On Thu, Dec 3, 2020 at 6:56 AM Andrii Nakryiko
<andrii.nakryiko@xxxxxxxxx> wrote:
>
> On Wed, Dec 2, 2020 at 4:58 PM KP Singh <kpsingh@xxxxxxxxxxxx> wrote:
> >
> > From: KP Singh <kpsingh@xxxxxxxxxx>
> >
> > The ima selftest restricts its scope to a test filesystem image
> > mounted on a loop device and prevents permanent ima policy changes for
> > the whole system.
> >
> > Fixes: 34b82d3ac105 ("bpf: Add a selftest for bpf_ima_inode_hash")
> > Reported-by: Andrii Nakryiko <andrii@xxxxxxxxxx>
> > Signed-off-by: KP Singh <kpsingh@xxxxxxxxxx>
> > ---
> > tools/testing/selftests/bpf/config | 1 +
> > 1 file changed, 1 insertion(+)
> >
> > diff --git a/tools/testing/selftests/bpf/config b/tools/testing/selftests/bpf/config
> > index 365bf9771b07..37e1f303fc11 100644
> > --- a/tools/testing/selftests/bpf/config
> > +++ b/tools/testing/selftests/bpf/config
> > @@ -43,3 +43,4 @@ CONFIG_IMA=y
> > CONFIG_SECURITYFS=y
> > CONFIG_IMA_WRITE_POLICY=y
> > CONFIG_IMA_READ_POLICY=y
> > +CONFIG_BLK_DEV_LOOP=y
> > --
>
>
> You mentioned also that CONFIG_LSM="selinux,bpf,integrity" is needed,
> no? Let's add that as well?
I did not add it because we did not do it when we added "bpf" to the list and
I also don't think selinux is really required here which might be worse in
some cases (e.g. when the required config options for
SELinux are not selected).
Also, when one selects CONFIG_BPF_LSM or CONFIG_IMA from make
menuconfig / nconfig, we get "bpf" and "integrity" appended by default:
We can add a comment that says that says:
"Please ensure "bpf" and "integrity" are present in CONFIG_LSM"
Now, I was not sure if adding a comment would break any scripts that people
have that parse this file, so I avoided it. But overriding the string
completely
might not be a good idea.
>
> > 2.29.2.576.ga3fc446d84-goog
> >
