[PATCH v3 9/9] selftests/bpf: Check that bpf_kernel_read_file() denies reading IMA policy
Roberto Sassu
roberto.sassu at huawei.com
Wed Mar 2 11:14:04 UTC 2022
Check that bpf_kernel_read_file() denies the reading of an IMA policy, by
ensuring that ima_setup.sh exits with an error.
Signed-off-by: Roberto Sassu <roberto.sassu at huawei.com>
---
.../selftests/bpf/prog_tests/test_ima.c | 17 +++++++++++++++++
tools/testing/selftests/bpf/progs/ima.c | 18 ++++++++++++++++++
2 files changed, 35 insertions(+)
diff --git a/tools/testing/selftests/bpf/prog_tests/test_ima.c b/tools/testing/selftests/bpf/prog_tests/test_ima.c
index b13a141c4220..b13feceb38f1 100644
--- a/tools/testing/selftests/bpf/prog_tests/test_ima.c
+++ b/tools/testing/selftests/bpf/prog_tests/test_ima.c
@@ -59,6 +59,7 @@ static void test_init(struct ima__bss *bss)
bss->use_ima_file_hash = false;
bss->enable_bprm_creds_for_exec = false;
bss->enable_kernel_read_file = false;
+ bss->test_deny = false;
}
void test_test_ima(void)
@@ -200,6 +201,22 @@ void test_test_ima(void)
ASSERT_NEQ(ima_hash_from_bpf[0], 0, "ima_hash");
ASSERT_NEQ(ima_hash_from_bpf[1], 0, "ima_hash");
+ /*
+ * Test #6
+ * - Goal: ensure that the kernel_read_file hook denies an operation
+ * - Expected result: 0 samples
+ */
+ test_init(skel->bss);
+ skel->bss->enable_kernel_read_file = true;
+ skel->bss->test_deny = true;
+ err = _run_measured_process(measured_dir, &skel->bss->monitored_pid,
+ "load-policy");
+ if (CHECK(!err, "run_measured_process #6", "err = %d\n", err))
+ goto close_clean;
+
+ err = ring_buffer__consume(ringbuf);
+ ASSERT_EQ(err, 0, "num_samples_or_err");
+
close_clean:
snprintf(cmd, sizeof(cmd), "./ima_setup.sh cleanup %s", measured_dir);
err = system(cmd);
diff --git a/tools/testing/selftests/bpf/progs/ima.c b/tools/testing/selftests/bpf/progs/ima.c
index e3ce943c5c3d..e16a2c208481 100644
--- a/tools/testing/selftests/bpf/progs/ima.c
+++ b/tools/testing/selftests/bpf/progs/ima.c
@@ -21,6 +21,7 @@ char _license[] SEC("license") = "GPL";
bool use_ima_file_hash;
bool enable_bprm_creds_for_exec;
bool enable_kernel_read_file;
+bool test_deny;
static void ima_test_common(struct file *file)
{
@@ -51,6 +52,17 @@ static void ima_test_common(struct file *file)
return;
}
+static int ima_test_deny(void)
+{
+ u32 pid;
+
+ pid = bpf_get_current_pid_tgid() >> 32;
+ if (pid == monitored_pid && test_deny)
+ return -EPERM;
+
+ return 0;
+}
+
SEC("lsm.s/bprm_committed_creds")
void BPF_PROG(bprm_committed_creds, struct linux_binprm *bprm)
{
@@ -71,6 +83,8 @@ SEC("lsm.s/kernel_read_file")
int BPF_PROG(kernel_read_file, struct file *file, enum kernel_read_file_id id,
bool contents)
{
+ int ret;
+
if (!enable_kernel_read_file)
return 0;
@@ -80,6 +94,10 @@ int BPF_PROG(kernel_read_file, struct file *file, enum kernel_read_file_id id,
if (id != READING_POLICY)
return 0;
+ ret = ima_test_deny();
+ if (ret < 0)
+ return ret;
+
ima_test_common(file);
return 0;
}
--
2.32.0
More information about the Linux-security-module-archive
mailing list