kernel/tools/testing/selftests/bpf/progs/ima.c, branch linux-6.2.y

selftests/bpf: Check that bpf_kernel_read_file() denies reading IMA policy

2022-03-11T02:57:55Z

Check that bpf_kernel_read_file() denies the reading of an IMA policy, by ensuring that ima_setup.sh exits with an error. Signed-off-by: Roberto Sassu Signed-off-by: Alexei Starovoitov Link: https://lore.kernel.org/bpf/20220302111404.193900-10-roberto.sassu@huawei.com

selftests/bpf: Add test for bpf_lsm_kernel_read_file()

2022-03-11T02:57:55Z

Test the ability of bpf_lsm_kernel_read_file() to call the sleepable functions bpf_ima_inode_hash() or bpf_ima_file_hash() to obtain a measurement of a loaded IMA policy. Signed-off-by: Roberto Sassu Signed-off-by: Alexei Starovoitov Link: https://lore.kernel.org/bpf/20220302111404.193900-9-roberto.sassu@huawei.com

selftests/bpf: Check if the digest is refreshed after a file write

2022-03-11T02:57:54Z

Verify that bpf_ima_inode_hash() returns a non-fresh digest after a file write, and that bpf_ima_file_hash() returns a fresh digest. Verification is done by requesting the digest from the bprm_creds_for_exec hook, called before ima_bprm_check(). Signed-off-by: Roberto Sassu Signed-off-by: Alexei Starovoitov Link: https://lore.kernel.org/bpf/20220302111404.193900-7-roberto.sassu@huawei.com

selftests/bpf: Add test for bpf_ima_file_hash()

2022-03-11T02:57:54Z

Add new test to ensure that bpf_ima_file_hash() returns the digest of the executed files. Signed-off-by: Roberto Sassu Signed-off-by: Alexei Starovoitov Link: https://lore.kernel.org/bpf/20220302111404.193900-6-roberto.sassu@huawei.com

selftests/bpf: Move sample generation code to ima_test_common()

2022-03-11T02:57:54Z

Move sample generator code to ima_test_common() so that the new function can be called by multiple LSM hooks. Signed-off-by: Roberto Sassu Signed-off-by: Alexei Starovoitov Link: https://lore.kernel.org/bpf/20220302111404.193900-5-roberto.sassu@huawei.com

bpf/selftests: Update the IMA test to use BPF ring buffer

2021-02-05T00:35:05Z

Instead of using shared global variables between userspace and BPF, use the ring buffer to send the IMA hash on the BPF ring buffer. This helps in validating both IMA and the usage of the ringbuffer in sleepable programs. Signed-off-by: KP Singh Signed-off-by: Andrii Nakryiko Link: https://lore.kernel.org/bpf/20210204193622.3367275-3-kpsingh@kernel.org

bpf: Add a selftest for bpf_ima_inode_hash

2020-11-25T23:25:47Z

The test does the following: - Mounts a loopback filesystem and appends the IMA policy to measure executions only on this file-system. Restricting the IMA policy to a particular filesystem prevents a system-wide IMA policy change. - Executes an executable copied to this loopback filesystem. - Calls the bpf_ima_inode_hash in the bprm_committed_creds hook and checks if the call succeeded and checks if a hash was calculated. The test shells out to the added ima_setup.sh script as the setup is better handled in a shell script and is more complicated to do in the test program or even shelling out individual commands from C. The list of required configs (i.e. IMA, SECURITYFS, IMA_{WRITE,READ}_POLICY) for running this test are also updated. Suggested-by: Mimi Zohar (limit policy rule to loopback mount) Signed-off-by: KP Singh Signed-off-by: Daniel Borkmann Acked-by: Yonghong Song Link: https://lore.kernel.org/bpf/20201124151210.1081188-4-kpsingh@chromium.org