Re: [LTP] [PATCH v3 00/10] LTP tests: load predefined policy, enhancements

[Mimi Zohar <zohar@linux.ibm.com>]

Hi Petr,

On Tue, 2025-01-14 at 12:29 +0100, Petr Vorel wrote:
> Changes v2->v3:
> * Rewrite verifying logic if policy needs to be loaded and how it is
>   loaded.
> * Allow testing when policy is not reliable, but relax failures to TCONF.
> * Add TCB policy example.
> * Document LTP_IMA_LOAD_POLICY in doc/users/setup_tests.rst.
> * Fix test policy installation (previously wrong Makefile).
> * Removed some of the previous commits ("ima_kexec.sh: Relax result on
>   unreadable policy to TCONF", "ima_violations.sh: Check for a required policy",
>   "ima_setup: Print warning when policy not readable").
> * More cleanup.

Very nice patch set.  Thank you!

> 
> TODO: ima_measurements.sh and ima_violations.sh use detection for
> ima_policy=tcb builtin policy. But if example policy is loaded there is
> no longer tcb policy. Not sure how to fix it - some tooling might not
> support reboot, thus I wanted to use ima_policy=tcb, which previously
> worked.

The specific policy rules are mostly a subset of the tcb policy.  The only time that
loading a specific policy first is an issue is when it is the one and only custom
policy allowed to be loaded.  One possible method of avoiding this problem, would be
to require running the ima_measurements.sh first.

Mimi

-- 
Mailing list info: https://lists.linux.it/listinfo/ltp