bpf: Add a selftest for bpf_ima_inode_hash
KP Singh authored

The test does the following:

- Mounts a loopback filesystem and appends the IMA policy to measure
  executions only on this file-system. Restricting the IMA policy to
  a particular filesystem prevents a system-wide IMA policy change.
- Executes an executable copied to this loopback filesystem.
- Calls the bpf_ima_inode_hash in the bprm_committed_creds hook and
  checks if the call succeeded and checks if a hash was calculated.

The test shells out to the added ima_setup.sh script as the setup is
better handled in a shell script and is more complicated to do in the
test program or even shelling out individual commands from C.

The list of required configs (i.e. IMA, SECURITYFS,
IMA_{WRITE,READ}_POLICY) for running this test is also updated.

Suggested-by: Mimi Zohar <zohar@linux.ibm.com> (limit policy rule to loopback mount)
Signed-off-by: KP Singh <kpsingh@google.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Yonghong Song <yhs@fb.com>
Link: https://lore.kernel.org/bpf/20201124151210.1081188-4-kpsingh@chromium.org
34b82d3a
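The setup the commit message describes (loopback filesystem, IMA rule restricted to that filesystem, executable copied onto it, measurement checked after exec), as an added illustrative script. This is not the ima_setup.sh added by this commit; it assumes root, util-linux losetup/blkid, mkfs.ext4, a kernel with CONFIG_IMA, CONFIG_SECURITYFS and CONFIG_IMA_WRITE_POLICY, and /bin/true as the test binary. The function names, the 10 MiB image size and the setup/run/cleanup actions are this example's own.

```bash
#!/bin/bash
# Added example, not the kernel tree's ima_setup.sh: scope an IMA measurement
# rule to a freshly created loopback filesystem so that only executables on
# that filesystem are measured, then verify the measurement landed.
# Assumptions: run as root; losetup/blkid (util-linux), mkfs.ext4 and dd are
# installed; kernel built with CONFIG_IMA, CONFIG_SECURITYFS and
# CONFIG_IMA_WRITE_POLICY; /bin/true exists to serve as the test binary.
set -e

SECURITYFS_DIR="/sys/kernel/security"
IMA_POLICY_FILE="${SECURITYFS_DIR}/ima/policy"
IMA_MEASUREMENTS="${SECURITYFS_DIR}/ima/ascii_runtime_measurements"
TEST_BINARY="/bin/true"

# Build the one-line IMA rule: measure on exec (func=BPRM_CHECK), but only
# for files on the filesystem with this UUID. A rule without fsuuid= would
# measure every exec on the machine, and loaded IMA rules cannot be removed
# without a reboot, so the scoping is what keeps the test from changing
# system-wide behaviour.
ima_rule_for_uuid() {
    local uuid="$1"
    case "$uuid" in
        ????????-????-????-????-????????????) ;;
        *) echo "ima_rule_for_uuid: not a filesystem UUID: '$uuid'" >&2; return 1 ;;
    esac
    printf 'measure func=BPRM_CHECK fsuuid=%s\n' "$uuid"
}

ensure_securityfs() {
    [ -d "${SECURITYFS_DIR}/ima" ] && return 0
    mount -t securityfs securityfs "${SECURITYFS_DIR}"
}

# Create a 10 MiB ext4 image, mount it through a loop device, copy the test
# binary onto it and append the scoped rule. Prints the path of the copied
# binary so the caller can exec it.
ima_setup_loopback() {
    local tmp_dir="$1"
    local img="${tmp_dir}/test.img" mnt="${tmp_dir}/mnt"
    local loop uuid

    mkdir -p "${mnt}"
    dd if=/dev/zero of="${img}" bs=1M count=10 status=none
    loop="$(losetup --find --show "${img}")"
    mkfs.ext4 -q "${loop}"
    mount "${loop}" "${mnt}"
    cp "${TEST_BINARY}" "${mnt}/"

    uuid="$(blkid -s UUID -o value "${loop}")"
    ensure_securityfs
    # With CONFIG_IMA_WRITE_POLICY=y a write to the policy file appends a rule.
    ima_rule_for_uuid "${uuid}" > "${IMA_POLICY_FILE}"
    echo "${mnt}/$(basename "${TEST_BINARY}")"
}

# Once the copied binary has been executed, its entry must show up in the
# IMA measurement list; the hash recorded there is what bpf_ima_inode_hash()
# hands back to the LSM program attached to bprm_committed_creds.
ima_was_measured() {
    grep -q -- "$1" "${IMA_MEASUREMENTS}"
}

ima_cleanup_loopback() {
    local tmp_dir="$1"
    local img="${tmp_dir}/test.img" mnt="${tmp_dir}/mnt"
    umount "${mnt}"
    losetup --detach "$(losetup --associated "${img}" | cut -d: -f1)"
    rm -rf "${tmp_dir}"
}

# Dispatch only when an action is given; sourcing the file has no side effects.
case "${1:-}" in
    run)
        tmp="$(mktemp -d)"
        bin="$(ima_setup_loopback "${tmp}")"
        "${bin}"                                   # exec triggers the BPRM_CHECK measurement
        ima_was_measured "${bin}" && echo "measured: ${bin}"
        ima_cleanup_loopback "${tmp}"
        ;;
    setup)   ima_setup_loopback "$2" ;;
    cleanup) ima_cleanup_loopback "$2" ;;
    *) ;;
esac
```

Run as `./ima_loop.sh run` to do setup, exec and check in one go, or `setup <dir>` / `cleanup <dir>` around your own test program. Note that `cleanup` unmounts and detaches the loop device but cannot undo the policy append: the rule stays until reboot, which is harmless precisely because it names a UUID that no longer exists.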