
selftests/bpf: Add test for bpf_lsm_kernel_read_file()

Test the ability of bpf_lsm_kernel_read_file() to call the sleepable
functions bpf_ima_inode_hash() or bpf_ima_file_hash() to obtain a
measurement of a loaded IMA policy.

Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Link: https://lore.kernel.org/bpf/20220302111404.193900-9-roberto.sassu@huawei.com

authored by

Roberto Sassu and committed by
Alexei Starovoitov
e6dcf7bb df6b3039

+49 -1
+12 -1
tools/testing/selftests/bpf/ima_setup.sh
··· 12 12 13 13 usage() 14 14 { 15 - echo "Usage: $0 <setup|cleanup|run|modify-bin|restore-bin> <existing_tmp_dir>" 15 + echo "Usage: $0 <setup|cleanup|run|modify-bin|restore-bin|load-policy> <existing_tmp_dir>" 16 16 exit 1 17 17 } 18 18 ··· 51 51 52 52 ensure_mount_securityfs 53 53 echo "measure func=BPRM_CHECK fsuuid=${mount_uuid}" > ${IMA_POLICY_FILE} 54 + echo "measure func=BPRM_CHECK fsuuid=${mount_uuid}" > ${mount_dir}/policy_test 54 55 } 55 56 56 57 cleanup() { ··· 96 95 truncate -s -4 "${copied_bin_path}" 97 96 } 98 97 98 + load_policy() 99 + { 100 + local tmp_dir="$1" 101 + local mount_dir="${tmp_dir}/mnt" 102 + 103 + echo ${mount_dir}/policy_test > ${IMA_POLICY_FILE} 2> /dev/null 104 + } 105 + 99 106 catch() 100 107 { 101 108 local exit_code="$1" ··· 136 127 modify_bin "${tmp_dir}" 137 128 elif [[ "${action}" == "restore-bin" ]]; then 138 129 restore_bin "${tmp_dir}" 130 + elif [[ "${action}" == "load-policy" ]]; then 131 + load_policy "${tmp_dir}" 139 132 else 140 133 echo "Unknown action: ${action}" 141 134 exit 1
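Review bot: The `2> /dev/null` on the `echo ${mount_dir}/policy_test > ${IMA_POLICY_FILE}` line in load_policy() discards the only diagnostic a rejected policy load produces, so when the securityfs write fails test #5 just reports a wrong sample count with no hint why. I would let the failure surface, e.g. `echo "${mount_dir}/policy_test" > "${IMA_POLICY_FILE}" || echo "Failed to load IMA policy ${mount_dir}/policy_test" >&2`, so the error reaches the test log. Quoting both paths also matches the rest of the script, which quotes `"${copied_bin_path}"` and `"${tmp_dir}"`. The rule written to policy_test in setup duplicates the one written to ${IMA_POLICY_FILE} on the line above it; writing the rule once into a variable would keep the two from drifting. The action dispatch (`elif [[ "${action}" == "load-policy" ]]`) belongs to a block that starts and ends outside the hunk.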
+19
tools/testing/selftests/bpf/prog_tests/test_ima.c
··· 58 58 59 59 bss->use_ima_file_hash = false; 60 60 bss->enable_bprm_creds_for_exec = false; 61 + bss->enable_kernel_read_file = false; 61 62 } 62 63 63 64 void test_test_ima(void) ··· 181 180 "restore-bin"); 182 181 if (CHECK(err, "restore-bin #3", "err = %d\n", err)) 183 182 goto close_clean; 183 + 184 + /* 185 + * Test #5 186 + * - Goal: obtain a sample from the kernel_read_file hook 187 + * - Expected result: 2 samples (./ima_setup.sh, policy_test) 188 + */ 189 + test_init(skel->bss); 190 + skel->bss->use_ima_file_hash = true; 191 + skel->bss->enable_kernel_read_file = true; 192 + err = _run_measured_process(measured_dir, &skel->bss->monitored_pid, 193 + "load-policy"); 194 + if (CHECK(err, "run_measured_process #5", "err = %d\n", err)) 195 + goto close_clean; 196 + 197 + err = ring_buffer__consume(ringbuf); 198 + ASSERT_EQ(err, 2, "num_samples_or_err"); 199 + ASSERT_NEQ(ima_hash_from_bpf[0], 0, "ima_hash"); 200 + ASSERT_NEQ(ima_hash_from_bpf[1], 0, "ima_hash"); 184 201 185 202 close_clean: 186 203 snprintf(cmd, sizeof(cmd), "./ima_setup.sh cleanup %s", measured_dir);
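Review bot: In test #5 the two `ASSERT_NEQ(ima_hash_from_bpf[...], 0, "ima_hash")` checks carry the same name, so a failure does not say whether the missing hash is the one for ./ima_setup.sh or for policy_test; `"ima_hash #5 bin"` and `"ima_hash #5 policy"` would disambiguate, in line with the numbered names used on the CHECK calls. The `ASSERT_EQ(err, 2, "num_samples_or_err")` does not stop the test on mismatch, so if fewer than two samples arrived the array reads that follow may inspect values left over from test #4 (I cannot see from this hunk whether ima_hash_from_bpf is cleared between tests); a `goto close_clean` after the count check, as the earlier CHECKs do, would avoid reporting a stale hash as a pass. test_test_ima() starts and ends outside the hunk.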
+18
tools/testing/selftests/bpf/progs/ima.c
··· 20 20 21 21 bool use_ima_file_hash; 22 22 bool enable_bprm_creds_for_exec; 23 + bool enable_kernel_read_file; 23 24 24 25 static void ima_test_common(struct file *file) 25 26 { ··· 64 63 return 0; 65 64 66 65 ima_test_common(bprm->file); 66 + return 0; 67 + } 68 + 69 + SEC("lsm.s/kernel_read_file") 70 + int BPF_PROG(kernel_read_file, struct file *file, enum kernel_read_file_id id, 71 + bool contents) 72 + { 73 + if (!enable_kernel_read_file) 74 + return 0; 75 + 76 + if (!contents) 77 + return 0; 78 + 79 + if (id != READING_POLICY) 80 + return 0; 81 + 82 + ima_test_common(file); 67 83 return 0; 68 84 }
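Review bot: The new kernel_read_file program documents none of its three early returns, although the `contents` and `id` filters are what keep a system-wide sleepable LSM hook from measuring unrelated kernel file reads; I would add above the guards `/* Only measure the contents-bearing read of an IMA policy file; calls with contents == false and other kernel_read_file_id values are ignored. */`. Stylistically the three guards can collapse into one filter, `if (!enable_kernel_read_file || !contents || id != READING_POLICY) return 0;`, which reads as a single condition. Nothing visible in this hunk ties the sample to monitored_pid, so a concurrent policy load by another process during test #5 would also produce a sample; that may be handled inside ima_test_common(), whose body and the earlier return in the bprm program are outside the hunk.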