* [PATCH 1/2] ima_setup.sh: Postpone loading policy after test setup
@ 2025-02-19 18:19 Petr Vorel
2025-02-19 18:19 ` [PATCH 2/2] ima_setup.sh: Check 'cat' exit code when loading policy Petr Vorel
0 siblings, 1 reply; 3+ messages in thread
From: Petr Vorel @ 2025-02-19 18:19 UTC (permalink / raw)
To: ltp; +Cc: Petr Vorel, Mimi Zohar, linux-integrity
The usual approach for LTP is to quit the test early on missing prerequisites
(e.g. disabled SELinux in ima_selinux.sh). This is even more important
for IMA tests run with LTP_IMA_LOAD_POLICY=1, where it's useful to avoid
loading the policy if the test will be skipped with TCONF (often requires reboot).
Therefore first check $REQUIRED_BUILTIN_POLICY (value of the ima_policy
kernel cmdline parameter, it can TCONF), then run the test specific
setup and finally run the policy if needed.
Fixes: aac97cca96 ("ima_setup.sh: Allow to load predefined policy")
Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
Link to v1:
https://patchwork.ozlabs.org/project/ltp/patch/20250217130839.2392666-2-pvorel@suse.cz/
Changes from v1:
* Instead of explicitly stating that test setup should be run before
loading policy, just postpone loading policy after running test setup.
.../kernel/security/integrity/ima/tests/ima_setup.sh | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
index 1f1c267c4b..9732aa7b43 100644
--- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
@@ -245,6 +245,8 @@ load_ima_policy()
ima_setup()
{
+ local load_policy
+
SECURITYFS="$(mount_helper securityfs $SYSFS/kernel/security)"
IMA_DIR="$SECURITYFS/ima"
@@ -265,11 +267,16 @@ ima_setup()
cd "$TST_MNTPOINT"
fi
- if ! verify_ima_policy; then
+ verify_ima_policy
+ load_policy=$?
+
+ # Run setup in case of TCONF before loading policy
+ [ -n "$TST_SETUP_CALLER" ] && $TST_SETUP_CALLER
+
+ if [ "$load_policy" = 1 ]; then
load_ima_policy
fi
- [ -n "$TST_SETUP_CALLER" ] && $TST_SETUP_CALLER
}
ima_cleanup()
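Review bot: The new `[ "$load_policy" = 1 ]` test in ima_setup() is narrower than the `if ! verify_ima_policy` it replaces: the old form called load_ima_policy on any non-zero return, while the new one does so only when the status is exactly 1, so any other non-zero status from verify_ima_policy now skips the policy load silently. Either test `[ "$load_policy" -ne 0 ]` to keep the previous behaviour, or document at verify_ima_policy that it returns only 0 or 1. The added comment "Run setup in case of TCONF before loading policy" would also be clearer if it said that $TST_SETUP_CALLER may end the test with TCONF and is therefore run before the policy is loaded.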
--
2.47.2
* [PATCH 2/2] ima_setup.sh: Check 'cat' exit code when loading policy
2025-02-19 18:19 [PATCH 1/2] ima_setup.sh: Postpone loading policy after test setup Petr Vorel
@ 2025-02-19 18:19 ` Petr Vorel
2025-03-06 18:23 ` Petr Vorel
0 siblings, 1 reply; 3+ messages in thread
From: Petr Vorel @ 2025-02-19 18:19 UTC (permalink / raw)
To: ltp; +Cc: Petr Vorel, Mimi Zohar, linux-integrity
Parsing stderr should be enough, but also check the 'cat' exit code
in case of an error message change or other problem.
Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
New in v2.
testcases/kernel/security/integrity/ima/tests/ima_setup.sh | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
index 9732aa7b43..83fcefb4fc 100644
--- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
@@ -209,6 +209,7 @@ verify_ima_policy()
load_ima_policy()
{
local file="$TST_DATAROOT/$REQUIRED_POLICY_CONTENT"
+ local ret
if [ "$LTP_IMA_LOAD_POLICY" != 1 ]; then
if [ "$IMA_MISSING_POLICY_CONTENT" = 1 ]; then
@@ -228,6 +229,7 @@ load_ima_policy()
fi
cat "$file" 2> log > $IMA_POLICY
+ ret=$?
if grep -q "Device or resource busy" log; then
tst_brk TBROK "loading policy failed"
fi
@@ -236,6 +238,10 @@ load_ima_policy()
tst_brk TCONF "loading unsigned policy failed"
fi
+ if [ $ret -ne 0 ]; then
+ tst_brk TBROK "loading policy failed"
+ fi
+
IMA_POLICY_LOADED=1
tst_res TINFO "example policy successfully loaded"
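Review bot: The new `[ $ret -ne 0 ]` branch in load_ima_policy() reports the same "loading policy failed" text as the "Device or resource busy" branch in the previous hunk, so a failing run does not show which check fired or what `cat` returned. Include the exit code in the message, for example `tst_brk TBROK "loading policy failed (cat exit code: $ret)"`, and consider printing the contents of `log` before breaking so an unexpected stderr message is visible. Quoting `"$ret"` in the test would match the quoting of `"$file"` and `"$LTP_IMA_LOAD_POLICY"` in the same function.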
--
2.47.2