Merge branch 'Fixes for ima selftest'

anakryiko · anakryiko · commit a8b415c9bde6 · 2020-12-03T11:20:21.000-08:00
KP Singh says:

====================

From: KP Singh &lt;kpsingh@google.com&gt;

# v3 -&gt; v4

* Fix typos.
* Update commit message for the indentation patch.
* Added Andrii's acks.

# v2 -&gt; v3

* Added missing tags.
* Indentation fixes + some other fixes suggested by Andrii.
* Re-indent file to tabs.

The selftest for the bpf_ima_inode_hash helper uses a shell script to
setup the system for ima. While this worked without an issue on recent
desktop distros, it failed on environments with stripped out shells like
busybox which is also used by the bpf CI.

This series fixes the assumptions made on the availablity of certain
command line switches and the expectation that securityfs being mounted
by default.

It also adds the missing kernel config dependencies in
tools/testing/selftests/bpf and, lastly, changes the indentation of
ima_setup.sh to use tabs.
====================

Signed-off-by: Andrii Nakryiko &lt;andrii@kernel.org&gt;
diff --git a/tools/testing/selftests/bpf/config b/tools/testing/selftests/bpf/config
@@ -43,3 +43,4 @@ CONFIG_IMA=y
 CONFIG_SECURITYFS=y
 CONFIG_IMA_WRITE_POLICY=y
 CONFIG_IMA_READ_POLICY=y
+CONFIG_BLK_DEV_LOOP=y
diff --git a/tools/testing/selftests/bpf/ima_setup.sh b/tools/testing/selftests/bpf/ima_setup.sh
@@ -3,78 +3,97 @@
 
 set -e
 set -u
+set -o pipefail
 
 IMA_POLICY_FILE="/sys/kernel/security/ima/policy"
 TEST_BINARY="/bin/true"
 
 usage()
 {
-        echo "Usage: $0 <setup|cleanup|run> <existing_tmp_dir>"
-        exit 1
+	echo "Usage: $0 <setup|cleanup|run> <existing_tmp_dir>"
+	exit 1
+}
+
+ensure_mount_securityfs()
+{
+	local securityfs_dir=$(grep "securityfs" /proc/mounts | awk '{print $2}')
+
+	if [ -z "${securityfs_dir}" ]; then
+		securityfs_dir=/sys/kernel/security
+		mount -t securityfs security "${securityfs_dir}"
+	fi
+
+	if [ ! -d "${securityfs_dir}" ]; then
+		echo "${securityfs_dir}: securityfs is not mounted" && exit 1
+	fi
 }
 
 setup()
 {
-        local tmp_dir="$1"
-        local mount_img="${tmp_dir}/test.img"
-        local mount_dir="${tmp_dir}/mnt"
-        local copied_bin_path="${mount_dir}/$(basename ${TEST_BINARY})"
-        mkdir -p ${mount_dir}
+	local tmp_dir="$1"
+	local mount_img="${tmp_dir}/test.img"
+	local mount_dir="${tmp_dir}/mnt"
+	local copied_bin_path="${mount_dir}/$(basename ${TEST_BINARY})"
+	mkdir -p ${mount_dir}
+
+	dd if=/dev/zero of="${mount_img}" bs=1M count=10
 
-        dd if=/dev/zero of="${mount_img}" bs=1M count=10
+	losetup -f "${mount_img}"
+	local loop_device=$(losetup -a | grep ${mount_img:?} | cut -d ":" -f1)
 
-        local loop_device="$(losetup --find --show ${mount_img})"
+	mkfs.ext2 "${loop_device:?}"
+	mount "${loop_device}" "${mount_dir}"
 
-        mkfs.ext4 "${loop_device}"
-        mount "${loop_device}" "${mount_dir}"
+	cp "${TEST_BINARY}" "${mount_dir}"
+	local mount_uuid="$(blkid ${loop_device} | sed 's/.*UUID="\([^"]*\)".*/\1/')"
 
-        cp "${TEST_BINARY}" "${mount_dir}"
-        local mount_uuid="$(blkid -s UUID -o value ${loop_device})"
-        echo "measure func=BPRM_CHECK fsuuid=${mount_uuid}" > ${IMA_POLICY_FILE}
+	ensure_mount_securityfs
+	echo "measure func=BPRM_CHECK fsuuid=${mount_uuid}" > ${IMA_POLICY_FILE}
 }
 
 cleanup() {
-        local tmp_dir="$1"
-        local mount_img="${tmp_dir}/test.img"
-        local mount_dir="${tmp_dir}/mnt"
+	local tmp_dir="$1"
+	local mount_img="${tmp_dir}/test.img"
+	local mount_dir="${tmp_dir}/mnt"
+
+	local loop_devices=$(losetup -a | grep ${mount_img:?} | cut -d ":" -f1)
 
-        local loop_devices=$(losetup -j ${mount_img} -O NAME --noheadings)
-        for loop_dev in "${loop_devices}"; do
-                losetup -d $loop_dev
-        done
+	for loop_dev in "${loop_devices}"; do
+		losetup -d $loop_dev
+	done
 
-        umount ${mount_dir}
-        rm -rf ${tmp_dir}
+	umount ${mount_dir}
+	rm -rf ${tmp_dir}
 }
 
 run()
 {
-        local tmp_dir="$1"
-        local mount_dir="${tmp_dir}/mnt"
-        local copied_bin_path="${mount_dir}/$(basename ${TEST_BINARY})"
+	local tmp_dir="$1"
+	local mount_dir="${tmp_dir}/mnt"
+	local copied_bin_path="${mount_dir}/$(basename ${TEST_BINARY})"
 
-        exec "${copied_bin_path}"
+	exec "${copied_bin_path}"
 }
 
 main()
 {
-        [[ $# -ne 2 ]] && usage
-
-        local action="$1"
-        local tmp_dir="$2"
-
-        [[ ! -d "${tmp_dir}" ]] && echo "Directory ${tmp_dir} doesn't exist" && exit 1
-
-        if [[ "${action}" == "setup" ]]; then
-                setup "${tmp_dir}"
-        elif [[ "${action}" == "cleanup" ]]; then
-                cleanup "${tmp_dir}"
-        elif [[ "${action}" == "run" ]]; then
-                run "${tmp_dir}"
-        else
-                echo "Unknown action: ${action}"
-                exit 1
-        fi
+	[[ $# -ne 2 ]] && usage
+
+	local action="$1"
+	local tmp_dir="$2"
+
+	[[ ! -d "${tmp_dir}" ]] && echo "Directory ${tmp_dir} doesn't exist" && exit 1
+
+	if [[ "${action}" == "setup" ]]; then
+		setup "${tmp_dir}"
+	elif [[ "${action}" == "cleanup" ]]; then
+		cleanup "${tmp_dir}"
+	elif [[ "${action}" == "run" ]]; then
+		run "${tmp_dir}"
+	else
+		echo "Unknown action: ${action}"
+		exit 1
+	fi
 }
 
 main "$@"
