From: Roberto Sassu <roberto.sassu@huaweicloud.com>
To: ast@kernel.org, daniel@iogearbox.net, andrii@kernel.org,
	martin.lau@linux.dev, song@kernel.org, yhs@fb.com,
	john.fastabend@gmail.com, kpsingh@kernel.org, sdf@google.com,
	haoluo@google.com, jolsa@kernel.org, mykolal@fb.com,
	dhowells@redhat.com, jarkko@kernel.org, rostedt@goodmis.org,
	mingo@redhat.com, paul@paul-moore.com, jmorris@namei.org,
	serge@hallyn.com, shuah@kernel.org
Cc: bpf@vger.kernel.org, keyrings@vger.kernel.org,
	linux-security-module@vger.kernel.org,
	linux-kselftest@vger.kernel.org, linux-kernel@vger.kernel.org,
	deso@posteo.net, memxor@gmail.com,
	Roberto Sassu <roberto.sassu@huawei.com>
Subject: [PATCH v16 12/12] selftests/bpf: Add tests for dynamic pointers parameters in kfuncs
Date: Mon,  5 Sep 2022 16:33:18 +0200	[thread overview]
Message-ID: <20220905143318.1592015-13-roberto.sassu@huaweicloud.com> (raw)
In-Reply-To: <20220905143318.1592015-1-roberto.sassu@huaweicloud.com>

From: Roberto Sassu <roberto.sassu@huawei.com>

Add tests to ensure that only supported dynamic pointer types are accepted,
that the passed argument is actually a dynamic pointer, and that the passed
argument is a pointer to the stack.

The tests are currently in the deny list for s390x (JIT does not support
calling kernel function).

Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
---
 tools/testing/selftests/bpf/DENYLIST.s390x    |   1 +
 .../bpf/prog_tests/kfunc_dynptr_param.c       | 103 ++++++++++++++++++
 .../bpf/progs/test_kfunc_dynptr_param.c       |  57 ++++++++++
 3 files changed, 161 insertions(+)
 create mode 100644 tools/testing/selftests/bpf/prog_tests/kfunc_dynptr_param.c
 create mode 100644 tools/testing/selftests/bpf/progs/test_kfunc_dynptr_param.c

diff --git a/tools/testing/selftests/bpf/DENYLIST.s390x b/tools/testing/selftests/bpf/DENYLIST.s390x
index 4e305baa5277..9a6dc3671c65 100644
--- a/tools/testing/selftests/bpf/DENYLIST.s390x
+++ b/tools/testing/selftests/bpf/DENYLIST.s390x
@@ -71,3 +71,4 @@ cgroup_hierarchical_stats                # JIT does not support calling kernel f
 htab_update                              # failed to attach: ERROR: strerror_r(-524)=22                                (trampoline)
 lookup_key                               # JIT does not support calling kernel function                                (kfunc)
 verify_pkcs7_sig                         # JIT does not support calling kernel function                                (kfunc)
+kfunc_dynptr_param                       # JIT does not support calling kernel function                                (kfunc)
diff --git a/tools/testing/selftests/bpf/prog_tests/kfunc_dynptr_param.c b/tools/testing/selftests/bpf/prog_tests/kfunc_dynptr_param.c
new file mode 100644
index 000000000000..ea655a5c9d8b
--- /dev/null
+++ b/tools/testing/selftests/bpf/prog_tests/kfunc_dynptr_param.c
@@ -0,0 +1,103 @@
+// SPDX-License-Identifier: GPL-2.0
+
+/*
+ * Copyright (c) 2022 Facebook
+ * Copyright (C) 2022 Huawei Technologies Duesseldorf GmbH
+ *
+ * Author: Roberto Sassu <roberto.sassu@huawei.com>
+ */
+
+#include <test_progs.h>
+#include "test_kfunc_dynptr_param.skel.h"
+
+static size_t log_buf_sz = 1048576; /* 1 MB */
+static char obj_log_buf[1048576];
+
+static struct {
+	const char *prog_name;
+	const char *expected_err_msg;
+} kfunc_dynptr_tests[] = {
+	{"dynptr_type_not_supp",
+	 "arg#0 pointer type STRUCT bpf_dynptr_kern points to unsupported dynamic pointer type"},
+	{"not_valid_dynptr",
+	 "arg#0 pointer type STRUCT bpf_dynptr_kern must be valid and initialized"},
+	{"not_ptr_to_stack", "arg#0 pointer type STRUCT bpf_dynptr_kern not to stack"},
+};
+
+static bool kfunc_not_supported;
+
+static int libbpf_print_cb(enum libbpf_print_level level, const char *fmt,
+			   va_list args)
+{
+	if (strcmp(fmt, "libbpf: extern (func ksym) '%s': not found in kernel or module BTFs\n"))
+		return 0;
+
+	if (strcmp(va_arg(args, char *), "bpf_verify_pkcs7_signature"))
+		return 0;
+
+	kfunc_not_supported = true;
+	return 0;
+}
+
+static void verify_fail(const char *prog_name, const char *expected_err_msg)
+{
+	struct test_kfunc_dynptr_param *skel;
+	LIBBPF_OPTS(bpf_object_open_opts, opts);
+	libbpf_print_fn_t old_print_cb;
+	struct bpf_program *prog;
+	int err;
+
+	opts.kernel_log_buf = obj_log_buf;
+	opts.kernel_log_size = log_buf_sz;
+	opts.kernel_log_level = 1;
+
+	skel = test_kfunc_dynptr_param__open_opts(&opts);
+	if (!ASSERT_OK_PTR(skel, "test_kfunc_dynptr_param__open_opts"))
+		goto cleanup;
+
+	prog = bpf_object__find_program_by_name(skel->obj, prog_name);
+	if (!ASSERT_OK_PTR(prog, "bpf_object__find_program_by_name"))
+		goto cleanup;
+
+	bpf_program__set_autoload(prog, true);
+
+	bpf_map__set_max_entries(skel->maps.ringbuf, getpagesize());
+
+	kfunc_not_supported = false;
+
+	old_print_cb = libbpf_set_print(libbpf_print_cb);
+	err = test_kfunc_dynptr_param__load(skel);
+	libbpf_set_print(old_print_cb);
+
+	if (err < 0 && kfunc_not_supported) {
+		fprintf(stderr,
+		  "%s:SKIP:bpf_verify_pkcs7_signature() kfunc not supported\n",
+		  __func__);
+		test__skip();
+		goto cleanup;
+	}
+
+	if (!ASSERT_ERR(err, "unexpected load success"))
+		goto cleanup;
+
+	if (!ASSERT_OK_PTR(strstr(obj_log_buf, expected_err_msg), "expected_err_msg")) {
+		fprintf(stderr, "Expected err_msg: %s\n", expected_err_msg);
+		fprintf(stderr, "Verifier output: %s\n", obj_log_buf);
+	}
+
+cleanup:
+	test_kfunc_dynptr_param__destroy(skel);
+}
+
+void test_kfunc_dynptr_param(void)
+{
+	int i;
+
+	for (i = 0; i < ARRAY_SIZE(kfunc_dynptr_tests); i++) {
+		if (!test__start_subtest(kfunc_dynptr_tests[i].prog_name))
+			continue;
+
+		verify_fail(kfunc_dynptr_tests[i].prog_name,
+			    kfunc_dynptr_tests[i].expected_err_msg);
+	}
+}
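Review bot: `obj_log_buf` is a file-scope buffer shared by every subtest, and `verify_fail()` never clears it before calling `test_kfunc_dynptr_param__load()`. If a load fails before the verifier writes anything, the `strstr()` check and the "Verifier output" diagnostic would be reading the previous subtest's log. The three expected messages differ, so a false pass looks unlikely here, but resetting the buffer with `obj_log_buf[0] = '\0';` just before the load ties each negative test to its own rejection. The buffer size is also spelled out twice (`log_buf_sz` and the array bound); `opts.kernel_log_size = sizeof(obj_log_buf);` would keep the two from drifting apart.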
diff --git a/tools/testing/selftests/bpf/progs/test_kfunc_dynptr_param.c b/tools/testing/selftests/bpf/progs/test_kfunc_dynptr_param.c
new file mode 100644
index 000000000000..2f09f91a1576
--- /dev/null
+++ b/tools/testing/selftests/bpf/progs/test_kfunc_dynptr_param.c
@@ -0,0 +1,57 @@
+// SPDX-License-Identifier: GPL-2.0
+
+/*
+ * Copyright (C) 2022 Huawei Technologies Duesseldorf GmbH
+ *
+ * Author: Roberto Sassu <roberto.sassu@huawei.com>
+ */
+
+#include "vmlinux.h"
+#include <errno.h>
+#include <bpf/bpf_helpers.h>
+#include <bpf/bpf_tracing.h>
+
+struct bpf_dynptr {
+	__u64 :64;
+	__u64 :64;
+} __attribute__((aligned(8)));
+
+extern int bpf_verify_pkcs7_signature(struct bpf_dynptr *data_ptr,
+				      struct bpf_dynptr *sig_ptr,
+				      struct bpf_key *trusted_keyring) __ksym;
+
+struct {
+	__uint(type, BPF_MAP_TYPE_RINGBUF);
+} ringbuf SEC(".maps");
+
+char _license[] SEC("license") = "GPL";
+
+SEC("?lsm.s/bpf")
+int BPF_PROG(dynptr_type_not_supp, int cmd, union bpf_attr *attr,
+	     unsigned int size)
+{
+	char write_data[64] = "hello there, world!!";
+	struct bpf_dynptr ptr;
+
+	bpf_ringbuf_reserve_dynptr(&ringbuf, sizeof(write_data), 0, &ptr);
+
+	return bpf_verify_pkcs7_signature(&ptr, &ptr, NULL);
+}
+
+SEC("?lsm.s/bpf")
+int BPF_PROG(not_valid_dynptr, int cmd, union bpf_attr *attr, unsigned int size)
+{
+	unsigned long val;
+
+	return bpf_verify_pkcs7_signature((struct bpf_dynptr *)&val,
+					  (struct bpf_dynptr *)&val, NULL);
+}
+
+SEC("?lsm.s/bpf")
+int BPF_PROG(not_ptr_to_stack, int cmd, union bpf_attr *attr, unsigned int size)
+{
+	unsigned long val;
+
+	return bpf_verify_pkcs7_signature((struct bpf_dynptr *)val,
+					  (struct bpf_dynptr *)val, NULL);
+}
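Review bot: `not_ptr_to_stack` casts the value of `val` to a pointer without ever initialising it, so the program reads an indeterminate local and the source does not pin down which instructions the compiler emits for the argument. The verifier message matched by the userspace test may therefore depend on codegen rather than on the "not to stack" check itself. If the verifier still reports that message for a defined scalar, `unsigned long val = 0;` would make the case deterministic; otherwise a comment such as `/* val is deliberately a scalar, not a stack pointer: the kfunc must reject it */` would at least record the intent. A matching one-line comment on `not_valid_dynptr` (a stack slot never initialised as a dynptr) and on `dynptr_type_not_supp` (a ringbuf dynptr, which is never submitted or discarded because the load is expected to fail) would make clear which check each program targets.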
-- 
2.25.1

