e6dcf7bbf3
Test the ability of bpf_lsm_kernel_read_file() to call the sleepable functions bpf_ima_inode_hash() or bpf_ima_file_hash() to obtain a measurement of a loaded IMA policy. Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> Signed-off-by: Alexei Starovoitov <ast@kernel.org> Link: https://lore.kernel.org/bpf/20220302111404.193900-9-roberto.sassu@huawei.com
157 lines
3.3 KiB
Bash
Executable File
157 lines
3.3 KiB
Bash
Executable File
#!/bin/bash
|
|
# SPDX-License-Identifier: GPL-2.0
|
|
|
|
set -e
|
|
set -u
|
|
set -o pipefail
|
|
|
|
IMA_POLICY_FILE="/sys/kernel/security/ima/policy"
|
|
TEST_BINARY="/bin/true"
|
|
VERBOSE="${SELFTESTS_VERBOSE:=0}"
|
|
LOG_FILE="$(mktemp /tmp/ima_setup.XXXX.log)"
|
|
|
|
usage()
|
|
{
|
|
echo "Usage: $0 <setup|cleanup|run|modify-bin|restore-bin|load-policy> <existing_tmp_dir>"
|
|
exit 1
|
|
}
|
|
|
|
ensure_mount_securityfs()
|
|
{
|
|
local securityfs_dir=$(grep "securityfs" /proc/mounts | awk '{print $2}')
|
|
|
|
if [ -z "${securityfs_dir}" ]; then
|
|
securityfs_dir=/sys/kernel/security
|
|
mount -t securityfs security "${securityfs_dir}"
|
|
fi
|
|
|
|
if [ ! -d "${securityfs_dir}" ]; then
|
|
echo "${securityfs_dir}: securityfs is not mounted" && exit 1
|
|
fi
|
|
}
|
|
|
|
setup()
|
|
{
|
|
local tmp_dir="$1"
|
|
local mount_img="${tmp_dir}/test.img"
|
|
local mount_dir="${tmp_dir}/mnt"
|
|
local copied_bin_path="${mount_dir}/$(basename ${TEST_BINARY})"
|
|
mkdir -p ${mount_dir}
|
|
|
|
dd if=/dev/zero of="${mount_img}" bs=1M count=10
|
|
|
|
losetup -f "${mount_img}"
|
|
local loop_device=$(losetup -a | grep ${mount_img:?} | cut -d ":" -f1)
|
|
|
|
mkfs.ext2 "${loop_device:?}"
|
|
mount "${loop_device}" "${mount_dir}"
|
|
|
|
cp "${TEST_BINARY}" "${mount_dir}"
|
|
local mount_uuid="$(blkid ${loop_device} | sed 's/.*UUID="\([^"]*\)".*/\1/')"
|
|
|
|
ensure_mount_securityfs
|
|
echo "measure func=BPRM_CHECK fsuuid=${mount_uuid}" > ${IMA_POLICY_FILE}
|
|
echo "measure func=BPRM_CHECK fsuuid=${mount_uuid}" > ${mount_dir}/policy_test
|
|
}
|
|
|
|
cleanup() {
|
|
local tmp_dir="$1"
|
|
local mount_img="${tmp_dir}/test.img"
|
|
local mount_dir="${tmp_dir}/mnt"
|
|
|
|
local loop_devices=$(losetup -a | grep ${mount_img:?} | cut -d ":" -f1)
|
|
|
|
for loop_dev in "${loop_devices}"; do
|
|
losetup -d $loop_dev
|
|
done
|
|
|
|
umount ${mount_dir}
|
|
rm -rf ${tmp_dir}
|
|
}
|
|
|
|
run()
|
|
{
|
|
local tmp_dir="$1"
|
|
local mount_dir="${tmp_dir}/mnt"
|
|
local copied_bin_path="${mount_dir}/$(basename ${TEST_BINARY})"
|
|
|
|
exec "${copied_bin_path}"
|
|
}
|
|
|
|
modify_bin()
|
|
{
|
|
local tmp_dir="$1"
|
|
local mount_dir="${tmp_dir}/mnt"
|
|
local copied_bin_path="${mount_dir}/$(basename ${TEST_BINARY})"
|
|
|
|
echo "mod" >> "${copied_bin_path}"
|
|
}
|
|
|
|
restore_bin()
|
|
{
|
|
local tmp_dir="$1"
|
|
local mount_dir="${tmp_dir}/mnt"
|
|
local copied_bin_path="${mount_dir}/$(basename ${TEST_BINARY})"
|
|
|
|
truncate -s -4 "${copied_bin_path}"
|
|
}
|
|
|
|
load_policy()
|
|
{
|
|
local tmp_dir="$1"
|
|
local mount_dir="${tmp_dir}/mnt"
|
|
|
|
echo ${mount_dir}/policy_test > ${IMA_POLICY_FILE} 2> /dev/null
|
|
}
|
|
|
|
catch()
|
|
{
|
|
local exit_code="$1"
|
|
local log_file="$2"
|
|
|
|
if [[ "${exit_code}" -ne 0 ]]; then
|
|
cat "${log_file}" >&3
|
|
fi
|
|
|
|
rm -f "${log_file}"
|
|
exit ${exit_code}
|
|
}
|
|
|
|
main()
|
|
{
|
|
[[ $# -ne 2 ]] && usage
|
|
|
|
local action="$1"
|
|
local tmp_dir="$2"
|
|
|
|
[[ ! -d "${tmp_dir}" ]] && echo "Directory ${tmp_dir} doesn't exist" && exit 1
|
|
|
|
if [[ "${action}" == "setup" ]]; then
|
|
setup "${tmp_dir}"
|
|
elif [[ "${action}" == "cleanup" ]]; then
|
|
cleanup "${tmp_dir}"
|
|
elif [[ "${action}" == "run" ]]; then
|
|
run "${tmp_dir}"
|
|
elif [[ "${action}" == "modify-bin" ]]; then
|
|
modify_bin "${tmp_dir}"
|
|
elif [[ "${action}" == "restore-bin" ]]; then
|
|
restore_bin "${tmp_dir}"
|
|
elif [[ "${action}" == "load-policy" ]]; then
|
|
load_policy "${tmp_dir}"
|
|
else
|
|
echo "Unknown action: ${action}"
|
|
exit 1
|
|
fi
|
|
}
|
|
|
|
trap 'catch "$?" "${LOG_FILE}"' EXIT
|
|
|
|
if [[ "${VERBOSE}" -eq 0 ]]; then
|
|
# Save the stderr to 3 so that we can output back to
|
|
# it incase of an error.
|
|
exec 3>&2 1>"${LOG_FILE}" 2>&1
|
|
fi
|
|
|
|
main "$@"
|
|
rm -f "${LOG_FILE}"
|