bpf.vger.kernel.org archive mirror
* test_ima passing only first time
@ 2021-03-10 21:57 Andrii Nakryiko
  2021-03-18 16:04 ` KP Singh
  0 siblings, 1 reply; 4+ messages in thread
From: Andrii Nakryiko @ 2021-03-10 21:57 UTC
  To: KP Singh, bpf

Hey KP,

test_ima is passing only the very first time I run it in my VM. Alexei
earlier reported similar issues. If you run it second time without
restarting the VM, you get the following:

10+0 records in
10+0 records out
10485760 bytes (10 MB, 10 MiB) copied, 0.00425121 s, 2.5 GB/s
mke2fs 1.45.0 (6-Mar-2019)
Discarding device blocks: done
Creating filesystem with 10240 1k blocks and 2560 inodes
Filesystem UUID: b9927426-1d29-458f-b2a0-8fe56455d209
Superblock backups stored on blocks:
        8193

Allocating group tables: done
Writing inode tables: done
Writing superblocks and filesystem accounting information: done

./ima_setup.sh: line 53: /sys/kernel/security/ima/policy: Permission denied
test_test_ima:PASS:skel_load 0 nsec
test_test_ima:PASS:ringbuf 0 nsec
test_test_ima:PASS:attach 0 nsec
test_test_ima:PASS:mkdtemp 0 nsec
test_test_ima:FAIL:71
#128 test_ima:FAIL

Do you see it on your side? Do you have any idea what's wrong?

Also, see that super-descriptive `test_test_ima:FAIL:71` line? That's
the reason I'm always bitching about CHECK_FAIL() use. At least this
one is not inside some loop.

-- Andrii

* Re: test_ima passing only first time
  2021-03-10 21:57 test_ima passing only first time Andrii Nakryiko
@ 2021-03-18 16:04 ` KP Singh
  2021-03-18 23:22   ` KP Singh
  0 siblings, 1 reply; 4+ messages in thread
From: KP Singh @ 2021-03-18 16:04 UTC
  To: Andrii Nakryiko; +Cc: bpf

Sorry I totally missed this email. Taking a look now.

On Wed, Mar 10, 2021 at 10:57 PM Andrii Nakryiko
<andrii.nakryiko@gmail.com> wrote:
>
> Hey KP,
>
> test_ima is passing only the very first time I run it in my VM. Alexei
> earlier reported similar issues. If you run it second time without
> restarting the VM, you get the following:
>
> 10+0 records in
> 10+0 records out
> 10485760 bytes (10 MB, 10 MiB) copied, 0.00425121 s, 2.5 GB/s
> mke2fs 1.45.0 (6-Mar-2019)
> Discarding device blocks: done
> Creating filesystem with 10240 1k blocks and 2560 inodes
> Filesystem UUID: b9927426-1d29-458f-b2a0-8fe56455d209
> Superblock backups stored on blocks:
>         8193
>
> Allocating group tables: done
> Writing inode tables: done
> Writing superblocks and filesystem accounting information: done
>
> ./ima_setup.sh: line 53: /sys/kernel/security/ima/policy: Permission denied
> test_test_ima:PASS:skel_load 0 nsec
> test_test_ima:PASS:ringbuf 0 nsec
> test_test_ima:PASS:attach 0 nsec
> test_test_ima:PASS:mkdtemp 0 nsec
> test_test_ima:FAIL:71
> #128 test_ima:FAIL
>
> Do you see it on your side? Do you have any idea what's wrong?
>
> Also, see that super-descriptive `test_test_ima:FAIL:71` line? That's
> the reason I'm always bitching about CHECK_FAIL() use. At least this
> one is not inside some loop.
>
> -- Andrii

* Re: test_ima passing only first time
  2021-03-18 16:04 ` KP Singh
@ 2021-03-18 23:22   ` KP Singh
  2021-03-18 23:37     ` Alexei Starovoitov
  0 siblings, 1 reply; 4+ messages in thread
From: KP Singh @ 2021-03-18 23:22 UTC
  To: Andrii Nakryiko; +Cc: bpf

On Thu, Mar 18, 2021 at 5:04 PM KP Singh <kpsingh@kernel.org> wrote:
>
> Sorry I totally missed this email. Taking a look now.

KP, You top posted in a hurry.

>
> On Wed, Mar 10, 2021 at 10:57 PM Andrii Nakryiko
> <andrii.nakryiko@gmail.com> wrote:
> >
> > Hey KP,
> >
> > test_ima is passing only the very first time I run it in my VM. Alexei
> > earlier reported similar issues. If you run it second time without
> > restarting the VM, you get the following:
> >
> > 10+0 records in
> > 10+0 records out
> > 10485760 bytes (10 MB, 10 MiB) copied, 0.00425121 s, 2.5 GB/s
> > mke2fs 1.45.0 (6-Mar-2019)
> > Discarding device blocks: done
> > Creating filesystem with 10240 1k blocks and 2560 inodes
> > Filesystem UUID: b9927426-1d29-458f-b2a0-8fe56455d209
> > Superblock backups stored on blocks:
> >         8193
> >
> > Allocating group tables: done
> > Writing inode tables: done
> > Writing superblocks and filesystem accounting information: done
> >
> > ./ima_setup.sh: line 53: /sys/kernel/security/ima/policy: Permission denied
> > test_test_ima:PASS:skel_load 0 nsec
> > test_test_ima:PASS:ringbuf 0 nsec
> > test_test_ima:PASS:attach 0 nsec
> > test_test_ima:PASS:mkdtemp 0 nsec
> > test_test_ima:FAIL:71
> > #128 test_ima:FAIL
> >
> > Do you see it on your side? Do you have any idea what's wrong?

Works for me :) Well, works on the CI image and config I mean.

I did the following local change to get a bash prompt from vmtest.sh

I will send a patch that adds a flag so that one can get a shell to
debug instead of powering the VM off.

diff --git a/tools/testing/selftests/bpf/vmtest.sh
b/tools/testing/selftests/bpf/vmtest.sh
index 22554894db99..710c73fe1b77 100755
--- a/tools/testing/selftests/bpf/vmtest.sh
+++ b/tools/testing/selftests/bpf/vmtest.sh
@@ -175,7 +175,8 @@ echo "130" > "/root/${EXIT_STATUS_FILE}"
        stdbuf -oL -eL ${command}
        echo "\$?" > "/root/${EXIT_STATUS_FILE}"
 } 2>&1 | tee "/root/${LOG_FILE}"
-poweroff -f
+# poweroff -f
+bash
 EOF

        sudo chmod a+x "${init_script}"
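
Review bot: The unconditional `bash` that replaces `poweroff -f` at the end of the generated init script leaves every vmtest.sh run sitting at an interactive shell, so the VM no longer shuts down on its own after the exit status has been written to `/root/${EXIT_STATUS_FILE}`. Gate the shell behind an option (the flag mentioned above) and keep `poweroff -f` as the default path; also drop the commented-out `# poweroff -f` line rather than carrying dead code in the heredoc.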

 ./vmtest.sh -- "./test_progs -t test_ima"

[...]

[root@(none) bpf]# ./test_progs -t test_ima
#128 test_ima:OK
Summary: 1/0 PASSED, 0 SKIPPED, 0 FAILED
[root@(none) bpf]# ./test_progs -t test_ima
[...]
#128 test_ima:OK
Summary: 1/0 PASSED, 0 SKIPPED, 0 FAILED
[root@(none) bpf]# ./test_progs -t test_ima
[...]
#128 test_ima:OK

Here's the kernel config that the BPF CI uses:

cat ~/.bpf_selftests/latest.config | grep IMA | grep -v "^#"
CONFIG_FB_CFB_IMAGEBLIT=y
CONFIG_FRAMEBUFFER_CONSOLE_DETECT_PRIMARY=y
CONFIG_IMA=y
CONFIG_IMA_MEASURE_PCR_IDX=10
CONFIG_IMA_LSM_RULES=y
CONFIG_IMA_NG_TEMPLATE=y
CONFIG_IMA_DEFAULT_TEMPLATE="ima-ng"
CONFIG_IMA_DEFAULT_HASH_SHA1=y
CONFIG_IMA_DEFAULT_HASH="sha1"
CONFIG_IMA_WRITE_POLICY=y
CONFIG_IMA_READ_POLICY=y
CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS=y
CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS=y

The important bit is having CONFIG_IMA_WRITE_POLICY and CONFIG_IMA_READ_POLICY
which allows reading and overriding the IMA policy.

> >
> > Also, see that super-descriptive `test_test_ima:FAIL:71` line? That's
> > the reason I'm always bitching about CHECK_FAIL() use. At least this

I will send a patch to add more descriptive error messages, in these
it will be something like

"error while running command ..."

- KP

> > one is not inside some loop.
> >
> > -- Andrii
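
A preflight check for the point made above about CONFIG_IMA_WRITE_POLICY and CONFIG_IMA_READ_POLICY, as an added example that is not part of the thread or of the kernel selftests: it reports which of the two options a kernel config file lacks. The function name `missing_ima_opts` and the command-line form at the end are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): check a kernel config for the two
# IMA options the thread identifies as required by test_ima.
REQUIRED_IMA_OPTS="CONFIG_IMA_WRITE_POLICY CONFIG_IMA_READ_POLICY"

# missing_ima_opts CONFIG_FILE   (hypothetical helper name)
# Prints the required options that are not "=y" in CONFIG_FILE, which may
# be plain text (.config) or gzip-compressed (e.g. /proc/config.gz).
# Returns 0 if nothing is missing, 1 if something is, 2 if unreadable.
missing_ima_opts() {
    cfg=$1
    if [ ! -r "$cfg" ]; then
        echo "cannot read $cfg" >&2
        return 2
    fi
    case $cfg in
        *.gz) reader="gzip -dc" ;;
        *)    reader="cat" ;;
    esac
    missing=""
    for opt in $REQUIRED_IMA_OPTS; do
        # Whole-line match: "# CONFIG_X is not set" and longer option
        # names that merely share the prefix must not count as enabled.
        if ! $reader "$cfg" | grep -qx "${opt}=y"; then
            missing="${missing}${missing:+ }${opt}"
        fi
    done
    [ -z "$missing" ] && return 0
    echo "$missing"
    return 1
}

# Optional command-line use: sh <this script> /path/to/config
if [ $# -ge 1 ]; then
    if missing_ima_opts "$1"; then
        echo "IMA policy options present"
    else
        echo "test_ima is expected to fail on this kernel config" >&2
    fi
fi
```
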

* Re: test_ima passing only first time
  2021-03-18 23:22   ` KP Singh
@ 2021-03-18 23:37     ` Alexei Starovoitov
  0 siblings, 0 replies; 4+ messages in thread
From: Alexei Starovoitov @ 2021-03-18 23:37 UTC
  To: KP Singh; +Cc: Andrii Nakryiko, bpf

On Thu, Mar 18, 2021 at 4:24 PM KP Singh <kpsingh@kernel.org> wrote:
>
> The important bit is having CONFIG_IMA_WRITE_POLICY and CONFIG_IMA_READ_POLICY
> which allows reading and overriding the IMA policy.

I was missing that. Thanks!
