Hi Mimi,

> Hi Petr,
>
> On Fri, 2024-12-13 at 23:20 +0100, Petr Vorel wrote:
> > Suggested-by: Mimi Zohar <zohar@xxxxxxxxxxxxx>
> > Signed-off-by: Petr Vorel <pvorel@xxxxxxx>
> > ---
> >  .../integrity/ima/datafiles/ima_violations/violations.policy | 1 +
> >  1 file changed, 1 insertion(+)
> >  create mode 100644 testcases/kernel/security/integrity/ima/datafiles/ima_violations/violations.policy
> >
> > diff --git a/testcases/kernel/security/integrity/ima/datafiles/ima_violations/violations.policy b/testcases/kernel/security/integrity/ima/datafiles/ima_violations/violations.policy
> > new file mode 100644
> > index 0000000000..5734c7617f
> > --- /dev/null
> > +++ b/testcases/kernel/security/integrity/ima/datafiles/ima_violations/violations.policy
> > @@ -0,0 +1 @@
> > +func=FILE_CHECK
>
> "[PATCH v2 1/8] IMA: Add TCB policy as an example for ima_measurements.sh"
> contains two rules to measure files opened by root on file open.
>
> measure func=FILE_CHECK mask=^MAY_READ euid=0
> measure func=FILE_CHECK mask=^MAY_READ uid=0
>
> If the 'tcb' or equivalent policy is loaded, there is no need to load another
> policy rule.

I guess I'll move the check for a builtin policy loaded via kernel command line
parameter also to ima_setup.sh, to avoid loading the example policy when there
is a required builtin policy loaded.

I also wonder what is the common approach - don't try to load a custom example
policy when there is a builtin policy loaded? My goal was to allow broader IMA
testing based on different setups:

* running tests with the ima_policy=tcb builtin policy (current approach).
  Many tests will be skipped due to missing required policy content.

* running tests without any builtin policy + load a custom policy + reboot
  via LTP_IMA_LOAD_POLICY=1 (this patchset), but this should probably be done
  only if the required (or even no) builtin policy is loaded.

* Ideally not require CONFIG_IMA_READ_POLICY=y as some distros do not have it
  (but then it is hard to detect whether failures are real bugs or just false
  positives due to not having a proper policy). Maybe convert TBROK/TFAIL to
  TCONF if policy content is required but cannot be read due to
  CONFIG_IMA_READ_POLICY (and a custom policy with proper content was not
  loaded).

But you may have an idea what is more useful (brings more test coverage).

Kind regards,
Petr

> Thanks,
>
> Mimi
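Review bot: the single rule added by the hunk, `func=FILE_CHECK`, has no action keyword, so it is not a complete IMA rule: the kernel's policy parser rejects a rule that does not start with an action (measure, dont_measure, appraise, ...), which matters if this file is ever written to the policy interface under LTP_IMA_LOAD_POLICY=1 as discussed in the reply. If the file is instead meant as content to look for in the already loaded policy, the pattern is too loose, since a `dont_measure func=FILE_CHECK ...` line satisfies it as well. Either way the commit message, which currently consists only of the Suggested-by and Signed-off-by tags, should say what the file is used for; a complete rule such as the `measure func=FILE_CHECK mask=^MAY_READ uid=0` quoted in the reply would serve both purposes.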
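One way to write the check the reply above proposes for ima_setup.sh, as an added example in POSIX sh that is not LTP's own code: it detects a builtin policy on the kernel command line, tests whether the loaded policy can be read back at all (CONFIG_IMA_READ_POLICY), looks for a required rule in it, and turns the outcome into a decision (run, load the custom policy, or report TCONF). All inputs are parameters so it runs offline on constructed data; the function names, the decision words and the "custom policy already loaded" flag are this example's own assumptions, not LTP's.

```shell
#!/bin/sh
# Added example, not LTP's own ima_setup.sh: a policy-requirement check of the
# kind proposed in the reply above. Every input is a parameter (kernel command
# line, path of the loaded policy, required rule, whether LTP_IMA_LOAD_POLICY=1
# was given, whether a custom policy was already loaded) so the logic can be
# exercised offline on constructed data. Function names and decision words are
# this example's own, not LTP's.

# Print each value passed as ima_policy= on a kernel command line ($1), one
# per line (e.g. "tcb", "appraise_tcb"). No output means no builtin policy.
# Assumes whitespace-separated parameters without quoting.
ima_builtin_policies()
{
	for word in $1; do
		case $word in
		ima_policy=*) printf '%s\n' "${word#ima_policy=}" ;;
		esac
	done
}

# Exit 0 if the loaded policy (text on stdin) contains rule $1. The kernel
# prints loaded rules in its own canonical form (condition order and spacing
# may differ from what was written), so the match is a literal substring (-F)
# rather than a whole-line match, and the rule must be written the way the
# kernel prints it.
ima_policy_has_rule()
{
	grep -F -q -- "$1"
}

# Decide what a test needing rule $3 should do, given kernel command line $1
# and the loaded policy at $2 (/sys/kernel/security/ima/policy on a real
# system). $4 is 1 when loading a custom policy was requested
# (LTP_IMA_LOAD_POLICY=1); $5 is 1 when the harness knows it already loaded a
# custom policy containing the rule (state it would have to keep across the
# reboot; an assumption of this example). Prints one of:
#   run    the rule is in effect: found in the readable policy, or loaded by us
#   load   no builtin policy, rule missing, loading requested: load and reboot
#   tconf  rule missing and loading not applicable, or policy unreadable
#          (CONFIG_IMA_READ_POLICY=n): report TCONF instead of TBROK/TFAIL
ima_policy_decision()
{
	cmdline=$1 policy_path=$2 rule=$3 load_policy=${4:-0} custom_loaded=${5:-0}
	builtin=$(ima_builtin_policies "$cmdline")

	# With CONFIG_IMA_READ_POLICY=n the securityfs node is write-only, so
	# the read itself is tested; 'test -r' would pass for root anyway.
	if policy=$(cat "$policy_path" 2>/dev/null); then
		if printf '%s\n' "$policy" | ima_policy_has_rule "$rule"; then
			echo run
			return 0
		fi
	elif [ "$custom_loaded" = 1 ]; then
		# Cannot read it back, but we loaded a policy with this rule.
		echo run
		return 0
	fi

	# Never load a custom policy on top of a builtin one (tcb already
	# carries the FILE_CHECK rules); only load when nothing was selected
	# at boot and we have not loaded one already.
	if [ -z "$builtin" ] && [ "$load_policy" = 1 ] && [ "$custom_loaded" != 1 ]; then
		echo load
	else
		echo tconf
	fi
}

# Constructed demonstration data standing in for a real policy node.
demo_dir=$(mktemp -d)
printf 'measure func=FILE_CHECK mask=^MAY_READ uid=0 \n' > "$demo_dir/tcb"
: > "$demo_dir/none"
rule='measure func=FILE_CHECK mask=^MAY_READ uid=0'
echo "tcb builtin, rule present: $(ima_policy_decision 'ima_policy=tcb' "$demo_dir/tcb" "$rule")"
echo "no builtin, rule missing, load requested: $(ima_policy_decision 'quiet' "$demo_dir/none" "$rule" 1)"
echo "tcb builtin, rule missing, load requested: $(ima_policy_decision 'ima_policy=tcb' "$demo_dir/none" "$rule" 1)"
echo "policy unreadable, nothing loaded: $(ima_policy_decision 'quiet' "$demo_dir/missing" "$rule")"
rm -rf "$demo_dir"
```

The substring match is deliberate: a whole-line match would also have to reproduce the exact spacing the kernel uses when it prints the policy back. The flip side is that a short required string such as a bare `func=FILE_CHECK` also matches `dont_measure` rules, so the required content should be a full rule with its action.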