1 // SPDX-License-Identifier: GPL-2.0
3 #include <test_progs.h>
4 #include "cgroup_helpers.h"
6 #define TEST_NS "sock_post_bind"
8 static char bpf_log_buf[4096];
10 static struct sock_post_bind_test {
12 /* BPF prog properties */
13 const struct bpf_insn insns[64];
14 enum bpf_attach_type attach_type;
15 enum bpf_attach_type expected_attach_type;
16 /* Socket properties */
19 /* Endpoint to bind() to */
22 unsigned short port_retry;
24 /* Expected test result */
34 .descr = "attach type mismatch bind4 vs bind6",
36 BPF_MOV64_IMM(BPF_REG_0, 1),
39 .expected_attach_type = BPF_CGROUP_INET4_POST_BIND,
40 .attach_type = BPF_CGROUP_INET6_POST_BIND,
41 .result = ATTACH_REJECT,
44 .descr = "attach type mismatch bind6 vs bind4",
46 BPF_MOV64_IMM(BPF_REG_0, 1),
49 .expected_attach_type = BPF_CGROUP_INET6_POST_BIND,
50 .attach_type = BPF_CGROUP_INET4_POST_BIND,
51 .result = ATTACH_REJECT,
54 .descr = "attach type mismatch default vs bind4",
56 BPF_MOV64_IMM(BPF_REG_0, 1),
59 .expected_attach_type = 0,
60 .attach_type = BPF_CGROUP_INET4_POST_BIND,
61 .result = ATTACH_REJECT,
64 .descr = "attach type mismatch bind6 vs sock_create",
66 BPF_MOV64_IMM(BPF_REG_0, 1),
69 .expected_attach_type = BPF_CGROUP_INET6_POST_BIND,
70 .attach_type = BPF_CGROUP_INET_SOCK_CREATE,
71 .result = ATTACH_REJECT,
74 .descr = "bind4 reject all",
76 BPF_MOV64_IMM(BPF_REG_0, 0),
79 .expected_attach_type = BPF_CGROUP_INET4_POST_BIND,
80 .attach_type = BPF_CGROUP_INET4_POST_BIND,
84 .result = BIND_REJECT,
87 .descr = "bind6 reject all",
89 BPF_MOV64_IMM(BPF_REG_0, 0),
92 .expected_attach_type = BPF_CGROUP_INET6_POST_BIND,
93 .attach_type = BPF_CGROUP_INET6_POST_BIND,
97 .result = BIND_REJECT,
100 .descr = "bind6 deny specific IP & port",
102 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
104 /* if (ip == expected && port == expected) */
105 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_6,
106 offsetof(struct bpf_sock, src_ip6[3])),
107 BPF_JMP_IMM(BPF_JNE, BPF_REG_7,
108 __bpf_constant_ntohl(0x00000001), 4),
109 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_6,
110 offsetof(struct bpf_sock, src_port)),
111 BPF_JMP_IMM(BPF_JNE, BPF_REG_7, 0x2001, 2),
114 BPF_MOV64_IMM(BPF_REG_0, 0),
117 /* else return ALLOW; */
118 BPF_MOV64_IMM(BPF_REG_0, 1),
121 .expected_attach_type = BPF_CGROUP_INET6_POST_BIND,
122 .attach_type = BPF_CGROUP_INET6_POST_BIND,
127 .result = BIND_REJECT,
130 .descr = "bind4 allow specific IP & port",
132 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
134 /* if (ip == expected && port == expected) */
135 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_6,
136 offsetof(struct bpf_sock, src_ip4)),
137 BPF_JMP_IMM(BPF_JNE, BPF_REG_7,
138 __bpf_constant_ntohl(0x7F000001), 4),
139 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_6,
140 offsetof(struct bpf_sock, src_port)),
141 BPF_JMP_IMM(BPF_JNE, BPF_REG_7, 0x1002, 2),
144 BPF_MOV64_IMM(BPF_REG_0, 1),
147 /* else return DENY; */
148 BPF_MOV64_IMM(BPF_REG_0, 0),
151 .expected_attach_type = BPF_CGROUP_INET4_POST_BIND,
152 .attach_type = BPF_CGROUP_INET4_POST_BIND,
160 .descr = "bind4 deny specific IP & port of TCP, and retry",
162 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
164 /* if (ip == expected && port == expected) */
165 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_6,
166 offsetof(struct bpf_sock, src_ip4)),
167 BPF_JMP_IMM(BPF_JNE, BPF_REG_7,
168 __bpf_constant_ntohl(0x7F000001), 4),
169 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_6,
170 offsetof(struct bpf_sock, src_port)),
171 BPF_JMP_IMM(BPF_JNE, BPF_REG_7, 0x1002, 2),
174 BPF_MOV64_IMM(BPF_REG_0, 0),
177 /* else return ALLOW; */
178 BPF_MOV64_IMM(BPF_REG_0, 1),
181 .expected_attach_type = BPF_CGROUP_INET4_POST_BIND,
182 .attach_type = BPF_CGROUP_INET4_POST_BIND,
188 .result = RETRY_SUCCESS,
191 .descr = "bind4 deny specific IP & port of UDP, and retry",
193 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
195 /* if (ip == expected && port == expected) */
196 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_6,
197 offsetof(struct bpf_sock, src_ip4)),
198 BPF_JMP_IMM(BPF_JNE, BPF_REG_7,
199 __bpf_constant_ntohl(0x7F000001), 4),
200 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_6,
201 offsetof(struct bpf_sock, src_port)),
202 BPF_JMP_IMM(BPF_JNE, BPF_REG_7, 0x1002, 2),
205 BPF_MOV64_IMM(BPF_REG_0, 0),
208 /* else return ALLOW; */
209 BPF_MOV64_IMM(BPF_REG_0, 1),
212 .expected_attach_type = BPF_CGROUP_INET4_POST_BIND,
213 .attach_type = BPF_CGROUP_INET4_POST_BIND,
219 .result = RETRY_SUCCESS,
222 .descr = "bind6 deny specific IP & port, and retry",
224 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
226 /* if (ip == expected && port == expected) */
227 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_6,
228 offsetof(struct bpf_sock, src_ip6[3])),
229 BPF_JMP_IMM(BPF_JNE, BPF_REG_7,
230 __bpf_constant_ntohl(0x00000001), 4),
231 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_6,
232 offsetof(struct bpf_sock, src_port)),
233 BPF_JMP_IMM(BPF_JNE, BPF_REG_7, 0x2001, 2),
236 BPF_MOV64_IMM(BPF_REG_0, 0),
239 /* else return ALLOW; */
240 BPF_MOV64_IMM(BPF_REG_0, 1),
243 .expected_attach_type = BPF_CGROUP_INET6_POST_BIND,
244 .attach_type = BPF_CGROUP_INET6_POST_BIND,
250 .result = RETRY_SUCCESS,
253 .descr = "bind4 allow all",
255 BPF_MOV64_IMM(BPF_REG_0, 1),
258 .expected_attach_type = BPF_CGROUP_INET4_POST_BIND,
259 .attach_type = BPF_CGROUP_INET4_POST_BIND,
266 .descr = "bind6 allow all",
268 BPF_MOV64_IMM(BPF_REG_0, 1),
271 .expected_attach_type = BPF_CGROUP_INET6_POST_BIND,
272 .attach_type = BPF_CGROUP_INET6_POST_BIND,
280 static int load_prog(const struct bpf_insn *insns,
281 enum bpf_attach_type expected_attach_type)
283 LIBBPF_OPTS(bpf_prog_load_opts, opts,
284 .expected_attach_type = expected_attach_type,
286 .log_buf = bpf_log_buf,
287 .log_size = sizeof(bpf_log_buf),
289 int fd, insns_cnt = 0;
292 insns[insns_cnt].code != (BPF_JMP | BPF_EXIT);
297 fd = bpf_prog_load(BPF_PROG_TYPE_CGROUP_SOCK, NULL, "GPL", insns,
300 fprintf(stderr, "%s\n", bpf_log_buf);
305 static int bind_sock(int domain, int type, const char *ip,
306 unsigned short port, unsigned short port_retry)
308 struct sockaddr_storage addr;
309 struct sockaddr_in6 *addr6;
310 struct sockaddr_in *addr4;
315 sockfd = socket(domain, type, 0);
319 memset(&addr, 0, sizeof(addr));
321 if (domain == AF_INET) {
322 len = sizeof(struct sockaddr_in);
323 addr4 = (struct sockaddr_in *)&addr;
324 addr4->sin_family = domain;
325 addr4->sin_port = htons(port);
326 if (inet_pton(domain, ip, (void *)&addr4->sin_addr) != 1)
328 } else if (domain == AF_INET6) {
329 len = sizeof(struct sockaddr_in6);
330 addr6 = (struct sockaddr_in6 *)&addr;
331 addr6->sin6_family = domain;
332 addr6->sin6_port = htons(port);
333 if (inet_pton(domain, ip, (void *)&addr6->sin6_addr) != 1)
339 if (bind(sockfd, (const struct sockaddr *)&addr, len) == -1) {
340 /* sys_bind() may fail for different reasons, errno has to be
341 * checked to confirm that BPF program rejected it.
353 if (domain == AF_INET)
354 addr4->sin_port = htons(port_retry);
356 addr6->sin6_port = htons(port_retry);
357 if (bind(sockfd, (const struct sockaddr *)&addr, len) == -1) {
372 static int run_test(int cgroup_fd, struct sock_post_bind_test *test)
374 int err, prog_fd, res, ret = 0;
376 prog_fd = load_prog(test->insns, test->expected_attach_type);
380 err = bpf_prog_attach(prog_fd, cgroup_fd, test->attach_type, 0);
382 if (test->result == ATTACH_REJECT)
388 res = bind_sock(test->domain, test->type, test->ip, test->port,
390 if (res > 0 && test->result == res)
395 /* Detaching w/o checking return code: best effort attempt. */
397 bpf_prog_detach(cgroup_fd, test->attach_type);
402 void test_sock_post_bind(void)
404 struct netns_obj *ns;
408 cgroup_fd = test__join_cgroup("/post_bind");
409 if (!ASSERT_OK_FD(cgroup_fd, "join_cgroup"))
412 ns = netns_new(TEST_NS, true);
413 if (!ASSERT_OK_PTR(ns, "netns_new"))
416 for (i = 0; i < ARRAY_SIZE(tests); i++) {
417 if (!test__start_subtest(tests[i].descr))
420 ASSERT_OK(run_test(cgroup_fd, &tests[i]), tests[i].descr);