[v2,4/8] ima_setup: Print warning when policy not readable

Message ID 20241213222014.1580991-5-pvorel@suse.cz (mailing list archive)
State New
Series LTP tests: load predefined policy, enhancements

Commit Message

Petr Vorel Dec. 13, 2024, 10:20 p.m. UTC
check_ima_policy_content() now prints a TINFO message when the policy is not
readable and does not return 1 in this case. Therefore the
"'func=KEXEC_KERNEL_CHECK' appraise policy loaded, kernel image may not
be signed" TWARN message in ima_kexec.sh is not printed when the policy is
not readable.

This is better because in the previous case the test always failed due to TWARN but
the result is actually unknown (e.g. don't expect a missing policy, return 1
as failure only when the policy is readable and checking with grep failed).

Fixes: 3843e2d6fb ("IMA: Add policy related helpers")
Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
 testcases/kernel/security/integrity/ima/tests/ima_setup.sh | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

Patch

diff --git a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
index cf769ac751..e958dd3334 100644
--- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
@@ -94,8 +94,11 @@  check_ima_policy_content()
 	local pattern="$1"
 	local grep_params="${2--q}"
 
-	check_policy_readable || return 1
-	grep $grep_params "$pattern" $IMA_POLICY
+	if check_policy_readable; then
+		grep $grep_params "$pattern" $IMA_POLICY
+	else
+		tst_res TINFO "WARNING: policy not readable, can't check policy for '$pattern' (possible false positives)"
+	fi
 }
 
 require_ima_policy_content()
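Review bot: the new else branch leaves the function's exit status as that of tst_res (0 when the message is printed), so after this hunk check_ima_policy_content() returns 0 both when grep matched "$pattern" and when the policy could not be read at all. Callers in the negative form (`check_ima_policy_content ... || tst_res TWARN ...`, the ima_kexec.sh case from the commit message) get the intended silence, but any caller that branches on success will now take the "pattern is present" path on an unreadable policy, which is exactly the false positive the new TINFO text warns about. Since a distinct non-zero status would bring the ima_kexec.sh TWARN back, the safer fix is to document the contract in a comment above the function (0: pattern found or policy unreadable, 1: pattern not found) and to have any caller that needs the distinction call check_policy_readable itself first. Please also confirm that require_ima_policy_content(), which begins in the trailing context of this hunk, still refuses to proceed on an unreadable policy now that the helper no longer returns 1 for it.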