From: Petr Vorel <pvorel@suse.cz>
To: Mimi Zohar <zohar@linux.ibm.com>
Cc: ltp@lists.linux.it
Subject: Re: [LTP] [PATCH] security/ima: limit the scope of the LTP policy rules based on the UUID
Date: Wed, 12 Oct 2022 16:39:53 +0200
Message-ID: <Y0bRucMo4gV7B5lw@pevik>
In-Reply-To: <39e9f8468b43b7d7a916e2b3e643aa233d161a81.camel@linux.ibm.com>

Hi Mimi,

> Hi Petr,

> On Wed, 2022-10-12 at 13:54 +0200, Petr Vorel wrote:
> > For some reason ima_violations.sh works, when run as the first test after boot
> > (at least with only "ima_policy=tcb" setup), but not when whole ima runtest file
> > is run (as there are tests run before it). I'm still trying to figure out
> > what's wrong.

> Sounds like initially the tests are run with the builtin "tcb" policy.

Yes, since LTP does not support reboot and IMA ima_measurements.sh requires
ima_policy=tcb, I configured VM to run all tests with ima_policy=tcb.

> Loading any IMA policy rules replaces the existing builtin policy with
> the new custom policy.

Yes, done in ima_policy.sh, which is the second test (valid policy: measure.policy).
Thus only ima_measurements.sh and ima_policy.sh are run with ima_policy=tcb.

I haven't had time to look into ascii_runtime_measurements, but this changed
with fsuuid= (previously was working, now fails in ima_violations.sh).
I'll have a look soon (I'm wasting your time if I ask before proper debugging).

As I wrote before, it'd be great if 1) running whole runtest/ima worked (either
TPASS or TCONF detect missing something in kernel or in kernel params, ...).
2) running any single test also TPASS or TCONF.

Testers then could run tests with a different setup (builtin policies, custom
policies, ...).

Kind regards,
Petr
--
Mailing list info: https://lists.linux.it/listinfo/ltp