From patchwork Fri Sep 9 00:49:39 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: YiFei Zhu X-Patchwork-Id: 12970887 X-Patchwork-Delegate: bpf@iogearbox.net Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 5B0B9ECAAD5 for ; Fri, 9 Sep 2022 00:50:16 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229754AbiIIAuL (ORCPT ); Thu, 8 Sep 2022 20:50:11 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51370 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229449AbiIIAuI (ORCPT ); Thu, 8 Sep 2022 20:50:08 -0400 Received: from mail-yb1-xb49.google.com (mail-yb1-xb49.google.com [IPv6:2607:f8b0:4864:20::b49]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 2D2FF6B65C for ; Thu, 8 Sep 2022 17:50:07 -0700 (PDT) Received: by mail-yb1-xb49.google.com with SMTP id f12-20020a25b6cc000000b0069a9e36de26so308699ybm.16 for ; Thu, 08 Sep 2022 17:50:07 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:from:to:cc:subject:date; bh=7JzQvNuV+huKghBCFvtgwncICdsG5n37tZbHNby+uDE=; b=KgoEPAM3+QykS7sDbHjAfmjHK056pCk9bgrq46VkaGJEwuUr+Et2rWiWpQdNOMzLl+ OHLgmz3GXoEu19Mm7KObu4SXUDtfNORDafFUS7IwQLMOBy2CMw5UL5F9qsUVEiKXACZI uP3LatSY3Lho1FrblrQvxkzBvktZEga4ToUY5XQ9bT2ayFL79PiDYBsIL/OYdYv9fLsr AuEkK7IdQiVJqLK+2fHyUvbxPMyszdsHe5X83GlQiENBTMuUHHHIlY3+otjxRDzT04JB 3/ArW3UqgGY8WnDtpr1HyghgsJ5rsdZ1cd/U4pJPRm6nNe8HgwBKFxNBtaPI5xR7Ftt8 knZw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:x-gm-message-state:from:to:cc:subject:date; bh=7JzQvNuV+huKghBCFvtgwncICdsG5n37tZbHNby+uDE=; b=TIIt63p2AGw3+nQxBL5e1eegRtkUlRyaG8xewHfIlmI0ARJ1C4FJakHXdmMaUvH4ds M/lkGgWE8/zW93VsZ5QBajAhCmJfvAO4Hk/0mPQU/QNPu4ZlYg5dpTMf4u4pPikgRGoO HFi0xJjITbY676Z9l0zVctXmK06VsG8qiF6g4MC/wLdQizajX7FUIIC13j6/DrSF3E7U OSxFvgj1gJ5rjNBsaSwVUhi/ew5ip6NowMKo8SacY/umRFO5AezdaBm0DBXwvy2+lHcE YqHR/fEl6rYGeNlduz9uTv70kDBG9mkO61Wts+jzedjpd2DrljqB8bmSWNv2/EMSS7fz FbIQ== X-Gm-Message-State: ACgBeo2N5J+susbPF4WuL2D7cDgOlQV34h1O2r80yofHX6n4EPrFADQD EKjMjlDK1L4OVaabQRuYTHmXteBdqRrh/A== X-Google-Smtp-Source: AA6agR4NaDGITRlVUJv8kUwJ88xUpvK223VI6fF3uWm7HOdggflL5x07gzrOgivwN9S564qsiptFUFnxpbxJpw== X-Received: from zhuyifei-kvm.c.googlers.com ([fda3:e722:ac3:cc00:7f:e700:c0a8:2edc]) (user=zhuyifei job=sendgmr) by 2002:a81:66c5:0:b0:345:3b1c:26 with SMTP id a188-20020a8166c5000000b003453b1c0026mr10761617ywc.156.1662684606434; Thu, 08 Sep 2022 17:50:06 -0700 (PDT) Date: Fri, 9 Sep 2022 00:49:39 +0000 In-Reply-To: Mime-Version: 1.0 References: X-Mailer: git-send-email 2.37.2.789.g6183377224-goog Message-ID: <5764914c252fad4cd134fb6664c6ede95f409412.1662682323.git.zhuyifei@google.com> Subject: [PATCH v4 bpf-next 1/3] bpf: Invoke cgroup/connect{4,6} programs for unprivileged ICMP ping From: YiFei Zhu To: bpf@vger.kernel.org Cc: netdev@vger.kernel.org, Alexei Starovoitov , Daniel Borkmann , Stanislav Fomichev , Martin KaFai Lau , John Fastabend , Jiri Olsa , "David S. Miller" , Hideaki YOSHIFUJI , David Ahern , Eric Dumazet , Jakub Kicinski , Paolo Abeni Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org X-Patchwork-Delegate: bpf@iogearbox.net Usually when a TCP/UDP connection is initiated, we can bind the socket to a specific IP attached to an interface in a cgroup/connect hook. But for pings, this is impossible, as the hook is not being called. This adds the hook invocation to unprivileged ICMP ping (i.e. ping sockets created with SOCK_DGRAM IPPROTO_ICMP(V6) as opposed to SOCK_RAW. Logic is mirrored from UDP sockets where the hook is invoked during pre_connect, after a check for suficiently sized addr_len. Signed-off-by: YiFei Zhu --- net/ipv4/ping.c | 15 +++++++++++++++ net/ipv6/ping.c | 16 ++++++++++++++++ 2 files changed, 31 insertions(+) diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c index b83c2bd9d7223..517042caf6dc1 100644 --- a/net/ipv4/ping.c +++ b/net/ipv4/ping.c @@ -33,6 +33,7 @@ #include #include #include +#include #include #include #include @@ -295,6 +296,19 @@ void ping_close(struct sock *sk, long timeout) } EXPORT_SYMBOL_GPL(ping_close); +static int ping_pre_connect(struct sock *sk, struct sockaddr *uaddr, + int addr_len) +{ + /* This check is replicated from __ip4_datagram_connect() and + * intended to prevent BPF program called below from accessing bytes + * that are out of the bound specified by user in addr_len. + */ + if (addr_len < sizeof(struct sockaddr_in)) + return -EINVAL; + + return BPF_CGROUP_RUN_PROG_INET4_CONNECT_LOCK(sk, uaddr); +} + /* Checks the bind address and possibly modifies sk->sk_bound_dev_if. */ static int ping_check_bind_addr(struct sock *sk, struct inet_sock *isk, struct sockaddr *uaddr, int addr_len) @@ -1009,6 +1023,7 @@ struct proto ping_prot = { .owner = THIS_MODULE, .init = ping_init_sock, .close = ping_close, + .pre_connect = ping_pre_connect, .connect = ip4_datagram_connect, .disconnect = __udp_disconnect, .setsockopt = ip_setsockopt, diff --git a/net/ipv6/ping.c b/net/ipv6/ping.c index 91b8405146569..5f2ef84937142 100644 --- a/net/ipv6/ping.c +++ b/net/ipv6/ping.c @@ -20,6 +20,7 @@ #include #include #include +#include #include static void ping_v6_destroy(struct sock *sk) @@ -49,6 +50,20 @@ static int dummy_ipv6_chk_addr(struct net *net, const struct in6_addr *addr, return 0; } +static int ping_v6_pre_connect(struct sock *sk, struct sockaddr *uaddr, + int addr_len) +{ + /* This check is replicated from __ip6_datagram_connect() and + * intended to prevent BPF program called below from accessing + * bytes that are out of the bound specified by user in addr_len. + */ + + if (addr_len < SIN6_LEN_RFC2133) + return -EINVAL; + + return BPF_CGROUP_RUN_PROG_INET6_CONNECT_LOCK(sk, uaddr); +} + static int ping_v6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len) { struct inet_sock *inet = inet_sk(sk); @@ -191,6 +206,7 @@ struct proto pingv6_prot = { .init = ping_init_sock, .close = ping_close, .destroy = ping_v6_destroy, + .pre_connect = ping_v6_pre_connect, .connect = ip6_datagram_connect_v6_only, .disconnect = __udp_disconnect, .setsockopt = ipv6_setsockopt, From patchwork Fri Sep 9 00:49:40 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: YiFei Zhu X-Patchwork-Id: 12970886 X-Patchwork-Delegate: bpf@iogearbox.net Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 4933CC6FA82 for ; Fri, 9 Sep 2022 00:50:16 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229764AbiIIAuN (ORCPT ); Thu, 8 Sep 2022 20:50:13 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51578 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229748AbiIIAuL (ORCPT ); Thu, 8 Sep 2022 20:50:11 -0400 Received: from mail-pf1-x449.google.com (mail-pf1-x449.google.com [IPv6:2607:f8b0:4864:20::449]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 215716C75B for ; Thu, 8 Sep 2022 17:50:08 -0700 (PDT) Received: by mail-pf1-x449.google.com with SMTP id g15-20020aa7874f000000b0053e8b9630c7so89594pfo.19 for ; Thu, 08 Sep 2022 17:50:08 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:from:to:cc:subject:date; bh=WXnjmdIZb8SItePycRIoqj321JtXN7AVWGBtHTjKeOI=; b=ZTWsDugxXupQNqVPqZX2VvEH8/PJricBwpC4zOpB6ggMcfiNzPSaxgzhmgfMBcOCMU vEvouRs4IZhkgVXmCC8EBdwvpPUxtITvcjdhM2ziKB4qBIDRWLKmyZy5XkFVpX9yG58p MmIr4ljTmxch+UFKLYvSYf7r36mvtQ3bYKj8ik2CgPHT3lOZSc/NdkBzIk0Cn6/56rie ZC2ps3E6XbQnMOrPX1APJ8CnGcM/3Vr5+8vLW5UxOKUuiVPs9KF859ylT5E8vU6mfWiD /2LBghfdL46moOcE6nQDHvfGqZwbbqWcnPA/gmnqIoF/NhJAxDpSfSkg8eriG6k4QoJi aLog== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:x-gm-message-state:from:to:cc:subject:date; bh=WXnjmdIZb8SItePycRIoqj321JtXN7AVWGBtHTjKeOI=; b=8LYJX8muumjdBqB3ZWLFNp+m0uW5rzhOZAhGOSwRflCX+STZ2QnEy7TVmrVHgb7heV iGb2mMMFujkrwMS2ECjv1eG63cjnn4+oPeeCU+jahK57m8a9YMcGEhMXi5X8/gz0xBXo vorC1Sdl/mzgDe6AD6D2lVkE61L+ytgHdWUbun0bpxYcAlR6U2hBbORgjDcoEGsrJS86 M9D+V91b+f2owxjicqckcvCYdCWuz9s/7Xhm+grfP5vD1V1JWOgcZPmGwrAJ7Xo0RfN5 8OjtEvmpPdnwdl1O9DJ/W/haViMMPB5Bduj9K9t1GRGEBwYUNOhoczVDkqIQj0Vn33Ww //Vw== X-Gm-Message-State: ACgBeo0mu8Mlc4gTtomNX9afOLVowEeKh0VM4hcUcGJjwPCLXHSwXyNv qkoQnT7MHcsBsA3xPUk6Vps5ivmCOuR4Aw== X-Google-Smtp-Source: AA6agR466doHsdPrRV/SqfmFIwhkzDkbIKAZk5Sl1I029gWyNrTQirMY1QkHbOxm1UFXqiqzc2VFeUlVPU4ZhA== X-Received: from zhuyifei-kvm.c.googlers.com ([fda3:e722:ac3:cc00:7f:e700:c0a8:2edc]) (user=zhuyifei job=sendgmr) by 2002:a17:902:d589:b0:174:63e0:5a5c with SMTP id k9-20020a170902d58900b0017463e05a5cmr11365998plh.5.1662684608338; Thu, 08 Sep 2022 17:50:08 -0700 (PDT) Date: Fri, 9 Sep 2022 00:49:40 +0000 In-Reply-To: Mime-Version: 1.0 References: X-Mailer: git-send-email 2.37.2.789.g6183377224-goog Message-ID: <9b4fc9a27bd52f771b657b4c4090fc8d61f3a6b5.1662682323.git.zhuyifei@google.com> Subject: [PATCH v4 bpf-next 2/3] selftests/bpf: Deduplicate write_sysctl() to test_progs.c From: YiFei Zhu To: bpf@vger.kernel.org Cc: netdev@vger.kernel.org, Alexei Starovoitov , Daniel Borkmann , Stanislav Fomichev , Martin KaFai Lau , John Fastabend , Jiri Olsa , "David S. Miller" , Hideaki YOSHIFUJI , David Ahern , Eric Dumazet , Jakub Kicinski , Paolo Abeni Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org X-Patchwork-Delegate: bpf@iogearbox.net This helper is needed in multiple tests. Instead of copying it over and over, better to deduplicate this helper to test_progs.c. test_progs.c is chosen over testing_helpers.c because of this helper's use of CHECK / ASSERT_*, and the CHECK was modified to use ASSERT_* so it does not rely on a duration variable. Suggested-by: Martin KaFai Lau Signed-off-by: YiFei Zhu --- .../bpf/prog_tests/btf_skc_cls_ingress.c | 20 ------------------- .../bpf/prog_tests/tcp_hdr_options.c | 20 ------------------- tools/testing/selftests/bpf/test_progs.c | 17 ++++++++++++++++ tools/testing/selftests/bpf/test_progs.h | 1 + 4 files changed, 18 insertions(+), 40 deletions(-) diff --git a/tools/testing/selftests/bpf/prog_tests/btf_skc_cls_ingress.c b/tools/testing/selftests/bpf/prog_tests/btf_skc_cls_ingress.c index 664ffc0364f4f..7a277035c275b 100644 --- a/tools/testing/selftests/bpf/prog_tests/btf_skc_cls_ingress.c +++ b/tools/testing/selftests/bpf/prog_tests/btf_skc_cls_ingress.c @@ -22,26 +22,6 @@ static __u32 duration; #define PROG_PIN_FILE "/sys/fs/bpf/btf_skc_cls_ingress" -static int write_sysctl(const char *sysctl, const char *value) -{ - int fd, err, len; - - fd = open(sysctl, O_WRONLY); - if (CHECK(fd == -1, "open sysctl", "open(%s): %s (%d)\n", - sysctl, strerror(errno), errno)) - return -1; - - len = strlen(value); - err = write(fd, value, len); - close(fd); - if (CHECK(err != len, "write sysctl", - "write(%s, %s, %d): err:%d %s (%d)\n", - sysctl, value, len, err, strerror(errno), errno)) - return -1; - - return 0; -} - static int prepare_netns(void) { if (CHECK(unshare(CLONE_NEWNET), "create netns", diff --git a/tools/testing/selftests/bpf/prog_tests/tcp_hdr_options.c b/tools/testing/selftests/bpf/prog_tests/tcp_hdr_options.c index 1fa7720799674..f24436d33cd6f 100644 --- a/tools/testing/selftests/bpf/prog_tests/tcp_hdr_options.c +++ b/tools/testing/selftests/bpf/prog_tests/tcp_hdr_options.c @@ -54,26 +54,6 @@ static int create_netns(void) return 0; } -static int write_sysctl(const char *sysctl, const char *value) -{ - int fd, err, len; - - fd = open(sysctl, O_WRONLY); - if (CHECK(fd == -1, "open sysctl", "open(%s): %s (%d)\n", - sysctl, strerror(errno), errno)) - return -1; - - len = strlen(value); - err = write(fd, value, len); - close(fd); - if (CHECK(err != len, "write sysctl", - "write(%s, %s): err:%d %s (%d)\n", - sysctl, value, err, strerror(errno), errno)) - return -1; - - return 0; -} - static void print_hdr_stg(const struct hdr_stg *hdr_stg, const char *prefix) { fprintf(stderr, "%s{active:%u, resend_syn:%u, syncookie:%u, fastopen:%u}\n", diff --git a/tools/testing/selftests/bpf/test_progs.c b/tools/testing/selftests/bpf/test_progs.c index 3561c97701f24..0e9a47f978908 100644 --- a/tools/testing/selftests/bpf/test_progs.c +++ b/tools/testing/selftests/bpf/test_progs.c @@ -943,6 +943,23 @@ int trigger_module_test_write(int write_sz) return 0; } +int write_sysctl(const char *sysctl, const char *value) +{ + int fd, err, len; + + fd = open(sysctl, O_WRONLY); + if (!ASSERT_NEQ(fd, -1, "open sysctl")) + return -1; + + len = strlen(value); + err = write(fd, value, len); + close(fd); + if (!ASSERT_EQ(err, len, "write sysctl")) + return -1; + + return 0; +} + #define MAX_BACKTRACE_SZ 128 void crash_handler(int signum) { diff --git a/tools/testing/selftests/bpf/test_progs.h b/tools/testing/selftests/bpf/test_progs.h index 5fe1365c2bb1e..b090996daee5c 100644 --- a/tools/testing/selftests/bpf/test_progs.h +++ b/tools/testing/selftests/bpf/test_progs.h @@ -384,6 +384,7 @@ int extract_build_id(char *build_id, size_t size); int kern_sync_rcu(void); int trigger_module_test_read(int read_sz); int trigger_module_test_write(int write_sz); +int write_sysctl(const char *sysctl, const char *value); #ifdef __x86_64__ #define SYS_NANOSLEEP_KPROBE_NAME "__x64_sys_nanosleep" From patchwork Fri Sep 9 00:49:41 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: YiFei Zhu X-Patchwork-Id: 12970888 X-Patchwork-Delegate: bpf@iogearbox.net Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 2F5A9C6FA8A for ; Fri, 9 Sep 2022 00:50:17 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229777AbiIIAuP (ORCPT ); Thu, 8 Sep 2022 20:50:15 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51702 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229587AbiIIAuM (ORCPT ); Thu, 8 Sep 2022 20:50:12 -0400 Received: from mail-pg1-x54a.google.com (mail-pg1-x54a.google.com [IPv6:2607:f8b0:4864:20::54a]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 912416E2D1 for ; Thu, 8 Sep 2022 17:50:10 -0700 (PDT) Received: by mail-pg1-x54a.google.com with SMTP id g63-20020a636b42000000b004305794e112so71734pgc.20 for ; Thu, 08 Sep 2022 17:50:10 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:from:to:cc:subject:date; bh=l60jWrvXFLVlPq9d3zDJ2MhW7oGs+fbSrMuq9s9CgZg=; b=CvBkV0ztDXgs2xh9vA2CluEStssd+e9Xqs4Niu1+4NW0EHHOUzLFkEWRI48DIVpkhG WsNQorp1RijR2KARGqxfYCAJ02+s4WQ7XtFcKWUzb/0VrnkZ23aiT2QvbyXKUR/cPUzv Mg41ZHGci1lVPdrk9e3vqZLyjFDKexiLt0qUikbcr1n4J1gFg6OHNsgdmEz2iXo8ifZt 28riNXzZhW4Tw6e9HmdQdt6i9dJ0lwMsHi/gKkh8Ww1lIWuLXtcWQmN8JRUzSoH0Lqwe 6YnhgRAtenjD87+QXtEqvlL6dvhN1cwtk5qSvfOwZZy/pN3Yo9P0s781YWs2BE8oozsm 61fA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:x-gm-message-state:from:to:cc:subject:date; bh=l60jWrvXFLVlPq9d3zDJ2MhW7oGs+fbSrMuq9s9CgZg=; b=af57MqGnBg+ZiZXKFYIMMzvV0jF1I51umMbSYIEvtq9f11aRLNe+fbRir9WjDOUN8U AEU5OA01C7iT2aeXUn9KCbqCRgukbLJoekSYG87PY/JlUf/oxtYcHc0XY1NGyXshxiu2 CqunODhG3oIsf9eavM4Htt7T1fAxseP+dGV7xvwNorcVzWdSRoqbGYxDaNcaPI3ykTYk vJjo89TLjgS9iVHEQjDTEZYxvLNtlgNvNbvVgcSVr16V7LSXGLCmy75FH04puVyqH31h 425QXOkdWnUEbZlMOaYxI+dBcCtZs4DtKvHvVfkERXOBPkJnX1UR6bRHi6YFKN8PGaXI /rTw== X-Gm-Message-State: ACgBeo1rQDXll5eoV5GOnyV3euNwL2TsrWG9B9DeT54dyFjQzFAqU10D gbr9qNjff9yOBAiDrp7JV8KVC6Qp5czX+g== X-Google-Smtp-Source: AA6agR4Ve/X84141oui0wI1gWlO17d+J53KnzBvefiBI4P2AAMsXv2LQX9g2yZRO93bDV2PnhVERSxzT4z3uJQ== X-Received: from zhuyifei-kvm.c.googlers.com ([fda3:e722:ac3:cc00:7f:e700:c0a8:2edc]) (user=zhuyifei job=sendgmr) by 2002:a05:6a00:b86:b0:53a:8a00:6ecb with SMTP id g6-20020a056a000b8600b0053a8a006ecbmr11438160pfj.56.1662684610137; Thu, 08 Sep 2022 17:50:10 -0700 (PDT) Date: Fri, 9 Sep 2022 00:49:41 +0000 In-Reply-To: Mime-Version: 1.0 References: X-Mailer: git-send-email 2.37.2.789.g6183377224-goog Message-ID: <086b227c1b97f4e94193e58aae7576d0261b68a4.1662682323.git.zhuyifei@google.com> Subject: [PATCH v4 bpf-next 3/3] selftests/bpf: Ensure cgroup/connect{4,6} programs can bind unpriv ICMP ping From: YiFei Zhu To: bpf@vger.kernel.org Cc: netdev@vger.kernel.org, Alexei Starovoitov , Daniel Borkmann , Stanislav Fomichev , Martin KaFai Lau , John Fastabend , Jiri Olsa , "David S. Miller" , Hideaki YOSHIFUJI , David Ahern , Eric Dumazet , Jakub Kicinski , Paolo Abeni Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org X-Patchwork-Delegate: bpf@iogearbox.net This tests that when an unprivileged ICMP ping socket connects, the hooks are actually invoked. We also ensure that if the hook does not call bpf_bind(), the bound address is unmodified, and if the hook calls bpf_bind(), the bound address is exactly what we provided to the helper. A new netns is used to enable ping_group_range in the test without affecting ouside of the test, because by default, not even root is permitted to use unprivileged ICMP ping... Signed-off-by: YiFei Zhu --- .../selftests/bpf/prog_tests/connect_ping.c | 178 ++++++++++++++++++ .../selftests/bpf/progs/connect_ping.c | 53 ++++++ 2 files changed, 231 insertions(+) create mode 100644 tools/testing/selftests/bpf/prog_tests/connect_ping.c create mode 100644 tools/testing/selftests/bpf/progs/connect_ping.c diff --git a/tools/testing/selftests/bpf/prog_tests/connect_ping.c b/tools/testing/selftests/bpf/prog_tests/connect_ping.c new file mode 100644 index 0000000000000..289218c2216c3 --- /dev/null +++ b/tools/testing/selftests/bpf/prog_tests/connect_ping.c @@ -0,0 +1,178 @@ +// SPDX-License-Identifier: GPL-2.0-only + +/* + * Copyright 2022 Google LLC. + */ + +#define _GNU_SOURCE +#include + +#include "test_progs.h" +#include "cgroup_helpers.h" +#include "network_helpers.h" + +#include "connect_ping.skel.h" + +/* 2001:db8::1 */ +#define BINDADDR_V6 { { { 0x20,0x01,0x0d,0xb8,0,0,0,0,0,0,0,0,0,0,0,1 } } } +static const struct in6_addr bindaddr_v6 = BINDADDR_V6; + +static void subtest(int cgroup_fd, struct connect_ping *skel, + int family, int do_bind) +{ + struct sockaddr_in sa4 = { + .sin_family = AF_INET, + .sin_addr.s_addr = htonl(INADDR_LOOPBACK), + }; + struct sockaddr_in6 sa6 = { + .sin6_family = AF_INET6, + .sin6_addr = IN6ADDR_LOOPBACK_INIT, + }; + struct sockaddr *sa; + socklen_t sa_len; + int protocol; + int sock_fd; + + switch (family) { + case AF_INET: + sa = (struct sockaddr *)&sa4; + sa_len = sizeof(sa4); + protocol = IPPROTO_ICMP; + break; + case AF_INET6: + sa = (struct sockaddr *)&sa6; + sa_len = sizeof(sa6); + protocol = IPPROTO_ICMPV6; + break; + } + + memset(skel->bss, 0, sizeof(*skel->bss)); + skel->bss->do_bind = do_bind; + + sock_fd = socket(family, SOCK_DGRAM, protocol); + if (!ASSERT_GE(sock_fd, 0, "sock-create")) + return; + + if (!ASSERT_OK(connect(sock_fd, sa, sa_len), "connect")) + goto close_sock; + + if (!ASSERT_EQ(skel->bss->invocations_v4, family == AF_INET ? 1 : 0, + "invocations_v4")) + goto close_sock; + if (!ASSERT_EQ(skel->bss->invocations_v6, family == AF_INET6 ? 1 : 0, + "invocations_v6")) + goto close_sock; + if (!ASSERT_EQ(skel->bss->has_error, 0, "has_error")) + goto close_sock; + + if (!ASSERT_OK(getsockname(sock_fd, sa, &sa_len), + "getsockname")) + goto close_sock; + + switch (family) { + case AF_INET: + if (!ASSERT_EQ(sa4.sin_family, family, "sin_family")) + goto close_sock; + if (!ASSERT_EQ(sa4.sin_addr.s_addr, + htonl(do_bind ? 0x01010101 : INADDR_LOOPBACK), + "sin_addr")) + goto close_sock; + break; + case AF_INET6: + if (!ASSERT_EQ(sa6.sin6_family, AF_INET6, "sin6_family")) + goto close_sock; + if (!ASSERT_EQ(memcmp(&sa6.sin6_addr, + do_bind ? &bindaddr_v6 : &in6addr_loopback, + sizeof(sa6.sin6_addr)), + 0, "sin6_addr")) + goto close_sock; + break; + } + +close_sock: + close(sock_fd); +} + +void test_connect_ping(void) +{ + struct connect_ping *skel; + int cgroup_fd; + + if (!ASSERT_OK(unshare(CLONE_NEWNET | CLONE_NEWNS), "unshare")) + return; + + /* overmount sysfs, and making original sysfs private so overmount + * does not propagate to other mntns. + */ + if (!ASSERT_OK(mount("none", "/sys", NULL, MS_PRIVATE, NULL), + "remount-private-sys")) + return; + if (!ASSERT_OK(mount("sysfs", "/sys", "sysfs", 0, NULL), + "mount-sys")) + return; + if (!ASSERT_OK(mount("bpffs", "/sys/fs/bpf", "bpf", 0, NULL), + "mount-bpf")) + goto clean_mount; + + if (!ASSERT_OK(system("ip link set dev lo up"), "lo-up")) + goto clean_mount; + if (!ASSERT_OK(system("ip addr add 1.1.1.1 dev lo"), "lo-addr-v4")) + goto clean_mount; + if (!ASSERT_OK(system("ip -6 addr add 2001:db8::1 dev lo"), "lo-addr-v6")) + goto clean_mount; + if (write_sysctl("/proc/sys/net/ipv4/ping_group_range", "0 0")) + goto clean_mount; + + cgroup_fd = test__join_cgroup("/connect_ping"); + if (!ASSERT_GE(cgroup_fd, 0, "cg-create")) + goto clean_mount; + + skel = connect_ping__open_and_load(); + if (!ASSERT_OK_PTR(skel, "skel-load")) + goto close_cgroup; + skel->links.connect_v4_prog = + bpf_program__attach_cgroup(skel->progs.connect_v4_prog, cgroup_fd); + if (!ASSERT_OK_PTR(skel->links.connect_v4_prog, "cg-attach-v4")) + goto skel_destroy; + skel->links.connect_v6_prog = + bpf_program__attach_cgroup(skel->progs.connect_v6_prog, cgroup_fd); + if (!ASSERT_OK_PTR(skel->links.connect_v6_prog, "cg-attach-v6")) + goto skel_destroy; + + /* Connect a v4 ping socket to localhost, assert that only v4 is called, + * and called exactly once, and that the socket's bound address is + * original loopback address. + */ + if (test__start_subtest("ipv4")) + subtest(cgroup_fd, skel, AF_INET, 0); + + /* Connect a v4 ping socket to localhost, assert that only v4 is called, + * and called exactly once, and that the socket's bound address is + * address we explicitly bound. + */ + if (test__start_subtest("ipv4-bind")) + subtest(cgroup_fd, skel, AF_INET, 1); + + /* Connect a v6 ping socket to localhost, assert that only v6 is called, + * and called exactly once, and that the socket's bound address is + * original loopback address. + */ + if (test__start_subtest("ipv6")) + subtest(cgroup_fd, skel, AF_INET6, 0); + + /* Connect a v6 ping socket to localhost, assert that only v6 is called, + * and called exactly once, and that the socket's bound address is + * address we explicitly bound. + */ + if (test__start_subtest("ipv6-bind")) + subtest(cgroup_fd, skel, AF_INET6, 1); + +skel_destroy: + connect_ping__destroy(skel); + +close_cgroup: + close(cgroup_fd); + +clean_mount: + umount2("/sys", MNT_DETACH); +} diff --git a/tools/testing/selftests/bpf/progs/connect_ping.c b/tools/testing/selftests/bpf/progs/connect_ping.c new file mode 100644 index 0000000000000..60178192b672f --- /dev/null +++ b/tools/testing/selftests/bpf/progs/connect_ping.c @@ -0,0 +1,53 @@ +// SPDX-License-Identifier: GPL-2.0-only + +/* + * Copyright 2022 Google LLC. + */ + +#include +#include +#include +#include +#include + +/* 2001:db8::1 */ +#define BINDADDR_V6 { { { 0x20,0x01,0x0d,0xb8,0,0,0,0,0,0,0,0,0,0,0,1 } } } + +__u32 do_bind = 0; +__u32 has_error = 0; +__u32 invocations_v4 = 0; +__u32 invocations_v6 = 0; + +SEC("cgroup/connect4") +int connect_v4_prog(struct bpf_sock_addr *ctx) +{ + struct sockaddr_in sa = { + .sin_family = AF_INET, + .sin_addr.s_addr = bpf_htonl(0x01010101), + }; + + __sync_fetch_and_add(&invocations_v4, 1); + + if (do_bind && bpf_bind(ctx, (struct sockaddr *)&sa, sizeof(sa))) + has_error = 1; + + return 1; +} + +SEC("cgroup/connect6") +int connect_v6_prog(struct bpf_sock_addr *ctx) +{ + struct sockaddr_in6 sa = { + .sin6_family = AF_INET6, + .sin6_addr = BINDADDR_V6, + }; + + __sync_fetch_and_add(&invocations_v6, 1); + + if (do_bind && bpf_bind(ctx, (struct sockaddr *)&sa, sizeof(sa))) + has_error = 1; + + return 1; +} + +char _license[] SEC("license") = "GPL";