From: Andrii Nakryiko <andrii.nakryiko@gmail.com>
To: Jiri Olsa <olsajiri@gmail.com>
Cc: Andrii Nakryiko <andrii@kernel.org>,
bpf@vger.kernel.org, netdev@vger.kernel.org,
linux-fsdevel@vger.kernel.org,
linux-security-module@vger.kernel.org, keescook@chromium.org,
brauner@kernel.org, lennart@poettering.net, kernel-team@meta.com,
sargun@sargun.me
Subject: Re: [PATCH v8 bpf-next 17/18] selftests/bpf: add BPF token-enabled tests
Date: Tue, 17 Oct 2023 10:32:12 -0700 [thread overview]
Message-ID: <CAEf4BzZEoAAfb3BdDavAjHAsQSEsEOwHA7ELUMGqskinH19HTQ@mail.gmail.com> (raw)
In-Reply-To: <ZS5ptHMhvMAkB+Tb@krava>
On Tue, Oct 17, 2023 at 4:02 AM Jiri Olsa <olsajiri@gmail.com> wrote:
>
> On Mon, Oct 16, 2023 at 11:02:19AM -0700, Andrii Nakryiko wrote:
> > Add a selftest that attempts to conceptually replicate intended BPF
> > token use cases inside user namespaced container.
> >
> > Child process is forked. It is then put into its own userns and mountns.
> > Child creates BPF FS context object and sets it up as desired. This
> > ensures child userns is captures as owning userns for this instance of
> > BPF FS.
> >
> > This context is passed back to privileged parent process through Unix
> > socket, where parent creates and mounts it as a detached mount. This
> > mount FD is passed back to the child to be used for BPF token creation,
> > which allows otherwise privileged BPF operations to succeed inside
> > userns.
> >
> > We validate that all of token-enabled privileged commands (BPF_BTF_LOAD,
> > BPF_MAP_CREATE, and BPF_PROG_LOAD) work as intended. They should only
> > succeed inside the userns if a) BPF token is provided with proper
> > allowed sets of commands and types; and b) namespaces CAP_BPF and other
> > privileges are set. Lacking a) or b) should lead to -EPERM failures.
> >
> > Based on suggested workflow by Christian Brauner ([0]).
> >
> > [0] https://lore.kernel.org/bpf/20230704-hochverdient-lehne-eeb9eeef785e@brauner/
> >
> > Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
> > ---
> > .../testing/selftests/bpf/prog_tests/token.c | 629 ++++++++++++++++++
> > 1 file changed, 629 insertions(+)
> > create mode 100644 tools/testing/selftests/bpf/prog_tests/token.c
> >
> > diff --git a/tools/testing/selftests/bpf/prog_tests/token.c b/tools/testing/selftests/bpf/prog_tests/token.c
> > new file mode 100644
> > index 000000000000..41cee6b4731e
> > --- /dev/null
> > +++ b/tools/testing/selftests/bpf/prog_tests/token.c
> > @@ -0,0 +1,629 @@
> > +// SPDX-License-Identifier: GPL-2.0
> > +/* Copyright (c) 2023 Meta Platforms, Inc. and affiliates. */
> > +#define _GNU_SOURCE
> > +#include <test_progs.h>
> > +#include <bpf/btf.h>
> > +#include "cap_helpers.h"
> > +#include <fcntl.h>
> > +#include <sched.h>
> > +#include <signal.h>
> > +#include <unistd.h>
> > +#include <linux/filter.h>
> > +#include <linux/unistd.h>
> > +#include <sys/mount.h>
> > +#include <sys/socket.h>
> > +#include <sys/syscall.h>
> > +#include <sys/un.h>
> > +
> > +/* copied from include/uapi/linux/mount.h, as including it conflicts with
> > + * sys/mount.h include
> > + */
> > +enum fsconfig_command {
> > + FSCONFIG_SET_FLAG = 0, /* Set parameter, supplying no value */
> > + FSCONFIG_SET_STRING = 1, /* Set parameter, supplying a string value */
> > + FSCONFIG_SET_BINARY = 2, /* Set parameter, supplying a binary blob value */
> > + FSCONFIG_SET_PATH = 3, /* Set parameter, supplying an object by path */
> > + FSCONFIG_SET_PATH_EMPTY = 4, /* Set parameter, supplying an object by (empty) path */
> > + FSCONFIG_SET_FD = 5, /* Set parameter, supplying an object by fd */
> > + FSCONFIG_CMD_CREATE = 6, /* Invoke superblock creation */
> > + FSCONFIG_CMD_RECONFIGURE = 7, /* Invoke superblock reconfiguration */
> > +};
>
> I'm getting compilation fail, because fsconfig_command seems to be
> included through the sys/mount.h include, but CI is green hum :-\
>
> when I get -E output I can see:
>
> ...
> # 16 "./cap_helpers.h"
> int cap_enable_effective(__u64 caps, __u64 *old_caps);
> int cap_disable_effective(__u64 caps, __u64 *old_caps);
> # 7 "/home/jolsa/kernel/linux-qemu/tools/testing/selftests/bpf/prog_tests/token.c" 2
>
> # 1 "/usr/include/sys/mount.h" 1 3 4
> # 27 "/usr/include/sys/mount.h" 3 4
> # 1 "/usr/lib/gcc/x86_64-redhat-linux/13/include/stddef.h" 1 3 4
> # 28 "/usr/include/sys/mount.h" 2 3 4
>
> # 1 "/home/jolsa/kernel/linux-qemu/tools/include/uapi/linux/mount.h" 1 3 4
> # 96 "/home/jolsa/kernel/linux-qemu/tools/include/uapi/linux/mount.h" 3 4
>
> # 96 "/home/jolsa/kernel/linux-qemu/tools/include/uapi/linux/mount.h" 3 4
> enum fsconfig_command {
> FSCONFIG_SET_FLAG = 0,
> FSCONFIG_SET_STRING = 1,
> FSCONFIG_SET_BINARY = 2,
> FSCONFIG_SET_PATH = 3,
> FSCONFIG_SET_PATH_EMPTY = 4,
> FSCONFIG_SET_FD = 5,
> FSCONFIG_CMD_CREATE = 6,
> FSCONFIG_CMD_RECONFIGURE = 7,
> };
>
>
> ...
>
>
> # 21 "/home/jolsa/kernel/linux-qemu/tools/testing/selftests/bpf/prog_tests/token.c"
> enum fsconfig_command {
> FSCONFIG_SET_FLAG = 0,
> FSCONFIG_SET_STRING = 1,
> FSCONFIG_SET_BINARY = 2,
> FSCONFIG_SET_PATH = 3,
> FSCONFIG_SET_PATH_EMPTY = 4,
> FSCONFIG_SET_FD = 5,
> FSCONFIG_CMD_CREATE = 6,
> FSCONFIG_CMD_RECONFIGURE = 7,
> };
>
>
> it's probably included through this bit in the /usr/include/sys/mount.h:
>
> #ifdef __has_include
> # if __has_include ("linux/mount.h")
> # include "linux/mount.h"
> # endif
> #endif
>
> which was added 'recently' in https://sourceware.org/git/?p=glibc.git;a=commit;h=774058d72942249f71d74e7f2b639f77184160a6
>
> maybe you use older glibs headers? or perhaps it might be my build setup
No, I'm pretty sure I have older headers. I'd like this to work in
both environments, so I need to fix this. I'll try to make this work
with uapi header, I guess. Thanks for reporting!
>
> jirka
>
[...]
next prev parent reply other threads:[~2023-10-17 17:32 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-10-16 18:02 [PATCH v8 bpf-next 00/18] BPF token and BPF FS-based delegation Andrii Nakryiko
2023-10-16 18:02 ` [PATCH v8 bpf-next 01/18] bpf: align CAP_NET_ADMIN checks with bpf_capable() approach Andrii Nakryiko
2023-10-16 18:02 ` [PATCH v8 bpf-next 02/18] bpf: add BPF token delegation mount options to BPF FS Andrii Nakryiko
2023-10-16 18:02 ` [PATCH v8 bpf-next 03/18] bpf: introduce BPF token object Andrii Nakryiko
2023-10-16 18:02 ` [PATCH v8 bpf-next 04/18] bpf: add BPF token support to BPF_MAP_CREATE command Andrii Nakryiko
2023-10-16 18:02 ` [PATCH v8 bpf-next 05/18] bpf: add BPF token support to BPF_BTF_LOAD command Andrii Nakryiko
2023-10-16 18:02 ` [PATCH v8 bpf-next 06/18] bpf: add BPF token support to BPF_PROG_LOAD command Andrii Nakryiko
2023-10-16 18:02 ` [PATCH v8 bpf-next 07/18] bpf: take into account BPF token when fetching helper protos Andrii Nakryiko
2023-10-16 18:02 ` [PATCH v8 bpf-next 08/18] bpf: consistenly use BPF token throughout BPF verifier logic Andrii Nakryiko
2023-10-16 18:02 ` [PATCH v8 bpf-next 09/18] bpf,lsm: refactor bpf_prog_alloc/bpf_prog_free LSM hooks Andrii Nakryiko
2023-10-17 13:56 ` kernel test robot
2023-10-17 17:46 ` Andrii Nakryiko
2023-10-16 18:02 ` [PATCH v8 bpf-next 10/18] bpf,lsm: refactor bpf_map_alloc/bpf_map_free " Andrii Nakryiko
2023-10-17 14:59 ` kernel test robot
2023-10-16 18:02 ` [PATCH v8 bpf-next 11/18] bpf,lsm: add BPF token " Andrii Nakryiko
2023-10-17 15:44 ` kernel test robot
2023-10-16 18:02 ` [PATCH v8 bpf-next 12/18] libbpf: add bpf_token_create() API Andrii Nakryiko
2023-10-16 18:02 ` [PATCH v8 bpf-next 13/18] selftests/bpf: fix test_maps' use of bpf_map_create_opts Andrii Nakryiko
2023-10-16 18:02 ` [PATCH v8 bpf-next 14/18] libbpf: add BPF token support to bpf_map_create() API Andrii Nakryiko
2023-10-16 18:02 ` [PATCH v8 bpf-next 15/18] libbpf: add BPF token support to bpf_btf_load() API Andrii Nakryiko
2023-10-16 18:02 ` [PATCH v8 bpf-next 16/18] libbpf: add BPF token support to bpf_prog_load() API Andrii Nakryiko
2023-10-16 18:02 ` [PATCH v8 bpf-next 17/18] selftests/bpf: add BPF token-enabled tests Andrii Nakryiko
2023-10-17 11:02 ` Jiri Olsa
2023-10-17 17:32 ` Andrii Nakryiko [this message]
2023-10-17 17:44 ` Andrii Nakryiko
2023-10-16 18:02 ` [PATCH v8 bpf-next 18/18] bpf,selinux: allocate bpf_security_struct per BPF token Andrii Nakryiko
2023-10-20 13:18 ` [PATCH v8 bpf-next 00/18] BPF token and BPF FS-based delegation Lorenz Bauer
2023-10-20 16:25 ` Andrii Nakryiko
2023-10-24 17:52 ` Andrii Nakryiko
2023-10-24 18:23 ` Paul Moore
2023-10-24 19:38 ` Andrii Nakryiko
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAEf4BzZEoAAfb3BdDavAjHAsQSEsEOwHA7ELUMGqskinH19HTQ@mail.gmail.com \
--to=andrii.nakryiko@gmail.com \
--cc=andrii@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=brauner@kernel.org \
--cc=keescook@chromium.org \
--cc=kernel-team@meta.com \
--cc=lennart@poettering.net \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=olsajiri@gmail.com \
--cc=sargun@sargun.me \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).