[4/6] ima: Code cleanup

Message ID 1546827989-43569-5-git-send-email-zhang.jia@linux.alibaba.com
State Superseded
Delegated to: Petr Vorel
Headers show
Series
  • Untitled series #84658
Related show

Commit Message

Jia Zhang Jan. 7, 2019, 2:26 a.m.
- Don't use the legacy policy function name in policy files.
- Use the variable IMA_POLICY instead of hard code path.

Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
---
 testcases/kernel/security/integrity/ima/policy/measure.policy         | 2 +-
 testcases/kernel/security/integrity/ima/policy/measure.policy-invalid | 2 +-
 testcases/kernel/security/integrity/ima/tests/ima_policy.sh           | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

Comments

Mimi Zohar Jan. 14, 2019, 9:09 p.m. | #1
On Mon, 2019-01-07 at 10:26 +0800, Jia Zhang wrote:
> - Don't use the legacy policy function name in policy files.

The name change is from PATH_CHECK to FILE_CHECK, nothing to do with
"policy".

> - Use the variable IMA_POLICY instead of hard code path.
> 
> Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>

After removing the word "policy" above,

Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>

> ---
>  testcases/kernel/security/integrity/ima/policy/measure.policy         | 2 +-
>  testcases/kernel/security/integrity/ima/policy/measure.policy-invalid | 2 +-
>  testcases/kernel/security/integrity/ima/tests/ima_policy.sh           | 2 +-
>  3 files changed, 3 insertions(+), 3 deletions(-)
> 
> diff --git a/testcases/kernel/security/integrity/ima/policy/measure.policy b/testcases/kernel/security/integrity/ima/policy/measure.policy
> index c68e722..9976ddf 100644
> --- a/testcases/kernel/security/integrity/ima/policy/measure.policy
> +++ b/testcases/kernel/security/integrity/ima/policy/measure.policy
> @@ -13,4 +13,4 @@ dont_measure fsmagic=0x01021994
>  dont_measure fsmagic=0x73636673
>  measure func=FILE_MMAP mask=MAY_EXEC
>  measure func=BPRM_CHECK mask=MAY_EXEC
> -measure func=PATH_CHECK mask=MAY_READ uid=0
> +measure func=FILE_CHECK mask=MAY_READ uid=0
> diff --git a/testcases/kernel/security/integrity/ima/policy/measure.policy-invalid b/testcases/kernel/security/integrity/ima/policy/measure.policy-invalid
> index e406757..04dff89 100644
> --- a/testcases/kernel/security/integrity/ima/policy/measure.policy-invalid
> +++ b/testcases/kernel/security/integrity/ima/policy/measure.policy-invalid
> @@ -13,4 +13,4 @@ dont_measure fsmagic=0x01021994
>  dnt_measure fsmagic=0x73636673
>  measure func=FILE_MMAP mask=MAY_EXEC
>  measure func=BPRM_CHECK mask=MAY_EXEC
> -measure func=PATH_CHECK mask=MAY_READ uid=0
> +measure func=FILE_CHECK mask=MAY_READ uid=0
> diff --git a/testcases/kernel/security/integrity/ima/tests/ima_policy.sh b/testcases/kernel/security/integrity/ima/tests/ima_policy.sh
> index 64aa8cb..a0c7869 100755
> --- a/testcases/kernel/security/integrity/ima/tests/ima_policy.sh
> +++ b/testcases/kernel/security/integrity/ima/tests/ima_policy.sh
> @@ -28,7 +28,7 @@ check_policy_writable()
>  {
>  	local err="IMA policy already loaded and kernel not configured to enable multiple writes to it (need CONFIG_IMA_WRITE_POLICY=y)"
> 
> -	[ -f /sys/kernel/security/ima/policy ] || tst_brk TCONF "$err"
> +	[ -f $IMA_POLICY ] || tst_brk TCONF "$err"
>  	# CONFIG_IMA_READ_POLICY
>  	echo "" 2> log > $IMA_POLICY
>  	grep -q "Device or resource busy" log && tst_brk TCONF "$err"

Patch

diff --git a/testcases/kernel/security/integrity/ima/policy/measure.policy b/testcases/kernel/security/integrity/ima/policy/measure.policy
index c68e722..9976ddf 100644
--- a/testcases/kernel/security/integrity/ima/policy/measure.policy
+++ b/testcases/kernel/security/integrity/ima/policy/measure.policy
@@ -13,4 +13,4 @@  dont_measure fsmagic=0x01021994
 dont_measure fsmagic=0x73636673
 measure func=FILE_MMAP mask=MAY_EXEC
 measure func=BPRM_CHECK mask=MAY_EXEC
-measure func=PATH_CHECK mask=MAY_READ uid=0
+measure func=FILE_CHECK mask=MAY_READ uid=0
diff --git a/testcases/kernel/security/integrity/ima/policy/measure.policy-invalid b/testcases/kernel/security/integrity/ima/policy/measure.policy-invalid
index e406757..04dff89 100644
--- a/testcases/kernel/security/integrity/ima/policy/measure.policy-invalid
+++ b/testcases/kernel/security/integrity/ima/policy/measure.policy-invalid
@@ -13,4 +13,4 @@  dont_measure fsmagic=0x01021994
 dnt_measure fsmagic=0x73636673
 measure func=FILE_MMAP mask=MAY_EXEC
 measure func=BPRM_CHECK mask=MAY_EXEC
-measure func=PATH_CHECK mask=MAY_READ uid=0
+measure func=FILE_CHECK mask=MAY_READ uid=0
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_policy.sh b/testcases/kernel/security/integrity/ima/tests/ima_policy.sh
index 64aa8cb..a0c7869 100755
--- a/testcases/kernel/security/integrity/ima/tests/ima_policy.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_policy.sh
@@ -28,7 +28,7 @@  check_policy_writable()
 {
 	local err="IMA policy already loaded and kernel not configured to enable multiple writes to it (need CONFIG_IMA_WRITE_POLICY=y)"
 
-	[ -f /sys/kernel/security/ima/policy ] || tst_brk TCONF "$err"
+	[ -f $IMA_POLICY ] || tst_brk TCONF "$err"
 	# CONFIG_IMA_READ_POLICY
 	echo "" 2> log > $IMA_POLICY
 	grep -q "Device or resource busy" log && tst_brk TCONF "$err"