Kernel patch "ima: limit the number of open-writers integrity violations" prevents superfluous "open-writers" violations. Add corresponding LTP tests. Link: https://lore.kernel.org/linux-integrity/20250219162131.416719-2-zohar@xxxxxxxxxxxxx/ Signed-off-by: Mimi Zohar <zohar@xxxxxxxxxxxxx> --- .../integrity/ima/tests/ima_violations.sh | 87 ++++++++++++++++++- 1 file changed, 86 insertions(+), 1 deletion(-) diff --git a/testcases/kernel/security/integrity/ima/tests/ima_violations.sh b/testcases/kernel/security/integrity/ima/tests/ima_violations.sh index 7f0382fb8..65c5c3a92 100755 --- a/testcases/kernel/security/integrity/ima/tests/ima_violations.sh +++ b/testcases/kernel/security/integrity/ima/tests/ima_violations.sh @@ -8,7 +8,7 @@ TST_SETUP="setup" TST_CLEANUP="cleanup" -TST_CNT=3 +TST_CNT=6 REQUIRED_BUILTIN_POLICY="tcb" REQUIRED_POLICY_CONTENT='violations.policy' @@ -60,6 +60,17 @@ close_file_write() exec 4>&- } +open_file_write2() +{ + exec 5> $FILE || exit 1 + echo 'test writing2' >&5 +} + +close_file_write2() +{ + exec 5>&- +} + get_count() { local search="$1" @@ -160,6 +171,80 @@ test3() tst_sleep 2s } +test4() +{ + tst_res TINFO "verify limiting single open writer violation" + + local search="open_writers" + local count num_violations + + read num_violations < $IMA_VIOLATIONS + count="$(get_count $search)" + + open_file_write + open_file_read + close_file_read + + open_file_read + close_file_read + + close_file_write + + validate $num_violations $count $search 1 +} + +test5() +{ + tst_res TINFO "verify limiting multiple open writers violations" + + local search="open_writers" + local count num_violations + + read num_violations < $IMA_VIOLATIONS + count="$(get_count $search)" + + open_file_write + open_file_read + close_file_read + + open_file_write2 + open_file_read + close_file_read + close_file_write2 + + open_file_read + close_file_read + + close_file_write + + validate $num_violations $count $search 1 +} + +test6() +{ + tst_res TINFO "verify new open writer causes additional violation" + + local search="open_writers" + local count num_violations + + read num_violations < $IMA_VIOLATIONS + count="$(get_count $search)" + + open_file_write + open_file_read + close_file_read + + open_file_read + close_file_read + close_file_write + + open_file_write + open_file_read + close_file_read + close_file_write + validate $num_violations $count $search 2 +} + . ima_setup.sh . daemonlib.sh tst_run -- 2.48.1
