linux-integrity.vger.kernel.org archive mirror
* [PATCH v3 00/10] LTP tests: load predefined policy, enhancements
@ 2025-01-14 11:29 Petr Vorel
  2025-01-14 11:29 ` [PATCH v3 01/10] ima_violations.sh: Fix log detection Petr Vorel
                   ` (10 more replies)
  0 siblings, 11 replies; 26+ messages in thread
From: Petr Vorel @ 2025-01-14 11:29 UTC (permalink / raw)
  To: ltp; +Cc: Petr Vorel, Mimi Zohar, linux-integrity

Changes v2->v3:
* Rewrite the logic verifying whether the policy needs to be loaded and how it is
  loaded.
* Allow testing when policy is not reliable, but relax failures to TCONF.
* Add TCB policy example.
* Document LTP_IMA_LOAD_POLICY in doc/users/setup_tests.rst.
* Fix test policy installation (previously wrong Makefile).
* Removed some of the previous commits ("ima_kexec.sh: Relax result on
  unreadable policy to TCONF", "ima_violations.sh: Check for a required policy",
  "ima_setup: Print warning when policy not readable").
* More cleanup.

TODO: ima_measurements.sh and ima_violations.sh use detection for the
ima_policy=tcb builtin policy. But if the example policy is loaded, there is
no longer a tcb policy. Not sure how to fix it - some tooling might not
support reboot, thus I wanted to use ima_policy=tcb, which previously
worked.

Petr Vorel (10):
  ima_violations.sh: Fix log detection
  IMA: Add TCB policy as an example for ima_measurements.sh
  IMA: Move requirement check to ima_setup.sh
  IMA: Add example policy for ima_violations.sh
  IMA: Read required policy from file
  ima_violations.sh: Declare tcb builtin policy
  ima_setup.sh: Add digest index detection for ima-buf format
  ima_setup.sh: Allow to load predefined policy
  ima_measurements.sh: Check policy for test3
  tst_test.sh: IMA: Allow to disable LSM warnings and use it for IMA

 doc/users/setup_tests.rst                     |   3 +
 .../kernel/security/integrity/ima/README.md   |  12 ++
 .../security/integrity/ima/datafiles/Makefile |   4 +-
 .../ima/datafiles/ima_measurements/Makefile   |  11 ++
 .../ima/datafiles/ima_measurements/tcb.policy |  20 +++
 .../ima/datafiles/ima_violations/Makefile     |  11 ++
 .../ima_violations/violations.policy          |   2 +
 .../integrity/ima/tests/evm_overlay.sh        |   3 +-
 .../security/integrity/ima/tests/ima_kexec.sh |  20 +--
 .../security/integrity/ima/tests/ima_keys.sh  |  48 ++-----
 .../integrity/ima/tests/ima_measurements.sh   |  19 ++-
 .../integrity/ima/tests/ima_selinux.sh        |  23 ++-
 .../security/integrity/ima/tests/ima_setup.sh | 135 +++++++++++++++---
 .../integrity/ima/tests/ima_violations.sh     |  15 +-
 testcases/lib/tst_test.sh                     |   4 +-
 15 files changed, 235 insertions(+), 95 deletions(-)
 create mode 100644 testcases/kernel/security/integrity/ima/datafiles/ima_measurements/Makefile
 create mode 100644 testcases/kernel/security/integrity/ima/datafiles/ima_measurements/tcb.policy
 create mode 100644 testcases/kernel/security/integrity/ima/datafiles/ima_violations/Makefile
 create mode 100644 testcases/kernel/security/integrity/ima/datafiles/ima_violations/violations.policy

-- 
2.47.1



* [PATCH v3 01/10] ima_violations.sh: Fix log detection
  2025-01-14 11:29 [PATCH v3 00/10] LTP tests: load predefined policy, enhancements Petr Vorel
@ 2025-01-14 11:29 ` Petr Vorel
  2025-01-23 17:37   ` Mimi Zohar
  2025-01-14 11:29 ` [PATCH v3 02/10] IMA: Add TCB policy as an example for ima_measurements.sh Petr Vorel
                   ` (9 subsequent siblings)
  10 siblings, 1 reply; 26+ messages in thread
From: Petr Vorel @ 2025-01-14 11:29 UTC (permalink / raw)
  To: ltp; +Cc: Petr Vorel, Mimi Zohar, linux-integrity

Fix TBROK on systems which do not have /var/log/messages
(any modern distro is using systemd) nor auditd installed:

    ima_violations 1 TBROK: log /var/log/messages does not exist (bug in detection?)

Instead, TCONF with a more meaningful message:

    ima_violations 1 TCONF: log file not found, install auditd

Fixes: https://github.com/linux-test-project/ltp/issues/372
Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
 .../kernel/security/integrity/ima/tests/ima_violations.sh   | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/testcases/kernel/security/integrity/ima/tests/ima_violations.sh b/testcases/kernel/security/integrity/ima/tests/ima_violations.sh
index 0f710dea2e..b2b597ad08 100755
--- a/testcases/kernel/security/integrity/ima/tests/ima_violations.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_violations.sh
@@ -23,8 +23,10 @@ setup()
 		PRINTK_RATE_LIMIT=`sysctl -n kernel.printk_ratelimit`
 		sysctl -wq kernel.printk_ratelimit=0
 	fi
-	[ -f "$LOG" ] || \
-		tst_brk TBROK "log $LOG does not exist (bug in detection?)"
+
+	if [ ! -e "$LOG" ]; then
+		tst_brk TCONF "log file not found, install auditd"
+	fi
 	tst_res TINFO "using log $LOG"
 }
 
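Review bot: the TCONF message hardcodes "install auditd" although $LOG may have been detected as /var/log/messages rather than the audit log, so the hint can mislead on systems where the detection picked syslog; include the path in the message, e.g. `tst_brk TCONF "log file $LOG not found, install auditd or syslog"`. Also note the test changed from `-f` to `! -e`, so a $LOG that exists but is not a regular file now passes the check and reaches `tst_res TINFO "using log $LOG"`.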
-- 
2.47.1



* [PATCH v3 02/10] IMA: Add TCB policy as an example for ima_measurements.sh
  2025-01-14 11:29 [PATCH v3 00/10] LTP tests: load predefined policy, enhancements Petr Vorel
  2025-01-14 11:29 ` [PATCH v3 01/10] ima_violations.sh: Fix log detection Petr Vorel
@ 2025-01-14 11:29 ` Petr Vorel
  2025-01-23 17:38   ` Mimi Zohar
  2025-01-14 11:29 ` [PATCH v3 03/10] IMA: Move requirement check to ima_setup.sh Petr Vorel
                   ` (8 subsequent siblings)
  10 siblings, 1 reply; 26+ messages in thread
From: Petr Vorel @ 2025-01-14 11:29 UTC (permalink / raw)
  To: ltp; +Cc: Petr Vorel, Mimi Zohar, linux-integrity

Taken from IMA docs [1], removed dont_measure fsmagic=0x1021994 (tmpfs)
as suggested by Mimi.

[1] https://ima-doc.readthedocs.io/en/latest/ima-policy.html#ima-tcb

Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
 .../security/integrity/ima/datafiles/Makefile |  4 ++--
 .../ima/datafiles/ima_measurements/Makefile   | 11 ++++++++++
 .../ima/datafiles/ima_measurements/tcb.policy | 20 +++++++++++++++++++
 3 files changed, 33 insertions(+), 2 deletions(-)
 create mode 100644 testcases/kernel/security/integrity/ima/datafiles/ima_measurements/Makefile
 create mode 100644 testcases/kernel/security/integrity/ima/datafiles/ima_measurements/tcb.policy

diff --git a/testcases/kernel/security/integrity/ima/datafiles/Makefile b/testcases/kernel/security/integrity/ima/datafiles/Makefile
index 200fd3f4d3..0f2b4fdb11 100644
--- a/testcases/kernel/security/integrity/ima/datafiles/Makefile
+++ b/testcases/kernel/security/integrity/ima/datafiles/Makefile
@@ -1,5 +1,5 @@
 # SPDX-License-Identifier: GPL-2.0-or-later
-# Copyright (c) Linux Test Project, 2019-2020
+# Copyright (c) Linux Test Project, 2019-2025
 # Copyright (c) 2020 Microsoft Corporation
 # Copyright (C) 2009, Cisco Systems Inc.
 # Ngie Cooper, July 2009
@@ -8,6 +8,6 @@ top_srcdir	?= ../../../../../..
 
 include	$(top_srcdir)/include/mk/env_pre.mk
 
-SUBDIRS	:= ima_kexec ima_keys ima_policy ima_selinux
+SUBDIRS	:= ima_kexec ima_keys ima_measurements ima_policy ima_selinux
 
 include $(top_srcdir)/include/mk/generic_trunk_target.mk
diff --git a/testcases/kernel/security/integrity/ima/datafiles/ima_measurements/Makefile b/testcases/kernel/security/integrity/ima/datafiles/ima_measurements/Makefile
new file mode 100644
index 0000000000..6317f2bf85
--- /dev/null
+++ b/testcases/kernel/security/integrity/ima/datafiles/ima_measurements/Makefile
@@ -0,0 +1,11 @@
+# SPDX-License-Identifier: GPL-2.0-or-later
+# Copyright (c) Linux Test Project, 2025
+
+top_srcdir	?= ../../../../../../..
+
+include	$(top_srcdir)/include/mk/env_pre.mk
+
+INSTALL_DIR		:= testcases/data/ima_measurements
+INSTALL_TARGETS	:= *.policy
+
+include $(top_srcdir)/include/mk/generic_leaf_target.mk
diff --git a/testcases/kernel/security/integrity/ima/datafiles/ima_measurements/tcb.policy b/testcases/kernel/security/integrity/ima/datafiles/ima_measurements/tcb.policy
new file mode 100644
index 0000000000..1e4a932bf0
--- /dev/null
+++ b/testcases/kernel/security/integrity/ima/datafiles/ima_measurements/tcb.policy
@@ -0,0 +1,20 @@
+dont_measure fsmagic=0x9fa0
+dont_measure fsmagic=0x62656572
+dont_measure fsmagic=0x64626720
+dont_measure fsmagic=0x1021994 func=FILE_CHECK
+dont_measure fsmagic=0x1cd1
+dont_measure fsmagic=0x42494e4d
+dont_measure fsmagic=0x73636673
+dont_measure fsmagic=0xf97cff8c
+dont_measure fsmagic=0x43415d53
+dont_measure fsmagic=0x27e0eb
+dont_measure fsmagic=0x63677270
+dont_measure fsmagic=0x6e736673
+dont_measure fsmagic=0xde5e81e4
+measure func=MMAP_CHECK mask=MAY_EXEC
+measure func=BPRM_CHECK mask=MAY_EXEC
+measure func=FILE_CHECK mask=^MAY_READ euid=0
+measure func=FILE_CHECK mask=^MAY_READ uid=0
+measure func=MODULE_CHECK
+measure func=FIRMWARE_CHECK
+measure func=POLICY_CHECK
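Review bot: the commit message says the tmpfs rule `dont_measure fsmagic=0x1021994` was removed, but the file still carries `dont_measure fsmagic=0x1021994 func=FILE_CHECK`; either the message should say the rule was narrowed to func=FILE_CHECK (so tmpfs is still measured for MMAP_CHECK/BPRM_CHECK) or the line should go. Since this file is later compared line by line against /sys/kernel/security/ima/policy, every line here must match the kernel's formatting of the builtin tcb policy exactly.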
-- 
2.47.1



* [PATCH v3 03/10] IMA: Move requirement check to ima_setup.sh
  2025-01-14 11:29 [PATCH v3 00/10] LTP tests: load predefined policy, enhancements Petr Vorel
  2025-01-14 11:29 ` [PATCH v3 01/10] ima_violations.sh: Fix log detection Petr Vorel
  2025-01-14 11:29 ` [PATCH v3 02/10] IMA: Add TCB policy as an example for ima_measurements.sh Petr Vorel
@ 2025-01-14 11:29 ` Petr Vorel
  2025-01-23 17:38   ` Mimi Zohar
  2025-01-14 11:29 ` [PATCH v3 04/10] IMA: Add example policy for ima_violations.sh Petr Vorel
                   ` (7 subsequent siblings)
  10 siblings, 1 reply; 26+ messages in thread
From: Petr Vorel @ 2025-01-14 11:29 UTC (permalink / raw)
  To: ltp; +Cc: Petr Vorel, Mimi Zohar, linux-integrity

Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
 .../kernel/security/integrity/ima/tests/evm_overlay.sh      | 3 +--
 .../kernel/security/integrity/ima/tests/ima_measurements.sh | 6 +++---
 testcases/kernel/security/integrity/ima/tests/ima_setup.sh  | 6 +++++-
 3 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/testcases/kernel/security/integrity/ima/tests/evm_overlay.sh b/testcases/kernel/security/integrity/ima/tests/evm_overlay.sh
index 12b2a28c25..6a48f63aaa 100755
--- a/testcases/kernel/security/integrity/ima/tests/evm_overlay.sh
+++ b/testcases/kernel/security/integrity/ima/tests/evm_overlay.sh
@@ -9,6 +9,7 @@
 TST_SETUP="setup"
 TST_CLEANUP="cleanup"
 TST_CNT=4
+REQUIRED_BUILTIN_POLICY="appraise_tcb"
 
 setup()
 {
@@ -17,8 +18,6 @@ setup()
 	[ -f "$EVM_FILE" ] || tst_brk TCONF "EVM not enabled in kernel"
 	[ $(cat $EVM_FILE) -eq 1 ] || tst_brk TCONF "EVM not enabled for this boot"
 
-	require_ima_policy_cmdline "appraise_tcb"
-
 	lower="$TST_MNTPOINT/lower"
 	upper="$TST_MNTPOINT/upper"
 	work="$TST_MNTPOINT/work"
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh b/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh
index 1da2aa6a51..ca9d73b4aa 100755
--- a/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh
@@ -1,19 +1,19 @@
 #!/bin/sh
 # SPDX-License-Identifier: GPL-2.0-or-later
 # Copyright (c) 2009 IBM Corporation
-# Copyright (c) 2018-2021 Petr Vorel <pvorel@suse.cz>
+# Copyright (c) 2018-2025 Petr Vorel <pvorel@suse.cz>
 # Author: Mimi Zohar <zohar@linux.ibm.com>
 #
 # Verify that measurements are added to the measurement list based on policy.
+# Test requires ima_policy=tcb.
 
 TST_NEEDS_CMDS="awk cut sed"
 TST_SETUP="setup"
 TST_CNT=3
+REQUIRED_BUILTIN_POLICY="tcb"
 
 setup()
 {
-	require_ima_policy_cmdline "tcb"
-
 	TEST_FILE="$PWD/test.txt"
 	[ -f "$IMA_POLICY" ] || tst_res TINFO "not using default policy"
 }
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
index fc0e769729..2a578ceb45 100644
--- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
@@ -1,7 +1,7 @@
 #!/bin/sh
 # SPDX-License-Identifier: GPL-2.0-or-later
 # Copyright (c) 2009 IBM Corporation
-# Copyright (c) 2018-2020 Petr Vorel <pvorel@suse.cz>
+# Copyright (c) 2018-2025 Petr Vorel <pvorel@suse.cz>
 # Author: Mimi Zohar <zohar@linux.ibm.com>
 
 TST_TESTFUNC="test"
@@ -180,6 +180,10 @@ ima_setup()
 		cd "$TST_MNTPOINT"
 	fi
 
+	if [ "$REQUIRED_BUILTIN_POLICY" ]; then
+		require_ima_policy_cmdline "$REQUIRED_BUILTIN_POLICY"
+	fi
+
 	[ -n "$TST_SETUP_CALLER" ] && $TST_SETUP_CALLER
 }
 
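Review bot: moving the check into ima_setup() runs it before $TST_SETUP_CALLER, i.e. before the test's own setup(); for evm_overlay.sh this means a missing appraise_tcb policy is now reported as TCONF before the "EVM not enabled" checks instead of after them, which is fine but is a visible ordering change worth a line in the commit message. Minor: `[ "$REQUIRED_BUILTIN_POLICY" ]` works but the rest of this file uses `[ -n "..." ]`.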
-- 
2.47.1



* [PATCH v3 04/10] IMA: Add example policy for ima_violations.sh
  2025-01-14 11:29 [PATCH v3 00/10] LTP tests: load predefined policy, enhancements Petr Vorel
                   ` (2 preceding siblings ...)
  2025-01-14 11:29 ` [PATCH v3 03/10] IMA: Move requirement check to ima_setup.sh Petr Vorel
@ 2025-01-14 11:29 ` Petr Vorel
  2025-02-03 15:51   ` Mimi Zohar
  2025-01-14 11:29 ` [PATCH v3 05/10] IMA: Read required policy from file Petr Vorel
                   ` (6 subsequent siblings)
  10 siblings, 1 reply; 26+ messages in thread
From: Petr Vorel @ 2025-01-14 11:29 UTC (permalink / raw)
  To: ltp; +Cc: Petr Vorel, Mimi Zohar, linux-integrity

Suggested-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
 .../kernel/security/integrity/ima/datafiles/Makefile  |  2 +-
 .../integrity/ima/datafiles/ima_violations/Makefile   | 11 +++++++++++
 .../ima/datafiles/ima_violations/violations.policy    |  2 ++
 3 files changed, 14 insertions(+), 1 deletion(-)
 create mode 100644 testcases/kernel/security/integrity/ima/datafiles/ima_violations/Makefile
 create mode 100644 testcases/kernel/security/integrity/ima/datafiles/ima_violations/violations.policy

diff --git a/testcases/kernel/security/integrity/ima/datafiles/Makefile b/testcases/kernel/security/integrity/ima/datafiles/Makefile
index 0f2b4fdb11..2013bfc918 100644
--- a/testcases/kernel/security/integrity/ima/datafiles/Makefile
+++ b/testcases/kernel/security/integrity/ima/datafiles/Makefile
@@ -8,6 +8,6 @@ top_srcdir	?= ../../../../../..
 
 include	$(top_srcdir)/include/mk/env_pre.mk
 
-SUBDIRS	:= ima_kexec ima_keys ima_measurements ima_policy ima_selinux
+SUBDIRS	:= ima_kexec ima_keys ima_measurements ima_policy ima_selinux ima_violations
 
 include $(top_srcdir)/include/mk/generic_trunk_target.mk
diff --git a/testcases/kernel/security/integrity/ima/datafiles/ima_violations/Makefile b/testcases/kernel/security/integrity/ima/datafiles/ima_violations/Makefile
new file mode 100644
index 0000000000..58d474f076
--- /dev/null
+++ b/testcases/kernel/security/integrity/ima/datafiles/ima_violations/Makefile
@@ -0,0 +1,11 @@
+# SPDX-License-Identifier: GPL-2.0-or-later
+# Copyright (c) Linux Test Project, 2025
+
+top_srcdir	?= ../../../../../../..
+
+include	$(top_srcdir)/include/mk/env_pre.mk
+
+INSTALL_DIR		:= testcases/data/ima_violations
+INSTALL_TARGETS	:= *.policy
+
+include $(top_srcdir)/include/mk/generic_leaf_target.mk
diff --git a/testcases/kernel/security/integrity/ima/datafiles/ima_violations/violations.policy b/testcases/kernel/security/integrity/ima/datafiles/ima_violations/violations.policy
new file mode 100644
index 0000000000..466b8c5a64
--- /dev/null
+++ b/testcases/kernel/security/integrity/ima/datafiles/ima_violations/violations.policy
@@ -0,0 +1,2 @@
+measure func=FILE_CHECK mask=^MAY_READ euid=0
+measure func=FILE_CHECK mask=^MAY_READ uid=0
-- 
2.47.1



* [PATCH v3 05/10] IMA: Read required policy from file
  2025-01-14 11:29 [PATCH v3 00/10] LTP tests: load predefined policy, enhancements Petr Vorel
                   ` (3 preceding siblings ...)
  2025-01-14 11:29 ` [PATCH v3 04/10] IMA: Add example policy for ima_violations.sh Petr Vorel
@ 2025-01-14 11:29 ` Petr Vorel
  2025-01-23 17:39   ` Mimi Zohar
  2025-01-14 11:29 ` [PATCH v3 06/10] ima_violations.sh: Declare tcb builtin policy Petr Vorel
                   ` (5 subsequent siblings)
  10 siblings, 1 reply; 26+ messages in thread
From: Petr Vorel @ 2025-01-14 11:29 UTC (permalink / raw)
  To: ltp; +Cc: Petr Vorel, Mimi Zohar, linux-integrity

Previously a snippet of the required policy was given as a string or regexp.
Loading the required policy from a file allows moving the code to ima_setup.sh.
This is a preparation for loading the IMA policy from a file.

The check can be done on one or both:
1) IMA builtin policy (based on /proc/cmdline)
2) IMA policy content (actual content of /sys/kernel/security/ima/policy)

When CONFIG_IMA_READ_POLICY=y is missing for the required policy check: test, but convert TFAIL => TCONF.

Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
 .../security/integrity/ima/tests/ima_kexec.sh | 19 ++----
 .../security/integrity/ima/tests/ima_keys.sh  | 47 ++++---------
 .../integrity/ima/tests/ima_measurements.sh   |  8 ++-
 .../integrity/ima/tests/ima_selinux.sh        | 22 +++---
 .../security/integrity/ima/tests/ima_setup.sh | 68 ++++++++++++++-----
 .../integrity/ima/tests/ima_violations.sh     |  8 ++-
 6 files changed, 92 insertions(+), 80 deletions(-)

diff --git a/testcases/kernel/security/integrity/ima/tests/ima_kexec.sh b/testcases/kernel/security/integrity/ima/tests/ima_kexec.sh
index 3446bc24bf..95e6186bb5 100755
--- a/testcases/kernel/security/integrity/ima/tests/ima_kexec.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_kexec.sh
@@ -1,7 +1,7 @@
 #!/bin/sh
 # SPDX-License-Identifier: GPL-2.0-or-later
 # Copyright (c) 2020 Microsoft Corporation
-# Copyright (c) 2020 Petr Vorel <pvorel@suse.cz>
+# Copyright (c) 2020-2025 Petr Vorel <pvorel@suse.cz>
 # Author: Lachlan Sneff <t-josne@linux.microsoft.com>
 #
 # Verify that kexec cmdline is measured correctly.
@@ -14,7 +14,7 @@ TST_SETUP="setup"
 TST_MIN_KVER="5.3"
 
 IMA_KEXEC_IMAGE="${IMA_KEXEC_IMAGE:-/boot/vmlinuz-$(uname -r)}"
-REQUIRED_POLICY='^measure.*func=KEXEC_CMDLINE'
+REQUIRED_POLICY_CONTENT='kexec.policy'
 
 measure()
 {
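Review bot: REQUIRED_POLICY_CONTENT='kexec.policy' is resolved as $TST_DATAROOT/kexec.policy by verify_ima_policy and TBROKs when the file is absent, yet no kexec.policy is added or touched anywhere in this series (the diffstat only creates tcb.policy and violations.policy); please confirm the file is already installed for ima_kexec, and likewise keycheck.policy and selinux.policy for the other two tests.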
@@ -46,11 +46,6 @@ setup()
 	if [ ! -f "$IMA_KEXEC_IMAGE" ]; then
 		tst_brk TCONF "kernel image not found, specify path in \$IMA_KEXEC_IMAGE"
 	fi
-
-	if check_policy_readable; then
-		require_ima_policy_content "$REQUIRED_POLICY"
-		policy_readable=1
-	fi
 }
 
 kexec_failure_hint()
@@ -79,7 +74,6 @@ kexec_test()
 {
 	local param="$1"
 	local cmdline="$2"
-	local res=TFAIL
 	local kexec_cmd
 
 	kexec_cmd="$param=$cmdline"
@@ -97,13 +91,10 @@ kexec_test()
 
 	ROD kexec -su
 	if ! measure "$cmdline"; then
-		if [ "$policy_readable" != 1 ]; then
-			tst_res TWARN "policy not readable, it might not contain required policy '$REQUIRED_POLICY'"
-			res=TBROK
-		fi
-		tst_brk $res "unable to find a correct measurement"
+		tst_res $IMA_FAIL "unable to find a correct measurement"
+	else
+		tst_res TPASS "kexec cmdline was measured correctly"
 	fi
-	tst_res TPASS "kexec cmdline was measured correctly"
 }
 
 test()
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_keys.sh b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh
index ff32eb6c43..a2e9c77738 100755
--- a/testcases/kernel/security/integrity/ima/tests/ima_keys.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh
@@ -1,7 +1,7 @@
 #!/bin/sh
 # SPDX-License-Identifier: GPL-2.0-or-later
 # Copyright (c) 2020 Microsoft Corporation
-# Copyright (c) 2020-2021 Petr Vorel <pvorel@suse.cz>
+# Copyright (c) 2020-2025 Petr Vorel <pvorel@suse.cz>
 # Author: Lachlan Sneff <t-josne@linux.microsoft.com>
 #
 # Verify that keys are measured correctly based on policy.
@@ -12,38 +12,24 @@ TST_SETUP=setup
 TST_CLEANUP=cleanup
 TST_MIN_KVER="5.6"
 
-FUNC_KEYCHECK='func=KEY_CHECK'
-REQUIRED_POLICY="^measure.*$FUNC_KEYCHECK"
+REQUIRED_POLICY_CONTENT='keycheck.policy'
 
 setup()
 {
-	require_ima_policy_content "$REQUIRED_POLICY" '-E' > $TST_TMPDIR/policy.txt
-	require_valid_policy_template
-}
+	local line
 
-cleanup()
-{
-	tst_is_num $KEYRING_ID && keyctl clear $KEYRING_ID
-}
+	require_policy_readable
 
-require_valid_policy_template()
-{
 	while read line; do
-	if echo $line | grep -q 'template=' && ! echo $line | grep -q 'template=ima-buf'; then
-		tst_brk TCONF "only template=ima-buf can be specified for KEY_CHECK"
-	fi
-	done < $TST_TMPDIR/policy.txt
+		if echo $line | grep -q 'template=' && ! echo $line | grep -q 'template=ima-buf'; then
+			tst_brk TCONF "only template=ima-buf can be specified for KEY_CHECK"
+		fi
+	done < $IMA_POLICY
 }
 
-check_keys_policy()
+cleanup()
 {
-	local pattern="$1"
-
-	if ! grep -E "$pattern" $TST_TMPDIR/policy.txt; then
-		tst_res TCONF "IMA policy must specify $pattern, $FUNC_KEYCHECK"
-		return 1
-	fi
-	return 0
+	tst_is_num $KEYRING_ID && keyctl clear $KEYRING_ID
 }
 
 # Based on https://lkml.org/lkml/2019/12/13/564.
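Review bot: the template= validation loop now reads the whole $IMA_POLICY instead of the previously filtered `^measure.*func=KEY_CHECK` lines, so any unrelated rule carrying e.g. template=ima-ng makes setup() TCONF with "only template=ima-buf can be specified for KEY_CHECK"; restrict the loop to KEY_CHECK rules, e.g. `grep 'func=KEY_CHECK' $IMA_POLICY | while read line; do ... done`, or skip lines without func=KEY_CHECK inside the loop.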
@@ -51,12 +37,10 @@ check_keys_policy()
 test1()
 {
 	local keycheck_lines i keyrings templates
-	local pattern='keyrings=[^[:space:]]+'
 	local test_file="file.txt" tmp_file="file2.txt"
 
 	tst_res TINFO "verify key measurement for keyrings and templates specified in IMA policy"
 
-	check_keys_policy "$pattern" > $tmp_file || return
 	keycheck_lines=$(cat $tmp_file)
 	keyrings=$(for i in $keycheck_lines; do echo "$i" | grep "keyrings" | \
 		sed "s/\./\\\./g" | cut -d'=' -f2; done | sed ':a;N;$!ba;s/\n/|/g')
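Review bot: removing `check_keys_policy "$pattern" > $tmp_file` leaves nothing that writes $tmp_file, so `keycheck_lines=$(cat $tmp_file)` now fails and keyrings/templates end up empty; test1 needs another source for the KEY_CHECK rules, e.g. `keycheck_lines=$(grep 'func=KEY_CHECK' $IMA_POLICY)` (guarded by require_policy_readable, which setup() already calls) or a read of $TST_DATAROOT/$REQUIRED_POLICY_CONTENT when the policy is not readable.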
@@ -87,7 +71,7 @@ test1()
 		fi
 
 		if [ "$digest" != "$expected_digest" ]; then
-			tst_res TFAIL "incorrect digest was found for $keyring keyring"
+			tst_res $IMA_FAIL "incorrect digest was found for $keyring keyring"
 			return
 		fi
 	done
@@ -105,13 +89,10 @@ test2()
 
 	local cert_file="$TST_DATAROOT/x509_ima.der"
 	local keyring_name="key_import_test"
-	local pattern="keyrings=[^[:space:]]*$keyring_name"
 	local temp_file="file.txt"
 
 	tst_res TINFO "verify measurement of certificate imported into a keyring"
 
-	check_keys_policy "$pattern" >/dev/null || return
-
 	KEYRING_ID=$(keyctl newring $keyring_name @s) || \
 		tst_brk TBROK "unable to create a new keyring"
 
@@ -126,19 +107,19 @@ test2()
 		tst_hexdump -d > $temp_file
 
 	if [ ! -s $temp_file ]; then
-		tst_res TFAIL "keyring $keyring_name not found in $ASCII_MEASUREMENTS"
+		tst_res $IMA_FAIL "keyring $keyring_name not found in $ASCII_MEASUREMENTS"
 		return
 	fi
 
 	if ! openssl x509 -in $temp_file -inform der > /dev/null; then
-		tst_res TFAIL "logged certificate is not a valid x509 certificate"
+		tst_res $IMA_FAIL "logged certificate is not a valid x509 certificate"
 		return
 	fi
 
 	if cmp -s $temp_file $cert_file; then
 		tst_res TPASS "logged certificate matches the original"
 	else
-		tst_res TFAIL "logged certificate does not match original"
+		tst_res $IMA_FAIL "logged certificate does not match original"
 	fi
 }
 
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh b/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh
index ca9d73b4aa..41d53aa03b 100755
--- a/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh
@@ -11,6 +11,7 @@ TST_NEEDS_CMDS="awk cut sed"
 TST_SETUP="setup"
 TST_CNT=3
 REQUIRED_BUILTIN_POLICY="tcb"
+REQUIRED_POLICY_CONTENT='tcb.policy'
 
 setup()
 {
@@ -70,6 +71,7 @@ test3()
 	local user="nobody"
 	local dir="$PWD/user"
 	local file="$dir/test.txt"
+	local cmd="grep $file $ASCII_MEASUREMENTS"
 
 	# Default policy does not measure user files
 	tst_res TINFO "verify not measuring user files"
@@ -87,7 +89,11 @@ test3()
 	sudo -n -u $user sh -c "echo $(cat /proc/uptime) user file > $file; cat $file > /dev/null"
 	cd ..
 
-	EXPECT_FAIL "grep $file $ASCII_MEASUREMENTS"
+	if tst_rod "$cmd" 2> /dev/null; then
+		tst_res TPASS "$cmd failed as expected"
+	else
+		tst_res $IMA_FAIL "$cmd passed unexpectedly"
+	fi
 }
 
 . ima_setup.sh
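Review bot: the condition looks inverted: `if tst_rod "$cmd"` succeeds when grep finds $file in $ASCII_MEASUREMENTS, which is the outcome test3 treats as a failure ("Default policy does not measure user files"), yet that branch reports TPASS "$cmd failed as expected" and the else branch reports the failure as "passed unexpectedly". Unless tst_rod returns an inverted status, this should be `if ! tst_rod "$cmd" 2> /dev/null; then tst_res TPASS ...` with the messages swapped accordingly; also check that tst_rod does not TBROK on a non-zero exit the way ROD does, since a non-match is the expected result here.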
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_selinux.sh b/testcases/kernel/security/integrity/ima/tests/ima_selinux.sh
index 75f9ba84e4..45fd741b5f 100755
--- a/testcases/kernel/security/integrity/ima/tests/ima_selinux.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_selinux.sh
@@ -1,6 +1,7 @@
 #!/bin/sh
 # SPDX-License-Identifier: GPL-2.0-or-later
 # Copyright (c) 2021 Microsoft Corporation
+# Copyright (c) Linux Test Project, 2021-2025
 # Author: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
 #
 # Verify measurement of SELinux policy hash and state.
@@ -14,15 +15,12 @@ TST_CNT=2
 TST_SETUP="setup"
 TST_MIN_KVER="5.12"
 
-FUNC_CRITICAL_DATA='func=CRITICAL_DATA'
-REQUIRED_POLICY="^measure.*$FUNC_CRITICAL_DATA"
+REQUIRED_POLICY_CONTENT='selinux.policy'
 
 setup()
 {
 	SELINUX_DIR=$(tst_get_selinux_dir)
 	[ "$SELINUX_DIR" ] || tst_brk TCONF "SELinux is not enabled"
-
-	require_ima_policy_content "$REQUIRED_POLICY" '-E' > $TST_TMPDIR/policy.txt
 }
 
 # Format of the measured SELinux state data.
@@ -45,7 +43,7 @@ validate_policy_capabilities()
 		measured_value=$(echo $1 | awk -F'[=;]' -v inx="$inx" '{print $inx}')
 		expected_value=$(cat "$SELINUX_DIR/policy_capabilities/$measured_cap")
 		if [ "$measured_value" != "$expected_value" ]; then
-			tst_res TFAIL "$measured_cap: expected: $expected_value, got: $digest"
+			tst_res $IMA_FAIL "$measured_cap: expected: $expected_value, got: $digest"
 			return
 		fi
 
@@ -75,7 +73,7 @@ test1()
 	# in kernel memory for SELinux
 	line=$(grep -E "selinux-policy-hash" $ASCII_MEASUREMENTS | tail -1)
 	if [ -z "$line" ]; then
-		tst_res TFAIL "SELinux policy hash not measured"
+		tst_res $IMA_FAIL "SELinux policy hash not measured"
 		return
 	fi
 
@@ -86,7 +84,7 @@ test1()
 		tst_brk TCONF "cannot compute digest for $algorithm"
 
 	if [ "$policy_digest" != "$expected_policy_digest" ]; then
-		tst_res TFAIL "Digest mismatch: expected: $expected_policy_digest, got: $policy_digest"
+		tst_res $IMA_FAIL "Digest mismatch: expected: $expected_policy_digest, got: $policy_digest"
 		return
 	fi
 
@@ -116,7 +114,7 @@ test2()
 	# state matches that currently set for SELinux
 	line=$(grep -E "selinux-state" $ASCII_MEASUREMENTS | tail -1)
 	if [ -z "$line" ]; then
-		tst_res TFAIL "SELinux state not measured"
+		tst_res $IMA_FAIL "SELinux state not measured"
 		return
 	fi
 
@@ -129,7 +127,7 @@ test2()
 	tst_brk TCONF "cannot compute digest for $algorithm"
 
 	if [ "$digest" != "$expected_digest" ]; then
-		tst_res TFAIL "digest mismatch: expected: $expected_digest, got: $digest"
+		tst_res $IMA_FAIL "digest mismatch: expected: $expected_digest, got: $digest"
 		return
 	fi
 
@@ -146,20 +144,20 @@ test2()
 	enforced_value=$(echo $measured_data | awk -F'[=;]' '{print $4}')
 	expected_enforced_value=$(cat $SELINUX_DIR/enforce)
 	if [ "$expected_enforced_value" != "$enforced_value" ]; then
-		tst_res TFAIL "enforce: expected: $expected_enforced_value, got: $enforced_value"
+		tst_res $IMA_FAIL "enforce: expected: $expected_enforced_value, got: $enforced_value"
 		return
 	fi
 
 	checkreqprot_value=$(echo $measured_data | awk -F'[=;]' '{print $6}')
 	expected_checkreqprot_value=$(cat $SELINUX_DIR/checkreqprot)
 	if [ "$expected_checkreqprot_value" != "$checkreqprot_value" ]; then
-		tst_res TFAIL "checkreqprot: expected: $expected_checkreqprot_value, got: $checkreqprot_value"
+		tst_res $IMA_FAIL "checkreqprot: expected: $expected_checkreqprot_value, got: $checkreqprot_value"
 		return
 	fi
 
 	initialized_value=$(echo $measured_data | awk -F'[=;]' '{print $2}')
 	if [ "$initialized_value" != "1" ]; then
-		tst_res TFAIL "initialized: expected 1, got: $initialized_value"
+		tst_res $IMA_FAIL "initialized: expected 1, got: $initialized_value"
 		return
 	fi
 
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
index 2a578ceb45..af5584951c 100644
--- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
@@ -19,6 +19,9 @@ SYSFS="/sys"
 UMOUNT=
 TST_FS_TYPE="ext3"
 
+IMA_FAIL="TFAIL"
+IMA_BROK="TBROK"
+
 # TODO: find support for rmd128 rmd256 rmd320 wp256 wp384 tgr128 tgr160
 compute_digest()
 {
@@ -85,21 +88,9 @@ require_policy_writable()
 check_ima_policy_content()
 {
 	local pattern="$1"
-	local grep_params="${2--q}"
 
 	check_policy_readable || return 1
-	grep $grep_params "$pattern" $IMA_POLICY
-}
-
-require_ima_policy_content()
-{
-	local pattern="$1"
-	local grep_params="${2--q}"
-
-	require_policy_readable
-	if ! grep $grep_params "$pattern" $IMA_POLICY; then
-		tst_brk TCONF "IMA policy does not specify '$pattern'"
-	fi
+	grep -q "$pattern" $IMA_POLICY
 }
 
 check_ima_policy_cmdline()
@@ -158,6 +149,51 @@ print_ima_config()
 	tst_res TINFO "/proc/cmdline: $(cat /proc/cmdline)"
 }
 
+# Check for required
+# 1) IMA builtin policy (based on /proc/cmdline)
+# 2) IMA policy content (actual content of /sys/kernel/security/ima/policy)
+# When missing CONFIG_IMA_READ_POLICY=y on required policy convert: test, but convert TFAIL => TCONF.
+# $REQUIRED_POLICY_CONTENT: file with required IMA policy
+# $REQUIRED_BUILTIN_POLICY: IMA policy specified as kernel cmdline
+verify_ima_policy()
+{
+	local check_content line
+	local file="$TST_DATAROOT/$REQUIRED_POLICY_CONTENT"
+
+	if [ -z "$REQUIRED_POLICY_CONTENT" -a -z "$REQUIRED_BUILTIN_POLICY" ]; then
+		return 0
+	fi
+
+	if [ -n "$REQUIRED_POLICY_CONTENT" ]; then
+		check_content=1
+		if [ -n "$REQUIRED_BUILTIN_POLICY" ] && check_ima_policy_cmdline "$REQUIRED_BUILTIN_POLICY"; then
+			tst_res TINFO "booted with IMA policy: $REQUIRED_BUILTIN_POLICY"
+			return 0
+		fi
+	elif [ -n "$REQUIRED_BUILTIN_POLICY" ]; then
+		require_ima_policy_cmdline "$REQUIRED_BUILTIN_POLICY"
+	fi
+
+	if [ "$check_content" = 1 ]; then
+		[ -e $file ] || tst_brk TBROK "policy file '$file' does not exist (LTPROOT=$LTPROOT)"
+		tst_res TINFO "test requires IMA policy:"
+		cat $file
+		if check_policy_readable; then
+			# check IMA policy content
+			while read line; do
+				if ! grep -q "$line" $IMA_POLICY; then
+					tst_brk TCONF "missing required policy '$line'"
+				fi
+				IMA_POLICY_CHECKED=1
+			done < $file
+		else
+			tst_res TINFO "policy is not readable, failure will be treated as TCONF"
+			IMA_FAIL="TCONF"
+			IMA_BROK="TCONF"
+		fi
+	fi
+}
+
 ima_setup()
 {
 	SECURITYFS="$(mount_helper securityfs $SYSFS/kernel/security)"
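Review bot: `grep -q "$line" $IMA_POLICY` treats each policy line as a basic regex and matches substrings, so `measure func=FILE_CHECK mask=^MAY_READ uid=0` would also be satisfied by a longer rule such as `... uid=0 fowner=...`, and the `^` in `mask=^MAY_READ` is interpreted by grep rather than matched literally; use `grep -qxF -- "$line" $IMA_POLICY` (fixed string, whole line) and skip empty or `#` lines from the file. Smaller points in the same function: `[ -e $file ]` and `cat $file` should quote "$file" (the rest of the file quotes paths); IMA_POLICY_CHECKED=1 is set on every loop iteration and belongs after the loop; and the header comment "When missing CONFIG_IMA_READ_POLICY=y on required policy convert: test, but convert TFAIL => TCONF." is hard to parse, e.g. "When the policy is not readable (missing CONFIG_IMA_READ_POLICY=y) still run the test but convert TFAIL/TBROK to TCONF".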
@@ -180,9 +216,7 @@ ima_setup()
 		cd "$TST_MNTPOINT"
 	fi
 
-	if [ "$REQUIRED_BUILTIN_POLICY" ]; then
-		require_ima_policy_cmdline "$REQUIRED_BUILTIN_POLICY"
-	fi
+	verify_ima_policy
 
 	[ -n "$TST_SETUP_CALLER" ] && $TST_SETUP_CALLER
 }
@@ -290,7 +324,7 @@ ima_check()
 		algorithm=$(cat tmp | cut -d'|' -f1)
 		digest=$(cat tmp | cut -d'|' -f2)
 	else
-		tst_brk TBROK "failed to get algorithm/digest for '$test_file'"
+		tst_brk $IMA_BROK "failed to get algorithm/digest for '$test_file'"
 	fi
 
 	tst_res TINFO "computing digest for $algorithm algorithm"
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_violations.sh b/testcases/kernel/security/integrity/ima/tests/ima_violations.sh
index b2b597ad08..1852e8bc74 100755
--- a/testcases/kernel/security/integrity/ima/tests/ima_violations.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_violations.sh
@@ -1,7 +1,7 @@
 #!/bin/sh
 # SPDX-License-Identifier: GPL-2.0-or-later
 # Copyright (c) 2009 IBM Corporation
-# Copyright (c) 2018-2020 Petr Vorel <pvorel@suse.cz>
+# Copyright (c) 2018-2025 Petr Vorel <pvorel@suse.cz>
 # Author: Mimi Zohar <zohar@linux.ibm.com>
 #
 # Test whether ToMToU and open_writer violations invalidatethe PCR and are logged.
@@ -10,6 +10,8 @@ TST_SETUP="setup"
 TST_CLEANUP="cleanup"
 TST_CNT=3
 
+REQUIRED_POLICY_CONTENT='violations.policy'
+
 setup()
 {
 	FILE="test.txt"
@@ -83,11 +85,11 @@ validate()
 				tst_sleep 1s
 			fi
 		else
-			tst_res TFAIL "$search violation not added"
+			tst_res $IMA_FAIL "$search violation not added"
 			return
 		fi
 	done
-	tst_res TFAIL "$search not found in $LOG"
+	tst_res $IMA_FAIL "$search not found in $LOG"
 }
 
 test1()
-- 
2.47.1



* [PATCH v3 06/10] ima_violations.sh: Declare tcb builtin policy
  2025-01-14 11:29 [PATCH v3 00/10] LTP tests: load predefined policy, enhancements Petr Vorel
                   ` (4 preceding siblings ...)
  2025-01-14 11:29 ` [PATCH v3 05/10] IMA: Read required policy from file Petr Vorel
@ 2025-01-14 11:29 ` Petr Vorel
  2025-01-23 17:45   ` Mimi Zohar
  2025-01-14 11:29 ` [PATCH v3 07/10] ima_setup.sh: Add digest index detection for ima-buf format Petr Vorel
                   ` (4 subsequent siblings)
  10 siblings, 1 reply; 26+ messages in thread
From: Petr Vorel @ 2025-01-14 11:29 UTC (permalink / raw)
  To: ltp; +Cc: Petr Vorel, Mimi Zohar, linux-integrity

The IMA builtin policy contains the required rules, so allow using it.
This helps to get more reliable results on kernels without
CONFIG_IMA_READ_POLICY=y.

Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
 testcases/kernel/security/integrity/ima/tests/ima_violations.sh | 1 +
 1 file changed, 1 insertion(+)

diff --git a/testcases/kernel/security/integrity/ima/tests/ima_violations.sh b/testcases/kernel/security/integrity/ima/tests/ima_violations.sh
index 1852e8bc74..37d8d473c2 100755
--- a/testcases/kernel/security/integrity/ima/tests/ima_violations.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_violations.sh
@@ -10,6 +10,7 @@ TST_SETUP="setup"
 TST_CLEANUP="cleanup"
 TST_CNT=3
 
+REQUIRED_BUILTIN_POLICY="tcb"
 REQUIRED_POLICY_CONTENT='violations.policy'
 
 setup()
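Review bot: with both REQUIRED_BUILTIN_POLICY="tcb" and REQUIRED_POLICY_CONTENT='violations.policy' set, the commit message should state how the two requirements combine: whether ima_policy=tcb on the kernel command line is sufficient on its own, or whether violations.policy is still matched against the readable policy. The cover letter's TODO (a command-line check for ima_policy=tcb keeps passing after an example policy has replaced the builtin rules) applies to this test as much as to ima_measurements.sh, so a sentence about the expected ordering of the tests would help.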
-- 
2.47.1



* [PATCH v3 07/10] ima_setup.sh: Add digest index detection for ima-buf format
  2025-01-14 11:29 [PATCH v3 00/10] LTP tests: load predefined policy, enhancements Petr Vorel
                   ` (5 preceding siblings ...)
  2025-01-14 11:29 ` [PATCH v3 06/10] ima_violations.sh: Declare tcb builtin policy Petr Vorel
@ 2025-01-14 11:29 ` Petr Vorel
  2025-02-03 16:00   ` Mimi Zohar
  2025-01-14 11:29 ` [PATCH v3 08/10] ima_setup.sh: Allow to load predefined policy Petr Vorel
                   ` (3 subsequent siblings)
  10 siblings, 1 reply; 26+ messages in thread
From: Petr Vorel @ 2025-01-14 11:29 UTC (permalink / raw)
  To: ltp; +Cc: Petr Vorel, Mimi Zohar, linux-integrity

The ima-buf format might be loaded via the policy loading added in the next commit.

Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
 testcases/kernel/security/integrity/ima/tests/ima_setup.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
index af5584951c..1f01f18cf6 100644
--- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
@@ -242,7 +242,7 @@ set_digest_index()
 	# parse digest index
 	# https://www.kernel.org/doc/html/latest/security/IMA-templates.html#use
 	case "$template" in
-	ima|ima-ng|ima-sig) DIGEST_INDEX=4 ;;
+	ima|ima-buf|ima-ng|ima-sig) DIGEST_INDEX=4 ;;
 	*)
 		# using ima_template_fmt kernel parameter
 		local IFS="|"
-- 
2.47.1



* [PATCH v3 08/10] ima_setup.sh: Allow to load predefined policy
  2025-01-14 11:29 [PATCH v3 00/10] LTP tests: load predefined policy, enhancements Petr Vorel
                   ` (6 preceding siblings ...)
  2025-01-14 11:29 ` [PATCH v3 07/10] ima_setup.sh: Add digest index detection for ima-buf format Petr Vorel
@ 2025-01-14 11:29 ` Petr Vorel
  2025-02-03 16:31   ` Mimi Zohar
  2025-01-14 11:29 ` [PATCH v3 09/10] ima_measurements.sh: Check policy for test3 Petr Vorel
                   ` (2 subsequent siblings)
  10 siblings, 1 reply; 26+ messages in thread
From: Petr Vorel @ 2025-01-14 11:29 UTC (permalink / raw)
  To: ltp; +Cc: Petr Vorel, Mimi Zohar, linux-integrity

The environment variable LTP_IMA_LOAD_POLICY=1 tries to load the example
policy if available. This should be used only if the tooling running LTP
tests allows a reboot afterwards, because the policy may be writable only
once (e.g. missing CONFIG_IMA_WRITE_POLICY=y), or policies can influence
each other.

Loading may fail for various reasons (e.g. the previously mentioned missing
CONFIG_IMA_WRITE_POLICY=y with a policy already loaded, or when secure boot is
enabled and the kernel is configured with CONFIG_IMA_ARCH_POLICY enabled, in
which case an appraise func=POLICY_CHECK appraise_type=imasig rule is loaded,
requiring the IMA policy itself to be signed).

Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
 doc/users/setup_tests.rst                     |  3 +
 .../kernel/security/integrity/ima/README.md   | 12 ++++
 .../security/integrity/ima/tests/ima_kexec.sh |  1 +
 .../security/integrity/ima/tests/ima_keys.sh  |  1 +
 .../integrity/ima/tests/ima_measurements.sh   |  2 +-
 .../integrity/ima/tests/ima_selinux.sh        |  1 +
 .../security/integrity/ima/tests/ima_setup.sh | 72 ++++++++++++++++---
 7 files changed, 82 insertions(+), 10 deletions(-)

diff --git a/doc/users/setup_tests.rst b/doc/users/setup_tests.rst
index 721ec6bb5e..9d7f9b2cd9 100644
--- a/doc/users/setup_tests.rst
+++ b/doc/users/setup_tests.rst
@@ -59,6 +59,9 @@ users.
        both up and down with this multiplier. This is not yet implemented in the
        shell API.
 
+   * - LTP_IMA_LOAD_POLICY
+     - Load IMA example policy, see :master:`testcases/kernel/security/integrity/ima/README.md`.
+
    * - LTP_VIRT_OVERRIDE
      - Overrides virtual machine detection in the test library. Setting it to
        empty string, tells the library that system is not a virtual machine.
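Review bot: the new setup_tests.rst row does not say which value enables the feature, while the README and the code test for `LTP_IMA_LOAD_POLICY=1`. Suggest wording it like the neighbouring entries that state their expected values, e.g. "Set to 1 to load the IMA example policy (a reboot may be needed afterwards), see :master:`testcases/kernel/security/integrity/ima/README.md`."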
diff --git a/testcases/kernel/security/integrity/ima/README.md b/testcases/kernel/security/integrity/ima/README.md
index 5b261a1914..c5b3db1a5a 100644
--- a/testcases/kernel/security/integrity/ima/README.md
+++ b/testcases/kernel/security/integrity/ima/README.md
@@ -8,6 +8,18 @@ CONFIG_INTEGRITY=y
 CONFIG_IMA=y
 ```
 
+### Loading policy for testing (optional)
+Setting environment variable `LTP_IMA_LOAD_POLICY=1` tries to load example
+policy if available. This should be used only if tooling running LTP tests
+allows to reboot afterwards because policy may be writable only once, e.g.
+missing `CONFIG_IMA_WRITE_POLICY=y`, or policies can influence each other.
+
+Loading may fail due various reasons (e.g. previously mentioned missing
+`CONFIG_IMA_WRITE_POLICY=y` and policy already loaded or when secure boot is
+enabled and the kernel is configured with `CONFIG_IMA_ARCH_POLICY` enabled, an
+`appraise func=POLICY_CHECK appraise_type=imasig` rule is loaded, requiring the
+IMA policy itself to be signed).
+
 ### IMA measurement tests
 `ima_measurements.sh` require builtin IMA tcb policy to be loaded
 (`ima_policy=tcb` kernel parameter).
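Review bot: typo in the new README section: "Loading may fail due various reasons" should read "due to various reasons" (the same sentence is in the commit message). It would also help readers to say where the example policies live once installed (the datafiles Makefile in this series installs them under testcases/data/<test name>/*.policy), so users can tell which tests have one before setting `LTP_IMA_LOAD_POLICY=1`.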
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_kexec.sh b/testcases/kernel/security/integrity/ima/tests/ima_kexec.sh
index 95e6186bb5..5d178494b7 100755
--- a/testcases/kernel/security/integrity/ima/tests/ima_kexec.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_kexec.sh
@@ -7,6 +7,7 @@
 # Verify that kexec cmdline is measured correctly.
 # Test attempts to kexec the existing running kernel image.
 # To kexec a different kernel image export IMA_KEXEC_IMAGE=<pathname>.
+# Test requires example IMA policy loadable with LTP_IMA_LOAD_POLICY=1.
 
 TST_NEEDS_CMDS="grep kexec sed"
 TST_CNT=3
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_keys.sh b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh
index a2e9c77738..fb1636a8b8 100755
--- a/testcases/kernel/security/integrity/ima/tests/ima_keys.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh
@@ -5,6 +5,7 @@
 # Author: Lachlan Sneff <t-josne@linux.microsoft.com>
 #
 # Verify that keys are measured correctly based on policy.
+# Test requires example IMA policy loadable with LTP_IMA_LOAD_POLICY=1.
 
 TST_NEEDS_CMDS="cmp cut grep sed"
 TST_CNT=2
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh b/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh
index 41d53aa03b..c42c31c898 100755
--- a/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh
@@ -5,7 +5,7 @@
 # Author: Mimi Zohar <zohar@linux.ibm.com>
 #
 # Verify that measurements are added to the measurement list based on policy.
-# Test requires ima_policy=tcb.
+# Test requires either ima_policy=tcb or example policy loadable with LTP_IMA_LOAD_POLICY=1.
 
 TST_NEEDS_CMDS="awk cut sed"
 TST_SETUP="setup"
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_selinux.sh b/testcases/kernel/security/integrity/ima/tests/ima_selinux.sh
index 45fd741b5f..97c5d64ec5 100755
--- a/testcases/kernel/security/integrity/ima/tests/ima_selinux.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_selinux.sh
@@ -5,6 +5,7 @@
 # Author: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
 #
 # Verify measurement of SELinux policy hash and state.
+# Test requires example IMA policy loadable with LTP_IMA_LOAD_POLICY=1.
 #
 # Relevant kernel commits:
 # * fdd1ffe8a812 ("selinux: include a consumer of the new IMA critical data hook")
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
index 1f01f18cf6..5213763ee0 100644
--- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
@@ -75,14 +75,20 @@ require_policy_readable()
 	fi
 }
 
-require_policy_writable()
+check_policy_writable()
 {
-	local err="IMA policy already loaded and kernel not configured to enable multiple writes to it (need CONFIG_IMA_WRITE_POLICY=y)"
-
-	[ -f $IMA_POLICY ] || tst_brk TCONF "$err"
-	# CONFIG_IMA_READ_POLICY
+	[ -f $IMA_POLICY ] || return 1
+	# workaround for kernels < v4.18 without fix
+	# ffb122de9a60b ("ima: Reflect correct permissions for policy")
 	echo "" 2> log > $IMA_POLICY
-	grep -q "Device or resource busy" log && tst_brk TCONF "$err"
+	grep -q "Device or resource busy" log && return 1
+	return 0
+}
+
+require_policy_writable()
+{
+	check_policy_writable || tst_brk TCONF \
+		"IMA policy already loaded and kernel not configured to enable multiple writes to it (need CONFIG_IMA_WRITE_POLICY=y)"
 }
 
 check_ima_policy_content()
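Review bot: check_policy_writable reports the policy as writable whenever the probe write does not fail with EBUSY: `grep -q "Device or resource busy" log && return 1` is the only failure check, so a write rejected for any other reason (for example the "write error: Permission denied" that load_ima_policy later has to handle when a signed policy is required) returns 0, and require_policy_writable's TCONF about CONFIG_IMA_WRITE_POLICY is then never shown where it would apply. Consider `[ -s log ] && return 1` (any stderr output means not writable) and letting the caller print the captured error text; the comment should also say that the probe is a real write of an empty line to $IMA_POLICY, not just a permission check.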
@@ -182,16 +188,58 @@ verify_ima_policy()
 			# check IMA policy content
 			while read line; do
 				if ! grep -q "$line" $IMA_POLICY; then
-					tst_brk TCONF "missing required policy '$line'"
+					tst_res TINFO "WARNING: missing required policy content: '$line'"
+					return 1
 				fi
-				IMA_POLICY_CHECKED=1
 			done < $file
+			IMA_POLICY_CHECKED=1
 		else
 			tst_res TINFO "policy is not readable, failure will be treated as TCONF"
 			IMA_FAIL="TCONF"
 			IMA_BROK="TCONF"
+			return 1
 		fi
 	fi
+	return 0
+}
+
+load_ima_policy()
+{
+	local file="$TST_DATAROOT/$REQUIRED_POLICY_CONTENT"
+
+	if [ "$LTP_IMA_LOAD_POLICY" != 1 -a "$IMA_POLICY_CHECKED" != 1 ]; then
+		tst_res TCONF "missing required policy, example policy can be loaded with LTP_IMA_LOAD_POLICY=1"
+		return 0
+	fi
+
+	if [ "$IMA_POLICY_CHECKED" = 1 ]; then
+		tst_res TINFO "valid policy already loaded, ignore LTP_IMA_LOAD_POLICY=1"
+	fi
+
+	tst_res TINFO "trying to load '$file' policy:"
+	cat $file
+	if ! check_policy_writable; then
+		tst_res TINFO "WARNING: IMA policy already loaded and kernel not configured to enable multiple writes to it (need CONFIG_IMA_WRITE_POLICY=y), reboot required, failures will be treated as TCONF"
+		IMA_FAIL="TCONF"
+		IMA_BROK="TCONF"
+		LTP_IMA_LOAD_POLICY=
+		return
+	fi
+
+	cat "$file" 2> log > $IMA_POLICY
+	if grep -q "Device or resource busy" log; then
+		tst_brk TBROK "loading policy failed"
+	fi
+
+	if grep -q "write error: Permission denied" log; then
+		tst_brk TCONF "loading unsigned policy failed"
+	fi
+
+	IMA_POLICY_LOADED=1
+
+	tst_res TINFO "example policy successfully loaded"
+	IMA_FAIL="TFAIL"
+	IMA_BROK="TBROK"
 }
 
 ima_setup()
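Review bot: in load_ima_policy the "valid policy already loaded, ignore LTP_IMA_LOAD_POLICY=1" branch only prints the message and then falls through to `cat "$file" 2> log > $IMA_POLICY`, so the example policy is written anyway; it needs a `return 0` after the tst_res. After the write, only "Device or resource busy" and "write error: Permission denied" are inspected; any other rejection (e.g. a malformed rule) leaves a different message in log, yet the function still sets IMA_POLICY_LOADED=1 and resets IMA_FAIL/IMA_BROK to TFAIL/TBROK. Check the redirection's exit status (or `[ -s log ]`) and treat any remaining error as TBROK. Finally, a successful load never re-runs the content check, so IMA_POLICY_CHECKED stays unset even though the policy is now known to contain the rules; calling verify_ima_policy again when the policy is readable would close that gap.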
@@ -216,7 +264,9 @@ ima_setup()
 		cd "$TST_MNTPOINT"
 	fi
 
-	verify_ima_policy
+	if ! verify_ima_policy; then
+		load_ima_policy
+	fi
 
 	[ -n "$TST_SETUP_CALLER" ] && $TST_SETUP_CALLER
 }
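Review bot: load_ima_policy is now entered for both failure modes of verify_ima_policy, but its first message, "missing required policy, example policy can be loaded with LTP_IMA_LOAD_POLICY=1", is only accurate for the missing-content case. When verify_ima_policy returned 1 from the unreadable-policy branch (which already printed "policy is not readable, failure will be treated as TCONF"), the policy may well contain the rules and the user is still told it is missing. Suggest distinguishing the two return paths (for example a distinct return value for "unreadable", or skipping the TCONF message when IMA_FAIL has already been relaxed to TCONF).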
@@ -230,6 +280,10 @@ ima_cleanup()
 	for dir in $UMOUNT; do
 		umount $dir
 	done
+
+	if [ "$IMA_POLICY_LOADED" = 1 ]; then
+		tst_res TINFO "WARNING: policy loaded via LTP_IMA_LOAD_POLICY=1, reboot recommended"
+	fi
 }
 
 set_digest_index()
-- 
2.47.1



* [PATCH v3 09/10] ima_measurements.sh: Check policy for test3
  2025-01-14 11:29 [PATCH v3 00/10] LTP tests: load predefined policy, enhancements Petr Vorel
                   ` (7 preceding siblings ...)
  2025-01-14 11:29 ` [PATCH v3 08/10] ima_setup.sh: Allow to load predefined policy Petr Vorel
@ 2025-01-14 11:29 ` Petr Vorel
  2025-01-23 17:39   ` Mimi Zohar
  2025-01-14 11:29 ` [PATCH v3 10/10] tst_test.sh: IMA: Allow to disable LSM warnings and use it for IMA Petr Vorel
  2025-01-23 17:37 ` [PATCH v3 00/10] LTP tests: load predefined policy, enhancements Mimi Zohar
  10 siblings, 1 reply; 26+ messages in thread
From: Petr Vorel @ 2025-01-14 11:29 UTC (permalink / raw)
  To: ltp; +Cc: Petr Vorel, Mimi Zohar, linux-integrity

First two tests are working with ima_policy=tcb,
but 3rd test requires more specific policy.

Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
 .../kernel/security/integrity/ima/tests/ima_measurements.sh  | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh b/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh
index c42c31c898..35acc6ea78 100755
--- a/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh
@@ -77,6 +77,11 @@ test3()
 	tst_res TINFO "verify not measuring user files"
 	tst_check_cmds sudo || return
 
+	if [ "$IMA_POLICY_CHECKED" != 1 ]; then
+		tst_res TCONF "test requires specific policy, try load it with LTP_IMA_LOAD_POLICY=1"
+		return
+	fi
+
 	if ! id $user >/dev/null 2>/dev/null; then
 		tst_res TCONF "missing system user $user (wrong installation)"
 		return
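Review bot: the new guard tests IMA_POLICY_CHECKED, which verify_ima_policy only sets after the policy content was read and matched; load_ima_policy in the previous patch sets IMA_POLICY_LOADED=1 on success but never IMA_POLICY_CHECKED, so after a successful LTP_IMA_LOAD_POLICY=1 load test3 still reports TCONF and advises loading the policy that was just loaded. Suggest also accepting IMA_POLICY_LOADED=1 here, or re-running verify_ima_policy after the load so the flag reflects the real policy content.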
-- 
2.47.1



* [PATCH v3 10/10] tst_test.sh: IMA: Allow to disable LSM warnings and use it for IMA
  2025-01-14 11:29 [PATCH v3 00/10] LTP tests: load predefined policy, enhancements Petr Vorel
                   ` (8 preceding siblings ...)
  2025-01-14 11:29 ` [PATCH v3 09/10] ima_measurements.sh: Check policy for test3 Petr Vorel
@ 2025-01-14 11:29 ` Petr Vorel
  2025-01-23 17:39   ` Mimi Zohar
  2025-01-31  9:26   ` [LTP] " Cyril Hrubis
  2025-01-23 17:37 ` [PATCH v3 00/10] LTP tests: load predefined policy, enhancements Mimi Zohar
  10 siblings, 2 replies; 26+ messages in thread
From: Petr Vorel @ 2025-01-14 11:29 UTC (permalink / raw)
  To: ltp; +Cc: Petr Vorel, Mimi Zohar, linux-integrity

Suggested-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
 testcases/kernel/security/integrity/ima/tests/ima_setup.sh | 1 +
 testcases/lib/tst_test.sh                                  | 4 ++--
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
index 5213763ee0..69ee5a3d65 100644
--- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
@@ -11,6 +11,7 @@ TST_CLEANUP_CALLER="$TST_CLEANUP"
 TST_CLEANUP="ima_cleanup"
 TST_NEEDS_ROOT=1
 TST_MOUNT_DEVICE=1
+TST_SKIP_LSM_WARNINGS=1
 
 # TST_MOUNT_DEVICE can be unset, therefore specify explicitly
 TST_NEEDS_TMPDIR=1
diff --git a/testcases/lib/tst_test.sh b/testcases/lib/tst_test.sh
index cfdae02300..2b797705e3 100644
--- a/testcases/lib/tst_test.sh
+++ b/testcases/lib/tst_test.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 # SPDX-License-Identifier: GPL-2.0-or-later
-# Copyright (c) Linux Test Project, 2014-2022
+# Copyright (c) Linux Test Project, 2014-2025
 # Author: Cyril Hrubis <chrubis@suse.cz>
 #
 # LTP test library for shell.
@@ -81,7 +81,7 @@ _tst_do_exit()
 	fi
 
 	if [ $TST_BROK -gt 0 -o $TST_FAIL -gt 0 -o $TST_WARN -gt 0 ]; then
-		_tst_check_security_modules
+		[ -z "$TST_SKIP_LSM_WARNINGS" ] && _tst_check_security_modules
 	fi
 
 	cat >&2 << EOF
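Review bot: TST_SKIP_LSM_WARNINGS is a new library-level variable but the patch adds no documentation for it; please add it to the shell API variable documentation alongside TST_MOUNT_DEVICE and friends, and give the commit a body (it currently has only the Suggested-by and Signed-off-by tags) explaining why IMA tests want to suppress _tst_check_security_modules. Since the check is `[ -z "$TST_SKIP_LSM_WARNINGS" ]`, any non-empty value disables the warnings, which is worth stating in the doc.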
-- 
2.47.1



* Re: [PATCH v3 00/10] LTP tests: load predefined policy, enhancements
  2025-01-14 11:29 [PATCH v3 00/10] LTP tests: load predefined policy, enhancements Petr Vorel
                   ` (9 preceding siblings ...)
  2025-01-14 11:29 ` [PATCH v3 10/10] tst_test.sh: IMA: Allow to disable LSM warnings and use it for IMA Petr Vorel
@ 2025-01-23 17:37 ` Mimi Zohar
  10 siblings, 0 replies; 26+ messages in thread
From: Mimi Zohar @ 2025-01-23 17:37 UTC (permalink / raw)
  To: Petr Vorel, ltp; +Cc: linux-integrity

Hi Petr,

On Tue, 2025-01-14 at 12:29 +0100, Petr Vorel wrote:
> Changes v2->v3:
> * Rewrite verifying logic if policy needs to be loaded and how it is
>   loaded.
> * Allow testing when policy is not reliable, but relax failures to TCONF.
> * Add TCB policy example.
> * Document LTP_IMA_LOAD_POLICY in doc/users/setup_tests.rst.
> * Fix test policy installation (previously wrong Makefile).
> * Removed some of the previous commits ("ima_kexec.sh: Relax result on
>   unreadable policy to TCONF", "ima_violations.sh: Check for a required policy",
>   "ima_setup: Print warning when policy not readable").
> * More cleanup.

Very nice patch set.  Thank you!

> 
> TODO: ima_measurements.sh and ima_violations.sh use detection for
> ima_policy=tcb builtin policy. But if example policy is loaded there is
> no longer tcb policy. Not sure how to fix it - some tooling might not
> support reboot, thus I wanted to use ima_policy=tcb, which previously
> worked.

The specific policy rules are mostly a subset of the tcb policy.  The only time that
loading a specific policy first is an issue is when it is the one and only custom
policy allowed to be loaded.  One possible method of avoiding this problem, would be
to require running the ima_measurements.sh first.

Mimi


* Re: [PATCH v3 01/10] ima_violations.sh: Fix log detection
  2025-01-14 11:29 ` [PATCH v3 01/10] ima_violations.sh: Fix log detection Petr Vorel
@ 2025-01-23 17:37   ` Mimi Zohar
  0 siblings, 0 replies; 26+ messages in thread
From: Mimi Zohar @ 2025-01-23 17:37 UTC (permalink / raw)
  To: Petr Vorel, ltp; +Cc: linux-integrity

Hi Petr,

On Tue, 2025-01-14 at 12:29 +0100, Petr Vorel wrote:
> Fix TBROK on systems which does not have /var/log/messages
> (any modern distro is using systemd) not auditd installed:

-> and auditd is not installed:

> 
>     ima_violations 1 TBROK: log /var/log/messages does not exist (bug in
> detection?)
> 
> Instead TCONF with more meaningful message:
> 
>     ima_violations 1 TCONF: log file not found, install auditd
> 
> Fixes: https://github.com/linux-test-project/ltp/issues/372

Perhaps /var/log/messages was being rate limited.

> Signed-off-by: Petr Vorel <pvorel@suse.cz>

Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>

> ---
>  .../kernel/security/integrity/ima/tests/ima_violations.sh   | 6 ++++--
>  1 file changed, 4 insertions(+), 2 deletions(-)
> 
> diff --git a/testcases/kernel/security/integrity/ima/tests/ima_violations.sh
> b/testcases/kernel/security/integrity/ima/tests/ima_violations.sh
> index 0f710dea2e..b2b597ad08 100755
> --- a/testcases/kernel/security/integrity/ima/tests/ima_violations.sh
> +++ b/testcases/kernel/security/integrity/ima/tests/ima_violations.sh
> @@ -23,8 +23,10 @@ setup()
>  		PRINTK_RATE_LIMIT=`sysctl -n kernel.printk_ratelimit`
>  		sysctl -wq kernel.printk_ratelimit=0
>  	fi
> -	[ -f "$LOG" ] || \
> -		tst_brk TBROK "log $LOG does not exist (bug in detection?)"
> +
> +	if [ ! -e "$LOG" ]; then
> +		tst_brk TCONF "log file not found, install auditd"
> +	fi
>  	tst_res TINFO "using log $LOG"
>  }
>  
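Review bot: the new TCONF message "log file not found, install auditd" drops the path that the old TBROK message reported; since $LOG is set by detection code (the next line prints "using log $LOG"), the user cannot tell which file was looked for. Suggest keeping it in the message, e.g. `tst_brk TCONF "log $LOG not found, install auditd"`, so the advice to install auditd can be checked against what was actually probed.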



* Re: [PATCH v3 02/10] IMA: Add TCB policy as an example for ima_measurements.sh
  2025-01-14 11:29 ` [PATCH v3 02/10] IMA: Add TCB policy as an example for ima_measurements.sh Petr Vorel
@ 2025-01-23 17:38   ` Mimi Zohar
  2025-02-03 15:46     ` Mimi Zohar
  0 siblings, 1 reply; 26+ messages in thread
From: Mimi Zohar @ 2025-01-23 17:38 UTC (permalink / raw)
  To: Petr Vorel, ltp; +Cc: linux-integrity

Hi Petr,

On Tue, 2025-01-14 at 12:29 +0100, Petr Vorel wrote:
> Taken from IMA docs [1], removed dont_measure fsmagic=0x1021994 (tmpfs)
> as suggested by Mimi.

I backtracked on my original suggestion.  Instead of removing the tmpfs rule, qualify
it as you did below.

-> qualified the "dont_measure fsmagic=0x1021994" (tmpfs) rule to the file open hook
[2].

> 
> [1] https://ima-doc.readthedocs.io/en/latest/ima-policy.html#ima-tcb
> 
> Signed-off-by: Petr Vorel <pvorel@suse.cz>

[2] Kernel commit 7eef7c8bac9a ("ima: limit the builtin 'tcb' dont_measure tmpfs
policy rule")

Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>

> ---
>  .../security/integrity/ima/datafiles/Makefile |  4 ++--
>  .../ima/datafiles/ima_measurements/Makefile   | 11 ++++++++++
>  .../ima/datafiles/ima_measurements/tcb.policy | 20 +++++++++++++++++++
>  3 files changed, 33 insertions(+), 2 deletions(-)
>  create mode 100644
> testcases/kernel/security/integrity/ima/datafiles/ima_measurements/Makefile
>  create mode 100644
> testcases/kernel/security/integrity/ima/datafiles/ima_measurements/tcb.policy
> 
> diff --git a/testcases/kernel/security/integrity/ima/datafiles/Makefile
> b/testcases/kernel/security/integrity/ima/datafiles/Makefile
> index 200fd3f4d3..0f2b4fdb11 100644
> --- a/testcases/kernel/security/integrity/ima/datafiles/Makefile
> +++ b/testcases/kernel/security/integrity/ima/datafiles/Makefile
> @@ -1,5 +1,5 @@
>  # SPDX-License-Identifier: GPL-2.0-or-later
> -# Copyright (c) Linux Test Project, 2019-2020
> +# Copyright (c) Linux Test Project, 2019-2025
>  # Copyright (c) 2020 Microsoft Corporation
>  # Copyright (C) 2009, Cisco Systems Inc.
>  # Ngie Cooper, July 2009
> @@ -8,6 +8,6 @@ top_srcdir	?= ../../../../../..
>  
>  include	$(top_srcdir)/include/mk/env_pre.mk
>  
> -SUBDIRS	:= ima_kexec ima_keys ima_policy ima_selinux
> +SUBDIRS	:= ima_kexec ima_keys ima_measurements ima_policy ima_selinux
>  
>  include $(top_srcdir)/include/mk/generic_trunk_target.mk
> diff --git
> a/testcases/kernel/security/integrity/ima/datafiles/ima_measurements/Makefile
> b/testcases/kernel/security/integrity/ima/datafiles/ima_measurements/Makefile
> new file mode 100644
> index 0000000000..6317f2bf85
> --- /dev/null
> +++ b/testcases/kernel/security/integrity/ima/datafiles/ima_measurements/Makefile
> @@ -0,0 +1,11 @@
> +# SPDX-License-Identifier: GPL-2.0-or-later
> +# Copyright (c) Linux Test Project, 2025
> +
> +top_srcdir	?= ../../../../../../..
> +
> +include	$(top_srcdir)/include/mk/env_pre.mk
> +
> +INSTALL_DIR		:= testcases/data/ima_measurements
> +INSTALL_TARGETS	:= *.policy
> +
> +include $(top_srcdir)/include/mk/generic_leaf_target.mk
> diff --git
> a/testcases/kernel/security/integrity/ima/datafiles/ima_measurements/tcb.policy
> b/testcases/kernel/security/integrity/ima/datafiles/ima_measurements/tcb.policy
> new file mode 100644
> index 0000000000..1e4a932bf0
> --- /dev/null
> +++ b/testcases/kernel/security/integrity/ima/datafiles/ima_measurements/tcb.policy
> @@ -0,0 +1,20 @@
> +dont_measure fsmagic=0x9fa0
> +dont_measure fsmagic=0x62656572
> +dont_measure fsmagic=0x64626720
> +dont_measure fsmagic=0x1021994 func=FILE_CHECK
> +dont_measure fsmagic=0x1cd1
> +dont_measure fsmagic=0x42494e4d
> +dont_measure fsmagic=0x73636673
> +dont_measure fsmagic=0xf97cff8c
> +dont_measure fsmagic=0x43415d53
> +dont_measure fsmagic=0x27e0eb
> +dont_measure fsmagic=0x63677270
> +dont_measure fsmagic=0x6e736673
> +dont_measure fsmagic=0xde5e81e4
> +measure func=MMAP_CHECK mask=MAY_EXEC
> +measure func=BPRM_CHECK mask=MAY_EXEC
> +measure func=FILE_CHECK mask=^MAY_READ euid=0
> +measure func=FILE_CHECK mask=^MAY_READ uid=0
> +measure func=MODULE_CHECK
> +measure func=FIRMWARE_CHECK
> +measure func=POLICY_CHECK



* Re: [PATCH v3 03/10] IMA: Move requirement check to ima_setup.sh
  2025-01-14 11:29 ` [PATCH v3 03/10] IMA: Move requirement check to ima_setup.sh Petr Vorel
@ 2025-01-23 17:38   ` Mimi Zohar
  0 siblings, 0 replies; 26+ messages in thread
From: Mimi Zohar @ 2025-01-23 17:38 UTC (permalink / raw)
  To: Petr Vorel, ltp; +Cc: linux-integrity

On Tue, 2025-01-14 at 12:29 +0100, Petr Vorel wrote:
> Signed-off-by: Petr Vorel <pvorel@suse.cz>

Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>


* Re: [PATCH v3 05/10] IMA: Read required policy from file
  2025-01-14 11:29 ` [PATCH v3 05/10] IMA: Read required policy from file Petr Vorel
@ 2025-01-23 17:39   ` Mimi Zohar
  2025-02-04 11:17     ` Petr Vorel
  0 siblings, 1 reply; 26+ messages in thread
From: Mimi Zohar @ 2025-01-23 17:39 UTC (permalink / raw)
  To: Petr Vorel, ltp; +Cc: linux-integrity

On Tue, 2025-01-14 at 12:29 +0100, Petr Vorel wrote:
> Previously a snippet of the required policy was given as a string or regexp.
> Loading the required policy from a file allows moving code to ima_setup.sh.
> This is a preparation for loading the IMA policy from a file.
> 
> Check can be done on one or both:
> 1) IMA builtin policy (based on /proc/cmdline)
> 2) IMA policy content (actual content of /sys/kernel/security/ima/policy)
> 
> When CONFIG_IMA_READ_POLICY=y is missing on a required policy: test, but convert
> TFAIL => TCONF.
> 
> Signed-off-by: Petr Vorel <pvorel@suse.cz>

Thanks, Petr.  Really nice patch.  Below is an improvement suggestion.

Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>

> ---
> 
> diff --git a/testcases/kernel/security/integrity/ima/tests/ima_selinux.sh
> b/testcases/kernel/security/integrity/ima/tests/ima_selinux.sh
> index 75f9ba84e4..45fd741b5f 100755
> --- a/testcases/kernel/security/integrity/ima/tests/ima_selinux.sh
> +++ b/testcases/kernel/security/integrity/ima/tests/ima_selinux.sh
> @@ -1,6 +1,7 @@
>  #!/bin/sh
>  # SPDX-License-Identifier: GPL-2.0-or-later
>  # Copyright (c) 2021 Microsoft Corporation
> +# Copyright (c) Linux Test Project, 2021-2025
>  # Author: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
>  #
>  # Verify measurement of SELinux policy hash and state.
> @@ -14,15 +15,12 @@ TST_CNT=2
>  TST_SETUP="setup"
>  TST_MIN_KVER="5.12"
>  
> -FUNC_CRITICAL_DATA='func=CRITICAL_DATA'
> -REQUIRED_POLICY="^measure.*$FUNC_CRITICAL_DATA"
> +REQUIRED_POLICY_CONTENT='selinux.policy'

The selinux.policy contains a specific critical data measurement rule:
measure func=CRITICAL_DATA label=selinux.  However the test would work with the
generic policy rule "measure func=CRITICAL_DATA", which can be specified on the
boot command line via "ima_policy=critical_data".

As long as being able to read the IMA policy is required, in addition to checking
whether the specific critical data rule exists, check whether the generic rule exists
before loading the specific one.

Perhaps all that is needed is defining REQUIRED_BUILTIN_POLICY like:
REQUIRED_BUILTIN_POLICY="critical_data"

>  
>  setup()
>  {
>  	SELINUX_DIR=$(tst_get_selinux_dir)
>  	[ "$SELINUX_DIR" ] || tst_brk TCONF "SELinux is not enabled"
> -
> -	require_ima_policy_content "$REQUIRED_POLICY" '-E' >
> $TST_TMPDIR/policy.txt
>  }
>  
>  # Format of the measured SELinux state data.
> @@ -45,7 +43,7 @@ validate_policy_capabilities()
>  		measured_value=$(echo $1 | awk -F'[=;]' -v inx="$inx" '{print
> $inx}')
>  		expected_value=$(cat
> "$SELINUX_DIR/policy_capabilities/$measured_cap")
>  		if [ "$measured_value" != "$expected_value" ]; then
> -			tst_res TFAIL "$measured_cap: expected: $expected_value,
> got: $digest"
> +			tst_res $IMA_FAIL "$measured_cap: expected:
> $expected_value, got: $digest"
>  			return
>  		fi
>  
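Review bot: the validate_policy_capabilities hunk only swaps TFAIL for $IMA_FAIL, but the message it touches prints `got: $digest` while the comparison two lines above is between $measured_value and $expected_value, so the failure report shows an unrelated variable. Since the line is being rewritten anyway, change it to `got: $measured_value` in the same patch.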
> @@ -75,7 +73,7 @@ test1()
>  	# in kernel memory for SELinux
>  	line=$(grep -E "selinux-policy-hash" $ASCII_MEASUREMENTS | tail -1)
>  	if [ -z "$line" ]; then
> -		tst_res TFAIL "SELinux policy hash not measured"
> +		tst_res $IMA_FAIL "SELinux policy hash not measured"
>  		return
>  	fi
>  
> @@ -86,7 +84,7 @@ test1()
>  		tst_brk TCONF "cannot compute digest for $algorithm"
>  
>  	if [ "$policy_digest" != "$expected_policy_digest" ]; then
> -		tst_res TFAIL "Digest mismatch: expected: $expected_policy_digest,
> got: $policy_digest"
> +		tst_res $IMA_FAIL "Digest mismatch: expected:
> $expected_policy_digest, got: $policy_digest"
>  		return
>  	fi
>  
> @@ -116,7 +114,7 @@ test2()
>  	# state matches that currently set for SELinux
>  	line=$(grep -E "selinux-state" $ASCII_MEASUREMENTS | tail -1)
>  	if [ -z "$line" ]; then
> -		tst_res TFAIL "SELinux state not measured"
> +		tst_res $IMA_FAIL "SELinux state not measured"
>  		return
>  	fi
>  
> @@ -129,7 +127,7 @@ test2()
>  	tst_brk TCONF "cannot compute digest for $algorithm"
>  
>  	if [ "$digest" != "$expected_digest" ]; then
> -		tst_res TFAIL "digest mismatch: expected: $expected_digest, got:
> $digest"
> +		tst_res $IMA_FAIL "digest mismatch: expected: $expected_digest,
> got: $digest"
>  		return
>  	fi
>  
> @@ -146,20 +144,20 @@ test2()
>  	enforced_value=$(echo $measured_data | awk -F'[=;]' '{print $4}')
>  	expected_enforced_value=$(cat $SELINUX_DIR/enforce)
>  	if [ "$expected_enforced_value" != "$enforced_value" ]; then
> -		tst_res TFAIL "enforce: expected: $expected_enforced_value, got:
> $enforced_value"
> +		tst_res $IMA_FAIL "enforce: expected: $expected_enforced_value,
> got: $enforced_value"
>  		return
>  	fi
>  
>  	checkreqprot_value=$(echo $measured_data | awk -F'[=;]' '{print $6}')
>  	expected_checkreqprot_value=$(cat $SELINUX_DIR/checkreqprot)
>  	if [ "$expected_checkreqprot_value" != "$checkreqprot_value" ]; then
> -		tst_res TFAIL "checkreqprot: expected:
> $expected_checkreqprot_value, got: $checkreqprot_value"
> +		tst_res $IMA_FAIL "checkreqprot: expected:
> $expected_checkreqprot_value, got: $checkreqprot_value"
>  		return
>  	fi
>  
>  	initialized_value=$(echo $measured_data | awk -F'[=;]' '{print $2}')
>  	if [ "$initialized_value" != "1" ]; then
> -		tst_res TFAIL "initialized: expected 1, got: $initialized_value"
> +		tst_res $IMA_FAIL "initialized: expected 1, got:
> $initialized_value"
>  		return
>  	fi



* Re: [PATCH v3 10/10] tst_test.sh: IMA: Allow to disable LSM warnings and use it for IMA
  2025-01-14 11:29 ` [PATCH v3 10/10] tst_test.sh: IMA: Allow to disable LSM warnings and use it for IMA Petr Vorel
@ 2025-01-23 17:39   ` Mimi Zohar
  2025-01-31  9:26   ` [LTP] " Cyril Hrubis
  1 sibling, 0 replies; 26+ messages in thread
From: Mimi Zohar @ 2025-01-23 17:39 UTC (permalink / raw)
  To: Petr Vorel, ltp; +Cc: linux-integrity

On Tue, 2025-01-14 at 12:29 +0100, Petr Vorel wrote:
> Suggested-by: Mimi Zohar <zohar@linux.ibm.com>
> Signed-off-by: Petr Vorel <pvorel@suse.cz>

Thanks, Petr. 

Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>

> ---
>  testcases/kernel/security/integrity/ima/tests/ima_setup.sh | 1 +
>  testcases/lib/tst_test.sh                                  | 4 ++--
>  2 files changed, 3 insertions(+), 2 deletions(-)
> 
> diff --git a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
> b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
> index 5213763ee0..69ee5a3d65 100644
> --- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
> +++ b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
> @@ -11,6 +11,7 @@ TST_CLEANUP_CALLER="$TST_CLEANUP"
>  TST_CLEANUP="ima_cleanup"
>  TST_NEEDS_ROOT=1
>  TST_MOUNT_DEVICE=1
> +TST_SKIP_LSM_WARNINGS=1
>  
>  # TST_MOUNT_DEVICE can be unset, therefore specify explicitly
>  TST_NEEDS_TMPDIR=1
> diff --git a/testcases/lib/tst_test.sh b/testcases/lib/tst_test.sh
> index cfdae02300..2b797705e3 100644
> --- a/testcases/lib/tst_test.sh
> +++ b/testcases/lib/tst_test.sh
> @@ -1,6 +1,6 @@
>  #!/bin/sh
>  # SPDX-License-Identifier: GPL-2.0-or-later
> -# Copyright (c) Linux Test Project, 2014-2022
> +# Copyright (c) Linux Test Project, 2014-2025
>  # Author: Cyril Hrubis <chrubis@suse.cz>
>  #
>  # LTP test library for shell.
> @@ -81,7 +81,7 @@ _tst_do_exit()
>  	fi
>  
>  	if [ $TST_BROK -gt 0 -o $TST_FAIL -gt 0 -o $TST_WARN -gt 0 ]; then
> -		_tst_check_security_modules
> +		[ -z "$TST_SKIP_LSM_WARNINGS" ] && _tst_check_security_modules
>  	fi
>  
>  	cat >&2 << EOF
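Review bot: the new TST_SKIP_LSM_WARNINGS knob is undocumented; the diffstat touches only ima_setup.sh and tst_test.sh, so the shell library's list of TST_* variables should gain an entry describing it. A minor style point on the same line: `[ -z "$TST_SKIP_LSM_WARNINGS" ] && _tst_check_security_modules` leaves a non-zero status as the last command of the if body when the knob is set; harmless today, but an explicit `if [ -z "$TST_SKIP_LSM_WARNINGS" ]; then ... fi` reads as intent rather than as a shortcut.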



* Re: [PATCH v3 09/10] ima_measurements.sh: Check policy for test3
  2025-01-14 11:29 ` [PATCH v3 09/10] ima_measurements.sh: Check policy for test3 Petr Vorel
@ 2025-01-23 17:39   ` Mimi Zohar
  0 siblings, 0 replies; 26+ messages in thread
From: Mimi Zohar @ 2025-01-23 17:39 UTC (permalink / raw)
  To: Petr Vorel, ltp; +Cc: linux-integrity

Hi Petr,

On Tue, 2025-01-14 at 12:29 +0100, Petr Vorel wrote:
> The first two tests work with ima_policy=tcb,
> but the 3rd test requires a more specific policy.
> 
> Signed-off-by: Petr Vorel <pvorel@suse.cz>

Sorry, I'm not seeing the difference between "ima_policy=tcb" and the specific policy.
The patch itself looks correct and should allow the test to work even without
specifying the "tcb" policy on the boot command line.

After fixing the patch description, feel free to add:

Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>


> ---
>  .../kernel/security/integrity/ima/tests/ima_measurements.sh  | 5 +++++
>  1 file changed, 5 insertions(+)
> 
> diff --git a/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh
> b/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh
> index c42c31c898..35acc6ea78 100755
> --- a/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh
> +++ b/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh
> @@ -77,6 +77,11 @@ test3()
>  	tst_res TINFO "verify not measuring user files"
>  	tst_check_cmds sudo || return
>  
> +	if [ "$IMA_POLICY_CHECKED" != 1 ]; then
> +		tst_res TCONF "test requires specific policy, try load it with
> LTP_IMA_LOAD_POLICY=1"
> +		return
> +	fi
> +
>  	if ! id $user >/dev/null 2>/dev/null; then
>  		tst_res TCONF "missing system user $user (wrong installation)"
>  		return
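Review bot: the TCONF text should read "try loading it with LTP_IMA_LOAD_POLICY=1" rather than "try load it". The guard would also benefit from a comment naming the rule test3 needs that ima_policy=tcb does not provide, which is the same gap Mimi points out in the commit message above; without it a reader cannot tell why the first two tests run under the builtin policy and this one does not.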



* Re: [PATCH v3 06/10] ima_violations.sh: Declare tcb builtin policy
  2025-01-14 11:29 ` [PATCH v3 06/10] ima_violations.sh: Declare tcb builtin policy Petr Vorel
@ 2025-01-23 17:45   ` Mimi Zohar
  0 siblings, 0 replies; 26+ messages in thread
From: Mimi Zohar @ 2025-01-23 17:45 UTC (permalink / raw)
  To: Petr Vorel, ltp; +Cc: linux-integrity

On Tue, 2025-01-14 at 12:29 +0100, Petr Vorel wrote:
> The IMA builtin policy contains the required rules; allow using it.
> This helps to get more reliable results on kernels without
> CONFIG_IMA_READ_POLICY=y.
> 
> Signed-off-by: Petr Vorel <pvorel@suse.cz>

Thanks, Petr.

Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>

> ---
>  testcases/kernel/security/integrity/ima/tests/ima_violations.sh | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/testcases/kernel/security/integrity/ima/tests/ima_violations.sh
> b/testcases/kernel/security/integrity/ima/tests/ima_violations.sh
> index 1852e8bc74..37d8d473c2 100755
> --- a/testcases/kernel/security/integrity/ima/tests/ima_violations.sh
> +++ b/testcases/kernel/security/integrity/ima/tests/ima_violations.sh
> @@ -10,6 +10,7 @@ TST_SETUP="setup"
>  TST_CLEANUP="cleanup"
>  TST_CNT=3
>  
> +REQUIRED_BUILTIN_POLICY="tcb"
>  REQUIRED_POLICY_CONTENT='violations.policy'
>  
>  setup()



* Re: [LTP] [PATCH v3 10/10] tst_test.sh: IMA: Allow to disable LSM warnings and use it for IMA
  2025-01-14 11:29 ` [PATCH v3 10/10] tst_test.sh: IMA: Allow to disable LSM warnings and use it for IMA Petr Vorel
  2025-01-23 17:39   ` Mimi Zohar
@ 2025-01-31  9:26   ` Cyril Hrubis
  2025-01-31 12:09     ` Petr Vorel
  1 sibling, 1 reply; 26+ messages in thread
From: Cyril Hrubis @ 2025-01-31  9:26 UTC (permalink / raw)
  To: Petr Vorel; +Cc: ltp, linux-integrity

Hi!
Maybe a bit more description wouldn't hurt here. E.g. that we are
printing a hint on a failure that selinux or apparmor may have caused
the failure and we want a knob to disable it and use it for IMA.

Otherwise it looks good:

Reviewed-by: Cyril Hrubis <chrubis@suse.cz>

-- 
Cyril Hrubis
chrubis@suse.cz


* Re: [LTP] [PATCH v3 10/10] tst_test.sh: IMA: Allow to disable LSM warnings and use it for IMA
  2025-01-31  9:26   ` [LTP] " Cyril Hrubis
@ 2025-01-31 12:09     ` Petr Vorel
  0 siblings, 0 replies; 26+ messages in thread
From: Petr Vorel @ 2025-01-31 12:09 UTC (permalink / raw)
  To: Cyril Hrubis; +Cc: ltp, linux-integrity, Mimi Zohar

> Hi!
> Maybe a bit more description wouldn't hurt here. E.g. that we are
> printing a hint on a failure that selinux or apparmor may have caused
> the failure and we want a knob to disable it and use it for IMA.

+1, this patch merged with the above explanation.

Thanks!

Kind regards,
Petr


* Re: [PATCH v3 02/10] IMA: Add TCB policy as an example for ima_measurements.sh
  2025-01-23 17:38   ` Mimi Zohar
@ 2025-02-03 15:46     ` Mimi Zohar
  0 siblings, 0 replies; 26+ messages in thread
From: Mimi Zohar @ 2025-02-03 15:46 UTC (permalink / raw)
  To: Petr Vorel, ltp; +Cc: linux-integrity


> > diff --git
> > a/testcases/kernel/security/integrity/ima/datafiles/ima_measurements/tcb.policy
> > b/testcases/kernel/security/integrity/ima/datafiles/ima_measurements/tcb.policy
> > new file mode 100644
> > index 0000000000..1e4a932bf0
> > --- /dev/null
> > +++
> > b/testcases/kernel/security/integrity/ima/datafiles/ima_measurements/tcb.policy
> > @@ -0,0 +1,20 @@
> > +dont_measure fsmagic=0x9fa0
> > +dont_measure fsmagic=0x62656572
> > +dont_measure fsmagic=0x64626720
> > +dont_measure fsmagic=0x1021994 func=FILE_CHECK

Petr, to avoid test failures datafiles/ima_policy/measure.policy should be similarly
constrained.

thanks,

Mimi

> > +dont_measure fsmagic=0x1cd1
> > +dont_measure fsmagic=0x42494e4d
> > +dont_measure fsmagic=0x73636673
> > +dont_measure fsmagic=0xf97cff8c
> > +dont_measure fsmagic=0x43415d53
> > +dont_measure fsmagic=0x27e0eb
> > +dont_measure fsmagic=0x63677270
> > +dont_measure fsmagic=0x6e736673
> > +dont_measure fsmagic=0xde5e81e4
> > +measure func=MMAP_CHECK mask=MAY_EXEC
> > +measure func=BPRM_CHECK mask=MAY_EXEC
> > +measure func=FILE_CHECK mask=^MAY_READ euid=0
> > +measure func=FILE_CHECK mask=^MAY_READ uid=0
> > +measure func=MODULE_CHECK
> > +measure func=FIRMWARE_CHECK
> > +measure func=POLICY_CHECK
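Review bot: the fsmagic values are bare hex with nothing saying which filesystems they exclude, and the file has no header stating that it reproduces the kernel's builtin ima_policy=tcb rules (as the commit title implies) or from which kernel version they were taken. The IMA policy parser skips lines beginning with '#', so a header comment plus a filesystem name beside each fsmagic line would keep the file reviewable and easy to resync when the builtin policy changes. As Mimi notes above, datafiles/ima_policy/measure.policy needs the same dont_measure constraints to avoid spurious failures.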
> 
> 



* Re: [PATCH v3 04/10] IMA: Add example policy for ima_violations.sh
  2025-01-14 11:29 ` [PATCH v3 04/10] IMA: Add example policy for ima_violations.sh Petr Vorel
@ 2025-02-03 15:51   ` Mimi Zohar
  0 siblings, 0 replies; 26+ messages in thread
From: Mimi Zohar @ 2025-02-03 15:51 UTC (permalink / raw)
  To: Petr Vorel, ltp; +Cc: linux-integrity

On Tue, 2025-01-14 at 12:29 +0100, Petr Vorel wrote:
> Suggested-by: Mimi Zohar <zohar@linux.ibm.com>
> Signed-off-by: Petr Vorel <pvorel@suse.cz>

Thanks, Petr.

Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>



* Re: [PATCH v3 07/10] ima_setup.sh: Add digest index detection for ima-buf format
  2025-01-14 11:29 ` [PATCH v3 07/10] ima_setup.sh: Add digest index detection for ima-buf format Petr Vorel
@ 2025-02-03 16:00   ` Mimi Zohar
  0 siblings, 0 replies; 26+ messages in thread
From: Mimi Zohar @ 2025-02-03 16:00 UTC (permalink / raw)
  To: Petr Vorel, ltp; +Cc: linux-integrity

On Tue, 2025-01-14 at 12:29 +0100, Petr Vorel wrote:
> ima-buf format might be loaded via loading policy in the next commit.
> 
> Signed-off-by: Petr Vorel <pvorel@suse.cz>


"ima-buf" is used in "[PATCH v3 05/10] IMA: Read required policy from file".

Otherwise, 
Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>

> ---
>  testcases/kernel/security/integrity/ima/tests/ima_setup.sh | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
> b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
> index af5584951c..1f01f18cf6 100644
> --- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
> +++ b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
> @@ -242,7 +242,7 @@ set_digest_index()
>  	# parse digest index
>  	# https://www.kernel.org/doc/html/latest/security/IMA-templates.html#use
>  	case "$template" in
> -	ima|ima-ng|ima-sig) DIGEST_INDEX=4 ;;
> +	ima|ima-buf|ima-ng|ima-sig) DIGEST_INDEX=4 ;;
>  	*)
>  		# using ima_template_fmt kernel parameter
>  		local IFS="|"
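Review bot: the commit message says ima-buf "might be loaded via loading policy in the next commit", but as Mimi points out it is already used by 05/10; fix the reference. The comment above the case would also benefit from stating why index 4 is right for all four names (the digest is the first template field after the PCR, template hash and template name), so that anyone adding another built-in template whose digest comes first, e.g. ima-modsig, knows to extend this list rather than fall through to the ima_template_fmt branch, which only helps for custom templates.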



* Re: [PATCH v3 08/10] ima_setup.sh: Allow to load predefined policy
  2025-01-14 11:29 ` [PATCH v3 08/10] ima_setup.sh: Allow to load predefined policy Petr Vorel
@ 2025-02-03 16:31   ` Mimi Zohar
  0 siblings, 0 replies; 26+ messages in thread
From: Mimi Zohar @ 2025-02-03 16:31 UTC (permalink / raw)
  To: Petr Vorel, ltp; +Cc: linux-integrity

On Tue, 2025-01-14 at 12:29 +0100, Petr Vorel wrote:
> The environment variable LTP_IMA_LOAD_POLICY=1 tries to load the example
> policy if available. This should be used only if the tooling running LTP
> tests allows a reboot afterwards, because the policy may be writable only
> once, e.g. missing CONFIG_IMA_WRITE_POLICY=y, or policies can influence each
> other.
> 
> Loading may fail for various reasons (e.g. the previously mentioned missing
> CONFIG_IMA_WRITE_POLICY=y and policy already loaded, or when secure boot is
> enabled and the kernel is configured with CONFIG_IMA_ARCH_POLICY enabled, an
> appraise func=POLICY_CHECK appraise_type=imasig rule is loaded, requiring the
> IMA policy itself to be signed).
> 
> Signed-off-by: Petr Vorel <pvorel@suse.cz>

Looks good.  Thanks, Petr.

Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>


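As an added example that is not part of the patch set or of LTP: a small POSIX shell helper that performs the checks the commit message above lists before attempting to load a policy, and then loads it by writing the policy file's absolute path to the IMA securityfs interface (the kernel reads the file itself, which is the only form accepted once a signed policy is required). The securityfs directory is a parameter so the logic can be exercised against a constructed directory; the default path, the grep pattern for the signed-policy rule and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not LTP code: probe whether an IMA policy can be loaded on
# this kernel and, if so, load it. Needs root on a real system. The ima
# securityfs directory is a parameter so the logic can be run against a
# constructed directory; the default below is an assumption about the host.
IMA_DIR_DEFAULT=/sys/kernel/security/ima

# Print why loading would fail and return 1, or return 0 if it looks loadable.
# $1: directory holding the "policy" file.
ima_policy_load_blocker()
{
	local policy="$1/policy"

	# Without CONFIG_IMA_WRITE_POLICY=y (and without CONFIG_IMA_READ_POLICY=y)
	# the kernel removes the policy file after the first load.
	if [ ! -e "$policy" ]; then
		echo "no policy interface: IMA off, securityfs not mounted, or policy already loaded once"
		return 1
	fi
	# Mode-bit check only; root bypasses it, and the kernel may still refuse
	# the write (EBUSY) once a policy was loaded without CONFIG_IMA_WRITE_POLICY=y.
	if [ ! -w "$policy" ]; then
		echo "policy interface not writable (run as root)"
		return 1
	fi
	# With CONFIG_IMA_READ_POLICY=y the active rules can be read back.
	# An arch policy under secure boot adds a rule requiring the policy
	# file itself to carry an IMA signature; an unsigned file is rejected.
	if [ -r "$policy" ] && grep -q \
	   '^appraise.*func=POLICY_CHECK.*appraise_type=imasig' "$policy" 2>/dev/null; then
		echo "active policy requires the new policy file to be signed"
		return 1
	fi
	return 0
}

# Load the policy file $2 through the interface in directory $1 (default:
# securityfs). Writing an absolute pathname makes the kernel read and parse
# the file; any rejected rule or missing signature surfaces as a write error.
ima_load_policy()
{
	local dir="${1:-$IMA_DIR_DEFAULT}" file="$2" reason

	[ -r "$file" ] || { echo "cannot read policy file $file" >&2; return 1; }
	if ! reason=$(ima_policy_load_blocker "$dir"); then
		echo "not loading: $reason" >&2
		return 1
	fi
	printf '%s\n' "$(realpath "$file")" > "$dir/policy" ||
		{ echo "kernel rejected the policy, check dmesg" >&2; return 1; }
}
```

Usage on a real host would be `ima_load_policy "" /path/to/ltp.policy` as root; note that after a successful load without CONFIG_IMA_WRITE_POLICY=y a reboot is needed before any other policy can be loaded, which is why the commit message ties LTP_IMA_LOAD_POLICY=1 to tooling that can reboot.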

* Re: [PATCH v3 05/10] IMA: Read required policy from file
  2025-01-23 17:39   ` Mimi Zohar
@ 2025-02-04 11:17     ` Petr Vorel
  0 siblings, 0 replies; 26+ messages in thread
From: Petr Vorel @ 2025-02-04 11:17 UTC (permalink / raw)
  To: Mimi Zohar; +Cc: ltp, linux-integrity

Hi Mimi,

...
> > +++ b/testcases/kernel/security/integrity/ima/tests/ima_selinux.sh
> > @@ -1,6 +1,7 @@
> >  #!/bin/sh
> >  # SPDX-License-Identifier: GPL-2.0-or-later
> >  # Copyright (c) 2021 Microsoft Corporation
> > +# Copyright (c) Linux Test Project, 2021-2025
> >  # Author: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
> >  #
> >  # Verify measurement of SELinux policy hash and state.
> > @@ -14,15 +15,12 @@ TST_CNT=2
> >  TST_SETUP="setup"
> >  TST_MIN_KVER="5.12"
> >  
> > -FUNC_CRITICAL_DATA='func=CRITICAL_DATA'
> > -REQUIRED_POLICY="^measure.*$FUNC_CRITICAL_DATA"
> > +REQUIRED_POLICY_CONTENT='selinux.policy'
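Review bot: replacing the regex `^measure.*func=CRITICAL_DATA` with the contents of selinux.policy narrows the check to the `label=selinux` rule; a kernel booted with ima_policy=critical_data carries only the generic `measure func=CRITICAL_DATA` rule, which the test also works with (Mimi's point below), so this hunk regresses that configuration. Add REQUIRED_BUILTIN_POLICY="critical_data" alongside, or make the content check accept a rule that lacks the label.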

> The selinux.policy contains a specific critical data measurement rule:
> measure func=CRITICAL_DATA label=selinux.  However the test would work with the
> generic policy rule "measure func=CRITICAL_DATA", which can be specified on the
> boot command line via "ima_policy=critical_data".

> As long as being able to read the IMA policy is required, in addition to checking
> whether the specific critical data rule exists, check whether the generic rule exists
> before loading the specific one.

> Perhaps all that is needed is defining REQUIRED_BUILTIN_POLICY like:
> REQUIRED_BUILTIN_POLICY="critical_data"

Thanks for the hint, I'll retest ima_policy=critical_data and add it as an
alternative (as a separate patch). In the meantime I (hopefully) fixed all
mistakes in the commit messages and merged. Thanks a lot for your patient
review!

...

Kind regards,
Petr

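To make the comparison Mimi describes concrete, here is an added example (my own code, not LTP's) of a required-policy check that treats a more general rule in the active policy as satisfying a more specific required rule, so that the generic `measure func=CRITICAL_DATA` from ima_policy=critical_data satisfies the `measure func=CRITICAL_DATA label=selinux` rule in selinux.policy, while a rule with a different label does not. It also shows the simpler command-line check for a builtin policy. Both policies are read from files passed as arguments; the function names and the sample files are constructed for this example. Rules are compared as whitespace-separated tokens only: ordering and dont_measure exclusions, which a complete check would also need, are not modelled.

```shell
#!/bin/sh
# Added example, not LTP code. Rule coverage check for IMA policies: a rule in
# the running policy covers a required rule when it has the same action and
# every one of its conditions also appears in the required rule, i.e. it is the
# same rule or a more general one.

# Return 0 if the running policy ($2) has a rule covering $1, else 1.
_ima_rule_covered()
{
	local req="$1" running="$2" rule cond ok
	local req_action="${req%% *}"

	while read -r rule; do
		case "$rule" in ''|'#'*) continue ;; esac
		[ "${rule%% *}" = "$req_action" ] || continue
		ok=1
		# Each condition of the candidate must be a token of the required rule.
		for cond in ${rule#"$req_action"}; do
			case " $req " in
			*" $cond "*) ;;
			*) ok=0; break ;;
			esac
		done
		if [ "$ok" = 1 ]; then
			return 0
		fi
	done < "$running"
	return 1
}

# Return 0 if every rule in the required policy file ($1) is covered by the
# running policy file ($2); print the first uncovered rule otherwise.
ima_policy_covers()
{
	local required="$1" running="$2" req

	while read -r req; do
		case "$req" in ''|'#'*) continue ;; esac
		_ima_rule_covered "$req" "$running" ||
			{ echo "missing rule: $req"; return 1; }
	done < "$required"
	return 0
}

# Return 0 if the builtin policy $1 was selected on the kernel command line
# ($2, default /proc/cmdline). ima_policy= takes several names joined by '|'.
ima_builtin_policy_active()
{
	local name="$1" cmdline="${2:-/proc/cmdline}"

	grep -Eq '(^|[[:space:]])ima_policy=([^[:space:]]*[|])?'"$name"'([|]|[[:space:]]|$)' \
		"$cmdline"
}
```

A test script would first try `ima_builtin_policy_active critical_data` and only fall back to reading the policy (which needs CONFIG_IMA_READ_POLICY=y) and calling `ima_policy_covers` when no builtin covers it.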

end of thread, other threads:[~2025-02-04 11:17 UTC | newest]

Thread overview: 26+ messages
2025-01-14 11:29 [PATCH v3 00/10] LTP tests: load predefined policy, enhancements Petr Vorel
2025-01-14 11:29 ` [PATCH v3 01/10] ima_violations.sh: Fix log detection Petr Vorel
2025-01-23 17:37   ` Mimi Zohar
2025-01-14 11:29 ` [PATCH v3 02/10] IMA: Add TCB policy as an example for ima_measurements.sh Petr Vorel
2025-01-23 17:38   ` Mimi Zohar
2025-02-03 15:46     ` Mimi Zohar
2025-01-14 11:29 ` [PATCH v3 03/10] IMA: Move requirement check to ima_setup.sh Petr Vorel
2025-01-23 17:38   ` Mimi Zohar
2025-01-14 11:29 ` [PATCH v3 04/10] IMA: Add example policy for ima_violations.sh Petr Vorel
2025-02-03 15:51   ` Mimi Zohar
2025-01-14 11:29 ` [PATCH v3 05/10] IMA: Read required policy from file Petr Vorel
2025-01-23 17:39   ` Mimi Zohar
2025-02-04 11:17     ` Petr Vorel
2025-01-14 11:29 ` [PATCH v3 06/10] ima_violations.sh: Declare tcb builtin policy Petr Vorel
2025-01-23 17:45   ` Mimi Zohar
2025-01-14 11:29 ` [PATCH v3 07/10] ima_setup.sh: Add digest index detection for ima-buf format Petr Vorel
2025-02-03 16:00   ` Mimi Zohar
2025-01-14 11:29 ` [PATCH v3 08/10] ima_setup.sh: Allow to load predefined policy Petr Vorel
2025-02-03 16:31   ` Mimi Zohar
2025-01-14 11:29 ` [PATCH v3 09/10] ima_measurements.sh: Check policy for test3 Petr Vorel
2025-01-23 17:39   ` Mimi Zohar
2025-01-14 11:29 ` [PATCH v3 10/10] tst_test.sh: IMA: Allow to disable LSM warnings and use it for IMA Petr Vorel
2025-01-23 17:39   ` Mimi Zohar
2025-01-31  9:26   ` [LTP] " Cyril Hrubis
2025-01-31 12:09     ` Petr Vorel
2025-01-23 17:37 ` [PATCH v3 00/10] LTP tests: load predefined policy, enhancements Mimi Zohar
