* [PATCH v3 1/5] ima_violations.sh: force $LOG ToMToU violation earlier
From: Mimi Zohar @ 2025-03-05 14:54 UTC (permalink / raw)
To: ltp; +Cc: Mimi Zohar, Stefan Berger, Petr Vorel, linux-integrity
Violation tests are dependent on searching the $LOG file, which may
itself result in a ToMToU violation. Preempt getting an additional
violation during the tests by forcing the $LOG ToMToU violation
earlier.
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
---
testcases/kernel/security/integrity/ima/tests/ima_violations.sh | 1 +
1 file changed, 1 insertion(+)
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_violations.sh b/testcases/kernel/security/integrity/ima/tests/ima_violations.sh
index 37d8d473c..22863fb72 100755
--- a/testcases/kernel/security/integrity/ima/tests/ima_violations.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_violations.sh
@@ -30,6 +30,7 @@ setup()
if [ ! -e "$LOG" ]; then
tst_brk TCONF "log file not found, install auditd"
fi
+ exec 3< $LOG || tst_brk TBROK "failed to read log file"
tst_res TINFO "using log $LOG"
}
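Review bot: `exec 3< $LOG` leaves `$LOG` unquoted while the `[ ! -e "$LOG" ]` test two lines above quotes it; a log path with whitespace would break the redirect, so write `exec 3< "$LOG" || tst_brk TBROK "failed to read log file"`. The descriptor is also held open for the rest of the run with no matching `exec 3<&-` in sight; the commit message explains why the violation is forced early but not why fd 3 must stay open, so a one-line comment above the `exec` would keep the next maintainer from "fixing" it in cleanup().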
--
2.48.1
* [PATCH v3 2/5] ima_violations.sh: Update validate() to support multiple violations
From: Mimi Zohar @ 2025-03-05 14:54 UTC (permalink / raw)
To: ltp; +Cc: Mimi Zohar, Stefan Berger, Petr Vorel, linux-integrity
Add optional support for the number of expected violations. Include the
expected number of violations in the output.
Limit the new expected violations to the new tests, so that the existing
tests continue to work properly with/without the kernel changes.
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
---
.../security/integrity/ima/tests/ima_violations.sh | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_violations.sh b/testcases/kernel/security/integrity/ima/tests/ima_violations.sh
index 22863fb72..37bf2182b 100755
--- a/testcases/kernel/security/integrity/ima/tests/ima_violations.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_violations.sh
@@ -72,20 +72,27 @@ validate()
local num_violations="$1"
local count="$2"
local search="$3"
+ local expected_violations="$4"
local max_attempt=3
local count2 i num_violations_new
for i in $(seq 1 $max_attempt); do
read num_violations_new < $IMA_VIOLATIONS
count2="$(get_count $search)"
- if [ $(($num_violations_new - $num_violations)) -gt 0 ]; then
+ if [ -z "$expected_violations" ] && \
+ [ $(($num_violations_new - $num_violations)) -gt 0 ] || \
+ [ $(($num_violations_new - $num_violations)) -eq $expected_violations ]; then
+ [ -z "$expected_violations" ] && expected_violations=1
if [ $count2 -gt $count ]; then
- tst_res TPASS "$search violation added"
+ tst_res TPASS "$expected_violations $search violation(s) added"
return
else
tst_res TINFO "$search not found in $LOG ($i/$max_attempt attempt)..."
tst_sleep 1s
fi
+ elif [ $(($num_violations_new - $num_violations)) -gt 0 ]; then
+ tst_res $IMA_FAIL "$search too many violations added: $num_violations_new - $num_violations"
+ return
else
tst_res $IMA_FAIL "$search violation not added"
return
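Review bot: the new `if [ -z "$expected_violations" ] && \ ... || [ ... -eq $expected_violations ]` chain relies on `&&` and `||` having equal, left-to-right precedence, so it evaluates as `(A && B) || C`; when `$expected_violations` is empty and no violation was recorded, `C` becomes `[ 0 -eq ]` and `test` prints an argument error to stderr before the `else` branch reports the failure. Compute the difference once and guard the second comparison, e.g.
`local diff=$((num_violations_new - num_violations))`
`if { [ -z "$expected_violations" ] && [ $diff -gt 0 ]; } || { [ -n "$expected_violations" ] && [ $diff -eq "$expected_violations" ]; }; then`
The new `elif [ ... -gt 0 ]` branch also fires when fewer violations than expected were added (e.g. one where two were expected), yet its message says "too many violations added"; a neutral wording such as "unexpected number of violations added: $diff (expected $expected_violations)" would not mislead.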
--
2.48.1
* [PATCH v3 3/5] ima_violations.sh: additional open-writer violation tests
From: Mimi Zohar @ 2025-03-05 14:54 UTC (permalink / raw)
To: ltp; +Cc: Mimi Zohar, Stefan Berger, Petr Vorel, linux-integrity
Kernel patch "ima: limit the number of open-writers integrity
violations" prevents superfluous "open-writers" violations. Add
corresponding LTP tests.
Link: https://lore.kernel.org/linux-integrity/20250228205505.476845-2-zohar@linux.ibm.com/
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
---
.../integrity/ima/tests/ima_violations.sh | 87 ++++++++++++++++++-
1 file changed, 86 insertions(+), 1 deletion(-)
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_violations.sh b/testcases/kernel/security/integrity/ima/tests/ima_violations.sh
index 37bf2182b..d3081a4d1 100755
--- a/testcases/kernel/security/integrity/ima/tests/ima_violations.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_violations.sh
@@ -8,7 +8,7 @@
TST_SETUP="setup"
TST_CLEANUP="cleanup"
-TST_CNT=3
+TST_CNT=6
REQUIRED_BUILTIN_POLICY="tcb"
REQUIRED_POLICY_CONTENT='violations.policy'
@@ -61,6 +61,17 @@ close_file_write()
exec 4>&-
}
+open_file_write2()
+{
+ exec 5> $FILE || tst_brk TBROK "exec 5> $FILE failed"
+ echo 'test writing2' >&5
+}
+
+close_file_write2()
+{
+ exec 5>&-
+}
+
get_count()
{
local search="$1"
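Review bot: `open_file_write2()` is a copy of `open_file_write()` on descriptor 5, and like the original it leaves `$FILE` unquoted in `exec 5> $FILE`; quote it, and consider a short comment that the second helper exists so test5 can hold two writers open on the same file at once, since nothing in the function itself says why a second descriptor is needed.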
@@ -162,6 +173,80 @@ test3()
tst_sleep 2s
}
+test4()
+{
+ tst_res TINFO "verify limiting single open writer violation"
+
+ local search="open_writers"
+ local count num_violations
+
+ read num_violations < $IMA_VIOLATIONS
+ count="$(get_count $search)"
+
+ open_file_write
+ open_file_read
+ close_file_read
+
+ open_file_read
+ close_file_read
+
+ close_file_write
+
+ validate "$num_violations" "$count" "$search" 1
+}
+
+test5()
+{
+ tst_res TINFO "verify limiting multiple open writers violations"
+
+ local search="open_writers"
+ local count num_violations
+
+ read num_violations < $IMA_VIOLATIONS
+ count="$(get_count $search)"
+
+ open_file_write
+ open_file_read
+ close_file_read
+
+ open_file_write2
+ open_file_read
+ close_file_read
+ close_file_write2
+
+ open_file_read
+ close_file_read
+
+ close_file_write
+
+ validate "$num_violations" "$count" "$search" 1
+}
+
+test6()
+{
+ tst_res TINFO "verify new open writer causes additional violation"
+
+ local search="open_writers"
+ local count num_violations
+
+ read num_violations < $IMA_VIOLATIONS
+ count="$(get_count $search)"
+
+ open_file_write
+ open_file_read
+ close_file_read
+
+ open_file_read
+ close_file_read
+ close_file_write
+
+ open_file_write
+ open_file_read
+ close_file_read
+ close_file_write
+ validate "$num_violations" "$count" "$search" 2
+}
+
. ima_setup.sh
. daemonlib.sh
tst_run
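Review bot: test4(), test5() and test6() give no hint why each open/read/close sequence must produce exactly 1 or 2 `open_writers` violations; a one-line comment per block (second reader while the same writer is still open: no new violation; writer closed and reopened in test6: one more violation) would tie each sequence to the kernel behaviour the commit message cites. Style nit: test6() lacks the blank line before `validate` that test4() and test5() have, and all three repeat the same `read num_violations < $IMA_VIOLATIONS` / `count="$(get_count $search)"` prologue, which could be a small helper.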
--
2.48.1
* [PATCH v3 4/5] ima_violations.sh: additional ToMToU violation tests
From: Mimi Zohar @ 2025-03-05 14:54 UTC (permalink / raw)
To: ltp; +Cc: Mimi Zohar, Stefan Berger, Petr Vorel, linux-integrity
Kernel patch "ima: limit the number of ToMToU integrity violations"
prevents superfluous ToMToU violations. Add corresponding LTP tests.
Link: https://lore.kernel.org/linux-integrity/20250228205505.476845-3-zohar@linux.ibm.com/
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
---
.../integrity/ima/tests/ima_violations.sh | 46 ++++++++++++++++++-
1 file changed, 45 insertions(+), 1 deletion(-)
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_violations.sh b/testcases/kernel/security/integrity/ima/tests/ima_violations.sh
index d3081a4d1..0395f8d0a 100755
--- a/testcases/kernel/security/integrity/ima/tests/ima_violations.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_violations.sh
@@ -8,7 +8,7 @@
TST_SETUP="setup"
TST_CLEANUP="cleanup"
-TST_CNT=6
+TST_CNT=8
REQUIRED_BUILTIN_POLICY="tcb"
REQUIRED_POLICY_CONTENT='violations.policy'
@@ -247,6 +247,50 @@ test6()
validate "$num_violations" "$count" "$search" 2
}
+test7()
+{
+ tst_res TINFO "verify limiting single open reader ToMToU violations"
+
+ local search="ToMToU"
+ local count num_violations
+
+ read num_violations < $IMA_VIOLATIONS
+ count="$(get_count $search)"
+
+ open_file_read
+ open_file_write
+ close_file_write
+
+ open_file_write
+ close_file_write
+ close_file_read
+
+ validate "$num_violations" "$count" "$search" 1
+}
+
+test8()
+{
+ tst_res TINFO "verify new open reader causes additional violation"
+
+ local search="ToMToU"
+ local count num_violations
+
+ read num_violations < $IMA_VIOLATIONS
+ count="$(get_count $search)"
+
+ open_file_read
+ open_file_write
+ close_file_write
+ close_file_read
+
+ open_file_read
+ open_file_write
+ close_file_write
+ close_file_read
+
+ validate "$num_violations" "$count" "$search" 2
+}
+
. ima_setup.sh
. daemonlib.sh
tst_run
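Review bot: test7() expects exactly one violation but its TINFO line says "verify limiting single open reader ToMToU violations" (plural), which reads oddly next to test8()'s "causes additional violation"; as with test4-test6, a brief comment stating the rule being checked (reader kept open across two writer cycles: one ToMToU; reader closed and reopened in test8: a second one) would make the expected counts self-explanatory.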
--
2.48.1
* [PATCH v3 5/5] ima_violations.sh: require kernel v6.14 for minimizing violations tests
From: Mimi Zohar @ 2025-03-05 14:54 UTC (permalink / raw)
To: ltp; +Cc: Mimi Zohar, Stefan Berger, Petr Vorel, linux-integrity
Depending on the IMA policy and the number of violations, the kernel
patches for minimizing the number of open-writers and ToMToU (Time of
Measure Time of Use) violations may be a major performance improvement.
Most likely the kernel patches will be backported, but for now limit
the new tests to new kernels with the applied patches. Bail after the
first new test.
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
---
.../kernel/security/integrity/ima/tests/ima_violations.sh | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_violations.sh b/testcases/kernel/security/integrity/ima/tests/ima_violations.sh
index 0395f8d0a..8e988fca6 100755
--- a/testcases/kernel/security/integrity/ima/tests/ima_violations.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_violations.sh
@@ -177,6 +177,10 @@ test4()
{
tst_res TINFO "verify limiting single open writer violation"
+ if tst_kvcmp -lt 6.14; then
+ tst_brk TCONF "Minimizing violations requires kernel 6.14 or newer"
+ fi
+
local search="open_writers"
local count num_violations
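Review bot: the `tst_kvcmp -lt 6.14` check sits inside test4() and uses `tst_brk TCONF`, which ends the whole run; test5() through test8() are therefore skipped on older kernels only because test4() happens to run first. A comment stating that dependency, or doing the version check once in setup() and having each new test return with `tst_res TCONF` when it fails, would survive a later reordering of the tests. Minor: the other `tst_brk` messages in this file start lowercase ("log file not found, install auditd"), while this one starts with "Minimizing".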
--
2.48.1
* Re: [PATCH v3 1/5] ima_violations.sh: force $LOG ToMToU violation earlier
From: Petr Vorel @ 2025-03-06 17:07 UTC (permalink / raw)
To: Mimi Zohar; +Cc: ltp, Stefan Berger, linux-integrity
Hi Mimi,
> Violation tests are dependent on searching the $LOG file, which may
> itself result in a ToMToU violation. Preempt getting an additional
> violation during the tests by forcing the $LOG ToMToU violation
> earlier.
FYI I already merged this from v2 (modified, just swapped the TINFO message with the exec):
https://github.com/linux-test-project/ltp/commit/fdd6da28cf8a2e6de5104e7332724dd5eee346b0
Kind regards,
Petr
> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
> ---
> testcases/kernel/security/integrity/ima/tests/ima_violations.sh | 1 +
> 1 file changed, 1 insertion(+)
> diff --git a/testcases/kernel/security/integrity/ima/tests/ima_violations.sh b/testcases/kernel/security/integrity/ima/tests/ima_violations.sh
> index 37d8d473c..22863fb72 100755
> --- a/testcases/kernel/security/integrity/ima/tests/ima_violations.sh
> +++ b/testcases/kernel/security/integrity/ima/tests/ima_violations.sh
> @@ -30,6 +30,7 @@ setup()
> if [ ! -e "$LOG" ]; then
> tst_brk TCONF "log file not found, install auditd"
> fi
> + exec 3< $LOG || tst_brk TBROK "failed to read log file"
> tst_res TINFO "using log $LOG"
> }
* Re: [PATCH v3 5/5] ima_violations.sh: require kernel v6.14 for minimizing violations tests
From: Petr Vorel @ 2025-03-06 17:26 UTC (permalink / raw)
To: Mimi Zohar; +Cc: ltp, Stefan Berger, linux-integrity
Hi Mimi,
> Depending on the IMA policy and the number of violations, the kernel
> patches for minimizing the number of open-writers and ToMToU (Time of
> Measure Time of Use) violations may be a major performance improvement.
I would prefer this to be squashed into "ima_violations.sh: additional
open-writer violation tests" commit, which adds this incompatibility.
But it's a minor detail, therefore I merged whole patchset as is.
Thanks!
Kind regards,
Petr
> Most likely the kernel patches will be back ported, but for now limit
> the new tests to new kernels with the applied patches. Bail after the
> first new test.
> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
> ---
> .../kernel/security/integrity/ima/tests/ima_violations.sh | 4 ++++
> 1 file changed, 4 insertions(+)
> diff --git a/testcases/kernel/security/integrity/ima/tests/ima_violations.sh b/testcases/kernel/security/integrity/ima/tests/ima_violations.sh
> index 0395f8d0a..8e988fca6 100755
> --- a/testcases/kernel/security/integrity/ima/tests/ima_violations.sh
> +++ b/testcases/kernel/security/integrity/ima/tests/ima_violations.sh
> @@ -177,6 +177,10 @@ test4()
> {
> tst_res TINFO "verify limiting single open writer violation"
> + if tst_kvcmp -lt 6.14; then
> + tst_brk TCONF "Minimizing violations requires kernel 6.14 or newer"
> + fi
> +
> local search="open_writers"
> local count num_violations
* Re: [PATCH v3 5/5] ima_violations.sh: require kernel v6.14 for minimizing violations tests
From: Mimi Zohar @ 2025-03-06 21:02 UTC (permalink / raw)
To: Petr Vorel; +Cc: ltp, Stefan Berger, linux-integrity
On Thu, 2025-03-06 at 18:26 +0100, Petr Vorel wrote:
> Hi Mimi,
>
> > Depending on the IMA policy and the number of violations, the kernel
> > patches for minimizing the number of open-writers and ToMToU (Time of
> > Measure Time of Use) violations may be a major performance improvement.
>
> I would prefer this to be squashed into "ima_violations.sh: additional
> open-writer violation tests" commit, which adds this incompatibility.
>
> But it's a minor detail, therefore I merged whole patchset as is.
Thanks, Petr.