--- /dev/null
+// SPDX-License-Identifier: GPL-2.0
+/* Copyright (c) 2026 Christian Brauner <brauner@kernel.org> */
+
+/*
+ * Test BPF LSM block device integrity hooks with dm-verity.
+ *
+ * Creates a dm-verity device over loopback, which triggers
+ * security_bdev_setintegrity() during verity_preresume().
+ * Verifies that the BPF program correctly tracks the integrity
+ * metadata in its hashmap.
+ */
+
+#define _GNU_SOURCE
+#include <test_progs.h>
+#include <fcntl.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <unistd.h>
+#include "lsm_bdev.skel.h"
+
+/* Must match the definition in progs/lsm_bdev.c. */
+struct verity_info {
+ __u8 has_roothash;
+ __u8 sig_valid;
+ __u32 setintegrity_cnt;
+};
+
+#define DATA_SIZE_MB 8
+#define HASH_SIZE_MB 1
+#define DM_NAME "bpf_test_verity"
+#define DM_DEV_PATH "/dev/mapper/" DM_NAME
+
+/* Run a command and optionally capture the first line of stdout. */
+static int run_cmd(const char *cmd, char *out, size_t out_sz)
+{
+ FILE *fp;
+ int ret;
+
+ fp = popen(cmd, "r");
+ if (!fp)
+ return -1;
+
+ if (out && out_sz > 0) {
+ if (!fgets(out, out_sz, fp))
+ out[0] = '\0';
+ /* strip trailing newline */
+ out[strcspn(out, "\n")] = '\0';
+ }
+
+ ret = pclose(fp);
+ return WIFEXITED(ret) ? WEXITSTATUS(ret) : -1;
+}
+
+static bool has_prerequisites(void)
+{
+ if (getuid() != 0) {
+ printf("SKIP: must be root\n");
+ return false;
+ }
+
+ if (run_cmd("modprobe loop 2>/dev/null", NULL, 0) &&
+ run_cmd("ls /dev/loop-control 2>/dev/null", NULL, 0)) {
+ printf("SKIP: no loop device support\n");
+ return false;
+ }
+
+ if (run_cmd("modprobe dm-verity 2>/dev/null", NULL, 0) &&
+ run_cmd("dmsetup targets 2>/dev/null | grep -q verity", NULL, 0)) {
+ printf("SKIP: dm-verity module not available\n");
+ return false;
+ }
+
+ if (run_cmd("which veritysetup >/dev/null 2>&1", NULL, 0)) {
+ printf("SKIP: veritysetup not found\n");
+ return false;
+ }
+
+ return true;
+}
+
+void test_lsm_bdev(void)
+{
+ char data_img[] = "/tmp/bpf_verity_data_XXXXXX";
+ char hash_img[] = "/tmp/bpf_verity_hash_XXXXXX";
+ char data_loop[64] = {};
+ char hash_loop[64] = {};
+ char roothash[256] = {};
+ char cmd[512];
+ int data_fd = -1, hash_fd = -1;
+ struct lsm_bdev *skel = NULL;
+ struct verity_info val;
+ struct stat st;
+ __u32 dev_key;
+ int err;
+
+ if (!has_prerequisites()) {
+ test__skip();
+ return;
+ }
+
+ /* Clean up any stale device from a previous crashed run. */
+ snprintf(cmd, sizeof(cmd), "dmsetup remove %s 2>/dev/null", DM_NAME);
+ run_cmd(cmd, NULL, 0);
+
+ /* Create temporary image files. */
+ data_fd = mkstemp(data_img);
+ if (!ASSERT_OK_FD(data_fd, "mkstemp data"))
+ return;
+
+ hash_fd = mkstemp(hash_img);
+ if (!ASSERT_OK_FD(hash_fd, "mkstemp hash"))
+ goto cleanup;
+
+ if (!ASSERT_OK(ftruncate(data_fd, DATA_SIZE_MB * 1024 * 1024),
+ "truncate data"))
+ goto cleanup;
+
+ if (!ASSERT_OK(ftruncate(hash_fd, HASH_SIZE_MB * 1024 * 1024),
+ "truncate hash"))
+ goto cleanup;
+
+ close(data_fd);
+ data_fd = -1;
+ close(hash_fd);
+ hash_fd = -1;
+
+ /* Set up loop devices. */
+ snprintf(cmd, sizeof(cmd),
+ "losetup --find --show %s 2>/dev/null", data_img);
+ if (!ASSERT_OK(run_cmd(cmd, data_loop, sizeof(data_loop)),
+ "losetup data"))
+ goto teardown;
+
+ snprintf(cmd, sizeof(cmd),
+ "losetup --find --show %s 2>/dev/null", hash_img);
+ if (!ASSERT_OK(run_cmd(cmd, hash_loop, sizeof(hash_loop)),
+ "losetup hash"))
+ goto teardown;
+
+ /* Format the dm-verity device and capture the root hash. */
+ snprintf(cmd, sizeof(cmd),
+ "veritysetup format %s %s 2>/dev/null | "
+ "grep -i 'root hash' | awk '{print $NF}'",
+ data_loop, hash_loop);
+ if (!ASSERT_OK(run_cmd(cmd, roothash, sizeof(roothash)),
+ "veritysetup format"))
+ goto teardown;
+
+ if (!ASSERT_GT((int)strlen(roothash), 0, "roothash not empty"))
+ goto teardown;
+
+ /* Load and attach BPF program before activating dm-verity. */
+ skel = lsm_bdev__open_and_load();
+ if (!ASSERT_OK_PTR(skel, "skel open_and_load"))
+ goto teardown;
+
+ err = lsm_bdev__attach(skel);
+ if (!ASSERT_OK(err, "skel attach"))
+ goto teardown;
+
+ /* Activate dm-verity — triggers verity_preresume() hooks. */
+ snprintf(cmd, sizeof(cmd),
+ "veritysetup open %s %s %s %s 2>/dev/null",
+ data_loop, DM_NAME, hash_loop, roothash);
+ if (!ASSERT_OK(run_cmd(cmd, NULL, 0), "veritysetup open"))
+ goto teardown;
+
+ /* Get the dm device's dev_t. */
+ if (!ASSERT_OK(stat(DM_DEV_PATH, &st), "stat dm dev"))
+ goto remove_dm;
+
+ dev_key = (__u32)st.st_rdev;
+
+ /* Look up the device in the BPF map and verify. */
+ err = bpf_map__lookup_elem(skel->maps.verity_devices,
+ &dev_key, sizeof(dev_key),
+ &val, sizeof(val), 0);
+ if (!ASSERT_OK(err, "map lookup"))
+ goto remove_dm;
+
+ ASSERT_EQ(val.has_roothash, 1, "has_roothash");
+ ASSERT_EQ(val.sig_valid, 0, "sig_valid (unsigned)");
+ /*
+ * verity_preresume() always calls security_bdev_setintegrity()
+ * for the roothash. The signature-validity call only happens
+ * when CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG is enabled.
+ */
+ ASSERT_GE(val.setintegrity_cnt, 1, "setintegrity_cnt min");
+ ASSERT_LE(val.setintegrity_cnt, 2, "setintegrity_cnt max");
+
+ /* Verify that the alloc hook fired at least once. */
+ ASSERT_GT(skel->bss->alloc_count, 0, "alloc_count");
+
+remove_dm:
+ snprintf(cmd, sizeof(cmd), "dmsetup remove %s 2>/dev/null", DM_NAME);
+ run_cmd(cmd, NULL, 0);
+
+teardown:
+ if (data_loop[0]) {
+ snprintf(cmd, sizeof(cmd), "losetup -d %s 2>/dev/null",
+ data_loop);
+ run_cmd(cmd, NULL, 0);
+ }
+ if (hash_loop[0]) {
+ snprintf(cmd, sizeof(cmd), "losetup -d %s 2>/dev/null",
+ hash_loop);
+ run_cmd(cmd, NULL, 0);
+ }
+
+cleanup:
+ lsm_bdev__destroy(skel);
+ if (data_fd >= 0)
+ close(data_fd);
+ if (hash_fd >= 0)
+ close(hash_fd);
+ unlink(data_img);
+ unlink(hash_img);
+}
--- /dev/null
+// SPDX-License-Identifier: GPL-2.0
+/* Copyright (c) 2026 Christian Brauner <brauner@kernel.org> */
+
+/*
+ * BPF LSM block device integrity tracker for dm-verity.
+ *
+ * Tracks block devices in a hashmap keyed by bd_dev. When dm-verity
+ * calls security_bdev_setintegrity() during verity_preresume(), the
+ * setintegrity hook records the roothash and signature-validity data.
+ * The free hook cleans up when the device goes away. The alloc hook
+ * counts allocations for test validation.
+ *
+ * The sleepable hooks exercise bpf_copy_from_user() to verify that
+ * the sleepable classification actually permits sleepable helpers.
+ */
+
+#include "vmlinux.h"
+#include <bpf/bpf_helpers.h>
+#include <bpf/bpf_tracing.h>
+
+struct verity_info {
+ __u8 has_roothash; /* LSM_INT_DMVERITY_ROOTHASH seen */
+ __u8 sig_valid; /* LSM_INT_DMVERITY_SIG_VALID value (non-NULL = valid) */
+ __u32 setintegrity_cnt; /* total setintegrity calls for this dev */
+};
+
+struct {
+ __uint(type, BPF_MAP_TYPE_HASH);
+ __uint(max_entries, 64);
+ __type(key, __u32); /* dev_t from bdev->bd_dev */
+ __type(value, struct verity_info);
+} verity_devices SEC(".maps");
+
+/* Global counters exposed to userspace via skeleton bss. */
+int alloc_count;
+
+char _license[] SEC("license") = "GPL";
+
+SEC("lsm.s/bdev_setintegrity")
+int BPF_PROG(bdev_setintegrity, struct block_device *bdev,
+ enum lsm_integrity_type type, const void *value, size_t size)
+{
+ struct verity_info zero = {};
+ struct verity_info *info;
+ __u32 dev;
+ char buf;
+
+ /*
+ * Exercise a sleepable helper to confirm the verifier
+ * allows it in this sleepable hook.
+ */
+ (void)bpf_copy_from_user(&buf, sizeof(buf), NULL);
+
+ dev = bdev->bd_dev;
+
+ info = bpf_map_lookup_elem(&verity_devices, &dev);
+ if (!info) {
+ bpf_map_update_elem(&verity_devices, &dev, &zero, BPF_NOEXIST);
+ info = bpf_map_lookup_elem(&verity_devices, &dev);
+ if (!info)
+ return 0;
+ }
+
+ if (type == LSM_INT_DMVERITY_ROOTHASH)
+ info->has_roothash = 1;
+ else if (type == LSM_INT_DMVERITY_SIG_VALID)
+ info->sig_valid = (value != NULL);
+
+ __sync_fetch_and_add(&info->setintegrity_cnt, 1);
+
+ return 0;
+}
+
+SEC("lsm/bdev_free_security")
+void BPF_PROG(bdev_free_security, struct block_device *bdev)
+{
+ __u32 dev = bdev->bd_dev;
+
+ bpf_map_delete_elem(&verity_devices, &dev);
+}
+
+SEC("lsm.s/bdev_alloc_security")
+int BPF_PROG(bdev_alloc_security, struct block_device *bdev)
+{
+ char buf;
+
+ /*
+ * Exercise a sleepable helper to confirm the verifier
+ * allows it in this sleepable hook.
+ */
+ (void)bpf_copy_from_user(&buf, sizeof(buf), NULL);
+
+ __sync_fetch_and_add(&alloc_count, 1);
+
+ return 0;
+}
projects / thirdparty / kernel / linux.git / commitdiff
