Re: [ima-evm-utils: PATCH v2 1/1] Change license to LGPL-2.0-or-later and GPL-2.0-or-later

2024-03-18 Thread Petr Vorel
ed-off-by: Dmitry Kasatkin > > Acked-by: Dmitry Kasatkin > > Acked-by: Petr Vorel > > Acked-by: Mimi Zohar > > Acked-by: Stefan Berger > > Acked-by: Vitaly Chikunov > > Acked-by: Ken Goldman > > Acked-by: James Bottomley > > Acked-by: Bru

Re: [ima-evm-utils PATCH] Add copies of the license text

2024-08-11 Thread Petr Vorel
PDX License Identifier, the special exception for linking with the > OpenSSL library (WITH cryptsetup-OpenSSL-exception) was removed. With > the relicensing of OpenSSL 3 or later to the Apache 2 license, the > special exception is no longer necessary. Thanks for restoring these files!

[PATCH 1/2] ima_boot_aggregate: Fix openssl 3.0 deprecation warnings

2024-11-01 Thread Petr Vorel
PIs EVP_DigestInit_ex(3), EVP_DigestUpdate(3) and EVP_DigestFinal_ex(3), or the quick one-shot EVP_Q_digest(3). Signed-off-by: Petr Vorel --- .../integrity/ima/src/ima_boot_aggregate.c| 32 +++ 1 file changed, 32 insertions(+) diff --git a/testcases/kernel/security/integrity/

[PATCH 2/2] ima_boot_aggregate: TBROK on fread() failure

2024-11-01 Thread Petr Vorel
fread() should read 1 byte, quit when it fails. This fixes warning: ignoring return value of ‘fread’ declared with attribute ‘warn_unused_result’ [-Wunused-result]. Signed-off-by: Petr Vorel --- .../kernel/security/integrity/ima/src/ima_boot_aggregate.c | 3 ++- 1 file changed, 2

Re: [PATCH 2/2] ima_boot_aggregate: TBROK on fread() failure

2024-11-14 Thread Petr Vorel
Hi all, both patches merged. Kind regards, Petr

Re: [PATCH 2/3] ima_setup.sh: Allow to load predefined policy

2024-11-26 Thread Petr Vorel
Hi Mimi, all, ... > +load_ima_policy() > +{ > + local policy="$(ls $TST_DATAROOT/*.policy 2>/dev/null)" > + > + if [ "$LTP_IMA_LOAD_POLICY" != 1 -a "$policy" -a -f "$policy" ]; then > + tst_res TINFO "NOTE: set LTP_IMA_LOAD_POLICY=1 to load policy > for this test" > +

[PATCH 2/3] ima_setup.sh: Allow to load predefined policy

2024-11-26 Thread Petr Vorel
-off-by: Petr Vorel --- .../kernel/security/integrity/ima/README.md | 6 +++ .../integrity/ima/tests/ima_measurements.sh | 17 +- .../security/integrity/ima/tests/ima_setup.sh | 52 --- 3 files changed, 66 insertions(+), 9 deletions(-) diff --git a/testcases/kernel

[PATCH 3/3] ima_{kexec,keys,selinux}: Set minimal kernel version

2024-11-26 Thread Petr Vorel
Signed-off-by: Petr Vorel --- testcases/kernel/security/integrity/ima/tests/ima_kexec.sh | 1 + testcases/kernel/security/integrity/ima/tests/ima_keys.sh| 1 + testcases/kernel/security/integrity/ima/tests/ima_selinux.sh | 1 + 3 files changed, 3 insertions(+) diff --git a/testcases/kerne

[PATCH 1/3] ima: Add TCB policy as an example

2024-11-26 Thread Petr Vorel
Signed-off-by: Petr Vorel --- .../ima/datafiles/ima_measurements/tcb.policy | 20 +++ 1 file changed, 20 insertions(+) create mode 100644 testcases/kernel/security/integrity/ima/datafiles/ima_measurements/tcb.policy diff --git a/testcases/kernel/security/integrity/ima

[PATCH 0/3] LTP tests: load predefined policy

2024-11-26 Thread Petr Vorel
From: Petr Vorel Hi Mimi, all, this effort allows loading the policy LTP provides as an example via the LTP_IMA_LOAD_POLICY=1 environment variable (off by default). This should allow better coverage for those who just run runtest/ima. But it requires tooling which runs LTP to do the restart after each

Re: [PATCH v2 6/8] IMA: Add example policy for ima_violations.sh

2025-01-03 Thread Petr Vorel
> On Tue, 2024-12-31 at 13:23 +0100, Petr Vorel wrote: > > Hi Mimi, > > > Hi Petr, > > > On Fri, 2024-12-13 at 23:20 +0100, Petr Vorel wrote: > > > > Suggested-by: Mimi Zohar > > > > Signed-off-by: Petr Vorel > > > > --- > &

Re: [PATCH] ima: limit the builtin 'tcb' dont_measure tmpfs policy rule

2024-12-31 Thread Petr Vorel
also be included in the IMA-measurement list that previously weren't > included. LGTM. Reviewed-by: Petr Vorel Kind regards, Petr > [1] https://ima-doc.readthedocs.io/en/latest/ima-policy.html#ima-tcb > Signed-off-by: Mimi Zohar > --- > security/integrity/ima/ima_po

Re: [PATCH v2 6/8] IMA: Add example policy for ima_violations.sh

2024-12-31 Thread Petr Vorel
> Hi Petr, > On Fri, 2024-12-13 at 23:20 +0100, Petr Vorel wrote: > > Suggested-by: Mimi Zohar > > Signed-off-by: Petr Vorel > > --- > > .../integrity/ima/datafiles/ima_violations/violations.policy | 1 + > > 1 file changed, 1 insertion(+) > >

Re: [PATCH v2 2/8] ima_setup.sh: Allow to load predefined policy

2024-12-31 Thread Petr Vorel
> Hi Petr, > On Fri, 2024-12-13 at 23:20 +0100, Petr Vorel wrote: > [snip] > > --- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh > > +++ b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh > > @@ -1,7 +1,7 @@ > > #!/bin/sh > > # SP

[PATCH] IMA: measure.policy: limit dont_measure tmpfs policy to func=FILE_CHECK

2025-02-03 Thread Petr Vorel
") Also remove leading 0 from tmpfs magic (to match IMA docs and tcb.policy). Suggested-by: Mimi Zohar Signed-off-by: Petr Vorel --- .../security/integrity/ima/datafiles/ima_policy/measure.policy | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/testcases/kernel/se

Re: [LTP] [PATCH v3 10/10] tst_test.sh: IMA: Allow to disable LSM warnings and use it for IMA

2025-01-31 Thread Petr Vorel
> Hi! > Maybe a bit more description wouldn't hurt here. E.g. that we are > printing a hint on a failure that selinux or apparmor may have caused > the failure and we want a knob to disable it and use it for IMA. +1, this patch merged with the above explanation. Thanks! Kind regards, Petr

Re: [PATCH] IMA: measure.policy: limit dont_measure tmpfs policy to func=FILE_CHECK

2025-02-04 Thread Petr Vorel
Hi Mimi, > On Mon, 2025-02-03 at 22:02 +0100, Petr Vorel wrote: > > add func=FILE_CHECK to dont_measure tmpfs > > Similarly to tcb.policy limit dont_measure tmpfs policy to func=FILE_CHECK. > > This allows to do extra measurements, e.g. kexec boot command line,

Re: [PATCH v3 05/10] IMA: Read required policy from file

2025-02-04 Thread Petr Vorel
Hi Mimi, ... > > +++ b/testcases/kernel/security/integrity/ima/tests/ima_selinux.sh > > @@ -1,6 +1,7 @@ > > #!/bin/sh > > # SPDX-License-Identifier: GPL-2.0-or-later > > # Copyright (c) 2021 Microsoft Corporation > > +# Copyright (c) Linux Test Project, 2021-2025 > > # Author: Lakshmi Ramasubr

[PATCH COMMITTED 0/2] IMA test fixes

2025-02-05 Thread Petr Vorel
From: Petr Vorel Hi Mimi, all, I fixed 2 regressions I found in the previous implementation. I'm planning to solve problem with ima_measurements.sh (second commit). There is also other problem with loading kexec.policy and then running ima_measurements.sh on SUT with ima_policy=tcb

[PATCH COMMITTED 1/2] ima_measurements.sh: Fix exit code condition

2025-02-05 Thread Petr Vorel
Condition is "$? -ne 0", therefore negative if command passed to if. This was hidden until fix in the next commit. Fixes: 4c74c7dc69 ("IMA: Read required policy from file") Signed-off-by: Petr Vorel --- .../kernel/security/integrity/ima/tests/ima_measurements.sh | 2 +

[PATCH COMMITTED 2/2] ima_setup.sh: Quit the test on unsuitable IMA policy

2025-02-05 Thread Petr Vorel
rd test. Fixes: aac97cca96 ("ima_setup.sh: Allow to load predefined policy") Signed-off-by: Petr Vorel --- .../integrity/ima/tests/ima_measurements.sh| 2 +- .../security/integrity/ima/tests/ima_setup.sh | 14 ++ 2 files changed, 7 insertions(+), 9 deletions(-

Re: [PATCH 2/3] ima_setup.sh: Allow to load predefined policy

2024-12-11 Thread Petr Vorel
Hi Mimi, all, > On Tue, 2024-11-26 at 18:38 +0100, Petr Vorel wrote: > > environment variable LTP_IMA_LOAD_POLICY=1 tries to load example policy > > if available. This should be used only if tooling running LTP tests > > allows to reboot afterwards (because policy may

Re: [LTP] [PATCH v3] doc: correct the build steps for open_posix_testsuite

2024-12-10 Thread Petr Vorel
Hi Xiubo Li, > './configure --with-open-posix-testsuite' is needed just before > generating the Makefiles. Thanks! Reviewed-by: Petr Vorel Kind regards, Petr

Re: [PATCH 3/3] ima_{kexec,keys,selinux}: Set minimal kernel version

2024-12-12 Thread Petr Vorel
Hi Mimi, > On Tue, 2024-11-26 at 18:38 +0100, Petr Vorel wrote: > > The functionality IMHO was not backported to the enterprise kernels. > > This helps to avoid false positive in ima_kexec.sh: > > ima_kexec 1 TWARN: policy not readable, it might not contain required >

Re: [PATCH 1/3] ima: Add TCB policy as an example

2024-12-12 Thread Petr Vorel
Hi Mimi, > Hi Petr, > On Tue, 2024-11-26 at 18:38 +0100, Petr Vorel wrote: > > Signed-off-by: Petr Vorel > Except for the "dont_measure " rule, the "dont_measure" rules are for > pseudo filesystems. Including a "dont_measure " policy rule was

Re: [PATCH 2/3] ima_setup.sh: Allow to load predefined policy

2024-12-12 Thread Petr Vorel
> On Wed, 2024-12-11 at 20:48 +0100, Petr Vorel wrote: > > Hi Mimi, all, > > > On Tue, 2024-11-26 at 18:38 +0100, Petr Vorel wrote: > > > > environment variable LTP_IMA_LOAD_POLICY=1 tries to load example policy > > > > if available. This should

[PATCH v2 4/8] ima_setup: Print warning when policy not readable

2024-12-13 Thread Petr Vorel
t readable. This is better because in the previous case the test always failed due to TWARN but the result is actually unknown (e.g. don't expect missing policy, return 1 as failure only when policy is readable and checking with grep failed). Fixes: 3843e2d6fb ("IMA: Add policy related helpe

[PATCH v2 0/8] LTP tests: load predefined policy, enhancements

2024-12-13 Thread Petr Vorel
for example policy as a variant to ima_policy=tcb command line parameter. * Use LTP shell loader for ima_boot_aggregate.c and ima_mmap.c Petr Vorel (8): IMA: Add TCB policy as an example for ima_measurements.sh ima_setup.sh: Allow to load predefined policy tst_test.sh: IMA: Allow to disable

[PATCH v2 3/8] tst_test.sh: IMA: Allow to disable LSM warnings and use it for IMA

2024-12-13 Thread Petr Vorel
Suggested-by: Mimi Zohar Signed-off-by: Petr Vorel --- @Cyril: or should we use the opposite approach - by default unused and declare tests where should be used? I guess tests for typical userspace tools should use it (e.g. runtest/commands or tests which use tst_net.sh). testcases/kernel

[PATCH v2 2/8] ima_setup.sh: Allow to load predefined policy

2024-12-13 Thread Petr Vorel
policy itself to be signed). Signed-off-by: Petr Vorel --- .../kernel/security/integrity/ima/README.md | 12 + .../integrity/ima/tests/ima_measurements.sh | 17 +- .../security/integrity/ima/tests/ima_setup.sh | 54 --- 3 files changed, 74 insertions(+), 9 deletions

[PATCH v2 5/8] ima_kexec.sh: Move checking policy if readable to ima_setup.sh

2024-12-13 Thread Petr Vorel
It will be reused. Signed-off-by: Petr Vorel --- .../kernel/security/integrity/ima/tests/ima_kexec.sh | 8 ++-- .../kernel/security/integrity/ima/tests/ima_setup.sh | 10 ++ 2 files changed, 12 insertions(+), 6 deletions(-) diff --git a/testcases/kernel/security/integrity/ima

[PATCH v2 1/8] IMA: Add TCB policy as an example for ima_measurements.sh

2024-12-13 Thread Petr Vorel
Taken from IMA docs [1], removed dont_measure fsmagic=0x1021994 (tmpfs) as suggested by Mimi. [1] https://ima-doc.readthedocs.io/en/latest/ima-policy.html#ima-tcb Signed-off-by: Petr Vorel --- I would like to check in ima_measurements.sh for this policy as a variant to ima_policy=tcb command

[PATCH v2 7/8] ima_violations.sh: Check for a required policy

2024-12-13 Thread Petr Vorel
Add check for ^func=FILE_CHECK' Signed-off-by: Petr Vorel Signed-off-by: Petr Vorel --- .../kernel/security/integrity/ima/tests/ima_violations.sh| 5 - 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/testcases/kernel/security/integrity/ima/tests/ima_violations.

[PATCH v2 8/8] [RFC] ima_kexec.sh: Relax result on unreadable policy to TCONF

2024-12-13 Thread Petr Vorel
t") Reported-by: Martin Doucha Signed-off-by: Petr Vorel --- testcases/kernel/security/integrity/ima/tests/ima_kexec.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/testcases/kernel/security/integrity/ima/tests/ima_kexec.sh b/testcases/kernel/security/integrity/ima/test

[PATCH v2 6/8] IMA: Add example policy for ima_violations.sh

2024-12-13 Thread Petr Vorel
Suggested-by: Mimi Zohar Signed-off-by: Petr Vorel --- .../integrity/ima/datafiles/ima_violations/violations.policy | 1 + 1 file changed, 1 insertion(+) create mode 100644 testcases/kernel/security/integrity/ima/datafiles/ima_violations/violations.policy diff --git a/testcases/kernel

[PATCH] ima_violations.sh: Fix log detection

2025-01-13 Thread Petr Vorel
, install auditd Fixes: https://github.com/linux-test-project/ltp/issues/372 Signed-off-by: Petr Vorel --- Hi Mimi, all, or should we drop /var/log/messages support entirely? I remember some old systems had problem (not sure if bug in old kernel or /var/log/messages was not somehow reliable

[PATCH v3 03/10] IMA: Move requirement check to ima_setup.sh

2025-01-14 Thread Petr Vorel
Signed-off-by: Petr Vorel --- .../kernel/security/integrity/ima/tests/evm_overlay.sh | 3 +-- .../kernel/security/integrity/ima/tests/ima_measurements.sh | 6 +++--- testcases/kernel/security/integrity/ima/tests/ima_setup.sh | 6 +- 3 files changed, 9 insertions(+), 6 deletions

[PATCH v3 00/10] LTP tests: load predefined policy, enhancements

2025-01-14 Thread Petr Vorel
ents.sh and ima_violations.sh use detection for ima_policy=tcb builtin policy. But if example policy is loaded there is no longer tcb policy. Not sure how to fix it - some tooling might not support reboot, thus I wanted to use ima_policy=tcb, which previously worked. Petr Vorel (10): ima_violations.sh:

[PATCH v3 01/10] ima_violations.sh: Fix log detection

2025-01-14 Thread Petr Vorel
, install auditd Fixes: https://github.com/linux-test-project/ltp/issues/372 Signed-off-by: Petr Vorel --- .../kernel/security/integrity/ima/tests/ima_violations.sh | 6 -- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/testcases/kernel/security/integrity/ima/tests

[PATCH v3 02/10] IMA: Add TCB policy as an example for ima_measurements.sh

2025-01-14 Thread Petr Vorel
Taken from IMA docs [1], removed dont_measure fsmagic=0x1021994 (tmpfs) as suggested by Mimi. [1] https://ima-doc.readthedocs.io/en/latest/ima-policy.html#ima-tcb Signed-off-by: Petr Vorel --- .../security/integrity/ima/datafiles/Makefile | 4 ++-- .../ima/datafiles/ima_measurements/Makefile

[PATCH v3 04/10] IMA: Add example policy for ima_violations.sh

2025-01-14 Thread Petr Vorel
Suggested-by: Mimi Zohar Signed-off-by: Petr Vorel --- .../kernel/security/integrity/ima/datafiles/Makefile | 2 +- .../integrity/ima/datafiles/ima_violations/Makefile | 11 +++ .../ima/datafiles/ima_violations/violations.policy| 2 ++ 3 files changed, 14 insertions(+), 1

[PATCH v3 08/10] ima_setup.sh: Allow to load predefined policy

2025-01-14 Thread Petr Vorel
policy itself to be signed). Signed-off-by: Petr Vorel --- doc/users/setup_tests.rst | 3 + .../kernel/security/integrity/ima/README.md | 12 .../security/integrity/ima/tests/ima_kexec.sh | 1 + .../security/integrity/ima/tests/ima_keys.sh | 1 + .../integrity/ima

[PATCH v3 10/10] tst_test.sh: IMA: Allow to disable LSM warnings and use it for IMA

2025-01-14 Thread Petr Vorel
Suggested-by: Mimi Zohar Signed-off-by: Petr Vorel --- testcases/kernel/security/integrity/ima/tests/ima_setup.sh | 1 + testcases/lib/tst_test.sh | 4 ++-- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/testcases/kernel/security/integrity/ima

[PATCH v3 09/10] ima_measurements.sh: Check policy for test3

2025-01-14 Thread Petr Vorel
First two tests are working with ima_policy=tcb, but 3rd test requires more specific policy. Signed-off-by: Petr Vorel --- .../kernel/security/integrity/ima/tests/ima_measurements.sh | 5 + 1 file changed, 5 insertions(+) diff --git a/testcases/kernel/security/integrity/ima/tests

[PATCH v3 07/10] ima_setup.sh: Add digest index detection for ima-buf format

2025-01-14 Thread Petr Vorel
ima-buf format might be loaded via loading policy in the next commit. Signed-off-by: Petr Vorel --- testcases/kernel/security/integrity/ima/tests/ima_setup.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh b

[PATCH v3 05/10] IMA: Read required policy from file

2025-01-14 Thread Petr Vorel
(actual content of /sys/kernel/security/ima/policy) When missing CONFIG_IMA_READ_POLICY=y on required policy convert: test, but convert TFAIL => TCONF. Signed-off-by: Petr Vorel --- .../security/integrity/ima/tests/ima_kexec.sh | 19 ++ .../security/integrity/ima/tests/ima_keys.sh |

[PATCH v3 06/10] ima_violations.sh: Declare tcb builtin policy

2025-01-14 Thread Petr Vorel
IMA builtin policy contains required rules, allow using it. This helps get more reliable results on kernels without CONFIG_IMA_READ_POLICY=y. Signed-off-by: Petr Vorel --- testcases/kernel/security/integrity/ima/tests/ima_violations.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/testcases

[RFC PATCH] IMA: Remove evm_overlay.sh

2025-01-14 Thread Petr Vorel
Proof of concept, it was never fixed in the kernel. Instead we should have some basic EVM tests. Signed-off-by: Petr Vorel --- runtest/ima | 1 - .../kernel/security/integrity/ima/README.md | 64 - .../integrity/ima/tests/evm_overlay.sh

Re: [PATCH v2 2/8] ima_setup.sh: Allow to load predefined policy

2025-01-03 Thread Petr Vorel
Hi Mimi, ... > > Do I understand correctly you talk about policy containing > > func=POLICY_CHECK [1]? > Yes. On a secure boot enabled system, the architecture specific policy might > require the IMA policy itself to be signed. > Snippet from ima_fs.c: > #if IS_ENABLED(CONFIG_INTEGRITY_MACHIN

Re: [PATCH v2 1/8] IMA: Add TCB policy as an example for ima_measurements.sh

2025-01-03 Thread Petr Vorel
Hi Mimi, > Hi Petr, > On Fri, 2024-12-13 at 23:20 +0100, Petr Vorel wrote: > > Taken from IMA docs [1], removed dont_measure fsmagic=0x1021994 (tmpfs) > > as suggested by Mimi. > > [1] https://ima-doc.readthedocs.io/en/latest/ima-policy.html#ima-tcb > > Signe

Re: [PATCH v2 2/8] ima_setup.sh: Allow to load predefined policy

2025-01-03 Thread Petr Vorel
Hi Mimi, > On Tue, 2024-12-31 at 11:00 +0100, Petr Vorel wrote: > > > Hi Petr, > > > On Fri, 2024-12-13 at 23:20 +0100, Petr Vorel wrote: > > > [snip] > > > > --- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh > > > &g

Re: [PATCH] ima: ignore suffixed policy rule comments

2024-12-30 Thread Petr Vorel
Hi Mimi, > Lines beginning with '#' in the IMA policy are comments and are ignored. > Instead of placing the rule and comment on separate lines, allow the > comment to be suffixed to the IMA policy rule. +1 Reviewed-by: Petr Vorel Kind regards, Petr > Sig

Re: [PATCH v2 6/8] IMA: Add example policy for ima_violations.sh

2024-12-31 Thread Petr Vorel
Hi Mimi, > Hi Petr, > On Fri, 2024-12-13 at 23:20 +0100, Petr Vorel wrote: > > Suggested-by: Mimi Zohar > > Signed-off-by: Petr Vorel > > --- > > .../integrity/ima/datafiles/ima_violations/violations.policy | 1 + > > 1 file changed, 1 insertion(+) &g

Re: [LTP] [PATCH] ima_violations.sh: Fix condition evaluation

2025-04-05 Thread Petr Vorel
Hi Li, > On Fri, Mar 14, 2025 at 8:43 PM Petr Vorel wrote: > > Evaluation "-gt 0" needs to be together with expectation of empty > > $expected_violations. Therefore use [ ... -a ... ] comparator to avoid > > -eq comparison against empty $expected_violations.

[PATCH] ima_violations.sh: Fix condition evaluation

2025-03-14 Thread Petr Vorel
support multiple violations") Signed-off-by: Petr Vorel --- .../kernel/security/integrity/ima/tests/ima_violations.sh | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/testcases/kernel/security/integrity/ima/tests/ima_violations.sh b/testcases/kernel/security/inte

[PATCH] tst_security.sh: Use the same value for checkreqprot

2025-04-25 Thread Petr Vorel
nce other tests), which is always better. Fixes: 36c695e497 ("tst_security.sh: Add helper tst_update_selinux_state()") Signed-off-by: Petr Vorel --- @SELinux developers: FYI tst_security.sh is used in LTP test in ima_selinux.sh [1] test. Kind regards, Petr [1] https://github.com/linux-tes

Re: [LTP] [PATCH 2/2] ima_selinux.sh: Detect SELinux before loading policy

2025-02-17 Thread Petr Vorel
Hi Andrea, > Hi! > On 2/17/25 14:08, Petr Vorel wrote: > > Adding TST_SETUP_EARLY to run test specific setup before loading policy. > > That allows to avoid loading IMA policy (which usually requests a reboot) > > if the test would be skipped anyway. > > Fixes: aac97

[PATCH COMMITTED] ima_setup.sh: Quit the test on unsuitable IMA policy

2025-02-17 Thread Petr Vorel
rd test. Fixes: aac97cca96 ("ima_setup.sh: Allow to load predefined policy") Signed-off-by: Petr Vorel --- .../integrity/ima/tests/ima_measurements.sh| 2 +- .../security/integrity/ima/tests/ima_setup.sh | 14 ++ 2 files changed, 7 insertions(+), 9 deletions(-

Re: [LTP] [PATCH 1/2] tst_security.sh: Fix SELinux detection

2025-02-17 Thread Petr Vorel
Hi Andrea, > Hi! Thanks for your review, merged as a needed fix. Kind regards, Petr > Reviewed-by: Andrea Cervesato > On 2/17/25 14:08, Petr Vorel wrote: > > Some SLES15 versions create /selinux directory which fails the detection > > if SELinux is actually not enabled

[PATCH 1/2] tst_security.sh: Fix SELinux detection

2025-02-17 Thread Petr Vorel
in kernel 3.0 in commit 7a627e3b9a2b ("SELINUX: add /sys/fs/selinux mount point to put selinuxfs") 14 years is enough, kernel 3.0 is not even supported in current LTP and we don't even support /selinux in C API (tst_security.c). Fixes: e7b804df65 ("shell: Add tst_security.s

[PATCH 2/2] ima_selinux.sh: Detect SELinux before loading policy

2025-02-17 Thread Petr Vorel
Adding TST_SETUP_EARLY to run test specific setup before loading policy. That allows to avoid loading IMA policy (which usually requests a reboot) if the test would be skipped anyway. Fixes: aac97cca96 ("ima_setup.sh: Allow to load predefined policy") Signed-off-by: Petr Vorel --- testca

Re: [PATCH 2/2] ima_selinux.sh: Detect SELinux before loading policy

2025-02-17 Thread Petr Vorel
Hi, > Adding TST_SETUP_EARLY to run test specific setup before loading policy. > That allows to avoid loading IMA policy (which usually requests a reboot) > if the test would be skipped anyway. > Fixes: aac97cca96 ("ima_setup.sh: Allow to load predefined policy") >

[PATCH 1/2] ima_setup.sh: Postpone loading policy after test setup

2025-02-19 Thread Petr Vorel
eboot). Therefore first check $REQUIRED_BUILTIN_POLICY (value of ima_policy kernel cmdline parameter, it can TCONF), then run the test specific setup and finally run the policy if needed. Fixes: aac97cca96 ("ima_setup.sh: Allow to load predefined policy") Signed-off-by: Petr Vorel --- Li

Re: [RFC PATCH] IMA: Remove evm_overlay.sh

2025-03-07 Thread Petr Vorel
Hi Mimi, Ignaz, > Proof of concept, it was never fixed in the kernel. > Instead we should have some basic EVM tests. gently ping. Is evm_overlay.sh test useful for you? Otherwise I'll delete it. Kind regards, Petr > Signed-off-by: Petr Vorel > -

Re: [PATCH v3 5/5] ima_violations.sh: require kernel v6.14 for minimizing violations tests

2025-03-07 Thread Petr Vorel
Hi Mimi, > Depending on the IMA policy and the number of violations, the kernel > patches for minimizing the number of open-writers and ToMToU (Time of > Measure Time of Use) violations may be a major performance improvement. I would prefer this to be squashed into "ima_violations.sh: additional

Re: [PATCH v2 1/4] ima_violations.sh: force $LOG ToMToU violation earlier

2025-03-04 Thread Petr Vorel
Hi Mimi, ... > > > + exec 3< $LOG || tst_brk TBROK "failed to read log file" > > > tst_res TINFO "using log $LOG" > > If you don't mind, I would reverse the order to get info about which log is > > used: > > tst_res TINFO "using log $LOG" > > exec 3< $LOG || tst_brk TBROK "failed to re

Re: [PATCH v2 1/4] ima_violations.sh: force $LOG ToMToU violation earlier

2025-03-04 Thread Petr Vorel
; $LOG || tst_brk TBROK "failed to read log file" Or, if it's needed to for some reason to run it before (no idea why, but I might miss something), I would merge it as: exec 3< $LOG || tst_brk TBROK "failed to read $LOG" tst_res TINFO "using log $LOG" Reviewed-by: Petr Vorel Kind regards, Petr

Re: [PATCH v2 2/4] ima_violations.sh: Update validate() to support multiple violations

2025-03-04 Thread Petr Vorel
Hi Mimi, > Add support for the number of expected violations. Include the > expected number of violations in the output. Unfortunately this works only on fixed kernel (e.g. the one with v1 of your "ima: limit both open-writers and ToMToU violations" kernel patchset [1] (I haven't built v2 [2], b

Re: [PATCH v2 2/4] ima_violations.sh: Update validate() to support multiple violations

2025-03-04 Thread Petr Vorel
> On Tue, 2025-03-04 at 09:44 -0500, Mimi Zohar wrote: > > On Tue, 2025-03-04 at 14:31 +0100, Petr Vorel wrote: > > > Hi Mimi, > > > > Add support for the number of expected violations. Include the > > > > expected number of violations in the output. &g

Re: [PATCH] ima_kexec.sh: Detect kernel image from BOOT_IMAGE from /proc/cmdline

2025-03-04 Thread Petr Vorel
Hi all, > Default value was suitable only for x86_64. This helps to use other > archs on distros which set $BOOT_IMAGE. FYI merged. Kind regards, Petr

Re: [PATCH] ima_selinux.sh: Require ima_policy=critical_data kernel cmdline

2025-03-04 Thread Petr Vorel
Hi all, > Test requires not only func=CRITICAL_DATA IMA policy content but also > ima_policy=critical_data kernel cmdline. Without cmdline no measures are > done. FYI merged. Kind regards, Petr > https://ima-doc.readthedocs.io/en/latest/ima-policy.html#ima-policy-critical-data > https://git.ker

Re: [PATCH v3 1/5] ima_violations.sh: force $LOG ToMToU violation earlier

2025-03-06 Thread Petr Vorel
Hi Mimi, > Violation tests are dependent on searching the $LOG file, which may > itself result in a ToMToU violation. Preempt getting an additional > violation during the tests by forcing the $LOG ToMToU violation > earlier. FYI I already merged this from v2 (modified, just swap TINFO message wi

Re: [PATCH 2/2] ima_setup.sh: Check 'cat' exit code when loading policy

2025-03-06 Thread Petr Vorel
Hi Mimi, all, > Parsing stderr should be enough, but check also 'cat' exit code > in case of error message change or other problem. FYI patchset merged. Kind regards, Petr

Re: [RFC PATCH] IMA: Remove evm_overlay.sh

2025-03-12 Thread Petr Vorel
Hi Mimi, Ignaz, > On Fri, 2025-03-07 at 11:24 +0100, Petr Vorel wrote: > > Hi Mimi, Ignaz, > > > Proof of concept, it was never fixed in the kernel. > > > Instead we should have some basic EVM tests. > > gently ping. Is evm_overlay.sh test useful for

Re: [PATCH 2/2] ima: limit the number of ToMToU integrity violations

2025-02-21 Thread Petr Vorel
Hi Mimi, Tested-by: Petr Vorel Kind regards, Petr

Re: [RFC PATCH 3/3] ima: additional ToMToU violation tests

2025-02-21 Thread Petr Vorel
> On Thu, 2025-02-20 at 22:43 +0100, Petr Vorel wrote: > > > On Thu, 2025-02-20 at 15:22 -0500, Mimi Zohar wrote: > > > > On Thu, 2025-02-20 at 20:13 +0100, Petr Vorel wrote: > > > > > > On Thu, 2025-02-20 at 19:16 +0100, Petr Vorel wrote: > > >

Re: [PATCH 1/2] ima: limit the number of open-writers integrity violations

2025-02-21 Thread Petr Vorel
Hi Mimi, Tested-by: Petr Vorel Kind regards, Petr

Re: [RFC PATCH 3/3] ima: additional ToMToU violation tests

2025-02-24 Thread Petr Vorel
> On Fri, 2025-02-21 at 09:16 +0100, Petr Vorel wrote: > > > On Thu, 2025-02-20 at 22:43 +0100, Petr Vorel wrote: > > > > > On Thu, 2025-02-20 at 15:22 -0500, Mimi Zohar wrote: > > > > > > On Thu, 2025-02-20 at 20:13 +0100, Petr Vorel wrote: > >

[PATCH] ima_selinux.sh: Require ima_policy=critical_data kernel cmdline

2025-02-24 Thread Petr Vorel
/commit/?id=fdd1ffe8a812 Fixes: 4944a63ed9 ("IMA: Add test for SELinux measurement") Signed-off-by: Petr Vorel --- FYI this is supposed to be applied on the top of "ima_setup.sh: Postpone loading policy after test setup" patchset https://patchwork.ozlabs.org/project/ltp/list/

[PATCH] ima_kexec.sh: Detect kernel image from BOOT_IMAGE from /proc/cmdline

2025-02-24 Thread Petr Vorel
Default value was suitable only for x86_64. This helps to use other archs on distros which set $BOOT_IMAGE. Signed-off-by: Petr Vorel --- NOTE: this will not help for non-x86_64 archs on distros which don't specify BOOT_IMAGE on kernel command line (e.g. aarch64 or ppc64le). But unless

Re: [RFC PATCH 3/3] ima: additional ToMToU violation tests

2025-02-20 Thread Petr Vorel
Hi Mimi, > Kernel patch "ima: limit the number of ToMToU integrity violations" > prevents superfluous ToMToU violations. Add corresponding LTP tests. > Link: > https://lore.kernel.org/linux-integrity/20250219162131.416719-3-zo...@linux.ibm.com/ > Signed-off-by: Mimi Zohar Unfortunately tests

Re: [PATCH 1/2] ima: limit the number of open-writers integrity violations

2025-02-20 Thread Petr Vorel
> Limit the number of open-writers integrity violations for an existing > file open for write to one. After the existing file open for write > closes (__fput), subsequent open-writers integrity violations may occur. LGTM. Reviewed-by: Petr Vorel I also did a regression testing on LT

Re: [PATCH 2/2] ima: limit the number of ToMToU integrity violations

2025-02-20 Thread Petr Vorel
Hi Mimi, LGTM. Reviewed-by: Petr Vorel Kind regards, Petr

Re: [RFC PATCH 3/3] ima: additional ToMToU violation tests

2025-02-20 Thread Petr Vorel
Hi Mimi, > Hi Mimi, > > Kernel patch "ima: limit the number of ToMToU integrity violations" > > prevents superfluous ToMToU violations. Add corresponding LTP tests. > > Link: > > https://lore.kernel.org/linux-integrity/20250219162131.416719-3-zo...@linux.ibm.com/ > > Signed-off-by: Mimi Zohar

Re: [RFC PATCH 1/3] Update validate() to support multiple violations

2025-02-20 Thread Petr Vorel
Hi Mimi, > Add support for the number of expected violations. Include the > expected number of violations in the output. > Signed-off-by: Mimi Zohar > --- > .../security/integrity/ima/tests/ima_violations.sh | 10 -- > 1 file changed, 8 insertions(+), 2 deletions(-) > diff --git a

Re: [RFC PATCH 2/3] ima: additional open-writer violation tests

2025-02-20 Thread Petr Vorel
Hi Mimi, > Kernel patch "ima: limit the number of open-writers integrity > violations" prevents superfluous "open-writers" violations. Add > corresponding LTP tests. > Link: > https://lore.kernel.org/linux-integrity/20250219162131.416719-2-zo...@linux.ibm.com/ > Signed-off-by: Mimi Zohar > ---

Re: [RFC PATCH 3/3] ima: additional ToMToU violation tests

2025-02-20 Thread Petr Vorel
> On Thu, 2025-02-20 at 19:16 +0100, Petr Vorel wrote: > > Hi Mimi, > > > Kernel patch "ima: limit the number of ToMToU integrity violations" > > > prevents superfluous ToMToU violations. Add corresponding LTP tests. > > > Link:

Re: [RFC PATCH 3/3] ima: additional ToMToU violation tests

2025-02-20 Thread Petr Vorel
> On Thu, 2025-02-20 at 15:22 -0500, Mimi Zohar wrote: > > On Thu, 2025-02-20 at 20:13 +0100, Petr Vorel wrote: > > > > On Thu, 2025-02-20 at 19:16 +0100, Petr Vorel wrote: > > > > > Hi Mimi, > > > > > > Kernel patch "ima: limit the

[PATCH 2/2] ima_setup.sh: Check 'cat' exit code when loading policy

2025-02-19 Thread Petr Vorel
Parsing stderr should be enough, but check also 'cat' exit code in case of error message change or other problem. Signed-off-by: Petr Vorel --- New in v2. testcases/kernel/security/integrity/ima/tests/ima_setup.sh | 6 ++ 1 file changed, 6 insertions(+) diff --git a/testca

[COMMITTED][PATCH] ima_violations.sh: Fix min kernel version for test4+

2025-04-02 Thread Petr Vorel
h: require kernel v6.14 for minimizing violations tests") Signed-off-by: Petr Vorel --- Hi Mimi, all, I'm sorry for not catching this: https://lore.kernel.org/linux-integrity/174319448478.2953471.5705766506609559454.pr-tracker-...@kernel.org/T/#t We got this because openSUSE Tumbleweed reach