netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Andrii Nakryiko <andrii.nakryiko@gmail.com>
To: Stanislav Fomichev <sdf@google.com>
Cc: Networking <netdev@vger.kernel.org>, bpf <bpf@vger.kernel.org>,
	Alexei Starovoitov <ast@kernel.org>,
	Daniel Borkmann <daniel@iogearbox.net>
Subject: Re: [PATCH bpf-next 2/2] selftests/bpf: verify that rebinding to port < 1024 from BPF works
Date: Thu, 21 Jan 2021 16:24:25 -0800	[thread overview]
Message-ID: <CAEf4Bza6OeNMy9DH2Du8obSNfVFhg7wS1j9KgvR2ihOukEpNmw@mail.gmail.com> (raw)
In-Reply-To: <YAoXy0xcjhW8BftF@google.com>

On Thu, Jan 21, 2021 at 4:09 PM <sdf@google.com> wrote:
>
> On 01/21, Andrii Nakryiko wrote:
> > On Wed, Jan 20, 2021 at 7:16 PM Stanislav Fomichev <sdf@google.com> wrote:
> > >
> > > BPF rewrites from 111 to 111, but it still should mark the port as
> > > "changed".
> > > We also verify that if port isn't touched by BPF, it's still prohibited.
> > >
> > > Signed-off-by: Stanislav Fomichev <sdf@google.com>
> > > ---
> > >  .../selftests/bpf/prog_tests/bind_perm.c      | 88 +++++++++++++++++++
> > >  tools/testing/selftests/bpf/progs/bind_perm.c | 36 ++++++++
> > >  2 files changed, 124 insertions(+)
> > >  create mode 100644 tools/testing/selftests/bpf/prog_tests/bind_perm.c
> > >  create mode 100644 tools/testing/selftests/bpf/progs/bind_perm.c
> > >
> > > diff --git a/tools/testing/selftests/bpf/prog_tests/bind_perm.c
> > b/tools/testing/selftests/bpf/prog_tests/bind_perm.c
> > > new file mode 100644
> > > index 000000000000..840a04ac9042
> > > --- /dev/null
> > > +++ b/tools/testing/selftests/bpf/prog_tests/bind_perm.c
> > > @@ -0,0 +1,88 @@
> > > +// SPDX-License-Identifier: GPL-2.0
> > > +#include <test_progs.h>
> > > +#include "bind_perm.skel.h"
> > > +
> > > +#include <sys/types.h>
> > > +#include <sys/socket.h>
> > > +#include <sys/capability.h>
> > > +
> > > +static int duration;
> > > +
> > > +void try_bind(int port, int expected_errno)
> > > +{
> > > +       struct sockaddr_in sin = {};
> > > +       int fd = -1;
> > > +
> > > +       fd = socket(AF_INET, SOCK_STREAM, 0);
> > > +       if (CHECK(fd < 0, "fd", "errno %d", errno))
> > > +               goto close_socket;
> > > +
> > > +       sin.sin_family = AF_INET;
> > > +       sin.sin_port = htons(port);
> > > +
> > > +       errno = 0;
> > > +       bind(fd, (struct sockaddr *)&sin, sizeof(sin));
> > > +       CHECK(errno != expected_errno, "bind", "errno %d, expected %d",
> > > +             errno, expected_errno);
>
> > ASSERT_NEQ() is nicer
> Nice, didn't know these existed. Now we need ASSERT_GT/LE/GE/LE to also
> get rid of those other CHECKs :-)

When I was adding the initial set of ASSERT_XXX() I didn't think we'll
need all those variants, but it turns out they come up pretty
frequently. So while you might be joking, I think it's a good idea to
add them and start using them consistently.

>
> > > +
> > > +close_socket:
> > > +       if (fd >= 0)
> > > +               close(fd);
> > > +}
> > > +
> > > +void cap_net_bind_service(cap_flag_value_t flag)
> > > +{
> > > +       const cap_value_t cap_net_bind_service = CAP_NET_BIND_SERVICE;
> > > +       cap_t caps;
> > > +
> > > +       caps = cap_get_proc();
> > > +       if (CHECK(!caps, "cap_get_proc", "errno %d", errno))
> > > +               goto free_caps;
> > > +
> > > +       if (CHECK(cap_set_flag(caps, CAP_EFFECTIVE, 1,
> > &cap_net_bind_service,
> > > +                              CAP_CLEAR),
> > > +                 "cap_set_flag", "errno %d", errno))
> > > +               goto free_caps;
> > > +
> > > +       if (CHECK(cap_set_flag(caps, CAP_EFFECTIVE, 1,
> > &cap_net_bind_service,
> > > +                              CAP_CLEAR),
> > > +                 "cap_set_flag", "errno %d", errno))
> > > +               goto free_caps;
> > > +
> > > +       if (CHECK(cap_set_proc(caps), "cap_set_proc", "errno %d",
> > errno))
> > > +               goto free_caps;
> > > +
> > > +free_caps:
> > > +       if (CHECK(cap_free(caps), "cap_free", "errno %d", errno))
> > > +               goto free_caps;
> > > +}
> > > +
> > > +void test_bind_perm(void)
> > > +{
> > > +       struct bind_perm *skel;
> > > +       int cgroup_fd;
> > > +
> > > +       cgroup_fd = test__join_cgroup("/bind_perm");
> > > +       if (CHECK(cgroup_fd < 0, "cg-join", "errno %d", errno))
> > > +               return;
> > > +
> > > +       skel = bind_perm__open_and_load();
> > > +       if (CHECK(!skel, "skel-load", "errno %d", errno))
> > > +               goto close_cgroup_fd;
>
> > errno is irrelevant; also use ASSERT_PTR_OK() instead
> Ack, it might be worth unconditionally printing it in your ASSERT_XXX
> macros. Worst case - it's not used, but in general case avoids
> all this "errno %d" boilerplate.

Don't know about that, having unrelated errno everywhere is annoying
and misleading. I'd rather move away from relying on errno so much :)

>
> > > +
> > > +       skel->links.bind_v4_prog =
> > bpf_program__attach_cgroup(skel->progs.bind_v4_prog, cgroup_fd);
> > > +       if (CHECK(IS_ERR(skel->links.bind_v4_prog),
> > > +                 "cg-attach", "bind4 %ld",
> > > +                 PTR_ERR(skel->links.bind_v4_prog)))
>
> > try using ASSERT_PTR_OK instead
> Sure, thanks!

  reply	other threads:[~2021-01-22  0:25 UTC|newest]

Thread overview: 16+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-01-21  1:22 [PATCH bpf-next 1/2] bpf: allow rewriting to ports under ip_unprivileged_port_start Stanislav Fomichev
2021-01-21  1:22 ` [PATCH bpf-next 2/2] selftests/bpf: verify that rebinding to port < 1024 from BPF works Stanislav Fomichev
2021-01-21 22:33   ` Martin KaFai Lau
2021-01-21 22:57     ` sdf
2021-01-21 23:50       ` Martin KaFai Lau
2021-01-22  0:30         ` sdf
2021-01-22  1:27           ` Martin KaFai Lau
2021-01-22 16:16             ` sdf
2021-01-22 19:38               ` Martin KaFai Lau
2021-01-22 19:56                 ` Stanislav Fomichev
2021-01-21 23:53   ` Andrii Nakryiko
2021-01-22  0:09     ` sdf
2021-01-22  0:24       ` Andrii Nakryiko [this message]
2021-01-22 19:37 ` [PATCH bpf-next 1/2] bpf: allow rewriting to ports under ip_unprivileged_port_start Andrey Ignatov
2021-01-22 19:53   ` Stanislav Fomichev
2021-01-22 20:08     ` Andrey Ignatov

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=CAEf4Bza6OeNMy9DH2Du8obSNfVFhg7wS1j9KgvR2ihOukEpNmw@mail.gmail.com \
    --to=andrii.nakryiko@gmail.com \
    --cc=ast@kernel.org \
    --cc=bpf@vger.kernel.org \
    --cc=daniel@iogearbox.net \
    --cc=netdev@vger.kernel.org \
    --cc=sdf@google.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).