[PATCH v2 6/6] selftests/bpf: Add test for bpf_lsm_kernel_read_file()
Roberto Sassu
roberto.sassu at huawei.com
Tue Feb 15 16:20:17 UTC 2022
> From: Shuah Khan [mailto:skhan at linuxfoundation.org]
> Sent: Tuesday, February 15, 2022 5:11 PM
> On 2/15/22 5:40 AM, Roberto Sassu wrote:
> > Test the ability of bpf_lsm_kernel_read_file() to call the sleepable
> > functions bpf_ima_inode_hash() or bpf_ima_file_hash() to obtain a
> > measurement of a loaded IMA policy.
> >
> > Signed-off-by: Roberto Sassu <roberto.sassu at huawei.com>
> > ---
> > tools/testing/selftests/bpf/ima_setup.sh | 2 ++
> > .../selftests/bpf/prog_tests/test_ima.c | 3 +-
> > tools/testing/selftests/bpf/progs/ima.c | 28 ++++++++++++++++---
> > 3 files changed, 28 insertions(+), 5 deletions(-)
> >
> > diff --git a/tools/testing/selftests/bpf/ima_setup.sh
> b/tools/testing/selftests/bpf/ima_setup.sh
> > index 8e62581113a3..82530f19f85a 100755
> > --- a/tools/testing/selftests/bpf/ima_setup.sh
> > +++ b/tools/testing/selftests/bpf/ima_setup.sh
> > @@ -51,6 +51,7 @@ setup()
> >
> > ensure_mount_securityfs
> > echo "measure func=BPRM_CHECK fsuuid=${mount_uuid}" >
> ${IMA_POLICY_FILE}
> > + echo "measure func=BPRM_CHECK fsuuid=${mount_uuid}" >
> ${mount_dir}/policy_test
> > }
> >
> > cleanup() {
> > @@ -74,6 +75,7 @@ run()
> > local mount_dir="${tmp_dir}/mnt"
> > local copied_bin_path="${mount_dir}/$(basename ${TEST_BINARY})"
> >
> > + echo ${mount_dir}/policy_test > ${IMA_POLICY_FILE}
> > exec "${copied_bin_path}"
> > }
> >
> > diff --git a/tools/testing/selftests/bpf/prog_tests/test_ima.c
> b/tools/testing/selftests/bpf/prog_tests/test_ima.c
> > index 62bf0e830453..c4a62d7b70df 100644
> > --- a/tools/testing/selftests/bpf/prog_tests/test_ima.c
> > +++ b/tools/testing/selftests/bpf/prog_tests/test_ima.c
> > @@ -97,8 +97,9 @@ void test_test_ima(void)
> > /*
> > * 1 sample with use_ima_file_hash = false
> > * 2 samples with use_ima_file_hash = true (./ima_setup.sh, /bin/true)
> > + * 1 sample with use_ima_file_hash = true (IMA policy)
> > */
> > - ASSERT_EQ(err, 3, "num_samples_or_err");
> > + ASSERT_EQ(err, 4, "num_samples_or_err");
> > ASSERT_NEQ(ima_hash_from_bpf, 0, "ima_hash");
> >
> > close_clean:
> > diff --git a/tools/testing/selftests/bpf/progs/ima.c
> b/tools/testing/selftests/bpf/progs/ima.c
> > index 9bb63f96cfc0..9b4c03f30a1c 100644
> > --- a/tools/testing/selftests/bpf/progs/ima.c
> > +++ b/tools/testing/selftests/bpf/progs/ima.c
> > @@ -20,8 +20,7 @@ char _license[] SEC("license") = "GPL";
> >
> > bool use_ima_file_hash;
> >
> > -SEC("lsm.s/bprm_committed_creds")
> > -void BPF_PROG(ima, struct linux_binprm *bprm)
> > +static void ima_test_common(struct file *file)
> > {
> > u64 ima_hash = 0;
> > u64 *sample;
> > @@ -31,10 +30,10 @@ void BPF_PROG(ima, struct linux_binprm *bprm)
> > pid = bpf_get_current_pid_tgid() >> 32;
> > if (pid == monitored_pid) {
> > if (!use_ima_file_hash)
> > - ret = bpf_ima_inode_hash(bprm->file->f_inode,
> &ima_hash,
> > + ret = bpf_ima_inode_hash(file->f_inode, &ima_hash,
> > sizeof(ima_hash));
> > else
> > - ret = bpf_ima_file_hash(bprm->file, &ima_hash,
> > + ret = bpf_ima_file_hash(file, &ima_hash,
> > sizeof(ima_hash));
> > if (ret < 0 || ima_hash == 0)
>
> Is this considered an error? Does it make sense for this test to be
> void type and not return the error to its callers? One of the callers
> below seems to care for return values.
The user space side of the test (test_ima.c) seems to check the
number of samples obtained from the ring buffer. A failure here
would result in the sample not being sent to that component.
Another test, as you suggest, could be to ensure that the
kernel_read_file hook is able to deny operations. I would check
this in a separate test.
Thanks
Roberto
HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063
Managing Director: Li Peng, Zhong Ronghua
> > return;
> > @@ -49,3 +48,24 @@ void BPF_PROG(ima, struct linux_binprm *bprm)
> >
> > return;
> > }
> > +
> > +SEC("lsm.s/bprm_committed_creds")
> > +void BPF_PROG(ima, struct linux_binprm *bprm)
> > +{
> > + ima_test_common(bprm->file);
> > +}
> > +
> > +SEC("lsm.s/kernel_read_file")
> > +int BPF_PROG(kernel_read_file, struct file *file, enum kernel_read_file_id id,
> > + bool contents)
> > +{
> > + if (!contents)
> > + return 0;
> > +
> > + if (id != READING_POLICY)
> > + return 0;
> > +
> > + ima_test_common(file);
>
> This one here.
>
> > +
> > + return 0;
> > +}
> >
>
> thanks,
> -- Shuah
More information about the Linux-security-module-archive
mailing list