Re: [PATCH v5 bpf-next 5/5] bpf/selftests: Add a selftest for bpf_getxattr

linux-security-module.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Christian Brauner <brauner@kernel.org>
To: KP Singh <kpsingh@kernel.org>
Cc: bpf@vger.kernel.org, linux-security-module@vger.kernel.org,
	linux-fsdevel@vger.kernel.org,
	Alexei Starovoitov <ast@kernel.org>,
	Daniel Borkmann <daniel@iogearbox.net>,
	Andrii Nakryiko <andrii@kernel.org>,
	Benjamin Tissoires <benjamin.tissoires@redhat.com>,
	Yosry Ahmed <yosryahmed@google.com>
Subject: Re: [PATCH v5 bpf-next 5/5] bpf/selftests: Add a selftest for bpf_getxattr
Date: Tue, 28 Jun 2022 19:33:44 +0200	[thread overview]
Message-ID: <20220628173344.h7ihvyl6vuky5xus@wittgenstein> (raw)
In-Reply-To: <20220628161948.475097-6-kpsingh@kernel.org>

On Tue, Jun 28, 2022 at 04:19:48PM +0000, KP Singh wrote:
> A simple test that adds an xattr on a copied /bin/ls and reads it back
> when the copied ls is executed.
> 
> Signed-off-by: KP Singh <kpsingh@kernel.org>
> ---
>  .../testing/selftests/bpf/prog_tests/xattr.c  | 54 +++++++++++++++++++
>  tools/testing/selftests/bpf/progs/xattr.c     | 37 +++++++++++++
>  2 files changed, 91 insertions(+)
>  create mode 100644 tools/testing/selftests/bpf/prog_tests/xattr.c
>  create mode 100644 tools/testing/selftests/bpf/progs/xattr.c
> 
> diff --git a/tools/testing/selftests/bpf/prog_tests/xattr.c b/tools/testing/selftests/bpf/prog_tests/xattr.c
> new file mode 100644
> index 000000000000..ef07fa8a1763
> --- /dev/null
> +++ b/tools/testing/selftests/bpf/prog_tests/xattr.c
> @@ -0,0 +1,54 @@
> +// SPDX-License-Identifier: GPL-2.0
> +
> +/*
> + * Copyright 2022 Google LLC.
> + */
> +
> +#include <test_progs.h>
> +#include <sys/xattr.h>
> +#include "xattr.skel.h"
> +
> +#define XATTR_NAME "security.bpf"
> +#define XATTR_VALUE "test_progs"
> +
> +void test_xattr(void)
> +{
> +	struct xattr *skel = NULL;
> +	char tmp_dir_path[] = "/tmp/xattrXXXXXX";
> +	char tmp_exec_path[64];
> +	char cmd[256];
> +	int err;
> +
> +	if (CHECK_FAIL(!mkdtemp(tmp_dir_path)))
> +		goto close_prog;
> +
> +	snprintf(tmp_exec_path, sizeof(tmp_exec_path), "%s/copy_of_ls",
> +		 tmp_dir_path);
> +	snprintf(cmd, sizeof(cmd), "cp /bin/ls %s", tmp_exec_path);
> +	if (CHECK_FAIL(system(cmd)))
> +		goto close_prog_rmdir;
> +
> +	if (CHECK_FAIL(setxattr(tmp_exec_path, XATTR_NAME, XATTR_VALUE,
> +			   sizeof(XATTR_VALUE), 0)))
> +		goto close_prog_rmdir;
> +
> +	skel = xattr__open_and_load();
> +	if (!ASSERT_OK_PTR(skel, "skel_load"))
> +		goto close_prog_rmdir;
> +
> +	err = xattr__attach(skel);
> +	if (!ASSERT_OK(err, "xattr__attach failed"))
> +		goto close_prog_rmdir;
> +
> +	snprintf(cmd, sizeof(cmd), "%s -l", tmp_exec_path);
> +	if (CHECK_FAIL(system(cmd)))
> +		goto close_prog_rmdir;
> +
> +	ASSERT_EQ(skel->bss->result, 1, "xattr result");
> +
> +close_prog_rmdir:
> +	snprintf(cmd, sizeof(cmd), "rm -rf %s", tmp_dir_path);
> +	system(cmd);
> +close_prog:
> +	xattr__destroy(skel);
> +}
> diff --git a/tools/testing/selftests/bpf/progs/xattr.c b/tools/testing/selftests/bpf/progs/xattr.c
> new file mode 100644
> index 000000000000..ccc078fb8ebd
> --- /dev/null
> +++ b/tools/testing/selftests/bpf/progs/xattr.c
> @@ -0,0 +1,37 @@
> +// SPDX-License-Identifier: GPL-2.0
> +
> +/*
> + * Copyright 2022 Google LLC.
> + */
> +
> +#include "vmlinux.h"
> +#include <bpf/bpf_helpers.h>
> +#include <bpf/bpf_tracing.h>
> +
> +char _license[] SEC("license") = "GPL";
> +
> +#define XATTR_NAME "security.bpf"
> +#define XATTR_VALUE "test_progs"
> +
> +__u64 result = 0;
> +
> +extern ssize_t bpf_getxattr(struct dentry *dentry, struct inode *inode,
> +			    const char *name, void *value, int size) __ksym;
> +
> +SEC("lsm.s/bprm_committed_creds")
> +void BPF_PROG(bprm_cc, struct linux_binprm *bprm)
> +{
> +	struct task_struct *current = bpf_get_current_task_btf();
> +	char dir_xattr_value[64] = {0};
> +	int xattr_sz = 0;
> +
> +	xattr_sz = bpf_getxattr(bprm->file->f_path.dentry,
> +				bprm->file->f_path.dentry->d_inode, XATTR_NAME,
> +				dir_xattr_value, 64);

Yeah, this isn't right. You're not accounting for the caller's userns
nor for the idmapped mount. If this is supposed to work you will need a
variant of vfs_getxattr() that takes the mount's idmapping into account
afaict. See what needs to happen after do_getxattr().

next prev parent reply	other threads:[~2022-06-28 17:33 UTC|newest]

Thread overview: 36+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-06-28 16:19 [PATCH v5 bpf-next 0/5] Add bpf_getxattr KP Singh
2022-06-28 16:19 ` [PATCH v5 bpf-next 1/5] btf: Add a new kfunc set which allows to mark a function to be sleepable KP Singh
2022-06-28 16:19 ` [PATCH v5 bpf-next 2/5] bpf: kfunc support for ARG_PTR_TO_CONST_STR KP Singh
2022-06-28 16:19 ` [PATCH v5 bpf-next 3/5] bpf: Allow kfuncs to be used in LSM programs KP Singh
2022-06-28 16:19 ` [PATCH v5 bpf-next 4/5] bpf: Add a bpf_getxattr kfunc KP Singh
2022-06-28 17:22   ` Christian Brauner
2022-06-28 17:23   ` Al Viro
2022-06-28 17:29     ` KP Singh
2022-06-28 16:19 ` [PATCH v5 bpf-next 5/5] bpf/selftests: Add a selftest for bpf_getxattr KP Singh
2022-06-28 17:33   ` Christian Brauner [this message]
2022-06-28 17:52     ` KP Singh
2022-06-28 22:28       ` Alexei Starovoitov
2022-06-29  8:11         ` Christian Brauner
2022-06-29  9:55           ` Christian Brauner
2022-06-30  3:02             ` Alexei Starovoitov
2022-06-30 11:45               ` Christian Brauner
2022-06-30 12:21                 ` KP Singh
2022-06-30 12:23                   ` KP Singh
2022-06-30 13:26                   ` Christian Brauner
2022-06-30 13:29                     ` KP Singh
2022-06-30 13:47                       ` Christian Brauner
2022-06-30 14:37                         ` Christian Brauner
2022-06-30 16:10                         ` Casey Schaufler
2022-06-30 22:23                           ` KP Singh
2022-06-30 23:23                             ` Casey Schaufler
2022-07-01  8:32                               ` Amir Goldstein
2022-07-01  8:58                                 ` Christian Brauner
2022-07-01  9:24                                   ` Amir Goldstein
2022-06-30 16:28                   ` Amir Goldstein
2022-06-30 22:25                     ` KP Singh
2022-06-28 17:13 ` [PATCH v5 bpf-next 0/5] Add bpf_getxattr Christian Brauner
2022-06-28 17:20   ` KP Singh
2022-06-28 17:21     ` KP Singh
2022-06-29  1:36       ` Dave Chinner
2022-06-29  2:00         ` KP Singh
2022-06-29  2:05           ` KP Singh

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20220628173344.h7ihvyl6vuky5xus@wittgenstein \
    --to=brauner@kernel.org \
    --cc=andrii@kernel.org \
    --cc=ast@kernel.org \
    --cc=benjamin.tissoires@redhat.com \
    --cc=bpf@vger.kernel.org \
    --cc=daniel@iogearbox.net \
    --cc=kpsingh@kernel.org \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=yosryahmed@google.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).