From: KP Singh <kpsingh@chromium.org>
To: linux-kernel@vger.kernel.org, bpf@vger.kernel.org,
linux-security-module@vger.kernel.org
Cc: "Alexei Starovoitov" <ast@kernel.org>,
"Daniel Borkmann" <daniel@iogearbox.net>,
"James Morris" <jmorris@namei.org>,
"Kees Cook" <keescook@chromium.org>,
"Thomas Garnier" <thgarnie@chromium.org>,
"Michael Halcrow" <mhalcrow@google.com>,
"Paul Turner" <pjt@google.com>,
"Brendan Gregg" <brendan.d.gregg@gmail.com>,
"Jann Horn" <jannh@google.com>,
"Matthew Garrett" <mjg59@google.com>,
"Christian Brauner" <christian@brauner.io>,
"Mickaël Salaün" <mic@digikod.net>,
"Florent Revest" <revest@chromium.org>,
"Brendan Jackman" <jackmanb@chromium.org>,
"Martin KaFai Lau" <kafai@fb.com>,
"Song Liu" <songliubraving@fb.com>, "Yonghong Song" <yhs@fb.com>,
"Serge E. Hallyn" <serge@hallyn.com>,
"Mauro Carvalho Chehab" <mchehab+samsung@kernel.org>,
"David S. Miller" <davem@davemloft.net>,
"Greg Kroah-Hartman" <gregkh@linuxfoundation.org>,
"Nicolas Ferre" <nicolas.ferre@microchip.com>,
"Stanislav Fomichev" <sdf@google.com>,
"Quentin Monnet" <quentin.monnet@netronome.com>,
"Andrey Ignatov" <rdna@fb.com>, "Joe Stringer" <joe@wand.net.nz>
Subject: [PATCH bpf-next v1 12/13] bpf: lsm: Add selftests for BPF_PROG_TYPE_LSM
Date: Fri, 20 Dec 2019 16:42:07 +0100 [thread overview]
Message-ID: <20191220154208.15895-13-kpsingh@chromium.org> (raw)
In-Reply-To: <20191220154208.15895-1-kpsingh@chromium.org>
From: KP Singh <kpsingh@google.com>
* Load a BPF program that audits mprotect calls
* Attach the program to the "file_mprotect" LSM hook
* Verify if the program is actually loading by reading
securityfs
* Initialize the perf events buffer and poll for audit events
* Do an mprotect on some memory allocated on the heap
* Verify if the audit event was received
Signed-off-by: KP Singh <kpsingh@google.com>
---
MAINTAINERS | 2 +
.../bpf/prog_tests/lsm_mprotect_audit.c | 129 ++++++++++++++++++
.../selftests/bpf/progs/lsm_mprotect_audit.c | 58 ++++++++
3 files changed, 189 insertions(+)
create mode 100644 tools/testing/selftests/bpf/prog_tests/lsm_mprotect_audit.c
create mode 100644 tools/testing/selftests/bpf/progs/lsm_mprotect_audit.c
diff --git a/MAINTAINERS b/MAINTAINERS
index 681ae39bb2f0..652c93292ae9 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -3182,6 +3182,8 @@ L: bpf@vger.kernel.org
S: Maintained
F: security/bpf/
F: include/linux/bpf_lsm.h
+F: tools/testing/selftests/bpf/progs/lsm_mprotect_audit.c
+F: tools/testing/selftests/bpf/prog_tests/lsm_mprotect_audit.c
BROADCOM B44 10/100 ETHERNET DRIVER
M: Michael Chan <michael.chan@broadcom.com>
diff --git a/tools/testing/selftests/bpf/prog_tests/lsm_mprotect_audit.c b/tools/testing/selftests/bpf/prog_tests/lsm_mprotect_audit.c
new file mode 100644
index 000000000000..953531cec9fd
--- /dev/null
+++ b/tools/testing/selftests/bpf/prog_tests/lsm_mprotect_audit.c
@@ -0,0 +1,129 @@
+// SPDX-License-Identifier: GPL-2.0
+
+/*
+ * Copyright 2019 Google LLC.
+ */
+
+#include <test_progs.h>
+#include <sys/mman.h>
+#include <unistd.h>
+#include <malloc.h>
+
+#define EXPECTED_PROG_NAME "mprotect_audit"
+#define MPROTECT_AUDIT_MAGIC 0xDEAD
+
+struct mprotect_audit_log {
+ int is_heap, magic;
+};
+
+static void on_sample(void *ctx, int cpu, void *data, __u32 size)
+{
+ struct mprotect_audit_log *audit_log = data;
+ int duration = 0;
+
+ if (audit_log->magic != MPROTECT_AUDIT_MAGIC)
+ return;
+
+ if (CHECK(audit_log->is_heap != 1, "mprotect on heap",
+ "is_heap = %d\n", audit_log->is_heap))
+ return;
+
+ *(bool *)ctx = true;
+}
+
+int heap_mprotect(void)
+{
+ void *buf;
+ long sz;
+
+ sz = sysconf(_SC_PAGESIZE);
+ if (sz < 0)
+ return sz;
+
+ buf = memalign(sz, 2 * sz);
+ if (buf == NULL)
+ return -ENOMEM;
+
+ return mprotect(buf, sz, PROT_READ | PROT_EXEC);
+}
+
+void test_lsm_mprotect_audit(void)
+{
+ struct bpf_prog_load_attr attr = {
+ .file = "./lsm_mprotect_audit.o",
+ };
+
+ struct perf_buffer_opts pb_opts = {};
+ struct perf_buffer *pb = NULL;
+ struct bpf_link *link = NULL;
+ struct bpf_map *perf_buf_map;
+ struct bpf_object *prog_obj;
+ struct bpf_program *prog;
+ int err, prog_fd, sfs_fd;
+ char sfs_buf[1024];
+ int duration = 0;
+ bool passed = false;
+
+ err = bpf_prog_load_xattr(&attr, &prog_obj, &prog_fd);
+ if (CHECK(err, "prog_load lsm/file_mprotect",
+ "err %d errno %d\n", err, errno))
+ goto close_prog;
+
+ prog = bpf_object__find_program_by_title(prog_obj, "lsm/file_mprotect");
+ if (CHECK(!prog, "find_prog", "lsm/file_mprotect not found\n"))
+ goto close_prog;
+
+ link = bpf_program__attach_lsm(prog);
+ if (CHECK(IS_ERR(link), "attach_lsm file_mprotect",
+ "err %ld\n", PTR_ERR(link)))
+ goto close_prog;
+
+ sfs_fd = open("/sys/kernel/security/bpf/file_mprotect", O_RDONLY);
+ if (CHECK(sfs_fd < 0, "sfs_open file_mprotect",
+ "err %d errno %d\n", sfs_fd, errno))
+ goto close_prog;
+
+ err = read(sfs_fd, sfs_buf, sizeof(sfs_buf));
+ if (CHECK(err < 0, "sfs_read file_mprotect",
+ "err %d errno %d\n", sfs_fd, errno))
+ goto close_prog;
+
+ err = strncmp(sfs_buf, EXPECTED_PROG_NAME, strlen(EXPECTED_PROG_NAME));
+ if (CHECK(err != 0,
+ "sfs_read value", "want = %s, got = %s\n",
+ EXPECTED_PROG_NAME, sfs_buf))
+ goto close_prog;
+
+ perf_buf_map = bpf_object__find_map_by_name(prog_obj, "perf_buf_map");
+ if (CHECK(!perf_buf_map, "find_perf_buf_map", "not found\n"))
+ goto close_prog;
+
+ /* set up perf buffer */
+ pb_opts.sample_cb = on_sample;
+ pb_opts.ctx = &passed;
+ pb = perf_buffer__new(bpf_map__fd(perf_buf_map), 1, &pb_opts);
+ if (CHECK(IS_ERR(pb), "perf_buf__new", "err %ld\n", PTR_ERR(pb)))
+ goto close_prog;
+
+ err = heap_mprotect();
+ if (CHECK(err < 0, "heap_mprotect",
+ "err %d errno %d\n", err, errno))
+ goto close_prog;
+
+ /* read perf buffer */
+ err = perf_buffer__poll(pb, 100);
+ if (CHECK(err < 0, "perf_buffer__poll", "err %d\n", err))
+ goto close_prog;
+
+ /*
+ * make sure mprotect_audit program was triggered
+ * and detected an mprotect on the heap
+ */
+ CHECK_FAIL(!passed);
+
+close_prog:
+ perf_buffer__free(pb);
+ if (!IS_ERR_OR_NULL(link))
+ bpf_link__destroy(link);
+ bpf_object__close(prog_obj);
+}
diff --git a/tools/testing/selftests/bpf/progs/lsm_mprotect_audit.c b/tools/testing/selftests/bpf/progs/lsm_mprotect_audit.c
new file mode 100644
index 000000000000..85048315baae
--- /dev/null
+++ b/tools/testing/selftests/bpf/progs/lsm_mprotect_audit.c
@@ -0,0 +1,58 @@
+// SPDX-License-Identifier: GPL-2.0
+
+/*
+ * Copyright 2019 Google LLC.
+ */
+
+#include <linux/bpf.h>
+#include <stdbool.h>
+#include "bpf_helpers.h"
+#include "bpf_trace_helpers.h"
+
+char _license[] SEC("license") = "GPL";
+struct {
+ __uint(type, BPF_MAP_TYPE_PERF_EVENT_ARRAY);
+ __uint(key_size, sizeof(int));
+ __uint(value_size, sizeof(int));
+} perf_buf_map SEC(".maps");
+
+#define MPROTECT_AUDIT_MAGIC 0xDEAD
+
+struct mprotect_audit_log {
+ int is_heap, magic;
+};
+
+/*
+ * Define some of the structs used in the BPF program.
+ * Only the field names and their sizes need to be the
+ * same as the kernel type, the order is irrelevant.
+ */
+struct mm_struct {
+ unsigned long start_brk, brk, start_stack;
+};
+
+struct vm_area_struct {
+ unsigned long start_brk, brk, start_stack;
+ unsigned long vm_start, vm_end;
+ struct mm_struct *vm_mm;
+ unsigned long vm_flags;
+};
+
+BPF_TRACE_3("lsm/file_mprotect", mprotect_audit,
+ struct vm_area_struct *, vma,
+ unsigned long, reqprot, unsigned long, prot)
+{
+ struct mprotect_audit_log audit_log = {};
+ int is_heap = 0;
+
+ __builtin_preserve_access_index(({
+ is_heap = (vma->vm_start >= vma->vm_mm->start_brk &&
+ vma->vm_end <= vma->vm_mm->brk);
+ }));
+
+ audit_log.magic = MPROTECT_AUDIT_MAGIC;
+ audit_log.is_heap = is_heap;
+ bpf_lsm_event_output(&perf_buf_map, BPF_F_CURRENT_CPU, &audit_log,
+ sizeof(audit_log));
+ return 0;
+}
--
2.20.1
next prev parent reply other threads:[~2019-12-20 15:42 UTC|newest]
Thread overview: 74+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-12-20 15:41 [PATCH bpf-next v1 00/13] MAC and Audit policy using eBPF (KRSI) KP Singh
2019-12-20 15:41 ` [PATCH bpf-next v1 01/13] bpf: Refactor BPF_EVENT context macros to its own header KP Singh
2019-12-20 20:10 ` Andrii Nakryiko
2019-12-20 20:26 ` KP Singh
2019-12-20 15:41 ` [PATCH bpf-next v1 02/13] bpf: lsm: Add a skeleton and config options KP Singh
2020-01-07 21:13 ` James Morris
2019-12-20 15:41 ` [PATCH bpf-next v1 03/13] bpf: lsm: Introduce types for eBPF based LSM KP Singh
2019-12-20 15:41 ` [PATCH bpf-next v1 04/13] bpf: lsm: Allow btf_id based attachment for LSM hooks KP Singh
2019-12-23 23:54 ` Andrii Nakryiko
2019-12-30 19:22 ` KP Singh
2019-12-20 15:42 ` [PATCH bpf-next v1 05/13] tools/libbpf: Add support in libbpf for BPF_PROG_TYPE_LSM KP Singh
2019-12-24 0:07 ` Andrii Nakryiko
2019-12-24 0:09 ` Andrii Nakryiko
2020-01-03 23:59 ` KP Singh
2019-12-20 15:42 ` [PATCH bpf-next v1 06/13] bpf: lsm: Init Hooks and create files in securityfs KP Singh
2019-12-24 6:28 ` Andrii Nakryiko
2019-12-30 15:37 ` KP Singh
2019-12-30 18:52 ` Andrii Nakryiko
2019-12-30 19:20 ` Kees Cook
2020-01-03 23:53 ` KP Singh
2020-01-07 21:22 ` James Morris
2019-12-20 15:42 ` [PATCH bpf-next v1 07/13] bpf: lsm: Implement attach, detach and execution KP Singh
2019-12-24 5:48 ` Andrii Nakryiko
2020-01-07 21:27 ` James Morris
2019-12-20 15:42 ` [PATCH bpf-next v1 08/13] bpf: lsm: Show attached program names in hook read handler KP Singh
2020-01-07 21:28 ` James Morris
2019-12-20 15:42 ` [PATCH bpf-next v1 09/13] bpf: lsm: Add a helper function bpf_lsm_event_output KP Singh
2019-12-24 6:36 ` Andrii Nakryiko
2019-12-30 15:11 ` KP Singh
2019-12-30 18:56 ` Andrii Nakryiko
2019-12-20 15:42 ` [PATCH bpf-next v1 10/13] bpf: lsm: Handle attachment of the same program KP Singh
2019-12-24 6:38 ` Andrii Nakryiko
2020-01-08 18:21 ` James Morris
2019-12-20 15:42 ` [PATCH bpf-next v1 11/13] tools/libbpf: Add bpf_program__attach_lsm KP Singh
2019-12-24 6:44 ` Andrii Nakryiko
2020-01-08 18:24 ` James Morris
2019-12-20 15:42 ` KP Singh [this message]
2019-12-24 6:49 ` [PATCH bpf-next v1 12/13] bpf: lsm: Add selftests for BPF_PROG_TYPE_LSM Andrii Nakryiko
2020-01-04 0:09 ` KP Singh
2020-01-09 17:59 ` Andrii Nakryiko
2020-01-08 18:25 ` James Morris
2019-12-20 15:42 ` [PATCH bpf-next v1 13/13] bpf: lsm: Add Documentation KP Singh
2019-12-20 17:17 ` [PATCH bpf-next v1 00/13] MAC and Audit policy using eBPF (KRSI) Casey Schaufler
2019-12-20 17:38 ` KP Singh
2019-12-30 19:15 ` Kees Cook
2020-01-08 15:25 ` Stephen Smalley
2020-01-08 18:58 ` James Morris
2020-01-08 19:33 ` Stephen Smalley
2020-01-09 18:11 ` James Morris
2020-01-09 18:23 ` Greg Kroah-Hartman
2020-01-09 18:58 ` Stephen Smalley
2020-01-09 19:07 ` James Morris
2020-01-09 19:43 ` KP Singh
2020-01-09 19:47 ` Stephen Smalley
2020-01-10 15:27 ` KP Singh
2020-01-10 17:48 ` James Morris
2020-01-10 17:53 ` Alexei Starovoitov
2020-01-14 16:54 ` Stephen Smalley
2020-01-14 17:42 ` Stephen Smalley
2020-01-15 2:48 ` Alexei Starovoitov
2020-01-15 13:59 ` Stephen Smalley
2020-01-15 14:09 ` Greg Kroah-Hartman
2020-01-15 22:23 ` Alexei Starovoitov
2020-01-09 19:11 ` KP Singh
2020-01-08 18:27 ` James Morris
2019-12-20 22:46 ` Mickaël Salaün
2019-12-30 19:30 ` Kees Cook
2019-12-31 12:11 ` Mickaël Salaün
2019-12-22 1:27 ` Alexei Starovoitov
2019-12-30 14:58 ` KP Singh
2019-12-30 19:14 ` Andrii Nakryiko
2019-12-24 6:51 ` Andrii Nakryiko
2019-12-30 15:04 ` KP Singh
2019-12-30 18:58 ` Andrii Nakryiko
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20191220154208.15895-13-kpsingh@chromium.org \
--to=kpsingh@chromium.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=brendan.d.gregg@gmail.com \
--cc=christian@brauner.io \
--cc=daniel@iogearbox.net \
--cc=davem@davemloft.net \
--cc=gregkh@linuxfoundation.org \
--cc=jackmanb@chromium.org \
--cc=jannh@google.com \
--cc=jmorris@namei.org \
--cc=joe@wand.net.nz \
--cc=kafai@fb.com \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mchehab+samsung@kernel.org \
--cc=mhalcrow@google.com \
--cc=mic@digikod.net \
--cc=mjg59@google.com \
--cc=nicolas.ferre@microchip.com \
--cc=pjt@google.com \
--cc=quentin.monnet@netronome.com \
--cc=rdna@fb.com \
--cc=revest@chromium.org \
--cc=sdf@google.com \
--cc=serge@hallyn.com \
--cc=songliubraving@fb.com \
--cc=thgarnie@chromium.org \
--cc=yhs@fb.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).