* [PATCH 0/2] LTP IMA pre-release fixes
@ 2025-09-12 7:32 Petr Vorel
2025-09-12 7:32 ` [PATCH 1/2] ima_policy.sh: Optimize check for policy writable Petr Vorel
2025-09-12 7:32 ` [PATCH 2/2] ima_{conditionals,policy}: Handle policy required to be signed Petr Vorel
From: Petr Vorel @ 2025-09-12 7:32 UTC (permalink / raw)
To: ltp
Cc: Petr Vorel, Mimi Zohar, linux-integrity, selinux, Cyril Hrubis,
Coiby Xu
Hi,
The important one is the second patch. It'd be good to merge it before the upcoming
LTP release (1-2 weeks).
Kind regards,
Petr
Petr Vorel (2):
ima_policy.sh: Optimize check for policy writable
ima_{conditionals,policy}: Handle policy required to be signed
.../security/integrity/ima/tests/ima_conditionals.sh | 11 ++++++++++-
.../security/integrity/ima/tests/ima_policy.sh | 12 ++++++------
.../kernel/security/integrity/ima/tests/ima_setup.sh | 7 +++++++
3 files changed, 23 insertions(+), 7 deletions(-)
--
2.51.0
* [PATCH 1/2] ima_policy.sh: Optimize check for policy writable
2025-09-12 7:32 [PATCH 0/2] LTP IMA pre-release fixes Petr Vorel
@ 2025-09-12 7:32 ` Petr Vorel
2025-09-12 13:18 ` Mimi Zohar
` (2 more replies)
2025-09-12 7:32 ` [PATCH 2/2] ima_{conditionals,policy}: Handle policy required to be signed Petr Vorel
From: Petr Vorel @ 2025-09-12 7:32 UTC (permalink / raw)
To: ltp
Cc: Petr Vorel, Mimi Zohar, linux-integrity, selinux, Cyril Hrubis,
Coiby Xu
Previously policy was checked in setup and in all tests
(redundant in test1). It should be enough to test in setup and after
write in test1, but let's be careful and test before writing the
policy in load_policy().
Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
.../kernel/security/integrity/ima/tests/ima_policy.sh | 7 ++-----
1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_policy.sh b/testcases/kernel/security/integrity/ima/tests/ima_policy.sh
index af1fb0028c..1c4763d838 100755
--- a/testcases/kernel/security/integrity/ima/tests/ima_policy.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_policy.sh
@@ -1,7 +1,7 @@
#!/bin/sh
# SPDX-License-Identifier: GPL-2.0-or-later
# Copyright (c) 2009 IBM Corporation
-# Copyright (c) 2018-2020 Petr Vorel <pvorel@suse.cz>
+# Copyright (c) 2018-2025 Petr Vorel <pvorel@suse.cz>
# Author: Mimi Zohar <zohar@linux.ibm.com>
#
# Test replacing the default integrity measurement policy.
@@ -11,8 +11,6 @@ TST_CNT=2
setup()
{
- require_policy_writable
-
VALID_POLICY="$TST_DATAROOT/measure.policy"
[ -f $VALID_POLICY ] || tst_brk TCONF "missing $VALID_POLICY"
@@ -24,6 +22,7 @@ load_policy()
{
local ret
+ require_policy_writable
exec 2>/dev/null 4>$IMA_POLICY
[ $? -eq 0 ] || exit 1
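Review bot: require_policy_writable now runs inside load_policy(), which test1 and test2 start as background jobs (`load_policy $INVALID_POLICY & p1=$!`), so a tst_brk issued there terminates only that child and the parent learns nothing beyond a non-zero status from `wait "$p1"`. In test1 a non-zero status is presumably the branch taken when the invalid policy is rejected, so with the setup() call removed in the previous hunk a read-only policy file can no longer be told apart from a rejected policy. Consider keeping one require_policy_writable call in the parent process (setup() or the start of each test) in addition to this defensive one, or have load_policy exit with a distinct code when the open itself fails.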
@@ -43,7 +42,6 @@ test1()
local p1
- require_policy_writable
load_policy $INVALID_POLICY & p1=$!
wait "$p1"
if [ $? -ne 0 ]; then
@@ -59,7 +57,6 @@ test2()
local p1 p2 rc1 rc2
- require_policy_writable
load_policy $VALID_POLICY & p1=$!
load_policy $VALID_POLICY & p2=$!
wait "$p1"; rc1=$?
--
2.51.0
* [PATCH 2/2] ima_{conditionals,policy}: Handle policy required to be signed
2025-09-12 7:32 [PATCH 0/2] LTP IMA pre-release fixes Petr Vorel
2025-09-12 7:32 ` [PATCH 1/2] ima_policy.sh: Optimize check for policy writable Petr Vorel
@ 2025-09-12 7:32 ` Petr Vorel
2025-09-12 13:23 ` Mimi Zohar
2025-09-15 12:12 ` Cyril Hrubis
From: Petr Vorel @ 2025-09-12 7:32 UTC (permalink / raw)
To: ltp
Cc: Petr Vorel, Mimi Zohar, linux-integrity, selinux, Cyril Hrubis,
Coiby Xu
Since kernel 6.6, the policy needs to be signed when UEFI secure boot is enabled.
Skip testing in that case.
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=56dc986a6b20b
This fixes errors:
ima_policy 2 TINFO: verify that policy file is not opened concurrently and able to loaded multiple times
ima_policy 2 TFAIL: problem loading or extending policy (may require policy to be signed)
https://openqa.suse.de/tests/18723792#step/ima_conditionals/6
ima_conditionals 1 TINFO: verify measuring user files when requested via uid
echo: write error: Permission denied
ima_conditionals 1 TBROK: echo measure uid=65534 > /sys/kernel/security/ima/policy failed
Ideally there would be a test which checks that an unsigned policy cannot be
written.
Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
.../security/integrity/ima/tests/ima_conditionals.sh | 11 ++++++++++-
.../kernel/security/integrity/ima/tests/ima_policy.sh | 5 ++++-
.../kernel/security/integrity/ima/tests/ima_setup.sh | 7 +++++++
3 files changed, 21 insertions(+), 2 deletions(-)
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_conditionals.sh b/testcases/kernel/security/integrity/ima/tests/ima_conditionals.sh
index b59f330cac..9125616890 100755
--- a/testcases/kernel/security/integrity/ima/tests/ima_conditionals.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_conditionals.sh
@@ -1,7 +1,7 @@
#!/bin/sh
# SPDX-License-Identifier: GPL-2.0-or-later
# Copyright (c) 2021 VPI Engineering
-# Copyright (c) 2021 Petr Vorel <pvorel@suse.cz>
+# Copyright (c) 2021-2025 Petr Vorel <pvorel@suse.cz>
# Author: Alex Henrie <alexh@vpitech.com>
#
# Verify that conditional rules work.
@@ -10,8 +10,16 @@
# support") from v5.16.
TST_NEEDS_CMDS="cat chgrp chown id sg sudo"
+TST_SETUP="setup"
TST_CNT=1
+setup()
+{
+ if check_need_signed_policy; then
+ tst_brk TCONF "policy have to be signed"
+ fi
+}
+
verify_measurement()
{
local request="$1"
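Review bot: the TCONF message `policy have to be signed` should read `policy has to be signed` (or `policy must be signed`); the same string is added to test2 in ima_policy.sh below, so change both together. A one-line comment here naming the kernel commit, as the check_need_signed_policy() definition does, would also tell a reader of this file why the whole test is skipped instead of only the write.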
@@ -22,6 +30,7 @@ verify_measurement()
local value="$(id -u $user)"
[ "$request" = 'gid' -o "$request" = 'fgroup' ] && value="$(id -g $user)"
+ # needs to be checked each run (not in setup)
require_policy_writable
ROD rm -f $test_file
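Review bot: the new comment says require_policy_writable "needs to be checked each run (not in setup)" but not why. State the reason (whether the policy file can stop being writable, or disappear, after an earlier load within the same run); without it the next cleanup pass will be tempted to move the check into setup(), which is exactly what patch 1 just did for ima_policy.sh.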
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_policy.sh b/testcases/kernel/security/integrity/ima/tests/ima_policy.sh
index 1c4763d838..490c8b6c2e 100755
--- a/testcases/kernel/security/integrity/ima/tests/ima_policy.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_policy.sh
@@ -61,12 +61,15 @@ test2()
load_policy $VALID_POLICY & p2=$!
wait "$p1"; rc1=$?
wait "$p2"; rc2=$?
+
if [ $rc1 -eq 0 ] && [ $rc2 -eq 0 ]; then
tst_res TFAIL "policy opened concurrently"
elif [ $rc1 -eq 0 ] || [ $rc2 -eq 0 ]; then
tst_res TPASS "policy was loaded just by one process and able to loaded multiple times"
+ elif check_need_signed_policy; then
+ tst_res TCONF "policy have to be signed"
else
- tst_res TFAIL "problem loading or extending policy (may require policy to be signed)"
+ tst_res TFAIL "problem loading or extending policy"
fi
}
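Review bot: `policy have to be signed` should read `policy has to be signed`. The ordering is right: check_need_signed_policy is consulted only after both loads have failed, so a real concurrent-open failure still ends in TFAIL. But since the hint "(may require policy to be signed)" is dropped from the TFAIL text, a kernel that rejects the unsigned policy without satisfying check_need_signed_policy (for example secure boot on and kernel >= 6.5 but the kconfig symbol absent) now reports a bare "problem loading or extending policy"; consider keeping a short hint in that branch. The added blank line after `wait "$p2"; rc2=$?` is an unrelated whitespace change.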
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
index 83fcefb4fc..2a7d651818 100644
--- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
@@ -449,6 +449,13 @@ require_evmctl()
fi
}
+# 56dc986a6b20b ("ima: require signed IMA policy when UEFI secure boot is enabled") # v6.5-rc4
+check_need_signed_policy()
+{
+ tst_secureboot_enabled && tst_kvcmp -ge '6.5' && tst_require_kconfigs \
+ 'CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY'
+}
+
# loop device is needed to use only for tmpfs
TMPDIR="${TMPDIR:-/tmp}"
if tst_supported_fs -d $TMPDIR -s "tmpfs"; then
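Review bot: check_need_signed_policy() is used as a boolean (`elif check_need_signed_policy; then` in test2, `if check_need_signed_policy; then` in ima_conditionals setup()), but tst_require_kconfigs, like the other tst_require_* helpers, is expected to tst_brk TCONF when the option is missing rather than return a status. If it does, a secure-boot machine on kernel >= 6.5 whose config lacks CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY aborts test2 with "Aborting due to unsuitable kernel config" instead of reaching the TFAIL branch; a status-returning variant such as tst_check_kconfigs looks like the intended helper. Also, the comment and the `tst_kvcmp -ge '6.5'` threshold say v6.5-rc4 while the commit message says "since kernel 6.6"; align one with the other.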
--
2.51.0
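The condition that patch 2 encodes in check_need_signed_policy() (secure boot on, kernel at least 6.5, CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY set) is spread across three LTP shell helpers. The stand-alone POSIX sh version below is an added example, not code from the patch or from LTP, and every function name in it is mine. It assumes the helpers do what their names suggest: tst_secureboot_enabled reads the EFI SecureBoot variable from efivars (4 bytes of attributes followed by the 1-byte value), tst_kvcmp compares the running kernel's major.minor, and the kconfig helper looks the option up in the kernel config. Each input is passed as a file or string so the logic can be exercised on constructed samples, and the kconfig check returns a status instead of aborting so that it is usable inside if/elif.

```shell
#!/bin/sh
# Added example (not LTP code): stand-alone version of the decision
# "will this kernel reject an unsigned IMA policy?" built from three inputs
# that the LTP helpers normally hide: the EFI SecureBoot variable, the kernel
# release string and the kernel config. All helper names here are mine.

# Real paths on a running system; the functions take their inputs as
# arguments so the logic can be run against constructed sample files.
EFI_SB_VAR=/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c
IMA_POLICY=/sys/kernel/security/ima/policy
SIGNED_POLICY_KCONFIG=CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
SIGNED_POLICY_KVER=6.5   # threshold used by the patch (commit message says 6.6)

# The efivars file is 4 bytes of variable attributes followed by the 1-byte
# SecureBoot value; only that fifth byte matters. A missing file means no
# EFI or no SecureBoot variable, treated here as "disabled".
secureboot_enabled()
{
	[ -r "$1" ] || return 1
	sb_val=$(od -An -tu1 -j4 -N1 "$1" | tr -d ' ')
	[ "$sb_val" = "1" ]
}

# kver_ge RELEASE MAJOR.MINOR: 0 when RELEASE (as printed by uname -r, e.g.
# "6.5.0-rc4" or "5.14.21-150400.24-default") is at least MAJOR.MINOR.
kver_ge()
{
	k_maj=${1%%.*}
	k_rest=${1#*.}
	k_min=${k_rest%%.*}
	k_min=${k_min%%-*}
	w_maj=${2%%.*}
	w_min=${2#*.}
	[ "$k_maj" -gt "$w_maj" ] ||
		{ [ "$k_maj" -eq "$w_maj" ] && [ "$k_min" -ge "$w_min" ]; }
}

# kconfig_set CONFIG_FILE OPTION: 0 when OPTION=y in a plain-text config.
# Returns a status instead of aborting, so it is safe inside if/elif.
kconfig_set()
{
	grep -q "^$2=y\$" "$1"
}

# The condition from the patch, with every input explicit:
# need_signed_policy SB_VAR_FILE KERNEL_RELEASE CONFIG_FILE
need_signed_policy()
{
	secureboot_enabled "$1" && kver_ge "$2" "$SIGNED_POLICY_KVER" &&
		kconfig_set "$3" "$SIGNED_POLICY_KCONFIG"
}

# Constructed sample inputs (not captured from a real machine), written to DIR.
make_samples()
{
	printf '\007\000\000\000\001' > "$1/sb-on"    # attrs 0x7, value 1
	printf '\007\000\000\000\000' > "$1/sb-off"   # attrs 0x7, value 0
	printf 'CONFIG_IMA=y\n%s=y\n' "$SIGNED_POLICY_KCONFIG" > "$1/config-signed"
	printf 'CONFIG_IMA=y\n# %s is not set\n' "$SIGNED_POLICY_KCONFIG" > "$1/config-unsigned"
}

# Evaluate the machine this runs on (efivars and config usually need root).
live_check()
{
	rel=$(uname -r)
	cfg=/boot/config-$rel
	if [ ! -r "$cfg" ] && [ -r /proc/config.gz ]; then
		cfg=$(mktemp) && zcat /proc/config.gz > "$cfg"
	fi
	if need_signed_policy "$EFI_SB_VAR" "$rel" "$cfg"; then
		echo "unsigned writes to $IMA_POLICY are expected to fail with EPERM"
	else
		echo "no signed-policy requirement detected"
	fi
}

if [ "${1:-}" = "--live" ]; then
	live_check
fi
```

Run it with `--live` on the machine under test to evaluate the real inputs; without arguments it only defines the functions. Where need_signed_policy is true, a rule written directly, such as the `echo measure uid=65534 > /sys/kernel/security/ima/policy` from the commit message, is the kind of write that fails with "Permission denied"; a policy file carrying an IMA signature made with a key on the .ima keyring is still loadable by writing its absolute pathname to that file.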
* Re: [PATCH 1/2] ima_policy.sh: Optimize check for policy writable
2025-09-12 7:32 ` [PATCH 1/2] ima_policy.sh: Optimize check for policy writable Petr Vorel
@ 2025-09-12 13:18 ` Mimi Zohar
2025-09-15 8:10 ` [LTP] " Avinesh Kumar
2025-09-15 11:55 ` Cyril Hrubis
From: Mimi Zohar @ 2025-09-12 13:18 UTC (permalink / raw)
To: Petr Vorel, ltp; +Cc: linux-integrity, selinux, Cyril Hrubis, Coiby Xu
On Fri, 2025-09-12 at 09:32 +0200, Petr Vorel wrote:
> Previously policy was checked in setup and in all tests
> (redundant in test1). It should be enough to test in setup and after
> write in test1, but let's be careful and test before writing the
> policy in load_policy().
>
> Signed-off-by: Petr Vorel <pvorel@suse.cz>
Thanks, Petr.
Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
* Re: [PATCH 2/2] ima_{conditionals,policy}: Handle policy required to be signed
2025-09-12 7:32 ` [PATCH 2/2] ima_{conditionals,policy}: Handle policy required to be signed Petr Vorel
@ 2025-09-12 13:23 ` Mimi Zohar
2025-09-16 16:41 ` Petr Vorel
2025-09-15 12:12 ` Cyril Hrubis
From: Mimi Zohar @ 2025-09-12 13:23 UTC (permalink / raw)
To: Petr Vorel, ltp; +Cc: linux-integrity, selinux, Cyril Hrubis, Coiby Xu
On Fri, 2025-09-12 at 09:32 +0200, Petr Vorel wrote:
> Since kernel 6.6, the policy needs to be signed when UEFI secure boot is enabled.
> Skip testing in that case.
>
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=56dc986a6b20b
>
> This fixes errors:
>
> ima_policy 2 TINFO: verify that policy file is not opened concurrently and able to loaded multiple times
> ima_policy 2 TFAIL: problem loading or extending policy (may require policy to be signed)
> https://openqa.suse.de/tests/18723792#step/ima_conditionals/6
>
> ima_conditionals 1 TINFO: verify measuring user files when requested via uid
> echo: write error: Permission denied
> ima_conditionals 1 TBROK: echo measure uid=65534 > /sys/kernel/security/ima/policy failed
>
> Ideally there would be a test which checks that an unsigned policy cannot be
> written.
>
> Signed-off-by: Petr Vorel <pvorel@suse.cz>
Thanks, Petr.
Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
At some point, consider adding support for signing policy rules, if the
private/public keypair is provided.
Mimi
* Re: [LTP] [PATCH 1/2] ima_policy.sh: Optimize check for policy writable
2025-09-12 7:32 ` [PATCH 1/2] ima_policy.sh: Optimize check for policy writable Petr Vorel
2025-09-12 13:18 ` Mimi Zohar
@ 2025-09-15 8:10 ` Avinesh Kumar
2025-09-15 11:55 ` Cyril Hrubis
From: Avinesh Kumar @ 2025-09-15 8:10 UTC (permalink / raw)
To: Petr Vorel; +Cc: ltp, Coiby Xu, selinux, linux-integrity
Hi,
On Friday, September 12, 2025 9:32:08 AM CEST Petr Vorel wrote:
> Previously policy was checked in setup and in all tests
> (redundant in test1). It should be enough to test in setup and after
> write in test1, but let's being careful and test before writing the
nit:
s/let's being/let's be
> policy in load_policy().
>
> Signed-off-by: Petr Vorel <pvorel@suse.cz>
Reviewed-by: Avinesh Kumar <akumar@suse.de>
for both the patches.
Regards,
Avinesh
> ---
> .../kernel/security/integrity/ima/tests/ima_policy.sh | 7 ++-----
> 1 file changed, 2 insertions(+), 5 deletions(-)
>
> diff --git a/testcases/kernel/security/integrity/ima/tests/ima_policy.sh b/testcases/kernel/security/integrity/ima/tests/ima_policy.sh
> index af1fb0028c..1c4763d838 100755
> --- a/testcases/kernel/security/integrity/ima/tests/ima_policy.sh
> +++ b/testcases/kernel/security/integrity/ima/tests/ima_policy.sh
> @@ -1,7 +1,7 @@
> #!/bin/sh
> # SPDX-License-Identifier: GPL-2.0-or-later
> # Copyright (c) 2009 IBM Corporation
> -# Copyright (c) 2018-2020 Petr Vorel <pvorel@suse.cz>
> +# Copyright (c) 2018-2025 Petr Vorel <pvorel@suse.cz>
> # Author: Mimi Zohar <zohar@linux.ibm.com>
> #
> # Test replacing the default integrity measurement policy.
> @@ -11,8 +11,6 @@ TST_CNT=2
>
> setup()
> {
> - require_policy_writable
> -
> VALID_POLICY="$TST_DATAROOT/measure.policy"
> [ -f $VALID_POLICY ] || tst_brk TCONF "missing $VALID_POLICY"
>
> @@ -24,6 +22,7 @@ load_policy()
> {
> local ret
>
> + require_policy_writable
> exec 2>/dev/null 4>$IMA_POLICY
> [ $? -eq 0 ] || exit 1
>
> @@ -43,7 +42,6 @@ test1()
>
> local p1
>
> - require_policy_writable
> load_policy $INVALID_POLICY & p1=$!
> wait "$p1"
> if [ $? -ne 0 ]; then
> @@ -59,7 +57,6 @@ test2()
>
> local p1 p2 rc1 rc2
>
> - require_policy_writable
> load_policy $VALID_POLICY & p1=$!
> load_policy $VALID_POLICY & p2=$!
> wait "$p1"; rc1=$?
>
* Re: [PATCH 1/2] ima_policy.sh: Optimize check for policy writable
2025-09-12 7:32 ` [PATCH 1/2] ima_policy.sh: Optimize check for policy writable Petr Vorel
2025-09-12 13:18 ` Mimi Zohar
2025-09-15 8:10 ` [LTP] " Avinesh Kumar
@ 2025-09-15 11:55 ` Cyril Hrubis
From: Cyril Hrubis @ 2025-09-15 11:55 UTC (permalink / raw)
To: Petr Vorel; +Cc: ltp, Mimi Zohar, linux-integrity, selinux, Coiby Xu
Hi!
Reviewed-by: Cyril Hrubis <chrubis@suse.cz>
--
Cyril Hrubis
chrubis@suse.cz
* Re: [PATCH 2/2] ima_{conditionals,policy}: Handle policy required to be signed
2025-09-12 7:32 ` [PATCH 2/2] ima_{conditionals,policy}: Handle policy required to be signed Petr Vorel
2025-09-12 13:23 ` Mimi Zohar
@ 2025-09-15 12:12 ` Cyril Hrubis
From: Cyril Hrubis @ 2025-09-15 12:12 UTC (permalink / raw)
To: Petr Vorel; +Cc: ltp, Mimi Zohar, linux-integrity, selinux, Coiby Xu
Hi!
Reviewed-by: Cyril Hrubis <chrubis@suse.cz>
--
Cyril Hrubis
chrubis@suse.cz
* Re: [PATCH 2/2] ima_{conditionals,policy}: Handle policy required to be signed
2025-09-12 13:23 ` Mimi Zohar
@ 2025-09-16 16:41 ` Petr Vorel
From: Petr Vorel @ 2025-09-16 16:41 UTC (permalink / raw)
To: Mimi Zohar; +Cc: ltp, linux-integrity, selinux, Cyril Hrubis, Coiby Xu, Li Wang
Hi Mimi,
[ Cc Li, although I have no idea if Fedora even runs LTP IMA tests ]
> On Fri, 2025-09-12 at 09:32 +0200, Petr Vorel wrote:
> > Since kernel 6.6, the policy needs to be signed when UEFI secure boot is enabled.
> > Skip testing in that case.
> > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=56dc986a6b20b
> > This fixes errors:
> > ima_policy 2 TINFO: verify that policy file is not opened concurrently and able to loaded multiple times
> > ima_policy 2 TFAIL: problem loading or extending policy (may require policy to be signed)
> > https://openqa.suse.de/tests/18723792#step/ima_conditionals/6
> > ima_conditionals 1 TINFO: verify measuring user files when requested via uid
> > echo: write error: Permission denied
> > ima_conditionals 1 TBROK: echo measure uid=65534 > /sys/kernel/security/ima/policy failed
> > Ideally there would be a test which checks that an unsigned policy cannot be
> > written.
> > Signed-off-by: Petr Vorel <pvorel@suse.cz>
> Thanks, Petr.
> Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
Thanks for your review, merged!
> At some point, consider adding support for signing policy rules, if the
> private/public keypair is provided.
I'm not against it, but I'm not sure I'll find time for this (as usual, patches
are welcome). If I understand the docs [1] [2] correctly, it depends on
CONFIG_SYSTEM_TRUSTED_KEYS, right?
Fedora builds with CONFIG_SYSTEM_TRUSTED_KEYS="certs/rhel.pem", but ships its config
with CONFIG_SYSTEM_TRUSTED_KEYS="" ("We are resetting this value to facilitate
local builds", which makes perfect sense); other distros (at least openSUSE
Tumbleweed and Debian) build with CONFIG_SYSTEM_TRUSTED_KEYS="".
I doubt that the Fedora private key will be exposed for testing. Therefore this
feature is IMHO useful for mainline testing, but not for distro testing, right?
But again, I'm not against merging the patch (if anybody is willing to implement
it).
Kind regards,
Petr
[1] https://ima-doc.readthedocs.io/en/latest/ima-utilities.html#build-kernel-with-ima-ca-key-on-keyring
[2] https://ima-doc.readthedocs.io/en/latest/ima-utilities.html#ima-ca-key-and-certificate
> Mimi