Test the ability of bpf_lsm_kernel_read_file() to call the sleepable functions bpf_ima_inode_hash() or bpf_ima_file_hash() to obtain a measurement of a loaded IMA policy.
Signed-off-by: Roberto Sassu roberto.sassu@huawei.com --- tools/testing/selftests/bpf/ima_setup.sh | 2 ++ .../selftests/bpf/prog_tests/test_ima.c | 3 +- tools/testing/selftests/bpf/progs/ima.c | 28 ++++++++++++++++--- 3 files changed, 28 insertions(+), 5 deletions(-)
diff --git a/tools/testing/selftests/bpf/ima_setup.sh b/tools/testing/selftests/bpf/ima_setup.sh index 8e62581113a3..82530f19f85a 100755 --- a/tools/testing/selftests/bpf/ima_setup.sh +++ b/tools/testing/selftests/bpf/ima_setup.sh @@ -51,6 +51,7 @@ setup()
ensure_mount_securityfs echo "measure func=BPRM_CHECK fsuuid=${mount_uuid}" > ${IMA_POLICY_FILE} + echo "measure func=BPRM_CHECK fsuuid=${mount_uuid}" > ${mount_dir}/policy_test }
cleanup() { @@ -74,6 +75,7 @@ run() local mount_dir="${tmp_dir}/mnt" local copied_bin_path="${mount_dir}/$(basename ${TEST_BINARY})"
+ echo ${mount_dir}/policy_test > ${IMA_POLICY_FILE} exec "${copied_bin_path}" }
diff --git a/tools/testing/selftests/bpf/prog_tests/test_ima.c b/tools/testing/selftests/bpf/prog_tests/test_ima.c index 62bf0e830453..c4a62d7b70df 100644 --- a/tools/testing/selftests/bpf/prog_tests/test_ima.c +++ b/tools/testing/selftests/bpf/prog_tests/test_ima.c @@ -97,8 +97,9 @@ void test_test_ima(void) /* * 1 sample with use_ima_file_hash = false * 2 samples with use_ima_file_hash = true (./ima_setup.sh, /bin/true) + * 1 sample with use_ima_file_hash = true (IMA policy) */ - ASSERT_EQ(err, 3, "num_samples_or_err"); + ASSERT_EQ(err, 4, "num_samples_or_err"); ASSERT_NEQ(ima_hash_from_bpf, 0, "ima_hash");
close_clean: diff --git a/tools/testing/selftests/bpf/progs/ima.c b/tools/testing/selftests/bpf/progs/ima.c index 9bb63f96cfc0..9b4c03f30a1c 100644 --- a/tools/testing/selftests/bpf/progs/ima.c +++ b/tools/testing/selftests/bpf/progs/ima.c @@ -20,8 +20,7 @@ char _license[] SEC("license") = "GPL";
bool use_ima_file_hash;
-SEC("lsm.s/bprm_committed_creds") -void BPF_PROG(ima, struct linux_binprm *bprm) +static void ima_test_common(struct file *file) { u64 ima_hash = 0; u64 *sample; @@ -31,10 +30,10 @@ void BPF_PROG(ima, struct linux_binprm *bprm) pid = bpf_get_current_pid_tgid() >> 32; if (pid == monitored_pid) { if (!use_ima_file_hash) - ret = bpf_ima_inode_hash(bprm->file->f_inode, &ima_hash, + ret = bpf_ima_inode_hash(file->f_inode, &ima_hash, sizeof(ima_hash)); else - ret = bpf_ima_file_hash(bprm->file, &ima_hash, + ret = bpf_ima_file_hash(file, &ima_hash, sizeof(ima_hash)); if (ret < 0 || ima_hash == 0) return; @@ -49,3 +48,24 @@ void BPF_PROG(ima, struct linux_binprm *bprm)
return; } + +SEC("lsm.s/bprm_committed_creds") +void BPF_PROG(ima, struct linux_binprm *bprm) +{ + ima_test_common(bprm->file); +} + +SEC("lsm.s/kernel_read_file") +int BPF_PROG(kernel_read_file, struct file *file, enum kernel_read_file_id id, + bool contents) +{ + if (!contents) + return 0; + + if (id != READING_POLICY) + return 0; + + ima_test_common(file); + + return 0; +}