From: Yonghong Song <yhs@fb.com>
To: KP Singh <kpsingh@chromium.org>
Cc: Mimi Zohar <zohar@linux.ibm.com>,
Andrii Nakryiko <andrii.nakryiko@gmail.com>,
James Morris <jmorris@namei.org>,
open list <linux-kernel@vger.kernel.org>,
bpf <bpf@vger.kernel.org>,
Linux Security Module list
<linux-security-module@vger.kernel.org>,
Alexei Starovoitov <ast@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
Florent Revest <revest@chromium.org>,
Brendan Jackman <jackmanb@chromium.org>,
Petr Vorel <pvorel@suse.cz>
Subject: Re: [PATCH bpf-next v2 3/3] bpf: Update LSM selftests for bpf_ima_inode_hash
Date: Mon, 23 Nov 2020 11:00:22 -0800 [thread overview]
Message-ID: <1aef0681-a19d-cda3-8d64-4f7340045818@fb.com> (raw)
In-Reply-To: <7f4e1733-175e-288d-8c6c-4adc12f17ad5@fb.com>
On 11/23/20 10:54 AM, Yonghong Song wrote:
>
>
> On 11/23/20 10:46 AM, KP Singh wrote:
>> On Mon, Nov 23, 2020 at 7:36 PM Yonghong Song <yhs@fb.com> wrote:
>>>
>>>
>>>
>>> On 11/23/20 10:27 AM, KP Singh wrote:
>>>> [...]
>>>>
>>>>>>>
>>>>>>> Even if a custom policy has been loaded, potentially additional
>>>>>>> measurements unrelated to this test would be included the
>>>>>>> measurement
>>>>>>> list. One way of limiting a rule to a specific test is by loopback
>>>>>>> mounting a file system and defining a policy rule based on the
>>>>>>> loopback
>>>>>>> mount unique uuid.
>>>>>>
>>>>>> Thanks Mimi!
>>>>>>
>>>>>> I wonder if we simply limit this to policy to /tmp and run an
>>>>>> executable
>>>>>> from /tmp (like test_local_storage.c does).
>>>>>>
>>>>>> The only side effect would be of extra hashes being calculated on
>>>>>> binaries run from /tmp which is not too bad I guess?
>>>>>
>>>>> The builtin measurement policy (ima_policy=tcb") explicitly defines a
>>>>> rule to not measure /tmp files. Measuring /tmp results in a lot of
>>>>> measurements.
>>>>>
>>>>> {.action = DONT_MEASURE, .fsmagic = TMPFS_MAGIC, .flags =
>>>>> IMA_FSMAGIC},
>>>>>
>>>>>>
>>>>>> We could do the loop mount too, but I am guessing the most clean way
>>>>>> would be to shell out to mount from the test? Are there some other
>>>>>> examples
>>>>>> of IMA we could look at?
>>>>>
>>>>> LTP loopback mounts a filesystem, since /tmp is not being measured
>>>>> with
>>>>> the builtin "tcb" policy. Defining new policy rules should be limited
>>>>> to the loopback mount. This would pave the way for defining IMA-
>>>>> appraisal signature verification policy rules, without impacting the
>>>>> running system.
>>>>
>>>> +Andrii
>>>>
>>>> Do you think we can split the IMA test out,
>>>> have a little shell script that does the loopback mount, gets the
>>>> FS UUID, updates the IMA policy and then runs a C program?
>>>>
>>>> This would also allow "test_progs" to be independent of CONFIG_IMA.
>>>>
>>>> I am guessing the structure would be something similar
>>>> to test_xdp_redirect.sh
>>>
>>> Look at sk_assign test.
>>>
>>> sk_assign.c: if (CHECK_FAIL(system("ip link set dev lo up")))
>>> sk_assign.c: if (CHECK_FAIL(system("ip route add local default dev
>>> lo")))
>>> sk_assign.c: if (CHECK_FAIL(system("ip -6 route add local default dev
>>> lo")))
>>> sk_assign.c: if (CHECK_FAIL(system("tc qdisc add dev lo clsact")))
>>> sk_assign.c: if (CHECK(system(tc_cmd), "BPF load failed;"
>>>
>>> You can use "system" to invoke some bash commands to simulate a script
>>> in the tests.
>>
>> Heh, that's what I was trying to avoid, I need to parse the output to
>> the get
>> the name of which loop device was assigned and then call a command like:
>>
>> # blkid /dev/loop0
>> /dev/loop0: UUID="607ed7ce-3fad-4236-8faf-8ab744f23e01" TYPE="ext3"
>>
>> Running simple commands with "system" seems okay but parsing output
>> is a bit too much :)
>>
>> I read about:
>>
>> https://man7.org/linux/man-pages/man4/loop.4.html
>>
>> But I still need to create a backing file, format it and then get the
>> UUID.
>>
>> Any simple trick that I may be missing?
>
> Maybe you can create a bash script on your prog_test files and do
> system("./<>.sh"). In the shell script, you can use all the bash magic
> (sed, awk, etc) to parse and store the needed result in a temp file, and
> after a successful system(""), you just read that temp file. Does this
> work?
I guess under the current framework, you can also create a .sh file
manually and place it into tools/testing/selftests/bpf directory
and call it in your prog_tests .c file with system("./<>.sh")...
>
>> - KP
>>
>>>
>>>>
>>>> - KP
>>>>
>>>>>
>>>>> Mimi
>>>>>
next prev parent reply other threads:[~2020-11-23 19:02 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-11-21 0:50 [PATCH bpf-next v2 1/3] ima: Implement ima_inode_hash KP Singh
2020-11-21 0:50 ` [PATCH bpf-next v2 2/3] bpf: Add a BPF helper for getting the IMA hash of an inode KP Singh
2020-11-21 6:54 ` Yonghong Song
2020-11-21 0:50 ` [PATCH bpf-next v2 3/3] bpf: Update LSM selftests for bpf_ima_inode_hash KP Singh
2020-11-23 13:24 ` Mimi Zohar
2020-11-23 14:06 ` KP Singh
2020-11-23 15:10 ` Mimi Zohar
2020-11-23 18:27 ` KP Singh
2020-11-23 18:36 ` Yonghong Song
2020-11-23 18:46 ` KP Singh
2020-11-23 18:54 ` Yonghong Song
2020-11-23 19:00 ` Yonghong Song [this message]
2020-11-21 6:48 ` [PATCH bpf-next v2 1/3] ima: Implement ima_inode_hash Yonghong Song
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1aef0681-a19d-cda3-8d64-4f7340045818@fb.com \
--to=yhs@fb.com \
--cc=andrii.nakryiko@gmail.com \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=jackmanb@chromium.org \
--cc=jmorris@namei.org \
--cc=kpsingh@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=pvorel@suse.cz \
--cc=revest@chromium.org \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).