1 // SPDX-License-Identifier: GPL-2.0
2 /* Copyright (c) 2023 Meta Platforms, Inc. and affiliates. */
4 #include <test_progs.h>
6 #include "cap_helpers.h"
11 #include <linux/filter.h>
12 #include <linux/unistd.h>
13 #include <linux/mount.h>
14 #include <sys/socket.h>
16 #include <sys/syscall.h>
18 #include "priv_map.skel.h"
19 #include "priv_prog.skel.h"
20 #include "dummy_st_ops_success.skel.h"
21 #include "token_lsm.skel.h"
23 static inline int sys_mount(const char *dev_name, const char *dir_name,
24 const char *type, unsigned long flags,
27 return syscall(__NR_mount, dev_name, dir_name, type, flags, data);
30 static inline int sys_fsopen(const char *fsname, unsigned flags)
32 return syscall(__NR_fsopen, fsname, flags);
35 static inline int sys_fspick(int dfd, const char *path, unsigned flags)
37 return syscall(__NR_fspick, dfd, path, flags);
40 static inline int sys_fsconfig(int fs_fd, unsigned cmd, const char *key, const void *val, int aux)
42 return syscall(__NR_fsconfig, fs_fd, cmd, key, val, aux);
45 static inline int sys_fsmount(int fs_fd, unsigned flags, unsigned ms_flags)
47 return syscall(__NR_fsmount, fs_fd, flags, ms_flags);
50 static inline int sys_move_mount(int from_dfd, const char *from_path,
51 int to_dfd, const char *to_path,
54 return syscall(__NR_move_mount, from_dfd, from_path, to_dfd, to_path, flags);
57 static int drop_priv_caps(__u64 *old_caps)
59 return cap_disable_effective((1ULL << CAP_BPF) |
60 (1ULL << CAP_PERFMON) |
61 (1ULL << CAP_NET_ADMIN) |
62 (1ULL << CAP_SYS_ADMIN), old_caps);
65 static int restore_priv_caps(__u64 old_caps)
67 return cap_enable_effective(old_caps, NULL);
70 static int set_delegate_mask(int fs_fd, const char *key, __u64 mask, const char *mask_str)
79 snprintf(buf, sizeof(buf), "0x%llx", (unsigned long long)mask);
84 err = sys_fsconfig(fs_fd, FSCONFIG_SET_STRING, key,
91 #define zclose(fd) do { if (fd >= 0) close(fd); fd = -1; } while (0)
100 const char *progs_str;
101 const char *attachs_str;
104 static int create_bpffs_fd(void)
108 /* create VFS context */
109 fs_fd = sys_fsopen("bpf", 0);
110 ASSERT_GE(fs_fd, 0, "fs_fd");
115 static int materialize_bpffs_fd(int fs_fd, struct bpffs_opts *opts)
119 /* set up token delegation mount options */
120 err = set_delegate_mask(fs_fd, "delegate_cmds", opts->cmds, opts->cmds_str);
121 if (!ASSERT_OK(err, "fs_cfg_cmds"))
123 err = set_delegate_mask(fs_fd, "delegate_maps", opts->maps, opts->maps_str);
124 if (!ASSERT_OK(err, "fs_cfg_maps"))
126 err = set_delegate_mask(fs_fd, "delegate_progs", opts->progs, opts->progs_str);
127 if (!ASSERT_OK(err, "fs_cfg_progs"))
129 err = set_delegate_mask(fs_fd, "delegate_attachs", opts->attachs, opts->attachs_str);
130 if (!ASSERT_OK(err, "fs_cfg_attachs"))
133 /* instantiate FS object */
134 err = sys_fsconfig(fs_fd, FSCONFIG_CMD_CREATE, NULL, NULL, 0);
138 /* create O_PATH fd for detached mount */
139 mnt_fd = sys_fsmount(fs_fd, 0, 0);
146 /* send FD over Unix domain (AF_UNIX) socket */
147 static int sendfd(int sockfd, int fd)
149 struct msghdr msg = {};
150 struct cmsghdr *cmsg;
151 int fds[1] = { fd }, err;
155 .iov_len = sizeof(iobuf),
158 char buf[CMSG_SPACE(sizeof(fds))];
159 struct cmsghdr align;
164 msg.msg_control = u.buf;
165 msg.msg_controllen = sizeof(u.buf);
166 cmsg = CMSG_FIRSTHDR(&msg);
167 cmsg->cmsg_level = SOL_SOCKET;
168 cmsg->cmsg_type = SCM_RIGHTS;
169 cmsg->cmsg_len = CMSG_LEN(sizeof(fds));
170 memcpy(CMSG_DATA(cmsg), fds, sizeof(fds));
172 err = sendmsg(sockfd, &msg, 0);
175 if (!ASSERT_EQ(err, 1, "sendmsg"))
181 /* receive FD over Unix domain (AF_UNIX) socket */
182 static int recvfd(int sockfd, int *fd)
184 struct msghdr msg = {};
185 struct cmsghdr *cmsg;
190 .iov_len = sizeof(iobuf),
193 char buf[CMSG_SPACE(sizeof(fds))];
194 struct cmsghdr align;
199 msg.msg_control = u.buf;
200 msg.msg_controllen = sizeof(u.buf);
202 err = recvmsg(sockfd, &msg, 0);
205 if (!ASSERT_EQ(err, 1, "recvmsg"))
208 cmsg = CMSG_FIRSTHDR(&msg);
209 if (!ASSERT_OK_PTR(cmsg, "cmsg_null") ||
210 !ASSERT_EQ(cmsg->cmsg_len, CMSG_LEN(sizeof(fds)), "cmsg_len") ||
211 !ASSERT_EQ(cmsg->cmsg_level, SOL_SOCKET, "cmsg_level") ||
212 !ASSERT_EQ(cmsg->cmsg_type, SCM_RIGHTS, "cmsg_type"))
215 memcpy(fds, CMSG_DATA(cmsg), sizeof(fds));
221 static ssize_t write_nointr(int fd, const void *buf, size_t count)
226 ret = write(fd, buf, count);
227 } while (ret < 0 && errno == EINTR);
232 static int write_file(const char *path, const void *buf, size_t count)
237 fd = open(path, O_WRONLY | O_CLOEXEC | O_NOCTTY | O_NOFOLLOW);
241 ret = write_nointr(fd, buf, count);
243 if (ret < 0 || (size_t)ret != count)
249 static int create_and_enter_userns(void)
258 if (unshare(CLONE_NEWUSER))
261 if (write_file("/proc/self/setgroups", "deny", sizeof("deny") - 1) &&
265 snprintf(map, sizeof(map), "0 %d 1", uid);
266 if (write_file("/proc/self/uid_map", map, strlen(map)))
270 snprintf(map, sizeof(map), "0 %d 1", gid);
271 if (write_file("/proc/self/gid_map", map, strlen(map)))
283 typedef int (*child_callback_fn)(int bpffs_fd, struct token_lsm *lsm_skel);
285 static void child(int sock_fd, struct bpffs_opts *opts, child_callback_fn callback)
287 int mnt_fd = -1, fs_fd = -1, err = 0, bpffs_fd = -1, token_fd = -1;
288 struct token_lsm *lsm_skel = NULL;
290 /* load and attach LSM "policy" before we go into unpriv userns */
291 lsm_skel = token_lsm__open_and_load();
292 if (!ASSERT_OK_PTR(lsm_skel, "lsm_skel_load")) {
296 lsm_skel->bss->my_pid = getpid();
297 err = token_lsm__attach(lsm_skel);
298 if (!ASSERT_OK(err, "lsm_skel_attach"))
301 /* setup userns with root mappings */
302 err = create_and_enter_userns();
303 if (!ASSERT_OK(err, "create_and_enter_userns"))
306 /* setup mountns to allow creating BPF FS (fsopen("bpf")) from unpriv process */
307 err = unshare(CLONE_NEWNS);
308 if (!ASSERT_OK(err, "create_mountns"))
311 err = sys_mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, 0);
312 if (!ASSERT_OK(err, "remount_root"))
315 fs_fd = create_bpffs_fd();
316 if (!ASSERT_GE(fs_fd, 0, "create_bpffs_fd")) {
321 /* ensure unprivileged child cannot set delegation options */
322 err = set_delegate_mask(fs_fd, "delegate_cmds", 0x1, NULL);
323 ASSERT_EQ(err, -EPERM, "delegate_cmd_eperm");
324 err = set_delegate_mask(fs_fd, "delegate_maps", 0x1, NULL);
325 ASSERT_EQ(err, -EPERM, "delegate_maps_eperm");
326 err = set_delegate_mask(fs_fd, "delegate_progs", 0x1, NULL);
327 ASSERT_EQ(err, -EPERM, "delegate_progs_eperm");
328 err = set_delegate_mask(fs_fd, "delegate_attachs", 0x1, NULL);
329 ASSERT_EQ(err, -EPERM, "delegate_attachs_eperm");
331 /* pass BPF FS context object to parent */
332 err = sendfd(sock_fd, fs_fd);
333 if (!ASSERT_OK(err, "send_fs_fd"))
337 /* avoid mucking around with mount namespaces and mounting at
338 * well-known path, just get detach-mounted BPF FS fd back from parent
340 err = recvfd(sock_fd, &mnt_fd);
341 if (!ASSERT_OK(err, "recv_mnt_fd"))
344 /* try to fspick() BPF FS and try to add some delegation options */
345 fs_fd = sys_fspick(mnt_fd, "", FSPICK_EMPTY_PATH);
346 if (!ASSERT_GE(fs_fd, 0, "bpffs_fspick")) {
351 /* ensure unprivileged child cannot reconfigure to set delegation options */
352 err = set_delegate_mask(fs_fd, "delegate_cmds", 0, "any");
353 if (!ASSERT_EQ(err, -EPERM, "delegate_cmd_eperm_reconfig")) {
357 err = set_delegate_mask(fs_fd, "delegate_maps", 0, "any");
358 if (!ASSERT_EQ(err, -EPERM, "delegate_maps_eperm_reconfig")) {
362 err = set_delegate_mask(fs_fd, "delegate_progs", 0, "any");
363 if (!ASSERT_EQ(err, -EPERM, "delegate_progs_eperm_reconfig")) {
367 err = set_delegate_mask(fs_fd, "delegate_attachs", 0, "any");
368 if (!ASSERT_EQ(err, -EPERM, "delegate_attachs_eperm_reconfig")) {
374 bpffs_fd = openat(mnt_fd, ".", 0, O_RDWR);
375 if (!ASSERT_GE(bpffs_fd, 0, "bpffs_open")) {
380 /* create BPF token FD and pass it to parent for some extra checks */
381 token_fd = bpf_token_create(bpffs_fd, NULL);
382 if (!ASSERT_GT(token_fd, 0, "child_token_create")) {
386 err = sendfd(sock_fd, token_fd);
387 if (!ASSERT_OK(err, "send_token_fd"))
391 /* do custom test logic with customly set up BPF FS instance */
392 err = callback(bpffs_fd, lsm_skel);
393 if (!ASSERT_OK(err, "test_callback"))
404 lsm_skel->bss->my_pid = 0;
405 token_lsm__destroy(lsm_skel);
410 static int wait_for_pid(pid_t pid)
415 ret = waitpid(pid, &status, 0);
423 if (!WIFEXITED(status))
426 return WEXITSTATUS(status);
429 static void parent(int child_pid, struct bpffs_opts *bpffs_opts, int sock_fd)
431 int fs_fd = -1, mnt_fd = -1, token_fd = -1, err;
433 err = recvfd(sock_fd, &fs_fd);
434 if (!ASSERT_OK(err, "recv_bpffs_fd"))
437 mnt_fd = materialize_bpffs_fd(fs_fd, bpffs_opts);
438 if (!ASSERT_GE(mnt_fd, 0, "materialize_bpffs_fd")) {
444 /* pass BPF FS context object to parent */
445 err = sendfd(sock_fd, mnt_fd);
446 if (!ASSERT_OK(err, "send_mnt_fd"))
450 /* receive BPF token FD back from child for some extra tests */
451 err = recvfd(sock_fd, &token_fd);
452 if (!ASSERT_OK(err, "recv_token_fd"))
455 err = wait_for_pid(child_pid);
456 ASSERT_OK(err, "waitpid_child");
465 (void)kill(child_pid, SIGKILL);
468 static void subtest_userns(struct bpffs_opts *bpffs_opts,
469 child_callback_fn child_cb)
471 int sock_fds[2] = { -1, -1 };
472 int child_pid = 0, err;
474 err = socketpair(AF_UNIX, SOCK_STREAM, 0, sock_fds);
475 if (!ASSERT_OK(err, "socketpair"))
479 if (!ASSERT_GE(child_pid, 0, "fork"))
482 if (child_pid == 0) {
484 return child(sock_fds[1], bpffs_opts, child_cb);
488 return parent(child_pid, bpffs_opts, sock_fds[0]);
495 (void)kill(child_pid, SIGKILL);
498 static int userns_map_create(int mnt_fd, struct token_lsm *lsm_skel)
500 LIBBPF_OPTS(bpf_map_create_opts, map_opts);
501 int err, token_fd = -1, map_fd = -1;
504 /* create BPF token from BPF FS mount */
505 token_fd = bpf_token_create(mnt_fd, NULL);
506 if (!ASSERT_GT(token_fd, 0, "token_create")) {
511 /* while inside non-init userns, we need both a BPF token *and*
512 * CAP_BPF inside current userns to create privileged map; let's test
513 * that neither BPF token alone nor namespaced CAP_BPF is sufficient
515 err = drop_priv_caps(&old_caps);
516 if (!ASSERT_OK(err, "drop_caps"))
519 /* no token, no CAP_BPF -> fail */
520 map_opts.map_flags = 0;
521 map_opts.token_fd = 0;
522 map_fd = bpf_map_create(BPF_MAP_TYPE_STACK, "wo_token_wo_bpf", 0, 8, 1, &map_opts);
523 if (!ASSERT_LT(map_fd, 0, "stack_map_wo_token_wo_cap_bpf_should_fail")) {
528 /* token without CAP_BPF -> fail */
529 map_opts.map_flags = BPF_F_TOKEN_FD;
530 map_opts.token_fd = token_fd;
531 map_fd = bpf_map_create(BPF_MAP_TYPE_STACK, "w_token_wo_bpf", 0, 8, 1, &map_opts);
532 if (!ASSERT_LT(map_fd, 0, "stack_map_w_token_wo_cap_bpf_should_fail")) {
537 /* get back effective local CAP_BPF (and CAP_SYS_ADMIN) */
538 err = restore_priv_caps(old_caps);
539 if (!ASSERT_OK(err, "restore_caps"))
542 /* CAP_BPF without token -> fail */
543 map_opts.map_flags = 0;
544 map_opts.token_fd = 0;
545 map_fd = bpf_map_create(BPF_MAP_TYPE_STACK, "wo_token_w_bpf", 0, 8, 1, &map_opts);
546 if (!ASSERT_LT(map_fd, 0, "stack_map_wo_token_w_cap_bpf_should_fail")) {
551 /* finally, namespaced CAP_BPF + token -> success */
552 map_opts.map_flags = BPF_F_TOKEN_FD;
553 map_opts.token_fd = token_fd;
554 map_fd = bpf_map_create(BPF_MAP_TYPE_STACK, "w_token_w_bpf", 0, 8, 1, &map_opts);
555 if (!ASSERT_GT(map_fd, 0, "stack_map_w_token_w_cap_bpf")) {
566 static int userns_btf_load(int mnt_fd, struct token_lsm *lsm_skel)
568 LIBBPF_OPTS(bpf_btf_load_opts, btf_opts);
569 int err, token_fd = -1, btf_fd = -1;
570 const void *raw_btf_data;
571 struct btf *btf = NULL;
575 /* create BPF token from BPF FS mount */
576 token_fd = bpf_token_create(mnt_fd, NULL);
577 if (!ASSERT_GT(token_fd, 0, "token_create")) {
582 /* while inside non-init userns, we need both a BPF token *and*
583 * CAP_BPF inside current userns to create privileged map; let's test
584 * that neither BPF token alone nor namespaced CAP_BPF is sufficient
586 err = drop_priv_caps(&old_caps);
587 if (!ASSERT_OK(err, "drop_caps"))
590 /* setup a trivial BTF data to load to the kernel */
591 btf = btf__new_empty();
592 if (!ASSERT_OK_PTR(btf, "empty_btf"))
595 ASSERT_GT(btf__add_int(btf, "int", 4, 0), 0, "int_type");
597 raw_btf_data = btf__raw_data(btf, &raw_btf_size);
598 if (!ASSERT_OK_PTR(raw_btf_data, "raw_btf_data"))
601 /* no token + no CAP_BPF -> failure */
602 btf_opts.btf_flags = 0;
603 btf_opts.token_fd = 0;
604 btf_fd = bpf_btf_load(raw_btf_data, raw_btf_size, &btf_opts);
605 if (!ASSERT_LT(btf_fd, 0, "no_token_no_cap_should_fail"))
608 /* token + no CAP_BPF -> failure */
609 btf_opts.btf_flags = BPF_F_TOKEN_FD;
610 btf_opts.token_fd = token_fd;
611 btf_fd = bpf_btf_load(raw_btf_data, raw_btf_size, &btf_opts);
612 if (!ASSERT_LT(btf_fd, 0, "token_no_cap_should_fail"))
615 /* get back effective local CAP_BPF (and CAP_SYS_ADMIN) */
616 err = restore_priv_caps(old_caps);
617 if (!ASSERT_OK(err, "restore_caps"))
620 /* token + CAP_BPF -> success */
621 btf_opts.btf_flags = BPF_F_TOKEN_FD;
622 btf_opts.token_fd = token_fd;
623 btf_fd = bpf_btf_load(raw_btf_data, raw_btf_size, &btf_opts);
624 if (!ASSERT_GT(btf_fd, 0, "token_and_cap_success"))
635 static int userns_prog_load(int mnt_fd, struct token_lsm *lsm_skel)
637 LIBBPF_OPTS(bpf_prog_load_opts, prog_opts);
638 int err, token_fd = -1, prog_fd = -1;
639 struct bpf_insn insns[] = {
640 /* bpf_jiffies64() requires CAP_BPF */
641 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_jiffies64),
642 /* bpf_get_current_task() requires CAP_PERFMON */
643 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_get_current_task),
645 BPF_MOV64_IMM(BPF_REG_0, 0),
648 size_t insn_cnt = ARRAY_SIZE(insns);
651 /* create BPF token from BPF FS mount */
652 token_fd = bpf_token_create(mnt_fd, NULL);
653 if (!ASSERT_GT(token_fd, 0, "token_create")) {
658 /* validate we can successfully load BPF program with token; this
659 * being XDP program (CAP_NET_ADMIN) using bpf_jiffies64() (CAP_BPF)
660 * and bpf_get_current_task() (CAP_PERFMON) helpers validates we have
661 * BPF token wired properly in a bunch of places in the kernel
663 prog_opts.prog_flags = BPF_F_TOKEN_FD;
664 prog_opts.token_fd = token_fd;
665 prog_opts.expected_attach_type = BPF_XDP;
666 prog_fd = bpf_prog_load(BPF_PROG_TYPE_XDP, "token_prog", "GPL",
667 insns, insn_cnt, &prog_opts);
668 if (!ASSERT_GT(prog_fd, 0, "prog_fd")) {
673 /* no token + caps -> failure */
674 prog_opts.prog_flags = 0;
675 prog_opts.token_fd = 0;
676 prog_fd = bpf_prog_load(BPF_PROG_TYPE_XDP, "token_prog", "GPL",
677 insns, insn_cnt, &prog_opts);
678 if (!ASSERT_EQ(prog_fd, -EPERM, "prog_fd_eperm")) {
683 err = drop_priv_caps(&old_caps);
684 if (!ASSERT_OK(err, "drop_caps"))
687 /* no caps + token -> failure */
688 prog_opts.prog_flags = BPF_F_TOKEN_FD;
689 prog_opts.token_fd = token_fd;
690 prog_fd = bpf_prog_load(BPF_PROG_TYPE_XDP, "token_prog", "GPL",
691 insns, insn_cnt, &prog_opts);
692 if (!ASSERT_EQ(prog_fd, -EPERM, "prog_fd_eperm")) {
697 /* no caps + no token -> definitely a failure */
698 prog_opts.prog_flags = 0;
699 prog_opts.token_fd = 0;
700 prog_fd = bpf_prog_load(BPF_PROG_TYPE_XDP, "token_prog", "GPL",
701 insns, insn_cnt, &prog_opts);
702 if (!ASSERT_EQ(prog_fd, -EPERM, "prog_fd_eperm")) {
714 static int userns_obj_priv_map(int mnt_fd, struct token_lsm *lsm_skel)
716 LIBBPF_OPTS(bpf_object_open_opts, opts);
718 struct priv_map *skel;
721 skel = priv_map__open_and_load();
722 if (!ASSERT_ERR_PTR(skel, "obj_tokenless_load")) {
723 priv_map__destroy(skel);
727 /* use bpf_token_path to provide BPF FS path */
728 snprintf(buf, sizeof(buf), "/proc/self/fd/%d", mnt_fd);
729 opts.bpf_token_path = buf;
730 skel = priv_map__open_opts(&opts);
731 if (!ASSERT_OK_PTR(skel, "obj_token_path_open"))
734 err = priv_map__load(skel);
735 priv_map__destroy(skel);
736 if (!ASSERT_OK(err, "obj_token_path_load"))
742 static int userns_obj_priv_prog(int mnt_fd, struct token_lsm *lsm_skel)
744 LIBBPF_OPTS(bpf_object_open_opts, opts);
746 struct priv_prog *skel;
749 skel = priv_prog__open_and_load();
750 if (!ASSERT_ERR_PTR(skel, "obj_tokenless_load")) {
751 priv_prog__destroy(skel);
755 /* use bpf_token_path to provide BPF FS path */
756 snprintf(buf, sizeof(buf), "/proc/self/fd/%d", mnt_fd);
757 opts.bpf_token_path = buf;
758 skel = priv_prog__open_opts(&opts);
759 if (!ASSERT_OK_PTR(skel, "obj_token_path_open"))
761 err = priv_prog__load(skel);
762 priv_prog__destroy(skel);
763 if (!ASSERT_OK(err, "obj_token_path_load"))
766 /* provide BPF token, but reject bpf_token_capable() with LSM */
767 lsm_skel->bss->reject_capable = true;
768 lsm_skel->bss->reject_cmd = false;
769 skel = priv_prog__open_opts(&opts);
770 if (!ASSERT_OK_PTR(skel, "obj_token_lsm_reject_cap_open"))
772 err = priv_prog__load(skel);
773 priv_prog__destroy(skel);
774 if (!ASSERT_ERR(err, "obj_token_lsm_reject_cap_load"))
777 /* provide BPF token, but reject bpf_token_cmd() with LSM */
778 lsm_skel->bss->reject_capable = false;
779 lsm_skel->bss->reject_cmd = true;
780 skel = priv_prog__open_opts(&opts);
781 if (!ASSERT_OK_PTR(skel, "obj_token_lsm_reject_cmd_open"))
783 err = priv_prog__load(skel);
784 priv_prog__destroy(skel);
785 if (!ASSERT_ERR(err, "obj_token_lsm_reject_cmd_load"))
791 /* this test is called with BPF FS that doesn't delegate BPF_BTF_LOAD command,
792 * which should cause struct_ops application to fail, as BTF won't be uploaded
793 * into the kernel, even if STRUCT_OPS programs themselves are allowed
795 static int validate_struct_ops_load(int mnt_fd, bool expect_success)
797 LIBBPF_OPTS(bpf_object_open_opts, opts);
799 struct dummy_st_ops_success *skel;
802 snprintf(buf, sizeof(buf), "/proc/self/fd/%d", mnt_fd);
803 opts.bpf_token_path = buf;
804 skel = dummy_st_ops_success__open_opts(&opts);
805 if (!ASSERT_OK_PTR(skel, "obj_token_path_open"))
808 err = dummy_st_ops_success__load(skel);
809 dummy_st_ops_success__destroy(skel);
810 if (expect_success) {
811 if (!ASSERT_OK(err, "obj_token_path_load"))
813 } else /* expect failure */ {
814 if (!ASSERT_ERR(err, "obj_token_path_load"))
821 static int userns_obj_priv_btf_fail(int mnt_fd, struct token_lsm *lsm_skel)
823 return validate_struct_ops_load(mnt_fd, false /* should fail */);
826 static int userns_obj_priv_btf_success(int mnt_fd, struct token_lsm *lsm_skel)
828 return validate_struct_ops_load(mnt_fd, true /* should succeed */);
831 static const char *token_bpffs_custom_dir()
833 return getenv("BPF_SELFTESTS_BPF_TOKEN_DIR") ?: "/tmp/bpf-token-fs";
836 #define TOKEN_ENVVAR "LIBBPF_BPF_TOKEN_PATH"
838 static int userns_obj_priv_implicit_token(int mnt_fd, struct token_lsm *lsm_skel)
840 LIBBPF_OPTS(bpf_object_open_opts, opts);
841 struct dummy_st_ops_success *skel;
844 /* before we mount BPF FS with token delegation, struct_ops skeleton
845 * should fail to load
847 skel = dummy_st_ops_success__open_and_load();
848 if (!ASSERT_ERR_PTR(skel, "obj_tokenless_load")) {
849 dummy_st_ops_success__destroy(skel);
853 /* mount custom BPF FS over /sys/fs/bpf so that libbpf can create BPF
854 * token automatically and implicitly
856 err = sys_move_mount(mnt_fd, "", AT_FDCWD, "/sys/fs/bpf", MOVE_MOUNT_F_EMPTY_PATH);
857 if (!ASSERT_OK(err, "move_mount_bpffs"))
860 /* disable implicit BPF token creation by setting
861 * LIBBPF_BPF_TOKEN_PATH envvar to empty value, load should fail
863 err = setenv(TOKEN_ENVVAR, "", 1 /*overwrite*/);
864 if (!ASSERT_OK(err, "setenv_token_path"))
866 skel = dummy_st_ops_success__open_and_load();
867 if (!ASSERT_ERR_PTR(skel, "obj_token_envvar_disabled_load")) {
868 unsetenv(TOKEN_ENVVAR);
869 dummy_st_ops_success__destroy(skel);
872 unsetenv(TOKEN_ENVVAR);
874 /* now the same struct_ops skeleton should succeed thanks to libbpf
875 * creating BPF token from /sys/fs/bpf mount point
877 skel = dummy_st_ops_success__open_and_load();
878 if (!ASSERT_OK_PTR(skel, "obj_implicit_token_load"))
881 dummy_st_ops_success__destroy(skel);
883 /* now disable implicit token through empty bpf_token_path, should fail */
884 opts.bpf_token_path = "";
885 skel = dummy_st_ops_success__open_opts(&opts);
886 if (!ASSERT_OK_PTR(skel, "obj_empty_token_path_open"))
889 err = dummy_st_ops_success__load(skel);
890 dummy_st_ops_success__destroy(skel);
891 if (!ASSERT_ERR(err, "obj_empty_token_path_load"))
897 static int userns_obj_priv_implicit_token_envvar(int mnt_fd, struct token_lsm *lsm_skel)
899 const char *custom_dir = token_bpffs_custom_dir();
900 LIBBPF_OPTS(bpf_object_open_opts, opts);
901 struct dummy_st_ops_success *skel;
904 /* before we mount BPF FS with token delegation, struct_ops skeleton
905 * should fail to load
907 skel = dummy_st_ops_success__open_and_load();
908 if (!ASSERT_ERR_PTR(skel, "obj_tokenless_load")) {
909 dummy_st_ops_success__destroy(skel);
913 /* mount custom BPF FS over custom location, so libbpf can't create
914 * BPF token implicitly, unless pointed to it through
915 * LIBBPF_BPF_TOKEN_PATH envvar
918 if (!ASSERT_OK(mkdir(custom_dir, 0777), "mkdir_bpffs_custom"))
920 err = sys_move_mount(mnt_fd, "", AT_FDCWD, custom_dir, MOVE_MOUNT_F_EMPTY_PATH);
921 if (!ASSERT_OK(err, "move_mount_bpffs"))
924 /* even though we have BPF FS with delegation, it's not at default
925 * /sys/fs/bpf location, so we still fail to load until envvar is set up
927 skel = dummy_st_ops_success__open_and_load();
928 if (!ASSERT_ERR_PTR(skel, "obj_tokenless_load2")) {
929 dummy_st_ops_success__destroy(skel);
933 err = setenv(TOKEN_ENVVAR, custom_dir, 1 /*overwrite*/);
934 if (!ASSERT_OK(err, "setenv_token_path"))
937 /* now the same struct_ops skeleton should succeed thanks to libbpf
938 * creating BPF token from custom mount point
940 skel = dummy_st_ops_success__open_and_load();
941 if (!ASSERT_OK_PTR(skel, "obj_implicit_token_load"))
944 dummy_st_ops_success__destroy(skel);
946 /* now disable implicit token through empty bpf_token_path, envvar
947 * will be ignored, should fail
949 opts.bpf_token_path = "";
950 skel = dummy_st_ops_success__open_opts(&opts);
951 if (!ASSERT_OK_PTR(skel, "obj_empty_token_path_open"))
954 err = dummy_st_ops_success__load(skel);
955 dummy_st_ops_success__destroy(skel);
956 if (!ASSERT_ERR(err, "obj_empty_token_path_load"))
960 unsetenv(TOKEN_ENVVAR);
964 unsetenv(TOKEN_ENVVAR);
968 #define bit(n) (1ULL << (n))
970 void test_token(void)
972 if (test__start_subtest("map_token")) {
973 struct bpffs_opts opts = {
974 .cmds_str = "map_create",
978 subtest_userns(&opts, userns_map_create);
980 if (test__start_subtest("btf_token")) {
981 struct bpffs_opts opts = {
982 .cmds = 1ULL << BPF_BTF_LOAD,
985 subtest_userns(&opts, userns_btf_load);
987 if (test__start_subtest("prog_token")) {
988 struct bpffs_opts opts = {
989 .cmds_str = "PROG_LOAD",
991 .attachs_str = "xdp",
994 subtest_userns(&opts, userns_prog_load);
996 if (test__start_subtest("obj_priv_map")) {
997 struct bpffs_opts opts = {
998 .cmds = bit(BPF_MAP_CREATE),
999 .maps = bit(BPF_MAP_TYPE_QUEUE),
1002 subtest_userns(&opts, userns_obj_priv_map);
1004 if (test__start_subtest("obj_priv_prog")) {
1005 struct bpffs_opts opts = {
1006 .cmds = bit(BPF_PROG_LOAD),
1007 .progs = bit(BPF_PROG_TYPE_KPROBE),
1011 subtest_userns(&opts, userns_obj_priv_prog);
1013 if (test__start_subtest("obj_priv_btf_fail")) {
1014 struct bpffs_opts opts = {
1015 /* disallow BTF loading */
1016 .cmds = bit(BPF_MAP_CREATE) | bit(BPF_PROG_LOAD),
1017 .maps = bit(BPF_MAP_TYPE_STRUCT_OPS),
1018 .progs = bit(BPF_PROG_TYPE_STRUCT_OPS),
1022 subtest_userns(&opts, userns_obj_priv_btf_fail);
1024 if (test__start_subtest("obj_priv_btf_success")) {
1025 struct bpffs_opts opts = {
1026 /* allow BTF loading */
1027 .cmds = bit(BPF_BTF_LOAD) | bit(BPF_MAP_CREATE) | bit(BPF_PROG_LOAD),
1028 .maps = bit(BPF_MAP_TYPE_STRUCT_OPS),
1029 .progs = bit(BPF_PROG_TYPE_STRUCT_OPS),
1033 subtest_userns(&opts, userns_obj_priv_btf_success);
1035 if (test__start_subtest("obj_priv_implicit_token")) {
1036 struct bpffs_opts opts = {
1037 /* allow BTF loading */
1038 .cmds = bit(BPF_BTF_LOAD) | bit(BPF_MAP_CREATE) | bit(BPF_PROG_LOAD),
1039 .maps = bit(BPF_MAP_TYPE_STRUCT_OPS),
1040 .progs = bit(BPF_PROG_TYPE_STRUCT_OPS),
1044 subtest_userns(&opts, userns_obj_priv_implicit_token);
1046 if (test__start_subtest("obj_priv_implicit_token_envvar")) {
1047 struct bpffs_opts opts = {
1048 /* allow BTF loading */
1049 .cmds = bit(BPF_BTF_LOAD) | bit(BPF_MAP_CREATE) | bit(BPF_PROG_LOAD),
1050 .maps = bit(BPF_MAP_TYPE_STRUCT_OPS),
1051 .progs = bit(BPF_PROG_TYPE_STRUCT_OPS),
1055 subtest_userns(&opts, userns_obj_priv_implicit_token_envvar);
projects / linux.git / blob