On Wed, Mar 25, 2020 at 8:27 AM KP Singh [off-list ref] wrote:

From: KP Singh <redacted>

* Load/attach a BPF program that hooks to file_mprotect (int)
  and bprm_committed_creds (void).
* Perform an action that triggers the hook.
* Verify if the audit event was received using the shared global
  variables for the process executed.
* Verify if the mprotect returns a -EPERM.

Signed-off-by: KP Singh <redacted>
Reviewed-by: Brendan Jackman <jackmanb@google.com>
Reviewed-by: Florent Revest <redacted>
Reviewed-by: Thomas Garnier <redacted>
---
 tools/testing/selftests/bpf/config            |  2 +
 .../selftests/bpf/prog_tests/test_lsm.c       | 84 +++++++++++++++++++
 tools/testing/selftests/bpf/progs/lsm.c       | 48 +++++++++++
 3 files changed, 134 insertions(+)
 create mode 100644 tools/testing/selftests/bpf/prog_tests/test_lsm.c
 create mode 100644 tools/testing/selftests/bpf/progs/lsm.c

[...]

+
+int exec_cmd(int *monitored_pid)
+{
+       int child_pid;
+
+       child_pid = fork();
+       if (child_pid == 0) {
+               *monitored_pid = getpid();
+               execvp(CMD_ARGS[0], CMD_ARGS);
+               return -EINVAL;
+       } else if (child_pid > 0)

This test is part of test_progs, so let's be a good citizen and wait
for your specific child. I'd rather not hunt for elusive bugs later,
so please use waitpid() instead.

Otherwise looks good and clean, thanks!

+               return wait(NULL);
+
+       return -EINVAL;
+}
+

[...]