author | 2022-03-02 12:14:04 +0100 | |
---|---|---|
committer | 2022-03-10 18:57:55 -0800 | |
commit | 7bae42b68d7f070a346fde4c7c1ce182f2284933 (patch) | |
tree | 4b6611d6f456f2f2ef7c44e1ce579cffece0ef11 /tools/testing/selftests/bpf/prog_tests/test_ima.c | |
parent | selftests/bpf: Add test for bpf_lsm_kernel_read_file() (diff) | |
selftests/bpf: Check that bpf_kernel_read_file() denies reading IMA policy
Check that bpf_kernel_read_file() denies the reading of an IMA policy, by
ensuring that ima_setup.sh exits with an error.
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Link: https://lore.kernel.org/bpf/20220302111404.193900-10-roberto.sassu@huawei.com
Diffstat (limited to 'tools/testing/selftests/bpf/prog_tests/test_ima.c')
-rw-r--r-- | tools/testing/selftests/bpf/prog_tests/test_ima.c | 17 |
1 files changed, 17 insertions, 0 deletions
diff --git a/tools/testing/selftests/bpf/prog_tests/test_ima.c b/tools/testing/selftests/bpf/prog_tests/test_ima.c
index b13a141c4220..b13feceb38f1 100644
--- a/tools/testing/selftests/bpf/prog_tests/test_ima.c
+++ b/tools/testing/selftests/bpf/prog_tests/test_ima.c
@@ -59,6 +59,7 @@ static void test_init(struct ima__bss *bss)
 bss->use_ima_file_hash = false;
 bss->enable_bprm_creds_for_exec = false;
 bss->enable_kernel_read_file = false;
+ bss->test_deny = false;
 }

 void test_test_ima(void)
@@ -200,6 +201,22 @@ void test_test_ima(void)
 ASSERT_NEQ(ima_hash_from_bpf[0], 0, "ima_hash");
 ASSERT_NEQ(ima_hash_from_bpf[1], 0, "ima_hash");

+ /*
+ * Test #6
+ * - Goal: ensure that the kernel_read_file hook denies an operation
+ * - Expected result: 0 samples
+ */
+ test_init(skel->bss);
+ skel->bss->enable_kernel_read_file = true;
+ skel->bss->test_deny = true;
+ err = _run_measured_process(measured_dir, &skel->bss->monitored_pid,
+ "load-policy");
+ if (CHECK(!err, "run_measured_process #6", "err = %d\n", err))
+ goto close_clean;
+
+ err = ring_buffer__consume(ringbuf);
+ ASSERT_EQ(err, 0, "num_samples_or_err");
+
 close_clean:
 snprintf(cmd, sizeof(cmd), "./ima_setup.sh cleanup %s", measured_dir);
 err = system(cmd); |
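Review bot: The `CHECK(!err, "run_measured_process #6", ...)` in Test #6 accepts any non-zero result from `_run_measured_process()`, so the test also passes when `ima_setup.sh load-policy` fails for a reason unrelated to the hook, for example a setup error inside the script or a failure to start the child process. For a deny test this is a false pass exactly where a regression in the LSM hook would need to be caught. If the helper's return value carries the script's exit status (its body is outside this hunk, so this is an assumption), compare `err` with the specific status expected on denial instead of testing for non-zero, or have the BPF program record the denial in a `bss` field and assert on that after the run. At minimum, add a comment above the call such as `/* load-policy must fail: the kernel_read_file hook rejects the policy read */` so the inverted check is not mistaken for a typo. test_test_ima() starts before this hunk and continues after it.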