Since kernel 6.6, the IMA policy needs to be signed when UEFI secure boot is enabled. Skip testing in that case.
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=56dc986a6b20b

This fixes errors:
ima_policy 2 TINFO: verify that policy file is not opened concurrently and able to loaded multiple times
ima_policy 2 TFAIL: problem loading or extending policy (may require policy to be signed)
https://openqa.suse.de/tests/18723792#step/ima_conditionals/6
ima_conditionals 1 TINFO: verify measuring user files when requested via uid
echo: write error: Permission denied
ima_conditionals 1 TBROK: echo measure uid=65534 > /sys/kernel/security/ima/policy failed

Ideally there would be test which check that unsigned policy cannot be written.

Signed-off-by: Petr Vorel <[email protected]>
---
 .../security/integrity/ima/tests/ima_conditionals.sh | 11 ++++++++++-
 .../kernel/security/integrity/ima/tests/ima_policy.sh | 5 ++++-
 .../kernel/security/integrity/ima/tests/ima_setup.sh | 7 +++++++
 3 files changed, 21 insertions(+), 2 deletions(-)

diff --git a/testcases/kernel/security/integrity/ima/tests/ima_conditionals.sh b/testcases/kernel/security/integrity/ima/tests/ima_conditionals.sh
index b59f330cac..9125616890 100755
--- a/testcases/kernel/security/integrity/ima/tests/ima_conditionals.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_conditionals.sh
@@ -1,7 +1,7 @@
 #!/bin/sh
 # SPDX-License-Identifier: GPL-2.0-or-later
 # Copyright (c) 2021 VPI Engineering
-# Copyright (c) 2021 Petr Vorel <[email protected]>
+# Copyright (c) 2021-2025 Petr Vorel <[email protected]>
 # Author: Alex Henrie <[email protected]>
 #
 # Verify that conditional rules work.
@@ -10,8 +10,16 @@
 # support") from v5.16.
 
 TST_NEEDS_CMDS="cat chgrp chown id sg sudo"
+TST_SETUP="setup"
 TST_CNT=1
 
+setup()
+{
+	if check_need_signed_policy; then
+		tst_brk TCONF "policy have to be signed"
+	fi
+}
+
 verify_measurement()
 {
 	local request="$1"
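Review bot: The new `setup()` aborts with `tst_brk TCONF "policy have to be signed"`, which is ungrammatical and does not tell the reader which condition triggered the skip or why the test cannot proceed. I would write `tst_brk TCONF "IMA policy must be signed (UEFI secure boot, kernel >= 6.5): cannot load unsigned test rules"` so the TCONF is self-explanatory in a test log. A one-line comment above the function would also help, e.g. `# Unsigned policy rules are rejected once signed policies are enforced; see check_need_signed_policy in ima_setup.sh`. Note that this only skips the test; it does not verify that the kernel actually rejects an unsigned policy write, which the commit message itself lists as the missing negative test.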
@@ -22,6 +30,7 @@ verify_measurement()
 	local value="$(id -u $user)"
 	[ "$request" = 'gid' -o "$request" = 'fgroup' ] && value="$(id -g $user)"
 
+	# needs to be checked each run (not in setup)
 	require_policy_writable
 
 	ROD rm -f $test_file
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_policy.sh b/testcases/kernel/security/integrity/ima/tests/ima_policy.sh
index 1c4763d838..490c8b6c2e 100755
--- a/testcases/kernel/security/integrity/ima/tests/ima_policy.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_policy.sh
@@ -61,12 +61,15 @@ test2()
 	load_policy $VALID_POLICY &
 	p2=$!
 	wait "$p1"; rc1=$?
 	wait "$p2"; rc2=$?
+
 	if [ $rc1 -eq 0 ] && [ $rc2 -eq 0 ]; then
 		tst_res TFAIL "policy opened concurrently"
 	elif [ $rc1 -eq 0 ] || [ $rc2 -eq 0 ]; then
 		tst_res TPASS "policy was loaded just by one process and able to loaded multiple times"
+	elif check_need_signed_policy; then
+		tst_res TCONF "policy have to be signed"
 	else
-		tst_res TFAIL "problem loading or extending policy (may require policy to be signed)"
+		tst_res TFAIL "problem loading or extending policy"
 	fi
 }
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
index 83fcefb4fc..2a7d651818 100644
--- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
@@ -449,6 +449,13 @@ require_evmctl()
 	fi
 }
 
+# 56dc986a6b20b ("ima: require signed IMA policy when UEFI secure boot is enabled") # v6.5-rc4
+check_need_signed_policy()
+{
+	tst_secureboot_enabled && tst_kvcmp -ge '6.5' && tst_require_kconfigs \
+		'CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY'
+}
+
 # loop device is needed to use only for tmpfs
 TMPDIR="${TMPDIR:-/tmp}"
 if tst_supported_fs -d $TMPDIR -s "tmpfs"; then
-- 
2.51.0
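Review bot: In `test2()` the new `elif check_need_signed_policy` branch is reached only after both `load_policy` attempts have already failed, and the predicate checks the environment (secure boot, kernel version, kconfig) rather than the cause of the failure, so any unrelated load error on a secure-boot host is reported as TCONF instead of TFAIL. I would log the failure before skipping, e.g. `tst_res TINFO "load_policy failed: rc1=$rc1 rc2=$rc2"` ahead of `tst_res TCONF "policy has to be signed"`, and, if `load_policy` preserves the kernel's error, confirm it was a permission-denied write before treating it as the signed-policy case. Since the kernel refusing an unsigned policy is exactly the behaviour the commit message says it would like to test, that outcome could arguably be a TPASS rather than a TCONF; a comment explaining why it is treated as TCONF would help the next reader. The message `policy have to be signed` should read `policy has to be signed`.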
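Review bot: `check_need_signed_policy()` is written as a boolean predicate, but its last operand is `tst_require_kconfigs`, which by LTP's naming aborts the test with TCONF when the option is missing instead of returning non-zero; if that holds in this tree, then on a secure-boot host with kernel >= 6.5 that lacks `CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY` the function can never return false and the caller ends with an unrelated kconfig message rather than running. I would use the non-aborting variant (`tst_check_kconfigs`, if available) so callers such as `test2()` in ima_policy.sh keep control of the verdict. The version threshold is also inconsistent: the commit message says "Since kernel 6.6", while the comment cites `v6.5-rc4` and the check is `tst_kvcmp -ge '6.5'`; one of them should be corrected against upstream commit 56dc986a6b20b. A short comment stating the contract would help, e.g. `# Return 0 if the running kernel refuses unsigned IMA policy (UEFI secure boot + signed-policy enforcement), non-zero otherwise`.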
