selftests/bpf: Check that bpf_kernel_read_file() denies reading IMA policy

Check that bpf_kernel_read_file() denies the reading of an IMA policy, by
ensuring that ima_setup.sh exits with an error.

Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Link: https://lore.kernel.org/bpf/20220302111404.193900-10-roberto.sassu@huawei.com

authored by

Roberto Sassu and committed by
Alexei Starovoitov
7bae42b6 e6dcf7bb

+35
+17
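--- a/tools/testing/selftests/bpf/prog_tests/test_ima.c
+++ b/tools/testing/selftests/bpf/prog_tests/test_ima.c
@@ -59,6 +59,7 @@
 	bss->use_ima_file_hash = false;
 	bss->enable_bprm_creds_for_exec = false;
 	bss->enable_kernel_read_file = false;
+	bss->test_deny = false;
 }
 
 void test_test_ima(void)
@@ -200,6 +199,22 @@
 	ASSERT_EQ(err, 2, "num_samples_or_err");
 	ASSERT_NEQ(ima_hash_from_bpf[0], 0, "ima_hash");
 	ASSERT_NEQ(ima_hash_from_bpf[1], 0, "ima_hash");
+
+	/*
+	 * Test #6
+	 * - Goal: ensure that the kernel_read_file hook denies an operation
+	 * - Expected result: 0 samples
+	 */
+	test_init(skel->bss);
+	skel->bss->enable_kernel_read_file = true;
+	skel->bss->test_deny = true;
+	err = _run_measured_process(measured_dir, &skel->bss->monitored_pid,
+				    "load-policy");
+	if (CHECK(!err, "run_measured_process #6", "err = %d\n", err))
+		goto close_clean;
+
+	err = ring_buffer__consume(ringbuf);
+	ASSERT_EQ(err, 0, "num_samples_or_err");
 
 close_clean:
 	snprintf(cmd, sizeof(cmd), "./ima_setup.sh cleanup %s", measured_dir);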
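Review bot: The Test #6 block treats any non-zero return from the load-policy step as proof of denial (`if (CHECK(!err, "run_measured_process #6", "err = %d\n", err))`), so a failure unrelated to the kernel_read_file hook — a missing policy file or an ima_setup.sh error — satisfies this check and also yields the expected 0 samples. If `_run_measured_process` (defined outside the hunk) propagates the script's exit status, asserting the specific status produced when the policy write is rejected would make the test harder to pass by accident; otherwise the Test #6 comment should at least state that the preceding test, which expects 2 samples from the same hook, is the positive control that gives a bare error its meaning, e.g. `* - Note: the previous load-policy run succeeded, so an error here is attributed to the deny path`. test_test_ima's body starts before this hunk and continues past the close_clean label.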
+18
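--- a/tools/testing/selftests/bpf/progs/ima.c
+++ b/tools/testing/selftests/bpf/progs/ima.c
@@ -21,6 +21,7 @@
 bool use_ima_file_hash;
 bool enable_bprm_creds_for_exec;
 bool enable_kernel_read_file;
+bool test_deny;
 
 static void ima_test_common(struct file *file)
 {
@@ -52,6 +51,17 @@
 	return;
 }
 
+static int ima_test_deny(void)
+{
+	u32 pid;
+
+	pid = bpf_get_current_pid_tgid() >> 32;
+	if (pid == monitored_pid && test_deny)
+		return -EPERM;
+
+	return 0;
+}
+
 SEC("lsm.s/bprm_committed_creds")
 void BPF_PROG(bprm_committed_creds, struct linux_binprm *bprm)
 {
@@ -83,6 +71,8 @@
 int BPF_PROG(kernel_read_file, struct file *file, enum kernel_read_file_id id,
 	     bool contents)
 {
+	int ret;
+
 	if (!enable_kernel_read_file)
 		return 0;
 
@@ -93,6 +79,10 @@
 
 	if (id != READING_POLICY)
 		return 0;
+
+	ret = ima_test_deny();
+	if (ret < 0)
+		return ret;
 
 	ima_test_common(file);
 	return 0;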
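Review bot: `ima_test_deny()` has no comment describing its scope, and the reason a denial can never hit a non-policy read is only visible at its single call site, which sits after the `if (id != READING_POLICY) return 0;` early return in the last hunk. A header comment above the function would capture that, e.g. `/* Reject the operation for the monitored process when test_deny is set; the caller has already restricted this to READING_POLICY. */`. The local `pid` holds the upper 32 bits of `bpf_get_current_pid_tgid()`, i.e. the tgid rather than the thread id, which a comment such as `/* tgid, matches what user space stores in monitored_pid */` would make explicit (whether monitored_pid is set from a tgid is decided outside this file). The kernel_read_file BPF_PROG begins in the third hunk and the statements between the third and fourth hunks are not in view.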