selftests/bpf: Fix IMA test · tjh.dev/kernel@12fabae

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

selftests/bpf: Fix IMA test

Commit 62622dab0a28 ("ima: return IMA digest value only when IMA_COLLECTED
flag is set") caused bpf_ima_inode_hash() to refuse to give non-fresh
digests. IMA test #3 assumed the old behavior, that bpf_ima_inode_hash()
still returned also non-fresh digests.

Correct the test by accepting both cases. If the samples returned are 1,
assume that the commit above is applied and that the returned digest is
fresh. If the samples returned are 2, assume that the commit above is not
applied, and check both the non-fresh and fresh digest.

Fixes: 62622dab0a28 ("ima: return IMA digest value only when IMA_COLLECTED flag is set")
Reported-by: David Vernet <void@manifault.com>
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Reviewed-by: Matt Bobrowski <mattbobrowski@google.com>
Link: https://lore.kernel.org/bpf/20230308103713.1681200-1-roberto.sassu@huaweicloud.com

authored by

Roberto Sassu and committed by

Andrii Nakryiko 3 years ago 12fabae0 d1d51a62

+21 -8

1 changed file

expand all

tools

testing

selftests

bpf

prog_tests

test_ima.c

+21 -8

tools/testing/selftests/bpf/prog_tests/test_ima.c

··· 70 70 u64 bin_true_sample; 71 71 char cmd[256]; 72 72 73 - int err, duration = 0; 73 + int err, duration = 0, fresh_digest_idx = 0; 74 74 struct ima *skel = NULL; 75 75 76 76 skel = ima__open_and_load(); ··· 129 129 /* 130 130 * Test #3 131 131 * - Goal: confirm that bpf_ima_inode_hash() returns a non-fresh digest 132 - * - Expected result: 2 samples (/bin/true: non-fresh, fresh) 132 + * - Expected result: 133 + * 1 sample (/bin/true: fresh) if commit 62622dab0a28 applied 134 + * 2 samples (/bin/true: non-fresh, fresh) if commit 62622dab0a28 is 135 + * not applied 136 + * 137 + * If commit 62622dab0a28 ("ima: return IMA digest value only when 138 + * IMA_COLLECTED flag is set") is applied, bpf_ima_inode_hash() refuses 139 + * to give a non-fresh digest, hence the correct result is 1 instead of 140 + * 2. 133 141 */ 134 142 test_init(skel->bss); 135 143 ··· 152 144 goto close_clean; 153 145 154 146 err = ring_buffer__consume(ringbuf); 155 - ASSERT_EQ(err, 2, "num_samples_or_err"); 156 - ASSERT_NEQ(ima_hash_from_bpf[0], 0, "ima_hash"); 157 - ASSERT_NEQ(ima_hash_from_bpf[1], 0, "ima_hash"); 158 - ASSERT_EQ(ima_hash_from_bpf[0], bin_true_sample, "sample_equal_or_err"); 147 + ASSERT_GE(err, 1, "num_samples_or_err"); 148 + if (err == 2) { 149 + ASSERT_NEQ(ima_hash_from_bpf[0], 0, "ima_hash"); 150 + ASSERT_EQ(ima_hash_from_bpf[0], bin_true_sample, 151 + "sample_equal_or_err"); 152 + fresh_digest_idx = 1; 153 + } 154 + 155 + ASSERT_NEQ(ima_hash_from_bpf[fresh_digest_idx], 0, "ima_hash"); 159 156 /* IMA refreshed the digest. */ 160 - ASSERT_NEQ(ima_hash_from_bpf[1], bin_true_sample, 161 - "sample_different_or_err"); 157 + ASSERT_NEQ(ima_hash_from_bpf[fresh_digest_idx], bin_true_sample, 158 + "sample_equal_or_err"); 162 159 163 160 /* 164 161 * Test #4