tetragon: Add TestLSMIMAHash
Add a test for the ImaHash Post action.

Signed-off-by: Andrei Fedotov <[email protected]>
anfedotoff committed Sep 2, 2024
1 parent a45ee28 commit 600decb
Showing 1 changed file with 71 additions and 0 deletions.
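--- a/pkg/sensors/tracing/lsm_test.go
+++ b/pkg/sensors/tracing/lsm_test.go
@@ -5,6 +5,8 @@ package tracing
 
 import (
 "context"
+"crypto/sha256"
+"encoding/hex"
 "os"
 "os/exec"
 "strconv"
@@ -240,3 +242,72 @@ spec:
 err = jsonchecker.JsonTestCheck(t, ec.NewUnorderedEventChecker(lsmChecker))
 assert.NoError(t, err)
 }
+
+func TestLSMIMAHash(t *testing.T) {
+if !bpf.HasLSMPrograms() || !kernels.EnableLargeProgs() || !kernels.EnableIMA() || !kernels.MinKernelVersion("5.11") {
+t.Skip()
+}
+var doneWG, readyWG sync.WaitGroup
+defer doneWG.Wait()
+
+ctx, cancel := context.WithTimeout(context.Background(), tus.Conf().CmdWaitTime)
+defer cancel()
+
+testBin := testutils.RepoRootPath("contrib/tester-progs/nop")
+pidStr := strconv.Itoa(int(observertesthelper.GetMyPid()))
+
+configHook := `
+apiVersion: cilium.io/v1alpha1
+kind: TracingPolicy
+metadata:
+name: "lsm"
+spec:
+lsmhooks:
+- hook: "bprm_check_security"
+args:
+- index: 0
+type: "linux_binprm"
+selectors:
+- matchPIDs:
+- operator: In
+followForks: true
+isNamespacePID: false
+values:
+- ` + pidStr + `
+matchActions:
+- action: Post
+imaHash: true
+`
+
+configHookRaw := []byte(configHook)
+err := os.WriteFile(testConfigFile, configHookRaw, 0644)
+if err != nil {
+t.Fatalf("writeFile(%s): err %s", testConfigFile, err)
+}
+hasher := sha256.New()
+s, err := os.ReadFile(testBin)
+if err != nil {
+t.Fatalf("ReadFile(%s): err %s", testBin, err)
+}
+hasher.Write(s)
+lsmChecker := ec.NewProcessLsmChecker("lsm-ima-checker").
+WithFunctionName(sm.Suffix("bprm_check_security")).
+WithProcess(ec.NewProcessChecker().
+WithBinary(sm.Suffix(tus.Conf().SelfBinary))).
+WithImaHash(sm.Full("sha256:" + hex.EncodeToString(hasher.Sum(nil))))
+obs, err := observertesthelper.GetDefaultObserverWithFile(t, ctx, testConfigFile, tus.Conf().TetragonLib, observertesthelper.WithMyPid())
+if err != nil {
+t.Fatalf("GetDefaultObserverWithFile error: %s", err)
+}
+observertesthelper.LoopEvents(ctx, t, &doneWG, &readyWG, obs)
+readyWG.Wait()
+
+testCmd := exec.Command(testBin)
+
+if err := testCmd.Run(); err != nil {
+t.Fatalf("failed to run %s: %s", testCmd, err)
+}
+
+err = jsonchecker.JsonTestCheck(t, ec.NewUnorderedEventChecker(lsmChecker))
+assert.NoError(t, err)
+}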
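Review bot: The expected value at `WithImaHash(sm.Full("sha256:" + hex.EncodeToString(hasher.Sum(nil))))` hard-codes the hash algorithm, so if IMA on the test host is configured with a different default hash the test fails rather than skips; a comment such as `// assumes IMA reports sha256 for the exec'd file; other ima_hash settings will not match` would make the dependency explicit, or the skip condition could be extended once the kernel's IMA algorithm can be queried. The `hasher := sha256.New()` / `hasher.Write(s)` / `hasher.Sum(nil)` sequence can be collapsed to `sum := sha256.Sum256(s)` and `hex.EncodeToString(sum[:])`, which removes the discarded `Write` return value and the hasher being created before the file read it depends on. The bare `t.Skip()` on the first line of the function gives no reason in verbose output; `t.Skip("requires LSM BPF programs, IMA and kernel >= 5.11")` is more useful when the test is skipped on CI.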
