[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CACYkzJ5ZJ_yu=dXM5-jXEO5p5WzpXDT5EdT0agL1pgdNRqGamw@mail.gmail.com>
Date: Wed, 25 Nov 2020 03:55:29 +0100
From: KP Singh <kpsingh@...omium.org>
To: Mimi Zohar <zohar@...ux.ibm.com>
Cc: James Morris <jmorris@...ei.org>,
open list <linux-kernel@...r.kernel.org>,
bpf <bpf@...r.kernel.org>,
Linux Security Module list
<linux-security-module@...r.kernel.org>,
Alexei Starovoitov <ast@...nel.org>,
Daniel Borkmann <daniel@...earbox.net>,
Florent Revest <revest@...omium.org>,
Brendan Jackman <jackmanb@...omium.org>
Subject: Re: [PATCH bpf-next v3 3/3] bpf: Add a selftest for bpf_ima_inode_hash
On Wed, Nov 25, 2020 at 3:20 AM Mimi Zohar <zohar@...ux.ibm.com> wrote:
>
> On Tue, 2020-11-24 at 15:12 +0000, KP Singh wrote:
> > diff --git a/tools/testing/selftests/bpf/ima_setup.sh b/tools/testing/selftests/bpf/ima_setup.sh
> > new file mode 100644
> > index 000000000000..15490ccc5e55
> > --- /dev/null
> > +++ b/tools/testing/selftests/bpf/ima_setup.sh
> > @@ -0,0 +1,80 @@
> > +#!/bin/bash
> > +# SPDX-License-Identifier: GPL-2.0
> > +
> > +set -e
> > +set -u
> > +
> > +IMA_POLICY_FILE="/sys/kernel/security/ima/policy"
> > +TEST_BINARY="/bin/true"
> > +
> > +usage()
> > +{
> > + echo "Usage: $0 <setup|cleanup|run> <existing_tmp_dir>"
> > + exit 1
> > +}
> > +
> > +setup()
> > +{
> > + local tmp_dir="$1"
> > + local mount_img="${tmp_dir}/test.img"
> > + local mount_dir="${tmp_dir}/mnt"
> > + local copied_bin_path="${mount_dir}/$(basename ${TEST_BINARY})"
> > + mkdir -p ${mount_dir}
> > +
> > + dd if=/dev/zero of="${mount_img}" bs=1M count=10
> > +
> > + local loop_device="$(losetup --find --show ${mount_img})"
> > +
> > + mkfs.ext4 "${loop_device}"
> > + mount "${loop_device}" "${mount_dir}"
> > +
> > + cp "${TEST_BINARY}" "${mount_dir}"
> > + local mount_uuid="$(blkid -s UUID -o value ${loop_device})"
> > + echo "measure func=BPRM_CHECK fsuuid=${mount_uuid}" > ${IMA_POLICY_FILE}
>
> Anyone using IMA, normally define policy rules requiring the policy
> itself to be signed. Instead of writing the policy rules, write the
The goal of this self test is to not fully test the IMA functionality but check
if the BPF helper works and returns a hash with the minimal possible IMA
config dependencies. And it seems like we can accomplish this by simply
writing the policy to securityfs directly.
>From what I noticed, IMA_APPRAISE_REQUIRE_POLICY_SIGS
requires configuring a lot of other kernel options
(IMA_APPRAISE, ASYMMETRIC_KEYS etc.) that seem
like too much for bpf self tests to depend on.
I guess we can independently add selftests for IMA which represent
a more real IMA configuration. Hope this sounds reasonable?
> signed policy file pathname. Refer to dracut commit 479b5cd9
> ("98integrity: support validating the IMA policy file signature").
>
> Both enabling IMA_APPRAISE_REQUIRE_POLICY_SIGS and the builtin
> "appraise_tcb" policy require loading a signed policy.
Thanks for the pointers.
- KP
>
> Mimi
>
Powered by blists - more mailing lists