bpf: Add a selftest for bpf_ima_inode_hash
The test does the following:
- Mounts a loopback filesystem and appends the IMA policy to measure
executions only on this file-system. Restricting the IMA policy to
a particular filesystem prevents a system-wide IMA policy change.
- Executes an executable copied to this loopback filesystem.
- Calls the bpf_ima_inode_hash in the bprm_committed_creds hook and
checks if the call succeeded and checks if a hash was calculated.
The test shells out to the added ima_setup.sh script as the setup is
better handled in a shell script and is more complicated to do in the
test program or even shelling out individual commands from C.
The list of required configs (i.e. IMA, SECURITYFS,
IMA_{WRITE,READ}_POLICY) for running this test are also updated.
Suggested-by: Mimi Zohar <zohar@linux.ibm.com> (limit policy rule to loopback mount)
Signed-off-by: 
KP Singh <kpsingh@google.com>
Signed-off-by: 
Daniel Borkmann <daniel@iogearbox.net>
Acked-by: 
Yonghong Song <yhs@fb.com>
Link: https://lore.kernel.org/bpf/20201124151210.1081188-4-kpsingh@chromium.org
Showing
- tools/testing/selftests/bpf/config 4 additions, 0 deletionstools/testing/selftests/bpf/config
- tools/testing/selftests/bpf/ima_setup.sh 80 additions, 0 deletionstools/testing/selftests/bpf/ima_setup.sh
- tools/testing/selftests/bpf/prog_tests/test_ima.c 74 additions, 0 deletionstools/testing/selftests/bpf/prog_tests/test_ima.c
- tools/testing/selftests/bpf/progs/ima.c 28 additions, 0 deletionstools/testing/selftests/bpf/progs/ima.c
Please register or sign in to comment