git.osdn.net Git - tomoyo/tomoyo-test1.git/commit

author	KP Singh <kpsingh@google.com>
	Tue, 24 Nov 2020 15:12:10 +0000 (15:12 +0000)
committer	Daniel Borkmann <daniel@iogearbox.net>
	Wed, 25 Nov 2020 23:25:47 +0000 (00:25 +0100)
commit	34b82d3ac1058653b3de7be4697b55f67533b1f1
tree	446d0619ca0cf5c22e8698e90f92f908170e8879	tree \| snapshot
parent	27672f0d280a3f286a410a8db2004f46ace72a17	commit \| diff

bpf: Add a selftest for bpf_ima_inode_hash

The test does the following:

- Mounts a loopback filesystem and appends the IMA policy to measure
  executions only on this file-system. Restricting the IMA policy to
  a particular filesystem prevents a system-wide IMA policy change.
- Executes an executable copied to this loopback filesystem.
- Calls the bpf_ima_inode_hash in the bprm_committed_creds hook and
  checks if the call succeeded and checks if a hash was calculated.

The test shells out to the added ima_setup.sh script as the setup is
better handled in a shell script and is more complicated to do in the
test program or even shelling out individual commands from C.

The list of required configs (i.e. IMA, SECURITYFS,
IMA_{WRITE,READ}_POLICY) for running this test are also updated.

Suggested-by: Mimi Zohar <zohar@linux.ibm.com> (limit policy rule to loopback mount)
Signed-off-by: KP Singh <kpsingh@google.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Yonghong Song <yhs@fb.com>
Link: https://lore.kernel.org/bpf/20201124151210.1081188-4-kpsingh@chromium.org

tools/testing/selftests/bpf/config		diff \| blob \| history
tools/testing/selftests/bpf/ima_setup.sh	[new file with mode: 0755]	blob
tools/testing/selftests/bpf/prog_tests/test_ima.c	[new file with mode: 0644]	blob
tools/testing/selftests/bpf/progs/ima.c	[new file with mode: 0644]	blob