From: Petr Vorel <pvorel@suse.cz>
To: Mimi Zohar <zohar@linux.ibm.com>
Cc: linux-integrity@vger.kernel.org, ltp@lists.linux.it
Subject: Re: [LTP] [PATCH v3 05/10] IMA: Read required policy from file
Date: Tue, 4 Feb 2025 12:17:48 +0100
Message-ID: <20250204111748.GA1454574@pevik>
In-Reply-To: <3c7dee2c281867aa279c9d556e4aa62a7e865d36.camel@linux.ibm.com>

Hi Mimi,

...
> > +++ b/testcases/kernel/security/integrity/ima/tests/ima_selinux.sh
> > @@ -1,6 +1,7 @@
> >  #!/bin/sh
> >  # SPDX-License-Identifier: GPL-2.0-or-later
> >  # Copyright (c) 2021 Microsoft Corporation
> > +# Copyright (c) Linux Test Project, 2021-2025
> >  # Author: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
> >  #
> >  # Verify measurement of SELinux policy hash and state.
> > @@ -14,15 +15,12 @@ TST_CNT=2
> >  TST_SETUP="setup"
> >  TST_MIN_KVER="5.12"
> >  
> > -FUNC_CRITICAL_DATA='func=CRITICAL_DATA'
> > -REQUIRED_POLICY="^measure.*$FUNC_CRITICAL_DATA"
> > +REQUIRED_POLICY_CONTENT='selinux.policy'
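Review bot: replacing REQUIRED_POLICY="^measure.*$FUNC_CRITICAL_DATA" with REQUIRED_POLICY_CONTENT='selinux.policy' narrows the requirement from any "measure ... func=CRITICAL_DATA" rule to the exact contents of selinux.policy (measure func=CRITICAL_DATA label=selinux), so a kernel booted with the generic rule from ima_policy=critical_data, which the test works with just as well, no longer passes the setup check. Keep the generic rule as an accepted alternative, for example by also declaring a builtin policy the setup code can match (REQUIRED_BUILTIN_POLICY="critical_data") and checking for it before loading the specific one.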

> The selinux.policy contains a specific critical data measurement rule:
> measure func=CRITICAL_DATA label=selinux.  However the test would work with the
> generic policy rule "measure func=CRITICAL_DATA", which can be specified on the
> boot command line via "ima_policy=critical_data".

> As long as being able to read the IMA policy is required, in addition to checking
> whether the specific critical data rule exists, check whether the generic rule exists
> before loading the specific one.

> Perhaps all that is needed is defining REQUIRED_BUILTIN_POLICY like:
> REQUIRED_BUILTIN_POLICY="critical_data"

Thanks for the hint, I'll retest ima_policy=critical_data and add it as an
alternative (as a separate patch). In the meantime I (hopefully) fixed all
mistakes in the commit messages and merged. Thanks a lot for your patient
review!

...

Kind regards,
Petr
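The check Mimi describes, written out as an added example (this is not code from the LTP patch or from either mail, and the function names are my own): it accepts either the label-specific rule shipped in selinux.policy or the generic CRITICAL_DATA rule, and separately detects whether the builtin critical_data policy was selected on the kernel command line. Policy and command-line text are passed in as constructed strings so it runs offline.

```shell
#!/bin/sh
# Added example (not from the LTP patch or either mail): accept either the
# label-specific rule shipped in selinux.policy or the generic CRITICAL_DATA
# rule that builtin ima_policy=critical_data provides. Inputs are passed as
# strings so it runs offline; a live system would read
# /sys/kernel/security/ima/policy and /proc/cmdline instead.

# Prints "specific", "generic" or "none"; exit status 0 only when some rule
# measures SELinux critical data.
ima_critical_data_rule_kind()
{
	# drop comments and blank lines; each remaining line is one rule
	rules=$(printf '%s\n' "$1" | grep -Ev '^[[:space:]]*(#|$)')
	# 1. the selinux.policy rule: measure func=CRITICAL_DATA label=selinux
	if printf '%s\n' "$rules" |
	   grep -Eq '^measure[[:space:]].*func=CRITICAL_DATA.*label=[^[:space:]]*selinux'; then
		echo specific; return 0
	fi
	# 2. generic rule: CRITICAL_DATA measured with no label= restriction
	if printf '%s\n' "$rules" | grep -E '^measure[[:space:]].*func=CRITICAL_DATA' |
	   grep -Evq 'label='; then
		echo generic; return 0
	fi
	echo none; return 1
}

# Exit status 0 when the kernel command line selected builtin policy $1;
# the kernel accepts several names joined by '|' (e.g. ima_policy=tcb|critical_data).
ima_builtin_policy_selected()
{
	for word in $2; do
		case "$word" in
		ima_policy=*)
			case "|${word#ima_policy=}|" in
			*"|$1|"*) return 0 ;;
			esac ;;
		esac
	done
	return 1
}

# Constructed sample inputs (not captured from a real system)
SELINUX_POLICY='# selinux.policy
measure func=CRITICAL_DATA label=selinux'
GENERIC_POLICY='measure func=CRITICAL_DATA'
OTHER_LABEL_POLICY='measure func=CRITICAL_DATA label=kernel_version'
CMDLINE='BOOT_IMAGE=/vmlinuz ima_policy=tcb|critical_data quiet'

ima_critical_data_rule_kind "$SELINUX_POLICY"   # prints "specific"
ima_critical_data_rule_kind "$GENERIC_POLICY"   # prints "generic"
```

A rule that measures CRITICAL_DATA only for another label (the kernel_version sample) is reported as "none", since it would not cover the SELinux measurement the test expects.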
