> On Tue, 2025-03-04 at 09:44 -0500, Mimi Zohar wrote:
> > On Tue, 2025-03-04 at 14:31 +0100, Petr Vorel wrote:
> > > Hi Mimi,

> > > > Add support for the number of expected violations.  Include the
> > > > expected number of violations in the output.

> > > Unfortunately this works only on fixed kernel (e.g. the one with v1 of your
> > > "ima: limit both open-writers and ToMToU violations" kernel patchset [1]
> > > (I haven't built v2 [2], but it's really just
> > > s/IMA_LIMIT_VIOLATIONS/IMA_EMITTED_OPENWRITERS/ => it will work)

> > > Testing on any other kernel it fails on first testing after reboot:

> > Hi Petr,

> > I only tested by specifying the "ima_policy=tcb" on the boot command line.
> > This failure happens when loading the test specific policy rules.  If
> > setup() is called before loading the test specific policy rules, forcing
> > the $LOG file violation at setup() would be too early.

> Sorry, that doesn't seem to be the case.

> With the changes to validate(), even the original tests will only work on a
> new kernel.  I'll rework the patch set, so at least the original tests will
> continue to work.

+1, thank you!

Kind regards,
Petr

> Mimi
