On Thu, 2021-04-01 at 17:12 -0700, Fan Wu wrote:
> Hello,
>
> We are trying to extend the IMA appraise action. To prevent breaking the
> system, we want to collect existing appraise-related tests, but I find
> there are not many related tests in the LTP project.
>
> As far as I am aware, only evm_overlay and kexec tests are testing with
> a policy that contains an appraise rule. But they do not test the file
> execution (exec/mmap/mprotect syscalls with various args) we are
> focusing on.
>
> I am wondering, are all available tests in the LTP? Also, I am looking
> for suggestions for testing appraise.

Right. By "appraise", I assume you mean signed files.

Until file data and metadata are distributed together, the public key is
loaded onto the IMA keyring, and an appropriate IMA policy is loaded,
generic "appraise" testing is kind of difficult.

Distro kernel images are an exception: they are signed, the associated
public key may be loaded on the platform keyring, and the IMA arch-specific
policies define IMA policy rules that require the kernel image to be
signed. With all of this in place there are kexec tests. Once Nayna's
"ima: kernel build support for loading the kernel module signing key"
patch set, generic kernel module tests could be written as well.

In general, if additional IMA appraise policy rules need to be loaded,
they need to be limited to the test environment to avoid affecting the
running system. For example, both LTP and bpf IMA policy rules are
limited to the loopback mounted filesystems.

If you know how to generically solve the above requirements, adding
additional "appraise" tests would be very welcome.

thanks,

Mimi
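The point Mimi makes about limiting appraise rules to the test environment is easiest to see with a concrete policy. The script below is an added example, not code from this thread, from LTP or from the bpf tests; it scopes the appraise rules to a loopback-mounted filesystem by its UUID (the `fsuuid=` condition from Documentation/ABI/testing/ima_policy), adds a guard that refuses any appraise rule lacking a filesystem scope, and keeps the privileged setup (image creation, loop mount, signing, policy load) in a separate function that is not run by default. The image path, mount point, key and certificate paths, and the test binary copied into the image are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example: scope IMA appraise rules to a loopback-mounted test filesystem
# so exec/mmap appraisal can be exercised without touching the running system.
# Assumed paths (not from the thread): /tmp/ima-test.img, /mnt/ima-test,
# /etc/keys/ima-test-key.pem (private key), /etc/keys/ima-test-cert.der (cert).

# Emit a policy that appraises only files on the filesystem with UUID $1:
# BPRM_CHECK covers exec, MMAP_CHECK covers executable mmap (and, on kernels
# with the mprotect hook, PROT_EXEC mprotect). Rule syntax follows
# Documentation/ABI/testing/ima_policy.
ima_policy_for_fsuuid() {
    uuid="$1"
    printf 'appraise func=BPRM_CHECK fsuuid=%s appraise_type=imasig\n' "$uuid"
    printf 'appraise func=MMAP_CHECK fsuuid=%s appraise_type=imasig\n' "$uuid"
}

# Guard: succeed only if every appraise rule read from stdin carries a
# filesystem scope (fsuuid= or fsname=). An unscoped appraise rule would
# apply to the whole system, which is exactly what a test must avoid.
ima_policy_is_scoped() {
    while IFS= read -r line; do
        case "$line" in
            appraise*)
                case "$line" in
                    *fsuuid=*|*fsname=*) ;;
                    *) return 1 ;;
                esac ;;
        esac
    done
    return 0
}

# Privileged setup: run as root on a kernel booted with IMA appraisal enabled.
# Not executed unless this script is invoked with the "setup" argument.
ima_test_setup() {
    img=/tmp/ima-test.img
    mnt=/mnt/ima-test
    dd if=/dev/zero of="$img" bs=1M count=64 status=none
    mkfs.ext4 -q "$img"
    mkdir -p "$mnt"
    # iversion is needed so IMA notices file changes on this filesystem.
    mount -o loop,iversion "$img" "$mnt"
    uuid=$(findmnt -no UUID "$mnt")

    # A signed test binary: copy /bin/true in and attach an IMA signature
    # (security.ima xattr) with the test key.
    cp /bin/true "$mnt/true-signed"
    evmctl ima_sign --key /etc/keys/ima-test-key.pem "$mnt/true-signed"
    # An unsigned copy, expected to be refused by exec once the policy is live.
    cp /bin/true "$mnt/true-unsigned"

    # Load the test certificate onto the IMA keyring and the scoped policy.
    evmctl import /etc/keys/ima-test-cert.der "$(keyctl search @u keyring _ima)"
    ima_policy_for_fsuuid "$uuid" > /tmp/ima-test.policy
    ima_policy_is_scoped < /tmp/ima-test.policy || { echo "unscoped rule, refusing to load" >&2; return 1; }
    echo /tmp/ima-test.policy > /sys/kernel/security/ima/policy
    echo "policy loaded for fsuuid=$uuid; try: $mnt/true-signed and $mnt/true-unsigned"
}

[ "${1:-}" = "setup" ] && ima_test_setup
```

Once the policy is live, `$mnt/true-signed` should execute and `$mnt/true-unsigned` should fail with EACCES, while binaries outside the loop mount are unaffected; unmounting the image and rebooting removes the rules, since a loaded IMA policy cannot be unloaded. On recent kernels the .ima keyring only accepts certificates signed by a key already trusted by the kernel, so the `evmctl import` step assumes the test certificate meets that requirement.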