This reverts commit 31bb2bbdd3ecfe4b4557d3678f80fe61ace340d0.

c38b528783 demonstrated a bug introduced by 31bb2bbdd3 on SUT on kernel without CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY.

on tmpfs TMPDIR fails on umount:

...
ima_policy 2 TCONF: IMA policy already loaded and kernel not configured to enable multiple writes to it (need CONFIG_IMA_WRITE_POLICY=y)
ima_policy 2 TCONF: IMA policy already loaded and kernel not configured to enable multiple writes to it (need CONFIG_IMA_WRITE_POLICY=y)
umount: /tmp/LTP_ima_policy.23MpPS2XWr/mntpoint: target is busy.
ima_policy 2 TINFO: umount(/tmp/LTP_ima_policy.23MpPS2XWr/mntpoint) failed, try 1 ...
ima_policy 2 TINFO: Likely gvfsd-trash is probing newly mounted fs, kill it to speed up tests.

on non-tmpfs TMPDIR (fails to remove temporary directory):

...
ima_policy 2 ima_policy 2 TCONF: IMA policy already loaded and kernel not configured to enable multiple writes to it (need CONFIG_IMA_WRITE_POLICY=y)
TCONF: IMA policy already loaded and kernel not configured to enable multiple writes to it (need CONFIG_IMA_WRITE_POLICY=y)
rm: cannot remove '/var/tmp/LTP_ima_policy.bujyrIYMGz': No such file or directory

Both errors are caused due to load_policy() calling require_policy_writable(), which calls tst_brk(). load_policy() spawns a new process, therefore it should not call tst_brk (or otherwise exit a test) because ima_cleanup() is then called twice (which causes the above problems).

Reported-by: Avinesh Kumar <[email protected]>
Reported-by: Petr Cervinka <[email protected]>
Signed-off-by: Petr Vorel <[email protected]>
---
 .../kernel/security/integrity/ima/tests/ima_policy.sh | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/testcases/kernel/security/integrity/ima/tests/ima_policy.sh b/testcases/kernel/security/integrity/ima/tests/ima_policy.sh index 490c8b6c2e..d66f261a81 100755 --- a/testcases/kernel/security/integrity/ima/tests/ima_policy.sh +++ b/testcases/kernel/security/integrity/ima/tests/ima_policy.sh 
@@ -1,7 +1,7 @@ #!/bin/sh # SPDX-License-Identifier: GPL-2.0-or-later # Copyright (c) 2009 IBM Corporation -# Copyright (c) 2018-2025 Petr Vorel <[email protected]> +# Copyright (c) 2018-2020 Petr Vorel <[email protected]> # Author: Mimi Zohar <[email protected]> # # Test replacing the default integrity measurement policy. @@ -11,6 +11,8 @@ TST_CNT=2 setup() { + require_policy_writable + VALID_POLICY="$TST_DATAROOT/measure.policy" [ -f $VALID_POLICY ] || tst_brk TCONF "missing $VALID_POLICY" @@ -18,11 +20,13 @@ setup() [ -f $INVALID_POLICY ] || tst_brk TCONF "missing $INVALID_POLICY" } +# NOTE: function spaws a new process, therefore it should not call tst_brk() +# (or otherwise exit a test), because that calls ima_cleanup() twice (which +# breaks umount on TMPDIR or removing TMPDIR). load_policy() { local ret - require_policy_writable exec 2>/dev/null 4>$IMA_POLICY [ $? -eq 0 ] || exit 1 @@ -42,6 +46,7 @@ test1() local p1 + require_policy_writable load_policy $INVALID_POLICY & p1=$! wait "$p1" if [ $? -ne 0 ]; then @@ -57,6 +62,7 @@ test2() local p1 p2 rc1 rc2 + require_policy_writable load_policy $VALID_POLICY & p1=$! load_policy $VALID_POLICY & p2=$! wait "$p1"; rc1=$? -- 2.51.0
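Review bot: The copyright line in the first hunk (@@ -1,7 +1,7 @@) goes back from 2018-2025 to 2018-2020 as a side effect of the mechanical revert, although this patch also adds new material to the file (the NOTE comment above load_policy()). Consider keeping "2018-2025" and mentioning in the commit message that the revert is not a pure one.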
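Review bot: The new NOTE above load_policy() (hunk @@ -18,11 +20,13 @@) has a typo, "spaws" should be "spawns", and it states the constraint from the wrong side for a future reader: the function itself does not spawn anything, it is the callers that run it with "&". Suggest wording along the lines of "function is run in the background by test1()/test2(), therefore it must not call tst_brk()", and adding that callers are expected to call require_policy_writable themselves before starting it, since that is the contract this patch restores.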
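Review bot: In the test1() hunk (@@ -42,6 +46,7 @@) require_policy_writable is called again right after setup() already called it, and nothing visible in the patch explains why the check is needed in setup(), test1() and test2(). If the repeated call is intentional because an earlier policy load can leave the policy non-writable on kernels without CONFIG_IMA_WRITE_POLICY, a one-line comment at the call sites would keep someone from removing it as redundant; otherwise the call in setup() or the one in test1() can be dropped.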
