From: Kumar Kartikeya Dwivedi <memxor@gmail.com>
To: bpf@vger.kernel.org
Cc: Kumar Kartikeya Dwivedi <memxor@gmail.com>,
Alexei Starovoitov <ast@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
Andrii Nakryiko <andrii@kernel.org>,
Martin KaFai Lau <kafai@fb.com>, KP Singh <kpsingh@kernel.org>,
Spencer Baugh <sbaugh@catern.com>,
Pavel Emelyanov <ovzxemul@gmail.com>,
Alexander Mihalicyn <alexander@mihalicyn.com>,
Andrei Vagin <avagin@gmail.com>,
linux-security-module@vger.kernel.org
Subject: [PATCH bpf-next v2 5/5] tools: testing: Add selftest for file local storage map
Date: Thu, 26 Aug 2021 19:09:13 +0530 [thread overview]
Message-ID: <20210826133913.627361-6-memxor@gmail.com> (raw)
In-Reply-To: <20210826133913.627361-1-memxor@gmail.com>
This adds a test case verifying that the file local storage map works as
intended. It also exercises a map value that embeds a bpf_spin_lock.
It also demonstrates how this map is supposed to function in a security
context, by e.g. restricting an operation on a single fd. This could be
used to filter ioctls, fcntls, bpf ops, etc. on a per-fd basis.
Signed-off-by: Kumar Kartikeya Dwivedi <memxor@gmail.com>
---
.../bpf/prog_tests/test_local_storage.c | 55 +++++++++++++++++++
.../selftests/bpf/progs/local_storage.c | 43 +++++++++++++++
2 files changed, 98 insertions(+)
diff --git a/tools/testing/selftests/bpf/prog_tests/test_local_storage.c b/tools/testing/selftests/bpf/prog_tests/test_local_storage.c
index d2c16eaae367..a0df0d4cdc34 100644
--- a/tools/testing/selftests/bpf/prog_tests/test_local_storage.c
+++ b/tools/testing/selftests/bpf/prog_tests/test_local_storage.c
@@ -24,6 +24,7 @@ static inline int sys_pidfd_open(pid_t pid, unsigned int flags)
static unsigned int duration;
#define TEST_STORAGE_VALUE 0xbeefdead
+#define DUMMY_STORAGE_VALUE 0xdeadbeef
struct storage {
void *inode;
@@ -111,6 +112,55 @@ static bool check_syscall_operations(int map_fd, int obj_fd)
return true;
}
+int test_file_local_storage(struct bpf_map *map)
+{
+ struct storage ls;
+ int fd, ret;
+
+ fd = open("/dev/null", O_RDONLY);
+ if (!ASSERT_GE(fd, 0, "open(/dev/null)"))
+ return -errno;
+
+ ret = fcntl(fd, F_DUPFD, 42);
+ if (!ASSERT_EQ(errno, EPERM, "fcntl should return EPERM"))
+ goto end;
+
+ ret = bpf_map_lookup_elem_flags(bpf_map__fd(map), &fd, &ls, BPF_F_LOCK);
+ if (!ASSERT_OK(ret, "bpf_map_lookup_elem for file local storage"))
+ goto end;
+
+ ASSERT_EQ(ls.value, DUMMY_STORAGE_VALUE, "file local value match");
+
+ ret = bpf_map_delete_elem(bpf_map__fd(map), &fd);
+ if (!ASSERT_OK(ret, "bpf_map_delete_elem for file local storage"))
+ goto end;
+
+ ret = bpf_map_lookup_elem_flags(bpf_map__fd(map), &fd, &ls, BPF_F_LOCK);
+ if (!ASSERT_EQ(ret, -ENOENT, "bpf_map_lookup_elem should fail"))
+ goto end;
+
+ memset(&ls, 0, sizeof(ls));
+ ls.value = DUMMY_STORAGE_VALUE;
+ ret = bpf_map_update_elem(bpf_map__fd(map), &fd, &ls, BPF_NOEXIST | BPF_F_LOCK);
+ if (!ASSERT_OK(ret, "bpf_map_update_elem for file local storage"))
+ goto end;
+
+ ret = bpf_map_lookup_elem_flags(bpf_map__fd(map), &fd, &ls, BPF_F_LOCK);
+ if (!ASSERT_OK(ret, "bpf_map_lookup_elem for file local storage"))
+ goto end;
+
+ close(fd);
+
+ ret = bpf_map_lookup_elem_flags(bpf_map__fd(map), &fd, &ls, BPF_F_LOCK);
+ if (!ASSERT_EQ(ret, -EBADF, "bpf_map_lookup_elem should fail"))
+ return -EINVAL;
+
+ return 0;
+end:
+ close(fd);
+ return ret;
+}
+
void test_test_local_storage(void)
{
char tmp_dir_path[] = "/tmp/local_storageXXXXXX";
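Review bot: The fcntl() check in test_file_local_storage inspects errno without first checking that the call failed, so a kernel where the lsm/file_fcntl program does not deny the request could leave a stale errno and, on success, leak the duplicated descriptor; on the `goto end` path `ret` is also whatever fcntl returned (0 or a new fd), so the caller's ASSERT_OK would see success. I would change the check to `if (!ASSERT_EQ(ret, -1, "fcntl should fail") || !ASSERT_EQ(errno, EPERM, "fcntl should return EPERM")) { ret = -EINVAL; goto end; }`. The helper is only used from this file, so it should also be declared `static int test_file_local_storage(struct bpf_map *map)` to avoid a missing-prototype warning. The -ENOENT/-EBADF comparisons assume libbpf returns errors directly (strict mode) rather than -1 with errno; that looks to be the case for test_progs but is worth confirming.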
@@ -167,6 +217,11 @@ void test_test_local_storage(void)
/* Set the process being monitored to be the current process */
skel->bss->monitored_pid = getpid();
+ /* Test file local storage */
+ err = test_file_local_storage(skel->maps.file_storage_map);
+ if (!ASSERT_OK(err, "test_file_local_storage"))
+ goto close_prog_rmdir;
+
/* Move copy_of_rm to a new location so that it triggers the
* inode_rename LSM hook with a new_dentry that has a NULL inode ptr.
*/
diff --git a/tools/testing/selftests/bpf/progs/local_storage.c b/tools/testing/selftests/bpf/progs/local_storage.c
index 95868bc7ada9..0ea04bd803f1 100644
--- a/tools/testing/selftests/bpf/progs/local_storage.c
+++ b/tools/testing/selftests/bpf/progs/local_storage.c
@@ -44,6 +44,13 @@ struct {
__type(value, struct local_storage);
} task_storage_map SEC(".maps");
+struct {
+ __uint(type, BPF_MAP_TYPE_FILE_STORAGE);
+ __uint(map_flags, BPF_F_NO_PREALLOC);
+ __type(key, int);
+ __type(value, struct local_storage);
+} file_storage_map SEC(".maps");
+
SEC("lsm/inode_unlink")
int BPF_PROG(unlink_hook, struct inode *dir, struct dentry *victim)
{
@@ -181,3 +188,39 @@ void BPF_PROG(exec, struct linux_binprm *bprm)
storage->value = DUMMY_STORAGE_VALUE;
bpf_spin_unlock(&storage->lock);
}
+
+SEC("lsm/file_open")
+int BPF_PROG(file_open, struct file *file)
+{
+ __u32 pid = bpf_get_current_pid_tgid() >> 32;
+ struct local_storage *storage;
+
+ if (pid != monitored_pid)
+ return 0;
+
+ storage = bpf_file_storage_get(&file_storage_map, file, 0,
+ BPF_LOCAL_STORAGE_GET_F_CREATE);
+ if (!storage)
+ return 0;
+ bpf_spin_lock(&storage->lock);
+ storage->value = DUMMY_STORAGE_VALUE;
+ bpf_spin_unlock(&storage->lock);
+
+ return 0;
+}
+
+SEC("lsm/file_fcntl")
+int BPF_PROG(file_fcntl, struct file *file, unsigned int cmd, unsigned long arg)
+{
+ __u32 pid = bpf_get_current_pid_tgid() >> 32;
+ struct local_storage *storage;
+
+ if (pid != monitored_pid)
+ return 0;
+
+ storage = bpf_file_storage_get(&file_storage_map, file, 0,
+ BPF_LOCAL_STORAGE_GET_F_CREATE);
+ if (storage)
+ return -EPERM;
+ return 0;
+}
--
2.33.0