Re: [PATCH bpf-next v2 3/3] bpf: Update LSM selftests for bpf_ima_inode_hash

From: Mimi Zohar
Date: Mon Nov 23 2020 - 08:25:34 EST


On Sat, 2020-11-21 at 00:50 +0000, KP Singh wrote:
> From: KP Singh <kpsingh@xxxxxxxxxx>
>
> - Update the IMA policy before executing the test binary (this is not an
> override of the policy, just an append that ensures that hashes are
> calculated on executions).

Assuming the builtin policy has been replaced with a custom policy and
CONFIG_IMA_WRITE_POLICY is enabled, then yes the rule is appended. If
a custom policy has not yet been loaded, loading this rule becomes the
defacto custom policy.

Even if a custom policy has been loaded, potentially additional
measurements unrelated to this test would be included the measurement
list. One way of limiting a rule to a specific test is by loopback
mounting a file system and defining a policy rule based on the loopback
mount unique uuid.

Mimi