Fixing 2 bug: 1) Test wrongly continued testing on SUT with unsuitable IMA policy when LTP_IMA_LOAD_POLICY=1 was *not* set. That caused ima_keys.sh and ima_kexec.sh TFAIL instead of TCONF. 2) Also don't attempt to load policy when needed but LTP_IMA_LOAD_POLICY=1 was *not* set. This also reverts a5c47143b5 ("ima_measurements.sh: Check policy for test3") which required the previous behavior. To restore behavior in the future loading policy will need to be rewritten to allow check only for a particular test or ima_measurements.sh can be split to require TCB policy only for 3rd test.
Fixes: aac97cca96 ("ima_setup.sh: Allow to load predefined policy")
Signed-off-by: Petr Vorel <pvorel@xxxxxxx>
---
 .../integrity/ima/tests/ima_measurements.sh | 2 +-
 .../security/integrity/ima/tests/ima_setup.sh | 14 ++++++--------
 2 files changed, 7 insertions(+), 9 deletions(-)
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh b/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh
index d1e41b789a..60350f3926 100755
--- a/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh
@@ -77,7 +77,7 @@ test3()
 tst_res TINFO "verify not measuring user files"
 tst_check_cmds sudo || return
- if [ "$IMA_POLICY_CHECKED" != 1 ]; then
+ if [ "$IMA_MISSING_POLICY_CONTENT" = 1 ]; then
 tst_res TCONF "test requires specific policy, try load it with LTP_IMA_LOAD_POLICY=1"
 return
 fi
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
index 69ee5a3d65..366e1257dc 100644
--- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
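Review bot: In test3() the TCONF text `try load it with LTP_IMA_LOAD_POLICY=1` can be printed when that variable is already set. Going by the ima_setup.sh hunks of this patch, load_ima_policy() stops the whole test with tst_brk when the flag is 1 and loading was not requested, so this branch looks reachable only after a load attempt, and nothing visible clears IMA_MISSING_POLICY_CONTENT once the policy has been loaded. Either reset the flag after a successful load or drop the hint from the message, e.g. `tst_res TCONF "test requires specific policy content"`. test3() starts and ends outside the hunk, so confirm the setup call order before changing it.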
@@ -190,10 +190,10 @@ verify_ima_policy()
 while read line; do
 if ! grep -q "$line" $IMA_POLICY; then
 tst_res TINFO "WARNING: missing required policy content: '$line'"
+ IMA_MISSING_POLICY_CONTENT=1
 return 1
 fi
 done < $file
- IMA_POLICY_CHECKED=1
 else
 tst_res TINFO "policy is not readable, failure will be treated as TCONF"
 IMA_FAIL="TCONF"
@@ -208,13 +208,11 @@ load_ima_policy()
 {
 local file="$TST_DATAROOT/$REQUIRED_POLICY_CONTENT"
- if [ "$LTP_IMA_LOAD_POLICY" != 1 -a "$IMA_POLICY_CHECKED" != 1 ]; then
- tst_res TCONF "missing required policy, example policy can be loaded with LTP_IMA_LOAD_POLICY=1"
- return 0
- fi
-
- if [ "$IMA_POLICY_CHECKED" = 1 ]; then
- tst_res TINFO "valid policy already loaded, ignore LTP_IMA_LOAD_POLICY=1"
+ if [ "$LTP_IMA_LOAD_POLICY" != 1 ]; then
+ if [ "$IMA_MISSING_POLICY_CONTENT" = 1 ]; then
+ tst_brk TCONF "missing required policy, example policy can be loaded with LTP_IMA_LOAD_POLICY=1"
+ fi
+ return
 fi
 tst_res TINFO "trying to load '$file' policy:"
-- 
2.47.2
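Review bot: IMA_MISSING_POLICY_CONTENT is only ever assigned 1 in verify_ima_policy() and is never initialised in the visible code, so a value inherited from the environment or left by an earlier call makes load_ima_policy() and test3() report TCONF even when the policy is complete. For an IMA test a spurious TCONF hides whether measurement was exercised at all. Clear the flag before the `while read line` loop with `IMA_MISSING_POLICY_CONTENT=` and add a comment such as `# 1 = a required rule is absent from a readable policy; read by load_ima_policy and test3`. The function body starts and ends outside the hunk.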
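Review bot: With LTP_IMA_LOAD_POLICY=1, load_ima_policy() now goes on to load the example policy even when verify_ima_policy() found every required rule, because the removed `valid policy already loaded` branch has no replacement. Writing an IMA policy changes what the kernel measures, and on many configurations it cannot be undone without a reboot, so an unnecessary load alters the system under test for every later test. If the caller does not already skip this call after a successful verification (not visible here), keep an early return for that case; otherwise state the contract above the check, e.g. `# loads unconditionally when LTP_IMA_LOAD_POLICY=1; caller must skip after a successful verify_ima_policy`. The function continues past the end of the hunk.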