bpf: Add a selftest for bpf_ima_inode_hash

CONFIG_BPF_LSM=y

CONFIG_SECURITY=y

CONFIG_LIRC=y

CONFIG_IMA=y

CONFIG_SECURITYFS=y

CONFIG_IMA_WRITE_POLICY=y

CONFIG_IMA_READ_POLICY=y

#!/bin/bash

# SPDX-License-Identifier: GPL-2.0

set -e

set -u

IMA_POLICY_FILE="/sys/kernel/security/ima/policy"

TEST_BINARY="/bin/true"

usage()

{

        echo "Usage: $0 <setup|cleanup|run> <existing_tmp_dir>"

        exit 1

}

setup()

{

        local tmp_dir="$1"

        local mount_img="${tmp_dir}/test.img"

        local mount_dir="${tmp_dir}/mnt"

        local copied_bin_path="${mount_dir}/$(basename ${TEST_BINARY})"

        mkdir -p ${mount_dir}

        dd if=/dev/zero of="${mount_img}" bs=1M count=10

        local loop_device="$(losetup --find --show ${mount_img})"

        mkfs.ext4 "${loop_device}"

        mount "${loop_device}" "${mount_dir}"

        cp "${TEST_BINARY}" "${mount_dir}"

        local mount_uuid="$(blkid -s UUID -o value ${loop_device})"

        echo "measure func=BPRM_CHECK fsuuid=${mount_uuid}" > ${IMA_POLICY_FILE}

}

cleanup() {

        local tmp_dir="$1"

        local mount_img="${tmp_dir}/test.img"

        local mount_dir="${tmp_dir}/mnt"

        local loop_devices=$(losetup -j ${mount_img} -O NAME --noheadings)

        for loop_dev in "${loop_devices}"; do

                losetup -d $loop_dev

        done

        umount ${mount_dir}

        rm -rf ${tmp_dir}

}

run()

{

        local tmp_dir="$1"

        local mount_dir="${tmp_dir}/mnt"

        local copied_bin_path="${mount_dir}/$(basename ${TEST_BINARY})"

        exec "${copied_bin_path}"

}

main()

{

        [[ $# -ne 2 ]] && usage

        local action="$1"

        local tmp_dir="$2"

        [[ ! -d "${tmp_dir}" ]] && echo "Directory ${tmp_dir} doesn't exist" && exit 1

        if [[ "${action}" == "setup" ]]; then

                setup "${tmp_dir}"

        elif [[ "${action}" == "cleanup" ]]; then

                cleanup "${tmp_dir}"

        elif [[ "${action}" == "run" ]]; then

                run "${tmp_dir}"

        else

                echo "Unknown action: ${action}"

                exit 1

        fi

}

main "$@"

// SPDX-License-Identifier: GPL-2.0

/*

 * Copyright (C) 2020 Google LLC.

 */

#include <stdio.h>

#include <stdlib.h>

#include <unistd.h>

#include <sys/wait.h>

#include <test_progs.h>

#include "ima.skel.h"

static int run_measured_process(const char *measured_dir, u32 *monitored_pid)

{

	int child_pid, child_status;

	child_pid = fork();

	if (child_pid == 0) {

		*monitored_pid = getpid();

		execlp("./ima_setup.sh", "./ima_setup.sh", "run", measured_dir,

		       NULL);

		exit(errno);

	} else if (child_pid > 0) {

		waitpid(child_pid, &child_status, 0);

		return WEXITSTATUS(child_status);

	}

	return -EINVAL;

}

void test_test_ima(void)

{

	char measured_dir_template[] = "/tmp/ima_measuredXXXXXX";

	const char *measured_dir;

	char cmd[256];

	int err, duration = 0;

	struct ima *skel = NULL;

	skel = ima__open_and_load();

	if (CHECK(!skel, "skel_load", "skeleton failed\n"))

		goto close_prog;

	err = ima__attach(skel);

	if (CHECK(err, "attach", "attach failed: %d\n", err))

		goto close_prog;

	measured_dir = mkdtemp(measured_dir_template);

	if (CHECK(measured_dir == NULL, "mkdtemp", "err %d\n", errno))

		goto close_prog;

	snprintf(cmd, sizeof(cmd), "./ima_setup.sh setup %s", measured_dir);

	if (CHECK_FAIL(system(cmd)))

		goto close_clean;

	err = run_measured_process(measured_dir, &skel->bss->monitored_pid);

	if (CHECK(err, "run_measured_process", "err = %d\n", err))

		goto close_clean;

	CHECK(skel->data->ima_hash_ret < 0, "ima_hash_ret",

	      "ima_hash_ret = %ld\n", skel->data->ima_hash_ret);

	CHECK(skel->bss->ima_hash == 0, "ima_hash",

	      "ima_hash = %lu\n", skel->bss->ima_hash);

close_clean:

	snprintf(cmd, sizeof(cmd), "./ima_setup.sh cleanup %s", measured_dir);

	CHECK_FAIL(system(cmd));

close_prog:

	ima__destroy(skel);

}

// SPDX-License-Identifier: GPL-2.0

/*

 * Copyright 2020 Google LLC.

 */

#include "vmlinux.h"

#include <errno.h>

#include <bpf/bpf_helpers.h>

#include <bpf/bpf_tracing.h>

long ima_hash_ret = -1;

u64 ima_hash = 0;

u32 monitored_pid = 0;

char _license[] SEC("license") = "GPL";

SEC("lsm.s/bprm_committed_creds")

int BPF_PROG(ima, struct linux_binprm *bprm)

{

	u32 pid = bpf_get_current_pid_tgid() >> 32;

	if (pid == monitored_pid)

		ima_hash_ret = bpf_ima_inode_hash(bprm->file->f_inode,

						  &ima_hash, sizeof(ima_hash));

	return 0;

}