<feed xmlns='http://www.w3.org/2005/Atom'>
<title>kernel/tools/testing/selftests/bpf/ima_setup.sh, branch linux-6.2.y</title>
<subtitle>Hosts the 0x221E linux distro kernel.</subtitle>
<id>https://universe.0xinfinity.dev/distro/kernel/atom?h=linux-6.2.y</id>
<link rel='self' href='https://universe.0xinfinity.dev/distro/kernel/atom?h=linux-6.2.y'/>
<link rel='alternate' type='text/html' href='https://universe.0xinfinity.dev/distro/kernel/'/>
<updated>2022-03-11T02:57:55Z</updated>
<entry>
<title>selftests/bpf: Add test for bpf_lsm_kernel_read_file()</title>
<updated>2022-03-11T02:57:55Z</updated>
<author>
<name>Roberto Sassu</name>
<email>roberto.sassu@huawei.com</email>
</author>
<published>2022-03-02T11:14:03Z</published>
<link rel='alternate' type='text/html' href='https://universe.0xinfinity.dev/distro/kernel/commit/?id=e6dcf7bbf37c9ae72b0bc3a09d5f91dd1f5c19e1'/>
<id>urn:sha1:e6dcf7bbf37c9ae72b0bc3a09d5f91dd1f5c19e1</id>
<content type='text'>
Test the ability of bpf_lsm_kernel_read_file() to call the sleepable
functions bpf_ima_inode_hash() or bpf_ima_file_hash() to obtain a
measurement of a loaded IMA policy.

Signed-off-by: Roberto Sassu &lt;roberto.sassu@huawei.com&gt;
Signed-off-by: Alexei Starovoitov &lt;ast@kernel.org&gt;
Link: https://lore.kernel.org/bpf/20220302111404.193900-9-roberto.sassu@huawei.com
</content>
</entry>
<entry>
<title>selftests/bpf: Check if the digest is refreshed after a file write</title>
<updated>2022-03-11T02:57:54Z</updated>
<author>
<name>Roberto Sassu</name>
<email>roberto.sassu@huawei.com</email>
</author>
<published>2022-03-02T11:14:01Z</published>
<link rel='alternate' type='text/html' href='https://universe.0xinfinity.dev/distro/kernel/commit/?id=91e8fa254dbd0890c34286acdc12e96412305840'/>
<id>urn:sha1:91e8fa254dbd0890c34286acdc12e96412305840</id>
<content type='text'>
Verify that bpf_ima_inode_hash() returns a non-fresh digest after a file
write, and that bpf_ima_file_hash() returns a fresh digest. Verification is
done by requesting the digest from the bprm_creds_for_exec hook, called
before ima_bprm_check().

Signed-off-by: Roberto Sassu &lt;roberto.sassu@huawei.com&gt;
Signed-off-by: Alexei Starovoitov &lt;ast@kernel.org&gt;
Link: https://lore.kernel.org/bpf/20220302111404.193900-7-roberto.sassu@huawei.com
</content>
</entry>
<entry>
<title>selftests/bpf: Silence ima_setup.sh when not running in verbose mode.</title>
<updated>2020-12-11T06:14:32Z</updated>
<author>
<name>KP Singh</name>
<email>kpsingh@kernel.org</email>
</author>
<published>2020-12-11T01:07:11Z</published>
<link rel='alternate' type='text/html' href='https://universe.0xinfinity.dev/distro/kernel/commit/?id=b4fe9fec51ef48011f11c2da4099f0b530449c92'/>
<id>urn:sha1:b4fe9fec51ef48011f11c2da4099f0b530449c92</id>
<content type='text'>
Currently, ima_setup.sh spews outputs from commands like mkfs and dd
on the terminal without taking into account the verbosity level of
the test framework. Update test_progs to set the environment variable
SELFTESTS_VERBOSE=1 when a verbose output is requested. This
environment variable is then used by ima_setup.sh (and can be used by
other similar scripts) to obey the verbosity level of the test harness
without needing to re-implement command line options for verbosity.

In "silent" mode, the script saves the output to a temporary file, the
contents of which are echoed back to stderr when the script encounters
an error.

Fixes: 34b82d3ac105 ("bpf: Add a selftest for bpf_ima_inode_hash")
Reported-by: Andrii Nakryiko &lt;andrii@kernel.org&gt;
Suggested-by: Andrii Nakryiko &lt;andrii@kernel.org&gt;
Signed-off-by: KP Singh &lt;kpsingh@kernel.org&gt;
Signed-off-by: Andrii Nakryiko &lt;andrii@kernel.org&gt;
Link: https://lore.kernel.org/bpf/20201211010711.3716917-1-kpsingh@kernel.org
</content>
</entry>
<entry>
<title>selftests/bpf: Indent ima_setup.sh with tabs.</title>
<updated>2020-12-03T19:20:21Z</updated>
<author>
<name>KP Singh</name>
<email>kpsingh@google.com</email>
</author>
<published>2020-12-03T19:14:37Z</published>
<link rel='alternate' type='text/html' href='https://universe.0xinfinity.dev/distro/kernel/commit/?id=ffebecd9d49542046c5ecbb410af01e016636e19'/>
<id>urn:sha1:ffebecd9d49542046c5ecbb410af01e016636e19</id>
<content type='text'>
The file was formatted with spaces instead of tabs and went unnoticed
as checkpatch.pl did not complain (probably because this is a shell
script). Re-indent it with tabs to be consistent with other scripts.

Signed-off-by: KP Singh &lt;kpsingh@google.com&gt;
Signed-off-by: Andrii Nakryiko &lt;andrii@kernel.org&gt;
Link: https://lore.kernel.org/bpf/20201203191437.666737-5-kpsingh@chromium.org
</content>
</entry>
<entry>
<title>selftests/bpf: Ensure securityfs mount before writing ima policy</title>
<updated>2020-12-03T19:20:21Z</updated>
<author>
<name>KP Singh</name>
<email>kpsingh@google.com</email>
</author>
<published>2020-12-03T19:14:35Z</published>
<link rel='alternate' type='text/html' href='https://universe.0xinfinity.dev/distro/kernel/commit/?id=1ee076719d4e14c005f375c50731ed44eb48fee4'/>
<id>urn:sha1:1ee076719d4e14c005f375c50731ed44eb48fee4</id>
<content type='text'>
SecurityFS may not be mounted even if it is enabled in the kernel
config. So, check if the mount exists in /proc/mounts by parsing the
file and, if not, mount it on /sys/kernel/security.

Fixes: 34b82d3ac105 ("bpf: Add a selftest for bpf_ima_inode_hash")
Reported-by: Andrii Nakryiko &lt;andrii@kernel.org&gt;
Signed-off-by: KP Singh &lt;kpsingh@google.com&gt;
Signed-off-by: Andrii Nakryiko &lt;andrii@kernel.org&gt;
Acked-by: Andrii Nakryiko &lt;andrii@kernel.org&gt;
Link: https://lore.kernel.org/bpf/20201203191437.666737-3-kpsingh@chromium.org
</content>
</entry>
<entry>
<title>selftests/bpf: Update ima_setup.sh for busybox</title>
<updated>2020-12-03T19:20:20Z</updated>
<author>
<name>KP Singh</name>
<email>kpsingh@google.com</email>
</author>
<published>2020-12-03T19:14:34Z</published>
<link rel='alternate' type='text/html' href='https://universe.0xinfinity.dev/distro/kernel/commit/?id=3db980449bc3b9765c78210787bcbf4305636982'/>
<id>urn:sha1:3db980449bc3b9765c78210787bcbf4305636982</id>
<content type='text'>
losetup on busybox does not output the name of the loop device when
using -f with --show. It also doesn't support -j to find the loop devices
for a given backing file. losetup is updated to use "-a" which is
available on busybox.

blkid does not support options (-s and -o) to only display the uuid, so
parse the output instead.

Not all environments have mkfs.ext4; the test requires a loop device
with a backing image file which could be formatted with any filesystem.
Update to using mkfs.ext2 which is available on busybox.

Fixes: 34b82d3ac105 ("bpf: Add a selftest for bpf_ima_inode_hash")
Reported-by: Andrii Nakryiko &lt;andrii@kernel.org&gt;
Signed-off-by: KP Singh &lt;kpsingh@google.com&gt;
Signed-off-by: Andrii Nakryiko &lt;andrii@kernel.org&gt;
Acked-by: Andrii Nakryiko &lt;andrii@kernel.org&gt;
Link: https://lore.kernel.org/bpf/20201203191437.666737-2-kpsingh@chromium.org
</content>
</entry>
<entry>
<title>bpf: Add a selftest for bpf_ima_inode_hash</title>
<updated>2020-11-25T23:25:47Z</updated>
<author>
<name>KP Singh</name>
<email>kpsingh@google.com</email>
</author>
<published>2020-11-24T15:12:10Z</published>
<link rel='alternate' type='text/html' href='https://universe.0xinfinity.dev/distro/kernel/commit/?id=34b82d3ac1058653b3de7be4697b55f67533b1f1'/>
<id>urn:sha1:34b82d3ac1058653b3de7be4697b55f67533b1f1</id>
<content type='text'>
The test does the following:

- Mounts a loopback filesystem and appends the IMA policy to measure
  executions only on this file-system. Restricting the IMA policy to
  a particular filesystem prevents a system-wide IMA policy change.
- Executes an executable copied to this loopback filesystem.
- Calls the bpf_ima_inode_hash in the bprm_committed_creds hook and
  checks if the call succeeded and checks if a hash was calculated.

The test shells out to the added ima_setup.sh script as the setup is
better handled in a shell script and is more complicated to do in the
test program or even shelling out individual commands from C.

The list of required configs (i.e. IMA, SECURITYFS,
IMA_{WRITE,READ}_POLICY) for running this test is also updated.

Suggested-by: Mimi Zohar &lt;zohar@linux.ibm.com&gt; (limit policy rule to loopback mount)
Signed-off-by: KP Singh &lt;kpsingh@google.com&gt;
Signed-off-by: Daniel Borkmann &lt;daniel@iogearbox.net&gt;
Acked-by: Yonghong Song &lt;yhs@fb.com&gt;
Link: https://lore.kernel.org/bpf/20201124151210.1081188-4-kpsingh@chromium.org
</content>
</entry>
</feed>
