Re: [PATCH bpf-next v2 2/2] bpf: Add tests for bpf_lsm_set_bprm_opts

From: Martin KaFai Lau <kafai@fb.com>
To: KP Singh <kpsingh@chromium.org>
Cc: <linux-kernel@vger.kernel.org>, <bpf@vger.kernel.org>,
	Alexei Starovoitov <ast@kernel.org>,
	Daniel Borkmann <daniel@iogearbox.net>,
	Florent Revest <revest@chromium.org>,
	Brendan Jackman <jackmanb@chromium.org>,
	Pauline Middelink <middelin@google.com>
Subject: Re: [PATCH bpf-next v2 2/2] bpf: Add tests for bpf_lsm_set_bprm_opts
Date: Mon, 16 Nov 2020 16:43:03 -0800	[thread overview]
Message-ID: <20201117004303.zpzoqluhslwbp7ce@kafai-mbp.dhcp.thefacebook.com> (raw)
In-Reply-To: <20201116232536.1752908-2-kpsingh@chromium.org>

On Mon, Nov 16, 2020 at 11:25:36PM +0000, KP Singh wrote:
> From: KP Singh <kpsingh@google.com>
> 
> The test forks a child process, updates the local storage to set/unset
> the securexec bit.
> 
> The BPF program in the test attaches to bprm_creds_for_exec which checks
> the local storage of the current task to set the secureexec bit on the
> binary parameters (bprm).
> 
> The child then execs a bash command with the environment variable
> TMPDIR set in the envp.  The bash command returns a different exit code
> based on its observed value of the TMPDIR variable.
> 
> Since TMPDIR is one of the variables that is ignored by the dynamic
> loader when the secureexec bit is set, one should expect the
> child execution to not see this value when the secureexec bit is set.
> 
> Signed-off-by: KP Singh <kpsingh@google.com>
> ---
>  .../selftests/bpf/prog_tests/test_bprm_opts.c | 124 ++++++++++++++++++
>  tools/testing/selftests/bpf/progs/bprm_opts.c |  34 +++++
>  2 files changed, 158 insertions(+)
>  create mode 100644 tools/testing/selftests/bpf/prog_tests/test_bprm_opts.c
>  create mode 100644 tools/testing/selftests/bpf/progs/bprm_opts.c
> 
> diff --git a/tools/testing/selftests/bpf/prog_tests/test_bprm_opts.c b/tools/testing/selftests/bpf/prog_tests/test_bprm_opts.c
> new file mode 100644
> index 000000000000..cba1ef3dc8b4
> --- /dev/null
> +++ b/tools/testing/selftests/bpf/prog_tests/test_bprm_opts.c
> @@ -0,0 +1,124 @@
> +// SPDX-License-Identifier: GPL-2.0
> +
> +/*
> + * Copyright (C) 2020 Google LLC.
> + */
> +
> +#include <asm-generic/errno-base.h>
> +#include <sys/stat.h>
Is it needed?

> +#include <test_progs.h>
> +#include <linux/limits.h>
> +
> +#include "bprm_opts.skel.h"
> +#include "network_helpers.h"
> +
> +#ifndef __NR_pidfd_open
> +#define __NR_pidfd_open 434
> +#endif
> +
> +static const char * const bash_envp[] = { "TMPDIR=shouldnotbeset", NULL };
> +
> +static inline int sys_pidfd_open(pid_t pid, unsigned int flags)
> +{
> +	return syscall(__NR_pidfd_open, pid, flags);
> +}
> +
> +static int update_storage(int map_fd, int secureexec)
> +{
> +	int task_fd, ret = 0;
> +
> +	task_fd = sys_pidfd_open(getpid(), 0);
> +	if (task_fd < 0)
> +		return errno;
> +
> +	ret = bpf_map_update_elem(map_fd, &task_fd, &secureexec, BPF_NOEXIST);
> +	if (ret)
> +		ret = errno;
> +
> +	close(task_fd);
> +	return ret;
> +}
> +
> +static int run_set_secureexec(int map_fd, int secureexec)
> +{
> +
> +	int child_pid, child_status, ret, null_fd;
> +
> +	child_pid = fork();
> +	if (child_pid == 0) {
> +		null_fd = open("/dev/null", O_WRONLY);
> +		if (null_fd == -1)
> +			exit(errno);
> +		dup2(null_fd, STDOUT_FILENO);
> +		dup2(null_fd, STDERR_FILENO);
> +		close(null_fd);
> +
> +		/* Ensure that all executions from hereon are
> +		 * secure by setting a local storage which is read by
> +		 * the bprm_creds_for_exec hook and sets bprm->secureexec.
> +		 */
> +		ret = update_storage(map_fd, secureexec);
> +		if (ret)
> +			exit(ret);
> +
> +		/* If the binary is executed with securexec=1, the dynamic
> +		 * loader ingores and unsets certain variables like LD_PRELOAD,
> +		 * TMPDIR etc. TMPDIR is used here to simplify the example, as
> +		 * LD_PRELOAD requires a real .so file.
> +		 *
> +		 * If the value of TMPDIR is set, the bash command returns 10
> +		 * and if the value is unset, it returns 20.
> +		 */
> +		ret = execle("/bin/bash", "bash", "-c",
> +			     "[[ -z \"${TMPDIR}\" ]] || exit 10 && exit 20",
> +			     NULL, bash_envp);
> +		if (ret)
It should never reach here?  May be just exit() unconditionally
instead of having a chance to fall-through and then return -EINVAL.

> +			exit(errno);
> +	} else if (child_pid > 0) {
> +		waitpid(child_pid, &child_status, 0);
> +		ret = WEXITSTATUS(child_status);
> +
> +		/* If a secureexec occured, the exit status should be 20.
> +		 */
> +		if (secureexec && ret == 20)
> +			return 0;
> +
> +		/* If normal execution happened the exit code should be 10.
> +		 */
> +		if (!secureexec && ret == 10)
> +			return 0;
> +
> +		return ret;
Any chance that ret may be 0?

> +	}
> +
> +	return -EINVAL;
> +}
> +
> +void test_test_bprm_opts(void)
> +{
> +	int err, duration = 0;
> +	struct bprm_opts *skel = NULL;
> +
> +	skel = bprm_opts__open_and_load();
> +	if (CHECK(!skel, "skel_load", "skeleton failed\n"))
> +		goto close_prog;
> +
> +	err = bprm_opts__attach(skel);
> +	if (CHECK(err, "attach", "attach failed: %d\n", err))
> +		goto close_prog;
> +
> +	/* Run the test with the secureexec bit unset */
> +	err = run_set_secureexec(bpf_map__fd(skel->maps.secure_exec_task_map),
> +				 0 /* secureexec */);
> +	if (CHECK(err, "run_set_secureexec:0", "err = %d", err))
nit. err = %d"\n"

> +		goto close_prog;
> +
> +	/* Run the test with the secureexec bit set */
> +	err = run_set_secureexec(bpf_map__fd(skel->maps.secure_exec_task_map),
> +				 1 /* secureexec */);
> +	if (CHECK(err, "run_set_secureexec:1", "err = %d", err))
Same here.

Others LGTM.