selftests/bpf: Check that bpf_kernel_read_file() denies reading IMA policy
Check that bpf_kernel_read_file() denies the reading of an IMA policy, by ensuring that ima_setup.sh exits with an error. Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> Signed-off-by: Alexei Starovoitov <ast@kernel.org> Link: https://lore.kernel.org/bpf/20220302111404.193900-10-roberto.sassu@huawei.com
parent
e6dcf7bbf3
commit
7bae42b68d
@ -59,6 +59,7 @@ static void test_init(struct ima__bss *bss)
bss->use_ima_file_hash = false;
bss->enable_bprm_creds_for_exec = false;
bss->enable_kernel_read_file = false;
bss->test_deny = false;
}
void test_test_ima(void)
@ -200,6 +201,22 @@ void test_test_ima(void)
ASSERT_NEQ(ima_hash_from_bpf[0], 0, "ima_hash");
ASSERT_NEQ(ima_hash_from_bpf[1], 0, "ima_hash");
/*
* Test #6
* - Goal: ensure that the kernel_read_file hook denies an operation
* - Expected result: 0 samples
*/
test_init(skel->bss);
skel->bss->enable_kernel_read_file = true;
skel->bss->test_deny = true;
err = _run_measured_process(measured_dir, &skel->bss->monitored_pid,
"load-policy");
if (CHECK(!err, "run_measured_process #6", "err = %d\n", err))
goto close_clean;
err = ring_buffer__consume(ringbuf);
ASSERT_EQ(err, 0, "num_samples_or_err");
close_clean:
snprintf(cmd, sizeof(cmd), "./ima_setup.sh cleanup %s", measured_dir);
err = system(cmd);
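Review bot: The negative check `if (CHECK(!err, "run_measured_process #6", "err = %d\n", err))` accepts any non-zero result from the helper, so an environment failure in `ima_setup.sh load-policy` (e.g. the policy file is absent or the IMA policy interface is not writable) passes this test exactly as a genuine -EPERM from the BPF LSM hook would, and the following `ASSERT_EQ(err, 0, "num_samples_or_err")` cannot tell the two apart because neither case produces a sample. If `_run_measured_process` propagates the child's exit status (it is defined outside this hunk, so I cannot confirm), assert on the specific value the script returns for a denied policy write rather than on `!err`. The test-plan comment would also be clearer about what is being verified: `* - Expected result: load-policy fails (kernel_read_file hook returns -EPERM), 0 samples`. The `ima_hash_from_bpf` assertions at the top of the hunk suggest a successful policy load is already exercised above as the positive control; that part of test_test_ima starts outside the hunk.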
@ -21,6 +21,7 @@ char _license[] SEC("license") = "GPL";
bool use_ima_file_hash;
bool enable_bprm_creds_for_exec;
bool enable_kernel_read_file;
bool test_deny;
static void ima_test_common(struct file *file)
{
@ -51,6 +52,17 @@ static void ima_test_common(struct file *file)
return;
}
static int ima_test_deny(void)
{
u32 pid;
pid = bpf_get_current_pid_tgid() >> 32;
if (pid == monitored_pid && test_deny)
return -EPERM;
return 0;
}
SEC("lsm.s/bprm_committed_creds")
void BPF_PROG(bprm_committed_creds, struct linux_binprm *bprm)
{
@ -71,6 +83,8 @@ SEC("lsm.s/kernel_read_file")
int BPF_PROG(kernel_read_file, struct file *file, enum kernel_read_file_id id,
bool contents)
{
int ret;
if (!enable_kernel_read_file)
return 0;
@ -80,6 +94,10 @@ int BPF_PROG(kernel_read_file, struct file *file, enum kernel_read_file_id id,
if (id != READING_POLICY)
return 0;
ret = ima_test_deny();
if (ret < 0)
return ret;
ima_test_common(file);
return 0;
}
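Review bot: The ordering in `kernel_read_file` carries an invariant that is not documented: `ima_test_deny()` is evaluated before `ima_test_common(file)`, so a denied policy load records no ring-buffer sample, which is exactly what the user-space side of this commit asserts (0 samples) — a future reordering would silently break that test. Add a comment on the helper, `/* Return -EPERM for the monitored process when test_deny is set; must be checked before recording a sample. */`, and one at the call site, `/* Deny before measuring so a rejected policy load leaves no sample. */`. The denial is also applied regardless of the `contents` argument; if the hook is invoked once without contents as a pre-read check, that is the invocation that matters for enforcement, so this is presumably intended but worth stating next to the `id != READING_POLICY` filter. `bpf_get_current_pid_tgid() >> 32` yields the tgid, consistent with `monitored_pid` being set once for the whole test child, so the `u32 pid` name is acceptable here.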