Commit 12fabae0 authored by Roberto Sassu's avatar Roberto Sassu Committed by Andrii Nakryiko

selftests/bpf: Fix IMA test

Commit 62622dab ("ima: return IMA digest value only when IMA_COLLECTED
flag is set") caused bpf_ima_inode_hash() to refuse to give non-fresh
digests. IMA test #3 assumed the old behavior, that bpf_ima_inode_hash()
still returned also non-fresh digests.

Correct the test by accepting both cases. If the samples returned are 1,
assume that the commit above is applied and that the returned digest is
fresh. If the samples returned are 2, assume that the commit above is not
applied, and check both the non-fresh and fresh digest.

Fixes: 62622dab ("ima: return IMA digest value only when IMA_COLLECTED flag is set")
Reported-by: default avatarDavid Vernet <void@manifault.com>
Signed-off-by: default avatarRoberto Sassu <roberto.sassu@huawei.com>
Signed-off-by: default avatarAndrii Nakryiko <andrii@kernel.org>
Reviewed-by: default avatarMatt Bobrowski <mattbobrowski@google.com>
Link: https://lore.kernel.org/bpf/20230308103713.1681200-1-roberto.sassu@huaweicloud.com
parent d1d51a62
...@@ -70,7 +70,7 @@ void test_test_ima(void) ...@@ -70,7 +70,7 @@ void test_test_ima(void)
u64 bin_true_sample; u64 bin_true_sample;
char cmd[256]; char cmd[256];
int err, duration = 0; int err, duration = 0, fresh_digest_idx = 0;
struct ima *skel = NULL; struct ima *skel = NULL;
skel = ima__open_and_load(); skel = ima__open_and_load();
...@@ -129,7 +129,15 @@ void test_test_ima(void) ...@@ -129,7 +129,15 @@ void test_test_ima(void)
/* /*
* Test #3 * Test #3
* - Goal: confirm that bpf_ima_inode_hash() returns a non-fresh digest * - Goal: confirm that bpf_ima_inode_hash() returns a non-fresh digest
* - Expected result: 2 samples (/bin/true: non-fresh, fresh) * - Expected result:
* 1 sample (/bin/true: fresh) if commit 62622dab0a28 applied
* 2 samples (/bin/true: non-fresh, fresh) if commit 62622dab0a28 is
* not applied
*
* If commit 62622dab0a28 ("ima: return IMA digest value only when
* IMA_COLLECTED flag is set") is applied, bpf_ima_inode_hash() refuses
* to give a non-fresh digest, hence the correct result is 1 instead of
* 2.
*/ */
test_init(skel->bss); test_init(skel->bss);
...@@ -144,13 +152,18 @@ void test_test_ima(void) ...@@ -144,13 +152,18 @@ void test_test_ima(void)
goto close_clean; goto close_clean;
err = ring_buffer__consume(ringbuf); err = ring_buffer__consume(ringbuf);
ASSERT_EQ(err, 2, "num_samples_or_err"); ASSERT_GE(err, 1, "num_samples_or_err");
ASSERT_NEQ(ima_hash_from_bpf[0], 0, "ima_hash"); if (err == 2) {
ASSERT_NEQ(ima_hash_from_bpf[1], 0, "ima_hash"); ASSERT_NEQ(ima_hash_from_bpf[0], 0, "ima_hash");
ASSERT_EQ(ima_hash_from_bpf[0], bin_true_sample, "sample_equal_or_err"); ASSERT_EQ(ima_hash_from_bpf[0], bin_true_sample,
"sample_equal_or_err");
fresh_digest_idx = 1;
}
ASSERT_NEQ(ima_hash_from_bpf[fresh_digest_idx], 0, "ima_hash");
/* IMA refreshed the digest. */ /* IMA refreshed the digest. */
ASSERT_NEQ(ima_hash_from_bpf[1], bin_true_sample, ASSERT_NEQ(ima_hash_from_bpf[fresh_digest_idx], bin_true_sample,
"sample_different_or_err"); "sample_equal_or_err");
/* /*
* Test #4 * Test #4
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment