On Wed, 2023-02-15 at 18:39 -0500, Mimi Zohar wrote:
> On Tue, 2023-02-14 at 16:22 +0100, Roberto Sassu wrote:
> > From: Roberto Sassu <roberto.sassu@xxxxxxxxxx>
> >
> > Add ima_policy_check.awk to check for possible overlapping of a rule being
> > added by a test with the existing IMA policy (policy replacement by IMA at
> > the first policy load is not taken into account).
> >
> > ima_policy_check.awk expects as input the rule to be added, followed by the
> > IMA policy.
> >
> > It returns a bit mask with the following values:
> > - 1: invalid new rule;
> > - 2: overlap of the new rule with an existing rule in the IMA policy;
> > - 4: new rule exists in the IMA policy.
> >
> > Values can be individually checked by the test executing the awk script, to
> > determine what to do (abort loading, print a warning in case of overlap,
> > avoid adding an existing rule).
> >
> > The bit mask allows the test to see multiple statements regarding the new
> > rule. For example, if the test added anyway an overlapping rule, it could
> > also see that the policy already contains it at the next test execution,
> > and does not add it again.
> >
> > Since ima_policy_check.awk uses GNU extensions (such as the or() function,
> > or the fourth argument of split()), add gawk as dependency for the CI.
> >
> > Finally add ima_policy_check.test, to ensure that the awk script behaves as
> > expected.
> >
> > Signed-off-by: Roberto Sassu <roberto.sassu@xxxxxxxxxx>
>
> Roberto, I dropped a couple of your patches from the "next-testing"
> branch, assuming the "Introduce expect_pass_if() and expect_fail_if()"
> and this patch are prerequisites for the "Add tests for MMAP_CHECK and
> MMAP_CHECK_REQPROT hooks" patch.

Yes, I send the latter after the former two are in the repo.

Thanks

Roberto