Message ID | 20250220160054.12149-3-zohar@linux.ibm.com (mailing list archive)
---|---
State | New
Series | [RFC,1/3] Update validate() to support multiple violations
Hi Mimi,

> Kernel patch "ima: limit the number of ToMToU integrity violations"
> prevents superfluous ToMToU violations. Add corresponding LTP tests.

> Link: https://lore.kernel.org/linux-integrity/20250219162131.416719-3-zohar@linux.ibm.com/
> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>

Unfortunately tests fail on both mainline kernel and kernel with your patches.
Any hint what could be wrong?

Mainline kernel (on kernel with your patches it looks the same):

ima_violations 1 TINFO: Running: ima_violations.sh
ima_violations 1 TINFO: Tested kernel: Linux ts 6.13.0-2.g0127a37-default #1 SMP PREEMPT_DYNAMIC Thu Jan 23 11:21:55 UTC 2025 (0127a37) x86_64 x86_64 x86_64 GNU/Linux
ima_violations 1 TINFO: Using /tmp/LTP_ima_violations.cKm34XVZk2 as tmpdir (tmpfs filesystem)
tst_device.c:99: TINFO: Found free device 0 '/dev/loop0'
ima_violations 1 TINFO: Formatting ext3 with opts='/dev/loop0'
ima_violations 1 TINFO: Mounting device: mount -t ext3 /dev/loop0 /tmp/LTP_ima_violations.cKm34XVZk2/mntpoint
ima_violations 1 TINFO: timeout per run is 0h 5m 0s
ima_violations 1 TINFO: IMA kernel config:
ima_violations 1 TINFO: CONFIG_IMA=y
ima_violations 1 TINFO: CONFIG_IMA_MEASURE_PCR_IDX=10
ima_violations 1 TINFO: CONFIG_IMA_LSM_RULES=y
ima_violations 1 TINFO: CONFIG_IMA_NG_TEMPLATE=y
ima_violations 1 TINFO: CONFIG_IMA_DEFAULT_TEMPLATE="ima-ng"
ima_violations 1 TINFO: CONFIG_IMA_DEFAULT_HASH_SHA256=y
ima_violations 1 TINFO: CONFIG_IMA_DEFAULT_HASH="sha256"
ima_violations 1 TINFO: CONFIG_IMA_READ_POLICY=y
ima_violations 1 TINFO: CONFIG_IMA_APPRAISE=y
ima_violations 1 TINFO: CONFIG_IMA_ARCH_POLICY=y
ima_violations 1 TINFO: CONFIG_IMA_APPRAISE_BOOTPARAM=y
ima_violations 1 TINFO: CONFIG_IMA_APPRAISE_MODSIG=y
ima_violations 1 TINFO: CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS=y
ima_violations 1 TINFO: CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS=y
ima_violations 1 TINFO: CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT=y
ima_violations 1 TINFO: CONFIG_IMA_DISABLE_HTABLE=y
ima_violations 1 TINFO: /proc/cmdline: BOOT_IMAGE=/boot/vmlinuz-6.13.0-2.g0127a37-default root=UUID=e36b2366-1af2-4408-903c-1fca82c60f4c splash=silent video=1024x768 plymouth.ignore-serial-consoles console=ttyS0 console=tty kernel.softlockup_panic=1 resume=/dev/disk/by-uuid/c3b865f9-5d5b-410e-a6d1-9ebcf721584c mitigations=auto security=apparmor ignore_loglevel
ima_violations 1 TINFO: $TMPDIR is on tmpfs => run on loop device
ima_violations 1 TINFO: test requires IMA policy:
measure func=FILE_CHECK mask=^MAY_READ euid=0
measure func=FILE_CHECK mask=^MAY_READ uid=0
ima_violations 1 TINFO: SUT has required policy content
ima_violations 1 TINFO: using log /var/log/audit/audit.log
ima_violations 1 TINFO: verify open writers violation
ima_violations 1 TFAIL: open_writers too many violations added
ima_violations 2 TINFO: verify ToMToU violation
ima_violations 2 TFAIL: ToMToU too many violations added
ima_violations 3 TINFO: verify open_writers using mmapped files
tst_test.c:1900: TINFO: LTP version: 20250130-22-gcd2215702f
tst_test.c:1904: TINFO: Tested kernel: 6.13.0-2.g0127a37-default #1 SMP PREEMPT_DYNAMIC Thu Jan 23 11:21:55 UTC 2025 (0127a37) x86_64
tst_kconfig.c:88: TINFO: Parsing kernel config '/proc/config.gz'
tst_kconfig.c:676: TINFO: CONFIG_FAULT_INJECTION kernel option detected which might slow the execution
tst_test.c:1722: TINFO: Overall timeout per run is 0h 02m 00s
ima_mmap.c:38: TINFO: sleep 3s
ima_violations 3 TFAIL: open_writers too many violations added
ima_mmap.c:41: TPASS: test completed

Summary:
passed 1
failed 0
broken 0
skipped 0
warnings 0
ima_violations 4 TINFO: verify limiting single open writer violation
ima_violations 4 TFAIL: open_writers too many violations added
ima_violations 5 TINFO: verify limiting multiple open writers violations
ima_violations 5 TFAIL: open_writers too many violations added
ima_violations 6 TINFO: verify new open writer causes additional violation
ima_violations 6 TFAIL: open_writers too many violations added
ima_violations 7 TINFO: verify limiting single open reader ToMToU violations
ima_violations 7 TFAIL: ToMToU too many violations added
ima_violations 8 TINFO: verify new open reader causes additional ToMToU violation
ima_violations 8 TFAIL: ToMToU too many violations added

Kind regards,
Petr
Hi Mimi,

> Hi Mimi,

> > Kernel patch "ima: limit the number of ToMToU integrity violations"
> > prevents superfluous ToMToU violations. Add corresponding LTP tests.

> > Link: https://lore.kernel.org/linux-integrity/20250219162131.416719-3-zohar@linux.ibm.com/
> > Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>

> Unfortunately tests fail on both mainline kernel and kernel with your patches.
> Any hint what could be wrong?

> Mainline kernel (on kernel with your patches it looks the same):

I'm sorry, I accidentally tested only on vanilla kernel. Rerunning tests with updated kernel.

Is this considered a security feature? If yes, then failures on vanilla kernel are OK; we just need to later add kernel hashes to let testers know about missing backports. If it's a feature (not to be backported), we should test the new feature only on newer kernels.

Kind regards,
Petr
On Thu, 2025-02-20 at 19:16 +0100, Petr Vorel wrote:
> Hi Mimi,
>
> > Kernel patch "ima: limit the number of ToMToU integrity violations"
> > prevents superfluous ToMToU violations. Add corresponding LTP tests.
>
> > Link: https://lore.kernel.org/linux-integrity/20250219162131.416719-3-zohar@linux.ibm.com/
> > Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
>
> Unfortunately tests fail on both mainline kernel and kernel with your patches.

The new LTP IMA violations patches should fail without the associated kernel patches.

> Any hint what could be wrong?

Of course it's dependent on the IMA policy. The tests assume being booted with the IMA TCB measurement policy or similar policy being loaded. Can you share the IMA policy? e.g. cat /sys/kernel/security/ima/policy

thanks,
Mimi

> Mainline kernel (on kernel with your patches it looks the same):
> On Thu, 2025-02-20 at 19:16 +0100, Petr Vorel wrote:
> > Hi Mimi,
>
> > > Kernel patch "ima: limit the number of ToMToU integrity violations"
> > > prevents superfluous ToMToU violations. Add corresponding LTP tests.
>
> > > Link: https://lore.kernel.org/linux-integrity/20250219162131.416719-3-zohar@linux.ibm.com/
> > > Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
>
> > Unfortunately tests fail on both mainline kernel and kernel with your patches.
>
> The new LTP IMA violations patches should fail without the associated kernel patches.
>
> > Any hint what could be wrong?
>
> Of course it's dependent on the IMA policy. The tests assume being booted with the IMA
> TCB measurement policy or similar policy being loaded. Can you share the IMA policy?
> e.g. cat /sys/kernel/security/ima/policy
>
> thanks,
> Mimi

Now testing on kernel *with* your patches. First run always fails, regardless whether using ima_policy=tcb or /opt/ltp/testcases/data/ima_violations/violations.policy.

Kind regards,
Petr

First run fails:

# LTP_IMA_LOAD_POLICY=1 LTPROOT="/opt/ltp" PATH="/opt/ltp/testcases/bin:$PATH" ima_violations.sh
(policy is /opt/ltp/testcases/data/ima_violations/violations.policy)
ima_violations 1 TINFO: Running: ima_violations.sh
ima_violations 1 TINFO: Tested kernel: Linux ts 6.14.0-rc3-1.gb6b4102-default #1 SMP PREEMPT_DYNAMIC Thu Feb 20 12:26:55 UTC 2025 (b6b4102) x86_64 x86_64 x86_64 GNU/Linux
ima_violations 1 TINFO: Using /tmp/LTP_ima_violations.XR34KhtnDM as tmpdir (tmpfs filesystem)
tst_device.c:99: TINFO: Found free device 0 '/dev/loop0'
ima_violations 1 TINFO: Formatting ext3 with opts='/dev/loop0'
ima_violations 1 TINFO: Mounting device: mount -t ext3 /dev/loop0 /tmp/LTP_ima_violations.XR34KhtnDM/mntpoint
ima_violations 1 TINFO: timeout per run is 0h 5m 0s
ima_violations 1 TINFO: IMA kernel config:
ima_violations 1 TINFO: CONFIG_IMA=y
ima_violations 1 TINFO: CONFIG_IMA_MEASURE_PCR_IDX=10
ima_violations 1 TINFO: CONFIG_IMA_LSM_RULES=y
ima_violations 1 TINFO: CONFIG_IMA_NG_TEMPLATE=y
ima_violations 1 TINFO: CONFIG_IMA_DEFAULT_TEMPLATE="ima-ng"
ima_violations 1 TINFO: CONFIG_IMA_DEFAULT_HASH_SHA256=y
ima_violations 1 TINFO: CONFIG_IMA_DEFAULT_HASH="sha256"
ima_violations 1 TINFO: CONFIG_IMA_READ_POLICY=y
ima_violations 1 TINFO: CONFIG_IMA_APPRAISE=y
ima_violations 1 TINFO: CONFIG_IMA_ARCH_POLICY=y
ima_violations 1 TINFO: CONFIG_IMA_APPRAISE_BOOTPARAM=y
ima_violations 1 TINFO: CONFIG_IMA_APPRAISE_MODSIG=y
ima_violations 1 TINFO: CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS=y
ima_violations 1 TINFO: CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS=y
ima_violations 1 TINFO: CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT=y
ima_violations 1 TINFO: CONFIG_IMA_DISABLE_HTABLE=y
ima_violations 1 TINFO: /proc/cmdline: BOOT_IMAGE=/boot/vmlinuz-6.14.0-rc3-1.gb6b4102-default root=UUID=e36b2366-1af2-4408-903c-1fca82c60f4c splash=silent video=1024x768 plymouth.ignore-serial-consoles console=ttyS0 console=tty kernel.softlockup_panic=1 resume=/dev/disk/by-uuid/c3b865f9-5d5b-410e-a6d1-9ebcf721584c mitigations=auto security=apparmor ignore_loglevel
ima_violations 1 TINFO: $TMPDIR is on tmpfs => run on loop device
ima_violations 1 TINFO: test requires IMA policy:
measure func=FILE_CHECK mask=^MAY_READ euid=0
measure func=FILE_CHECK mask=^MAY_READ uid=0
ima_violations 1 TINFO: WARNING: missing required policy content: 'measure func=FILE_CHECK mask=^MAY_READ euid=0'
ima_violations 1 TINFO: trying to load '/opt/ltp/testcases/data/ima_violations/violations.policy' policy:
measure func=FILE_CHECK mask=^MAY_READ euid=0
measure func=FILE_CHECK mask=^MAY_READ uid=0
ima_violations 1 TINFO: example policy successfully loaded
ima_violations 1 TINFO: using log /var/log/audit/audit.log
ima_violations 1 TINFO: verify open writers violation
ima_violations 1 TFAIL: open_writers too many violations added: 2 - 0
ima_violations 2 TINFO: verify ToMToU violation
ima_violations 2 TPASS: 1 ToMToU violation(s) added
ima_violations 3 TINFO: verify open_writers using mmapped files
tst_test.c:1900: TINFO: LTP version: 20250130-22-gcd2215702f
tst_test.c:1904: TINFO: Tested kernel: 6.14.0-rc3-1.gb6b4102-default #1 SMP PREEMPT_DYNAMIC Thu Feb 20 12:26:55 UTC 2025 (b6b4102) x86_64
tst_kconfig.c:88: TINFO: Parsing kernel config '/proc/config.gz'
tst_kconfig.c:676: TINFO: CONFIG_FAULT_INJECTION kernel option detected which might slow the execution
tst_test.c:1722: TINFO: Overall timeout per run is 0h 02m 00s
ima_mmap.c:38: TINFO: sleep 3s
ima_violations 3 TPASS: 1 open_writers violation(s) added
ima_mmap.c:41: TPASS: test completed

Summary:
passed 1
failed 0
broken 0
skipped 0
warnings 0
ima_violations 4 TINFO: verify limiting single open writer violation
ima_violations 4 TPASS: 1 open_writers violation(s) added
ima_violations 5 TINFO: verify limiting multiple open writers violations
ima_violations 5 TPASS: 1 open_writers violation(s) added
ima_violations 6 TINFO: verify new open writer causes additional violation
ima_violations 6 TPASS: 2 open_writers violation(s) added
ima_violations 7 TINFO: verify limiting single open reader ToMToU violations
ima_violations 7 TPASS: 1 ToMToU violation(s) added
ima_violations 8 TINFO: verify new open reader causes additional ToMToU violation
ima_violations 8 TPASS: 2 ToMToU violation(s) added
ima_violations 9 TINFO: WARNING: policy loaded via LTP_IMA_LOAD_POLICY=1, reboot recommended

Summary:
passed 7
failed 1
broken 0
skipped 0
warnings 0

Second run is ok:

# LTPROOT="/opt/ltp" PATH="/opt/ltp/testcases/bin:$PATH" ima_violations.sh
ima_violations 1 TINFO: Running: ima_violations.sh
ima_violations 1 TINFO: Tested kernel: Linux ts 6.14.0-rc3-1.gb6b4102-default #1 SMP PREEMPT_DYNAMIC Thu Feb 20 12:26:55 UTC 2025 (b6b4102) x86_64 x86_64 x86_64 GNU/Linux
ima_violations 1 TINFO: Using /var/tmp/LTP_ima_violations.SWERFjvPTp as tmpdir (btrfs filesystem)
ima_violations 1 TINFO: timeout per run is 0h 5m 0s
ima_violations 1 TINFO: IMA kernel config:
ima_violations 1 TINFO: CONFIG_IMA=y
ima_violations 1 TINFO: CONFIG_IMA_MEASURE_PCR_IDX=10
ima_violations 1 TINFO: CONFIG_IMA_LSM_RULES=y
ima_violations 1 TINFO: CONFIG_IMA_NG_TEMPLATE=y
ima_violations 1 TINFO: CONFIG_IMA_DEFAULT_TEMPLATE="ima-ng"
ima_violations 1 TINFO: CONFIG_IMA_DEFAULT_HASH_SHA256=y
ima_violations 1 TINFO: CONFIG_IMA_DEFAULT_HASH="sha256"
ima_violations 1 TINFO: CONFIG_IMA_READ_POLICY=y
ima_violations 1 TINFO: CONFIG_IMA_APPRAISE=y
ima_violations 1 TINFO: CONFIG_IMA_ARCH_POLICY=y
ima_violations 1 TINFO: CONFIG_IMA_APPRAISE_BOOTPARAM=y
ima_violations 1 TINFO: CONFIG_IMA_APPRAISE_MODSIG=y
ima_violations 1 TINFO: CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS=y
ima_violations 1 TINFO: CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS=y
ima_violations 1 TINFO: CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT=y
ima_violations 1 TINFO: CONFIG_IMA_DISABLE_HTABLE=y
ima_violations 1 TINFO: /proc/cmdline: BOOT_IMAGE=/boot/vmlinuz-6.14.0-rc3-1.gb6b4102-default root=UUID=e36b2366-1af2-4408-903c-1fca82c60f4c splash=silent video=1024x768 plymouth.ignore-serial-consoles console=ttyS0 console=tty kernel.softlockup_panic=1 resume=/dev/disk/by-uuid/c3b865f9-5d5b-410e-a6d1-9ebcf721584c mitigations=auto security=apparmor ignore_loglevel
ima_violations 1 TINFO: test requires IMA policy:
measure func=FILE_CHECK mask=^MAY_READ euid=0
measure func=FILE_CHECK mask=^MAY_READ uid=0
ima_violations 1 TINFO: SUT has required policy content
ima_violations 1 TINFO: using log /var/log/audit/audit.log
ima_violations 1 TINFO: verify open writers violation
ima_violations 1 TPASS: 1 open_writers violation(s) added
ima_violations 2 TINFO: verify ToMToU violation
ima_violations 2 TPASS: 1 ToMToU violation(s) added
ima_violations 3 TINFO: verify open_writers using mmapped files
tst_test.c:1900: TINFO: LTP version: 20250130-22-gcd2215702f
tst_test.c:1904: TINFO: Tested kernel: 6.14.0-rc3-1.gb6b4102-default #1 SMP PREEMPT_DYNAMIC Thu Feb 20 12:26:55 UTC 2025 (b6b4102) x86_64
tst_kconfig.c:88: TINFO: Parsing kernel config '/proc/config.gz'
tst_kconfig.c:676: TINFO: CONFIG_FAULT_INJECTION kernel option detected which might slow the execution
tst_test.c:1722: TINFO: Overall timeout per run is 0h 02m 00s
ima_mmap.c:38: TINFO: sleep 3s
ima_violations 3 TPASS: 1 open_writers violation(s) added
ima_mmap.c:41: TPASS: test completed

Summary:
passed 1
failed 0
broken 0
skipped 0
warnings 0
ima_violations 4 TINFO: verify limiting single open writer violation
ima_violations 4 TPASS: 1 open_writers violation(s) added
ima_violations 5 TINFO: verify limiting multiple open writers violations
ima_violations 5 TPASS: 1 open_writers violation(s) added
ima_violations 6 TINFO: verify new open writer causes additional violation
ima_violations 6 TPASS: 2 open_writers violation(s) added
ima_violations 7 TINFO: verify limiting single open reader ToMToU violations
ima_violations 7 TPASS: 1 ToMToU violation(s) added
ima_violations 8 TINFO: verify new open reader causes additional ToMToU violation
ima_violations 8 TPASS: 2 ToMToU violation(s) added

Summary:
passed 8
failed 0
broken 0
skipped 0
warnings 0

Reboot and running with ima_policy=tcb also fails on the first time:

# LTPROOT="/opt/ltp" PATH="/opt/ltp/testcases/bin:$PATH" ima_violations.sh
tmpfs is skipped
ima_violations 1 TINFO: Running: ima_violations.sh
ima_violations 1 TINFO: Tested kernel: Linux ts 6.14.0-rc3-1.gb6b4102-default #1 SMP PREEMPT_DYNAMIC Thu Feb 20 12:26:55 UTC 2025 (b6b4102) x86_64 x86_64 x86_64 GNU/Linux
ima_violations 1 TINFO: Using /tmp/LTP_ima_violations.FKQSfezAwR as tmpdir (tmpfs filesystem)
tst_device.c:99: TINFO: Found free device 0 '/dev/loop0'
ima_violations 1 TINFO: Formatting ext3 with opts='/dev/loop0'
ima_violations 1 TINFO: Mounting device: mount -t ext3 /dev/loop0 /tmp/LTP_ima_violations.FKQSfezAwR/mntpoint
ima_violations 1 TINFO: timeout per run is 0h 5m 0s
ima_violations 1 TINFO: IMA kernel config:
ima_violations 1 TINFO: CONFIG_IMA=y
ima_violations 1 TINFO: CONFIG_IMA_MEASURE_PCR_IDX=10
ima_violations 1 TINFO: CONFIG_IMA_LSM_RULES=y
ima_violations 1 TINFO: CONFIG_IMA_NG_TEMPLATE=y
ima_violations 1 TINFO: CONFIG_IMA_DEFAULT_TEMPLATE="ima-ng"
ima_violations 1 TINFO: CONFIG_IMA_DEFAULT_HASH_SHA256=y
ima_violations 1 TINFO: CONFIG_IMA_DEFAULT_HASH="sha256"
ima_violations 1 TINFO: CONFIG_IMA_READ_POLICY=y
ima_violations 1 TINFO: CONFIG_IMA_APPRAISE=y
ima_violations 1 TINFO: CONFIG_IMA_ARCH_POLICY=y
ima_violations 1 TINFO: CONFIG_IMA_APPRAISE_BOOTPARAM=y
ima_violations 1 TINFO: CONFIG_IMA_APPRAISE_MODSIG=y
ima_violations 1 TINFO: CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS=y
ima_violations 1 TINFO: CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS=y
ima_violations 1 TINFO: CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT=y
ima_violations 1 TINFO: CONFIG_IMA_DISABLE_HTABLE=y
ima_violations 1 TINFO: /proc/cmdline: BOOT_IMAGE=/boot/vmlinuz-6.14.0-rc3-1.gb6b4102-default root=UUID=e36b2366-1af2-4408-903c-1fca82c60f4c splash=silent video=1024x768 plymouth.ignore-serial-consoles console=ttyS0 console=tty kernel.softlockup_panic=1 resume=/dev/disk/by-uuid/c3b865f9-5d5b-410e-a6d1-9ebcf721584c mitigations=auto security=apparmor ignore_loglevel ima_policy=tcb
ima_violations 1 TINFO: $TMPDIR is on tmpfs => run on loop device
ima_violations 1 TINFO: booted with IMA policy: tcb
ima_violations 1 TINFO: using log /var/log/audit/audit.log
ima_violations 1 TINFO: verify open writers violation
ima_violations 1 TFAIL: open_writers too many violations added: 3 - 1
ima_violations 2 TINFO: verify ToMToU violation
ima_violations 2 TPASS: 1 ToMToU violation(s) added
ima_violations 3 TINFO: verify open_writers using mmapped files
tst_test.c:1900: TINFO: LTP version: 20250130-22-gcd2215702f
tst_test.c:1904: TINFO: Tested kernel: 6.14.0-rc3-1.gb6b4102-default #1 SMP PREEMPT_DYNAMIC Thu Feb 20 12:26:55 UTC 2025 (b6b4102) x86_64
tst_kconfig.c:88: TINFO: Parsing kernel config '/proc/config.gz'
tst_kconfig.c:676: TINFO: CONFIG_FAULT_INJECTION kernel option detected which might slow the execution
tst_test.c:1722: TINFO: Overall timeout per run is 0h 02m 00s
ima_mmap.c:38: TINFO: sleep 3s
ima_violations 3 TPASS: 1 open_writers violation(s) added
ima_mmap.c:41: TPASS: test completed

Summary:
passed 1
failed 0
broken 0
skipped 0
warnings 0
ima_violations 4 TINFO: verify limiting single open writer violation
ima_violations 4 TPASS: 1 open_writers violation(s) added
ima_violations 5 TINFO: verify limiting multiple open writers violations
ima_violations 5 TPASS: 1 open_writers violation(s) added
ima_violations 6 TINFO: verify new open writer causes additional violation
ima_violations 6 TPASS: 2 open_writers violation(s) added
ima_violations 7 TINFO: verify limiting single open reader ToMToU violations
ima_violations 7 TPASS: 1 ToMToU violation(s) added
ima_violations 8 TINFO: verify new open reader causes additional ToMToU violation
ima_violations 8 TPASS: 2 ToMToU violation(s) added

Summary:
passed 7
failed 1
broken 0
skipped 0
warnings 0

Second and later run is again OK:

# LTPROOT="/opt/ltp" PATH="/opt/ltp/testcases/bin:$PATH" ima_violations.sh
tmpfs is skipped
ima_violations 1 TINFO: Running: ima_violations.sh
ima_violations 1 TINFO: Tested kernel: Linux ts 6.14.0-rc3-1.gb6b4102-default #1 SMP PREEMPT_DYNAMIC Thu Feb 20 12:26:55 UTC 2025 (b6b4102) x86_64 x86_64 x86_64 GNU/Linux
ima_violations 1 TINFO: Using /tmp/LTP_ima_violations.1Qf6qJuSoo as tmpdir (tmpfs filesystem)
tst_device.c:99: TINFO: Found free device 0 '/dev/loop0'
ima_violations 1 TINFO: Formatting ext3 with opts='/dev/loop0'
ima_violations 1 TINFO: Mounting device: mount -t ext3 /dev/loop0 /tmp/LTP_ima_violations.1Qf6qJuSoo/mntpoint
ima_violations 1 TINFO: timeout per run is 0h 5m 0s
ima_violations 1 TINFO: IMA kernel config:
ima_violations 1 TINFO: CONFIG_IMA=y
ima_violations 1 TINFO: CONFIG_IMA_MEASURE_PCR_IDX=10
ima_violations 1 TINFO: CONFIG_IMA_LSM_RULES=y
ima_violations 1 TINFO: CONFIG_IMA_NG_TEMPLATE=y
ima_violations 1 TINFO: CONFIG_IMA_DEFAULT_TEMPLATE="ima-ng"
ima_violations 1 TINFO: CONFIG_IMA_DEFAULT_HASH_SHA256=y
ima_violations 1 TINFO: CONFIG_IMA_DEFAULT_HASH="sha256"
ima_violations 1 TINFO: CONFIG_IMA_READ_POLICY=y
ima_violations 1 TINFO: CONFIG_IMA_APPRAISE=y
ima_violations 1 TINFO: CONFIG_IMA_ARCH_POLICY=y
ima_violations 1 TINFO: CONFIG_IMA_APPRAISE_BOOTPARAM=y
ima_violations 1 TINFO: CONFIG_IMA_APPRAISE_MODSIG=y
ima_violations 1 TINFO: CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS=y
ima_violations 1 TINFO: CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS=y
ima_violations 1 TINFO: CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT=y
ima_violations 1 TINFO: CONFIG_IMA_DISABLE_HTABLE=y
ima_violations 1 TINFO: /proc/cmdline: BOOT_IMAGE=/boot/vmlinuz-6.14.0-rc3-1.gb6b4102-default root=UUID=e36b2366-1af2-4408-903c-1fca82c60f4c splash=silent video=1024x768 plymouth.ignore-serial-consoles console=ttyS0 console=tty kernel.softlockup_panic=1 resume=/dev/disk/by-uuid/c3b865f9-5d5b-410e-a6d1-9ebcf721584c mitigations=auto security=apparmor ignore_loglevel ima_policy=tcb
ima_violations 1 TINFO: $TMPDIR is on tmpfs => run on loop device
ima_violations 1 TINFO: booted with IMA policy: tcb
ima_violations 1 TINFO: using log /var/log/audit/audit.log
ima_violations 1 TINFO: verify open writers violation
ima_violations 1 TPASS: 1 open_writers violation(s) added
ima_violations 2 TINFO: verify ToMToU violation
ima_violations 2 TPASS: 1 ToMToU violation(s) added
ima_violations 3 TINFO: verify open_writers using mmapped files
tst_test.c:1900: TINFO: LTP version: 20250130-22-gcd2215702f
tst_test.c:1904: TINFO: Tested kernel: 6.14.0-rc3-1.gb6b4102-default #1 SMP PREEMPT_DYNAMIC Thu Feb 20 12:26:55 UTC 2025 (b6b4102) x86_64
tst_kconfig.c:88: TINFO: Parsing kernel config '/proc/config.gz'
tst_kconfig.c:676: TINFO: CONFIG_FAULT_INJECTION kernel option detected which might slow the execution
tst_test.c:1722: TINFO: Overall timeout per run is 0h 02m 00s
ima_mmap.c:38: TINFO: sleep 3s
ima_violations 3 TPASS: 1 open_writers violation(s) added
ima_mmap.c:41: TPASS: test completed

Summary:
passed 1
failed 0
broken 0
skipped 0
warnings 0
ima_violations 4 TINFO: verify limiting single open writer violation
ima_violations 4 TPASS: 1 open_writers violation(s) added
ima_violations 5 TINFO: verify limiting multiple open writers violations
ima_violations 5 TPASS: 1 open_writers violation(s) added
ima_violations 6 TINFO: verify new open writer causes additional violation
ima_violations 6 TPASS: 2 open_writers violation(s) added
ima_violations 7 TINFO: verify limiting single open reader ToMToU violations
ima_violations 7 TPASS: 1 ToMToU violation(s) added
ima_violations 8 TINFO: verify new open reader causes additional ToMToU violation
ima_violations 8 TPASS: 2 ToMToU violation(s) added

Summary:
passed 8
failed 0
broken 0
skipped 0
warnings 0
On Thu, 2025-02-20 at 20:13 +0100, Petr Vorel wrote:
> > On Thu, 2025-02-20 at 19:16 +0100, Petr Vorel wrote:
> > > Hi Mimi,
> >
> > > > Kernel patch "ima: limit the number of ToMToU integrity violations"
> > > > prevents superfluous ToMToU violations. Add corresponding LTP tests.
> >
> > > > Link: https://lore.kernel.org/linux-integrity/20250219162131.416719-3-zohar@linux.ibm.com/
> > > > Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
> >
> > > Unfortunately tests fail on both mainline kernel and kernel with your patches.
> >
> > The new LTP IMA violations patches should fail without the associated kernel patches.
> >
> > > Any hint what could be wrong?
> >
> > Of course it's dependent on the IMA policy. The tests assume being booted with the
> > IMA TCB measurement policy or similar policy being loaded. Can you share the IMA policy?
> > e.g. cat /sys/kernel/security/ima/policy
> >
> > thanks,
> >
> > Mimi
>
> Now testing on kernel *with* your patches. First run always fails, regardless
> whether using ima_policy=tcb or
> /opt/ltp/testcases/data/ima_violations/violations.policy.
>
> Kind regards,
> Petr

I'm not seeing that on my test machine. Could there be other things running on your system causing violations? In any case, your original test was less exacting. Similarly, instead of "-eq", try using "-qe" in the following test and removing the subsequent new "gt" test.

if [ $(($num_violations_new - $num_violations)) -eq $expected_violations ]; then

> First run fails:
violations > ima_violations 5 TPASS: 1 open_writers violation(s) added > ima_violations 6 TINFO: verify new open writer causes additional violation > ima_violations 6 TPASS: 2 open_writers violation(s) added > ima_violations 7 TINFO: verify limiting single open reader ToMToU violations > ima_violations 7 TPASS: 1 ToMToU violation(s) added > ima_violations 8 TINFO: verify new open reader causes additional ToMToU violation > ima_violations 8 TPASS: 2 ToMToU violation(s) added > ima_violations 9 TINFO: WARNING: policy loaded via LTP_IMA_LOAD_POLICY=1, reboot > recommended > > Summary: > passed 7 > failed 1 > broken 0 > skipped 0 > warnings 0 > > Second run is ok: > # LTPROOT="/opt/ltp" PATH="/opt/ltp/testcases/bin:$PATH" ima_violations.sh > ima_violations 1 TINFO: Running: ima_violations.sh > ima_violations 1 TINFO: Tested kernel: Linux ts 6.14.0-rc3-1.gb6b4102-default #1 SMP > PREEMPT_DYNAMIC Thu Feb 20 12:26:55 UTC 2025 (b6b4102) x86_64 x86_64 x86_64 GNU/Linux > ima_violations 1 TINFO: Using /var/tmp/LTP_ima_violations.SWERFjvPTp as tmpdir (btrfs > filesystem) > ima_violations 1 TINFO: timeout per run is 0h 5m 0s > ima_violations 1 TINFO: IMA kernel config: > ima_violations 1 TINFO: CONFIG_IMA=y > ima_violations 1 TINFO: CONFIG_IMA_MEASURE_PCR_IDX=10 > ima_violations 1 TINFO: CONFIG_IMA_LSM_RULES=y > ima_violations 1 TINFO: CONFIG_IMA_NG_TEMPLATE=y > ima_violations 1 TINFO: CONFIG_IMA_DEFAULT_TEMPLATE="ima-ng" > ima_violations 1 TINFO: CONFIG_IMA_DEFAULT_HASH_SHA256=y > ima_violations 1 TINFO: CONFIG_IMA_DEFAULT_HASH="sha256" > ima_violations 1 TINFO: CONFIG_IMA_READ_POLICY=y > ima_violations 1 TINFO: CONFIG_IMA_APPRAISE=y > ima_violations 1 TINFO: CONFIG_IMA_ARCH_POLICY=y > ima_violations 1 TINFO: CONFIG_IMA_APPRAISE_BOOTPARAM=y > ima_violations 1 TINFO: CONFIG_IMA_APPRAISE_MODSIG=y > ima_violations 1 TINFO: CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS=y > ima_violations 1 TINFO: CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS=y > ima_violations 1 TINFO: 
CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT=y > ima_violations 1 TINFO: CONFIG_IMA_DISABLE_HTABLE=y > ima_violations 1 TINFO: /proc/cmdline: BOOT_IMAGE=/boot/vmlinuz-6.14.0-rc3-1.gb6b4102- > default root=UUID=e36b2366-1af2-4408-903c-1fca82c60f4c splash=silent video=1024x768 > plymouth.ignore-serial-consoles console=ttyS0 console=tty kernel.softlockup_panic=1 > resume=/dev/disk/by-uuid/c3b865f9-5d5b-410e-a6d1-9ebcf721584c mitigations=auto > security=apparmor ignore_loglevel > ima_violations 1 TINFO: test requires IMA policy: > measure func=FILE_CHECK mask=^MAY_READ euid=0 > measure func=FILE_CHECK mask=^MAY_READ uid=0 > ima_violations 1 TINFO: SUT has required policy content > ima_violations 1 TINFO: using log /var/log/audit/audit.log > ima_violations 1 TINFO: verify open writers violation > ima_violations 1 TPASS: 1 open_writers violation(s) added > ima_violations 2 TINFO: verify ToMToU violation > ima_violations 2 TPASS: 1 ToMToU violation(s) added > ima_violations 3 TINFO: verify open_writers using mmapped files > tst_test.c:1900: TINFO: LTP version: 20250130-22-gcd2215702f > tst_test.c:1904: TINFO: Tested kernel: 6.14.0-rc3-1.gb6b4102-default #1 SMP > PREEMPT_DYNAMIC Thu Feb 20 12:26:55 UTC 2025 (b6b4102) x86_64 > tst_kconfig.c:88: TINFO: Parsing kernel config '/proc/config.gz' > tst_kconfig.c:676: TINFO: CONFIG_FAULT_INJECTION kernel option detected which might slow > the execution > tst_test.c:1722: TINFO: Overall timeout per run is 0h 02m 00s > ima_mmap.c:38: TINFO: sleep 3s > ima_violations 3 TPASS: 1 open_writers violation(s) added > ima_mmap.c:41: TPASS: test completed > > Summary: > passed 1 > failed 0 > broken 0 > skipped 0 > warnings 0 > ima_violations 4 TINFO: verify limiting single open writer violation > ima_violations 4 TPASS: 1 open_writers violation(s) added > ima_violations 5 TINFO: verify limiting multiple open writers violations > ima_violations 5 TPASS: 1 open_writers violation(s) added > ima_violations 6 TINFO: verify new open writer causes 
additional violation > ima_violations 6 TPASS: 2 open_writers violation(s) added > ima_violations 7 TINFO: verify limiting single open reader ToMToU violations > ima_violations 7 TPASS: 1 ToMToU violation(s) added > ima_violations 8 TINFO: verify new open reader causes additional ToMToU violation > ima_violations 8 TPASS: 2 ToMToU violation(s) added > > Summary: > passed 8 > failed 0 > broken 0 > skipped 0 > warnings 0 > > Reboot and running with ima_policy=tcb also fails on the first time: > > # LTPROOT="/opt/ltp" PATH="/opt/ltp/testcases/bin:$PATH" ima_violations.sh > tmpfs is skipped > ima_violations 1 TINFO: Running: ima_violations.sh > ima_violations 1 TINFO: Tested kernel: Linux ts 6.14.0-rc3-1.gb6b4102-default #1 SMP > PREEMPT_DYNAMIC Thu Feb 20 12:26:55 UTC 2025 (b6b4102) x86_64 x86_64 x86_64 GNU/Linux > ima_violations 1 TINFO: Using /tmp/LTP_ima_violations.FKQSfezAwR as tmpdir (tmpfs > filesystem) > tst_device.c:99: TINFO: Found free device 0 '/dev/loop0' > ima_violations 1 TINFO: Formatting ext3 with opts='/dev/loop0' > ima_violations 1 TINFO: Mounting device: mount -t ext3 /dev/loop0 > /tmp/LTP_ima_violations.FKQSfezAwR/mntpoint > ima_violations 1 TINFO: timeout per run is 0h 5m 0s > ima_violations 1 TINFO: IMA kernel config: > ima_violations 1 TINFO: CONFIG_IMA=y > ima_violations 1 TINFO: CONFIG_IMA_MEASURE_PCR_IDX=10 > ima_violations 1 TINFO: CONFIG_IMA_LSM_RULES=y > ima_violations 1 TINFO: CONFIG_IMA_NG_TEMPLATE=y > ima_violations 1 TINFO: CONFIG_IMA_DEFAULT_TEMPLATE="ima-ng" > ima_violations 1 TINFO: CONFIG_IMA_DEFAULT_HASH_SHA256=y > ima_violations 1 TINFO: CONFIG_IMA_DEFAULT_HASH="sha256" > ima_violations 1 TINFO: CONFIG_IMA_READ_POLICY=y > ima_violations 1 TINFO: CONFIG_IMA_APPRAISE=y > ima_violations 1 TINFO: CONFIG_IMA_ARCH_POLICY=y > ima_violations 1 TINFO: CONFIG_IMA_APPRAISE_BOOTPARAM=y > ima_violations 1 TINFO: CONFIG_IMA_APPRAISE_MODSIG=y > ima_violations 1 TINFO: CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS=y > ima_violations 1 TINFO: 
CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS=y > ima_violations 1 TINFO: CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT=y > ima_violations 1 TINFO: CONFIG_IMA_DISABLE_HTABLE=y > ima_violations 1 TINFO: /proc/cmdline: BOOT_IMAGE=/boot/vmlinuz-6.14.0-rc3-1.gb6b4102- > default root=UUID=e36b2366-1af2-4408-903c-1fca82c60f4c splash=silent video=1024x768 > plymouth.ignore-serial-consoles console=ttyS0 console=tty kernel.softlockup_panic=1 > resume=/dev/disk/by-uuid/c3b865f9-5d5b-410e-a6d1-9ebcf721584c mitigations=auto > security=apparmor ignore_loglevel ima_policy=tcb > ima_violations 1 TINFO: $TMPDIR is on tmpfs => run on loop device > ima_violations 1 TINFO: booted with IMA policy: tcb > ima_violations 1 TINFO: using log /var/log/audit/audit.log > ima_violations 1 TINFO: verify open writers violation > ima_violations 1 TFAIL: open_writers too many violations added: 3 - 1 > ima_violations 2 TINFO: verify ToMToU violation > ima_violations 2 TPASS: 1 ToMToU violation(s) added > ima_violations 3 TINFO: verify open_writers using mmapped files > tst_test.c:1900: TINFO: LTP version: 20250130-22-gcd2215702f > tst_test.c:1904: TINFO: Tested kernel: 6.14.0-rc3-1.gb6b4102-default #1 SMP > PREEMPT_DYNAMIC Thu Feb 20 12:26:55 UTC 2025 (b6b4102) x86_64 > tst_kconfig.c:88: TINFO: Parsing kernel config '/proc/config.gz' > tst_kconfig.c:676: TINFO: CONFIG_FAULT_INJECTION kernel option detected which might slow > the execution > tst_test.c:1722: TINFO: Overall timeout per run is 0h 02m 00s > ima_mmap.c:38: TINFO: sleep 3s > ima_violations 3 TPASS: 1 open_writers violation(s) added > ima_mmap.c:41: TPASS: test completed > > Summary: > passed 1 > failed 0 > broken 0 > skipped 0 > warnings 0 > ima_violations 4 TINFO: verify limiting single open writer violation > ima_violations 4 TPASS: 1 open_writers violation(s) added > ima_violations 5 TINFO: verify limiting multiple open writers violations > ima_violations 5 TPASS: 1 open_writers violation(s) added > ima_violations 6 TINFO: verify new open writer causes 
additional violation > ima_violations 6 TPASS: 2 open_writers violation(s) added > ima_violations 7 TINFO: verify limiting single open reader ToMToU violations > ima_violations 7 TPASS: 1 ToMToU violation(s) added > ima_violations 8 TINFO: verify new open reader causes additional ToMToU violation > ima_violations 8 TPASS: 2 ToMToU violation(s) added > > Summary: > passed 7 > failed 1 > broken 0 > skipped 0 > warnings 0 > > Second and later run is again OK > # LTPROOT="/opt/ltp" PATH="/opt/ltp/testcases/bin:$PATH" ima_violations.sh > tmpfs is skipped > ima_violations 1 TINFO: Running: ima_violations.sh > ima_violations 1 TINFO: Tested kernel: Linux ts 6.14.0-rc3-1.gb6b4102-default #1 SMP > PREEMPT_DYNAMIC Thu Feb 20 12:26:55 UTC 2025 (b6b4102) x86_64 x86_64 x86_64 GNU/Linux > ima_violations 1 TINFO: Using /tmp/LTP_ima_violations.1Qf6qJuSoo as tmpdir (tmpfs > filesystem) > tst_device.c:99: TINFO: Found free device 0 '/dev/loop0' > ima_violations 1 TINFO: Formatting ext3 with opts='/dev/loop0' > ima_violations 1 TINFO: Mounting device: mount -t ext3 /dev/loop0 > /tmp/LTP_ima_violations.1Qf6qJuSoo/mntpoint > ima_violations 1 TINFO: timeout per run is 0h 5m 0s > ima_violations 1 TINFO: IMA kernel config: > ima_violations 1 TINFO: CONFIG_IMA=y > ima_violations 1 TINFO: CONFIG_IMA_MEASURE_PCR_IDX=10 > ima_violations 1 TINFO: CONFIG_IMA_LSM_RULES=y > ima_violations 1 TINFO: CONFIG_IMA_NG_TEMPLATE=y > ima_violations 1 TINFO: CONFIG_IMA_DEFAULT_TEMPLATE="ima-ng" > ima_violations 1 TINFO: CONFIG_IMA_DEFAULT_HASH_SHA256=y > ima_violations 1 TINFO: CONFIG_IMA_DEFAULT_HASH="sha256" > ima_violations 1 TINFO: CONFIG_IMA_READ_POLICY=y > ima_violations 1 TINFO: CONFIG_IMA_APPRAISE=y > ima_violations 1 TINFO: CONFIG_IMA_ARCH_POLICY=y > ima_violations 1 TINFO: CONFIG_IMA_APPRAISE_BOOTPARAM=y > ima_violations 1 TINFO: CONFIG_IMA_APPRAISE_MODSIG=y > ima_violations 1 TINFO: CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS=y > ima_violations 1 TINFO: CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS=y > ima_violations 
1 TINFO: CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT=y > ima_violations 1 TINFO: CONFIG_IMA_DISABLE_HTABLE=y > ima_violations 1 TINFO: /proc/cmdline: BOOT_IMAGE=/boot/vmlinuz-6.14.0-rc3-1.gb6b4102- > default root=UUID=e36b2366-1af2-4408-903c-1fca82c60f4c splash=silent video=1024x768 > plymouth.ignore-serial-consoles console=ttyS0 console=tty kernel.softlockup_panic=1 > resume=/dev/disk/by-uuid/c3b865f9-5d5b-410e-a6d1-9ebcf721584c mitigations=auto > security=apparmor ignore_loglevel ima_policy=tcb > ima_violations 1 TINFO: $TMPDIR is on tmpfs => run on loop device > ima_violations 1 TINFO: booted with IMA policy: tcb > ima_violations 1 TINFO: using log /var/log/audit/audit.log > ima_violations 1 TINFO: verify open writers violation > ima_violations 1 TPASS: 1 open_writers violation(s) added > ima_violations 2 TINFO: verify ToMToU violation > ima_violations 2 TPASS: 1 ToMToU violation(s) added > ima_violations 3 TINFO: verify open_writers using mmapped files > tst_test.c:1900: TINFO: LTP version: 20250130-22-gcd2215702f > tst_test.c:1904: TINFO: Tested kernel: 6.14.0-rc3-1.gb6b4102-default #1 SMP > PREEMPT_DYNAMIC Thu Feb 20 12:26:55 UTC 2025 (b6b4102) x86_64 > tst_kconfig.c:88: TINFO: Parsing kernel config '/proc/config.gz' > tst_kconfig.c:676: TINFO: CONFIG_FAULT_INJECTION kernel option detected which might slow > the execution > tst_test.c:1722: TINFO: Overall timeout per run is 0h 02m 00s > ima_mmap.c:38: TINFO: sleep 3s > ima_violations 3 TPASS: 1 open_writers violation(s) added > ima_mmap.c:41: TPASS: test completed > > Summary: > passed 1 > failed 0 > broken 0 > skipped 0 > warnings 0 > ima_violations 4 TINFO: verify limiting single open writer violation > ima_violations 4 TPASS: 1 open_writers violation(s) added > ima_violations 5 TINFO: verify limiting multiple open writers violations > ima_violations 5 TPASS: 1 open_writers violation(s) added > ima_violations 6 TINFO: verify new open writer causes additional violation > ima_violations 6 TPASS: 2 open_writers 
violation(s) added > ima_violations 7 TINFO: verify limiting single open reader ToMToU violations > ima_violations 7 TPASS: 1 ToMToU violation(s) added > ima_violations 8 TINFO: verify new open reader causes additional ToMToU violation > ima_violations 8 TPASS: 2 ToMToU violation(s) added > > Summary: > passed 8 > failed 0 > broken 0 > skipped 0 > warnings 0 >
Hi Petr,

On Thu, 2025-02-20 at 19:46 +0100, Petr Vorel wrote:
> Is this considered a security feature? If yes, then failures on vanilla
> kernel are ok, we just need to later add kernel hashes to let testers know about
> missing backports. If it's a feature (not to be backported) we should test the new
> feature only on newer kernels.

I posted these LTP patches as RFC since the kernel patches themselves haven't been
upstreamed. I'm still waiting for some kernel patch reviews. Posting these LTP patches
might help with that.

Having multiple open-writers or ToMToU violations doesn't provide any benefit in terms of
attestation. It just clutters the audit log and the IMA measurement list. Not extending
the TPM would be a performance improvement. I'm not sure it would be classified as a
security feature or bug fix.

Mimi
On Thu, 2025-02-20 at 15:22 -0500, Mimi Zohar wrote:
> On Thu, 2025-02-20 at 20:13 +0100, Petr Vorel wrote:
> > > On Thu, 2025-02-20 at 19:16 +0100, Petr Vorel wrote:
> > > > Hi Mimi,
> > > >
> > > > > Kernel patch "ima: limit the number of ToMToU integrity violations"
> > > > > prevents superfluous ToMToU violations. Add corresponding LTP tests.
> > > > >
> > > > > Link:
> > > > > https://lore.kernel.org/linux-integrity/20250219162131.416719-3-zohar@linux.ibm.com/
> > > > > Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
> > > >
> > > > Unfortunately tests fail on both mainline kernel and kernel with your patches.
> > >
> > > The new LTP IMA violations patches should fail without the associated kernel
> > > patches.
> > >
> > > > Any hint what could be wrong?
> > >
> > > Of course it's dependent on the IMA policy. The tests assume being booted with the
> > > IMA TCB measurement policy or similar policy being loaded. Can you share the IMA
> > > policy? e.g. cat /sys/kernel/security/ima/policy
> > >
> > > thanks,
> > >
> > > Mimi
> >
> > Now testing on kernel *with* your patches. First run always fails, regardless
> > whether using ima_policy=tcb or
> > /opt/ltp/testcases/data/ima_violations/violations.policy).
> >
> > Kind regards,
> > Petr
>
> I'm not seeing that on my test machine. Could there be other things running on your
> system causing violations? In any case, your original test was less exacting.
> Similarly, instead of "-eq", try using "-qe" in the following test and removing the
> subsequent new "gt" test.

-> "-ge"

> if [ $(($num_violations_new - $num_violations)) -eq $expected_violations ]; then
>
> On Thu, 2025-02-20 at 15:22 -0500, Mimi Zohar wrote:
> > On Thu, 2025-02-20 at 20:13 +0100, Petr Vorel wrote:
> > > > On Thu, 2025-02-20 at 19:16 +0100, Petr Vorel wrote:
> > > > > Hi Mimi,
> > > > >
> > > > > > Kernel patch "ima: limit the number of ToMToU integrity violations"
> > > > > > prevents superfluous ToMToU violations. Add corresponding LTP tests.
> > > > > >
> > > > > > Link:
> > > > > > https://lore.kernel.org/linux-integrity/20250219162131.416719-3-zohar@linux.ibm.com/
> > > > > > Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
> > > > >
> > > > > Unfortunately tests fail on both mainline kernel and kernel with your patches.
> > > >
> > > > The new LTP IMA violations patches should fail without the associated kernel
> > > > patches.
> > > >
> > > > > Any hint what could be wrong?
> > > >
> > > > Of course it's dependent on the IMA policy. The tests assume being booted with the
> > > > IMA TCB measurement policy or similar policy being loaded. Can you share the IMA
> > > > policy? e.g. cat /sys/kernel/security/ima/policy
> > > >
> > > > thanks,
> > > >
> > > > Mimi
> > >
> > > Now testing on kernel *with* your patches. First run always fails, regardless
> > > whether using ima_policy=tcb or
> > > /opt/ltp/testcases/data/ima_violations/violations.policy).
> > >
> > > Kind regards,
> > > Petr
> >
> > I'm not seeing that on my test machine. Could there be other things running on your
> > system causing violations? In any case, your original test was less exacting.
> > Similarly, instead of "-eq", try using "-qe" in the following test and removing the
> > subsequent new "gt" test.
>
> -> "-ge"

Sure, changing to -ge fixes the problem:

if [ $(($num_violations_new - $num_violations)) -ge $expected_violations ]; then

I guess we need "-ge" for older kernels (unless "fix" for stable). Should we
accept "$expected_violations || $expected_violations + 1" for new kernels to
avoid problems like the one on my system?

I wonder if the problem was somehow caused by the fact that I built the kernel. OTOH
it's built by OBS (official openSUSE build service).

I don't expect you'd have time to look into it, but in case you're interested and
have time, I'm sending links to the rpm binary and src package.

https://download.opensuse.org/repositories/home:/pevik:/ima-limit-open-writers-ToMToU/standard/x86_64/kernel-default-6.14~rc3-1.1.gb6b4102.x86_64.rpm
https://download.opensuse.org/repositories/home:/pevik:/ima-limit-open-writers-ToMToU/standard/src/kernel-source-6.14~rc3-1.1.gb6b4102.src.rpm

Kind regards,
Petr

> > if [ $(($num_violations_new - $num_violations)) -eq $expected_violations ]; then
On Thu, 2025-02-20 at 22:43 +0100, Petr Vorel wrote:
> > On Thu, 2025-02-20 at 15:22 -0500, Mimi Zohar wrote:
> > > On Thu, 2025-02-20 at 20:13 +0100, Petr Vorel wrote:
> > > > > On Thu, 2025-02-20 at 19:16 +0100, Petr Vorel wrote:
> > > > > > Hi Mimi,
> > > > > >
> > > > > > > Kernel patch "ima: limit the number of ToMToU integrity violations"
> > > > > > > prevents superfluous ToMToU violations. Add corresponding LTP tests.
> > > > > > >
> > > > > > > Link:
> > > > > > > https://lore.kernel.org/linux-integrity/20250219162131.416719-3-zohar@linux.ibm.com/
> > > > > > > Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
> > > > > >
> > > > > > Unfortunately tests fail on both mainline kernel and kernel with your patches.
> > > > >
> > > > > The new LTP IMA violations patches should fail without the associated kernel
> > > > > patches.
> > > > >
> > > > > > Any hint what could be wrong?
> > > > >
> > > > > Of course it's dependent on the IMA policy. The tests assume being booted with
> > > > > the IMA TCB measurement policy or similar policy being loaded. Can you share the
> > > > > IMA policy? e.g. cat /sys/kernel/security/ima/policy
> > > > >
> > > > > thanks,
> > > > >
> > > > > Mimi
> > > >
> > > > Now testing on kernel *with* your patches. First run always fails, regardless
> > > > whether using ima_policy=tcb or
> > > > /opt/ltp/testcases/data/ima_violations/violations.policy).
> > > >
> > > > Kind regards,
> > > > Petr
> > >
> > > I'm not seeing that on my test machine. Could there be other things running on your
> > > system causing violations? In any case, your original test was less exacting.
> > > Similarly, instead of "-eq", try using "-qe" in the following test and removing the
> > > subsequent new "gt" test.
> >
> > -> "-ge"
>
> Sure, changing to -ge fixes the problem:
>
> if [ $(($num_violations_new - $num_violations)) -ge $expected_violations ]; then
>
> I guess we need "-ge" for older kernels (unless "fix" for stable). Should we
> accept "$expected_violations || $expected_violations + 1" for new kernels to
> avoid problems like the one on my system?

The problem is that we don't control what else is running on the system. So there could
be other violations independent of these tests. I'll have to think about it some more and
get back to you. (There's no rush to do anything with these LTP IMA violation tests.)

> I wonder if the problem was somehow caused by the fact that I built the kernel. OTOH
> it's built by OBS (official openSUSE build service).

As long as you weren't building the kernel and running the tests at the same time, I
doubt it would be the problem.

> I don't expect you'd have time to look into it, but in case you're interested and
> have time, I'm sending links to the rpm binary and src package.

Ok.

> https://download.opensuse.org/repositories/home:/pevik:/ima-limit-open-writers-ToMToU/standard/x86_64/kernel-default-6.14~rc3-1.1.gb6b4102.x86_64.rpm
> https://download.opensuse.org/repositories/home:/pevik:/ima-limit-open-writers-ToMToU/standard/src/kernel-source-6.14~rc3-1.1.gb6b4102.src.rpm

thanks,

Mimi
> On Thu, 2025-02-20 at 22:43 +0100, Petr Vorel wrote:
> > > On Thu, 2025-02-20 at 15:22 -0500, Mimi Zohar wrote:
> > > > On Thu, 2025-02-20 at 20:13 +0100, Petr Vorel wrote:
> > > > > > On Thu, 2025-02-20 at 19:16 +0100, Petr Vorel wrote:
> > > > > > > Hi Mimi,
> > > > > > >
> > > > > > > > Kernel patch "ima: limit the number of ToMToU integrity violations"
> > > > > > > > prevents superfluous ToMToU violations. Add corresponding LTP tests.
> > > > > > > >
> > > > > > > > Link:
> > > > > > > > https://lore.kernel.org/linux-integrity/20250219162131.416719-3-zohar@linux.ibm.com/
> > > > > > > > Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
> > > > > > >
> > > > > > > Unfortunately tests fail on both mainline kernel and kernel with your patches.
> > > > > >
> > > > > > The new LTP IMA violations patches should fail without the associated kernel
> > > > > > patches.
> > > > > >
> > > > > > > Any hint what could be wrong?
> > > > > >
> > > > > > Of course it's dependent on the IMA policy. The tests assume being booted with
> > > > > > the IMA TCB measurement policy or similar policy being loaded. Can you share the
> > > > > > IMA policy? e.g. cat /sys/kernel/security/ima/policy
> > > > > >
> > > > > > thanks,
> > > > > >
> > > > > > Mimi
> > > > >
> > > > > Now testing on kernel *with* your patches. First run always fails, regardless
> > > > > whether using ima_policy=tcb or
> > > > > /opt/ltp/testcases/data/ima_violations/violations.policy).
> > > > >
> > > > > Kind regards,
> > > > > Petr
> > > >
> > > > I'm not seeing that on my test machine. Could there be other things running on your
> > > > system causing violations? In any case, your original test was less exacting.
> > > > Similarly, instead of "-eq", try using "-qe" in the following test and removing the
> > > > subsequent new "gt" test.
> > >
> > > -> "-ge"
> >
> > Sure, changing to -ge fixes the problem:
> >
> > if [ $(($num_violations_new - $num_violations)) -ge $expected_violations ]; then
> >
> > I guess we need "-ge" for older kernels (unless "fix" for stable). Should we
> > accept "$expected_violations || $expected_violations + 1" for new kernels to
> > avoid problems like the one on my system?
>
> The problem is that we don't control what else is running on the system. So there could
> be other violations independent of these tests. I'll have to think about it some more and
> get back to you. (There's no rush to do anything with these LTP IMA violation tests.)

OK, thank you. The worst-case scenario would be to use the less precise "-ge" variant.

> > I wonder if the problem was somehow caused by the fact that I built the kernel. OTOH
> > it's built by OBS (official openSUSE build service).
>
> As long as you weren't building the kernel and running the tests at the same time, I
> doubt it would be the problem.

Understood, it's just something on the openSUSE Tumbleweed system.

Kind regards,
Petr

> > I don't expect you'd have time to look into it, but in case you're interested and
> > have time, I'm sending links to the rpm binary and src package.
>
> Ok.
>
> > https://download.opensuse.org/repositories/home:/pevik:/ima-limit-open-writers-ToMToU/standard/x86_64/kernel-default-6.14~rc3-1.1.gb6b4102.x86_64.rpm
> > https://download.opensuse.org/repositories/home:/pevik:/ima-limit-open-writers-ToMToU/standard/src/kernel-source-6.14~rc3-1.1.gb6b4102.src.rpm
>
> thanks,
>
> Mimi
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_violations.sh b/testcases/kernel/security/integrity/ima/tests/ima_violations.sh index 65c5c3a92..5b6d7e993 100755 --- a/testcases/kernel/security/integrity/ima/tests/ima_violations.sh +++ b/testcases/kernel/security/integrity/ima/tests/ima_violations.sh @@ -8,7 +8,7 @@ TST_SETUP="setup" TST_CLEANUP="cleanup" -TST_CNT=6 +TST_CNT=8 REQUIRED_BUILTIN_POLICY="tcb" REQUIRED_POLICY_CONTENT='violations.policy' @@ -245,6 +245,50 @@ test6() validate $num_violations $count $search 2 } +test7() +{ + tst_res TINFO "verify limiting single open reader ToMToU violations" + + local search="ToMToU" + local count num_violations + + read num_violations < $IMA_VIOLATIONS + count="$(get_count $search)" + + open_file_read + open_file_write + close_file_write + + open_file_write + close_file_write + close_file_read + + validate $num_violations $count $search 1 +} + +test8() +{ + tst_res TINFO "verify new open reader causes additional ToMToU violation" + + local search="ToMToU" + local count num_violations + + read num_violations < $IMA_VIOLATIONS + count="$(get_count $search)" + + open_file_read + open_file_write + close_file_write + close_file_read + + open_file_read + open_file_write + close_file_write + close_file_read + + validate $num_violations $count $search 2 +} + . ima_setup.sh . daemonlib.sh tst_run
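Review bot: the first hunk bumps TST_CNT to 8, which matches the two functions added below, but the surrounding header still records only REQUIRED_BUILTIN_POLICY="tcb" and REQUIRED_POLICY_CONTENT='violations.policy' as prerequisites; nothing in the file says that test7 and test8 also depend on the kernel patch named in the commit message ("ima: limit the number of ToMToU integrity violations"), and the thread above states these tests are expected to fail without it. A comment next to TST_CNT, or in the file header, naming that dependency would tell a tester why test7 fails on an older kernel.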
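Review bot: in the second hunk, test7 and test8 rely on an exact-count `validate $num_violations $count $search 1` / `... 2`, so any ToMToU record raised by an unrelated process between the `read num_violations < $IMA_VIOLATIONS` baseline and the validate call fails the test; that is the first-run failure reported above ("too many violations added: 3 - 1"). The two functions also document what they check only through the TINFO string: a comment in test7 stating why the second `open_file_write` / `close_file_write` cycle under the same open reader must not add a second ToMToU record (the limit the kernel patch introduces), and in test8 why closing and reopening the reader must, would make a failure on an unpatched kernel self-explanatory. If the exact count is kept rather than relaxed to "-ge", consider recording that choice in a comment so the sensitivity to background violations is deliberate and visible.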
Kernel patch "ima: limit the number of ToMToU integrity violations"
prevents superfluous ToMToU violations. Add corresponding LTP tests.

Link: https://lore.kernel.org/linux-integrity/20250219162131.416719-3-zohar@linux.ibm.com/
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
---
 .../integrity/ima/tests/ima_violations.sh | 46 ++++++++++++++++++-
 1 file changed, 45 insertions(+), 1 deletion(-)