Re: [PATCH v3 bpf-next 2/3] selftests/bpf: add negative tests for new VFS based BPF kfuncs

[Matt Bobrowski <mattbobrowski@google.com>]

On Fri, Jul 26, 2024 at 04:38:32PM -0700, Song Liu wrote:
> On Fri, Jul 26, 2024 at 1:56 AM Matt Bobrowski <mattbobrowski@google.com> wrote:
> >
> > Add a bunch of negative selftests responsible for asserting that the
> > BPF verifier successfully rejects a BPF program load when the
> > underlying BPF program misuses one of the newly introduced VFS based
> > BPF kfuncs.
> 
> Negative tests are great. Thanks for adding them.
> 
> A few nitpicks below.

Thanks for the review!

> > diff --git a/tools/testing/selftests/bpf/bpf_experimental.h b/tools/testing/selftests/bpf/bpf_experimental.h
> > index 828556cdc2f0..8a1ed62b4ed1 100644
> > --- a/tools/testing/selftests/bpf/bpf_experimental.h
> > +++ b/tools/testing/selftests/bpf/bpf_experimental.h
> > @@ -195,6 +195,32 @@ extern void bpf_iter_task_vma_destroy(struct bpf_iter_task_vma *it) __ksym;
> >   */
> >  extern void bpf_throw(u64 cookie) __ksym;
> >
> > +/* Description
> > + *     Acquire a reference on the exe_file member field belonging to the
> > + *     mm_struct that is nested within the supplied task_struct. The supplied
> > + *     task_struct must be trusted/referenced.
> > + * Returns
> > + *     A referenced file pointer pointing to the exe_file member field of the
> > + *     mm_struct nested in the supplied task_struct, or NULL.
> > + */
> > +extern struct file *bpf_get_task_exe_file(struct task_struct *task) __ksym;
> > +
> > +/* Description
> > + *     Release a reference on the supplied file. The supplied file must be
> > + *     trusted/referenced.
> 
> Probably replace "trusted/referenced" with "acquired".

Done.

> > + */
> > +extern void bpf_put_file(struct file *file) __ksym;
> > +
> > +/* Description
> > + *     Resolve a pathname for the supplied path and store it in the supplied
> > + *     buffer. The supplied path must be trusted/referenced.
> > + * Returns
> > + *     A positive integer corresponding to the length of the resolved pathname,
> > + *     including the NULL termination character, stored in the supplied
> > + *     buffer. On error, a negative integer is returned.
> > + */
> > +extern int bpf_path_d_path(struct path *path, char *buf, size_t buf__sz) __ksym;
> > +
> 
> In my environment, we already have these declarations in vmlinux.h.
> So maybe we don't need to add them manually?

Right, but that's probably when building vmlinux.h using the latest
pahole I imagine? Those not using the latest pahole will probably
won't already see these BPF kfuncs within the generated vmlinux.h.

> >  /* This macro must be used to mark the exception callback corresponding to the
> >   * main program. For example:
> >   *
> > diff --git a/tools/testing/selftests/bpf/prog_tests/verifier.c b/tools/testing/selftests/bpf/prog_tests/verifier.c
> > index 67a49d12472c..14d74ba2188e 100644
> > --- a/tools/testing/selftests/bpf/prog_tests/verifier.c
> > +++ b/tools/testing/selftests/bpf/prog_tests/verifier.c
> > @@ -85,6 +85,7 @@
> >  #include "verifier_value_or_null.skel.h"
> >  #include "verifier_value_ptr_arith.skel.h"
> >  #include "verifier_var_off.skel.h"
> > +#include "verifier_vfs_reject.skel.h"
> >  #include "verifier_xadd.skel.h"
> >  #include "verifier_xdp.skel.h"
> >  #include "verifier_xdp_direct_packet_access.skel.h"
> > @@ -205,6 +206,7 @@ void test_verifier_value(void)                { RUN(verifier_value); }
> >  void test_verifier_value_illegal_alu(void)    { RUN(verifier_value_illegal_alu); }
> >  void test_verifier_value_or_null(void)        { RUN(verifier_value_or_null); }
> >  void test_verifier_var_off(void)              { RUN(verifier_var_off); }
> > +void test_verifier_vfs_reject(void)          { RUN(verifier_vfs_reject); }
> >  void test_verifier_xadd(void)                 { RUN(verifier_xadd); }
> >  void test_verifier_xdp(void)                  { RUN(verifier_xdp); }
> >  void test_verifier_xdp_direct_packet_access(void) { RUN(verifier_xdp_direct_packet_access); }
> > diff --git a/tools/testing/selftests/bpf/progs/verifier_vfs_reject.c b/tools/testing/selftests/bpf/progs/verifier_vfs_reject.c
> > new file mode 100644
> > index 000000000000..27666a8ef78a
> > --- /dev/null
> > +++ b/tools/testing/selftests/bpf/progs/verifier_vfs_reject.c
> > @@ -0,0 +1,196 @@
> > +// SPDX-License-Identifier: GPL-2.0
> > +/* Copyright (c) 2024 Google LLC. */
> > +
> > +#include <vmlinux.h>
> > +#include <bpf/bpf_helpers.h>
> > +#include <bpf/bpf_tracing.h>
> > +#include <linux/limits.h>
> > +
> > +#include "bpf_misc.h"
> > +#include "bpf_experimental.h"
> > +
> > +static char buf[PATH_MAX];
> > +
> > +SEC("lsm.s/file_open")
> > +__failure __msg("Possibly NULL pointer passed to trusted arg0")
> > +int BPF_PROG(get_task_exe_file_kfunc_null)
> > +{
> > +       struct file *acquired;
> > +
> > +       /* Can't pass a NULL pointer to bpf_get_task_exe_file(). */
> > +       acquired = bpf_get_task_exe_file(NULL);
> > +       if (!acquired)
> > +               return 0;
> > +
> > +       bpf_put_file(acquired);
> > +       return 0;
> > +}
> > +
> > +SEC("lsm.s/inode_getxattr")
> > +__failure __msg("arg#0 pointer type STRUCT task_struct must point to scalar, or struct with scalar")
> > +int BPF_PROG(get_task_exe_file_kfunc_fp)
> > +{
> > +       u64 x;
> > +       struct file *acquired;
> > +       struct task_struct *fp;
> 
> "fp" is a weird name for a task_struct pointer.

OK, just want to make it clear that it was a pointer to something that
exists on the current stack frame. Happy to change the name to task or
something. Done.

> Other than these:
> 
> Acked-by: Song Liu <song@kernel.org>
> 
> > +
> > +       fp = (struct task_struct *)&x;
> > +       /* Can't pass random frame pointer to bpf_get_task_exe_file(). */
> > +       acquired = bpf_get_task_exe_file(fp);
> > +       if (!acquired)
> > +               return 0;
> > +
> > +       bpf_put_file(acquired);
> > +       return 0;
> > +}
> > +
> [...]
/M