From: Yonghong Song <yhs@fb.com>
To: KP Singh <kpsingh@chromium.org>
Cc: Mimi Zohar <zohar@linux.ibm.com>,
Andrii Nakryiko <andrii.nakryiko@gmail.com>,
James Morris <jmorris@namei.org>,
open list <linux-kernel@vger.kernel.org>,
bpf <bpf@vger.kernel.org>,
Linux Security Module list
<linux-security-module@vger.kernel.org>,
Alexei Starovoitov <ast@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
Florent Revest <revest@chromium.org>,
Brendan Jackman <jackmanb@chromium.org>,
Petr Vorel <pvorel@suse.cz>
Subject: Re: [PATCH bpf-next v2 3/3] bpf: Update LSM selftests for bpf_ima_inode_hash
Date: Mon, 23 Nov 2020 11:00:22 -0800 [thread overview]
Message-ID: <1aef0681-a19d-cda3-8d64-4f7340045818@fb.com> (raw)
In-Reply-To: <7f4e1733-175e-288d-8c6c-4adc12f17ad5@fb.com>
On 11/23/20 10:54 AM, Yonghong Song wrote:
>
>
> On 11/23/20 10:46 AM, KP Singh wrote:
>> On Mon, Nov 23, 2020 at 7:36 PM Yonghong Song <yhs@fb.com> wrote:
>>>
>>>
>>>
>>> On 11/23/20 10:27 AM, KP Singh wrote:
>>>> [...]
>>>>
>>>>>>>
>>>>>>> Even if a custom policy has been loaded, potentially additional
>>>>>>> measurements unrelated to this test would be included the
>>>>>>> measurement
>>>>>>> list. One way of limiting a rule to a specific test is by loopback
>>>>>>> mounting a file system and defining a policy rule based on the
>>>>>>> loopback
>>>>>>> mount unique uuid.
>>>>>>
>>>>>> Thanks Mimi!
>>>>>>
>>>>>> I wonder if we simply limit this to policy to /tmp and run an
>>>>>> executable
>>>>>> from /tmp (like test_local_storage.c does).
>>>>>>
>>>>>> The only side effect would be of extra hashes being calculated on
>>>>>> binaries run from /tmp which is not too bad I guess?
>>>>>
>>>>> The builtin measurement policy (ima_policy=tcb") explicitly defines a
>>>>> rule to not measure /tmp files. Measuring /tmp results in a lot of
>>>>> measurements.
>>>>>
>>>>> {.action = DONT_MEASURE, .fsmagic = TMPFS_MAGIC, .flags =
>>>>> IMA_FSMAGIC},
>>>>>
>>>>>>
>>>>>> We could do the loop mount too, but I am guessing the most clean way
>>>>>> would be to shell out to mount from the test? Are there some other
>>>>>> examples
>>>>>> of IMA we could look at?
>>>>>
>>>>> LTP loopback mounts a filesystem, since /tmp is not being measured
>>>>> with
>>>>> the builtin "tcb" policy. Defining new policy rules should be limited
>>>>> to the loopback mount. This would pave the way for defining IMA-
>>>>> appraisal signature verification policy rules, without impacting the
>>>>> running system.
>>>>
>>>> +Andrii
>>>>
>>>> Do you think we can split the IMA test out,
>>>> have a little shell script that does the loopback mount, gets the
>>>> FS UUID, updates the IMA policy and then runs a C program?
>>>>
>>>> This would also allow "test_progs" to be independent of CONFIG_IMA.
>>>>
>>>> I am guessing the structure would be something similar
>>>> to test_xdp_redirect.sh
>>>
>>> Look at sk_assign test.
>>>
>>> sk_assign.c: if (CHECK_FAIL(system("ip link set dev lo up")))
>>> sk_assign.c: if (CHECK_FAIL(system("ip route add local default dev
>>> lo")))
>>> sk_assign.c: if (CHECK_FAIL(system("ip -6 route add local default dev
>>> lo")))
>>> sk_assign.c: if (CHECK_FAIL(system("tc qdisc add dev lo clsact")))
>>> sk_assign.c: if (CHECK(system(tc_cmd), "BPF load failed;"
>>>
>>> You can use "system" to invoke some bash commands to simulate a script
>>> in the tests.
>>
>> Heh, that's what I was trying to avoid, I need to parse the output to
>> the get
>> the name of which loop device was assigned and then call a command like:
>>
>> # blkid /dev/loop0
>> /dev/loop0: UUID="607ed7ce-3fad-4236-8faf-8ab744f23e01" TYPE="ext3"
>>
>> Running simple commands with "system" seems okay but parsing output
>> is a bit too much :)
>>
>> I read about:
>>
>> https://man7.org/linux/man-pages/man4/loop.4.html
>>
>> But I still need to create a backing file, format it and then get the
>> UUID.
>>
>> Any simple trick that I may be missing?
>
> Maybe you can create a bash script on your prog_test files and do
> system("./<>.sh"). In the shell script, you can use all the bash magic
> (sed, awk, etc) to parse and store the needed result in a temp file, and
> after a successful system(""), you just read that temp file. Does this
> work?
I guess under the current framework, you can also create a .sh file
manually and place it into tools/testing/selftests/bpf directory
and call it in your prog_tests .c file with system("./<>.sh")...
>
>> - KP
>>
>>>
>>>>
>>>> - KP
>>>>
>>>>>
>>>>> Mimi
>>>>>
next prev parent reply other threads:[~2020-11-23 19:02 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-11-21 0:50 [PATCH bpf-next v2 1/3] ima: Implement ima_inode_hash KP Singh
2020-11-21 0:50 ` [PATCH bpf-next v2 2/3] bpf: Add a BPF helper for getting the IMA hash of an inode KP Singh
2020-11-21 6:54 ` Yonghong Song
2020-11-21 0:50 ` [PATCH bpf-next v2 3/3] bpf: Update LSM selftests for bpf_ima_inode_hash KP Singh
2020-11-23 13:24 ` Mimi Zohar
2020-11-23 14:06 ` KP Singh
2020-11-23 15:10 ` Mimi Zohar
2020-11-23 18:27 ` KP Singh
2020-11-23 18:36 ` Yonghong Song
2020-11-23 18:46 ` KP Singh
2020-11-23 18:54 ` Yonghong Song
2020-11-23 19:00 ` Yonghong Song [this message]
2020-11-21 6:48 ` [PATCH bpf-next v2 1/3] ima: Implement ima_inode_hash Yonghong Song
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1aef0681-a19d-cda3-8d64-4f7340045818@fb.com \
--to=yhs@fb.com \
--cc=andrii.nakryiko@gmail.com \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=jackmanb@chromium.org \
--cc=jmorris@namei.org \
--cc=kpsingh@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=pvorel@suse.cz \
--cc=revest@chromium.org \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.