| Message ID | 20240806230904.71194-4-song@kernel.org (mailing list archive) |
|---|---|
| State | New |
| Headers | show |
| Series | Add bpf_get_dentry_xattr | expand |
On Tue, Aug 06, 2024 at 04:09:04PM -0700, Song Liu wrote: > Add test for bpf_get_dentry_xattr on hook security_inode_getxattr. > Verify that the kfunc can read the xattr. Also test failing getxattr > from user space by returning non-zero from the LSM bpf program. > > Acked-by: Christian Brauner <brauner@kernel.org> > Signed-off-by: Song Liu <song@kernel.org> > --- > tools/testing/selftests/bpf/bpf_kfuncs.h | 9 +++++ > .../selftests/bpf/prog_tests/fs_kfuncs.c | 9 ++++- > .../selftests/bpf/progs/test_get_xattr.c | 37 ++++++++++++++++--- > 3 files changed, 49 insertions(+), 6 deletions(-) > > diff --git a/tools/testing/selftests/bpf/bpf_kfuncs.h b/tools/testing/selftests/bpf/bpf_kfuncs.h > index 3b6675ab4086..efed458a3c0a 100644 > --- a/tools/testing/selftests/bpf/bpf_kfuncs.h > +++ b/tools/testing/selftests/bpf/bpf_kfuncs.h > @@ -78,4 +78,13 @@ extern int bpf_verify_pkcs7_signature(struct bpf_dynptr *data_ptr, > > extern bool bpf_session_is_return(void) __ksym __weak; > extern __u64 *bpf_session_cookie(void) __ksym __weak; > + > +struct dentry; > +/* Description > + * Returns xattr of a dentry > + * Returns__bpf_kfunc nit, extra '__bpf_kfunc' suffix? jirka > + * Error code > + */ > +extern int bpf_get_dentry_xattr(struct dentry *dentry, const char *name, > + struct bpf_dynptr *value_ptr) __ksym __weak; > #endif > diff --git a/tools/testing/selftests/bpf/prog_tests/fs_kfuncs.c b/tools/testing/selftests/bpf/prog_tests/fs_kfuncs.c > index 37056ba73847..5a0b51157451 100644 > --- a/tools/testing/selftests/bpf/prog_tests/fs_kfuncs.c > +++ b/tools/testing/selftests/bpf/prog_tests/fs_kfuncs.c > @@ -16,6 +16,7 @@ static void test_xattr(void) > { > struct test_get_xattr *skel = NULL; > int fd = -1, err; > + int v[32]; > > fd = open(testfile, O_CREAT | O_RDONLY, 0644); > if (!ASSERT_GE(fd, 0, "create_file")) > @@ -50,7 +51,13 @@ static void test_xattr(void) > if (!ASSERT_GE(fd, 0, "open_file")) > goto out; > > - ASSERT_EQ(skel->bss->found_xattr, 1, "found_xattr"); > + ASSERT_EQ(skel->bss->found_xattr_from_file, 1, "found_xattr_from_file"); > + > + /* Trigger security_inode_getxattr */ > + err = getxattr(testfile, "user.kfuncs", v, sizeof(v)); > + ASSERT_EQ(err, -1, "getxattr_return"); > + ASSERT_EQ(errno, EINVAL, "getxattr_errno"); > + ASSERT_EQ(skel->bss->found_xattr_from_dentry, 1, "found_xattr_from_dentry"); > > out: > close(fd); > diff --git a/tools/testing/selftests/bpf/progs/test_get_xattr.c b/tools/testing/selftests/bpf/progs/test_get_xattr.c > index 7eb2a4e5a3e5..66e737720f7c 100644 > --- a/tools/testing/selftests/bpf/progs/test_get_xattr.c > +++ b/tools/testing/selftests/bpf/progs/test_get_xattr.c > @@ -2,6 +2,7 @@ > /* Copyright (c) 2023 Meta Platforms, Inc. and affiliates. */ > > #include "vmlinux.h" > +#include <errno.h> > #include <bpf/bpf_helpers.h> > #include <bpf/bpf_tracing.h> > #include "bpf_kfuncs.h" > @@ -9,10 +10,12 @@ > char _license[] SEC("license") = "GPL"; > > __u32 monitored_pid; > -__u32 found_xattr; > +__u32 found_xattr_from_file; > +__u32 found_xattr_from_dentry; > > static const char expected_value[] = "hello"; > -char value[32]; > +char value1[32]; > +char value2[32]; > > SEC("lsm.s/file_open") > int BPF_PROG(test_file_open, struct file *f) > @@ -25,13 +28,37 @@ int BPF_PROG(test_file_open, struct file *f) > if (pid != monitored_pid) > return 0; > > - bpf_dynptr_from_mem(value, sizeof(value), 0, &value_ptr); > + bpf_dynptr_from_mem(value1, sizeof(value1), 0, &value_ptr); > > ret = bpf_get_file_xattr(f, "user.kfuncs", &value_ptr); > if (ret != sizeof(expected_value)) > return 0; > - if (bpf_strncmp(value, ret, expected_value)) > + if (bpf_strncmp(value1, ret, expected_value)) > return 0; > - found_xattr = 1; > + found_xattr_from_file = 1; > return 0; > } > + > +SEC("lsm.s/inode_getxattr") > +int BPF_PROG(test_inode_getxattr, struct dentry *dentry, char *name) > +{ > + struct bpf_dynptr value_ptr; > + __u32 pid; > + int ret; > + > + pid = bpf_get_current_pid_tgid() >> 32; > + if (pid != monitored_pid) > + return 0; > + > + bpf_dynptr_from_mem(value2, sizeof(value2), 0, &value_ptr); > + > + ret = bpf_get_dentry_xattr(dentry, "user.kfuncs", &value_ptr); > + if (ret != sizeof(expected_value)) > + return 0; > + if (bpf_strncmp(value2, ret, expected_value)) > + return 0; > + found_xattr_from_dentry = 1; > + > + /* return non-zero to fail getxattr from user space */ > + return -EINVAL; > +} > -- > 2.43.5 > >
On Wed, Aug 7, 2024 at 2:33 AM Jiri Olsa <olsajiri@gmail.com> wrote: > > On Tue, Aug 06, 2024 at 04:09:04PM -0700, Song Liu wrote: > > Add test for bpf_get_dentry_xattr on hook security_inode_getxattr. > > Verify that the kfunc can read the xattr. Also test failing getxattr > > from user space by returning non-zero from the LSM bpf program. > > > > Acked-by: Christian Brauner <brauner@kernel.org> > > Signed-off-by: Song Liu <song@kernel.org> > > --- > > tools/testing/selftests/bpf/bpf_kfuncs.h | 9 +++++ > > .../selftests/bpf/prog_tests/fs_kfuncs.c | 9 ++++- > > .../selftests/bpf/progs/test_get_xattr.c | 37 ++++++++++++++++--- > > 3 files changed, 49 insertions(+), 6 deletions(-) > > > > diff --git a/tools/testing/selftests/bpf/bpf_kfuncs.h b/tools/testing/selftests/bpf/bpf_kfuncs.h > > index 3b6675ab4086..efed458a3c0a 100644 > > --- a/tools/testing/selftests/bpf/bpf_kfuncs.h > > +++ b/tools/testing/selftests/bpf/bpf_kfuncs.h > > @@ -78,4 +78,13 @@ extern int bpf_verify_pkcs7_signature(struct bpf_dynptr *data_ptr, > > > > extern bool bpf_session_is_return(void) __ksym __weak; > > extern __u64 *bpf_session_cookie(void) __ksym __weak; > > + > > +struct dentry; > > +/* Description > > + * Returns xattr of a dentry > > + * Returns__bpf_kfunc > > nit, extra '__bpf_kfunc' suffix? Good catch.. I somehow got it from bpf_sock_addr_set_sun_path. Please let me if we need to respin for this change. Thanks, Song > jirka [...]
On Wed, Aug 7, 2024 at 7:40 AM Song Liu <song@kernel.org> wrote: > > > +struct dentry; > > > +/* Description > > > + * Returns xattr of a dentry > > > + * Returns__bpf_kfunc > > > > nit, extra '__bpf_kfunc' suffix? > > Good catch.. I somehow got it from bpf_sock_addr_set_sun_path. Fixed up both while applying.
diff --git a/tools/testing/selftests/bpf/bpf_kfuncs.h b/tools/testing/selftests/bpf/bpf_kfuncs.h index 3b6675ab4086..efed458a3c0a 100644 --- a/tools/testing/selftests/bpf/bpf_kfuncs.h +++ b/tools/testing/selftests/bpf/bpf_kfuncs.h @@ -78,4 +78,13 @@ extern int bpf_verify_pkcs7_signature(struct bpf_dynptr *data_ptr, extern bool bpf_session_is_return(void) __ksym __weak; extern __u64 *bpf_session_cookie(void) __ksym __weak; + +struct dentry; +/* Description + * Returns xattr of a dentry + * Returns__bpf_kfunc + * Error code + */ +extern int bpf_get_dentry_xattr(struct dentry *dentry, const char *name, + struct bpf_dynptr *value_ptr) __ksym __weak; #endif diff --git a/tools/testing/selftests/bpf/prog_tests/fs_kfuncs.c b/tools/testing/selftests/bpf/prog_tests/fs_kfuncs.c index 37056ba73847..5a0b51157451 100644 --- a/tools/testing/selftests/bpf/prog_tests/fs_kfuncs.c +++ b/tools/testing/selftests/bpf/prog_tests/fs_kfuncs.c @@ -16,6 +16,7 @@ static void test_xattr(void) { struct test_get_xattr *skel = NULL; int fd = -1, err; + int v[32]; fd = open(testfile, O_CREAT | O_RDONLY, 0644); if (!ASSERT_GE(fd, 0, "create_file")) @@ -50,7 +51,13 @@ static void test_xattr(void) if (!ASSERT_GE(fd, 0, "open_file")) goto out; - ASSERT_EQ(skel->bss->found_xattr, 1, "found_xattr"); + ASSERT_EQ(skel->bss->found_xattr_from_file, 1, "found_xattr_from_file"); + + /* Trigger security_inode_getxattr */ + err = getxattr(testfile, "user.kfuncs", v, sizeof(v)); + ASSERT_EQ(err, -1, "getxattr_return"); + ASSERT_EQ(errno, EINVAL, "getxattr_errno"); + ASSERT_EQ(skel->bss->found_xattr_from_dentry, 1, "found_xattr_from_dentry"); out: close(fd); diff --git a/tools/testing/selftests/bpf/progs/test_get_xattr.c b/tools/testing/selftests/bpf/progs/test_get_xattr.c index 7eb2a4e5a3e5..66e737720f7c 100644 --- a/tools/testing/selftests/bpf/progs/test_get_xattr.c +++ b/tools/testing/selftests/bpf/progs/test_get_xattr.c @@ -2,6 +2,7 @@ /* Copyright (c) 2023 Meta Platforms, Inc. and affiliates. */ #include "vmlinux.h" +#include <errno.h> #include <bpf/bpf_helpers.h> #include <bpf/bpf_tracing.h> #include "bpf_kfuncs.h" @@ -9,10 +10,12 @@ char _license[] SEC("license") = "GPL"; __u32 monitored_pid; -__u32 found_xattr; +__u32 found_xattr_from_file; +__u32 found_xattr_from_dentry; static const char expected_value[] = "hello"; -char value[32]; +char value1[32]; +char value2[32]; SEC("lsm.s/file_open") int BPF_PROG(test_file_open, struct file *f) @@ -25,13 +28,37 @@ int BPF_PROG(test_file_open, struct file *f) if (pid != monitored_pid) return 0; - bpf_dynptr_from_mem(value, sizeof(value), 0, &value_ptr); + bpf_dynptr_from_mem(value1, sizeof(value1), 0, &value_ptr); ret = bpf_get_file_xattr(f, "user.kfuncs", &value_ptr); if (ret != sizeof(expected_value)) return 0; - if (bpf_strncmp(value, ret, expected_value)) + if (bpf_strncmp(value1, ret, expected_value)) return 0; - found_xattr = 1; + found_xattr_from_file = 1; return 0; } + +SEC("lsm.s/inode_getxattr") +int BPF_PROG(test_inode_getxattr, struct dentry *dentry, char *name) +{ + struct bpf_dynptr value_ptr; + __u32 pid; + int ret; + + pid = bpf_get_current_pid_tgid() >> 32; + if (pid != monitored_pid) + return 0; + + bpf_dynptr_from_mem(value2, sizeof(value2), 0, &value_ptr); + + ret = bpf_get_dentry_xattr(dentry, "user.kfuncs", &value_ptr); + if (ret != sizeof(expected_value)) + return 0; + if (bpf_strncmp(value2, ret, expected_value)) + return 0; + found_xattr_from_dentry = 1; + + /* return non-zero to fail getxattr from user space */ + return -EINVAL; +}