From: Blaise Boscaccy <bboscaccy@linux.microsoft.com>
To: Song Liu <song@kernel.org>
Cc: Paul Moore <paul@paul-moore.com>,
James Morris <jmorris@namei.org>,
"Serge E. Hallyn" <serge@hallyn.com>,
Alexei Starovoitov <ast@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
John Fastabend <john.fastabend@gmail.com>,
Andrii Nakryiko <andrii@kernel.org>,
Martin KaFai Lau <martin.lau@linux.dev>,
Eduard Zingerman <eddyz87@gmail.com>,
Yonghong Song <yonghong.song@linux.dev>,
KP Singh <kpsingh@kernel.org>,
Stanislav Fomichev <sdf@fomichev.me>, Hao Luo <haoluo@google.com>,
Jiri Olsa <jolsa@kernel.org>,
Stephen Smalley <stephen.smalley.work@gmail.com>,
Ondrej Mosnacek <omosnace@redhat.com>,
linux-security-module@vger.kernel.org,
linux-kernel@vger.kernel.org, bpf@vger.kernel.org,
selinux@vger.kernel.org
Subject: Re: [PATCH v4 bpf-next 2/2] selftests/bpf: Add is_kernel parameter to LSM/bpf test programs
Date: Tue, 04 Mar 2025 16:36:44 -0800 [thread overview]
Message-ID: <87a5a0jotf.fsf@microsoft.com> (raw)
In-Reply-To: <CAPhsuW5HJuRYPucfvDbs25un7_D8JJnt=7zNUJ1utY3O_VMeSw@mail.gmail.com>
Song Liu <song@kernel.org> writes:
> On Tue, Mar 4, 2025 at 12:31 PM Blaise Boscaccy
> <bboscaccy@linux.microsoft.com> wrote:
>>
>> The security_bpf LSM hook now contains a boolean parameter specifying
>> whether an invocation of the bpf syscall originated from within the
>> kernel. Here, we update the function signature of relevant test
>> programs to include that new parameter.
>>
>> Signed-off-by: Blaise Boscaccy bboscaccy@linux.microsoft.com
> ^^^ The email address is broken.
>
Whoops, appologies, will get that fixed.
>> ---
>> tools/testing/selftests/bpf/progs/rcu_read_lock.c | 3 ++-
>> tools/testing/selftests/bpf/progs/test_cgroup1_hierarchy.c | 4 ++--
>> tools/testing/selftests/bpf/progs/test_kfunc_dynptr_param.c | 6 +++---
>> tools/testing/selftests/bpf/progs/test_lookup_key.c | 2 +-
>> tools/testing/selftests/bpf/progs/test_ptr_untrusted.c | 2 +-
>> tools/testing/selftests/bpf/progs/test_task_under_cgroup.c | 2 +-
>> tools/testing/selftests/bpf/progs/test_verify_pkcs7_sig.c | 2 +-
>> 7 files changed, 11 insertions(+), 10 deletions(-)
>
> It appears you missed a few of these?
>
Some of these don't require any changes. I ran into this as well while doing a
search.
These are all accounted for in the patch.
> tools/testing/selftests/bpf/progs/rcu_read_lock.c:SEC("?lsm.s/bpf")
> tools/testing/selftests/bpf/progs/test_cgroup1_hierarchy.c:SEC("lsm/bpf")
> tools/testing/selftests/bpf/progs/test_cgroup1_hierarchy.c:SEC("lsm.s/bpf")
> tools/testing/selftests/bpf/progs/test_kfunc_dynptr_param.c:SEC("?lsm.s/bpf")
> tools/testing/selftests/bpf/progs/test_kfunc_dynptr_param.c:SEC("?lsm.s/bpf")
> tools/testing/selftests/bpf/progs/test_kfunc_dynptr_param.c:SEC("lsm.s/bpf")
security_bpf_map wasn't altered, it can't be called from the kernel. No
changes needed.
> tools/testing/selftests/bpf/progs/test_libbpf_get_fd_by_id_opts.c:SEC("lsm/bpf_map")
These are also all accounted for in the patch.
> tools/testing/selftests/bpf/progs/test_lookup_key.c:SEC("lsm.s/bpf")
> tools/testing/selftests/bpf/progs/test_ptr_untrusted.c:SEC("lsm.s/bpf")
> tools/testing/selftests/bpf/progs/test_task_under_cgroup.c:SEC("lsm.s/bpf")
> tools/testing/selftests/bpf/progs/test_verify_pkcs7_sig.c:SEC("lsm.s/bpf")
bpf_token_cmd and bpf_token_capabable aren't callable from the kernel,
no changes to that hook either currently.
> tools/testing/selftests/bpf/progs/token_lsm.c:SEC("lsm/bpf_token_capable")
> tools/testing/selftests/bpf/progs/token_lsm.c:SEC("lsm/bpf_token_cmd")
This program doesn't take any parameters currently.
> tools/testing/selftests/bpf/progs/verifier_global_subprogs.c:SEC("?lsm/bpf")
These are all naked calls that don't take any explicit parameters.
> tools/testing/selftests/bpf/progs/verifier_ref_tracking.c:SEC("lsm.s/bpf")
> tools/testing/selftests/bpf/progs/verifier_ref_tracking.c:SEC("lsm.s/bpf")
> tools/testing/selftests/bpf/progs/verifier_ref_tracking.c:SEC("lsm.s/bpf")
> tools/testing/selftests/bpf/progs/verifier_ref_tracking.c:SEC("lsm.s/bpf")
> tools/testing/selftests/bpf/progs/verifier_ref_tracking.c:SEC("lsm.s/bpf")
> tools/testing/selftests/bpf/progs/verifier_ref_tracking.c:SEC("lsm.s/bpf")
> tools/testing/selftests/bpf/progs/verifier_ref_tracking.c:SEC("lsm.s/bpf")
>
-blaise
>>
>> diff --git a/tools/testing/selftests/bpf/progs/rcu_read_lock.c b/tools/testing/selftests/bpf/progs/rcu_read_lock.c
>> index ab3a532b7dd6d..f85d0e282f2ae 100644
>> --- a/tools/testing/selftests/bpf/progs/rcu_read_lock.c
>> +++ b/tools/testing/selftests/bpf/progs/rcu_read_lock.c
>> @@ -242,7 +242,8 @@ int inproper_sleepable_helper(void *ctx)
>> }
>>
>> SEC("?lsm.s/bpf")
>> -int BPF_PROG(inproper_sleepable_kfunc, int cmd, union bpf_attr *attr, unsigned int size)
>> +int BPF_PROG(inproper_sleepable_kfunc, int cmd, union bpf_attr *attr, unsigned int size,
>> + bool is_kernel)
>> {
>> struct bpf_key *bkey;
>>
>> diff --git a/tools/testing/selftests/bpf/progs/test_cgroup1_hierarchy.c b/tools/testing/selftests/bpf/progs/test_cgroup1_hierarchy.c
>> index 44628865fe1d4..0e741262138f2 100644
>> --- a/tools/testing/selftests/bpf/progs/test_cgroup1_hierarchy.c
>> +++ b/tools/testing/selftests/bpf/progs/test_cgroup1_hierarchy.c
>> @@ -51,13 +51,13 @@ static int bpf_link_create_verify(int cmd)
>> }
>>
>> SEC("lsm/bpf")
>> -int BPF_PROG(lsm_run, int cmd, union bpf_attr *attr, unsigned int size)
>> +int BPF_PROG(lsm_run, int cmd, union bpf_attr *attr, unsigned int size, bool is_kernel)
>> {
>> return bpf_link_create_verify(cmd);
>> }
>>
>> SEC("lsm.s/bpf")
>> -int BPF_PROG(lsm_s_run, int cmd, union bpf_attr *attr, unsigned int size)
>> +int BPF_PROG(lsm_s_run, int cmd, union bpf_attr *attr, unsigned int size, bool is_kernel)
>> {
>> return bpf_link_create_verify(cmd);
>> }
>> diff --git a/tools/testing/selftests/bpf/progs/test_kfunc_dynptr_param.c b/tools/testing/selftests/bpf/progs/test_kfunc_dynptr_param.c
>> index cd4d752bd089c..ce36a55ba5b8b 100644
>> --- a/tools/testing/selftests/bpf/progs/test_kfunc_dynptr_param.c
>> +++ b/tools/testing/selftests/bpf/progs/test_kfunc_dynptr_param.c
>> @@ -36,7 +36,7 @@ char _license[] SEC("license") = "GPL";
>>
>> SEC("?lsm.s/bpf")
>> __failure __msg("cannot pass in dynptr at an offset=-8")
>> -int BPF_PROG(not_valid_dynptr, int cmd, union bpf_attr *attr, unsigned int size)
>> +int BPF_PROG(not_valid_dynptr, int cmd, union bpf_attr *attr, unsigned int size, bool is_kernel)
>> {
>> unsigned long val;
>>
>> @@ -46,7 +46,7 @@ int BPF_PROG(not_valid_dynptr, int cmd, union bpf_attr *attr, unsigned int size)
>>
>> SEC("?lsm.s/bpf")
>> __failure __msg("arg#0 expected pointer to stack or const struct bpf_dynptr")
>> -int BPF_PROG(not_ptr_to_stack, int cmd, union bpf_attr *attr, unsigned int size)
>> +int BPF_PROG(not_ptr_to_stack, int cmd, union bpf_attr *attr, unsigned int size, bool is_kernel)
>> {
>> unsigned long val = 0;
>>
>> @@ -55,7 +55,7 @@ int BPF_PROG(not_ptr_to_stack, int cmd, union bpf_attr *attr, unsigned int size)
>> }
>>
>> SEC("lsm.s/bpf")
>> -int BPF_PROG(dynptr_data_null, int cmd, union bpf_attr *attr, unsigned int size)
>> +int BPF_PROG(dynptr_data_null, int cmd, union bpf_attr *attr, unsigned int size, bool is_kernel)
>> {
>> struct bpf_key *trusted_keyring;
>> struct bpf_dynptr ptr;
>> diff --git a/tools/testing/selftests/bpf/progs/test_lookup_key.c b/tools/testing/selftests/bpf/progs/test_lookup_key.c
>> index c73776990ae30..c46077e01a4ca 100644
>> --- a/tools/testing/selftests/bpf/progs/test_lookup_key.c
>> +++ b/tools/testing/selftests/bpf/progs/test_lookup_key.c
>> @@ -23,7 +23,7 @@ extern struct bpf_key *bpf_lookup_system_key(__u64 id) __ksym;
>> extern void bpf_key_put(struct bpf_key *key) __ksym;
>>
>> SEC("lsm.s/bpf")
>> -int BPF_PROG(bpf, int cmd, union bpf_attr *attr, unsigned int size)
>> +int BPF_PROG(bpf, int cmd, union bpf_attr *attr, unsigned int size, bool is_kernel)
>> {
>> struct bpf_key *bkey;
>> __u32 pid;
>> diff --git a/tools/testing/selftests/bpf/progs/test_ptr_untrusted.c b/tools/testing/selftests/bpf/progs/test_ptr_untrusted.c
>> index 2fdc44e766248..21fce1108a21d 100644
>> --- a/tools/testing/selftests/bpf/progs/test_ptr_untrusted.c
>> +++ b/tools/testing/selftests/bpf/progs/test_ptr_untrusted.c
>> @@ -7,7 +7,7 @@
>> char tp_name[128];
>>
>> SEC("lsm.s/bpf")
>> -int BPF_PROG(lsm_run, int cmd, union bpf_attr *attr, unsigned int size)
>> +int BPF_PROG(lsm_run, int cmd, union bpf_attr *attr, unsigned int size, bool is_kernel)
>> {
>> switch (cmd) {
>> case BPF_RAW_TRACEPOINT_OPEN:
>> diff --git a/tools/testing/selftests/bpf/progs/test_task_under_cgroup.c b/tools/testing/selftests/bpf/progs/test_task_under_cgroup.c
>> index 7e750309ce274..18ad24a851c6c 100644
>> --- a/tools/testing/selftests/bpf/progs/test_task_under_cgroup.c
>> +++ b/tools/testing/selftests/bpf/progs/test_task_under_cgroup.c
>> @@ -49,7 +49,7 @@ int BPF_PROG(tp_btf_run, struct task_struct *task, u64 clone_flags)
>> }
>>
>> SEC("lsm.s/bpf")
>> -int BPF_PROG(lsm_run, int cmd, union bpf_attr *attr, unsigned int size)
>> +int BPF_PROG(lsm_run, int cmd, union bpf_attr *attr, unsigned int size, bool is_kernel)
>> {
>> struct cgroup *cgrp = NULL;
>> struct task_struct *task;
>> diff --git a/tools/testing/selftests/bpf/progs/test_verify_pkcs7_sig.c b/tools/testing/selftests/bpf/progs/test_verify_pkcs7_sig.c
>> index 12034a73ee2d2..135665f011c7e 100644
>> --- a/tools/testing/selftests/bpf/progs/test_verify_pkcs7_sig.c
>> +++ b/tools/testing/selftests/bpf/progs/test_verify_pkcs7_sig.c
>> @@ -37,7 +37,7 @@ struct {
>> char _license[] SEC("license") = "GPL";
>>
>> SEC("lsm.s/bpf")
>> -int BPF_PROG(bpf, int cmd, union bpf_attr *attr, unsigned int size)
>> +int BPF_PROG(bpf, int cmd, union bpf_attr *attr, unsigned int size, bool is_kernel)
>> {
>> struct bpf_dynptr data_ptr, sig_ptr;
>> struct data *data_val;
>> --
>> 2.48.1
>>
next prev parent reply other threads:[~2025-03-05 0:36 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-03-04 20:30 [PATCH v4 bpf-next 0/2] security: Propagate caller information in bpf hooks Blaise Boscaccy
2025-03-04 20:30 ` [PATCH v4 bpf-next 1/2] " Blaise Boscaccy
2025-03-05 0:46 ` Paul Moore
2025-03-04 20:30 ` [PATCH v4 bpf-next 2/2] selftests/bpf: Add is_kernel parameter to LSM/bpf test programs Blaise Boscaccy
2025-03-04 23:19 ` Song Liu
2025-03-05 0:36 ` Blaise Boscaccy [this message]
2025-03-05 3:27 ` Song Liu
2025-03-05 0:40 ` Paul Moore
2025-03-05 1:25 ` Blaise Boscaccy
2025-03-05 2:14 ` Paul Moore
2025-03-05 3:32 ` Song Liu
2025-03-05 16:12 ` Paul Moore
2025-03-05 17:08 ` Alexei Starovoitov
2025-03-05 17:20 ` Song Liu
2025-03-05 20:12 ` Paul Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87a5a0jotf.fsf@microsoft.com \
--to=bboscaccy@linux.microsoft.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=eddyz87@gmail.com \
--cc=haoluo@google.com \
--cc=jmorris@namei.org \
--cc=john.fastabend@gmail.com \
--cc=jolsa@kernel.org \
--cc=kpsingh@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=martin.lau@linux.dev \
--cc=omosnace@redhat.com \
--cc=paul@paul-moore.com \
--cc=sdf@fomichev.me \
--cc=selinux@vger.kernel.org \
--cc=serge@hallyn.com \
--cc=song@kernel.org \
--cc=stephen.smalley.work@gmail.com \
--cc=yonghong.song@linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).