Commit fca83df

ima_setup.sh: Quit the test on unsuitable IMA policy
Fixing 2 bugs:

1) Test wrongly continued testing on SUT with unsuitable IMA policy when LTP_IMA_LOAD_POLICY=1 was *not* set. That caused ima_keys.sh and ima_kexec.sh TFAIL instead of TCONF.
2) Also don't attempt to load policy when needed but LTP_IMA_LOAD_POLICY=1 was *not* set.

This also reverts a5c4714 ("ima_measurements.sh: Check policy for test3") which required the previous behavior. To restore the behavior in the future, loading policy will need to be rewritten to allow check only for a particular test or ima_measurements.sh can be split to require TCB policy only for 3rd test.

Fixes: aac97cc ("ima_setup.sh: Allow to load predefined policy")
Signed-off-by: Petr Vorel <[email protected]>
1 parent a9786c9 commit fca83df

2 files changed

+7
-9
lines changed

testcases/kernel/security/integrity/ima/tests/ima_measurements.sh

Lines changed: 1 addition & 1 deletion
@@ -77,7 +77,7 @@ test3()
7777
tst_res TINFO "verify not measuring user files"
7878
tst_check_cmds sudo || return
7979

80-
if [ "$IMA_POLICY_CHECKED" != 1 ]; then
80+
if [ "$IMA_MISSING_POLICY_CONTENT" = 1 ]; then
8181
tst_res TCONF "test requires specific policy, try load it with LTP_IMA_LOAD_POLICY=1"
8282
return
8383
fi
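
Review bot: The TCONF text in test3 still reads "try load it with LTP_IMA_LOAD_POLICY=1", but after this commit that advice no longer matches the situation in which the line is reached. load_ima_policy now calls tst_brk TCONF when IMA_MISSING_POLICY_CONTENT is 1 and LTP_IMA_LOAD_POLICY is not 1, so, assuming load_ima_policy runs in setup before test3, this branch is only reached when LTP_IMA_LOAD_POLICY=1 was already set and the flag is still 1. Suggest rewording the message to say the required policy content is still missing after the load attempt, or dropping the hint about the variable.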

testcases/kernel/security/integrity/ima/tests/ima_setup.sh

Lines changed: 6 additions & 8 deletions
@@ -190,10 +190,10 @@ verify_ima_policy()
190190
while read line; do
191191
if ! grep -q "$line" $IMA_POLICY; then
192192
tst_res TINFO "WARNING: missing required policy content: '$line'"
193+
IMA_MISSING_POLICY_CONTENT=1
193194
return 1
194195
fi
195196
done < $file
196-
IMA_POLICY_CHECKED=1
197197
else
198198
tst_res TINFO "policy is not readable, failure will be treated as TCONF"
199199
IMA_FAIL="TCONF"
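
Review bot: IMA_MISSING_POLICY_CONTENT is assigned only on the `return 1` path of verify_ima_policy and is never initialised or cleared in the lines shown, so a value inherited from the caller's environment cannot be told apart from a real check result. The "policy is not readable" branch also leaves it unset, which the new checks in test3 and load_ima_policy treat the same as "nothing missing"; the old IMA_POLICY_CHECKED flag kept those two cases distinct. Suggest adding an empty assignment `IMA_MISSING_POLICY_CONTENT=` at the top of the function and a short comment next to the else branch stating that the unreadable case relies on IMA_FAIL="TCONF" alone.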
@@ -208,13 +208,11 @@ load_ima_policy()
208208
{
209209
local file="$TST_DATAROOT/$REQUIRED_POLICY_CONTENT"
210210

211-
if [ "$LTP_IMA_LOAD_POLICY" != 1 -a "$IMA_POLICY_CHECKED" != 1 ]; then
212-
tst_res TCONF "missing required policy, example policy can be loaded with LTP_IMA_LOAD_POLICY=1"
213-
return 0
214-
fi
215-
216-
if [ "$IMA_POLICY_CHECKED" = 1 ]; then
217-
tst_res TINFO "valid policy already loaded, ignore LTP_IMA_LOAD_POLICY=1"
211+
if [ "$LTP_IMA_LOAD_POLICY" != 1 ]; then
212+
if [ "$IMA_MISSING_POLICY_CONTENT" = 1 ]; then
213+
tst_brk TCONF "missing required policy, example policy can be loaded with LTP_IMA_LOAD_POLICY=1"
214+
fi
215+
return
218216
fi
219217

220218
tst_res TINFO "trying to load '$file' policy:"
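
Review bot: In load_ima_policy, removing the `"$IMA_POLICY_CHECKED" = 1` early exit means that with LTP_IMA_LOAD_POLICY=1 the function now falls through to "trying to load '$file' policy:" even when verify_ima_policy found nothing missing, so a SUT that already has a suitable policy gets its IMA policy modified anyway. The old TINFO "valid policy already loaded, ignore LTP_IMA_LOAD_POLICY=1" guarded against that. Suggest keeping an equivalent guard before the load, for example `[ "$IMA_MISSING_POLICY_CONTENT" = 1 ] || return`, or stating in the commit message that the unconditional load is intended. A comment above the tst_brk line would also help, noting that it ends the whole test file and not only the tests that need the policy, since that is the behaviour change the commit message describes.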
