Hi Mimi, > Kernel patch "ima: limit the number of open-writers integrity > violations" prevents superfluous "open-writers" violations. Add > corresponding LTP tests. > Link: https://lore.kernel.org/linux-integrity/20250219162131.416719-2-zohar@xxxxxxxxxxxxx/ > Signed-off-by: Mimi Zohar <zohar@xxxxxxxxxxxxx> > --- > .../integrity/ima/tests/ima_violations.sh | 87 ++++++++++++++++++- > 1 file changed, 86 insertions(+), 1 deletion(-) > diff --git a/testcases/kernel/security/integrity/ima/tests/ima_violations.sh b/testcases/kernel/security/integrity/ima/tests/ima_violations.sh > index 7f0382fb8..65c5c3a92 100755 > --- a/testcases/kernel/security/integrity/ima/tests/ima_violations.sh > +++ b/testcases/kernel/security/integrity/ima/tests/ima_violations.sh > @@ -8,7 +8,7 @@ > TST_SETUP="setup" > TST_CLEANUP="cleanup" > -TST_CNT=3 > +TST_CNT=6 > REQUIRED_BUILTIN_POLICY="tcb" > REQUIRED_POLICY_CONTENT='violations.policy' > @@ -60,6 +60,17 @@ close_file_write() > exec 4>&- > } > +open_file_write2() > +{ > + exec 5> $FILE || exit 1 maybe: exec 5> $FILE || tst_brk TBROK "exec 5> $FILE failed" Because tst_brk TBROK calls test cleanup. Plain exit kills everything. We also have ROD, but that requires binaries ('exec' is a shell builtin). (It applies to the third patch as well.) > + echo 'test writing2' >&5 > +} > + > +close_file_write2() > +{ > + exec 5>&- > +} > + > get_count() > { > local search="$1" 
> @@ -160,6 +171,80 @@ test3() > tst_sleep 2s > } > +test4() > +{ > + tst_res TINFO "verify limiting single open writer violation" > + > + local search="open_writers" > + local count num_violations > + > + read num_violations < $IMA_VIOLATIONS > + count="$(get_count $search)" > + > + open_file_write > + open_file_read > + close_file_read > + > + open_file_read > + close_file_read > + > + close_file_write > + > + validate $num_violations $count $search 1 > +} > + > +test5() > +{ > + tst_res TINFO "verify limiting multiple open writers violations" > + > + local search="open_writers" > + local count num_violations > + > + read num_violations < $IMA_VIOLATIONS > + count="$(get_count $search)" > + > + open_file_write > + open_file_read > + close_file_read > + > + open_file_write2 > + open_file_read > + close_file_read > + close_file_write2 > + > + open_file_read > + close_file_read > + > + close_file_write > + > + validate $num_violations $count $search 1 nit: safer to quote validate "$num_violations" "$count" "$search" 1 > +} > + > +test6() > +{ > + tst_res TINFO "verify new open writer causes additional violation" > + > + local search="open_writers" > + local count num_violations > + > + read num_violations < $IMA_VIOLATIONS > + count="$(get_count $search)" > + > + open_file_write > + open_file_read > + close_file_read > + > + open_file_read > + close_file_read > + close_file_write > + > + open_file_write > + open_file_read > + close_file_read > + close_file_write > + validate $num_violations $count $search 2 And here. Kind regards, Petr
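Review bot: in the open_file_write2()/close_file_write2() hunk, descriptor 5 is hard-coded next to the existing descriptor 4 helper (`exec 4>&-` in the context lines) with no comment on why a second writer descriptor exists. A one-line comment above open_file_write2() saying that fd 5 holds a second, concurrent writer on the same $FILE (used by test5) would make the pairing clear and make it harder for a later test to open fd 5 without the matching close_file_write2(). Quoting the target as `exec 5> "$FILE"` would also be consistent with the quoting nit raised for validate.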
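Review bot: in test4(), test5() and test6(), the result of `read num_violations < $IMA_VIOLATIONS` is never checked, so a failed read leaves num_violations empty, and the unquoted `validate $num_violations $count $search N` call then sees its arguments shifted by one instead of failing clearly. Suggest breaking the test when the read fails (for example with tst_brk TBROK, as proposed for the exec case) in addition to quoting the arguments. The expected count passed as the last argument (1 in test4 and test5, 2 in test6) would also benefit from a short comment in each test saying which open/close sequence is expected to produce it, since test5 has two writers yet expects 1 while test6 reopens the single writer and expects 2.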