From: sashiko-bot@kernel.org
To: "David Windsor" <dwindsor@gmail.com>
Cc: bpf@vger.kernel.org, selinux@vger.kernel.org
Subject: Re: [PATCH v4 bpf-next 3/3] selftests/bpf: add tests for bpf_init_inode_xattr kfunc
Date: Tue, 30 Jun 2026 18:51:00 +0000 [thread overview]
Message-ID: <20260630185101.68F481F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260630183956.281293-4-dwindsor@gmail.com>
Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
- [Medium] The tests use predictable temporary file paths with `open(..., O_CREAT)` but without `O_EXCL` or prior cleanup, leading to test flakiness and a symlink attack vulnerability.
- [Medium] The slot limit test triggers duplicate xattr name creations during `inode_init_security`, causing the test to fail on filesystems like ext4 that enforce `XATTR_CREATE`.
--
commit 9defa5666243f46c3a058ad117a6ee0ace1b9f5c
Author: David Windsor <dwindsor@gmail.com>
selftests/bpf: add tests for bpf_init_inode_xattr kfunc
Test bpf atomic inode xattr labeling in inode_init_security.
> diff --git a/tools/testing/selftests/bpf/prog_tests/fs_kfuncs.c b/tools/testing/selftests/bpf/prog_tests/fs_kfuncs.c
> index 43a26ec69a8e3..8b2e0d433aea2 100644
> --- a/tools/testing/selftests/bpf/prog_tests/fs_kfuncs.c
> +++ b/tools/testing/selftests/bpf/prog_tests/fs_kfuncs.c
> @@ -268,6 +269,116 @@ static void test_fsverity(void)
> remove(testfile);
> }
>
> +static void test_init_inode_xattr(void)
> +{
> + struct test_init_inode_xattr *skel = NULL;
> + int fd = -1, err;
> + char value_out[64];
> + const char *testfile_new = "/tmp/test_progs_fs_kfuncs_new";
> +
> + skel = test_init_inode_xattr__open_and_load();
> + if (!ASSERT_OK_PTR(skel, "test_init_inode_xattr__open_and_load"))
> + return;
> +
> + skel->bss->monitored_pid = getpid();
> + err = test_init_inode_xattr__attach(skel);
> + if (!ASSERT_OK(err, "test_init_inode_xattr__attach"))
> + goto out;
> +
> + /* Trigger inode_init_security */
> + fd = open(testfile_new, O_CREAT | O_RDWR, 0644);
[Severity: Medium]
Since this test runs as root and uses predictable paths in /tmp/, can this
allow an attacker to place a symlink to overwrite arbitrary system files?
Additionally, if a previous run leaves the file behind (e.g., via panic or
early abort), open(O_CREAT) without O_EXCL will open the existing file
instead of creating a new one. This bypasses the inode_init_security hook
entirely, which can cause the test's assertions on init_result to fail
spuriously.
Would it be better to add O_EXCL to the open() flags or unlink the file
before opening?
> + if (!ASSERT_GE(fd, 0, "create_file"))
> + goto out;
[ ... ]
> +static void test_init_inode_xattr_slot_limit(void)
> +{
> + struct test_init_inode_xattr *skel[INIT_INODE_XATTR_MAX + 1] = {};
> + struct bpf_link *link[INIT_INODE_XATTR_MAX + 1] = {};
> + const char *testfile_slot = "/tmp/test_progs_fs_kfuncs_slot";
> + int ok = 0, nospc = 0, other = 0;
> + int i, fd = -1;
> +
> + /* All programs attach successfully; there is no attach-time cap. */
> + for (i = 0; i <= INIT_INODE_XATTR_MAX; i++) {
> + skel[i] = test_init_inode_xattr__open_and_load();
> + if (!ASSERT_OK_PTR(skel[i], "open_and_load"))
> + goto out;
> +
> + skel[i]->bss->monitored_pid = getpid();
> +
> + link[i] = bpf_program__attach_lsm(skel[i]->progs.test_init_inode_xattr);
> + if (!ASSERT_OK_PTR(link[i], "attach"))
> + goto out;
> + }
> +
> + /* Trigger inode_init_security once with all programs attached. */
> + fd = open(testfile_slot, O_CREAT | O_RDWR, 0644);
[Severity: Medium]
Will this test reliably fail on filesystems like ext4?
The test attaches 5 identical BPF programs to inode_init_security, which all
attempt to add an xattr with the exact same name (bpf.test_label).
On ext4, ext4_initxattrs() passes the XATTR_CREATE flag to
ext4_xattr_set_handle(), meaning the second identical xattr creation fails
with -EEXIST. This failure propagates up to the VFS, causing the open()
syscall here to fail with -EEXIST and breaking the test before it can validate
the slot limits.
Should the attached BPF programs generate unique xattr names?
(Also, similar to test_init_inode_xattr(), this open() call might benefit
from O_EXCL to prevent symlink attacks and test flakiness).
> + if (!ASSERT_GE(fd, 0, "create_file"))
> + goto out;
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260630183956.281293-1-dwindsor@gmail.com?part=3
prev parent reply other threads:[~2026-06-30 18:51 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-30 18:39 [PATCH v4 bpf-next 0/3] bpf: add bpf_init_inode_xattr kfunc for atomic inode labeling David Windsor
2026-06-30 18:39 ` [PATCH v4 bpf-next 1/3] security: pass inode_init_security xattrs via struct lsm_xattrs David Windsor
2026-06-30 18:46 ` sashiko-bot
2026-06-30 18:39 ` [PATCH v4 bpf-next 2/3] bpf: add bpf_init_inode_xattr kfunc for atomic inode labeling David Windsor
2026-06-30 18:46 ` David Windsor
2026-06-30 18:54 ` sashiko-bot
2026-07-01 22:54 ` David Windsor
2026-06-30 19:20 ` Paul Moore
2026-07-01 6:09 ` Alexei Starovoitov
2026-07-01 12:55 ` Paul Moore
2026-07-01 15:09 ` Paul Moore
2026-07-01 22:58 ` David Windsor
2026-07-01 23:21 ` Paul Moore
2026-06-30 18:39 ` [PATCH v4 bpf-next 3/3] selftests/bpf: add tests for bpf_init_inode_xattr kfunc David Windsor
2026-06-30 18:51 ` sashiko-bot [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260630185101.68F481F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=dwindsor@gmail.com \
--cc=sashiko-reviews@lists.linux.dev \
--cc=selinux@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.