[PATCH bpf-next v3 3/3] bpf: Add a selftest for bpf_ima_inode_hash
Andrii Nakryiko
andrii.nakryiko at gmail.com
Fri Nov 27 04:29:16 UTC 2020
On Tue, Nov 24, 2020 at 7:16 AM KP Singh <kpsingh at chromium.org> wrote:
>
> From: KP Singh <kpsingh at google.com>
>
> The test does the following:
>
> - Mounts a loopback filesystem and appends the IMA policy to measure
> executions only on this file-system. Restricting the IMA policy to a
> particular filesystem prevents a system-wide IMA policy change.
> - Executes an executable copied to this loopback filesystem.
> - Calls the bpf_ima_inode_hash in the bprm_committed_creds hook and
> checks if the call succeeded and checks if a hash was calculated.
>
> The test shells out to the added ima_setup.sh script as the setup is
> better handled in a shell script and is more complicated to do in the
> test program or even shelling out individual commands from C.
>
> The list of required configs (i.e. IMA, SECURITYFS,
> IMA_{WRITE,READ}_POLICY) for running this test are also updated.
>
> Signed-off-by: KP Singh <kpsingh at google.com>
> ---
> tools/testing/selftests/bpf/config | 4 +
> tools/testing/selftests/bpf/ima_setup.sh | 80 +++++++++++++++++++
> .../selftests/bpf/prog_tests/test_ima.c | 74 +++++++++++++++++
> tools/testing/selftests/bpf/progs/ima.c | 28 +++++++
> 4 files changed, 186 insertions(+)
> create mode 100644 tools/testing/selftests/bpf/ima_setup.sh
> create mode 100644 tools/testing/selftests/bpf/prog_tests/test_ima.c
> create mode 100644 tools/testing/selftests/bpf/progs/ima.c
>
[...]
> +cleanup() {
> + local tmp_dir="$1"
> + local mount_img="${tmp_dir}/test.img"
> + local mount_dir="${tmp_dir}/mnt"
> +
> + local loop_devices=$(losetup -j ${mount_img} -O NAME --noheadings)
libbpf and kernel-patches CIs are using BusyBox environment which has
losetup that doesn't support -j option. Is there some way to work
around that? What we have is this:
BusyBox v1.31.1 () multi-call binary.
Usage: losetup [-rP] [-o OFS] {-f|LOOPDEV} FILE: associate loop devices
losetup -c LOOPDEV: reread file size
losetup -d LOOPDEV: disassociate
losetup -a: show status
losetup -f: show next free loop device
-o OFS Start OFS bytes into FILE
-P Scan for partitions
-r Read-only
-f Show/use next free loop device
> + for loop_dev in "${loop_devices}"; do
> + losetup -d $loop_dev
> + done
> +
> + umount ${mount_dir}
> + rm -rf ${tmp_dir}
> +}
> +
[...]
More information about the Linux-security-module-archive
mailing list