| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <cad0ea25-8567-368a-1f99-b4adc7440a7f@fb.com>
Date: Fri, 20 Nov 2020 10:11:51 -0800
From: Yonghong Song <yhs@...com>
To: KP Singh <kpsingh@...omium.org>, James Morris <jmorris@...ei.org>,
<linux-kernel@...r.kernel.org>, <bpf@...r.kernel.org>,
<linux-security-module@...r.kernel.org>
CC: Alexei Starovoitov <ast@...nel.org>,
Daniel Borkmann <daniel@...earbox.net>,
Florent Revest <revest@...omium.org>,
Brendan Jackman <jackmanb@...omium.org>,
Mimi Zohar <zohar@...ux.ibm.com>
Subject: Re: [PATCH bpf-next 3/3] bpf: Update LSM selftests for
bpf_ima_inode_hash
On 11/20/20 5:17 AM, KP Singh wrote:
> From: KP Singh <kpsingh@...gle.com>
>
> - Update the IMA policy before executing the test binary (this is not an
> override of the policy, just an append that ensures that hashes are
> calculated on executions).
>
> - Call the bpf_ima_inode_hash in the bprm_committed_creds hook and check
> if the call succeeded and a hash was calculated.
>
> Signed-off-by: KP Singh <kpsingh@...gle.com>
LGTM with a few nits below.
Acked-by: Yonghong Song <yhs@...com>
> ---
> tools/testing/selftests/bpf/config | 3 ++
> .../selftests/bpf/prog_tests/test_lsm.c | 32 +++++++++++++++++++
> tools/testing/selftests/bpf/progs/lsm.c | 7 +++-
> 3 files changed, 41 insertions(+), 1 deletion(-)
>
> diff --git a/tools/testing/selftests/bpf/config b/tools/testing/selftests/bpf/config
> index 2118e23ac07a..4b5764031368 100644
> --- a/tools/testing/selftests/bpf/config
> +++ b/tools/testing/selftests/bpf/config
> @@ -39,3 +39,6 @@ CONFIG_BPF_JIT=y
> CONFIG_BPF_LSM=y
> CONFIG_SECURITY=y
> CONFIG_LIRC=y
> +CONFIG_IMA=y
> +CONFIG_IMA_WRITE_POLICY=y
> +CONFIG_IMA_READ_POLICY=y
> diff --git a/tools/testing/selftests/bpf/prog_tests/test_lsm.c b/tools/testing/selftests/bpf/prog_tests/test_lsm.c
> index 6ab29226c99b..3f5d64adb233 100644
> --- a/tools/testing/selftests/bpf/prog_tests/test_lsm.c
> +++ b/tools/testing/selftests/bpf/prog_tests/test_lsm.c
> @@ -52,6 +52,28 @@ int exec_cmd(int *monitored_pid)
> return -EINVAL;
> }
>
[...]
> +
> void test_test_lsm(void)
> {
> struct lsm *skel = NULL;
> @@ -66,6 +88,10 @@ void test_test_lsm(void)
> if (CHECK(err, "attach", "lsm attach failed: %d\n", err))
> goto close_prog;
>
> + err = update_ima_policy();
> + if (CHECK(err != 0, "update_ima_policy", "error = %d\n", err))
> + goto close_prog;
"err != 0" => err?
"error = %d" => "err %d" for consistency with other usage in this function.
> +
> err = exec_cmd(&skel->bss->monitored_pid);
> if (CHECK(err < 0, "exec_cmd", "err %d errno %d\n", err, errno))
> goto close_prog;
> @@ -83,6 +109,12 @@ void test_test_lsm(void)
> CHECK(skel->bss->mprotect_count != 1, "mprotect_count",
> "mprotect_count = %d\n", skel->bss->mprotect_count);
>
> + CHECK(skel->data->ima_hash_ret < 0, "ima_hash_ret",
> + "ima_hash_ret = %d\n", skel->data->ima_hash_ret);
> +
> + CHECK(skel->bss->ima_hash == 0, "ima_hash",
> + "ima_hash = %lu\n", skel->bss->ima_hash);
> +
> syscall(__NR_setdomainname, &buf, -2L);
> syscall(__NR_setdomainname, 0, -3L);
> syscall(__NR_setdomainname, ~0L, -4L);
> diff --git a/tools/testing/selftests/bpf/progs/lsm.c b/tools/testing/selftests/bpf/progs/lsm.c
> index ff4d343b94b5..b0f9639e4b0a 100644
> --- a/tools/testing/selftests/bpf/progs/lsm.c
> +++ b/tools/testing/selftests/bpf/progs/lsm.c
> @@ -35,6 +35,8 @@ char _license[] SEC("license") = "GPL";
> int monitored_pid = 0;
> int mprotect_count = 0;
> int bprm_count = 0;
> +int ima_hash_ret = -1;
The helper returns type "long", but "int" type here should be fine too.
> +u64 ima_hash = 0;
>
> SEC("lsm/file_mprotect")
> int BPF_PROG(test_int_hook, struct vm_area_struct *vma,
> @@ -65,8 +67,11 @@ int BPF_PROG(test_void_hook, struct linux_binprm *bprm)
> __u32 key = 0;
> __u64 *value;
>
> - if (monitored_pid == pid)
> + if (monitored_pid == pid) {
> bprm_count++;
> + ima_hash_ret = bpf_ima_inode_hash(bprm->file->f_inode,
> + &ima_hash, sizeof(ima_hash));
> + }
>
> bpf_copy_from_user(args, sizeof(args), (void *)bprm->vma->vm_mm->arg_start);
> bpf_copy_from_user(args, sizeof(args), (void *)bprm->mm->arg_start);
>
Powered by blists - more mailing lists