On Thu, Mar 18, 2021 at 5:04 PM KP Singh <kpsingh@xxxxxxxxxx> wrote:
>
> Sorry I totally missed this email. Taking a look now.

KP, You top posted in a hurry.

>
> On Wed, Mar 10, 2021 at 10:57 PM Andrii Nakryiko
> <andrii.nakryiko@xxxxxxxxx> wrote:
> >
> > Hey KP,
> >
> > test_ima is passing only the very first time I run it in my VM. Alexei
> > earlier reported similar issues. If you run it second time without
> > restarting the VM, you get the following:
> >
> > 10+0 records in
> > 10+0 records out
> > 10485760 bytes (10 MB, 10 MiB) copied, 0.00425121 s, 2.5 GB/s
> > mke2fs 1.45.0 (6-Mar-2019)
> > Discarding device blocks: done
> > Creating filesystem with 10240 1k blocks and 2560 inodes
> > Filesystem UUID: b9927426-1d29-458f-b2a0-8fe56455d209
> > Superblock backups stored on blocks:
> > 8193
> >
> > Allocating group tables: done
> > Writing inode tables: done
> > Writing superblocks and filesystem accounting information: done
> >
> > ./ima_setup.sh: line 53: /sys/kernel/security/ima/policy: Permission denied
> > test_test_ima:PASS:skel_load 0 nsec
> > test_test_ima:PASS:ringbuf 0 nsec
> > test_test_ima:PASS:attach 0 nsec
> > test_test_ima:PASS:mkdtemp 0 nsec
> > test_test_ima:FAIL:71
> > #128 test_ima:FAIL
> >
> > Do you see it on your side? Do you have any idea what's wrong?

Works for me :)

Well, works on the CI image and config I mean.

I did the following local change to get a bash prompt from vmtest.sh

I will send a patch that adds a flag so that one can get a shell to debug
instead of powering the VM off.

diff --git a/tools/testing/selftests/bpf/vmtest.sh b/tools/testing/selftests/bpf/vmtest.sh index 22554894db99..710c73fe1b77 100755 --- a/tools/testing/selftests/bpf/vmtest.sh +++ b/tools/testing/selftests/bpf/vmtest.sh 
@@ -175,7 +175,8 @@ echo "130" > "/root/${EXIT_STATUS_FILE}" stdbuf -oL -eL ${command} echo "\$?" > "/root/${EXIT_STATUS_FILE}" } 2>&1 | tee "/root/${LOG_FILE}" -poweroff -f +# poweroff -f +bash EOF sudo chmod a+x "${init_script}"

./vmtest.sh -- "./test_progs -t test_ima"

[...]

[root@(none) bpf]# ./test_progs -t test_ima
#128 test_ima:OK
Summary: 1/0 PASSED, 0 SKIPPED, 0 FAILED
[root@(none) bpf]# ./test_progs -t test_ima
[...]
#128 test_ima:OK
Summary: 1/0 PASSED, 0 SKIPPED, 0 FAILED
[root@(none) bpf]# ./test_progs -t test_ima
[...]
#128 test_ima:OK

Here's the kernel config that the BPF CI uses:

cat ~/.bpf_selftests/latest.config | grep IMA | grep -v "^#"
CONFIG_FB_CFB_IMAGEBLIT=y
CONFIG_FRAMEBUFFER_CONSOLE_DETECT_PRIMARY=y
CONFIG_IMA=y
CONFIG_IMA_MEASURE_PCR_IDX=10
CONFIG_IMA_LSM_RULES=y
CONFIG_IMA_NG_TEMPLATE=y
CONFIG_IMA_DEFAULT_TEMPLATE="ima-ng"
CONFIG_IMA_DEFAULT_HASH_SHA1=y
CONFIG_IMA_DEFAULT_HASH="sha1"
CONFIG_IMA_WRITE_POLICY=y
CONFIG_IMA_READ_POLICY=y
CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS=y
CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS=y

The important bit is having CONFIG_IMA_WRITE_POLICY and
CONFIG_IMA_READ_POLICY which allows reading and overriding the IMA policy.

> >
> > Also, see that super-descriptive `test_test_ima:FAIL:71` line? That's
> > the reason I'm always bitching about CHECK_FAIL() use. At least this

I will send a patch to add more descriptive error messages, in these it will be
something like "error while running command ..."

- KP

> > one is not inside some loop.
> >
> > -- Andrii
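
Review bot: In the init-script heredoc of the vmtest.sh hunk, replacing `poweroff -f` with an unconditional `bash` (and leaving `# poweroff -f` behind as commented-out code) means nothing powers the VM off once the shell exits, so a non-interactive run of vmtest.sh would stop at the prompt. Gate the shell on an opt-in flag, keep `poweroff -f` as the default path, and still run it after the debug shell returns; the exit status is already written to EXIT_STATUS_FILE before this point, so the test result is preserved either way.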
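
A preflight check for the kernel options KP names above, added here as an example; it is not part of the original thread or of the kernel selftests. The function names are hypothetical and both sample configs are constructed.

```shell
#!/bin/sh
# Added example: verify that a kernel config enables the options the thread
# identifies as needed for reading and overriding the IMA policy.

REQUIRED_OPTS="CONFIG_IMA CONFIG_IMA_WRITE_POLICY CONFIG_IMA_READ_POLICY"

# Print each required option that is not set to "y" in the given config,
# one per line. Returns 0 if all are enabled, 1 if any is missing,
# 2 if the config file cannot be read.
missing_ima_opts() {
    config=$1
    [ -r "$config" ] || { echo "cannot read $config" >&2; return 2; }
    rc=0
    for opt in $REQUIRED_OPTS; do
        # -x matches the whole line, so CONFIG_IMA does not match
        # CONFIG_IMA_LSM_RULES and "# CONFIG_X is not set" is not
        # counted as enabled.
        if ! grep -qx "${opt}=y" "$config"; then
            echo "$opt"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: a config with the options the BPF CI config sets.
sample_ci_config() {
    cat <<'EOF'
CONFIG_IMA=y
CONFIG_IMA_LSM_RULES=y
CONFIG_IMA_WRITE_POLICY=y
CONFIG_IMA_READ_POLICY=y
EOF
}

# Constructed sample: a config where policy rewriting is disabled.
sample_restricted_config() {
    cat <<'EOF'
CONFIG_IMA=y
CONFIG_IMA_LSM_RULES=y
# CONFIG_IMA_WRITE_POLICY is not set
CONFIG_IMA_READ_POLICY=y
EOF
}

# Usage against the file KP greps:
#   missing_ima_opts ~/.bpf_selftests/latest.config
```

Running it before ima_setup.sh turns a bare "Permission denied" on /sys/kernel/security/ima/policy into a named missing option.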