On Tue, Dec 1, 2020 at 8:15 PM Andrii Nakryiko <andrii.nakryiko@xxxxxxxxx> wrote: > > On Tue, Dec 1, 2020 at 6:39 AM KP Singh <kpsingh@xxxxxxxxxxxx> wrote: > > > > From: KP Singh <kpsingh@xxxxxxxxxx> > > > > Update the commands to use the bare minimum options so that it works > > in busybox environments. > > > > Fixes: 34b82d3ac105 ("bpf: Add a selftest for bpf_ima_inode_hash") > > Reported-by: Andrii Nakryiko <andrii@xxxxxxxxxx> > > Signed-off-by: KP Singh <kpsingh@xxxxxxxxxx> > > --- > > tools/testing/selftests/bpf/ima_setup.sh | 9 ++++++--- > > 1 file changed, 6 insertions(+), 3 deletions(-) > > > > diff --git a/tools/testing/selftests/bpf/ima_setup.sh b/tools/testing/selftests/bpf/ima_setup.sh > > index 15490ccc5e55..ed29bde26a12 100755 > > --- a/tools/testing/selftests/bpf/ima_setup.sh > > +++ b/tools/testing/selftests/bpf/ima_setup.sh > > @@ -3,6 +3,7 @@ > > > > set -e > > set -u > > +set -o pipefail > > > > IMA_POLICY_FILE="/sys/kernel/security/ima/policy" > > TEST_BINARY="/bin/true" 
> > @@ -23,9 +24,10 @@ setup() > > > > dd if=/dev/zero of="${mount_img}" bs=1M count=10 > > This, and a few more commands in this script, produce a bunch of output > directly to stdout and stderr. Can you please silence it? If you need > that output for debugging, then you can check verbosity mode in > test_progs and pass extra parameters, if necessary. > > > > > > - local loop_device="$(losetup --find --show ${mount_img})" > > + losetup -f "${mount_img}" > > This doesn't work :( > > [root@(none) selftests]# ./ima_setup.sh setup /tmp/ima_measurednsymal > + set -e > + set -u > + set -o pipefail > + IMA_POLICY_FILE=/sys/kernel/security/ima/policy > + TEST_BINARY=/bin/true > + main setup /tmp/ima_measurednsymal > + [[ 2 -ne 2 ]] > + local action=setup > + local tmp_dir=/tmp/ima_measurednsymal > + [[ ! -d /tmp/ima_measurednsymal ]] > + [[ setup == \s\e\t\u\p ]] > + setup /tmp/ima_measurednsymal > + local tmp_dir=/tmp/ima_measurednsymal > + local mount_img=/tmp/ima_measurednsymal/test.img > + local mount_dir=/tmp/ima_measurednsymal/mnt > ++ basename /bin/true > + local copied_bin_path=/tmp/ima_measurednsymal/mnt/true > + mkdir -p /tmp/ima_measurednsymal/mnt > + dd if=/dev/zero of=/tmp/ima_measurednsymal/test.img bs=1M count=10 > 10+0 records in > 10+0 records out > 10485760 bytes (10.0MB) copied, 0.044713 seconds, 223.6MB/s > + losetup -f /tmp/ima_measurednsymal/test.img > losetup: /tmp/ima_measurednsymal/test.img: No such file or directory > [root@(none) selftests]# ls -la /tmp/ima_measurednsymal/test.img > -rw-r--r-- 1 root root 10485760 Dec 1 19:13 > /tmp/ima_measurednsymal/test.img > [root@(none) selftests]# losetup -f /tmp/ima_measurednsymal/test.img > losetup: /tmp/ima_measurednsymal/test.img: No such file or directory > > > I have zero context on what IMA is and know nothing about loop > devices, so can't really investigate much, sorry... 
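Review bot: The `+set -o pipefail` line in the first hunk (@@ -3,6 +3,7 @@) is not covered by the commit message, which only describes reducing commands to the bare minimum options for busybox. Not every minimal shell accepts `pipefail`, so please say in the commit message why it is needed here and which shell the script is expected to run under, or move it to a separate patch.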
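Review bot: In the second hunk (@@ -23,9 +24,10 @@), replacing `local loop_device="$(losetup --find --show ${mount_img})"` with `losetup -f "${mount_img}"` drops the only place where the attached device name was captured. The visible part of the hunk does not show where `loop_device` now comes from; whatever follows should derive it from the image path rather than assume which device was picked, and should fail with a clear message if no device can be found, since the script runs under `set -e` and `set -u`.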
>

So after some debugging by using the same image as the bpf CI, we noticed
the following needs to be done:

* SecurityFS needs to be mounted
* "integrity" should be in CONFIG_LSM
* mkfs.ext2 should be used instead of mkfs.ext4
* The second patch of the series does not work as the image does not
  have a /dev/disk/by-uuid directory.
* The test image does have a blkid command but it ignores the options
  passed to only print the UUID.

I will send the fixes and, for the future, we can:

* Document / script how to run selftests against the CI image (and
  possibly a few other pre-canned images) without the need to set up or
  configure things like Travis CI for each fork / developer.
* Use this before we send patches so that we can avoid similar troubles
  in the future.
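
Three of the findings listed in the reply above (securityfs mounted, "integrity" in CONFIG_LSM, a blkid that ignores its output options) can be checked before the test runs. The following is an added example, not part of the thread or of ima_setup.sh; all function names are hypothetical and the SAMPLE_* data is constructed.

```shell
#!/bin/sh
# Added example: preflight checks for the findings in the reply above.
# Function names are hypothetical; the SAMPLE_* data is constructed.

# Read /proc/mounts-style text on stdin; succeed if securityfs is mounted.
securityfs_mounted() {
    awk '$3 == "securityfs" { found = 1 } END { exit !found }'
}

# Read a kernel config on stdin; print the value of CONFIG_LSM.
config_lsm() {
    sed -n 's/^CONFIG_LSM="\(.*\)"$/\1/p'
}

# lsm_listed NAME LIST: succeed if NAME is one whole entry of the
# comma-separated LIST (so "integrity_x" does not count as "integrity").
lsm_listed() {
    case ",$2," in
        *",$1,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Read plain blkid output on stdin and print the filesystem UUID. Parsing the
# full line avoids relying on blkid options that the image may ignore.
uuid_from_blkid() {
    sed -n 's/.*[[:space:]]UUID="\([^"]*\)".*/\1/p' | head -n 1
}

# check_env MOUNTS CONFIG: print one line per problem; print nothing if OK.
check_env() {
    printf '%s\n' "$1" | securityfs_mounted ||
        echo "securityfs is not mounted"
    lsm_listed integrity "$(printf '%s\n' "$2" | config_lsm)" ||
        echo "integrity is missing from CONFIG_LSM"
}

# Constructed sample of an environment that has both problems.
SAMPLE_MOUNTS='proc /proc proc rw 0 0
sysfs /sys sysfs rw 0 0'
SAMPLE_CONFIG='CONFIG_SECURITY=y
CONFIG_LSM="lockdown,yama,bpf"'
SAMPLE_BLKID='/dev/loop0: UUID="0f1e2d3c-aaaa-bbbb-cccc-112233445566" TYPE="ext2"'

check_env "$SAMPLE_MOUNTS" "$SAMPLE_CONFIG"
printf '%s\n' "$SAMPLE_BLKID" | uuid_from_blkid
```

On a real system the first argument would be the contents of /proc/mounts; where the kernel config text comes from depends on the image and is left to the caller.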