Message ID | 20201120131708.3237864-3-kpsingh@chromium.org (mailing list archive) |
---|---|
State | New, archived |
Headers | show |
Series | [bpf-next,1/3] ima: Implement ima_inode_hash | expand |
On 11/20/20 5:17 AM, KP Singh wrote: > From: KP Singh <kpsingh@google.com> > > - Update the IMA policy before executing the test binary (this is not an > override of the policy, just an append that ensures that hashes are > calculated on executions). > > - Call the bpf_ima_inode_hash in the bprm_committed_creds hook and check > if the call succeeded and a hash was calculated. > > Signed-off-by: KP Singh <kpsingh@google.com> LGTM with a few nits below. Acked-by: Yonghong Song <yhs@fb.com> > --- > tools/testing/selftests/bpf/config | 3 ++ > .../selftests/bpf/prog_tests/test_lsm.c | 32 +++++++++++++++++++ > tools/testing/selftests/bpf/progs/lsm.c | 7 +++- > 3 files changed, 41 insertions(+), 1 deletion(-) > > diff --git a/tools/testing/selftests/bpf/config b/tools/testing/selftests/bpf/config > index 2118e23ac07a..4b5764031368 100644 > --- a/tools/testing/selftests/bpf/config > +++ b/tools/testing/selftests/bpf/config > @@ -39,3 +39,6 @@ CONFIG_BPF_JIT=y > CONFIG_BPF_LSM=y > CONFIG_SECURITY=y > CONFIG_LIRC=y > +CONFIG_IMA=y > +CONFIG_IMA_WRITE_POLICY=y > +CONFIG_IMA_READ_POLICY=y > diff --git a/tools/testing/selftests/bpf/prog_tests/test_lsm.c b/tools/testing/selftests/bpf/prog_tests/test_lsm.c > index 6ab29226c99b..3f5d64adb233 100644 > --- a/tools/testing/selftests/bpf/prog_tests/test_lsm.c > +++ b/tools/testing/selftests/bpf/prog_tests/test_lsm.c > @@ -52,6 +52,28 @@ int exec_cmd(int *monitored_pid) > return -EINVAL; > } > [...] > + > void test_test_lsm(void) > { > struct lsm *skel = NULL; > @@ -66,6 +88,10 @@ void test_test_lsm(void) > if (CHECK(err, "attach", "lsm attach failed: %d\n", err)) > goto close_prog; > > + err = update_ima_policy(); > + if (CHECK(err != 0, "update_ima_policy", "error = %d\n", err)) > + goto close_prog; "err != 0" => err? "error = %d" => "err %d" for consistency with other usage in this function. > + > err = exec_cmd(&skel->bss->monitored_pid); > if (CHECK(err < 0, "exec_cmd", "err %d errno %d\n", err, errno)) > goto close_prog; > @@ -83,6 +109,12 @@ void test_test_lsm(void) > CHECK(skel->bss->mprotect_count != 1, "mprotect_count", > "mprotect_count = %d\n", skel->bss->mprotect_count); > > + CHECK(skel->data->ima_hash_ret < 0, "ima_hash_ret", > + "ima_hash_ret = %d\n", skel->data->ima_hash_ret); > + > + CHECK(skel->bss->ima_hash == 0, "ima_hash", > + "ima_hash = %lu\n", skel->bss->ima_hash); > + > syscall(__NR_setdomainname, &buf, -2L); > syscall(__NR_setdomainname, 0, -3L); > syscall(__NR_setdomainname, ~0L, -4L); > diff --git a/tools/testing/selftests/bpf/progs/lsm.c b/tools/testing/selftests/bpf/progs/lsm.c > index ff4d343b94b5..b0f9639e4b0a 100644 > --- a/tools/testing/selftests/bpf/progs/lsm.c > +++ b/tools/testing/selftests/bpf/progs/lsm.c > @@ -35,6 +35,8 @@ char _license[] SEC("license") = "GPL"; > int monitored_pid = 0; > int mprotect_count = 0; > int bprm_count = 0; > +int ima_hash_ret = -1; The helper returns type "long", but "int" type here should be fine too. > +u64 ima_hash = 0; > > SEC("lsm/file_mprotect") > int BPF_PROG(test_int_hook, struct vm_area_struct *vma, > @@ -65,8 +67,11 @@ int BPF_PROG(test_void_hook, struct linux_binprm *bprm) > __u32 key = 0; > __u64 *value; > > - if (monitored_pid == pid) > + if (monitored_pid == pid) { > bprm_count++; > + ima_hash_ret = bpf_ima_inode_hash(bprm->file->f_inode, > + &ima_hash, sizeof(ima_hash)); > + } > > bpf_copy_from_user(args, sizeof(args), (void *)bprm->vma->vm_mm->arg_start); > bpf_copy_from_user(args, sizeof(args), (void *)bprm->mm->arg_start); >
On Fri, Nov 20, 2020 at 7:11 PM Yonghong Song <yhs@fb.com> wrote: > > > > On 11/20/20 5:17 AM, KP Singh wrote: > > From: KP Singh <kpsingh@google.com> > > > > - Update the IMA policy before executing the test binary (this is not an > > override of the policy, just an append that ensures that hashes are > > calculated on executions). > > > > - Call the bpf_ima_inode_hash in the bprm_committed_creds hook and check > > if the call succeeded and a hash was calculated. > > > > Signed-off-by: KP Singh <kpsingh@google.com> > > LGTM with a few nits below. > > Acked-by: Yonghong Song <yhs@fb.com> > > > --- > > tools/testing/selftests/bpf/config | 3 ++ [...] > > } > > > [...] > > + > > void test_test_lsm(void) > > { > > struct lsm *skel = NULL; > > @@ -66,6 +88,10 @@ void test_test_lsm(void) > > if (CHECK(err, "attach", "lsm attach failed: %d\n", err)) > > goto close_prog; > > > > + err = update_ima_policy(); > > + if (CHECK(err != 0, "update_ima_policy", "error = %d\n", err)) > > + goto close_prog; > > "err != 0" => err? > "error = %d" => "err %d" for consistency with other usage in this function. Done. > > > + > > err = exec_cmd(&skel->bss->monitored_pid); > > if (CHECK(err < 0, "exec_cmd", "err %d errno %d\n", err, errno)) > > goto close_prog; > > @@ -83,6 +109,12 @@ void test_test_lsm(void) [...] > > int mprotect_count = 0; > > int bprm_count = 0; > > +int ima_hash_ret = -1; > > The helper returns type "long", but "int" type here should be fine too. Changed it to long for correctness.
diff --git a/tools/testing/selftests/bpf/config b/tools/testing/selftests/bpf/config index 2118e23ac07a..4b5764031368 100644 --- a/tools/testing/selftests/bpf/config +++ b/tools/testing/selftests/bpf/config @@ -39,3 +39,6 @@ CONFIG_BPF_JIT=y CONFIG_BPF_LSM=y CONFIG_SECURITY=y CONFIG_LIRC=y +CONFIG_IMA=y +CONFIG_IMA_WRITE_POLICY=y +CONFIG_IMA_READ_POLICY=y diff --git a/tools/testing/selftests/bpf/prog_tests/test_lsm.c b/tools/testing/selftests/bpf/prog_tests/test_lsm.c index 6ab29226c99b..3f5d64adb233 100644 --- a/tools/testing/selftests/bpf/prog_tests/test_lsm.c +++ b/tools/testing/selftests/bpf/prog_tests/test_lsm.c @@ -52,6 +52,28 @@ int exec_cmd(int *monitored_pid) return -EINVAL; } +#define IMA_POLICY "measure func=BPRM_CHECK" + +/* This does not override the policy, IMA policy updates are + * append only, so this just ensures that "measure func=BPRM_CHECK" + * is in the policy. IMA does not allow us to remove this line once + * it is added. + */ +static int update_ima_policy(void) +{ + int fd, ret = 0; + + fd = open("/sys/kernel/security/ima/policy", O_WRONLY); + if (fd < 0) + return -errno; + + if (write(fd, IMA_POLICY, sizeof(IMA_POLICY)) == -1) + ret = -errno; + + close(fd); + return ret; +} + void test_test_lsm(void) { struct lsm *skel = NULL; @@ -66,6 +88,10 @@ void test_test_lsm(void) if (CHECK(err, "attach", "lsm attach failed: %d\n", err)) goto close_prog; + err = update_ima_policy(); + if (CHECK(err != 0, "update_ima_policy", "error = %d\n", err)) + goto close_prog; + err = exec_cmd(&skel->bss->monitored_pid); if (CHECK(err < 0, "exec_cmd", "err %d errno %d\n", err, errno)) goto close_prog; @@ -83,6 +109,12 @@ void test_test_lsm(void) CHECK(skel->bss->mprotect_count != 1, "mprotect_count", "mprotect_count = %d\n", skel->bss->mprotect_count); + CHECK(skel->data->ima_hash_ret < 0, "ima_hash_ret", + "ima_hash_ret = %d\n", skel->data->ima_hash_ret); + + CHECK(skel->bss->ima_hash == 0, "ima_hash", + "ima_hash = %lu\n", skel->bss->ima_hash); + syscall(__NR_setdomainname, &buf, -2L); syscall(__NR_setdomainname, 0, -3L); syscall(__NR_setdomainname, ~0L, -4L); diff --git a/tools/testing/selftests/bpf/progs/lsm.c b/tools/testing/selftests/bpf/progs/lsm.c index ff4d343b94b5..b0f9639e4b0a 100644 --- a/tools/testing/selftests/bpf/progs/lsm.c +++ b/tools/testing/selftests/bpf/progs/lsm.c @@ -35,6 +35,8 @@ char _license[] SEC("license") = "GPL"; int monitored_pid = 0; int mprotect_count = 0; int bprm_count = 0; +int ima_hash_ret = -1; +u64 ima_hash = 0; SEC("lsm/file_mprotect") int BPF_PROG(test_int_hook, struct vm_area_struct *vma, @@ -65,8 +67,11 @@ int BPF_PROG(test_void_hook, struct linux_binprm *bprm) __u32 key = 0; __u64 *value; - if (monitored_pid == pid) + if (monitored_pid == pid) { bprm_count++; + ima_hash_ret = bpf_ima_inode_hash(bprm->file->f_inode, + &ima_hash, sizeof(ima_hash)); + } bpf_copy_from_user(args, sizeof(args), (void *)bprm->vma->vm_mm->arg_start); bpf_copy_from_user(args, sizeof(args), (void *)bprm->mm->arg_start);