Changes v2->v3:
* Rewrite verifying logic if policy needs to be loaded and how it is loaded.
* Allow testing when policy is not reliable, but relax failures to TCONF.
* Add TCB policy example.
* Document LTP_IMA_LOAD_POLICY in doc/users/setup_tests.rst.
* Fix test policy installation (previously wrong Makefile).
* Removed some of the previous commits ("ima_kexec.sh: Relax result on
  unreadable policy to TCONF", "ima_violations.sh: Check for a required
  policy", "ima_setup: Print warning when policy not readable").
* More cleanup.

TODO: ima_measurements.sh and ima_violations.sh use detection for
ima_policy=tcb builtin policy. But if example policy is loaded there is
no longer tcb policy. Not sure how to fix it - some tooling might not
support reboot, thus I wanted to use ima_policy=tcb, which previously
worked.

Petr Vorel (10):
  ima_violations.sh: Fix log detection
  IMA: Add TCB policy as an example for ima_measurements.sh
  IMA: Move requirement check to ima_setup.sh
  IMA: Add example policy for ima_violations.sh
  IMA: Read required policy from file
  ima_violations.sh: Declare tcb builtin policy
  ima_setup.sh: Add digest index detection for ima-buf format
  ima_setup.sh: Allow to load predefined policy
  ima_measurements.sh: Check policy for test3
  tst_test.sh: IMA: Allow to disable LSM warnings and use it for IMA

 doc/users/setup_tests.rst                          |   3 +
 .../kernel/security/integrity/ima/README.md        |  12 ++
 .../security/integrity/ima/datafiles/Makefile      |   4 +-
 .../ima/datafiles/ima_measurements/Makefile        |  11 ++
 .../ima/datafiles/ima_measurements/tcb.policy      |  20 +++
 .../ima/datafiles/ima_violations/Makefile          |  11 ++
 .../ima_violations/violations.policy               |   2 +
 .../integrity/ima/tests/evm_overlay.sh             |   3 +-
 .../security/integrity/ima/tests/ima_kexec.sh      |  20 +--
 .../security/integrity/ima/tests/ima_keys.sh       |  48 ++-----
 .../integrity/ima/tests/ima_measurements.sh        |  19 ++-
 .../integrity/ima/tests/ima_selinux.sh             |  23 ++-
 .../security/integrity/ima/tests/ima_setup.sh      | 135 +++++++++++++++---
 .../integrity/ima/tests/ima_violations.sh          |  15 +-
 testcases/lib/tst_test.sh                          |   4 +-
 15 files changed, 235 insertions(+), 95 deletions(-)
 create mode 100644 testcases/kernel/security/integrity/ima/datafiles/ima_measurements/Makefile
 create mode 100644 testcases/kernel/security/integrity/ima/datafiles/ima_measurements/tcb.policy
 create mode 100644 testcases/kernel/security/integrity/ima/datafiles/ima_violations/Makefile
 create mode 100644 testcases/kernel/security/integrity/ima/datafiles/ima_violations/violations.policy

--
2.47.1