[PATCH bpf-next v2 3/3] bpf: Update LSM selftests for bpf_ima_inode_hash
KP Singh
kpsingh at chromium.org
Sat Nov 21 00:50:54 UTC 2020
From: KP Singh <kpsingh at google.com>
- Update the IMA policy before executing the test binary (this is not an
override of the policy, just an append that ensures that hashes are
calculated on executions).
- Call the bpf_ima_inode_hash in the bprm_committed_creds hook and check
if the call succeeded and a hash was calculated.
Acked-by: Yonghong Song <yhs at fb.com>
Signed-off-by: KP Singh <kpsingh at google.com>
---
tools/testing/selftests/bpf/config | 3 ++
.../selftests/bpf/prog_tests/test_lsm.c | 32 +++++++++++++++++++
tools/testing/selftests/bpf/progs/lsm.c | 7 +++-
3 files changed, 41 insertions(+), 1 deletion(-)
diff --git a/tools/testing/selftests/bpf/config b/tools/testing/selftests/bpf/config
index 2118e23ac07a..4b5764031368 100644
--- a/tools/testing/selftests/bpf/config
+++ b/tools/testing/selftests/bpf/config
@@ -39,3 +39,6 @@ CONFIG_BPF_JIT=y
CONFIG_BPF_LSM=y
CONFIG_SECURITY=y
CONFIG_LIRC=y
+CONFIG_IMA=y
+CONFIG_IMA_WRITE_POLICY=y
+CONFIG_IMA_READ_POLICY=y
diff --git a/tools/testing/selftests/bpf/prog_tests/test_lsm.c b/tools/testing/selftests/bpf/prog_tests/test_lsm.c
index 6ab29226c99b..bcb050a296a4 100644
--- a/tools/testing/selftests/bpf/prog_tests/test_lsm.c
+++ b/tools/testing/selftests/bpf/prog_tests/test_lsm.c
@@ -52,6 +52,28 @@ int exec_cmd(int *monitored_pid)
return -EINVAL;
}
+#define IMA_POLICY "measure func=BPRM_CHECK"
+
+/* This does not override the policy, IMA policy updates are
+ * append only, so this just ensures that "measure func=BPRM_CHECK"
+ * is in the policy. IMA does not allow us to remove this line once
+ * it is added.
+ */
+static int update_ima_policy(void)
+{
+ int fd, ret = 0;
+
+ fd = open("/sys/kernel/security/ima/policy", O_WRONLY);
+ if (fd < 0)
+ return -errno;
+
+ if (write(fd, IMA_POLICY, sizeof(IMA_POLICY)) == -1)
+ ret = -errno;
+
+ close(fd);
+ return ret;
+}
+
void test_test_lsm(void)
{
struct lsm *skel = NULL;
@@ -66,6 +88,10 @@ void test_test_lsm(void)
if (CHECK(err, "attach", "lsm attach failed: %d\n", err))
goto close_prog;
+ err = update_ima_policy();
+ if (CHECK(err, "update_ima_policy", "err %d\n", err))
+ goto close_prog;
+
err = exec_cmd(&skel->bss->monitored_pid);
if (CHECK(err < 0, "exec_cmd", "err %d errno %d\n", err, errno))
goto close_prog;
@@ -83,6 +109,12 @@ void test_test_lsm(void)
CHECK(skel->bss->mprotect_count != 1, "mprotect_count",
"mprotect_count = %d\n", skel->bss->mprotect_count);
+ CHECK(skel->data->ima_hash_ret < 0, "ima_hash_ret",
+ "ima_hash_ret = %ld\n", skel->data->ima_hash_ret);
+
+ CHECK(skel->bss->ima_hash == 0, "ima_hash",
+ "ima_hash = %lu\n", skel->bss->ima_hash);
+
syscall(__NR_setdomainname, &buf, -2L);
syscall(__NR_setdomainname, 0, -3L);
syscall(__NR_setdomainname, ~0L, -4L);
diff --git a/tools/testing/selftests/bpf/progs/lsm.c b/tools/testing/selftests/bpf/progs/lsm.c
index ff4d343b94b5..5adc193e414d 100644
--- a/tools/testing/selftests/bpf/progs/lsm.c
+++ b/tools/testing/selftests/bpf/progs/lsm.c
@@ -35,6 +35,8 @@ char _license[] SEC("license") = "GPL";
int monitored_pid = 0;
int mprotect_count = 0;
int bprm_count = 0;
+long ima_hash_ret = -1;
+u64 ima_hash = 0;
SEC("lsm/file_mprotect")
int BPF_PROG(test_int_hook, struct vm_area_struct *vma,
@@ -65,8 +67,11 @@ int BPF_PROG(test_void_hook, struct linux_binprm *bprm)
__u32 key = 0;
__u64 *value;
- if (monitored_pid == pid)
+ if (monitored_pid == pid) {
bprm_count++;
+ ima_hash_ret = bpf_ima_inode_hash(bprm->file->f_inode,
+ &ima_hash, sizeof(ima_hash));
+ }
bpf_copy_from_user(args, sizeof(args), (void *)bprm->vma->vm_mm->arg_start);
bpf_copy_from_user(args, sizeof(args), (void *)bprm->mm->arg_start);
--
2.29.2.454.gaff20da3a2-goog
More information about the Linux-security-module-archive
mailing list