From: Blaise Boscaccy <bboscaccy@linux.microsoft.com>
To: Song Liu <song@kernel.org>
Cc: Paul Moore <paul@paul-moore.com>,
	James Morris <jmorris@namei.org>,
	"Serge E. Hallyn" <serge@hallyn.com>,
	Alexei Starovoitov <ast@kernel.org>,
	Daniel Borkmann <daniel@iogearbox.net>,
	John Fastabend <john.fastabend@gmail.com>,
	Andrii Nakryiko <andrii@kernel.org>,
	Martin KaFai Lau <martin.lau@linux.dev>,
	Eduard Zingerman <eddyz87@gmail.com>,
	Yonghong Song <yonghong.song@linux.dev>,
	KP Singh <kpsingh@kernel.org>,
	Stanislav Fomichev <sdf@fomichev.me>, Hao Luo <haoluo@google.com>,
	Jiri Olsa <jolsa@kernel.org>,
	Stephen Smalley <stephen.smalley.work@gmail.com>,
	Ondrej Mosnacek <omosnace@redhat.com>,
	Mykola Lysenko <mykolal@fb.com>, Shuah Khan <shuah@kernel.org>,
	Kumar Kartikeya Dwivedi <memxor@gmail.com>,
	Matt Bobrowski <mattbobrowski@google.com>,
	Xu Kuohai <xukuohai@huawei.com>,
	linux-kernel@vger.kernel.org,
	linux-security-module@vger.kernel.org, bpf@vger.kernel.org,
	selinux@vger.kernel.org, linux-kselftest@vger.kernel.org
Subject: Re: [PATCH v6 bpf-next 2/2] selftests/bpf: Add a kernel flag test for LSM bpf hook
Date: Mon, 10 Mar 2025 11:11:32 -0700
Message-ID: <87senkycvf.fsf@microsoft.com>
In-Reply-To: <CAPhsuW41zvcSK8exRT6Ui1jyQ=OhD8BAdV6bU4nhGQGfV14+Cw@mail.gmail.com>

Song Liu <song@kernel.org> writes:

> On Mon, Mar 10, 2025 at 10:43 AM Blaise Boscaccy
> <bboscaccy@linux.microsoft.com> wrote:
>>
>> Song Liu <song@kernel.org> writes:
>>
>> > On Fri, Mar 7, 2025 at 5:33 PM Blaise Boscaccy
>> > <bboscaccy@linux.microsoft.com> wrote:
>> >>
>> >> This test exercises the kernel flag added to security_bpf by
>> >> effectively blocking light-skeletons from loading while allowing
>> >> normal skeletons to function as-is. Since this should work with any
>> >> arbitrary BPF program, an existing program from LSKELS_EXTRA was
>> >> used as a test payload.
>> >>
>> >> Signed-off-by: Blaise Boscaccy <bboscaccy@linux.microsoft.com>
>> >> ---
>> >>  .../selftests/bpf/prog_tests/kernel_flag.c    | 43 +++++++++++++++++++
>> >>  .../selftests/bpf/progs/test_kernel_flag.c    | 28 ++++++++++++
>> >>  2 files changed, 71 insertions(+)
>> >>  create mode 100644 tools/testing/selftests/bpf/prog_tests/kernel_flag.c
>> >>  create mode 100644 tools/testing/selftests/bpf/progs/test_kernel_flag.c
>> >>
>> >> diff --git a/tools/testing/selftests/bpf/prog_tests/kernel_flag.c b/tools/testing/selftests/bpf/prog_tests/kernel_flag.c
>> >> new file mode 100644
>> >> index 0000000000000..479ad5de3737e
>> >> --- /dev/null
>> >> +++ b/tools/testing/selftests/bpf/prog_tests/kernel_flag.c
>> >> @@ -0,0 +1,43 @@
>> >> +// SPDX-License-Identifier: GPL-2.0
>> >> +/* Copyright (c) 2025 Microsoft */
>> >> +#include <test_progs.h>
>> >> +#include "kfunc_call_test.skel.h"
>> >> +#include "kfunc_call_test.lskel.h"
>> >> +#include "test_kernel_flag.skel.h"
>> >> +
>> >> +void test_kernel_flag(void)
>> >> +{
>> >> +       struct test_kernel_flag *lsm_skel;
>> >> +       struct kfunc_call_test *skel = NULL;
>> >> +       struct kfunc_call_test_lskel *lskel = NULL;
>> >> +       int ret;
>> >> +
>> >> +       lsm_skel = test_kernel_flag__open_and_load();
>> >> +       if (!ASSERT_OK_PTR(lsm_skel, "lsm_skel"))
>> >> +               return;
>> >> +
>> >> +       ret = test_kernel_flag__attach(lsm_skel);
>> >> +       if (!ASSERT_OK(ret, "test_kernel_flag__attach"))
>> >> +               goto close_prog;
>> >> +
>> >> +       lsm_skel->bss->monitored_pid = getpid();
>> >
>> > We usually set monitored_pid before attaching the program.
>> >
>>
>> Okay, copy that.
>>
>> >> +
>> >> +       /* Test with skel. This should pass the gatekeeper */
>> >> +       skel = kfunc_call_test__open_and_load();
>> >> +       if (!ASSERT_OK_PTR(skel, "skel"))
>> >> +               goto close_prog;
>> >> +
>> >> +       /* Test with lskel. This should fail due to blocking kernel-based bpf() invocations */
>> >> +       lskel = kfunc_call_test_lskel__open_and_load();
>> >> +       if (!ASSERT_ERR_PTR(lskel, "lskel"))
>> >> +               goto close_prog;
>> >> +
>> >> +close_prog:
>> >> +       if (skel)
>> >> +               kfunc_call_test__destroy(skel);
>> >> +       if (lskel)
>> >> +               kfunc_call_test_lskel__destroy(lskel);
>> >> +
>> >> +       lsm_skel->bss->monitored_pid = 0;
>> >> +       test_kernel_flag__destroy(lsm_skel);
>> >> +}
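Review bot: `ASSERT_ERR_PTR(lskel, "lskel")` accepts any failure of `kfunc_call_test_lskel__open_and_load()`, so the test cannot tell the gatekeeper rejecting the load apart from an unrelated load error (a missing kfunc, a verifier rejection); recording the error left by the failed load (errno right after the call) and asserting it equals the value the LSM program returns would pin the test to the behaviour it is meant to check. Separately, `lsm_skel->bss->monitored_pid = getpid();` is written after `test_kernel_flag__attach()`, so the hook is live for a window with `monitored_pid == 0`; moving the assignment above the attach, as already suggested, matches the rest of the suite and closes that window.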
>> >> diff --git a/tools/testing/selftests/bpf/progs/test_kernel_flag.c b/tools/testing/selftests/bpf/progs/test_kernel_flag.c
>> >> new file mode 100644
>> >> index 0000000000000..9ca01aadb6656
>> >> --- /dev/null
>> >> +++ b/tools/testing/selftests/bpf/progs/test_kernel_flag.c
>> >> @@ -0,0 +1,28 @@
>> >> +// SPDX-License-Identifier: GPL-2.0
>> >> +
>> >> +/*
>> >> + * Copyright (C) 2025 Microsoft Corporation
>> >> + *
>> >> + * Author: Blaise Boscaccy <bboscaccy@linux.microsoft.com>
>> >> + */
>> >> +
>> >> +#include "vmlinux.h"
>> >> +#include <errno.h>
>> >> +#include <bpf/bpf_helpers.h>
>> >> +#include <bpf/bpf_tracing.h>
>> >> +
>> >> +char _license[] SEC("license") = "GPL";
>> >> +
>> >> +__u32 monitored_pid;
>> >> +
>> >> +SEC("lsm.s/bpf")
>> >> +int BPF_PROG(bpf, int cmd, union bpf_attr *attr, unsigned int size, bool kernel)
>> >> +{
>> >> +       __u32 pid;
>> >> +
>> >> +       pid = bpf_get_current_pid_tgid() >> 32;
>> >> +       if (!kernel || pid != monitored_pid)
>> >> +               return 0;
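Review bot: `pid` takes the upper 32 bits of `bpf_get_current_pid_tgid()`, i.e. the tgid, so `pid != monitored_pid` filters per process, not per thread. That is what `getpid()` on the user-space side expects, but it also means any other thread of the same process that loads a light skeleton while this program is attached is denied too, which is the parallel-run concern raised below; matching the lower 32 bits (the tid, paired with `gettid()` in the test) would scope the denial to the test thread alone. The quoted hunk also stops at the `return 0;` pass-through, so the deny value the program returns, which the user-space assertion depends on, is not visible in this excerpt.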
>> >
>> > We are blocking lskel load for the pid. This could make
>> > parallel testing (test_progs -j) flaky. We should probably
>> > change the logic to filtering on monitored_tid.
>> >
>>
>> Curious on this for my own edification. The
>>
>> pid = bpf_get_current_pid_tgid() >> 32;
>>
>> is used extensively in the current test suite in a bunch of other
>> tests. Why does that not cause an issue with the other tests during
>> parallel testing?
>
> We are blindly blocking all security_bpf() with kernel=true here, so
> any lskel load in parallel with this test may fail. On the other hand,
> existing tests only block some operations under certain conditions.
> For example, test_cgroup1_hierarchy.c only blocks operations for
> target_ancestor_cgid.
>
> Does this make sense?
>

Not quite. This is only blocking security_bpf where kernel=true and
pid=monitored_pid. 


> Thanks,
> Song
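As an added example that is not part of this thread or of the patch: a user-space C model of the hook's pass-through condition, written so the pid-versus-tid filtering question discussed above can be checked on constructed events without a kernel. It assumes only the bit layout of bpf_get_current_pid_tgid() (tgid in the upper 32 bits, tid in the lower 32) and assumes -EPERM as the deny value, since the quoted hunk stops before the deny path; the event list, MONITORED_TGID/MONITORED_TID and the function names are illustrative, not from the patch.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for bpf_get_current_pid_tgid(): tgid in the
 * upper 32 bits, tid in the lower 32 bits, as the helper packs them. */
#define PID_TGID(tgid, tid) (((uint64_t)(tgid) << 32) | (uint32_t)(tid))

enum filter_by { FILTER_PID, FILTER_TID };

/* One security_bpf() invocation as the hook sees it. */
struct bpf_event {
	const char *what;   /* description of the constructed event */
	bool kernel;        /* bpf() issued from kernel context (light skeleton loader) */
	uint64_t pid_tgid;  /* value bpf_get_current_pid_tgid() would return */
};

/* Hook decision: 0 allows, -EPERM denies (the deny value is an assumption,
 * the quoted hunk ends before the deny path). FILTER_PID mirrors the quoted
 * program (tgid compared against monitored_pid); FILTER_TID is the
 * per-thread variant discussed in the thread. */
static int gatekeeper(const struct bpf_event *ev, enum filter_by f, uint32_t monitored)
{
	uint32_t id = (f == FILTER_PID) ? (uint32_t)(ev->pid_tgid >> 32)
					: (uint32_t)(ev->pid_tgid & 0xffffffffu);

	if (!ev->kernel || id != monitored)
		return 0;
	return -EPERM;
}

/* Constructed events (illustrative ids): the test thread is tgid 1000 /
 * tid 1000, a sibling thread of the same process is tid 1001, and an
 * unrelated process is tgid 2000. */
#define MONITORED_TGID 1000u
#define MONITORED_TID  1000u

static const struct bpf_event events[] = {
	{ "test thread, normal skeleton (user-space bpf())", false, PID_TGID(1000, 1000) },
	{ "test thread, light skeleton (kernel bpf())",      true,  PID_TGID(1000, 1000) },
	{ "sibling thread, light skeleton",                  true,  PID_TGID(1000, 1001) },
	{ "other process, light skeleton",                   true,  PID_TGID(2000, 2000) },
};

#define NEVENTS (sizeof(events) / sizeof(events[0]))

/* Run every constructed event through the hook under one filter and
 * return how many loads it denies. */
static int count_denied(enum filter_by f)
{
	uint32_t monitored = (f == FILTER_PID) ? MONITORED_TGID : MONITORED_TID;
	int denied = 0;
	size_t i;

	for (i = 0; i < NEVENTS; i++)
		if (gatekeeper(&events[i], f, monitored) != 0)
			denied++;
	return denied;
}

int main(void)
{
	size_t i;

	for (i = 0; i < NEVENTS; i++)
		printf("%-50s pid-filter=%-5s tid-filter=%s\n", events[i].what,
		       gatekeeper(&events[i], FILTER_PID, MONITORED_TGID) ? "deny" : "allow",
		       gatekeeper(&events[i], FILTER_TID, MONITORED_TID) ? "deny" : "allow");
	printf("denied: pid-filter=%d tid-filter=%d\n",
	       count_denied(FILTER_PID), count_denied(FILTER_TID));
	return 0;
}
```

Only the sibling-thread event separates the two variants: the tgid filter denies it along with the test thread's own light-skeleton load, while the tid filter lets it through and denies only the monitored thread. Normal skeletons (kernel == false) and unrelated processes pass under both.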


Thread overview: 9+ messages
2025-03-08  1:32 [PATCH v6 bpf-next 0/2] security: Propagate caller information in bpf hooks Blaise Boscaccy
2025-03-08  1:32 ` [PATCH v6 bpf-next 1/2] " Blaise Boscaccy
2025-03-10 16:31   ` [PATCH v6 " Paul Moore
2025-03-08  1:32 ` [PATCH v6 bpf-next 2/2] selftests/bpf: Add a kernel flag test for LSM bpf hook Blaise Boscaccy
2025-03-10 17:23   ` Song Liu
2025-03-10 17:43     ` Blaise Boscaccy
2025-03-10 17:56       ` Song Liu
2025-03-10 18:11         ` Blaise Boscaccy [this message]
2025-03-10 18:20           ` Song Liu
