From: Roberto Sassu
To: Mimi Zohar, shuah@kernel.org, ast@kernel.org, daniel@iogearbox.net, andrii@kernel.org, yhs@fb.com, kpsingh@kernel.org, revest@chromium.org, gregkh@linuxfoundation.org
CC: linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kselftest@vger.kernel.org, bpf@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: RE: [PATCH v3 0/9] bpf-lsm: Extend interoperability with IMA
Date: Mon, 7 Mar 2022 10:31:52 +0000
Message-ID: <54a2b65856e4439f9170dfd86bbeb975@huawei.com>
In-Reply-To: <9be81980b1849dc60b46ad0672b667b6b5365f2d.camel@linux.ibm.com>
X-Mailing-List: linux-kernel@vger.kernel.org

> From: Mimi Zohar [mailto:zohar@linux.ibm.com]
> Sent: Sunday, March 6, 2022 8:24 PM
> On Wed, 2022-03-02 at 12:13 +0100, Roberto Sassu wrote:
> > Extend the interoperability with IMA, to give wider flexibility for the
> > implementation of integrity-focused LSMs based on eBPF.
> >
> > Patch 1 fixes some style issues.
> >
> > Patches 2-6 give the ability to eBPF-based LSMs to take advantage of the
> > measurement capability of IMA without needing to setup a policy in IMA
> > (those LSMs might implement the policy capability themselves).
> >
> > Patches 7-9 allow eBPF-based LSMs to evaluate files read by the kernel.
>
> The tests seem to only work when neither a builtin IMA policy or a
> custom policy is previously loaded.

Hi Mimi

unfortunately yes. If there are more generic rules, the number of
samples differs from that expected.

For example, if you have an existing rule like:

measure func=BPRM_CHECK mask=MAY_EXEC

you will have:

test_test_ima:PASS:run_measured_process #1 0 nsec
test_test_ima:FAIL:num_samples_or_err unexpected num_samples_or_err: actual 2 != expected 1

Test #1 fails because also ima_setup.sh is measured.

Thanks

Roberto

HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063
Managing Director: Li Peng, Zhong Ronghua
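
The failure mode described in the reply above can be checked for before the selftest is run. The following is an added example, not part of the mail or of the kernel selftests: it lists the `measure` rules in a loaded IMA policy that would also measure executions such as `ima_setup.sh` and so change the sample count. The function names, the constructed sample policy and the `fsuuid=` scoping heuristic are assumptions.

```shell
#!/bin/sh
# Added example: pre-flight check before running the IMA selftest.
# Function names and the sample policy are hypothetical/constructed.
# On a live system the policy is read from securityfs, which needs root and
# a kernel built with CONFIG_IMA_READ_POLICY.

# Print each "measure" rule that covers BPRM_CHECK (or every hook, when no
# func= is given) and is not limited to one filesystem with fsuuid=.
# Heuristic (assumption): other narrowing conditions such as uid= are ignored.
broad_exec_rules() {
    policy_file="${1:-/sys/kernel/security/ima/policy}"
    awk '
        $1 != "measure" { next }   # skips comments, blanks, dont_measure, appraise
        {
            hook = ""; scoped = 0
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^func=/)   hook = substr($i, 6)
                if ($i ~ /^fsuuid=/) scoped = 1
            }
            if ((hook == "" || hook == "BPRM_CHECK") && !scoped) print
        }
    ' "$policy_file"
}

# Number of rules reported by broad_exec_rules.
count_broad_exec_rules() {
    broad_exec_rules "$1" | wc -l | tr -d ' '
}

# Constructed sample policy: the broad rule quoted in the mail, an
# fsuuid-scoped rule, a rule for another hook and a dont_measure rule.
sample_policy() {
    cat <<'EOF'
# constructed sample, not a real system policy
measure func=BPRM_CHECK mask=MAY_EXEC
measure func=BPRM_CHECK fsuuid=11111111-2222-3333-4444-555555555555
measure func=FILE_CHECK mask=MAY_READ uid=0
dont_measure fsmagic=0x9fa0
EOF
}

tmp=$(mktemp) && sample_policy > "$tmp"
echo "broad exec-measuring rules: $(count_broad_exec_rules "$tmp")"
broad_exec_rules "$tmp"
rm -f "$tmp"
```

A non-zero count means the expected number of samples in the test will not hold on that system.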