diff mbox series

bpf: Fix IMA test

Message ID 20230308103713.1681200-1-roberto.sassu@huaweicloud.com (mailing list archive)
State Accepted
Commit 12fabae03ca6474fd571bf6ddb37d009533305d6
Delegated to: BPF
Headers show
Series bpf: Fix IMA test | expand

Checks

Context Check Description
bpf/vmtest-bpf-next-PR success PR summary
bpf/vmtest-bpf-next-VM_Test-1 success Logs for ShellCheck
bpf/vmtest-bpf-next-VM_Test-2 success Logs for build for aarch64 with gcc
bpf/vmtest-bpf-next-VM_Test-3 success Logs for build for aarch64 with llvm-17
bpf/vmtest-bpf-next-VM_Test-5 success Logs for build for x86_64 with gcc
bpf/vmtest-bpf-next-VM_Test-6 success Logs for build for x86_64 with llvm-17
bpf/vmtest-bpf-next-VM_Test-7 success Logs for llvm-toolchain
bpf/vmtest-bpf-next-VM_Test-8 success Logs for set-matrix
bpf/vmtest-bpf-next-VM_Test-4 success Logs for build for s390x with gcc
bpf/vmtest-bpf-next-VM_Test-9 success Logs for test_maps on aarch64 with gcc
bpf/vmtest-bpf-next-VM_Test-10 success Logs for test_maps on aarch64 with llvm-17
bpf/vmtest-bpf-next-VM_Test-12 success Logs for test_maps on x86_64 with gcc
bpf/vmtest-bpf-next-VM_Test-13 success Logs for test_maps on x86_64 with llvm-17
bpf/vmtest-bpf-next-VM_Test-14 success Logs for test_progs on aarch64 with gcc
bpf/vmtest-bpf-next-VM_Test-15 success Logs for test_progs on aarch64 with llvm-17
bpf/vmtest-bpf-next-VM_Test-17 fail Logs for test_progs on x86_64 with gcc
bpf/vmtest-bpf-next-VM_Test-18 success Logs for test_progs on x86_64 with llvm-17
bpf/vmtest-bpf-next-VM_Test-19 success Logs for test_progs_no_alu32 on aarch64 with gcc
bpf/vmtest-bpf-next-VM_Test-20 success Logs for test_progs_no_alu32 on aarch64 with llvm-17
bpf/vmtest-bpf-next-VM_Test-22 success Logs for test_progs_no_alu32 on x86_64 with gcc
bpf/vmtest-bpf-next-VM_Test-23 success Logs for test_progs_no_alu32 on x86_64 with llvm-17
bpf/vmtest-bpf-next-VM_Test-24 success Logs for test_progs_no_alu32_parallel on aarch64 with gcc
bpf/vmtest-bpf-next-VM_Test-25 success Logs for test_progs_no_alu32_parallel on aarch64 with llvm-17
bpf/vmtest-bpf-next-VM_Test-27 success Logs for test_progs_no_alu32_parallel on x86_64 with gcc
bpf/vmtest-bpf-next-VM_Test-28 success Logs for test_progs_no_alu32_parallel on x86_64 with llvm-17
bpf/vmtest-bpf-next-VM_Test-29 success Logs for test_progs_parallel on aarch64 with gcc
bpf/vmtest-bpf-next-VM_Test-30 success Logs for test_progs_parallel on aarch64 with llvm-17
bpf/vmtest-bpf-next-VM_Test-32 success Logs for test_progs_parallel on x86_64 with gcc
bpf/vmtest-bpf-next-VM_Test-33 success Logs for test_progs_parallel on x86_64 with llvm-17
bpf/vmtest-bpf-next-VM_Test-34 success Logs for test_verifier on aarch64 with gcc
bpf/vmtest-bpf-next-VM_Test-35 success Logs for test_verifier on aarch64 with llvm-17
bpf/vmtest-bpf-next-VM_Test-36 success Logs for test_verifier on s390x with gcc
bpf/vmtest-bpf-next-VM_Test-37 success Logs for test_verifier on x86_64 with gcc
bpf/vmtest-bpf-next-VM_Test-38 success Logs for test_verifier on x86_64 with llvm-17
bpf/vmtest-bpf-next-VM_Test-21 success Logs for test_progs_no_alu32 on s390x with gcc
bpf/vmtest-bpf-next-VM_Test-26 success Logs for test_progs_no_alu32_parallel on s390x with gcc
bpf/vmtest-bpf-next-VM_Test-31 success Logs for test_progs_parallel on s390x with gcc
bpf/vmtest-bpf-next-VM_Test-16 success Logs for test_progs on s390x with gcc
bpf/vmtest-bpf-next-VM_Test-11 success Logs for test_maps on s390x with gcc
netdev/tree_selection success Not a local patch

Commit Message

Roberto Sassu March 8, 2023, 10:37 a.m. UTC
From: Roberto Sassu <roberto.sassu@huawei.com>

Commit 62622dab0a28 ("ima: return IMA digest value only when IMA_COLLECTED
flag is set") caused bpf_ima_inode_hash() to refuse to give non-fresh
digests. IMA test #3 assumed the old behavior, that bpf_ima_inode_hash()
still returned also non-fresh digests.

Correct the test by accepting both cases. If the samples returned are 1,
assume that the commit above is applied and that the returned digest is
fresh. If the samples returned are 2, assume that the commit above is not
applied, and check both the non-fresh and fresh digest.

Fixes: 62622dab0a28 ("ima: return IMA digest value only when IMA_COLLECTED flag is set")
Reported by: David Vernet <void@manifault.com>
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
---
 .../selftests/bpf/prog_tests/test_ima.c       | 29 ++++++++++++++-----
 1 file changed, 21 insertions(+), 8 deletions(-)

Comments

Roberto Sassu March 8, 2023, 10:40 a.m. UTC | #1
On Wed, 2023-03-08 at 11:37 +0100, Roberto Sassu wrote:
> From: Roberto Sassu <roberto.sassu@huawei.com>

The title should have been selftests/bpf: ...

Will send a new version once I get the test result.

Roberto

> Commit 62622dab0a28 ("ima: return IMA digest value only when IMA_COLLECTED
> flag is set") caused bpf_ima_inode_hash() to refuse to give non-fresh
> digests. IMA test #3 assumed the old behavior, that bpf_ima_inode_hash()
> still returned also non-fresh digests.
> 
> Correct the test by accepting both cases. If the samples returned are 1,
> assume that the commit above is applied and that the returned digest is
> fresh. If the samples returned are 2, assume that the commit above is not
> applied, and check both the non-fresh and fresh digest.
> 
> Fixes: 62622dab0a28 ("ima: return IMA digest value only when IMA_COLLECTED flag is set")
> Reported by: David Vernet <void@manifault.com>
> Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
> ---
>  .../selftests/bpf/prog_tests/test_ima.c       | 29 ++++++++++++++-----
>  1 file changed, 21 insertions(+), 8 deletions(-)
> 
> diff --git a/tools/testing/selftests/bpf/prog_tests/test_ima.c b/tools/testing/selftests/bpf/prog_tests/test_ima.c
> index b13feceb38f..810b14981c2 100644
> --- a/tools/testing/selftests/bpf/prog_tests/test_ima.c
> +++ b/tools/testing/selftests/bpf/prog_tests/test_ima.c
> @@ -70,7 +70,7 @@ void test_test_ima(void)
>  	u64 bin_true_sample;
>  	char cmd[256];
>  
> -	int err, duration = 0;
> +	int err, duration = 0, fresh_digest_idx = 0;
>  	struct ima *skel = NULL;
>  
>  	skel = ima__open_and_load();
> @@ -129,7 +129,15 @@ void test_test_ima(void)
>  	/*
>  	 * Test #3
>  	 * - Goal: confirm that bpf_ima_inode_hash() returns a non-fresh digest
> -	 * - Expected result: 2 samples (/bin/true: non-fresh, fresh)
> +	 * - Expected result:
> +	 *   1 sample (/bin/true: fresh) if commit 62622dab0a28 applied
> +	 *   2 samples (/bin/true: non-fresh, fresh) if commit 62622dab0a28 is
> +	 *     not applied
> +	 *
> +	 * If commit 62622dab0a28 ("ima: return IMA digest value only when
> +	 * IMA_COLLECTED flag is set") is applied, bpf_ima_inode_hash() refuses
> +	 * to give a non-fresh digest, hence the correct result is 1 instead of
> +	 * 2.
>  	 */
>  	test_init(skel->bss);
>  
> @@ -144,13 +152,18 @@ void test_test_ima(void)
>  		goto close_clean;
>  
>  	err = ring_buffer__consume(ringbuf);
> -	ASSERT_EQ(err, 2, "num_samples_or_err");
> -	ASSERT_NEQ(ima_hash_from_bpf[0], 0, "ima_hash");
> -	ASSERT_NEQ(ima_hash_from_bpf[1], 0, "ima_hash");
> -	ASSERT_EQ(ima_hash_from_bpf[0], bin_true_sample, "sample_equal_or_err");
> +	ASSERT_GE(err, 1, "num_samples_or_err");
> +	if (err == 2) {
> +		ASSERT_NEQ(ima_hash_from_bpf[0], 0, "ima_hash");
> +		ASSERT_EQ(ima_hash_from_bpf[0], bin_true_sample,
> +			  "sample_equal_or_err");
> +		fresh_digest_idx = 1;
> +	}
> +
> +	ASSERT_NEQ(ima_hash_from_bpf[fresh_digest_idx], 0, "ima_hash");
>  	/* IMA refreshed the digest. */
> -	ASSERT_NEQ(ima_hash_from_bpf[1], bin_true_sample,
> -		   "sample_different_or_err");
> +	ASSERT_NEQ(ima_hash_from_bpf[fresh_digest_idx], bin_true_sample,
> +		   "sample_equal_or_err");
>  
>  	/*
>  	 * Test #4
Matt Bobrowski March 8, 2023, 11:03 a.m. UTC | #2
Ha! I was literally in the midst of sending through a patch for
this. Thanks for also taking a look and beating me to it!

This LGTM, feel free to add:

Reviewed-by: Matt Bobrowski <mattbobrowski@google.com>

On Wed, Mar 08, 2023 at 11:37:13AM +0100, Roberto Sassu wrote:
> From: Roberto Sassu <roberto.sassu@huawei.com>
> 
> Commit 62622dab0a28 ("ima: return IMA digest value only when IMA_COLLECTED
> flag is set") caused bpf_ima_inode_hash() to refuse to give non-fresh
> digests. IMA test #3 assumed the old behavior, that bpf_ima_inode_hash()
> still returned also non-fresh digests.
> 
> Correct the test by accepting both cases. If the samples returned are 1,
> assume that the commit above is applied and that the returned digest is
> fresh. If the samples returned are 2, assume that the commit above is not
> applied, and check both the non-fresh and fresh digest.
> 
> Fixes: 62622dab0a28 ("ima: return IMA digest value only when IMA_COLLECTED flag is set")
> Reported by: David Vernet <void@manifault.com>
> Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
> ---
>  .../selftests/bpf/prog_tests/test_ima.c       | 29 ++++++++++++++-----
>  1 file changed, 21 insertions(+), 8 deletions(-)
> 
> diff --git a/tools/testing/selftests/bpf/prog_tests/test_ima.c b/tools/testing/selftests/bpf/prog_tests/test_ima.c
> index b13feceb38f..810b14981c2 100644
> --- a/tools/testing/selftests/bpf/prog_tests/test_ima.c
> +++ b/tools/testing/selftests/bpf/prog_tests/test_ima.c
> @@ -70,7 +70,7 @@ void test_test_ima(void)
>  	u64 bin_true_sample;
>  	char cmd[256];
>  
> -	int err, duration = 0;
> +	int err, duration = 0, fresh_digest_idx = 0;
>  	struct ima *skel = NULL;
>  
>  	skel = ima__open_and_load();
> @@ -129,7 +129,15 @@ void test_test_ima(void)
>  	/*
>  	 * Test #3
>  	 * - Goal: confirm that bpf_ima_inode_hash() returns a non-fresh digest
> -	 * - Expected result: 2 samples (/bin/true: non-fresh, fresh)
> +	 * - Expected result:
> +	 *   1 sample (/bin/true: fresh) if commit 62622dab0a28 applied
> +	 *   2 samples (/bin/true: non-fresh, fresh) if commit 62622dab0a28 is
> +	 *     not applied
> +	 *
> +	 * If commit 62622dab0a28 ("ima: return IMA digest value only when
> +	 * IMA_COLLECTED flag is set") is applied, bpf_ima_inode_hash() refuses
> +	 * to give a non-fresh digest, hence the correct result is 1 instead of
> +	 * 2.
>  	 */
>  	test_init(skel->bss);
>  
> @@ -144,13 +152,18 @@ void test_test_ima(void)
>  		goto close_clean;
>  
>  	err = ring_buffer__consume(ringbuf);
> -	ASSERT_EQ(err, 2, "num_samples_or_err");
> -	ASSERT_NEQ(ima_hash_from_bpf[0], 0, "ima_hash");
> -	ASSERT_NEQ(ima_hash_from_bpf[1], 0, "ima_hash");
> -	ASSERT_EQ(ima_hash_from_bpf[0], bin_true_sample, "sample_equal_or_err");
> +	ASSERT_GE(err, 1, "num_samples_or_err");
> +	if (err == 2) {
> +		ASSERT_NEQ(ima_hash_from_bpf[0], 0, "ima_hash");
> +		ASSERT_EQ(ima_hash_from_bpf[0], bin_true_sample,
> +			  "sample_equal_or_err");
> +		fresh_digest_idx = 1;
> +	}
> +
> +	ASSERT_NEQ(ima_hash_from_bpf[fresh_digest_idx], 0, "ima_hash");
>  	/* IMA refreshed the digest. */
> -	ASSERT_NEQ(ima_hash_from_bpf[1], bin_true_sample,
> -		   "sample_different_or_err");
> +	ASSERT_NEQ(ima_hash_from_bpf[fresh_digest_idx], bin_true_sample,
> +		   "sample_equal_or_err");
>  
>  	/*
>  	 * Test #4
> -- 
> 2.25.1
> 
/M
Roberto Sassu March 8, 2023, 12:05 p.m. UTC | #3
On Wed, 2023-03-08 at 11:03 +0000, Matt Bobrowski wrote:
> Ha! I was literally in the midst of sending through a patch for
> this. Thanks for also taking a look and beating me to it!
> 
> This LGTM, feel free to add:
> 
> Reviewed-by: Matt Bobrowski <mattbobrowski@google.com>

Thanks.

I have only one remain question. Should we accept the old behavior, or
simply reject it?

Roberto

> On Wed, Mar 08, 2023 at 11:37:13AM +0100, Roberto Sassu wrote:
> > From: Roberto Sassu <roberto.sassu@huawei.com>
> > 
> > Commit 62622dab0a28 ("ima: return IMA digest value only when IMA_COLLECTED
> > flag is set") caused bpf_ima_inode_hash() to refuse to give non-fresh
> > digests. IMA test #3 assumed the old behavior, that bpf_ima_inode_hash()
> > still returned also non-fresh digests.
> > 
> > Correct the test by accepting both cases. If the samples returned are 1,
> > assume that the commit above is applied and that the returned digest is
> > fresh. If the samples returned are 2, assume that the commit above is not
> > applied, and check both the non-fresh and fresh digest.
> > 
> > Fixes: 62622dab0a28 ("ima: return IMA digest value only when IMA_COLLECTED flag is set")
> > Reported by: David Vernet <void@manifault.com>
> > Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
> > ---
> >  .../selftests/bpf/prog_tests/test_ima.c       | 29 ++++++++++++++-----
> >  1 file changed, 21 insertions(+), 8 deletions(-)
> > 
> > diff --git a/tools/testing/selftests/bpf/prog_tests/test_ima.c b/tools/testing/selftests/bpf/prog_tests/test_ima.c
> > index b13feceb38f..810b14981c2 100644
> > --- a/tools/testing/selftests/bpf/prog_tests/test_ima.c
> > +++ b/tools/testing/selftests/bpf/prog_tests/test_ima.c
> > @@ -70,7 +70,7 @@ void test_test_ima(void)
> >  	u64 bin_true_sample;
> >  	char cmd[256];
> >  
> > -	int err, duration = 0;
> > +	int err, duration = 0, fresh_digest_idx = 0;
> >  	struct ima *skel = NULL;
> >  
> >  	skel = ima__open_and_load();
> > @@ -129,7 +129,15 @@ void test_test_ima(void)
> >  	/*
> >  	 * Test #3
> >  	 * - Goal: confirm that bpf_ima_inode_hash() returns a non-fresh digest
> > -	 * - Expected result: 2 samples (/bin/true: non-fresh, fresh)
> > +	 * - Expected result:
> > +	 *   1 sample (/bin/true: fresh) if commit 62622dab0a28 applied
> > +	 *   2 samples (/bin/true: non-fresh, fresh) if commit 62622dab0a28 is
> > +	 *     not applied
> > +	 *
> > +	 * If commit 62622dab0a28 ("ima: return IMA digest value only when
> > +	 * IMA_COLLECTED flag is set") is applied, bpf_ima_inode_hash() refuses
> > +	 * to give a non-fresh digest, hence the correct result is 1 instead of
> > +	 * 2.
> >  	 */
> >  	test_init(skel->bss);
> >  
> > @@ -144,13 +152,18 @@ void test_test_ima(void)
> >  		goto close_clean;
> >  
> >  	err = ring_buffer__consume(ringbuf);
> > -	ASSERT_EQ(err, 2, "num_samples_or_err");
> > -	ASSERT_NEQ(ima_hash_from_bpf[0], 0, "ima_hash");
> > -	ASSERT_NEQ(ima_hash_from_bpf[1], 0, "ima_hash");
> > -	ASSERT_EQ(ima_hash_from_bpf[0], bin_true_sample, "sample_equal_or_err");
> > +	ASSERT_GE(err, 1, "num_samples_or_err");
> > +	if (err == 2) {
> > +		ASSERT_NEQ(ima_hash_from_bpf[0], 0, "ima_hash");
> > +		ASSERT_EQ(ima_hash_from_bpf[0], bin_true_sample,
> > +			  "sample_equal_or_err");
> > +		fresh_digest_idx = 1;
> > +	}
> > +
> > +	ASSERT_NEQ(ima_hash_from_bpf[fresh_digest_idx], 0, "ima_hash");
> >  	/* IMA refreshed the digest. */
> > -	ASSERT_NEQ(ima_hash_from_bpf[1], bin_true_sample,
> > -		   "sample_different_or_err");
> > +	ASSERT_NEQ(ima_hash_from_bpf[fresh_digest_idx], bin_true_sample,
> > +		   "sample_equal_or_err");
> >  
> >  	/*
> >  	 * Test #4
> > -- 
> > 2.25.1
> > 
> /M
Matt Bobrowski March 8, 2023, 12:24 p.m. UTC | #4
On Wed, Mar 08, 2023 at 01:05:45PM +0100, Roberto Sassu wrote:
> On Wed, 2023-03-08 at 11:03 +0000, Matt Bobrowski wrote:
> > Ha! I was literally in the midst of sending through a patch for
> > this. Thanks for also taking a look and beating me to it!
> > 
> > This LGTM, feel free to add:
> > 
> > Reviewed-by: Matt Bobrowski <mattbobrowski@google.com>
> 
> Thanks.
> 
> I have only one remain question. Should we accept the old behavior, or
> simply reject it?

I assume you mean whether we should continue supporting the old,
arguably incorrect, behavior in this test? I'm of the opinion that it
is OK, given that this is how the API behaved prior to commit
62622dab0a28.

I'll let others also chime in and share their .02 though...

> > On Wed, Mar 08, 2023 at 11:37:13AM +0100, Roberto Sassu wrote:
> > > From: Roberto Sassu <roberto.sassu@huawei.com>
> > > 
> > > Commit 62622dab0a28 ("ima: return IMA digest value only when IMA_COLLECTED
> > > flag is set") caused bpf_ima_inode_hash() to refuse to give non-fresh
> > > digests. IMA test #3 assumed the old behavior, that bpf_ima_inode_hash()
> > > still returned also non-fresh digests.
> > > 
> > > Correct the test by accepting both cases. If the samples returned are 1,
> > > assume that the commit above is applied and that the returned digest is
> > > fresh. If the samples returned are 2, assume that the commit above is not
> > > applied, and check both the non-fresh and fresh digest.
> > > 
> > > Fixes: 62622dab0a28 ("ima: return IMA digest value only when IMA_COLLECTED flag is set")
> > > Reported by: David Vernet <void@manifault.com>
> > > Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
> > > ---
> > >  .../selftests/bpf/prog_tests/test_ima.c       | 29 ++++++++++++++-----
> > >  1 file changed, 21 insertions(+), 8 deletions(-)
> > > 
> > > diff --git a/tools/testing/selftests/bpf/prog_tests/test_ima.c b/tools/testing/selftests/bpf/prog_tests/test_ima.c
> > > index b13feceb38f..810b14981c2 100644
> > > --- a/tools/testing/selftests/bpf/prog_tests/test_ima.c
> > > +++ b/tools/testing/selftests/bpf/prog_tests/test_ima.c
> > > @@ -70,7 +70,7 @@ void test_test_ima(void)
> > >  	u64 bin_true_sample;
> > >  	char cmd[256];
> > >  
> > > -	int err, duration = 0;
> > > +	int err, duration = 0, fresh_digest_idx = 0;
> > >  	struct ima *skel = NULL;
> > >  
> > >  	skel = ima__open_and_load();
> > > @@ -129,7 +129,15 @@ void test_test_ima(void)
> > >  	/*
> > >  	 * Test #3
> > >  	 * - Goal: confirm that bpf_ima_inode_hash() returns a non-fresh digest
> > > -	 * - Expected result: 2 samples (/bin/true: non-fresh, fresh)
> > > +	 * - Expected result:
> > > +	 *   1 sample (/bin/true: fresh) if commit 62622dab0a28 applied
> > > +	 *   2 samples (/bin/true: non-fresh, fresh) if commit 62622dab0a28 is
> > > +	 *     not applied
> > > +	 *
> > > +	 * If commit 62622dab0a28 ("ima: return IMA digest value only when
> > > +	 * IMA_COLLECTED flag is set") is applied, bpf_ima_inode_hash() refuses
> > > +	 * to give a non-fresh digest, hence the correct result is 1 instead of
> > > +	 * 2.
> > >  	 */
> > >  	test_init(skel->bss);
> > >  
> > > @@ -144,13 +152,18 @@ void test_test_ima(void)
> > >  		goto close_clean;
> > >  
> > >  	err = ring_buffer__consume(ringbuf);
> > > -	ASSERT_EQ(err, 2, "num_samples_or_err");
> > > -	ASSERT_NEQ(ima_hash_from_bpf[0], 0, "ima_hash");
> > > -	ASSERT_NEQ(ima_hash_from_bpf[1], 0, "ima_hash");
> > > -	ASSERT_EQ(ima_hash_from_bpf[0], bin_true_sample, "sample_equal_or_err");
> > > +	ASSERT_GE(err, 1, "num_samples_or_err");
> > > +	if (err == 2) {
> > > +		ASSERT_NEQ(ima_hash_from_bpf[0], 0, "ima_hash");
> > > +		ASSERT_EQ(ima_hash_from_bpf[0], bin_true_sample,
> > > +			  "sample_equal_or_err");
> > > +		fresh_digest_idx = 1;
> > > +	}
> > > +
> > > +	ASSERT_NEQ(ima_hash_from_bpf[fresh_digest_idx], 0, "ima_hash");
> > >  	/* IMA refreshed the digest. */
> > > -	ASSERT_NEQ(ima_hash_from_bpf[1], bin_true_sample,
> > > -		   "sample_different_or_err");
> > > +	ASSERT_NEQ(ima_hash_from_bpf[fresh_digest_idx], bin_true_sample,
> > > +		   "sample_equal_or_err");
> > >  
> > >  	/*
> > >  	 * Test #4
> > > -- 
> > > 2.25.1

/M
Andrii Nakryiko March 8, 2023, 7:17 p.m. UTC | #5
On Wed, Mar 8, 2023 at 2:41 AM Roberto Sassu
<roberto.sassu@huaweicloud.com> wrote:
>
> On Wed, 2023-03-08 at 11:37 +0100, Roberto Sassu wrote:
> > From: Roberto Sassu <roberto.sassu@huawei.com>
>
> The title should have been selftests/bpf: ...
>
> Will send a new version once I get the test result.

I fixed up prefix and Reported-by tag, pushed to bpf-next. Thanks for the fix!

>
> Roberto
>
> > Commit 62622dab0a28 ("ima: return IMA digest value only when IMA_COLLECTED
> > flag is set") caused bpf_ima_inode_hash() to refuse to give non-fresh
> > digests. IMA test #3 assumed the old behavior, that bpf_ima_inode_hash()
> > still returned also non-fresh digests.
> >
> > Correct the test by accepting both cases. If the samples returned are 1,
> > assume that the commit above is applied and that the returned digest is
> > fresh. If the samples returned are 2, assume that the commit above is not
> > applied, and check both the non-fresh and fresh digest.
> >
> > Fixes: 62622dab0a28 ("ima: return IMA digest value only when IMA_COLLECTED flag is set")
> > Reported by: David Vernet <void@manifault.com>
> > Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
> > ---
> >  .../selftests/bpf/prog_tests/test_ima.c       | 29 ++++++++++++++-----
> >  1 file changed, 21 insertions(+), 8 deletions(-)
> >
> > diff --git a/tools/testing/selftests/bpf/prog_tests/test_ima.c b/tools/testing/selftests/bpf/prog_tests/test_ima.c
> > index b13feceb38f..810b14981c2 100644
> > --- a/tools/testing/selftests/bpf/prog_tests/test_ima.c
> > +++ b/tools/testing/selftests/bpf/prog_tests/test_ima.c
> > @@ -70,7 +70,7 @@ void test_test_ima(void)
> >       u64 bin_true_sample;
> >       char cmd[256];
> >
> > -     int err, duration = 0;
> > +     int err, duration = 0, fresh_digest_idx = 0;
> >       struct ima *skel = NULL;
> >
> >       skel = ima__open_and_load();
> > @@ -129,7 +129,15 @@ void test_test_ima(void)
> >       /*
> >        * Test #3
> >        * - Goal: confirm that bpf_ima_inode_hash() returns a non-fresh digest
> > -      * - Expected result: 2 samples (/bin/true: non-fresh, fresh)
> > +      * - Expected result:
> > +      *   1 sample (/bin/true: fresh) if commit 62622dab0a28 applied
> > +      *   2 samples (/bin/true: non-fresh, fresh) if commit 62622dab0a28 is
> > +      *     not applied
> > +      *
> > +      * If commit 62622dab0a28 ("ima: return IMA digest value only when
> > +      * IMA_COLLECTED flag is set") is applied, bpf_ima_inode_hash() refuses
> > +      * to give a non-fresh digest, hence the correct result is 1 instead of
> > +      * 2.
> >        */
> >       test_init(skel->bss);
> >
> > @@ -144,13 +152,18 @@ void test_test_ima(void)
> >               goto close_clean;
> >
> >       err = ring_buffer__consume(ringbuf);
> > -     ASSERT_EQ(err, 2, "num_samples_or_err");
> > -     ASSERT_NEQ(ima_hash_from_bpf[0], 0, "ima_hash");
> > -     ASSERT_NEQ(ima_hash_from_bpf[1], 0, "ima_hash");
> > -     ASSERT_EQ(ima_hash_from_bpf[0], bin_true_sample, "sample_equal_or_err");
> > +     ASSERT_GE(err, 1, "num_samples_or_err");
> > +     if (err == 2) {
> > +             ASSERT_NEQ(ima_hash_from_bpf[0], 0, "ima_hash");
> > +             ASSERT_EQ(ima_hash_from_bpf[0], bin_true_sample,
> > +                       "sample_equal_or_err");
> > +             fresh_digest_idx = 1;
> > +     }
> > +
> > +     ASSERT_NEQ(ima_hash_from_bpf[fresh_digest_idx], 0, "ima_hash");
> >       /* IMA refreshed the digest. */
> > -     ASSERT_NEQ(ima_hash_from_bpf[1], bin_true_sample,
> > -                "sample_different_or_err");
> > +     ASSERT_NEQ(ima_hash_from_bpf[fresh_digest_idx], bin_true_sample,
> > +                "sample_equal_or_err");
> >
> >       /*
> >        * Test #4
>
patchwork-bot+netdevbpf@kernel.org March 8, 2023, 7:20 p.m. UTC | #6
Hello:

This patch was applied to bpf/bpf-next.git (master)
by Andrii Nakryiko <andrii@kernel.org>:

On Wed,  8 Mar 2023 11:37:13 +0100 you wrote:
> From: Roberto Sassu <roberto.sassu@huawei.com>
> 
> Commit 62622dab0a28 ("ima: return IMA digest value only when IMA_COLLECTED
> flag is set") caused bpf_ima_inode_hash() to refuse to give non-fresh
> digests. IMA test #3 assumed the old behavior, that bpf_ima_inode_hash()
> still returned also non-fresh digests.
> 
> [...]

Here is the summary with links:
  - bpf: Fix IMA test
    https://git.kernel.org/bpf/bpf-next/c/12fabae03ca6

You are awesome, thank you!
diff mbox series

Patch

diff --git a/tools/testing/selftests/bpf/prog_tests/test_ima.c b/tools/testing/selftests/bpf/prog_tests/test_ima.c
index b13feceb38f..810b14981c2 100644
--- a/tools/testing/selftests/bpf/prog_tests/test_ima.c
+++ b/tools/testing/selftests/bpf/prog_tests/test_ima.c
@@ -70,7 +70,7 @@  void test_test_ima(void)
 	u64 bin_true_sample;
 	char cmd[256];
 
-	int err, duration = 0;
+	int err, duration = 0, fresh_digest_idx = 0;
 	struct ima *skel = NULL;
 
 	skel = ima__open_and_load();
@@ -129,7 +129,15 @@  void test_test_ima(void)
 	/*
 	 * Test #3
 	 * - Goal: confirm that bpf_ima_inode_hash() returns a non-fresh digest
-	 * - Expected result: 2 samples (/bin/true: non-fresh, fresh)
+	 * - Expected result:
+	 *   1 sample (/bin/true: fresh) if commit 62622dab0a28 applied
+	 *   2 samples (/bin/true: non-fresh, fresh) if commit 62622dab0a28 is
+	 *     not applied
+	 *
+	 * If commit 62622dab0a28 ("ima: return IMA digest value only when
+	 * IMA_COLLECTED flag is set") is applied, bpf_ima_inode_hash() refuses
+	 * to give a non-fresh digest, hence the correct result is 1 instead of
+	 * 2.
 	 */
 	test_init(skel->bss);
 
@@ -144,13 +152,18 @@  void test_test_ima(void)
 		goto close_clean;
 
 	err = ring_buffer__consume(ringbuf);
-	ASSERT_EQ(err, 2, "num_samples_or_err");
-	ASSERT_NEQ(ima_hash_from_bpf[0], 0, "ima_hash");
-	ASSERT_NEQ(ima_hash_from_bpf[1], 0, "ima_hash");
-	ASSERT_EQ(ima_hash_from_bpf[0], bin_true_sample, "sample_equal_or_err");
+	ASSERT_GE(err, 1, "num_samples_or_err");
+	if (err == 2) {
+		ASSERT_NEQ(ima_hash_from_bpf[0], 0, "ima_hash");
+		ASSERT_EQ(ima_hash_from_bpf[0], bin_true_sample,
+			  "sample_equal_or_err");
+		fresh_digest_idx = 1;
+	}
+
+	ASSERT_NEQ(ima_hash_from_bpf[fresh_digest_idx], 0, "ima_hash");
 	/* IMA refreshed the digest. */
-	ASSERT_NEQ(ima_hash_from_bpf[1], bin_true_sample,
-		   "sample_different_or_err");
+	ASSERT_NEQ(ima_hash_from_bpf[fresh_digest_idx], bin_true_sample,
+		   "sample_equal_or_err");
 
 	/*
 	 * Test #4