@@ -51,6 +51,7 @@ similar dependencies):
* iptables _(to load the `iptables SECMARK` rules during `inet_socket` tests)_
* lksctp-tools-devel _(to build the SCTP test programs)_
* attr _(tools used by the overlayfs tests)_
+* libbpf-devel _(tools used by the bpf tests)_
On a modern Fedora system you can install these dependencies with the
following command:
@@ -65,7 +66,8 @@ following command:
netlabel_tools \
iptables \
lksctp-tools-devel \
- attr
+ attr \
+ libbpf-devel
The testsuite requires a pre-existing base policy configuration of SELinux,
using either the old example policy or the reference policy as the baseline.
@@ -62,3 +62,8 @@ CONFIG_ANDROID_BINDER_IPC=y
# This will configure the Dynamically Allocated Binder Devices added
# to 5.0+ kernels:
CONFIG_ANDROID_BINDERFS=y
+
+# Test BPF + check in selinux_file_receive and selinux_binder_transfer_files.
+# They are not required for SELinux operation itself.
+CONFIG_BPF=y
+CONFIG_BPF_SYSCALL=y
@@ -71,6 +71,10 @@ ifeq ($(shell grep -q corenet_sctp_bind_all_nodes $(POLDEV)/include/kernel/coren
TARGETS += test_sctp.te
endif
+ifeq ($(shell grep -q bpf $(POLDEV)/include/support/all_perms.spt && echo true),true)
+TARGETS += test_bpf.te
+endif
+
ifeq (x$(DISTRO),$(filter x$(DISTRO),xRHEL4 xRHEL5 xRHEL6))
TARGETS:=$(filter-out test_overlayfs.te test_mqueue.te, $(TARGETS))
endif
new file mode 100644
@@ -0,0 +1,77 @@
+#
+################# BPF selinux-testsuite policy module ######################
+#
+
+attribute bpfdomain;
+
+################################### Main ###################################
+type test_bpf_t;
+domain_type(test_bpf_t)
+unconfined_runs_test(test_bpf_t)
+typeattribute test_bpf_t testdomain;
+typeattribute test_bpf_t bpfdomain;
+
+allow test_bpf_t self:process { setrlimit };
+allow test_bpf_t self:capability { sys_resource };
+allow test_bpf_t self:bpf { map_create map_read map_write prog_load prog_run };
+
+############################## Deny map_create #############################
+type test_bpf_deny_map_create_t;
+domain_type(test_bpf_deny_map_create_t)
+unconfined_runs_test(test_bpf_deny_map_create_t)
+typeattribute test_bpf_deny_map_create_t testdomain;
+typeattribute test_bpf_deny_map_create_t bpfdomain;
+
+allow test_bpf_deny_map_create_t self:process { setrlimit };
+allow test_bpf_deny_map_create_t self:capability { sys_resource };
+allow test_bpf_deny_map_create_t self:bpf { map_read map_write prog_load prog_run };
+
+############################## Deny map_read ##############################
+type test_bpf_deny_map_read_t;
+domain_type(test_bpf_deny_map_read_t)
+unconfined_runs_test(test_bpf_deny_map_read_t)
+typeattribute test_bpf_deny_map_read_t testdomain;
+typeattribute test_bpf_deny_map_read_t bpfdomain;
+
+allow test_bpf_deny_map_read_t self:process { setrlimit };
+allow test_bpf_deny_map_read_t self:capability { sys_resource };
+allow test_bpf_deny_map_read_t self:bpf { map_create map_write prog_load prog_run };
+
+############################## Deny map_write ##############################
+type test_bpf_deny_map_write_t;
+domain_type(test_bpf_deny_map_write_t)
+unconfined_runs_test(test_bpf_deny_map_write_t)
+typeattribute test_bpf_deny_map_write_t testdomain;
+typeattribute test_bpf_deny_map_write_t bpfdomain;
+
+allow test_bpf_deny_map_write_t self:process { setrlimit };
+allow test_bpf_deny_map_write_t self:capability { sys_resource };
+allow test_bpf_deny_map_write_t self:bpf { map_create map_read prog_load prog_run };
+
+############################## Deny prog_load ##############################
+type test_bpf_deny_prog_load_t;
+domain_type(test_bpf_deny_prog_load_t)
+unconfined_runs_test(test_bpf_deny_prog_load_t)
+typeattribute test_bpf_deny_prog_load_t testdomain;
+typeattribute test_bpf_deny_prog_load_t bpfdomain;
+
+allow test_bpf_deny_prog_load_t self:process { setrlimit };
+allow test_bpf_deny_prog_load_t self:capability { sys_resource };
+allow test_bpf_deny_prog_load_t self:bpf { map_create map_read map_write prog_run };
+
+############################## Deny prog_run ###############################
+type test_bpf_deny_prog_run_t;
+domain_type(test_bpf_deny_prog_run_t)
+unconfined_runs_test(test_bpf_deny_prog_run_t)
+typeattribute test_bpf_deny_prog_run_t testdomain;
+typeattribute test_bpf_deny_prog_run_t bpfdomain;
+
+allow test_bpf_deny_prog_run_t self:process { setrlimit };
+allow test_bpf_deny_prog_run_t self:capability { sys_resource };
+allow test_bpf_deny_prog_run_t self:bpf { map_create map_read map_write prog_load };
+
+#
+############ Allow these domains to be entered from sysadm domain ############
+#
+miscfiles_domain_entry_test_files(bpfdomain)
+userdom_sysadm_entry_spec_domtrans_to(bpfdomain)
@@ -41,6 +41,13 @@ ifeq ($(shell grep -q binder $(POLDEV)/include/support/all_perms.spt && test -e
SUBDIRS += binder
endif
+ifeq ($(shell grep -q bpf $(POLDEV)/include/support/all_perms.spt && echo true),true)
+ifneq ($(shell ./kvercmp $$(uname -r) 4.15),-1)
+SUBDIRS += bpf
+export CFLAGS += -DHAVE_BPF
+endif
+endif
+
ifeq ($(shell grep "^SELINUX_INFINIBAND_ENDPORT_TEST=" infiniband_endport/ibendport_test.conf | cut -d'=' -f 2),1)
SUBDIRS += infiniband_endport
endif
new file mode 100644
@@ -0,0 +1,2 @@
+bpf_test
+bpf_common
new file mode 100644
@@ -0,0 +1,10 @@
+TARGETS = bpf_test
+DEPS = bpf_common.c bpf_common.h
+LDLIBS += -lselinux -lbpf
+
+all: $(TARGETS)
+
+clean:
+ rm -f $(TARGETS)
+
+$(TARGETS): $(DEPS)
new file mode 100644
@@ -0,0 +1,69 @@
+#include "bpf_common.h"
+
+int create_bpf_map(void)
+{
+ int map_fd, key;
+ long long value = 0;
+
+ map_fd = bpf_create_map(BPF_MAP_TYPE_ARRAY, sizeof(key),
+ sizeof(value), 256, 0);
+ if (map_fd < 0) {
+ fprintf(stderr, "Failed to create BPF map: %s\n",
+ strerror(errno));
+ return -1;
+ }
+
+ return map_fd;
+}
+
+int create_bpf_prog(void)
+{
+ int prog_fd;
+ size_t insns_cnt;
+
+ struct bpf_insn prog[] = {
+ BPF_MOV64_IMM(BPF_REG_0, 1),
+ BPF_EXIT_INSN(),
+ };
+ insns_cnt = sizeof(prog) / sizeof(struct bpf_insn);
+
+ prog_fd = bpf_load_program(BPF_PROG_TYPE_SOCKET_FILTER, prog,
+ insns_cnt, "GPL", 0, NULL, 0);
+
+ if (prog_fd < 0) {
+ fprintf(stderr, "Failed to load BPF prog: %s\n",
+ strerror(errno));
+ return -1;
+ }
+
+ return prog_fd;
+}
+
+/*
+ * The default RLIMIT_MEMLOCK is normally 64K, however BPF map/prog requires
+ * more than this so double it unless RLIM_INFINITY is set.
+ */
+void bpf_setrlimit(void)
+{
+ int result;
+ struct rlimit r;
+
+ result = getrlimit(RLIMIT_MEMLOCK, &r);
+ if (result < 0) {
+ fprintf(stderr, "Failed to get resource limit: %s\n",
+ strerror(errno));
+ exit(-1);
+ }
+
+ if (r.rlim_cur != RLIM_INFINITY && r.rlim_cur <= (64 * 1024)) {
+ r.rlim_cur *= 2;
+ r.rlim_max *= 2;
+ }
+
+ result = setrlimit(RLIMIT_MEMLOCK, &r);
+ if (result < 0) {
+ fprintf(stderr, "Failed to set resource limit: %ld Err: %s\n",
+ r.rlim_cur, strerror(errno));
+ exit(-1);
+ }
+}
new file mode 100644
@@ -0,0 +1,34 @@
+#include <stdio.h>
+#include <unistd.h>
+#include <string.h>
+#include <stdlib.h>
+#include <errno.h>
+#include <stdbool.h>
+#include <selinux/selinux.h>
+#include <bpf/bpf.h>
+#include <linux/bpf.h>
+#include <sys/resource.h>
+
+extern int create_bpf_map(void);
+extern int create_bpf_prog(void);
+extern void bpf_setrlimit(void);
+
+/* edited eBPF instruction library */
+/* Short form of mov, dst_reg = imm32 */
+#define BPF_MOV64_IMM(DST, IMM) \
+ ((struct bpf_insn) { \
+ .code = BPF_ALU64 | BPF_MOV | BPF_K, \
+ .dst_reg = DST, \
+ .src_reg = 0, \
+ .off = 0, \
+ .imm = IMM })
+
+/* Program exit */
+#define BPF_EXIT_INSN() \
+ ((struct bpf_insn) { \
+ .code = BPF_JMP | BPF_EXIT, \
+ .dst_reg = 0, \
+ .src_reg = 0, \
+ .off = 0, \
+ .imm = 0 })
+
new file mode 100644
@@ -0,0 +1,77 @@
+#include "bpf_common.h"
+
+static void usage(char *progname)
+{
+ fprintf(stderr,
+ "usage: %s -m|-p [-v]\n"
+ "Where:\n\t"
+ "-m Create BPF map fd\n\t"
+ "-p Create BPF prog fd\n\t"
+ "-v Print information.\n", progname);
+ exit(-1);
+}
+
+int main(int argc, char *argv[])
+{
+ int opt, result, fd;
+ bool verbose = false;
+ char *context;
+
+ enum {
+ MAP_FD = 1,
+ PROG_FD
+ } bpf_fd_type;
+
+ while ((opt = getopt(argc, argv, "mpv")) != -1) {
+ switch (opt) {
+ case 'm':
+ bpf_fd_type = MAP_FD;
+ break;
+ case 'p':
+ bpf_fd_type = PROG_FD;
+ break;
+ case 'v':
+ verbose = true;
+ break;
+ default:
+ usage(argv[0]);
+ }
+ }
+
+ result = getcon(&context);
+ if (result < 0) {
+ fprintf(stderr, "Failed to obtain SELinux context\n");
+ exit(-1);
+ }
+
+ if (verbose)
+ printf("Process context:\n\t%s\n", context);
+
+ free(context);
+
+ /* If BPF enabled, then need to set limits */
+ bpf_setrlimit();
+
+ switch (bpf_fd_type) {
+ case MAP_FD:
+ if (verbose)
+ printf("Creating BPF map\n");
+
+ fd = create_bpf_map();
+ break;
+ case PROG_FD:
+ if (verbose)
+ printf("Creating BPF prog\n");
+
+ fd = create_bpf_prog();
+ break;
+ default:
+ usage(argv[0]);
+ }
+
+ if (fd < 0)
+ return fd;
+
+ close(fd);
+ return 0;
+}
new file mode 100755
@@ -0,0 +1,64 @@
+#!/usr/bin/perl
+use Test::More;
+
+BEGIN {
+ $basedir = $0;
+ $basedir =~ s|(.*)/[^/]*|$1|;
+
+ $test_count = 7;
+
+ # allow info to be shown during tests
+ $v = $ARGV[0];
+ if ($v) {
+ if ( $v ne "-v" ) {
+ plan skip_all => "Invalid option (use -v)";
+ }
+ }
+ else {
+ $v = " ";
+ }
+
+ plan tests => $test_count;
+}
+
+#
+# These tests are run with: kernel.unprivileged_bpf_disabled = FALSE
+#
+
+#
+################ Core BPF Tests #######################
+#
+# BPF map - BPF_MAP_TYPE_ARRAY
+$result = system "runcon -t test_bpf_t $basedir/bpf_test -m $v";
+ok( $result eq 0 );
+
+# BPF prog - BPF_PROG_TYPE_SOCKET_FILTER
+$result = system "runcon -t test_bpf_t $basedir/bpf_test -p $v";
+ok( $result eq 0 );
+
+# Deny map_create permission
+$result =
+ system "runcon -t test_bpf_deny_map_create_t $basedir/bpf_test -m $v 2>&1";
+ok($result);
+
+# Deny map_read permission
+$result =
+ system "runcon -t test_bpf_deny_map_read_t $basedir/bpf_test -m $v 2>&1";
+ok($result);
+
+# Deny map_write permission
+$result =
+ system "runcon -t test_bpf_deny_map_write_t $basedir/bpf_test -m $v 2>&1";
+ok($result);
+
+# Deny prog_load permission
+$result =
+ system "runcon -t test_bpf_deny_prog_load_t $basedir/bpf_test -p $v 2>&1";
+ok($result);
+
+# Deny prog_run permission
+$result =
+ system "runcon -t test_bpf_deny_prog_run_t $basedir/bpf_test -p $v 2>&1";
+ok($result);
+
+exit;
This adds basic BPF tests for map and prog functions. Signed-off-by: Richard Haines <richard_c_haines@btinternet.com> --- README.md | 4 ++- defconfig | 5 +++ policy/Makefile | 4 +++ policy/test_bpf.te | 77 ++++++++++++++++++++++++++++++++++++++++++ tests/Makefile | 7 ++++ tests/bpf/.gitignore | 2 ++ tests/bpf/Makefile | 10 ++++++ tests/bpf/bpf_common.c | 69 +++++++++++++++++++++++++++++++++++++ tests/bpf/bpf_common.h | 34 +++++++++++++++++++ tests/bpf/bpf_test.c | 77 ++++++++++++++++++++++++++++++++++++++++++ tests/bpf/test | 64 +++++++++++++++++++++++++++++++++++ 11 files changed, 352 insertions(+), 1 deletion(-) create mode 100644 policy/test_bpf.te create mode 100644 tests/bpf/.gitignore create mode 100644 tests/bpf/Makefile create mode 100644 tests/bpf/bpf_common.c create mode 100644 tests/bpf/bpf_common.h create mode 100644 tests/bpf/bpf_test.c create mode 100755 tests/bpf/test