Kernel patch "ima: limit the number of open-writers integrity violations" prevents superfluous "open-writers" violations. Add corresponding LTP tests.
Link: https://lore.kernel.org/linux-integrity/20250228205505.476845-2-zohar@xxxxxxxxxxxxx/
Signed-off-by: Mimi Zohar <zohar@xxxxxxxxxxxxx>
---
 .../integrity/ima/tests/ima_violations.sh | 87 ++++++++++++++++++-
 1 file changed, 86 insertions(+), 1 deletion(-)
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_violations.sh b/testcases/kernel/security/integrity/ima/tests/ima_violations.sh
index 3f9f1d342..578cb1402 100755
--- a/testcases/kernel/security/integrity/ima/tests/ima_violations.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_violations.sh
@@ -8,7 +8,7 @@
 TST_SETUP="setup"
 TST_CLEANUP="cleanup"
-TST_CNT=3
+TST_CNT=6
 REQUIRED_BUILTIN_POLICY="tcb"
 REQUIRED_POLICY_CONTENT='violations.policy'
@@ -61,6 +61,17 @@ close_file_write()
 exec 4>&-
 }
+open_file_write2()
+{
+ exec 5> $FILE || tst_brk TBROK "exec 5> $FILE failed"
+ echo 'test writing2' >&5
+}
+
+close_file_write2()
+{
+ exec 5>&-
+}
+
 get_count()
 {
 local search="$1"
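Review bot: `exec 5> $FILE` in open_file_write2 leaves `$FILE` unquoted as the redirection target, so a path containing whitespace or glob characters would be split or expanded before the open; quoting it is free: `exec 5> "$FILE" || tst_brk TBROK "exec 5> $FILE failed"`. This presumably mirrors the existing open_file_write on fd 4, which sits outside the hunk, so fixing both together keeps the pair consistent. A one-line header would also help a reader of test5: `# second, independent writer on $FILE (fd 5), used to exercise the multiple-open-writers case`.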
@@ -161,6 +172,80 @@ test3()
 tst_sleep 2s
 }
+test4()
+{
+ tst_res TINFO "verify limiting single open writer violation"
+
+ local search="open_writers"
+ local count num_violations
+
+ read num_violations < $IMA_VIOLATIONS
+ count="$(get_count $search)"
+
+ open_file_write
+ open_file_read
+ close_file_read
+
+ open_file_read
+ close_file_read
+
+ close_file_write
+
+ validate "$num_violations" "$count" "$search" 1
+}
+
+test5()
+{
+ tst_res TINFO "verify limiting multiple open writers violations"
+
+ local search="open_writers"
+ local count num_violations
+
+ read num_violations < $IMA_VIOLATIONS
+ count="$(get_count $search)"
+
+ open_file_write
+ open_file_read
+ close_file_read
+
+ open_file_write2
+ open_file_read
+ close_file_read
+ close_file_write2
+
+ open_file_read
+ close_file_read
+
+ close_file_write
+
+ validate "$num_violations" "$count" "$search" 1
+}
+
+test6()
+{
+ tst_res TINFO "verify new open writer causes additional violation"
+
+ local search="open_writers"
+ local count num_violations
+
+ read num_violations < $IMA_VIOLATIONS
+ count="$(get_count $search)"
+
+ open_file_write
+ open_file_read
+ close_file_read
+
+ open_file_read
+ close_file_read
+ close_file_write
+
+ open_file_write
+ open_file_read
+ close_file_read
+ close_file_write
+ validate "$num_violations" "$count" "$search" 2
+}
+
 . ima_setup.sh
 . daemonlib.sh
 tst_run
-- 
2.48.1
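Review bot: test4, test5 and test6 assert the post-patch count (one open_writers violation per writer lifetime) but nothing in the hunk, or in the visible setup, gates them on a kernel that carries that change, so on an unpatched kernel they report TFAIL for behaviour that is merely older rather than broken. A guard at the top of each of the three tests, e.g. `tst_kvcmp -lt "<KVER_WITH_LIMIT_PATCH>" && { tst_res TCONF "kernel does not limit open-writers violations"; return; }`, or a TST_MIN_KVER once the kernel change lands in a release, would turn that into TCONF. The `read num_violations < $IMA_VIOLATIONS` / `count="$(get_count $search)"` prelude is now repeated in every test and could be a small helper that both the old and new tests call. Minor: test6 omits the blank line before `validate` that test4 and test5 have.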