From: Petr Vorel <pvorel@suse.cz>
To: Mimi Zohar <zohar@linux.ibm.com>
Cc: linux-integrity@vger.kernel.org, ltp@lists.linux.it
Subject: Re: [LTP] [PATCH v2 6/8] IMA: Add example policy for ima_violations.sh
Date: Tue, 31 Dec 2024 13:23:40 +0100 [thread overview]
Message-ID: <20241231122340.GE36475@pevik> (raw)
In-Reply-To: <35af7de88f6961817a9df23c55104d20c32d2680.camel@linux.ibm.com>
Hi Mimi,
> Hi Petr,
> On Fri, 2024-12-13 at 23:20 +0100, Petr Vorel wrote:
> > Suggested-by: Mimi Zohar <zohar@linux.ibm.com>
> > Signed-off-by: Petr Vorel <pvorel@suse.cz>
> > ---
> > .../integrity/ima/datafiles/ima_violations/violations.policy | 1 +
> > 1 file changed, 1 insertion(+)
> > create mode 100644 testcases/kernel/security/integrity/ima/datafiles/ima_violations/violations.policy
> > diff --git a/testcases/kernel/security/integrity/ima/datafiles/ima_violations/violations.policy b/testcases/kernel/security/integrity/ima/datafiles/ima_violations/violations.policy
> > new file mode 100644
> > index 0000000000..5734c7617f
> > --- /dev/null
> > +++ b/testcases/kernel/security/integrity/ima/datafiles/ima_violations/violations.policy
> > @@ -0,0 +1 @@
> > +func=FILE_CHECK
> "[PATCH v2 1/8] IMA: Add TCB policy as an example for ima_measurements.sh"
> contains two rules to measure files opened by root on file open.
> measure func=FILE_CHECK mask=^MAY_READ euid=0
> measure func=FILE_CHECK mask=^MAY_READ uid=0
> If the 'tcb' or equivalent policy is loaded, there is no need to load another
> policy rule.
I guess I'll move check for builtin policy loaded via kernel command line
parameter also to ima_setup.sh to avoid loading example policy when there is a
required builtin policy loaded. I also wonder what is a common approach - don't
try to load custom example policy when there is builtin policy loaded?
My goal was to allow more broad IMA testing based on different setup:
* running tests with ima_policy=tcb builtin policy (current approach). Many
tests will be skipped due missing required policy content.
* running tests without any builtin policy + load a custom policy + reboot via
LTP_IMA_LOAD_POLICY=1 (this patchset), but this should be probably be done only
if required (or even none) builtin policy is loaded.
* Ideally not require CONFIG_IMA_READ_POLICY=y as some distros does not have it
(but then it is hard to detect whether failures are real bugs or just false
positives due not having a proper policy). Maybe convert TBROK/TFAIL to TCONF if
policy content is required but cannot be read due CONFIG_IMA_READ_POLICY (and
custom policy with proper content was not loaded).
But you may have an idea what is more useful (brings more test coverage).
Kind regards,
Petr
> Thanks,
> Mimi
--
Mailing list info: https://lists.linux.it/listinfo/ltp
next prev parent reply other threads:[~2024-12-31 12:24 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-12-13 22:20 [LTP] [PATCH v2 0/8] LTP tests: load predefined policy, enhancements Petr Vorel
2024-12-13 22:20 ` [LTP] [PATCH v2 1/8] IMA: Add TCB policy as an example for ima_measurements.sh Petr Vorel
2024-12-31 16:01 ` Mimi Zohar
2025-01-03 11:57 ` Petr Vorel
2024-12-13 22:20 ` [LTP] [PATCH v2 2/8] ima_setup.sh: Allow to load predefined policy Petr Vorel
2024-12-30 20:43 ` Mimi Zohar
2024-12-31 10:00 ` Petr Vorel
2024-12-31 14:54 ` Mimi Zohar
2025-01-03 12:09 ` Petr Vorel
2025-01-03 12:18 ` Petr Vorel
2025-01-03 15:31 ` Mimi Zohar
2024-12-13 22:20 ` [LTP] [PATCH v2 3/8] tst_test.sh: IMA: Allow to disable LSM warnings and use it for IMA Petr Vorel
2024-12-13 22:20 ` [LTP] [PATCH v2 4/8] ima_setup: Print warning when policy not readable Petr Vorel
2024-12-13 22:20 ` [LTP] [PATCH v2 5/8] ima_kexec.sh: Move checking policy if readable to ima_setup.sh Petr Vorel
2024-12-13 22:20 ` [LTP] [PATCH v2 6/8] IMA: Add example policy for ima_violations.sh Petr Vorel
2024-12-31 3:43 ` Mimi Zohar
2024-12-31 10:40 ` Petr Vorel
2024-12-31 12:23 ` Petr Vorel [this message]
2024-12-31 15:34 ` Mimi Zohar
2025-01-03 19:02 ` Petr Vorel
2025-01-07 18:29 ` Mimi Zohar
2024-12-13 22:20 ` [LTP] [PATCH v2 7/8] ima_violations.sh: Check for a required policy Petr Vorel
2024-12-31 3:42 ` Mimi Zohar
2024-12-13 22:20 ` [LTP] [PATCH v2 8/8] [RFC] ima_kexec.sh: Relax result on unreadable policy to TCONF Petr Vorel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20241231122340.GE36475@pevik \
--to=pvorel@suse.cz \
--cc=linux-integrity@vger.kernel.org \
--cc=ltp@lists.linux.it \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox