 1 TINFO: CONFIG_IMA_APPRAISE=y
> > ima_violations 1 TINFO: CONFIG_IMA_ARCH_POLICY=y
> > ima_violations 1 TINFO: CONFIG_IMA_APPRAISE_BOOTPARAM=y
> > ima_violations 1 TINFO: CONFIG_IMA_APPRAISE_MODSIG=y
> > ima_violations 1 TINFO: CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS=y
> > ima_violations 1 TINFO: CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS=y
> > ima_violations 1 TINFO: CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT=y
> > ima_violations 1 TINFO: CONFIG_IMA_DISABLE_HTABLE=y
> > ima_violations 1 TINFO: /proc/cmdline: BOOT_IMAGE=/boot/vmlinuz-6.13.1-1-default root=UUID=1e7acd04-4289-49c9-ba76-a406b385cdc9 splash=silent video=1024x768 plymouth.ignore-serial-consoles console=ttyS0 console=tty kernel.softlockup_panic=1 mitigations=auto ignore_loglevel security=selinux selinux=1 enforcing=1 ima_policy=critical_data
> > ima_violations 1 TINFO: $TMPDIR is on tmpfs => run on loop device
> > ima_violations 1 TINFO: test requires IMA policy:
> > measure func=FILE_CHECK mask=^MAY_READ euid=0
> > measure func=FILE_CHECK mask=^MAY_READ uid=0
> > ima_violations 1 TINFO: WARNING: missing required policy content: 'measure func=FILE_CHECK mask=^MAY_READ euid=0'
> > ima_violations 1 TINFO: trying to load '/opt/ltp/testcases/data/ima_violations/violations.policy' policy:
> > measure func=FILE_CHECK mask=^MAY_READ euid=0
> > measure func=FILE_CHECK mask=^MAY_READ uid=0
> > ima_violations 1 TINFO: example policy successfully loaded
> > ima_violations 1 TINFO: using log /var/log/audit/audit.log
> > ima_violations 1 TINFO: verify open writers violation
> > ima_violations 1 TFAIL: open_writers too many violations added: 3 - 1
> > ima_violations 2 TINFO: verify ToMToU violation
> > ima_violations 2 TFAIL: ToMToU too many violations added: 6 - 4
> > ima_violations 3 TINFO: verify open_writers using mmapped files
> > tst_test.c:1900: TINFO: LTP version: 20250130
> > tst_test.c:1904: TINFO: Tested kernel: 6.13.1-1-default #1 SMP PREEMPT_DYNAMIC Mon Feb 3 05:33:25 UTC 2025 (1918d13) x86_64
> > tst_kconfig.c:88: TINFO: Parsing kernel config '/proc/config.gz'
> > tst_kconfig.c:676: TINFO: CONFIG_FAULT_INJECTION kernel option detected which might slow the execution
> > tst_test.c:1722: TINFO: Overall timeout per run is 0h 02m 00s
> > ima_mmap.c:38: TINFO: sleep 3s
> > ima_violations 3 TFAIL: open_writers too many violations added: 9 - 7
> > ima_violations 4 TINFO: WARNING: policy loaded via LTP_IMA_LOAD_POLICY=1, reboot recommended
> > ima_mmap.c:41: TPASS: test completed
> >
> > It keeps failing repeatedly.
> > I was able to reproduce the problem on SLE15-SP6 (6.4 based) and SLE15-SP4 (5.14 based).
> >
> > I tried to test also some Debian VM. It fails when run after reboot:
> >
> > # LTP_IMA_LOAD_POLICY=1 LTPROOT="/opt/ltp" PATH="/opt/ltp/testcases/bin:$PATH" ima_violations.sh # some Debian VM
> > tmpfs is skipped
> > ima_violations 1 TINFO: Running: ima_violations.sh
> > ima_violations 1 TINFO: Tested kernel: Linux tt 6.9.9-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.9.9-1 (2024-07-13) x86_64 GNU/Linux
> > ima_violations 1 TINFO: Using /tmp/LTP_ima_violations.RbX4HA7oZx as tmpdir (tmpfs filesystem)
> > tst_device.c:96: TINFO: Found free device 0 '/dev/loop0'
> > ima_violations 1 TINFO: Formatting ext3 with opts='/dev/loop0'
> > ima_violations 1 TINFO: Mounting device: mount -t ext3 /dev/loop0 /tmp/LTP_ima_violations.RbX4HA7oZx/mntpoint
> > ima_violations 1 TINFO: timeout per run is 0h 5m 0s
> > ima_violations 1 TINFO: IMA kernel config:
> > ima_violations 1 TINFO: CONFIG_IMA=y
> > ima_violations 1 TINFO: CONFIG_IMA_MEASURE_PCR_IDX=10
> > ima_violations 1 TINFO: CONFIG_IMA_LSM_RULES=y
> > ima_violations 1 TINFO: CONFIG_IMA_SIG_TEMPLATE=y
> > ima_violations 1 TINFO: CONFIG_IMA_DEFAULT_TEMPLATE="ima-sig"
> > ima_violations 1 TINFO: CONFIG_IMA_DEFAULT_HASH_SHA256=y
> > ima_violations 1 TINFO: CONFIG_IMA_DEFAULT_HASH="sha256"
> > ima_violations 1 TINFO: CONFIG_IMA_APPRAISE=y
> > ima_violations 1 TINFO: CONFIG_IMA_ARCH_POLICY=y
> > ima_violations 1 TINFO: CONFIG_IMA_APPRAISE_BOOTPARAM=y
> > ima_violations 1 TINFO: CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS=y
> > ima_violations 1 TINFO: CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS=y
> > ima_violations 1 TINFO: CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT=y
> > ima_violations 1 TINFO: /proc/cmdline: BOOT_IMAGE=/boot/vmlinuz-6.9.9-amd64 root=UUID=e55db984-06ad-45d3-9707-dcaec157aebd ro quiet
> > ima_violations 1 TINFO: $TMPDIR is on tmpfs => run on loop device
> > ima_violations 1 TINFO: test requires IMA policy:
> > measure func=FILE_CHECK mask=^MAY_READ euid=0
> > measure func=FILE_CHECK mask=^MAY_READ uid=0
> > ima_violations 1 TINFO: WARNING: policy is not readable, failure will be treated as TCONF
> > ima_violations 1 TINFO: trying to load '/opt/ltp/testcases/data/ima_violations/violations.policy' policy:
> > measure func=FILE_CHECK mask=^MAY_READ euid=0
> > measure func=FILE_CHECK mask=^MAY_READ uid=0
> > ima_violations 1 TINFO: example policy successfully loaded
> > ima_violations 1 TINFO: using log /var/log/audit/audit.log
> > ima_violations 1 TINFO: verify open writers violation
> > ima_violations 1 TFAIL: open_writers too many violations added: 3 - 1
> > ima_violations 2 TINFO: verify ToMToU violation
> > ima_violations 2 TFAIL: ToMToU too many violations added: 6 - 4
> > ima_violations 3 TINFO: verify open_writers using mmapped files
> > tst_test.c:1890: TINFO: LTP version: 20240930-58-g15ce5997c
> > tst_test.c:1894: TINFO: Tested kernel: 6.9.9-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.9.9-1 (2024-07-13) x86_64
> > tst_test.c:1725: TINFO: Timeout per run is 0h 00m 30s
> > ima_mmap.c:38: TINFO: sleep 3s
> > ima_violations 3 TFAIL: open_writers too many violations added: 9 - 7
> > ima_mmap.c:41: TPASS: test completed
> >
> > Summary:
> > passed 1
> > failed 0
> > broken 0
> > skipped 0
> > warnings 0
> > ima_violations 4 TINFO: WARNING: policy loaded via LTP_IMA_LOAD_POLICY=1, reboot recommended
> >
> > Summary:
> > passed 0
> > failed 3
> > broken 0
> > skipped 0
> > warnings 0
> >
> > But it TCONFs when run repeatedly:
> >
> > ima_violations 1 TCONF: open_writers too many violations added: 13 - 11
> > ima_violations 2 TINFO: verify ToMToU violation
> > ima_violations 2 TCONF: ToMToU too many violations added: 16 - 14
> > ima_violations 3 TINFO: verify open_writers using mmapped files
> > tst_test.c:1890: TINFO: LTP version: 20240930-58-g15ce5997c
> > tst_test.c:1894: TINFO: Tested kernel: 6.9.9-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.9.9-1 (2024-07-13) x86_64
> > tst_test.c:1725: TINFO: Timeout per run is 0h 00m 30s
> > ima_mmap.c:38: TINFO: sleep 3s
> > ima_violations 3 TCONF: open_writers too many violations added: 19 - 17
> >
> > I guess this is not what you expected. I wonder what is wrong.
> >
> > Kind regards,
> > Petr
> >
> > [1] https://lore.kernel.org/linux-integrity/20250219162131.416719-1-zohar@linux.ibm.com/
> > [2] https://lore.kernel.org/linux-integrity/20250228205505.476845-1-zohar@linux.ibm.com/
> >
>
>
* Re: [PATCH v2 2/4] ima_violations.sh: Update validate() to support multiple violations
2025-03-04 14:59 ` Mimi Zohar
@ 2025-03-04 17:43 ` Petr Vorel
2025-03-04 21:33 ` Mimi Zohar
From: Petr Vorel @ 2025-03-04 17:43 UTC (permalink / raw)
To: Mimi Zohar; +Cc: ltp, Stefan Berger, linux-integrity
> On Tue, 2025-03-04 at 09:44 -0500, Mimi Zohar wrote:
> > On Tue, 2025-03-04 at 14:31 +0100, Petr Vorel wrote:
> > > Hi Mimi,
> > > > Add support for the number of expected violations. Include the
> > > > expected number of violations in the output.
> > > Unfortunately this works only on a fixed kernel (e.g. the one with v1 of your
> > > "ima: limit both open-writers and ToMToU violations" kernel patchset [1]
> > > (I haven't built v2 [2], but it's really just
> > > s/IMA_LIMIT_VIOLATIONS/IMA_EMITTED_OPENWRITERS/ => it will work)
> > > Testing on any other kernel, it fails on the first run after reboot:
> > Hi Petr,
> > I only tested by specifying the "ima_policy=tcb" on the boot command line. This
> > failure happens when loading the test specific policy rules. If setup() is
> > called before loading the test specific policy rules, forcing the $LOG file
> > violation at setup() would be too early.
> Sorry, that doesn't seem to be the case.
> With the changes to validate(), even the original tests will only work on a new
> kernel. I'll rework the patch set, so at least the original tests will continue
> to work.
+1, thank you!
Kind regards,
Petr
> Mimi
* Re: [PATCH v2 2/4] ima_violations.sh: Update validate() to support multiple violations
2025-03-04 17:43 ` Petr Vorel
@ 2025-03-04 21:33 ` Mimi Zohar
From: Mimi Zohar @ 2025-03-04 21:33 UTC (permalink / raw)
To: Petr Vorel; +Cc: ltp, Stefan Berger, linux-integrity
On Tue, 2025-03-04 at 18:43 +0100, Petr Vorel wrote:
> > On Tue, 2025-03-04 at 09:44 -0500, Mimi Zohar wrote:
> > > On Tue, 2025-03-04 at 14:31 +0100, Petr Vorel wrote:
> > > > Hi Mimi,
>
> > > > > Add support for the number of expected violations. Include the
> > > > > expected number of violations in the output.
>
> > > > Unfortunately this works only on a fixed kernel (e.g. the one with v1 of your
> > > > "ima: limit both open-writers and ToMToU violations" kernel patchset [1]
> > > > (I haven't built v2 [2], but it's really just
> > > > s/IMA_LIMIT_VIOLATIONS/IMA_EMITTED_OPENWRITERS/ => it will work)
>
> > > > Testing on any other kernel, it fails on the first run after reboot:
>
> > > Hi Petr,
>
> > > I only tested by specifying the "ima_policy=tcb" on the boot command line. This
> > > failure happens when loading the test specific policy rules. If setup() is
> > > called before loading the test specific policy rules, forcing the $LOG file
> > > violation at setup() would be too early.
>
> > Sorry, that doesn't seem to be the case.
>
> > With the changes to validate(), even the original tests will only work on a new
> > kernel. I'll rework the patch set, so at least the original tests will continue
> > to work.
>
> +1, thank you!
Hi Petr,
Since the original three tests don't provide the expected number of violations,
the following should work for them. The new tests will fail without the kernel
patch. The assumption is that LTP can handle some of the tests, not all of
them, succeeding. On a new kernel, all of the tests should succeed. Tested
only with bash.
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_violations.sh b/testcases/kernel/security/integrity/ima/tests/ima_violations.sh
index 2fbffc5da..0395f8d0a 100755
--- a/testcases/kernel/security/integrity/ima/tests/ima_violations.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_violations.sh
@@ -87,12 +87,13 @@ validate()
local max_attempt=3
local count2 i num_violations_new
- [ -z "$expected_violations" ] && expected_violations=1
-
for i in $(seq 1 $max_attempt); do
read num_violations_new < $IMA_VIOLATIONS
count2="$(get_count $search)"
- if [ $(($num_violations_new - $num_violations)) -eq $expected_violations ]; then
+ if [ -z "$expected_violations" ] && \
+ [ $(($num_violations_new - $num_violations)) -gt 0 ] || \
+ [ $(($num_violations_new - $num_violations)) -eq $expected_violations ]; then
+ [ -z "$expected_violations" ] && expected_violations=1
if [ $count2 -gt $count ]; then
tst_res TPASS "$expected_violations $search violation(s) added"
return
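Review bot: the third test in the new condition runs with an empty right-hand operand whenever `expected_violations` is unset and the counter has not moved yet (every retry of the `max_attempt` loop): `[ $(($num_violations_new - $num_violations)) -eq $expected_violations ]` becomes `[ 0 -eq ]`, which prints a "unary operator expected" error to stderr and evaluates false, so the retry still happens but noisily. Computing the delta once and keeping the two branches apart, e.g. `{ [ -z "$expected_violations" ] && [ $delta -gt 0 ]; } || { [ -n "$expected_violations" ] && [ $delta -eq "$expected_violations" ]; }`, avoids that in both bash and sh and is easier to read than the backslash-continued `&&`/`||` chain. Also, `[ -z "$expected_violations" ] && expected_violations=1` inside the branch makes the TPASS line report 1 even when the delta was larger (the "3 - 1" case in Petr's logs would print "1 open_writers violation(s) added"); reporting the actual delta would be more accurate.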
thanks,
Mimi
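As an added example (my own code, not LTP's ima_violations.sh and not Mimi's patch), the verdict the reworked validate() is meant to reach, written as a pure POSIX sh function over constructed counter values so the unset-expectation and no-increase corner cases can be checked without an IMA kernel. The record shape in the constructed audit.log excerpt (INTEGRITY_PCR with op=invalid_pcr cause=...) is how IMA reports violations; the function names and all sample values are mine.

```shell
#!/bin/sh
# Added example, not LTP's ima_violations.sh: the verdict the reworked
# validate() is meant to reach, as a pure function that needs no IMA kernel.
# Inputs: the securityfs violations counter before/after the test step, the
# matching audit-record count before/after, the expected number of new
# violations ("" = at least one, what the original three tests rely on on
# older kernels), and the cause being searched (open_writers or ToMToU).
# Prints one LTP-style result line and returns 0 only for a pass.
violation_verdict()
{
	_before=$1 _after=$2 _log_before=$3 _log_after=$4 _expected=$5 _search=$6
	_added=$((_after - _before))

	if [ "$_added" -eq 0 ]; then
		echo "TFAIL: $_search violation not added"
		return 1
	fi
	# No expectation given: any increase counts, and the real delta is
	# reported rather than a hard-coded 1 (the operand is never empty here).
	: "${_expected:=$_added}"
	if [ "$_added" -ne "$_expected" ]; then
		echo "TFAIL: $_search unexpected number of violations added: $_after - $_before (expected $_expected)"
		return 1
	fi
	# The counter moved as expected; the audit log must show it too.
	if [ "$_log_after" -le "$_log_before" ]; then
		echo "TFAIL: $_expected $_search violation(s) added but not logged"
		return 1
	fi
	echo "TPASS: $_expected $_search violation(s) added"
}

# Count audit records for one cause, the role get_count() plays in the script.
# IMA reports violations as INTEGRITY_PCR records with op=invalid_pcr cause=<cause>.
count_cause()
{
	grep -c "op=invalid_pcr cause=$2 " "$1" || true
}

# Constructed audit.log excerpt (timestamps, pids and paths are made up).
write_sample_log()
{
	cat > "$1" <<'EOF'
type=INTEGRITY_PCR msg=audit(1741093450.101:301): pid=2001 uid=0 auid=0 ses=1 op=invalid_pcr cause=open_writers comm="cat" name="/mnt/test-file" dev="loop0" ino=14 res=1
type=INTEGRITY_PCR msg=audit(1741093453.202:302): pid=2002 uid=0 auid=0 ses=1 op=invalid_pcr cause=ToMToU comm="cat" name="/mnt/test-file" dev="loop0" ino=14 res=1
type=INTEGRITY_PCR msg=audit(1741093456.303:303): pid=2003 uid=0 auid=0 ses=1 op=invalid_pcr cause=open_writers comm="ima_mmap" name="/mnt/test-file" dev="loop0" ino=14 res=1
EOF
}
```

With the "3 - 1" counters from Petr's logs the function passes when no expectation is given and fails when exactly one violation is expected, which is the behaviour the reworked patch aims for on older kernels.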
Thread overview: 12+ messages
2025-03-04 11:53 [PATCH v2 1/4] ima_violations.sh: force $LOG ToMToU violation earlier Mimi Zohar
2025-03-04 11:53 ` [PATCH v2 2/4] ima_violations.sh: Update validate() to support multiple violations Mimi Zohar
2025-03-04 13:31 ` Petr Vorel
2025-03-04 14:44 ` Mimi Zohar
2025-03-04 14:59 ` Mimi Zohar
2025-03-04 17:43 ` Petr Vorel
2025-03-04 21:33 ` Mimi Zohar
2025-03-04 11:53 ` [PATCH v2 3/4] ima_violations.sh: additional open-writer violation tests Mimi Zohar
2025-03-04 11:53 ` [PATCH v2 4/4] ima_violations.sh: additional ToMToU " Mimi Zohar
2025-03-04 12:57 ` [PATCH v2 1/4] ima_violations.sh: force $LOG ToMToU violation earlier Petr Vorel
2025-03-04 13:06 ` Mimi Zohar
2025-03-04 13:34 ` Petr Vorel