From: Andrii Nakryiko <andrii@kernel.org>
To: <bpf@vger.kernel.org>
Cc: <linux-security-module@vger.kernel.org>, <keescook@chromium.org>,
<brauner@kernel.org>, <lennart@poettering.net>,
<cyphar@cyphar.com>, <luto@kernel.org>, <kernel-team@meta.com>,
<sargun@sargun.me>
Subject: [PATCH v3 bpf-next 06/14] selftests/bpf: add BPF token-enabled test for BPF_MAP_CREATE command
Date: Wed, 21 Jun 2023 16:38:01 -0700 [thread overview]
Message-ID: <20230621233809.1941811-7-andrii@kernel.org> (raw)
In-Reply-To: <20230621233809.1941811-1-andrii@kernel.org>
Add test for creating BPF token with support for BPF_MAP_CREATE
delegation. And validate that its allowed_map_types filter works as
expected and allows to create privileged BPF maps through delegated
token, as long as they are allowed by privileged creator of a token.
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
---
.../testing/selftests/bpf/prog_tests/token.c | 55 +++++++++++++++++++
1 file changed, 55 insertions(+)
diff --git a/tools/testing/selftests/bpf/prog_tests/token.c b/tools/testing/selftests/bpf/prog_tests/token.c
index 153c4e26ef6b..0f832f9178a2 100644
--- a/tools/testing/selftests/bpf/prog_tests/token.c
+++ b/tools/testing/selftests/bpf/prog_tests/token.c
@@ -89,8 +89,63 @@ static void subtest_token_create(void)
ASSERT_OK(restore_priv_caps(old_caps), "restore_caps");
}
+static void subtest_map_token(void)
+{
+ LIBBPF_OPTS(bpf_token_create_opts, token_opts);
+ LIBBPF_OPTS(bpf_map_create_opts, map_opts);
+ int token_fd = 0, map_fd = 0, err;
+ __u64 old_caps = 0;
+
+ /* check that it's ok to allow any map type */
+ token_opts.allowed_map_types = ~0ULL; /* any current and future map types is allowed */
+ err = bpf_token_create(-EBADF, TOKEN_PATH, &token_opts);
+ if (!ASSERT_OK(err, "token_create_future_proof"))
+ return;
+ unlink(TOKEN_PATH);
+
+ /* create BPF token allowing STACK, but not QUEUE map */
+ token_opts.allowed_cmds = 1ULL << BPF_MAP_CREATE;
+ token_opts.allowed_map_types = 1ULL << BPF_MAP_TYPE_STACK; /* but not QUEUE */
+ err = bpf_token_create(-EBADF, TOKEN_PATH, &token_opts);
+ if (!ASSERT_OK(err, "token_create"))
+ return;
+
+ /* drop privileges to test token_fd passing */
+ if (!ASSERT_OK(drop_priv_caps(&old_caps), "drop_caps"))
+ goto cleanup;
+
+ token_fd = bpf_obj_get(TOKEN_PATH);
+ if (!ASSERT_GT(token_fd, 0, "token_get"))
+ goto cleanup;
+
+ /* BPF_MAP_TYPE_STACK is privileged, but with given token_fd should succeed */
+ map_opts.token_fd = token_fd;
+ map_fd = bpf_map_create(BPF_MAP_TYPE_STACK, "token_stack", 0, 8, 1, &map_opts);
+ if (!ASSERT_GT(map_fd, 0, "stack_map_fd"))
+ goto cleanup;
+ close(map_fd);
+ map_fd = 0;
+
+ /* BPF_MAP_TYPE_QUEUE is privileged, and token doesn't allow it, so should fail */
+ map_opts.token_fd = token_fd;
+ map_fd = bpf_map_create(BPF_MAP_TYPE_QUEUE, "token_queue", 0, 8, 1, &map_opts);
+ if (!ASSERT_EQ(map_fd, -EPERM, "queue_map_fd"))
+ goto cleanup;
+
+cleanup:
+ if (map_fd > 0)
+ close(map_fd);
+ if (token_fd)
+ close(token_fd);
+ unlink(TOKEN_PATH);
+ if (old_caps)
+ ASSERT_OK(restore_priv_caps(old_caps), "restore_caps");
+}
+
void test_token(void)
{
if (test__start_subtest("token_create"))
subtest_token_create();
+ if (test__start_subtest("map_token"))
+ subtest_map_token();
}
--
2.34.1
next prev parent reply other threads:[~2023-06-21 23:41 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-06-21 23:37 [PATCH v3 bpf-next 00/14] BPF token Andrii Nakryiko
2023-06-21 23:37 ` [PATCH v3 bpf-next 01/14] bpf: introduce BPF token object Andrii Nakryiko
2023-06-21 23:37 ` [PATCH v3 bpf-next 02/14] libbpf: add bpf_token_create() API Andrii Nakryiko
2023-06-21 23:37 ` [PATCH v3 bpf-next 03/14] selftests/bpf: add BPF_TOKEN_CREATE test Andrii Nakryiko
2023-06-21 23:37 ` [PATCH v3 bpf-next 04/14] bpf: add BPF token support to BPF_MAP_CREATE command Andrii Nakryiko
2023-06-21 23:38 ` [PATCH v3 bpf-next 05/14] libbpf: add BPF token support to bpf_map_create() API Andrii Nakryiko
2023-06-21 23:38 ` Andrii Nakryiko [this message]
2023-06-21 23:38 ` [PATCH v3 bpf-next 07/14] bpf: add BPF token support to BPF_BTF_LOAD command Andrii Nakryiko
2023-06-21 23:38 ` [PATCH v3 bpf-next 08/14] libbpf: add BPF token support to bpf_btf_load() API Andrii Nakryiko
2023-06-21 23:38 ` [PATCH v3 bpf-next 09/14] selftests/bpf: add BPF token-enabled BPF_BTF_LOAD selftest Andrii Nakryiko
2023-06-21 23:38 ` [PATCH v3 bpf-next 10/14] bpf: add BPF token support to BPF_PROG_LOAD command Andrii Nakryiko
2023-06-21 23:38 ` [PATCH v3 bpf-next 11/14] bpf: take into account BPF token when fetching helper protos Andrii Nakryiko
2023-06-21 23:38 ` [PATCH v3 bpf-next 12/14] bpf: consistenly use BPF token throughout BPF verifier logic Andrii Nakryiko
2023-06-21 23:38 ` [PATCH v3 bpf-next 13/14] libbpf: add BPF token support to bpf_prog_load() API Andrii Nakryiko
2023-06-21 23:38 ` [PATCH v3 bpf-next 14/14] selftests/bpf: add BPF token-enabled BPF_PROG_LOAD tests Andrii Nakryiko
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230621233809.1941811-7-andrii@kernel.org \
--to=andrii@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=brauner@kernel.org \
--cc=cyphar@cyphar.com \
--cc=keescook@chromium.org \
--cc=kernel-team@meta.com \
--cc=lennart@poettering.net \
--cc=linux-security-module@vger.kernel.org \
--cc=luto@kernel.org \
--cc=sargun@sargun.me \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).