From: KP Singh
Date: Wed, 25 Nov 2020 03:55:29 +0100
Subject: Re: [PATCH bpf-next v3 3/3] bpf: Add a selftest for bpf_ima_inode_hash
To: Mimi Zohar
Cc: James Morris, open list, bpf, Linux Security Module list, Alexei Starovoitov, Daniel Borkmann, Florent Revest, Brendan Jackman
References: <20201124151210.1081188-1-kpsingh@chromium.org> <20201124151210.1081188-4-kpsingh@chromium.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Nov 25, 2020 at 3:20 AM Mimi Zohar wrote:
>
> On Tue, 2020-11-24 at 15:12 +0000, KP Singh wrote:
> > diff --git a/tools/testing/selftests/bpf/ima_setup.sh b/tools/testing/selftests/bpf/ima_setup.sh > > new file mode 100644 > > index 000000000000..15490ccc5e55 > > --- /dev/null > > +++ b/tools/testing/selftests/bpf/ima_setup.sh
> > @@ -0,0 +1,80 @@ > > +#!/bin/bash > > +# SPDX-License-Identifier: GPL-2.0 > > + > > +set -e > > +set -u > > + > > +IMA_POLICY_FILE="/sys/kernel/security/ima/policy" > > +TEST_BINARY="/bin/true" > > + > > +usage() > > +{ > > + echo "Usage: $0 " > > + exit 1 > > +} > > + > > +setup() > > +{ > > + local tmp_dir="$1" > > + local mount_img="${tmp_dir}/test.img" > > + local mount_dir="${tmp_dir}/mnt" > > + local copied_bin_path="${mount_dir}/$(basename ${TEST_BINARY})" > > + mkdir -p ${mount_dir} > > + > > + dd if=/dev/zero of="${mount_img}" bs=1M count=10 > > + > > + local loop_device="$(losetup --find --show ${mount_img})" > > + > > + mkfs.ext4 "${loop_device}" > > + mount "${loop_device}" "${mount_dir}" > > + > > + cp "${TEST_BINARY}" "${mount_dir}" > > + local mount_uuid="$(blkid -s UUID -o value ${loop_device})" > > + echo "measure func=BPRM_CHECK fsuuid=${mount_uuid}" > ${IMA_POLICY_FILE}
>
> Anyone using IMA normally defines policy rules requiring the policy
> itself to be signed. Instead of writing the policy rules, write the

The goal of this self test is to not fully test the IMA functionality
but check if the BPF helper works and returns a hash with the minimal
possible IMA config dependencies. And it seems like we can accomplish
this by simply writing the policy to securityfs directly.

From what I noticed, IMA_APPRAISE_REQUIRE_POLICY_SIGS
requires configuring a lot of other kernel options
(IMA_APPRAISE, ASYMMETRIC_KEYS etc.) that seem
like too much for bpf self tests to depend on.

I guess we can independently add selftests for IMA which represent
a more real IMA configuration. Hope this sounds reasonable?

> signed policy file pathname. Refer to dracut commit 479b5cd9
> ("98integrity: support validating the IMA policy file signature").
>
> Both enabling IMA_APPRAISE_REQUIRE_POLICY_SIGS and the builtin
> "appraise_tcb" policy require loading a signed policy.

Thanks for the pointers.

- KP

>
> Mimi
>
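
Review bot: in setup(), `local loop_device="$(losetup --find --show ${mount_img})"` and `local mount_uuid="$(blkid -s UUID -o value ${loop_device})"` combine the declaration with a command substitution, so the status that `set -e` sees is that of `local` and a failing losetup or blkid does not stop the script at that line. For blkid this means the rule can be written to ${IMA_POLICY_FILE} with an empty `fsuuid=` value. Declare each variable with `local` first and assign it on a separate line so the failure is caught where it happens. The expansions in `mkdir -p ${mount_dir}`, `$(basename ${TEST_BINARY})`, the losetup and blkid arguments and the `> ${IMA_POLICY_FILE}` redirect are also unquoted while the neighbouring dd, mkfs.ext4, mount and cp lines quote theirs; quoting them consistently keeps a tmp_dir containing whitespace from being word-split.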