On Tue, 2023-02-14 at 16:22 +0100, Roberto Sassu wrote:
> From: Roberto Sassu <roberto.sassu@xxxxxxxxxx>
>
> Add ima_policy_check.awk to check for possible overlapping of a rule being
> added by a test with the existing IMA policy (policy replacement by IMA at
> the first policy load is not taken into account).
>
> ima_policy_check.awk expects as input the rule to be added, followed by the
> IMA policy.
>
> It returns a bit mask with the following values:
> - 1: invalid new rule;
> - 2: overlap of the new rule with an existing rule in the IMA policy;
> - 4: new rule exists in the IMA policy.
>
> Values can be individually checked by the test executing the awk script, to
> determine what to do (abort loading, print a warning in case of overlap,
> avoid adding an existing rule).
>
> The bit mask allows the test to see multiple statements regarding the new
> rule. For example, if the test added anyway an overlapping rule, it could
> also see that the policy already contains it at the next test execution,
> and does not add it again.
>
> Since ima_policy_check.awk uses GNU extensions (such as the or() function,
> or the fourth argument of split()), add gawk as dependency for the CI.
>
> Finally add ima_policy_check.test, to ensure that the awk script behaves as
> expected.
>
> Signed-off-by: Roberto Sassu <roberto.sassu@xxxxxxxxxx>

Roberto, I dropped a couple of your patches from the "next-testing" branch,
assuming the "Introduce expect_pass_if() and expect_fail_if()" and this patch
are prerequisites for the "Add tests for MMAP_CHECK and MMAP_CHECK_REQPROT
hooks" patch.

thanks,

Mimi
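
How a test might act on the bit mask described in the quoted commit message, as an added example that is not part of this thread or of the patch. The function name, the action names and the precedence between bits (invalid, then exists, then overlap) are assumptions, and the mask is passed in as an argument because the page does not show how the test reads it from the awk script.

```shell
#!/bin/sh
# Added example; not code from ima_policy_check.awk or its test.
# Bit values as listed in the commit message.
RULE_INVALID=1   # invalid new rule
RULE_OVERLAP=2   # new rule overlaps an existing rule
RULE_EXISTS=4    # new rule is already in the IMA policy

# decide_rule_action MASK
# Prints the action a test would take: abort, skip, load-warn or load.
# The precedence below is an assumption made for this example.
decide_rule_action() {
	mask=$1
	# Reject anything that is not a plain decimal number.
	case $mask in
	''|*[!0-9]*) echo abort; return 0 ;;
	esac
	# Bits other than 1, 2 and 4 are not documented: fail closed.
	if [ $((mask & ~7)) -ne 0 ]; then echo abort; return 0; fi
	# An invalid rule must never reach the policy.
	if [ $((mask & RULE_INVALID)) -ne 0 ]; then echo abort; return 0; fi
	# Rule already loaded: do not add it again, even if it overlaps.
	if [ $((mask & RULE_EXISTS)) -ne 0 ]; then echo skip; return 0; fi
	# Overlap only: the test may still load it, but should warn.
	if [ $((mask & RULE_OVERLAP)) -ne 0 ]; then echo load-warn; return 0; fi
	echo load
}

# Constructed masks: a first run sees only an overlap (2); the next run sees
# the rule it added earlier together with the same overlap (2|4 = 6).
for m in 0 2 6 1; do
	printf '%s -> %s\n' "$m" "$(decide_rule_action "$m")"
done
```
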