Message-ID: <CAEf4BzbDKX8+AaueNngEeGnWQLfN0Fy+jgcxrwbeLeVfVh0E9Q@mail.gmail.com>
Date: Thu, 26 Nov 2020 20:29:16 -0800
From: Andrii Nakryiko <andrii.nakryiko@...il.com>
To: KP Singh <kpsingh@...omium.org>
Cc: James Morris <jmorris@...ei.org>,
open list <linux-kernel@...r.kernel.org>,
bpf <bpf@...r.kernel.org>, linux-security-module@...r.kernel.org,
Alexei Starovoitov <ast@...nel.org>,
Daniel Borkmann <daniel@...earbox.net>,
Florent Revest <revest@...omium.org>,
Brendan Jackman <jackmanb@...omium.org>,
Mimi Zohar <zohar@...ux.ibm.com>
Subject: Re: [PATCH bpf-next v3 3/3] bpf: Add a selftest for bpf_ima_inode_hash
On Tue, Nov 24, 2020 at 7:16 AM KP Singh <kpsingh@...omium.org> wrote:
>
> From: KP Singh <kpsingh@...gle.com>
>
> The test does the following:
>
> - Mounts a loopback filesystem and appends the IMA policy to measure
> executions only on this file-system. Restricting the IMA policy to a
> particular filesystem prevents a system-wide IMA policy change.
> - Executes an executable copied to this loopback filesystem.
> - Calls the bpf_ima_inode_hash in the bprm_committed_creds hook and
> checks if the call succeeded and checks if a hash was calculated.
>
> The test shells out to the added ima_setup.sh script as the setup is
> better handled in a shell script and is more complicated to do in the
> test program or even shelling out individual commands from C.
>
> The list of required configs (i.e. IMA, SECURITYFS,
> IMA_{WRITE,READ}_POLICY) for running this test is also updated.
>
> Signed-off-by: KP Singh <kpsingh@...gle.com>
> ---
> tools/testing/selftests/bpf/config | 4 +
> tools/testing/selftests/bpf/ima_setup.sh | 80 +++++++++++++++++++
> .../selftests/bpf/prog_tests/test_ima.c | 74 +++++++++++++++++
> tools/testing/selftests/bpf/progs/ima.c | 28 +++++++
> 4 files changed, 186 insertions(+)
> create mode 100644 tools/testing/selftests/bpf/ima_setup.sh
> create mode 100644 tools/testing/selftests/bpf/prog_tests/test_ima.c
> create mode 100644 tools/testing/selftests/bpf/progs/ima.c
>
[...]
> +cleanup() {
> + local tmp_dir="$1"
> + local mount_img="${tmp_dir}/test.img"
> + local mount_dir="${tmp_dir}/mnt"
> +
> + local loop_devices=$(losetup -j ${mount_img} -O NAME --noheadings)
libbpf and kernel-patches CIs are using a BusyBox environment which has
a losetup that doesn't support the -j option. Is there some way to work
around that? What we have is this:
BusyBox v1.31.1 () multi-call binary.
Usage: losetup [-rP] [-o OFS] {-f|LOOPDEV} FILE: associate loop devices
losetup -c LOOPDEV: reread file size
losetup -d LOOPDEV: disassociate
losetup -a: show status
losetup -f: show next free loop device
-o OFS Start OFS bytes into FILE
-P Scan for partitions
-r Read-only
-f Show/use next free loop device
> + for loop_dev in "${loop_devices}"; do
> + losetup -d $loop_dev
> + done
> +
> + umount ${mount_dir}
> + rm -rf ${tmp_dir}
> +}
> +
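Review bot: the `for loop_dev in "${loop_devices}"` loop quotes the expansion, so the body runs exactly once with the whole losetup output as a single word instead of once per device; it only works today because `$loop_dev` is then unquoted and word-split in `losetup -d $loop_dev`. Read the output line by line (or drop the quotes) and skip the `losetup -d` call when the list is empty, since `losetup -d ""` fails with an error. The ordering is also inverted: `losetup -d` runs while the image is still mounted and `umount ${mount_dir}` only follows afterwards; unmount first, then detach the loop devices.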
[...]
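A lookup that avoids `-j` by parsing `losetup -a` (which the BusyBox usage text above does list), added here as an example and not code from the patch or from the reply. The sample lines are constructed, and the two output layouts they mimic (util-linux `dev: [maj:min]:ino (path)` and BusyBox `dev: offset path`) are assumptions to verify on the target system.

```shell
#!/bin/sh
# Added example: find loop devices backing an image without `losetup -j`.

# loop_devs_for_image IMG: reads `losetup -a` lines on stdin and prints one
# device per line whose backing file field is exactly IMG. The parentheses
# util-linux wraps around the path are stripped first; matching the path as a
# whole field keeps /tmp/x/test.img from matching /tmp/x/test.img2. Paths
# containing spaces are not handled (assumption: test images never do).
loop_devs_for_image() {
	img="$1"
	sed 's/[()]//g' | awk -v img="$img" '
		{
			for (i = 2; i <= NF; i++)
				if ($i == img) { sub(/:$/, "", $1); print $1; break }
		}'
}

# cleanup_loop_devices IMG MOUNT_DIR: unmount first, then detach every loop
# device still attached to IMG; with no matches the loop body never runs.
cleanup_loop_devices() {
	img="$1"
	mount_dir="$2"
	umount "$mount_dir"
	losetup -a | loop_devs_for_image "$img" | while read -r dev; do
		losetup -d "$dev"
	done
}

# Constructed `losetup -a` output: one util-linux style line and one BusyBox
# style line for the image of interest, plus an unrelated image.
SAMPLE_LOSETUP_A='/dev/loop0: [2049]:1234 (/tmp/x/test.img)
/dev/loop1: 0 /tmp/x/test.img
/dev/loop2: 0 /tmp/x/other.img'

# demo: returns the devices detected for the sample, joined by single spaces.
demo() {
	printf '%s\n' "$SAMPLE_LOSETUP_A" | loop_devs_for_image /tmp/x/test.img |
		awk '{ printf "%s%s", (NR > 1 ? " " : ""), $0 } END { print "" }'
}
```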