* [PATCH 0/4] ima_{conditionals,measurements}.sh enhancements
@ 2025-10-02 8:36 Petr Vorel
2025-10-02 8:36 ` [PATCH 1/4] ima_{conditionals,measurements}.sh: Add temporary user Petr Vorel
` (4 more replies)
0 siblings, 5 replies; 11+ messages in thread
From: Petr Vorel @ 2025-10-02 8:36 UTC (permalink / raw)
To: ltp; +Cc: Petr Vorel, Mimi Zohar, linux-integrity, Cyril Hrubis,
Martin Doucha
Petr Vorel (4):
ima_{conditionals,measurements}.sh: Add temporary user
ima_conditionals.sh: Split test by request
ima_conditionals.sh: Use 'sg' without 'sudo'
ima_{conditionals,measurements}.sh: Use 'su' instead of 'sudo'
runtest/ima | 5 +-
.../integrity/ima/tests/ima_conditionals.sh | 81 ++++++++++++-------
.../integrity/ima/tests/ima_measurements.sh | 15 ++--
.../security/integrity/ima/tests/ima_setup.sh | 12 +++
4 files changed, 71 insertions(+), 42 deletions(-)
--
2.51.0
^ permalink raw reply [flat|nested] 11+ messages in thread
* [PATCH 1/4] ima_{conditionals,measurements}.sh: Add temporary user
From: Petr Vorel @ 2025-10-02 8:36 UTC (permalink / raw)
To: ltp; +Cc: Petr Vorel, Mimi Zohar, linux-integrity, Cyril Hrubis,
Martin Doucha
This is required because new releases of many distros (e.g. Debian,
openSUSE Tumbleweed, SLES, ...) switched the shell of the 'nobody' user from
/bin/bash (or /bin/sh) to /usr/sbin/nologin. That effectively disables
using 'sudo' or 'su':
ima_conditionals 1 TINFO: verify measuring user files when requested via uid
sudo: Account expired or PAM config lacks an "account" section for sudo, contact your system administrator
sudo: a password is required
Creating a temporary user is the best approach (no setup needs to be
done by testers).
Follow the usual LTP approach: create the user in setup(), delete it in cleanup().
A small disadvantage of that approach is that the whole ima_measurements.sh
is skipped if useradd or userdel is missing, while the user is used only in
test3().
Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
.../integrity/ima/tests/ima_conditionals.sh | 16 ++++++++--------
.../integrity/ima/tests/ima_measurements.sh | 13 ++++---------
.../security/integrity/ima/tests/ima_setup.sh | 12 ++++++++++++
3 files changed, 24 insertions(+), 17 deletions(-)
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_conditionals.sh b/testcases/kernel/security/integrity/ima/tests/ima_conditionals.sh
index 9125616890..a8b2e1015a 100755
--- a/testcases/kernel/security/integrity/ima/tests/ima_conditionals.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_conditionals.sh
@@ -9,9 +9,10 @@
# gid and fgroup options test kernel commit 40224c41661b ("ima: add gid
# support") from v5.16.
-TST_NEEDS_CMDS="cat chgrp chown id sg sudo"
+TST_NEEDS_CMDS="cat chgrp chown id sg sudo useradd userdel"
TST_SETUP="setup"
TST_CNT=1
+REQUIRE_TMP_USER=1
setup()
{
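Review bot: `useradd userdel` are now required twice, once here in TST_NEEDS_CMDS and once by the explicit `tst_require_cmds useradd userdel` that ima_setup() runs when REQUIRE_TMP_USER=1; one of the two checks is redundant, and keeping only the library-side one would make REQUIRE_TMP_USER=1 the single switch a test has to set.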
@@ -23,12 +24,11 @@ setup()
verify_measurement()
{
local request="$1"
- local user="nobody"
local test_file="$PWD/test.txt"
local cmd="cat $test_file > /dev/null"
- local value="$(id -u $user)"
- [ "$request" = 'gid' -o "$request" = 'fgroup' ] && value="$(id -g $user)"
+ local value="$(id -u $IMA_USER)"
+ [ "$request" = 'gid' -o "$request" = 'fgroup' ] && value="$(id -g $IMA_USER)"
# needs to be checked each run (not in setup)
require_policy_writable
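Review bot: `[ "$request" = 'gid' -o "$request" = 'fgroup' ]` keeps the `-o` operator, which POSIX marks obsolescent; since the line is being rewritten anyway, `case "$request" in gid|fgroup) value="$(id -g "$IMA_USER")";; esac` (or two `[ ]` tests joined by `||`) is the portable form and also quotes the user name in both `id` calls.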
@@ -41,15 +41,15 @@ verify_measurement()
case "$request" in
fgroup)
- chgrp $user $test_file
+ chgrp $IMA_USER $test_file
sh -c "$cmd"
;;
fowner)
- chown $user $test_file
+ chown $IMA_USER $test_file
sh -c "$cmd"
;;
- gid) sudo sg $user "sh -c '$cmd'";;
- uid) sudo -n -u $user sh -c "$cmd";;
+ gid) sudo sg $IMA_USER "sh -c '$cmd'";;
+ uid) sudo -n -u $IMA_USER sh -c "$cmd";;
*) tst_brk TBROK "Invalid res type '$1'";;
esac
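Review bot: none of the four branches checks the exit status of the command run as $IMA_USER, so when the privilege drop itself fails (the exact "sudo: a password is required" symptom quoted in the commit message) the file is never read as the target user and `ima_check` reports what looks like a kernel IMA failure rather than an environment problem. Checking `$?` after `sudo sg ...` / `sudo -n -u ...` and calling `tst_brk TBROK` on failure would keep the two apart.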
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh b/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh
index 60350f3926..e92f3efb95 100755
--- a/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh
@@ -7,11 +7,12 @@
# Verify that measurements are added to the measurement list based on policy.
# Test requires either ima_policy=tcb or example policy loadable with LTP_IMA_LOAD_POLICY=1.
-TST_NEEDS_CMDS="awk cut sed"
+TST_NEEDS_CMDS="awk cut sed useradd userdel"
TST_SETUP="setup"
TST_CNT=3
REQUIRED_BUILTIN_POLICY="tcb"
REQUIRED_POLICY_CONTENT='tcb.policy'
+REQUIRE_TMP_USER=1
setup()
{
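Review bot: the downside admitted in the commit message (the whole script TCONFs when useradd/userdel are missing although only test3() needs a user) is avoidable: drop `useradd userdel` from TST_NEEDS_CMDS here, let ima_setup() use `tst_check_cmds` and leave IMA_USER empty when they are absent, and have test3() `tst_res TCONF` and return in that case, the way it already does for a missing sudo, so test1() and test2() still run.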
@@ -68,7 +69,6 @@ test2()
test3()
{
- local user="nobody"
local dir="$PWD/user"
local file="$dir/test.txt"
local cmd="grep $file $ASCII_MEASUREMENTS"
@@ -82,16 +82,11 @@ test3()
return
fi
- if ! id $user >/dev/null 2>/dev/null; then
- tst_res TCONF "missing system user $user (wrong installation)"
- return
- fi
-
[ -d "$dir" ] || mkdir -m 0700 $dir
- chown $user $dir
+ chown $IMA_USER $dir
cd $dir
# need to read file to get updated $ASCII_MEASUREMENTS
- sudo -n -u $user sh -c "echo $(cat /proc/uptime) user file > $file; cat $file > /dev/null"
+ sudo -n -u $IMA_USER sh -c "echo $(cat /proc/uptime) user file > $file; cat $file > /dev/null"
cd ..
if ! tst_rod "$cmd" 2> /dev/null; then
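Review bot: the exit status of `sudo -n -u $IMA_USER sh -c "..."` is not checked, and because this test asserts that the user file is *not* measured, a failing sudo leaves $file uncreated, `grep` finds nothing, and the test passes for the wrong reason (a false pass). Verifying that the file was actually written, e.g. `[ -f "$file" ] || tst_brk TBROK "..."` right after the sudo line, would turn that into a TBROK. Removing the `id $user` guard is fine now that ima_setup() creates the account with ROD.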
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
index 2a7d651818..23400a0fde 100644
--- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
@@ -22,6 +22,7 @@ TST_FS_TYPE="ext3"
IMA_FAIL="TFAIL"
IMA_BROK="TBROK"
+IMA_USER="ltp_ima_$$"
# TODO: find support for rmd128 rmd256 rmd320 wp256 wp384 tgr128 tgr160
compute_digest()
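Review bot: `IMA_USER="ltp_ima_$$"` gives every invocation a fresh account name, so a run killed before ima_cleanup() leaves a stale `ltp_ima_<pid>` entry in /etc/passwd with nothing to remove it later; a fixed name combined with the `id "$IMA_USER" || useradd` check already in ima_setup() would be self-healing across runs.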
@@ -283,12 +284,23 @@ ima_setup()
load_ima_policy
fi
+ if [ "$REQUIRE_TMP_USER" = 1 ]; then
+ tst_require_cmds useradd userdel
+ tst_res TINFO "adding temporary user $IMA_USER"
+ id "$IMA_USER" 2>/dev/null || ROD useradd --no-create-home "$IMA_USER"
+ USER_ADDED=1
+ fi
}
ima_cleanup()
{
local dir
+ if [ "$USER_ADDED" = 1 ]; then
+ tst_res TINFO "removing user $IMA_USER"
+ userdel "$IMA_USER"
+ fi
+
[ -n "$TST_CLEANUP_CALLER" ] && $TST_CLEANUP_CALLER
for dir in $UMOUNT; do
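Review bot: `useradd --no-create-home "$IMA_USER"` takes the login shell from /etc/default/useradd, so on the very distributions named in the cover letter the new account can end up with /usr/sbin/nologin and hit the same failure as 'nobody'; passing `--shell /bin/sh` pins it. Two smaller points in the same block: `id "$IMA_USER" 2>/dev/null` still prints the uid/gid line to stdout when the account exists (use `>/dev/null 2>&1`), and `USER_ADDED=1` is set even when `id` succeeded and nothing was created, so ima_cleanup() would `userdel` a pre-existing account of that name.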
--
2.51.0
* [PATCH 2/4] ima_conditionals.sh: Split test by request
From: Petr Vorel @ 2025-10-02 8:36 UTC (permalink / raw)
To: ltp; +Cc: Petr Vorel, Mimi Zohar, linux-integrity, Cyril Hrubis,
Martin Doucha
This helps to run all test cases on systems without CONFIG_IMA_WRITE_POLICY=y
(disabled by default in mainline, and therefore disabled on some distros,
e.g. openSUSE Tumbleweed), if the SUT reboots.
The downside is creating the user account 4x instead of just once.
Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
runtest/ima | 5 +-
.../integrity/ima/tests/ima_conditionals.sh | 67 ++++++++++++-------
2 files changed, 47 insertions(+), 25 deletions(-)
diff --git a/runtest/ima b/runtest/ima
index 01942eefa3..c8d0c6801e 100644
--- a/runtest/ima
+++ b/runtest/ima
@@ -6,5 +6,8 @@ ima_violations ima_violations.sh
ima_keys ima_keys.sh
ima_kexec ima_kexec.sh
ima_selinux ima_selinux.sh
-ima_conditionals ima_conditionals.sh
+ima_conditionals_uid ima_conditionals.sh -r uid
+ima_conditionals_fowner ima_conditionals.sh -r fowner
+ima_conditionals_gid ima_conditionals.sh -r gid
+ima_conditionals_fgroup ima_conditionals.sh -r fgroup
evm_overlay evm_overlay.sh
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_conditionals.sh b/testcases/kernel/security/integrity/ima/tests/ima_conditionals.sh
index a8b2e1015a..afa2ae05da 100755
--- a/testcases/kernel/security/integrity/ima/tests/ima_conditionals.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_conditionals.sh
@@ -11,35 +11,68 @@
TST_NEEDS_CMDS="cat chgrp chown id sg sudo useradd userdel"
TST_SETUP="setup"
-TST_CNT=1
+TST_TESTFUNC="test"
REQUIRE_TMP_USER=1
+TST_OPTS="r:"
+TST_USAGE="usage"
+TST_PARSE_ARGS="parse_args"
+REQUEST="uid"
+
+parse_args()
+{
+ REQUEST="$2"
+}
+
+usage()
+{
+ cat << EOF
+usage: $0 [-r <uid|fowner|gid|fgroup>]
+
+OPTIONS
+-r Specify the request to be measured. One of:
+ uid, fowner, gid, fgroup
+ Default: uid
+EOF
+}
setup()
{
+ case "$REQUEST" in
+ fgroup|fowner|gid|uid)
+ tst_res TINFO "request '$REQUEST'"
+ ;;
+ *) tst_brk TBROK "Invalid -r '$REQUEST', use: -r <uid|fowner|gid|fgroup>";;
+ esac
+
if check_need_signed_policy; then
tst_brk TCONF "policy have to be signed"
fi
}
-verify_measurement()
+test()
{
+ # needs to be checked each run (not in setup)
+ require_policy_writable
+
local request="$1"
local test_file="$PWD/test.txt"
local cmd="cat $test_file > /dev/null"
-
local value="$(id -u $IMA_USER)"
- [ "$request" = 'gid' -o "$request" = 'fgroup' ] && value="$(id -g $IMA_USER)"
- # needs to be checked each run (not in setup)
- require_policy_writable
+ if [ "$REQUEST" = 'gid' -o "$REQUEST" = 'fgroup' ]; then
+ if tst_kvcmp -lt 5.16; then
+ tst_brk TCONF "gid and fgroup options require kernel 5.16 or newer"
+ fi
+ value="$(id -g $IMA_USER)"
+ fi
ROD rm -f $test_file
- tst_res TINFO "verify measuring user files when requested via $request"
- ROD echo "measure $request=$value" \> $IMA_POLICY
- ROD echo "$(cat /proc/uptime) $request test" \> $test_file
+ tst_res TINFO "verify measuring user files when requested via $REQUEST"
+ ROD echo "measure $REQUEST=$value" \> $IMA_POLICY
+ ROD echo "$(cat /proc/uptime) $REQUEST test" \> $test_file
- case "$request" in
+ case "$REQUEST" in
fgroup)
chgrp $IMA_USER $test_file
sh -c "$cmd"
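Review bot: naming the test function `test` (TST_TESTFUNC="test") defines a shell function that shadows the `test` builtin for the rest of this script and for the sourced library, because functions take precedence over builtins in POSIX sh; any `test -f ...` in library code would then run the IMA test body instead. A name such as `do_test`, or keeping `verify_measurement`, avoids that. Also in this hunk: `parse_args()` assigns `REQUEST="$2"` without looking at `$1`, which works with the single `r:` option but silently breaks if another option is ever added (`case $1 in r) REQUEST="$2";; esac` is the usual LTP form), and `local request="$1"` is now dead since everything reads $REQUEST.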
@@ -50,24 +83,10 @@ verify_measurement()
;;
gid) sudo sg $IMA_USER "sh -c '$cmd'";;
uid) sudo -n -u $IMA_USER sh -c "$cmd";;
- *) tst_brk TBROK "Invalid res type '$1'";;
esac
ima_check $test_file
}
-test1()
-{
- verify_measurement uid
- verify_measurement fowner
-
- if tst_kvcmp -lt 5.16; then
- tst_brk TCONF "gid and fgroup options require kernel 5.16 or newer"
- fi
-
- verify_measurement gid
- verify_measurement fgroup
-}
-
. ima_setup.sh
tst_run
--
2.51.0
* [PATCH 3/4] ima_conditionals.sh: Use 'sg' without 'sudo'
From: Petr Vorel @ 2025-10-02 8:37 UTC (permalink / raw)
To: ltp; +Cc: Petr Vorel, Mimi Zohar, linux-integrity, Cyril Hrubis,
Martin Doucha
We run as root, therefore 'sg' can be run without 'sudo'.
Fixes: 5734da5f11 ("IMA: Add tests for uid, gid, fowner, and fgroup options")
Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
.../kernel/security/integrity/ima/tests/ima_conditionals.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_conditionals.sh b/testcases/kernel/security/integrity/ima/tests/ima_conditionals.sh
index afa2ae05da..f4ee79b2bc 100755
--- a/testcases/kernel/security/integrity/ima/tests/ima_conditionals.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_conditionals.sh
@@ -81,7 +81,7 @@ test()
chown $IMA_USER $test_file
sh -c "$cmd"
;;
- gid) sudo sg $IMA_USER "sh -c '$cmd'";;
+ gid) sg $IMA_USER "sh -c '$cmd'";;
uid) sudo -n -u $IMA_USER sh -c "$cmd";;
esac
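Review bot: `sg $IMA_USER ...` assumes a group with the same name as the user, i.e. that useradd created a user private group (USERGROUPS_ENAB in login.defs); on a system configured otherwise sg fails with an unknown group. `sg "$(id -gn "$IMA_USER")" ...` uses whatever primary group the account actually got, which is also the gid the policy line measures. Dropping sudo here is correct: sg keeps uid 0 and only switches the gid, which is exactly what the gid= request needs.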
--
2.51.0
* [PATCH 4/4] ima_{conditionals,measurements}.sh: Use 'su' instead of 'sudo'
From: Petr Vorel @ 2025-10-02 8:37 UTC (permalink / raw)
To: ltp; +Cc: Petr Vorel, Mimi Zohar, linux-integrity, Cyril Hrubis,
Martin Doucha
'su' is simpler than 'sudo' (fewer configuration files, fewer libraries)
and it's usually installed (part of util-linux or busybox). This also
helps to test with initramfs-based rapido-linux.
Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
https://github.com/rapido-linux/rapido
.../kernel/security/integrity/ima/tests/ima_conditionals.sh | 4 ++--
.../kernel/security/integrity/ima/tests/ima_measurements.sh | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_conditionals.sh b/testcases/kernel/security/integrity/ima/tests/ima_conditionals.sh
index f4ee79b2bc..4eca0e88b9 100755
--- a/testcases/kernel/security/integrity/ima/tests/ima_conditionals.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_conditionals.sh
@@ -9,7 +9,7 @@
# gid and fgroup options test kernel commit 40224c41661b ("ima: add gid
# support") from v5.16.
-TST_NEEDS_CMDS="cat chgrp chown id sg sudo useradd userdel"
+TST_NEEDS_CMDS="cat chgrp chown id sg su useradd userdel"
TST_SETUP="setup"
TST_TESTFUNC="test"
REQUIRE_TMP_USER=1
@@ -82,7 +82,7 @@ test()
sh -c "$cmd"
;;
gid) sg $IMA_USER "sh -c '$cmd'";;
- uid) sudo -n -u $IMA_USER sh -c "$cmd";;
+ uid) su - $IMA_USER sh -c "$cmd";;
esac
ima_check $test_file
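Review bot: `su - $IMA_USER sh -c "$cmd"` hands `sh -c "$cmd"` to the target user's login shell as plain arguments (su only treats `-c` specially when it is su's own option), so bash or dash invoked as the login shell parses `sh` as a script file name and fails with "sh: No such file or directory" instead of running $cmd. The working spelling is `su - "$IMA_USER" -c "$cmd"`, or better `su -s /bin/sh "$IMA_USER" -c "$cmd"`, which also sidesteps a nologin shell; note too that `-` makes su chdir to a home directory that `--no-create-home` never created (a warning on every run) and source /etc/profile, which may reset PATH.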
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh b/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh
index e92f3efb95..404b63d99f 100755
--- a/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh
@@ -75,7 +75,7 @@ test3()
# Default policy does not measure user files
tst_res TINFO "verify not measuring user files"
- tst_check_cmds sudo || return
+ tst_check_cmds su || return
if [ "$IMA_MISSING_POLICY_CONTENT" = 1 ]; then
tst_res TCONF "test requires specific policy, try load it with LTP_IMA_LOAD_POLICY=1"
@@ -86,7 +86,7 @@ test3()
chown $IMA_USER $dir
cd $dir
# need to read file to get updated $ASCII_MEASUREMENTS
- sudo -n -u $IMA_USER sh -c "echo $(cat /proc/uptime) user file > $file; cat $file > /dev/null"
+ su - $IMA_USER sh -c "echo $(cat /proc/uptime) user file > $file; cat $file > /dev/null"
cd ..
if ! tst_rod "$cmd" 2> /dev/null; then
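Review bot: same construct as in ima_conditionals.sh: the words after the user name go to the login shell as positional arguments, so `su - $IMA_USER sh -c "..."` tries to run a script called `sh`; use `su - "$IMA_USER" -c "..."` (or `-s /bin/sh`). It matters more here, because this test expects the file not to be measured, so a failing su leaves $file uncreated and the following `grep` turns that into a pass; checking that $file exists after the su line would expose it.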
--
2.51.0
* Re: [LTP] [PATCH 0/4] ima_{conditionals,measurements}.sh enhancements
From: Andrea Cervesato @ 2025-10-06 7:26 UTC (permalink / raw)
To: Petr Vorel, ltp; +Cc: linux-integrity
hi!
On Thu Oct 2, 2025 at 10:36 AM CEST, Petr Vorel wrote:
>
> Petr Vorel (4):
> ima_{conditionals,measurements}.sh: Add temporary user
> ima_conditionals.sh: Split test by request
> ima_conditionals.sh: Use 'sg' without 'sudo'
> ima_{conditionals,measurements}.sh: Use 'su' instead of 'sudo'
>
> runtest/ima | 5 +-
> .../integrity/ima/tests/ima_conditionals.sh | 81 ++++++++++++-------
> .../integrity/ima/tests/ima_measurements.sh | 15 ++--
> .../security/integrity/ima/tests/ima_setup.sh | 12 +++
> 4 files changed, 71 insertions(+), 42 deletions(-)
What about creating a tool simulating sudo? I thought that was our main
goal. Using 'su' is ok, but this forces us to create a new user every
time we execute a new suite, while our new sudo implementation would
create and destroy the user only for the specific session.
- Andrea
* Re: [LTP] [PATCH 2/4] ima_conditionals.sh: Split test by request
From: Andrea Cervesato @ 2025-10-06 7:26 UTC (permalink / raw)
To: Petr Vorel, ltp; +Cc: linux-integrity
Hi!
On Thu Oct 2, 2025 at 10:36 AM CEST, Petr Vorel wrote:
> This helps to run all testcases on systems without CONFIG_IMA_WRITE_POLICY=y
> (disabled by default in mainline, therefore disabled for some distros,
> e.g. openSUSE Tumbleweed), if SUT reboots.
>
> The downside is creating user account 4x instead just once.
>
> Signed-off-by: Petr Vorel <pvorel@suse.cz>
> ---
> runtest/ima | 5 +-
> .../integrity/ima/tests/ima_conditionals.sh | 67 ++++++++++++-------
> 2 files changed, 47 insertions(+), 25 deletions(-)
>
> diff --git a/runtest/ima b/runtest/ima
> index 01942eefa3..c8d0c6801e 100644
> --- a/runtest/ima
> +++ b/runtest/ima
> @@ -6,5 +6,8 @@ ima_violations ima_violations.sh
> ima_keys ima_keys.sh
> ima_kexec ima_kexec.sh
> ima_selinux ima_selinux.sh
> -ima_conditionals ima_conditionals.sh
> +ima_conditionals_uid ima_conditionals.sh -r uid
> +ima_conditionals_fowner ima_conditionals.sh -r fowner
> +ima_conditionals_gid ima_conditionals.sh -r gid
> +ima_conditionals_fgroup ima_conditionals.sh -r fgroup
Why not using multiple test cases inside the test?
* Re: [LTP] [PATCH 0/4] ima_{conditionals,measurements}.sh enhancements
From: Petr Vorel @ 2025-10-06 9:35 UTC (permalink / raw)
To: Andrea Cervesato; +Cc: ltp, linux-integrity
Hi Andrea,
...
> What about creating a tool simulating sudo? I thought that was our main
> goal. Using 'su' is ok, but this forces us to create a new user all the
> times we execute a new suite, while our new sudo implementation would
> create and destroy the user only for the specific session.
Jan suggested implementing it [1] ("changes uid/gid based on parameters and
executes whatever we give it"). I'll move the discussion under that thread so
that we have it in a single place.
Kind regards,
Petr
[1] https://lore.kernel.org/ltp/CAASaF6yjdrLLVnehESx1TjsrB_z48nmN_2i585GPfkG3Vvg15Q@mail.gmail.com/
> - Andrea
* Re: [LTP] [PATCH 2/4] ima_conditionals.sh: Split test by request
From: Petr Vorel @ 2025-10-06 11:21 UTC (permalink / raw)
To: Andrea Cervesato; +Cc: ltp, linux-integrity
Hi Andrea,
> Hi!
> On Thu Oct 2, 2025 at 10:36 AM CEST, Petr Vorel wrote:
> > This helps to run all testcases on systems without CONFIG_IMA_WRITE_POLICY=y
> > (disabled by default in mainline, therefore disabled for some distros,
> > e.g. openSUSE Tumbleweed), if SUT reboots.
> > The downside is creating user account 4x instead just once.
> > Signed-off-by: Petr Vorel <pvorel@suse.cz>
> > ---
> > runtest/ima | 5 +-
> > .../integrity/ima/tests/ima_conditionals.sh | 67 ++++++++++++-------
> > 2 files changed, 47 insertions(+), 25 deletions(-)
> > diff --git a/runtest/ima b/runtest/ima
> > index 01942eefa3..c8d0c6801e 100644
> > --- a/runtest/ima
> > +++ b/runtest/ima
> > @@ -6,5 +6,8 @@ ima_violations ima_violations.sh
> > ima_keys ima_keys.sh
> > ima_kexec ima_kexec.sh
> > ima_selinux ima_selinux.sh
> > -ima_conditionals ima_conditionals.sh
> > +ima_conditionals_uid ima_conditionals.sh -r uid
> > +ima_conditionals_fowner ima_conditionals.sh -r fowner
> > +ima_conditionals_gid ima_conditionals.sh -r gid
> > +ima_conditionals_fgroup ima_conditionals.sh -r fgroup
> Why not using multiple test cases inside the test?
That would not help. I hoped I had explained the reason well in the commit message,
but obviously I didn't.
verify_measurement() writes into /sys/kernel/security/ima/policy, which on
kernels without CONFIG_IMA_WRITE_POLICY requires a SUT reboot. Because LTP does
not support any reboot, this needs to be handled after the test finishes. That's why
I separated the tests. This helps to cover more than the first test case out of
four.
Kind regards,
Petr
* Re: [LTP] [PATCH 2/4] ima_conditionals.sh: Split test by request
From: Andrea Cervesato @ 2025-10-06 11:40 UTC (permalink / raw)
To: Petr Vorel, Andrea Cervesato; +Cc: ltp, linux-integrity
> verify_measurement() writes into /sys/kernel/security/ima/policy which on
> kernels without CONFIG_IMA_WRITE_POLICY requires SUT reboot. Because LTP does
> not support any reboot, this needs to be handled after test finishes. That's why
> I separated the tests. This helps to cover more than the first test case out of
> four.
Now I see, this is clearly a corner case given by LTP limitations. I
think we should probably start to think about a reboot flag then. Once the
PR for the new SUT is implemented in kirk, it's time to work on
this.
--
Andrea Cervesato
andrea.cervesato@suse.com
* Re: [LTP] [PATCH 2/4] ima_conditionals.sh: Split test by request
From: Petr Vorel @ 2025-10-08 4:38 UTC (permalink / raw)
To: Andrea Cervesato; +Cc: ltp, linux-integrity
> > verify_measurement() writes into /sys/kernel/security/ima/policy which on
> > kernels without CONFIG_IMA_WRITE_POLICY requires SUT reboot. Because LTP does
> > not support any reboot, this needs to be handled after test finishes. That's why
> > I separated the tests. This helps to cover more than the first test case out of
> > four.
> Now I see, this is clearly a corner case given by LTP limitations. I
> think we should probably start to think about reboot flag then. Once the
> PR for the new SUT will be implemented in kirk, it's time to work on
> this.
I would not wait for this, as it is a long-term project (on both the LTP side and
the IMA tests being converted to the shell API, at least). Once this
functionality is implemented, the split can be reverted.
Kind regards,
Petr