From patchwork Wed Mar 5 19:49:39 2025
X-Patchwork-Submitter: Mykyta Yatsenko
X-Patchwork-Id: 14003301
X-Patchwork-Delegate: bpf@iogearbox.net
From: Mykyta Yatsenko
To: bpf@vger.kernel.org, ast@kernel.org, andrii@kernel.org, daniel@iogearbox.net, kafai@meta.com, kernel-team@meta.com, eddyz87@gmail.com
Cc: Mykyta Yatsenko
Subject: [PATCH bpf-next v2 1/4] bpf: BPF token support for BPF_BTF_GET_FD_BY_ID
Date: Wed, 5 Mar 2025 19:49:39 +0000
Message-ID: <20250305194942.123191-2-mykyta.yatsenko5@gmail.com>
In-Reply-To: <20250305194942.123191-1-mykyta.yatsenko5@gmail.com>
References: <20250305194942.123191-1-mykyta.yatsenko5@gmail.com>

Currently BPF_BTF_GET_FD_BY_ID requires CAP_SYS_ADMIN, which does not allow running it from user namespace. This creates a problem when freplace program running from user namespace needs to query target program BTF. This patch relaxes capable check from CAP_SYS_ADMIN to CAP_BPF and adds support for BPF token that can be passed in attributes to syscall.

Signed-off-by: Mykyta Yatsenko
---
 include/uapi/linux/bpf.h | 1 +
 kernel/bpf/syscall.c | 9 +++++++--
 tools/include/uapi/linux/bpf.h | 1 +
 .../selftests/bpf/prog_tests/libbpf_get_fd_by_id_opts.c | 3 +--
 4 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h index bb37897c0393..73c23daacabf 100644 --- a/include/uapi/linux/bpf.h +++ b/include/uapi/linux/bpf.h
@@ -1652,6 +1652,7 @@ union bpf_attr { }; __u32 next_id; __u32 open_flags; + __s32 token_fd; }; struct { /* anonymous struct used by BPF_OBJ_GET_INFO_BY_FD */ diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c index 57a438706215..6975d391bb05 100644 --- a/kernel/bpf/syscall.c +++ b/kernel/bpf/syscall.c @@ -5137,14 +5137,19 @@ static int bpf_btf_load(const union bpf_attr *attr, bpfptr_t uattr, __u32 uattr_ return btf_new_fd(attr, uattr, uattr_size); } -#define BPF_BTF_GET_FD_BY_ID_LAST_FIELD btf_id +#define BPF_BTF_GET_FD_BY_ID_LAST_FIELD token_fd static int bpf_btf_get_fd_by_id(const union bpf_attr *attr) { + struct bpf_token *token = NULL; + if (CHECK_ATTR(BPF_BTF_GET_FD_BY_ID)) return -EINVAL; - if (!capable(CAP_SYS_ADMIN)) + if (attr->open_flags & BPF_F_TOKEN_FD) + token = bpf_token_get_from_fd(attr->token_fd); + + if (!bpf_token_capable(token, CAP_SYS_ADMIN)) return -EPERM; return btf_get_fd_by_id(attr->btf_id); diff --git a/tools/include/uapi/linux/bpf.h b/tools/include/uapi/linux/bpf.h index bb37897c0393..73c23daacabf 100644 --- a/tools/include/uapi/linux/bpf.h +++ b/tools/include/uapi/linux/bpf.h @@ -1652,6 +1652,7 @@ union bpf_attr { }; __u32 next_id; __u32 open_flags; + __s32 token_fd; }; struct { /* anonymous struct used by BPF_OBJ_GET_INFO_BY_FD */ diff --git a/tools/testing/selftests/bpf/prog_tests/libbpf_get_fd_by_id_opts.c b/tools/testing/selftests/bpf/prog_tests/libbpf_get_fd_by_id_opts.c index a3f238f51d05..976ff38a6d43 100644 --- a/tools/testing/selftests/bpf/prog_tests/libbpf_get_fd_by_id_opts.c +++ b/tools/testing/selftests/bpf/prog_tests/libbpf_get_fd_by_id_opts.c 
@@ -75,9 +75,8 @@ void test_libbpf_get_fd_by_id_opts(void) if (!ASSERT_EQ(ret, -EINVAL, "bpf_link_get_fd_by_id_opts")) goto close_prog; - /* BTF get fd with opts set should not work (no kernel support). */ ret = bpf_btf_get_fd_by_id_opts(0, &fd_opts_rdonly); - ASSERT_EQ(ret, -EINVAL, "bpf_btf_get_fd_by_id_opts"); + ASSERT_EQ(ret, -ENOENT, "bpf_btf_get_fd_by_id_opts"); close_prog: if (fd >= 0)

From patchwork Wed Mar 5 19:49:40 2025
X-Patchwork-Submitter: Mykyta Yatsenko
X-Patchwork-Id: 14003302
X-Patchwork-Delegate: bpf@iogearbox.net
From: Mykyta Yatsenko
To: bpf@vger.kernel.org, ast@kernel.org, andrii@kernel.org, daniel@iogearbox.net, kafai@meta.com, kernel-team@meta.com, eddyz87@gmail.com
Cc: Mykyta Yatsenko
Subject: [PATCH bpf-next v2 2/4] bpf: return prog btf_id without capable check
Date: Wed, 5 Mar 2025 19:49:40 +0000
Message-ID: <20250305194942.123191-3-mykyta.yatsenko5@gmail.com>
In-Reply-To: <20250305194942.123191-1-mykyta.yatsenko5@gmail.com>
References: <20250305194942.123191-1-mykyta.yatsenko5@gmail.com>

Return prog's btf_id from bpf_prog_get_info_by_fd regardless of capable check. This patch enables scenario, when freplace program, running from user namespace, requires to query target prog's btf.

Signed-off-by: Mykyta Yatsenko
---
 kernel/bpf/syscall.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c index 6975d391bb05..ac8b391fdacb 100644
--- a/kernel/bpf/syscall.c +++ b/kernel/bpf/syscall.c @@ -4749,6 +4749,8 @@ static int bpf_prog_get_info_by_fd(struct file *file, info.recursion_misses = stats.misses; info.verified_insns = prog->aux->verified_insns; + if (prog->aux->btf) + info.btf_id = btf_obj_id(prog->aux->btf); if (!bpf_capable()) { info.jited_prog_len = 0; 
@@ -4895,8 +4897,6 @@ static int bpf_prog_get_info_by_fd(struct file *file, } } - if (prog->aux->btf) - info.btf_id = btf_obj_id(prog->aux->btf); info.attach_btf_id = prog->aux->attach_btf_id; if (attach_btf) info.attach_btf_obj_id = btf_obj_id(attach_btf);

From patchwork Wed Mar 5 19:49:41 2025
X-Patchwork-Submitter: Mykyta Yatsenko
X-Patchwork-Id: 14003303
X-Patchwork-Delegate: bpf@iogearbox.net
From: Mykyta Yatsenko
To: bpf@vger.kernel.org, ast@kernel.org, andrii@kernel.org, daniel@iogearbox.net, kafai@meta.com, kernel-team@meta.com, eddyz87@gmail.com
Cc: Mykyta Yatsenko
Subject: [PATCH bpf-next v2 3/4] libbpf: pass BPF token from find_prog_btf_id to BPF_BTF_GET_FD_BY_ID
Date: Wed, 5 Mar 2025 19:49:41 +0000
Message-ID: <20250305194942.123191-4-mykyta.yatsenko5@gmail.com>
In-Reply-To: <20250305194942.123191-1-mykyta.yatsenko5@gmail.com>
References: <20250305194942.123191-1-mykyta.yatsenko5@gmail.com>

Pass BPF token from bpf_program__set_attach_target to BPF_BTF_GET_FD_BY_ID bpf command. When freplace program attaches to target program, it needs to look up for BTF of the target, this may require BPF token, if, for example, running from user namespace.

Signed-off-by: Mykyta Yatsenko
---
 tools/lib/bpf/bpf.c | 3 ++-
 tools/lib/bpf/bpf.h | 4 +++-
 tools/lib/bpf/btf.c | 14 ++++++++++++--
 tools/lib/bpf/libbpf.c | 10 +++++-----
 tools/lib/bpf/libbpf_internal.h | 1 +
 5 files changed, 23 insertions(+), 9 deletions(-)

diff --git a/tools/lib/bpf/bpf.c b/tools/lib/bpf/bpf.c index 359f73ead613..783274172e56 100644 --- a/tools/lib/bpf/bpf.c +++ b/tools/lib/bpf/bpf.c @@ -1097,7 +1097,7 @@ int bpf_map_get_fd_by_id(__u32 id) int bpf_btf_get_fd_by_id_opts(__u32 id, const struct bpf_get_fd_by_id_opts *opts) { - const size_t attr_sz = offsetofend(union bpf_attr, open_flags); + const size_t attr_sz = offsetofend(union bpf_attr, token_fd); union bpf_attr attr; int fd; @@ -1107,6 +1107,7 @@ int bpf_btf_get_fd_by_id_opts(__u32 id, memset(&attr, 0, attr_sz); attr.btf_id = id; attr.open_flags = OPTS_GET(opts, open_flags, 0); + attr.token_fd = OPTS_GET(opts, token_fd, 0); fd = sys_bpf_fd(BPF_BTF_GET_FD_BY_ID, &attr, attr_sz); return libbpf_err_errno(fd); diff --git a/tools/lib/bpf/bpf.h b/tools/lib/bpf/bpf.h index 435da95d2058..544215d7137c 100644 --- a/tools/lib/bpf/bpf.h +++ b/tools/lib/bpf/bpf.h @@ -487,9 +487,11 @@ LIBBPF_API int bpf_link_get_next_id(__u32 start_id, __u32 *next_id); struct bpf_get_fd_by_id_opts { size_t sz; /* size of this struct for forward/backward compatibility */ __u32 open_flags; /* permissions requested for the operation on fd */ + __u32 token_fd; size_t :0; }; -#define bpf_get_fd_by_id_opts__last_field open_flags + +#define bpf_get_fd_by_id_opts__last_field token_fd LIBBPF_API int bpf_prog_get_fd_by_id(__u32 id); LIBBPF_API int bpf_prog_get_fd_by_id_opts(__u32 id, diff --git a/tools/lib/bpf/btf.c b/tools/lib/bpf/btf.c index eea99c766a20..466336f16134 100644 --- a/tools/lib/bpf/btf.c +++ b/tools/lib/bpf/btf.c 
@@ -1619,12 +1619,17 @@ struct btf *btf_get_from_fd(int btf_fd, struct btf *base_btf) return btf; } -struct btf *btf__load_from_kernel_by_id_split(__u32 id, struct btf *base_btf) +struct btf *btf_load_from_kernel(__u32 id, struct btf *base_btf, int token_fd) { struct btf *btf; int btf_fd; + LIBBPF_OPTS(bpf_get_fd_by_id_opts, opts); + + opts.token_fd = token_fd; + if (token_fd) + opts.open_flags |= BPF_F_TOKEN_FD; - btf_fd = bpf_btf_get_fd_by_id(id); + btf_fd = bpf_btf_get_fd_by_id_opts(id, &opts); if (btf_fd < 0) return libbpf_err_ptr(-errno); @@ -1634,6 +1639,11 @@ struct btf *btf__load_from_kernel_by_id_split(__u32 id, struct btf *base_btf) return libbpf_ptr(btf); } +struct btf *btf__load_from_kernel_by_id_split(__u32 id, struct btf *base_btf) +{ + return btf_load_from_kernel(id, base_btf, 0); +} + struct btf *btf__load_from_kernel_by_id(__u32 id) { return btf__load_from_kernel_by_id_split(id, NULL); diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c index 8e32286854ef..6b85060f07b3 100644 --- a/tools/lib/bpf/libbpf.c +++ b/tools/lib/bpf/libbpf.c @@ -10024,7 +10024,7 @@ int libbpf_find_vmlinux_btf_id(const char *name, return libbpf_err(err); } -static int libbpf_find_prog_btf_id(const char *name, __u32 attach_prog_fd) +static int libbpf_find_prog_btf_id(const char *name, __u32 attach_prog_fd, int token_fd) { struct bpf_prog_info info; __u32 info_len = sizeof(info); @@ -10044,7 +10044,7 @@ static int libbpf_find_prog_btf_id(const char *name, __u32 attach_prog_fd) pr_warn("The target program doesn't have BTF\n"); goto out; } - btf = btf__load_from_kernel_by_id(info.btf_id); + btf = btf_load_from_kernel(info.btf_id, NULL, token_fd); err = libbpf_get_error(btf); if (err) { pr_warn("Failed to get BTF %d of the program: %s\n", info.btf_id, errstr(err)); 
@@ -10127,7 +10127,7 @@ static int libbpf_find_attach_btf_id(struct bpf_program *prog, const char *attac pr_warn("prog '%s': attach program FD is not set\n", prog->name); return -EINVAL; } - err = libbpf_find_prog_btf_id(attach_name, attach_prog_fd); + err = libbpf_find_prog_btf_id(attach_name, attach_prog_fd, prog->obj->token_fd); if (err < 0) { pr_warn("prog '%s': failed to find BPF program (FD %d) BTF ID for '%s': %s\n", prog->name, attach_prog_fd, attach_name, errstr(err)); @@ -12923,7 +12923,7 @@ struct bpf_link *bpf_program__attach_freplace(const struct bpf_program *prog, if (target_fd) { LIBBPF_OPTS(bpf_link_create_opts, target_opts); - btf_id = libbpf_find_prog_btf_id(attach_func_name, target_fd); + btf_id = libbpf_find_prog_btf_id(attach_func_name, target_fd, prog->obj->token_fd); if (btf_id < 0) return libbpf_err_ptr(btf_id); @@ -13744,7 +13744,7 @@ int bpf_program__set_attach_target(struct bpf_program *prog, if (attach_prog_fd) { btf_id = libbpf_find_prog_btf_id(attach_func_name, - attach_prog_fd); + attach_prog_fd, prog->obj->token_fd); if (btf_id < 0) return libbpf_err(btf_id); } else { diff --git a/tools/lib/bpf/libbpf_internal.h b/tools/lib/bpf/libbpf_internal.h index de498e2dd6b0..76669c73dcd1 100644 --- a/tools/lib/bpf/libbpf_internal.h +++ b/tools/lib/bpf/libbpf_internal.h 
@@ -409,6 +409,7 @@ int libbpf__load_raw_btf(const char *raw_types, size_t types_len, int btf_load_into_kernel(struct btf *btf, char *log_buf, size_t log_sz, __u32 log_level, int token_fd); +struct btf *btf_load_from_kernel(__u32 id, struct btf *base_btf, int token_fd); struct btf *btf_get_from_fd(int btf_fd, struct btf *base_btf); void btf_get_kernel_prefix_kind(enum bpf_attach_type attach_type,

From patchwork Wed Mar 5 19:49:42 2025
X-Patchwork-Submitter: Mykyta Yatsenko
X-Patchwork-Id: 14003304
X-Patchwork-Delegate: bpf@iogearbox.net
From: Mykyta Yatsenko
To: bpf@vger.kernel.org, ast@kernel.org, andrii@kernel.org, daniel@iogearbox.net, kafai@meta.com, kernel-team@meta.com, eddyz87@gmail.com
Cc: Mykyta Yatsenko
Subject: [PATCH bpf-next v2 4/4] selftests/bpf: test freplace from user namespace
Date: Wed, 5 Mar 2025 19:49:42 +0000
Message-ID: <20250305194942.123191-5-mykyta.yatsenko5@gmail.com>
In-Reply-To: <20250305194942.123191-1-mykyta.yatsenko5@gmail.com>
References: <20250305194942.123191-1-mykyta.yatsenko5@gmail.com>

Add selftests to verify that it is possible to load freplace program from user namespace if BPF token is initialized by bpf_object__prepare before calling bpf_program__set_attach_target. Negative test is added as well.

Signed-off-by: Mykyta Yatsenko --- .../testing/selftests/bpf/prog_tests/token.c | 94 +++++++++++++++++++ .../selftests/bpf/progs/priv_freplace_prog.c | 13 +++ tools/testing/selftests/bpf/progs/priv_prog.c | 2 +- 3 files changed, 108 insertions(+), 1 deletion(-) create mode 100644 tools/testing/selftests/bpf/progs/priv_freplace_prog.c diff --git a/tools/testing/selftests/bpf/prog_tests/token.c b/tools/testing/selftests/bpf/prog_tests/token.c index c3ab9b6fb069..00ebfc36f202 100644 --- a/tools/testing/selftests/bpf/prog_tests/token.c +++ b/tools/testing/selftests/bpf/prog_tests/token.c @@ -19,6 +19,7 @@ #include "priv_prog.skel.h" #include "dummy_st_ops_success.skel.h" #include "token_lsm.skel.h" +#include "priv_freplace_prog.skel.h" static inline int sys_mount(const char *dev_name, const char *dir_name, const char *type, unsigned long flags, 
@@ -788,6 +789,83 @@ static int userns_obj_priv_prog(int mnt_fd, struct token_lsm *lsm_skel) return 0; } +static int userns_obj_priv_freplace_setup(int mnt_fd, struct priv_freplace_prog **fr_skel, + struct priv_prog **skel, int *tgt_fd) +{ + LIBBPF_OPTS(bpf_object_open_opts, opts); + int err; + char buf[256]; + + /* use bpf_token_path to provide BPF FS path */ + snprintf(buf, sizeof(buf), "/proc/self/fd/%d", mnt_fd); + opts.bpf_token_path = buf; + *skel = priv_prog__open_opts(&opts); + if (!ASSERT_OK_PTR(*skel, "priv_prog__open_opts")) + return -EINVAL; + err = priv_prog__load(*skel); + if (!ASSERT_OK(err, "priv_prog__load")) + return -EINVAL; + + *fr_skel = priv_freplace_prog__open_opts(&opts); + if (!ASSERT_OK_PTR(*skel, "priv_freplace_prog__open_opts")) + return -EINVAL; + + *tgt_fd = bpf_program__fd((*skel)->progs.kprobe_prog); + return 0; +} + +/* Verify that freplace works from user namespace, because bpf token is loaded + * in bpf_object__prepare + */ +static int userns_obj_priv_freplace_prog(int mnt_fd, struct token_lsm *lsm_skel) +{ + struct priv_freplace_prog *fr_skel = NULL; + struct priv_prog *skel = NULL; + int err, tgt_fd; + + err = userns_obj_priv_freplace_setup(mnt_fd, &fr_skel, &skel, &tgt_fd); + if (!ASSERT_OK(err, "setup")) + goto out; + + err = bpf_object__prepare(fr_skel->obj); + if (!ASSERT_OK(err, "freplace__prepare")) + goto out; + + err = bpf_program__set_attach_target(fr_skel->progs.new_kprobe_prog, tgt_fd, "kprobe_prog"); + if (!ASSERT_OK(err, "set_attach_target")) + goto out; + + err = priv_freplace_prog__load(fr_skel); + ASSERT_OK(err, "priv_freplace_prog__load"); +out: + priv_freplace_prog__destroy(fr_skel); + priv_prog__destroy(skel); + return err; +} + +/* Verify that replace fails to set attach target from user namespace without bpf token */ +static int userns_obj_priv_freplace_prog_fail(int mnt_fd, struct token_lsm *lsm_skel) +{ + struct priv_freplace_prog *fr_skel = NULL; + struct priv_prog *skel = NULL; + int err, tgt_fd; + + err 
= userns_obj_priv_freplace_setup(mnt_fd, &fr_skel, &skel, &tgt_fd); + if (!ASSERT_OK(err, "setup")) + goto out; + + err = bpf_program__set_attach_target(fr_skel->progs.new_kprobe_prog, tgt_fd, "kprobe_prog"); + if (ASSERT_ERR(err, "attach fails")) + err = 0; + else + err = -EINVAL; + +out: + priv_freplace_prog__destroy(fr_skel); + priv_prog__destroy(skel); + return err; +} + /* this test is called with BPF FS that doesn't delegate BPF_BTF_LOAD command, * which should cause struct_ops application to fail, as BTF won't be uploaded * into the kernel, even if STRUCT_OPS programs themselves are allowed @@ -1010,6 +1088,22 @@ void test_token(void) subtest_userns(&opts, userns_obj_priv_prog); } + if (test__start_subtest("obj_priv_freplace_prog")) { + struct bpffs_opts opts = { + .cmds = bit(BPF_BTF_LOAD) | bit(BPF_PROG_LOAD), + .progs = bit(BPF_PROG_TYPE_KPROBE) | bit(BPF_PROG_TYPE_EXT), + .attachs = ~0ULL, + }; + subtest_userns(&opts, userns_obj_priv_freplace_prog); + } + if (test__start_subtest("obj_priv_freplace_prog_fail")) { + struct bpffs_opts opts = { + .cmds = bit(BPF_BTF_LOAD) | bit(BPF_PROG_LOAD), + .progs = bit(BPF_PROG_TYPE_KPROBE) | bit(BPF_PROG_TYPE_EXT), + .attachs = ~0ULL, + }; + subtest_userns(&opts, userns_obj_priv_freplace_prog_fail); + } if (test__start_subtest("obj_priv_btf_fail")) { struct bpffs_opts opts = { /* disallow BTF loading */ diff --git a/tools/testing/selftests/bpf/progs/priv_freplace_prog.c b/tools/testing/selftests/bpf/progs/priv_freplace_prog.c new file mode 100644 index 000000000000..c9ab81988624 --- /dev/null +++ b/tools/testing/selftests/bpf/progs/priv_freplace_prog.c @@ -0,0 +1,13 @@ +// SPDX-License-Identifier: GPL-2.0 +/* Copyright (c) 2025 Meta Platforms, Inc. and affiliates. */ + +#include "vmlinux.h" +#include + +char _license[] SEC("license") = "GPL"; + +SEC("freplace/kprobe_prog") +int new_kprobe_prog(struct pt_regs *ctx) +{ + return 1; +} 
diff --git a/tools/testing/selftests/bpf/progs/priv_prog.c b/tools/testing/selftests/bpf/progs/priv_prog.c index 3c7b2b618c8a..bc3ccd4906b3 100644 --- a/tools/testing/selftests/bpf/progs/priv_prog.c +++ b/tools/testing/selftests/bpf/progs/priv_prog.c @@ -7,7 +7,7 @@ char _license[] SEC("license") = "GPL"; SEC("kprobe") -int kprobe_prog(void *ctx) +int kprobe_prog(struct pt_regs *ctx) { return 1; }
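
Review bot: In patch 1/4, bpf_btf_get_fd_by_id() in kernel/bpf/syscall.c uses the result of bpf_token_get_from_fd(attr->token_fd) without an IS_ERR() check and never drops the reference, so a bad token_fd hands an error pointer to bpf_token_capable() and a valid token is leaked on both the -EPERM and the success path. Suggest returning PTR_ERR(token) on failure and calling bpf_token_put(token) before each return. The hunk also never asks the token whether BPF_BTF_GET_FD_BY_ID was delegated (the other token-aware commands gate on bpf_token_allow_cmd()), and the capability passed is still CAP_SYS_ADMIN while the commit message says the check is relaxed to CAP_BPF; one of the two should be corrected.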
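
Review bot: In patch 1/4, the new `__s32 token_fd;` added to union bpf_attr after open_flags (include/uapi/linux/bpf.h and the tools/ copy) carries no comment. Please document that it is read only when BPF_F_TOKEN_FD is set in open_flags and that, in this series, only BPF_BTF_GET_FD_BY_ID extends its LAST_FIELD to cover it, so it is clear which commands using this struct honour the field.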
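
Review bot: In patch 2/4, the first hunk of bpf_prog_get_info_by_fd() moves the info.btf_id assignment above the `if (!bpf_capable())` block, so the BTF object id is now returned to callers that fail that check, and the commit message does not say why that id is safe to expose. Please state the reasoning in the changelog (for example, that turning the id into an fd is still gated by the BPF_BTF_GET_FD_BY_ID check changed in patch 1/4) and consider a short comment at the new location, since the lines just below it zero fields for unprivileged callers.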
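
Review bot: In patch 3/4, struct bpf_get_fd_by_id_opts in tools/lib/bpf/bpf.h declares `__u32 token_fd;` while the UAPI field added in patch 1/4 is `__s32 token_fd` and btf_load_from_kernel() takes `int token_fd`. Suggest making the opts field signed to match, giving it a comment like the ones on sz and open_flags, and dropping the blank line inserted before the bpf_get_fd_by_id_opts__last_field define.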
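
Review bot: In patch 4/4, userns_obj_priv_freplace_setup() assigns *fr_skel from priv_freplace_prog__open_opts(&opts), but the check that follows is `ASSERT_OK_PTR(*skel, "priv_freplace_prog__open_opts")`, which tests the already loaded priv_prog skeleton a second time. Check *fr_skel instead; as written, a failed open goes unnoticed until the callers dereference fr_skel->obj or fr_skel->progs.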
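
Review bot: In patch 4/4, the two new subtests in test_token() set .cmds to `bit(BPF_BTF_LOAD) | bit(BPF_PROG_LOAD)` only, yet the positive case depends on BPF_BTF_GET_FD_BY_ID succeeding through the token. That passes only because the kernel hunk in patch 1/4 never consults the token's delegated commands; if that check is added, bit(BPF_BTF_GET_FD_BY_ID) has to be delegated here, and a further subtest with the command left out would cover the denial path.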