From: Blaise Boscaccy <bboscaccy@linux.microsoft.com>
To: "Jonathan Corbet" <corbet@lwn.net>,
"David Howells" <dhowells@redhat.com>,
"Herbert Xu" <herbert@gondor.apana.org.au>,
"David S. Miller" <davem@davemloft.net>,
"Paul Moore" <paul@paul-moore.com>,
"James Morris" <jmorris@namei.org>,
"Serge E. Hallyn" <serge@hallyn.com>,
"Masahiro Yamada" <masahiroy@kernel.org>,
"Nathan Chancellor" <nathan@kernel.org>,
"Nicolas Schier" <nicolas@fjasle.eu>,
"Shuah Khan" <shuah@kernel.org>,
"Mickaël Salaün" <mic@digikod.net>,
"Günther Noack" <gnoack@google.com>,
"Nick Desaulniers" <nick.desaulniers+lkml@gmail.com>,
"Bill Wendling" <morbo@google.com>,
"Justin Stitt" <justinstitt@google.com>,
"Blaise Boscaccy" <bboscaccy@linux.microsoft.com>,
"Jarkko Sakkinen" <jarkko@kernel.org>,
"Jan Stancek" <jstancek@redhat.com>,
"Neal Gompa" <neal@gompa.dev>,
linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org,
keyrings@vger.kernel.org, linux-crypto@vger.kernel.org,
linux-security-module@vger.kernel.org,
linux-kbuild@vger.kernel.org, linux-kselftest@vger.kernel.org,
bpf@vger.kernel.org, llvm@lists.linux.dev, nkapron@google.com,
teknoraver@meta.com, roberto.sassu@huawei.com,
xiyou.wangcong@gmail.com
Subject: [PATCH v2 security-next 4/4] selftests/hornet: Add a selftest for the Hornet LSM
Date: Fri, 4 Apr 2025 14:54:53 -0700 [thread overview]
Message-ID: <20250404215527.1563146-5-bboscaccy@linux.microsoft.com> (raw)
In-Reply-To: <20250404215527.1563146-1-bboscaccy@linux.microsoft.com>
This selftest contains a testcase that utilizes light skeleton eBPF
loaders. One version of the light skeleton is signed with the
autogenerated module signing key, another is not. A test driver
attempts to load the programs. With Hornet enabled, the signed version
should successfully be loaded, and the unsigned version should fail.
Signed-off-by: Blaise Boscaccy <bboscaccy@linux.microsoft.com>
---
tools/testing/selftests/Makefile | 1 +
tools/testing/selftests/hornet/Makefile | 51 ++++++++++++++++++++
tools/testing/selftests/hornet/loader.c | 21 ++++++++
tools/testing/selftests/hornet/trivial.bpf.c | 33 +++++++++++++
4 files changed, 106 insertions(+)
create mode 100644 tools/testing/selftests/hornet/Makefile
create mode 100644 tools/testing/selftests/hornet/loader.c
create mode 100644 tools/testing/selftests/hornet/trivial.bpf.c
diff --git a/tools/testing/selftests/Makefile b/tools/testing/selftests/Makefile
index 8daac70c2f9d..fce32ee4de32 100644
--- a/tools/testing/selftests/Makefile
+++ b/tools/testing/selftests/Makefile
@@ -41,6 +41,7 @@ TARGETS += ftrace
TARGETS += futex
TARGETS += gpio
TARGETS += hid
+TARGETS += hornet
TARGETS += intel_pstate
TARGETS += iommu
TARGETS += ipc
diff --git a/tools/testing/selftests/hornet/Makefile b/tools/testing/selftests/hornet/Makefile
new file mode 100644
index 000000000000..93da70f41d40
--- /dev/null
+++ b/tools/testing/selftests/hornet/Makefile
@@ -0,0 +1,51 @@
+# SPDX-License-Identifier: GPL-2.0
+include ../../../build/Build.include
+include ../../../scripts/Makefile.arch
+include ../../../scripts/Makefile.include
+
+CLANG ?= clang
+CFLAGS := -g -O2 -Wall
+BPFTOOL ?= bpftool
+SCRIPTSDIR := $(abspath ../../../../scripts/hornet)
+TOOLSDIR := $(abspath ../../..)
+LIBDIR := $(TOOLSDIR)/lib
+BPFDIR := $(LIBDIR)/bpf
+TOOLSINCDIR := $(TOOLSDIR)/include
+APIDIR := $(TOOLSINCDIR)/uapi
+CERTDIR := $(abspath ../../../../certs)
+
+TEST_GEN_PROGS_EXTENDED := loader
+TEST_GEN_PROGS := signed_loader
+TEST_PROGS := fail_loader
+TEST_GEN_FILES := vmlinux.h loader.h trivial.bin trivial.bpf.o
+$(TEST_GEN_PROGS): LDLIBS += -lbpf
+$(TEST_GEN_PROGS): $(TEST_GEN_FILES)
+
+include ../lib.mk
+
+BPF_CFLAGS := -target bpf \
+ -D__TARGET_ARCH_$(ARCH) \
+ -I/usr/include/$(shell uname -m)-linux-gnu \
+ $(KHDR_INCLUDES)
+vmlinux.h:
+ $(BPFTOOL) btf dump file /sys/kernel/btf/vmlinux format c > vmlinux.h
+
+trivial.bpf.o: trivial.bpf.c vmlinux.h
+ $(CLANG) $(CFLAGS) $(BPF_CFLAGS) -c $< -o $@
+
+loader.h: trivial.bpf.o
+ $(BPFTOOL) gen skeleton -L $< name trivial > $@
+
+trivial.bin: loader.h
+ $(SCRIPTSDIR)/extract-skel.sh $< $@
+
+loader: loader.c loader.h
+ $(CC) $(CFLAGS) -I$(LIBDIR) -I$(APIDIR) $< -o $@ -lbpf
+
+fail_loader: fail_loader.c loader.h
+ $(CC) $(CFLAGS) -I$(LIBDIR) -I$(APIDIR) $< -o $@ -lbpf
+
+signed_loader: trivial.bin loader fail_loader
+ $(SCRIPTSDIR)/sign-ebpf sha256 $(CERTDIR)/signing_key.pem $(CERTDIR)/signing_key.x509 \
+ trivial.bin loader signed_loader
+ chmod u+x $@
diff --git a/tools/testing/selftests/hornet/loader.c b/tools/testing/selftests/hornet/loader.c
new file mode 100644
index 000000000000..9a43bb012d1b
--- /dev/null
+++ b/tools/testing/selftests/hornet/loader.c
@@ -0,0 +1,21 @@
+// SPDX-License-Identifier: GPL-2.0 OR BSD-3-Clause
+
+#include <stdio.h>
+#include <unistd.h>
+#include <stddef.h>
+#include <sys/resource.h>
+#include <bpf/libbpf.h>
+#include <errno.h>
+#include "loader.h"
+
+int main(int argc, char **argv)
+{
+ struct trivial *skel;
+
+ skel = trivial__open_and_load();
+ if (!skel)
+ return -1;
+
+ trivial__destroy(skel);
+ return 0;
+}
diff --git a/tools/testing/selftests/hornet/trivial.bpf.c b/tools/testing/selftests/hornet/trivial.bpf.c
new file mode 100644
index 000000000000..d38c5b53ff93
--- /dev/null
+++ b/tools/testing/selftests/hornet/trivial.bpf.c
@@ -0,0 +1,33 @@
+// SPDX-License-Identifier: GPL-2.0 OR BSD-3-Clause
+
+#include "vmlinux.h"
+
+#include <bpf/bpf_helpers.h>
+#include <bpf/bpf_tracing.h>
+#include <bpf/bpf_core_read.h>
+
+char LICENSE[] SEC("license") = "Dual BSD/GPL";
+
+int monitored_pid = 0;
+
+SEC("tracepoint/syscalls/sys_enter_unlinkat")
+int handle_enter_unlink(struct trace_event_raw_sys_enter *ctx)
+{
+ char filename[128] = { 0 };
+ struct task_struct *task;
+ unsigned long start_time = 0;
+ int pid = bpf_get_current_pid_tgid() >> 32;
+ char *pathname_ptr = (char *) BPF_CORE_READ(ctx, args[1]);
+
+ bpf_probe_read_str(filename, sizeof(filename), pathname_ptr);
+ task = (struct task_struct *)bpf_get_current_task();
+ start_time = BPF_CORE_READ(task, start_time);
+
+ bpf_printk("BPF triggered unlinkat by PID: %d, start_time %ld. pathname = %s",
+ pid, start_time, filename);
+
+ if (monitored_pid == pid)
+ bpf_printk("target pid found");
+
+ return 0;
+}
--
2.48.1
prev parent reply other threads:[~2025-04-04 21:56 UTC|newest]
Thread overview: 38+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-04-04 21:54 [PATCH v2 security-next 0/4] Introducing Hornet LSM Blaise Boscaccy
2025-04-04 21:54 ` [PATCH v2 security-next 1/4] security: " Blaise Boscaccy
2025-04-06 4:27 ` kernel test robot
2025-04-06 20:42 ` kernel test robot
2025-04-11 19:09 ` Tyler Hicks
2025-04-14 20:11 ` Blaise Boscaccy
2025-04-11 23:16 ` [PATCH v2 " Paul Moore
2025-04-14 20:46 ` Blaise Boscaccy
2025-04-15 1:37 ` Paul Moore
2025-04-12 0:09 ` [PATCH v2 security-next " Alexei Starovoitov
2025-04-12 0:29 ` Matteo Croce
2025-04-12 0:57 ` Alexei Starovoitov
2025-04-12 14:11 ` Blaise Boscaccy
2025-04-12 13:57 ` Blaise Boscaccy
2025-04-14 16:08 ` Paul Moore
2025-04-14 20:56 ` Alexei Starovoitov
2025-04-15 0:32 ` Blaise Boscaccy
2025-04-15 1:38 ` Alexei Starovoitov
2025-04-15 15:45 ` Blaise Boscaccy
2025-04-15 19:08 ` Blaise Boscaccy
2025-04-19 16:21 ` Paul Moore
2025-04-15 21:48 ` Alexei Starovoitov
2025-04-16 17:31 ` Blaise Boscaccy
2025-04-21 20:12 ` Alexei Starovoitov
2025-04-21 22:03 ` Paul Moore
2025-04-21 23:48 ` Alexei Starovoitov
2025-04-22 2:38 ` Paul Moore
2025-04-23 14:12 ` James Bottomley
2025-04-23 15:10 ` Paul Moore
2025-04-24 23:41 ` Alexei Starovoitov
2025-04-25 14:06 ` James Bottomley
2025-04-25 21:44 ` Blaise Boscaccy
2025-04-19 18:43 ` James Bottomley
2025-04-21 18:52 ` Paul Moore
2025-04-21 19:03 ` James Bottomley
2025-04-04 21:54 ` [PATCH v2 security-next 2/4] hornet: Introduce sign-ebpf Blaise Boscaccy
2025-04-04 21:54 ` [PATCH v2 security-next 3/4] hornet: Add a light skeleton data extractor script Blaise Boscaccy
2025-04-04 21:54 ` Blaise Boscaccy [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250404215527.1563146-5-bboscaccy@linux.microsoft.com \
--to=bboscaccy@linux.microsoft.com \
--cc=bpf@vger.kernel.org \
--cc=corbet@lwn.net \
--cc=davem@davemloft.net \
--cc=dhowells@redhat.com \
--cc=gnoack@google.com \
--cc=herbert@gondor.apana.org.au \
--cc=jarkko@kernel.org \
--cc=jmorris@namei.org \
--cc=jstancek@redhat.com \
--cc=justinstitt@google.com \
--cc=keyrings@vger.kernel.org \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kbuild@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=llvm@lists.linux.dev \
--cc=masahiroy@kernel.org \
--cc=mic@digikod.net \
--cc=morbo@google.com \
--cc=nathan@kernel.org \
--cc=neal@gompa.dev \
--cc=nick.desaulniers+lkml@gmail.com \
--cc=nicolas@fjasle.eu \
--cc=nkapron@google.com \
--cc=paul@paul-moore.com \
--cc=roberto.sassu@huawei.com \
--cc=serge@hallyn.com \
--cc=shuah@kernel.org \
--cc=teknoraver@meta.com \
--cc=xiyou.wangcong@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).