July 2019 - Linux-kselftest-mirror

[PATCH v3] selftests/livepatch: add test skip handling

by Joe Lawrence

Add a skip() message function that stops the test, logs an explanation, and sets the "skip" return code (4). Before loading a livepatch self-test kernel module, first verify that we've built and installed it by running a 'modprobe --dry-run'. This should catch a few environment issues, including !CONFIG_LIVEPATCH and !CONFIG_TEST_LIVEPATCH. In these cases, exit gracefully with the new skip() function. Reported-by: Jiri Benc <jbenc(a)redhat.com> Suggested-by: Shuah Khan <shuah(a)kernel.org> Signed-off-by: Joe Lawrence <joe.lawrence(a)redhat.com> --- v3: tweak modprobe error message: check kernel config and run as root, so output now looks like [shuah] : % make run_tests TAP version 13 1..3 # selftests: livepatch: test-livepatch.sh # TEST: basic function patching ... SKIP: unable load module test_klp_livepatch, verify CONFIG_TEST_LIVEPATCH=m and run self-tests as root not ok 1 selftests: livepatch: test-livepatch.sh # SKIP # selftests: livepatch: test-callbacks.sh # TEST: target module before livepatch ... SKIP: unable load module test_klp_callbacks_mod, verify CONFIG_TEST_LIVEPATCH=m and run self-tests as root not ok 2 selftests: livepatch: test-callbacks.sh # SKIP # selftests: livepatch: test-shadow-vars.sh # TEST: basic shadow variable API ... SKIP: unable load module test_klp_shadow_vars, verify CONFIG_TEST_LIVEPATCH=m and run self-tests as root not ok 3 selftests: livepatch: test-shadow-vars.sh # SKIP v2: move assert_mod() call into load_mod() and load_lp_nowait(), before they check whether the module is a livepatch or not (a test-failing assertion). [mbenes, pmladek] .../testing/selftests/livepatch/functions.sh | 20 +++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/tools/testing/selftests/livepatch/functions.sh b/tools/testing/selftests/livepatch/functions.sh index 30195449c63c..8eb21fcc71de 100644 --- a/tools/testing/selftests/livepatch/functions.sh +++ b/tools/testing/selftests/livepatch/functions.sh @@ -13,6 +13,14 @@ function log() { echo "$1" > /dev/kmsg } +# skip(msg) - testing can't proceed +# msg - explanation +function skip() { + log "SKIP: $1" + echo "SKIP: $1" >&2 + exit 4 +} + # die(msg) - game over, man # msg - dying words function die() { @@ -43,6 +51,12 @@ function loop_until() { done } +function assert_mod() { + local mod="$1" + + modprobe --dry-run "$mod" &>/dev/null +} + function is_livepatch_mod() { local mod="$1" @@ -75,6 +89,9 @@ function __load_mod() { function load_mod() { local mod="$1"; shift + assert_mod "$mod" || + skip "unable load module ${mod}, verify CONFIG_TEST_LIVEPATCH=m and run self-tests as root" + is_livepatch_mod "$mod" && die "use load_lp() to load the livepatch module $mod" @@ -88,6 +105,9 @@ function load_mod() { function load_lp_nowait() { local mod="$1"; shift + assert_mod "$mod" || + skip "unable load module ${mod}, verify CONFIG_TEST_LIVEPATCH=m and run self-tests as root" + is_livepatch_mod "$mod" || die "module $mod is not a livepatch" -- 2.21.0

4 years, 9 months

3
7
0 0

[PATCH 1/1] tests: add pidfd poll tests

by Suren Baghdasaryan

This adds testing for polling on pidfd of a process being killed. Test runs 10000 iterations by default to stress test pidfd polling functionality. It accepts an optional command-line parameter to override the number or iterations to run. Specifically, it tests for: - pidfd_open on a child process succeeds - pidfd_send_signal on a child process succeeds - polling on pidfd succeeds and returns exactly one event - returned event is POLLIN - event is received within 3 secs of the process being killed 10000 iterations was chosen because of the race condition being tested which is not consistently reproducible but usually is revealed after less than 2000 iterations. Reveals race fixed by commit b191d6491be6 ("pidfd: fix a poll race when setting exit_state") Signed-off-by: Suren Baghdasaryan <surenb(a)google.com> --- tools/testing/selftests/pidfd/.gitignore | 1 + tools/testing/selftests/pidfd/Makefile | 2 +- .../testing/selftests/pidfd/pidfd_poll_test.c | 137 ++++++++++++++++++ 3 files changed, 139 insertions(+), 1 deletion(-) create mode 100644 tools/testing/selftests/pidfd/pidfd_poll_test.c diff --git a/tools/testing/selftests/pidfd/.gitignore b/tools/testing/selftests/pidfd/.gitignore index 16d84d117bc0..a67896347d34 100644 --- a/tools/testing/selftests/pidfd/.gitignore +++ b/tools/testing/selftests/pidfd/.gitignore @@ -1,2 +1,3 @@ pidfd_open_test +pidfd_poll_test pidfd_test diff --git a/tools/testing/selftests/pidfd/Makefile b/tools/testing/selftests/pidfd/Makefile index 720b2d884b3c..ed58b7108d18 100644 --- a/tools/testing/selftests/pidfd/Makefile +++ b/tools/testing/selftests/pidfd/Makefile @@ -1,7 +1,7 @@ # SPDX-License-Identifier: GPL-2.0-only CFLAGS += -g -I../../../../usr/include/ -lpthread -TEST_GEN_PROGS := pidfd_test pidfd_open_test +TEST_GEN_PROGS := pidfd_test pidfd_open_test pidfd_poll_test include ../lib.mk diff --git a/tools/testing/selftests/pidfd/pidfd_poll_test.c b/tools/testing/selftests/pidfd/pidfd_poll_test.c new file mode 100644 index 000000000000..f2934aa070ae --- /dev/null +++ b/tools/testing/selftests/pidfd/pidfd_poll_test.c @@ -0,0 +1,137 @@ +// SPDX-License-Identifier: GPL-2.0 + +#define _GNU_SOURCE +#include <errno.h> +#include <linux/types.h> +#include <linux/wait.h> +#include <poll.h> +#include <signal.h> +#include <stdbool.h> +#include <stdio.h> +#include <stdlib.h> +#include <string.h> +#include <syscall.h> +#include <sys/wait.h> +#include <unistd.h> + +#include "pidfd.h" +#include "../kselftest.h" + +#define __NR_pidfd_send_signal 424 +#define __NR_pidfd_open 434 + +static inline int sys_pidfd_open(pid_t pid, unsigned int flags) +{ + return syscall(__NR_pidfd_open, pid, flags); +} + +static inline int sys_pidfd_send_signal(int pidfd, int sig, siginfo_t *info, + unsigned int flags) +{ + return syscall(__NR_pidfd_send_signal, pidfd, sig, info, flags); +} + +static bool timeout; + +static void handle_alarm(int sig) +{ + timeout = true; +} + +int main(int argc, char **argv) +{ + int ret = 1; + int pidfd = -1; + struct pollfd fds; + int iter, nevents; + int nr_iterations = 10000; + + fds.events = POLLIN; + if (argc > 1) { + nr_iterations = atoi(argv[1]); + if (!nr_iterations) { + ksft_test_result_fail("invalid input parameter %s\n", + argv[1]); + return ksft_exit_fail(); + } + } + + ksft_print_msg("running pidfd poll test for %d iterations\n", + nr_iterations); + + for (iter = 0; iter < nr_iterations; iter++) { + int child_pid = fork(); + + if (!child_pid) { + /* Child process just sleeps for a min */ + sleep(60); + exit(0); + } + + /* Parent kills the child and waits for its death */ + if (child_pid < 0) { + if (errno == EAGAIN) { + iter--; + continue; + } + ksft_print_msg("%s - failed to fork a child process\n", + strerror(errno)); + } + pidfd = sys_pidfd_open(child_pid, 0); + if (pidfd < 0) { + ksft_print_msg("%s - pidfd_open failed\n", + strerror(errno)); + goto on_error; + } + /* Setup 3 sec alarm - plenty of time */ + if (signal(SIGALRM, handle_alarm) == SIG_ERR) { + ksft_print_msg("%s - signal failed\n", + strerror(errno)); + goto on_error; + } + alarm(3); + /* Send SIGKILL to the child */ + if (sys_pidfd_send_signal(pidfd, SIGKILL, NULL, 0)) { + ksft_print_msg("%s - pidfd_send_signal failed\n", + strerror(errno)); + goto on_error; + } + /* Wait for the death notification */ + fds.fd = pidfd; + nevents = poll(&fds, 1, -1); + if (nevents < 0) { + ksft_print_msg("%s - poll failed\n", + strerror(errno)); + goto on_error; + } + if (nevents != 1) { + ksft_print_msg("unexpected poll result: %d\n", + nevents); + goto on_error; + } + if (!(fds.revents & POLLIN)) { + ksft_print_msg( + "unexpected event type received: 0x%x\n", + fds.revents); + goto on_error; + } + if (timeout) { + ksft_print_msg("death notification wait timeout\n"); + goto on_error; + } + close(pidfd); + } + ret = 0; + +on_error: + if (pidfd) + close(pidfd); + + if (ret) { + ksft_test_result_fail("failed after %d retries\n", iter); + return ksft_exit_fail(); + } + + ksft_test_result_pass("pidfd poll test: pass\n"); + return ksft_exit_pass(); +} -- 2.22.0.657.g960e92d24f-goog

4 years, 9 months

2
2
0 0

[PATCH] selftests: mlxsw: Fix typo in qos_mc_aware.sh

by Masanari Iida

This patch fixes some spelling typo in qos_mc_aware.sh Signed-off-by: Masanari Iida <standby24x7(a)gmail.com> --- tools/testing/selftests/drivers/net/mlxsw/qos_mc_aware.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tools/testing/selftests/drivers/net/mlxsw/qos_mc_aware.sh b/tools/testing/selftests/drivers/net/mlxsw/qos_mc_aware.sh index 71231ad2dbfb..47315fe48d5a 100755 --- a/tools/testing/selftests/drivers/net/mlxsw/qos_mc_aware.sh +++ b/tools/testing/selftests/drivers/net/mlxsw/qos_mc_aware.sh @@ -262,7 +262,7 @@ test_mc_aware() stop_traffic - log_test "UC performace under MC overload" + log_test "UC performance under MC overload" echo "UC-only throughput $(humanize $ucth1)" echo "UC+MC throughput $(humanize $ucth2)" @@ -316,7 +316,7 @@ test_uc_aware() stop_traffic - log_test "MC performace under UC overload" + log_test "MC performance under UC overload" echo " ingress UC throughput $(humanize ${uc_ir})" echo " egress UC throughput $(humanize ${uc_er})" echo " sent $attempts BC ARPs, got $passes responses" -- 2.22.0.545.g9c9b961d7eb1

4 years, 9 months

3
2
0 0

[PATCH 5/5] pidfd: add pidfd_wait tests

by Christian Brauner

Add tests for pidfd_wait() and CLONE_WAIT_PID: - test that pidfd_wait() syscall is supported - test that pidfd_wait() does not accept unknown flags - test that pidfd_wait() can wait on a pidfd - test that pidfd_wait() can wait on a pidfd and return struct rusage - test that pidfd_wait() can wait on a pidfd and return siginfo_t - test that pidfd_wait() works with WEXITED - test that pidfd_wait() works with WSTOPPED - test that pidfd_wait() works with WUNTRACED - test that pidfd_wait() works with WCONTINUED - test that pidfd_wait() works with WNOWAIT - test that pidfd_wait() works with WNOHANG - test that CLONE_WAIT_PID does not appear in waitid(P_ALL) requests - test that CLONE_WAIT_PID does not appear in waitid(P_PGID) requests - test that CLONE_WAIT_PID does not appear in wait4(-1) requests - test that CLONE_WAIT_PID does not appear in wait4(0) requests - test that CLONE_WAIT_PID does appear in waitid(P_PID) requests - test that CLONE_WAIT_PID does appear in wait4(pid) requests Signed-off-by: Christian Brauner <christian(a)brauner.io> Cc: Arnd Bergmann <arnd(a)arndb.de> Cc: "Eric W. Biederman" <ebiederm(a)xmission.com> Cc: Kees Cook <keescook(a)chromium.org> Cc: Joel Fernandes (Google) <joel(a)joelfernandes.org> Cc: Thomas Gleixner <tglx(a)linutronix.de> Cc: David Howells <dhowells(a)redhat.com> Cc: Jann Horn <jannh(a)google.com> Cc: Shuah Khan <shuah(a)kernel.org> Cc: Andy Lutomirsky <luto(a)kernel.org> Cc: Andrew Morton <akpm(a)linux-foundation.org> Cc: Oleg Nesterov <oleg(a)redhat.com> Cc: Aleksa Sarai <cyphar(a)cyphar.com> Cc: Linus Torvalds <torvalds(a)linux-foundation.org> Cc: Al Viro <viro(a)zeniv.linux.org.uk> Cc: linux-kselftest(a)vger.kernel.org --- tools/testing/selftests/pidfd/pidfd.h | 25 ++ tools/testing/selftests/pidfd/pidfd_test.c | 14 - tools/testing/selftests/pidfd/pidfd_wait.c | 398 +++++++++++++++++++++ 3 files changed, 423 insertions(+), 14 deletions(-) create mode 100644 tools/testing/selftests/pidfd/pidfd_wait.c diff --git a/tools/testing/selftests/pidfd/pidfd.h b/tools/testing/selftests/pidfd/pidfd.h index 8452e910463f..d56bca179b9e 100644 --- a/tools/testing/selftests/pidfd/pidfd.h +++ b/tools/testing/selftests/pidfd/pidfd.h @@ -16,6 +16,26 @@ #include "../kselftest.h" +#ifndef CLONE_PIDFD +#define CLONE_PIDFD 0x00001000 +#endif + +#ifndef CLONE_WAIT_PID +#define CLONE_WAIT_PID 0x200000000ULL +#endif + +#ifndef __NR_pidfd_open +#define __NR_pidfd_open -1 +#endif + +#ifndef __NR_pidfd_send_signal +#define __NR_pidfd_send_signal -1 +#endif + +#ifndef __NR_clone3 +#define __NR_clone3 -1 +#endif + /* * The kernel reserves 300 pids via RESERVED_PIDS in kernel/pid.c * That means, when it wraps around any pid < 300 will be skipped. @@ -53,5 +73,10 @@ int wait_for_pid(pid_t pid) return WEXITSTATUS(status); } +static inline int sys_pidfd_send_signal(int pidfd, int sig, siginfo_t *info, + unsigned int flags) +{ + return syscall(__NR_pidfd_send_signal, pidfd, sig, info, flags); +} #endif /* __PIDFD_H */ diff --git a/tools/testing/selftests/pidfd/pidfd_test.c b/tools/testing/selftests/pidfd/pidfd_test.c index 7eaa8a3de262..42e3eb494d72 100644 --- a/tools/testing/selftests/pidfd/pidfd_test.c +++ b/tools/testing/selftests/pidfd/pidfd_test.c @@ -21,20 +21,12 @@ #include "pidfd.h" #include "../kselftest.h" -#ifndef __NR_pidfd_send_signal -#define __NR_pidfd_send_signal -1 -#endif - #define str(s) _str(s) #define _str(s) #s #define CHILD_THREAD_MIN_WAIT 3 /* seconds */ #define MAX_EVENTS 5 -#ifndef CLONE_PIDFD -#define CLONE_PIDFD 0x00001000 -#endif - static pid_t pidfd_clone(int flags, int *pidfd, int (*fn)(void *)) { size_t stack_size = 1024; @@ -47,12 +39,6 @@ static pid_t pidfd_clone(int flags, int *pidfd, int (*fn)(void *)) #endif } -static inline int sys_pidfd_send_signal(int pidfd, int sig, siginfo_t *info, - unsigned int flags) -{ - return syscall(__NR_pidfd_send_signal, pidfd, sig, info, flags); -} - static int signal_received; static void set_signal_received_on_sigusr1(int sig) diff --git a/tools/testing/selftests/pidfd/pidfd_wait.c b/tools/testing/selftests/pidfd/pidfd_wait.c new file mode 100644 index 000000000000..fcbd10098067 --- /dev/null +++ b/tools/testing/selftests/pidfd/pidfd_wait.c @@ -0,0 +1,398 @@ +/* SPDX-License-Identifier: GPL-2.0 */ + +#define _GNU_SOURCE +#include <errno.h> +#include <linux/sched.h> +#include <linux/types.h> +#include <signal.h> +#include <stdint.h> +#include <stdio.h> +#include <stdlib.h> +#include <sched.h> +#include <string.h> +#include <sys/resource.h> +#include <sys/time.h> +#include <sys/types.h> +#include <sys/wait.h> +#include <unistd.h> + +#include "pidfd.h" +#include "../kselftest.h" + +#define ptr_to_u64(ptr) ((__u64)((uintptr_t)(ptr))) + +static pid_t sys_clone3(struct clone_args *args) +{ + return syscall(__NR_clone3, args, sizeof(struct clone_args)); +} + +static pid_t sys_pidfd_wait(int pidfd, int *wstatus, siginfo_t *info, + struct rusage *ru, unsigned int states, + unsigned int flags) +{ + return syscall(__NR_pidfd_wait, pidfd, wstatus, info, ru, states, flags); +} + +static int test_pidfd_wait_syscall_support(void) +{ + int ret; + const char *test_name = "pidfd_wait check for support"; + + ret = sys_pidfd_wait(-EBADF, NULL, NULL, NULL, WEXITED, 0); + if (ret < 0 && errno == ENOSYS) + ksft_exit_skip("%s test: pidfd_wait() syscall not supported\n", + test_name); + + ksft_test_result_pass("%s test: Passed\n", test_name); + return 0; +} + +static int test_pidfd_wait_simple(void) +{ + const char *test_name = "pidfd_wait simple"; + int pidfd = -1, status = 0; + pid_t parent_tid = -1; + struct clone_args args = { + .parent_tid = ptr_to_u64(&parent_tid), + .pidfd = ptr_to_u64(&pidfd), + .flags = CLONE_PIDFD | CLONE_PARENT_SETTID, + .exit_signal = SIGCHLD, + }; + pid_t pid; + + pid = sys_clone3(&args); + if (pid < 0) + ksft_exit_fail_msg("%s test: failed to create new process %s", + test_name, strerror(errno)); + + if (pid == 0) + exit(EXIT_SUCCESS); + + pid = sys_pidfd_wait(pidfd, NULL, NULL, NULL, -1, 0); + if (pid > 0) + ksft_exit_fail_msg( + "%s test: succeeded to wait on process with invalid flags passed", + test_name); + + pid = sys_pidfd_wait(pidfd, NULL, NULL, NULL, 0, -1); + if (pid > 0) + ksft_exit_fail_msg( + "%s test: succeeded to wait on process with invalid flags passed", + test_name); + + pid = sys_pidfd_wait(pidfd, NULL, NULL, NULL, 0, 0); + if (pid > 0) + ksft_exit_fail_msg( + "%s test: succeeded to wait on process with invalid flags passed", + test_name); + + pid = sys_pidfd_wait(pidfd, NULL, NULL, NULL, WEXITED, 0); + if (pid < 0) + ksft_exit_fail_msg( + "%s test: failed to wait on process with pid %d and pidfd %d: %s", + test_name, parent_tid, pidfd, strerror(errno)); + close(pidfd); + + pidfd = -1; + parent_tid = -1; + pid = sys_clone3(&args); + if (pid < 0) + ksft_exit_fail_msg("%s test: failed to create new process %s", + test_name, strerror(errno)); + + if (pid == 0) + exit(EXIT_SUCCESS); + + pid = sys_pidfd_wait(pidfd, &status, NULL, NULL, WEXITED, 0); + if (pid < 0) + ksft_exit_fail_msg( + "%s test: failed to wait on process with pid %d and pidfd %d: %s", + test_name, parent_tid, pidfd, strerror(errno)); + + if (!WIFEXITED(status) || WEXITSTATUS(status)) + ksft_exit_fail_msg( + "%s test: unexpected status received after waiting on process with pid %d and pidfd %d: %s", + test_name, parent_tid, pidfd, strerror(errno)); + close(pidfd); + + pidfd = -1; + parent_tid = -1; + pid = sys_clone3(&args); + if (pid < 0) + ksft_exit_fail_msg("%s test: failed to create new process %s", + test_name, strerror(errno)); + + if (pid == 0) + exit(EXIT_FAILURE); + + pid = sys_pidfd_wait(pidfd, &status, NULL, NULL, WEXITED, 0); + if (pid < 0) + ksft_exit_fail_msg( + "%s test: failed to wait on process with pid %d and pidfd %d: %s", + test_name, parent_tid, pidfd, strerror(errno)); + + if (!WIFEXITED(status) || !WEXITSTATUS(status)) + ksft_exit_fail_msg( + "%s test: unexpected status received after waiting on process with pid %d and pidfd %d: %s", + test_name, parent_tid, pidfd, strerror(errno)); + close(pidfd); + + ksft_test_result_pass("%s test: Passed\n", test_name); + return 0; +} + +static int test_pidfd_wait_rusage(void) +{ + const char *test_name = "pidfd_wait rusage"; + int pidfd = -1, status = 0; + pid_t parent_tid = -1; + struct clone_args args = { + .parent_tid = ptr_to_u64(&parent_tid), + .pidfd = ptr_to_u64(&pidfd), + .flags = CLONE_PIDFD | CLONE_PARENT_SETTID, + .exit_signal = SIGCHLD, + }; + pid_t pid; + struct rusage rusage = { 0 }; + + pid = sys_clone3(&args); + if (pid < 0) + ksft_exit_fail_msg("%s test: failed to create new process %s", + test_name, strerror(errno)); + + if (pid == 0) + exit(EXIT_SUCCESS); + + pid = sys_pidfd_wait(pidfd, &status, NULL, &rusage, WEXITED, 0); + if (pid < 0) + ksft_exit_fail_msg( + "%s test: failed to wait on process with pid %d and pidfd %d: %s", + test_name, parent_tid, pidfd, strerror(errno)); + + if (!WIFEXITED(status) || WEXITSTATUS(status)) + ksft_exit_fail_msg( + "%s test: unexpected status received after waiting on process with pid %d and pidfd %d: %s", + test_name, parent_tid, pidfd, strerror(errno)); + close(pidfd); + + ksft_test_result_pass("%s test: Passed\n", test_name); + return 0; +} + +static int test_pidfd_wait_siginfo(void) +{ + const char *test_name = "pidfd_wait siginfo"; + int pidfd = -1, status = 0; + pid_t parent_tid = -1; + struct clone_args args = { + .parent_tid = ptr_to_u64(&parent_tid), + .pidfd = ptr_to_u64(&pidfd), + .flags = CLONE_PIDFD | CLONE_PARENT_SETTID, + .exit_signal = SIGCHLD, + }; + pid_t pid; + siginfo_t info = { + .si_signo = 0, + }; + + pid = sys_clone3(&args); + if (pid < 0) + ksft_exit_fail_msg("%s test: failed to create new process %s", + test_name, strerror(errno)); + + if (pid == 0) + exit(EXIT_SUCCESS); + + pid = sys_pidfd_wait(pidfd, &status, &info, NULL, WEXITED, 0); + if (pid < 0) + ksft_exit_fail_msg( + "%s test: failed to wait on process with pid %d and pidfd %d: %s", + test_name, parent_tid, pidfd, strerror(errno)); + + if (!WIFEXITED(status) || WEXITSTATUS(status)) + ksft_exit_fail_msg( + "%s test: unexpected status received after waiting on process with pid %d and pidfd %d: %s", + test_name, parent_tid, pidfd, strerror(errno)); + close(pidfd); + + if (info.si_signo != SIGCHLD) + ksft_exit_fail_msg( + "%s test: unexpected si_signo value %d received after waiting on process with pid %d and pidfd %d: %s", + test_name, info.si_signo, parent_tid, pidfd, + strerror(errno)); + + if (info.si_code != CLD_EXITED) + ksft_exit_fail_msg( + "%s test: unexpected si_code value %d received after waiting on process with pid %d and pidfd %d: %s", + test_name, info.si_code, parent_tid, pidfd, + strerror(errno)); + + ksft_test_result_pass("%s test: Passed\n", test_name); + return 0; +} + +static int test_pidfd_wait_states(void) +{ + const char *test_name = "pidfd_wait states"; + int pidfd = -1, status = 0; + pid_t parent_tid = -1; + struct clone_args args = { + .parent_tid = ptr_to_u64(&parent_tid), + .pidfd = ptr_to_u64(&pidfd), + .flags = CLONE_PIDFD | CLONE_PARENT_SETTID, + .exit_signal = SIGCHLD, + }; + int ret; + pid_t pid; + siginfo_t info = { + .si_signo = 0, + }; + + pid = sys_clone3(&args); + if (pid < 0) + ksft_exit_fail_msg("%s test: failed to create new process %s", + test_name, strerror(errno)); + + if (pid == 0) { + kill(getpid(), SIGSTOP); + kill(getpid(), SIGSTOP); + exit(EXIT_SUCCESS); + } + + pid = sys_pidfd_wait(pidfd, &status, &info, NULL, WSTOPPED, 0); + if (pid < 0) + ksft_exit_fail_msg( + "%s test: failed to wait on process with pid %d and pidfd %d: %s", + test_name, parent_tid, pidfd, strerror(errno)); + + ret = sys_pidfd_send_signal(pidfd, SIGCONT, NULL, 0); + if (ret < 0) + ksft_exit_fail_msg( + "%s test: failed to wait on process with pid %d and pidfd %d: %s", + test_name, parent_tid, pidfd, strerror(errno)); + + pid = sys_pidfd_wait(pidfd, &status, &info, NULL, WCONTINUED, 0); + if (pid < 0) + ksft_exit_fail_msg( + "%s test: failed to wait on process with pid %d and pidfd %d: %s", + test_name, parent_tid, pidfd, strerror(errno)); + + pid = sys_pidfd_wait(pidfd, &status, &info, NULL, WUNTRACED, 0); + if (pid < 0) + ksft_exit_fail_msg( + "%s test: failed to wait on process with pid %d and pidfd %d: %s", + test_name, parent_tid, pidfd, strerror(errno)); + + ret = sys_pidfd_send_signal(pidfd, SIGKILL, NULL, 0); + if (ret < 0) + ksft_exit_fail_msg( + "%s test: failed to wait on process with pid %d and pidfd %d: %s", + test_name, parent_tid, pidfd, strerror(errno)); + + pid = sys_pidfd_wait(pidfd, &status, &info, NULL, WEXITED, 0); + if (pid < 0) + ksft_exit_fail_msg( + "%s test: failed to wait on process with pid %d and pidfd %d: %s", + test_name, parent_tid, pidfd, strerror(errno)); + + close(pidfd); + + ksft_test_result_pass("%s test: Passed\n", test_name); + return 0; +} + +static int test_clone_wait_pid(void) +{ + const char *test_name = "CLONE_WAIT_PID"; + int pidfd = -1, status = 0; + pid_t parent_tid = -1; + struct clone_args args = { + .parent_tid = ptr_to_u64(&parent_tid), + .pidfd = ptr_to_u64(&pidfd), + .flags = CLONE_PARENT_SETTID | CLONE_WAIT_PID, + .exit_signal = SIGCHLD, + }; + int ret; + pid_t pid, rpid; + + pid = sys_clone3(&args); + if (pid > 0) + ksft_exit_fail_msg( + "%s test: managed to create new process with CLONE_WAIT_PID but without CLONE_PIDFD", + test_name); + + args.flags |= CLONE_PIDFD; + pid = sys_clone3(&args); + if (pid < 0) + ksft_exit_fail_msg("%s test: failed to create new process %s", + test_name, strerror(errno)); + + if (pid == 0) + exit(EXIT_SUCCESS); + + ret = syscall(__NR_waitid, P_ALL, -1, NULL, WEXITED, NULL); + if (ret == 0) + ksft_exit_fail_msg( + "%s test: managed to wait on process created with CLONE_PIDFD | CLONE_WAIT_PID with pid %d and pidfd %d through waitid(P_ALL) request", + test_name, parent_tid, pidfd); + + ret = syscall(__NR_waitid, P_PGID, getpgid(0), NULL, WEXITED, NULL); + if (ret == 0) + ksft_exit_fail_msg( + "%s test: managed to wait on process created with CLONE_PIDFD | CLONE_WAIT_PID with pid %d and pidfd %d through waitid(P_PGID) request", + test_name, parent_tid, pidfd); + + rpid = syscall(__NR_wait4, -1, NULL, 0, NULL); + if (rpid > 0) + ksft_exit_fail_msg( + "%s test: managed to wait on process created with CLONE_PIDFD | CLONE_WAIT_PID with pid %d and pidfd %d through wait4(-1) request", + test_name, parent_tid, pidfd); + + rpid = syscall(__NR_wait4, 0, NULL, 0, NULL); + if (rpid > 0) + ksft_exit_fail_msg( + "%s test: managed to wait on process created with CLONE_PIDFD | CLONE_WAIT_PID with pid %d and pidfd %d through wait4(0) request", + test_name, parent_tid, pidfd); + + ret = syscall(__NR_waitid, P_PID, pid, NULL, WEXITED | WNOWAIT | WNOHANG, NULL); + if (ret < 0) + ksft_exit_fail_msg( + "%s test: failed to wait on process created with CLONE_PIDFD | CLONE_WAIT_PID with pid %d and pidfd %d through waitid(P_PID) request: %s", + test_name, parent_tid, pidfd, strerror(errno)); + + rpid = sys_pidfd_wait(pidfd, NULL, NULL, NULL, WEXITED, WNOWAIT | WNOHANG); + if (rpid < 0) + ksft_exit_fail_msg( + "%s test: failed to wait on process with pid %d and pidfd %d: %s", + test_name, parent_tid, pidfd, strerror(errno)); + + rpid = syscall(__NR_wait4, pid, &status, 0, NULL); + if (rpid < 0) + ksft_exit_fail_msg( + "%s test: failed to wait on process created with CLONE_PIDFD | CLONE_WAIT_PID with pid %d and pidfd %d through wait4(%d) request: %s", + test_name, parent_tid, pidfd, parent_tid, strerror(errno)); + + if (!WIFEXITED(status) || WEXITSTATUS(status)) + ksft_exit_fail_msg( + "%s test: unexpected status received after waiting on process with pid %d and pidfd %d: %s", + test_name, parent_tid, pidfd, strerror(errno)); + close(pidfd); + + ksft_test_result_pass("%s test: Passed\n", test_name); + return 0; +} + +int main(int argc, char **argv) +{ + ksft_print_header(); + ksft_set_plan(6); + + test_pidfd_wait_syscall_support(); + test_pidfd_wait_simple(); + test_pidfd_wait_rusage(); + test_pidfd_wait_siginfo(); + test_pidfd_wait_states(); + test_clone_wait_pid(); + + return ksft_exit_pass(); +} -- 2.22.0

4 years, 9 months

1
0
0 0

[PATCH] selftests: kmod: Fix typo in kmod.sh

by Masanari Iida

This patch fixes some spelling typos in kmod.sh Signed-off-by: Masanari Iida <standby24x7(a)gmail.com> --- tools/testing/selftests/kmod/kmod.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tools/testing/selftests/kmod/kmod.sh b/tools/testing/selftests/kmod/kmod.sh index 0a76314b4414..8b944cf042f6 100755 --- a/tools/testing/selftests/kmod/kmod.sh +++ b/tools/testing/selftests/kmod/kmod.sh @@ -28,7 +28,7 @@ # override by exporting to your environment prior running this script. # For instance this script assumes you do not have xfs loaded upon boot. # If this is false, export DEFAULT_KMOD_FS="ext4" prior to running this -# script if the filesyste module you don't have loaded upon bootup +# script if the filesystem module you don't have loaded upon bootup # is ext4 instead. Refer to allow_user_defaults() for a list of user # override variables possible. # @@ -263,7 +263,7 @@ config_get_test_result() config_reset() { if ! echo -n "1" >"$DIR"/reset; then - echo "$0: reset shuld have worked" >&2 + echo "$0: reset should have worked" >&2 exit 1 fi } @@ -488,7 +488,7 @@ usage() echo Example uses: echo echo "${TEST_NAME}.sh -- executes all tests" - echo "${TEST_NAME}.sh -t 0008 -- Executes test ID 0008 number of times is recomended" + echo "${TEST_NAME}.sh -t 0008 -- Executes test ID 0008 number of times is recommended" echo "${TEST_NAME}.sh -w 0008 -- Watch test ID 0008 run until an error occurs" echo "${TEST_NAME}.sh -s 0008 -- Run test ID 0008 once" echo "${TEST_NAME}.sh -c 0008 3 -- Run test ID 0008 three times" -- 2.22.0.545.g9c9b961d7eb1

4 years, 9 months

2
1
0 0

"make" vs "$(MAKE)" in tools/testing/selftests/Makefile

by Ilya Leoshkevich

Hello, Is there a reason why kselftest Makefile uses plain "make" instead of "$(MAKE)"? Because of this, "make kselftest TARGETS=bpf -j12" ends up building all bpf tests sequentially, since the top make's jobserver is not shared with its children. Replacing "make" with "$(MAKE)" helps, but since other Makefiles use "$(MAKE)", it looks as if this has been done intentionally. Best regards, Ilya

4 years, 9 months

3
2
0 0

[PATCH] selftests/livepatch: add test skip handling

by Joe Lawrence

Before running a livpeatch self-test, first verify that we've built and installed the livepatch self-test kernel modules by running a 'modprobe --dry-run'. This should catch a few environment issues, including !CONFIG_LIVEPATCH and !CONFIG_TEST_LIVEPATCH. In these cases, exit gracefully with test-skip status rather than test-fail status. Reported-by: Jiri Benc <jbenc(a)redhat.com> Suggested-by: Shuah Khan <shuah(a)kernel.org> Signed-off-by: Joe Lawrence <joe.lawrence(a)redhat.com> --- tools/testing/selftests/livepatch/functions.sh | 18 ++++++++++++++++++ .../selftests/livepatch/test-callbacks.sh | 5 +++++ .../selftests/livepatch/test-livepatch.sh | 3 +++ .../selftests/livepatch/test-shadow-vars.sh | 2 ++ 4 files changed, 28 insertions(+) diff --git a/tools/testing/selftests/livepatch/functions.sh b/tools/testing/selftests/livepatch/functions.sh index 30195449c63c..92d6cfb49365 100644 --- a/tools/testing/selftests/livepatch/functions.sh +++ b/tools/testing/selftests/livepatch/functions.sh @@ -13,6 +13,14 @@ function log() { echo "$1" > /dev/kmsg } +# skip(msg) - testing can't proceed +# msg - explanation +function skip() { + log "SKIP: $1" + echo "SKIP: $1" >&2 + exit 4 +} + # die(msg) - game over, man # msg - dying words function die() { @@ -43,6 +51,16 @@ function loop_until() { done } +function assert_mod() { + local mod="$1" + + if ! modprobe --dry-run "$mod" &>/dev/null ; then + skip "Failed modprobe --dry-run of module: $mod" + fi + + return 1 +} + function is_livepatch_mod() { local mod="$1" diff --git a/tools/testing/selftests/livepatch/test-callbacks.sh b/tools/testing/selftests/livepatch/test-callbacks.sh index e97a9dcb73c7..87a407cee7fd 100755 --- a/tools/testing/selftests/livepatch/test-callbacks.sh +++ b/tools/testing/selftests/livepatch/test-callbacks.sh @@ -9,6 +9,11 @@ MOD_LIVEPATCH2=test_klp_callbacks_demo2 MOD_TARGET=test_klp_callbacks_mod MOD_TARGET_BUSY=test_klp_callbacks_busy +assert_mod $MOD_LIVEPATCH +assert_mod $MOD_LIVEPATCH2 +assert_mod $MOD_TARGET +assert_mod $MOD_TARGET_BUSY + set_dynamic_debug diff --git a/tools/testing/selftests/livepatch/test-livepatch.sh b/tools/testing/selftests/livepatch/test-livepatch.sh index f05268aea859..8d3b75ceeeff 100755 --- a/tools/testing/selftests/livepatch/test-livepatch.sh +++ b/tools/testing/selftests/livepatch/test-livepatch.sh @@ -7,6 +7,9 @@ MOD_LIVEPATCH=test_klp_livepatch MOD_REPLACE=test_klp_atomic_replace +assert_mod $MOD_LIVEPATCH +assert_mod $MOD_REPLACE + set_dynamic_debug diff --git a/tools/testing/selftests/livepatch/test-shadow-vars.sh b/tools/testing/selftests/livepatch/test-shadow-vars.sh index 04a37831e204..1ab09bc50363 100755 --- a/tools/testing/selftests/livepatch/test-shadow-vars.sh +++ b/tools/testing/selftests/livepatch/test-shadow-vars.sh @@ -6,6 +6,8 @@ MOD_TEST=test_klp_shadow_vars +assert_mod $MOD_TEST + set_dynamic_debug -- 2.21.0

4 years, 9 months

5
8
0 0

[PATCH v10 0/9] namei: openat2(2) path resolution restrictions

by Aleksa Sarai

This patch is being developed here (with snapshots of each series version being stashed in separate branches with names of the form "resolveat/vX-summary"): <https://github.com/cyphar/linux/tree/resolveat/master> Patch changelog: v10: * Ensure that unlazy_walk() will fail if we are in a scoped walk and the caller has zeroed nd->root (this happens in a few places, I'm not sure why because unlazy_walk() does legitimize_path() already). In this case we need to go through path_init() again to reset it (otherwise we will have a breakout because set_root() will breakout). * Also add a WARN_ON (and return -ENOTRECOVERABLE) if LOOKUP_IN_ROOT is set and we are in set_root() -- which should never happen and will cause a breakout. * Make changes suggested by Al Viro: * Remove nd->{opath_mask,acc_mode} by moving all of the magic-link permission logic be done after trailing_symlink() (with trailing_magiclink()) only within path_openat(). * Introduce LOOKUP_MAGICLINK_JUMPED to be able to detect magic-link jumps done with nd_jump_link() (so we don't end up blocking other LOOKUP_JUMPED cases). * Simplify all of the path_init() changes to make the code far less confusing. dirfd_path_init() turns out to be un-necessary. * Make openat2(2) also -EINVAL on unknown how->flags. [Dmitry V. Levin] * Clean up bad definitions of O_EMPTYPATH on architectures where O_* flags are subtly different to <asm-generic/fcntl.h>. * Switch away from passing a struct to build_open_flags() and instead just copy the one field we need to temporarily modify (how->flags). Also fix a bug in OPENHOW_MODE. [Rasmus Villemoes] * Fix syscall linkages and switch to 437. [Arnd Bergmann] * Clean up text in commit messages and the cover-letter. [Rolf Eike Beer] * Fix openat2 selftest makefile. [Michael Ellerman] The need for some sort of control over VFS's path resolution (to avoid malicious paths resulting in inadvertent breakouts) has been a very long-standing desire of many userspace applications. This patchset is a revival of Al Viro's old AT_NO_JUMPS[1,2] patchset (which was a variant of David Drysdale's O_BENEATH patchset[3] which was a spin-off of the Capsicum project[4]) with a few additions and changes made based on the previous discussion within [5] as well as others I felt were useful. In line with the conclusions of the original discussion of AT_NO_JUMPS, the flag has been split up into separate flags. However, instead of being an openat(2) flag it is provided through a new syscall openat2(2) which provides an alternative way to get an O_PATH file descriptor (the reasoning for doing this is included in the patch description). The following new LOOKUP_* flags are added: * LOOKUP_NO_XDEV blocks all mountpoint crossings (upwards, downwards, or through absolute links). Absolute pathnames alone in openat(2) do not trigger this. * LOOKUP_NO_MAGICLINKS blocks resolution through /proc/$pid/fd-style links. This is done by blocking the usage of nd_jump_link() during resolution in a filesystem. The term "magic-links" is used to match with the only reference to these links in Documentation/, but I'm happy to change the name. It should be noted that this is different to the scope of ~LOOKUP_FOLLOW in that it applies to all path components. However, you can do openat2(NO_FOLLOW|NO_MAGICLINKS) on a magic-link and it will *not* fail (assuming that no parent component was a magic-link), and you will have an fd for the magic-link. * LOOKUP_BENEATH disallows escapes to outside the starting dirfd's tree, using techniques such as ".." or absolute links. Absolute paths in openat(2) are also disallowed. Conceptually this flag is to ensure you "stay below" a certain point in the filesystem tree -- but this requires some additional to protect against various races that would allow escape using "..". Currently LOOKUP_BENEATH implies LOOKUP_NO_MAGICLINKS, because it can trivially beam you around the filesystem (breaking the protection). In future, there might be similar safety checks done as in LOOKUP_IN_ROOT, but that requires more discussion. In addition, two new flags are added that expand on the above ideas: * LOOKUP_NO_SYMLINKS does what it says on the tin. No symlink resolution is allowed at all, including magic-links. Just as with LOOKUP_NO_MAGICLINKS this can still be used with NOFOLLOW to open an fd for the symlink as long as no parent path had a symlink component. * LOOKUP_IN_ROOT is an extension of LOOKUP_BENEATH that, rather than blocking attempts to move past the root, forces all such movements to be scoped to the starting point. This provides chroot(2)-like protection but without the cost of a chroot(2) for each filesystem operation, as well as being safe against race attacks that chroot(2) is not. If a race is detected (as with LOOKUP_BENEATH) then an error is generated, and similar to LOOKUP_BENEATH it is not permitted to cross magic-links with LOOKUP_IN_ROOT. The primary need for this is from container runtimes, which currently need to do symlink scoping in userspace[6] when opening paths in a potentially malicious container. There is a long list of CVEs that could have bene mitigated by having RESOLVE_THIS_ROOT (such as CVE-2017-1002101, CVE-2017-1002102, CVE-2018-15664, and CVE-2019-5736, just to name a few). And further, several semantics of file descriptor "re-opening" are now changed to prevent attacks like CVE-2019-5736 by restricting how magic-links can be resolved (based on their mode). This required some other changes to the semantics of the modes of O_PATH file descriptor's associated /proc/self/fd magic-links. openat2(2) has the ability to further restrict re-opening of its own O_PATH fds, so that users can make even better use of this feature. Finally, O_EMPTYPATH was added so that users can do /proc/self/fd-style re-opening without depending on procfs. The new restricted semantics for magic-links are applied here too. In order to make all of the above more usable, I'm working on libpathrs[7] which is a C-friendly library for safe path resolution. It features a userspace-emulated backend if the kernel doesn't support openat2(2). Hopefully we can get userspace to switch to using it, and thus get openat2(2) support for free once it's ready. Cc: Al Viro <viro(a)zeniv.linux.org.uk> Cc: Eric Biederman <ebiederm(a)xmission.com> Cc: Andy Lutomirski <luto(a)kernel.org> Cc: David Howells <dhowells(a)redhat.com> Cc: Jann Horn <jannh(a)google.com> Cc: Christian Brauner <christian(a)brauner.io> Cc: David Drysdale <drysdale(a)google.com> Cc: Tycho Andersen <tycho(a)tycho.ws> Cc: Kees Cook <keescook(a)chromium.org> Cc: Linus Torvalds <torvalds(a)linux-foundation.org> Cc: <containers(a)lists.linux-foundation.org> Cc: <linux-fsdevel(a)vger.kernel.org> Cc: <linux-api(a)vger.kernel.org> [1]: https://lwn.net/Articles/721443/ [2]: https://lore.kernel.org/patchwork/patch/784221/ [3]: https://lwn.net/Articles/619151/ [4]: https://lwn.net/Articles/603929/ [5]: https://lwn.net/Articles/723057/ [6]: https://github.com/cyphar/filepath-securejoin [7]: https://github.com/openSUSE/libpathrs Aleksa Sarai (9): namei: obey trailing magic-link DAC permissions procfs: switch magic-link modes to be more sane open: O_EMPTYPATH: procfs-less file descriptor re-opening namei: O_BENEATH-style path resolution flags namei: LOOKUP_IN_ROOT: chroot-like path resolution namei: aggressively check for nd->root escape on ".." resolution open: openat2(2) syscall kselftest: save-and-restore errno to allow for %m formatting selftests: add openat2(2) selftests Documentation/filesystems/path-lookup.rst | 12 +- arch/alpha/include/uapi/asm/fcntl.h | 1 + arch/alpha/kernel/syscalls/syscall.tbl | 1 + arch/arm/tools/syscall.tbl | 1 + arch/arm64/include/asm/unistd.h | 2 +- arch/arm64/include/asm/unistd32.h | 2 + arch/ia64/kernel/syscalls/syscall.tbl | 1 + arch/m68k/kernel/syscalls/syscall.tbl | 1 + arch/microblaze/kernel/syscalls/syscall.tbl | 1 + arch/mips/kernel/syscalls/syscall_n32.tbl | 1 + arch/mips/kernel/syscalls/syscall_n64.tbl | 1 + arch/mips/kernel/syscalls/syscall_o32.tbl | 1 + arch/parisc/include/uapi/asm/fcntl.h | 39 +- arch/parisc/kernel/syscalls/syscall.tbl | 1 + arch/powerpc/kernel/syscalls/syscall.tbl | 1 + arch/s390/kernel/syscalls/syscall.tbl | 1 + arch/sh/kernel/syscalls/syscall.tbl | 1 + arch/sparc/include/uapi/asm/fcntl.h | 1 + arch/sparc/kernel/syscalls/syscall.tbl | 1 + arch/x86/entry/syscalls/syscall_32.tbl | 1 + arch/x86/entry/syscalls/syscall_64.tbl | 1 + arch/xtensa/kernel/syscalls/syscall.tbl | 1 + fs/fcntl.c | 2 +- fs/internal.h | 1 + fs/namei.c | 270 ++++++++++-- fs/open.c | 112 ++++- fs/proc/base.c | 20 +- fs/proc/fd.c | 23 +- fs/proc/namespaces.c | 2 +- include/linux/fcntl.h | 17 +- include/linux/fs.h | 8 +- include/linux/namei.h | 9 + include/linux/syscalls.h | 17 +- include/uapi/asm-generic/fcntl.h | 4 + include/uapi/asm-generic/unistd.h | 4 +- include/uapi/linux/fcntl.h | 42 ++ tools/testing/selftests/Makefile | 1 + tools/testing/selftests/kselftest.h | 15 + tools/testing/selftests/memfd/memfd_test.c | 7 +- tools/testing/selftests/openat2/.gitignore | 1 + tools/testing/selftests/openat2/Makefile | 8 + tools/testing/selftests/openat2/helpers.c | 162 +++++++ tools/testing/selftests/openat2/helpers.h | 114 +++++ .../testing/selftests/openat2/linkmode_test.c | 326 ++++++++++++++ .../selftests/openat2/rename_attack_test.c | 124 ++++++ .../testing/selftests/openat2/resolve_test.c | 397 ++++++++++++++++++ 46 files changed, 1652 insertions(+), 107 deletions(-) create mode 100644 tools/testing/selftests/openat2/.gitignore create mode 100644 tools/testing/selftests/openat2/Makefile create mode 100644 tools/testing/selftests/openat2/helpers.c create mode 100644 tools/testing/selftests/openat2/helpers.h create mode 100644 tools/testing/selftests/openat2/linkmode_test.c create mode 100644 tools/testing/selftests/openat2/rename_attack_test.c create mode 100644 tools/testing/selftests/openat2/resolve_test.c -- 2.22.0

4 years, 9 months

2
12
0 0

[PATCH v9 00/10] namei: openat2(2) path resolution restrictions

by Aleksa Sarai

Patch changelog: v9: * Replace resolveat(2) with openat2(2). [Linus] * Output a warning to dmesg if may_open_magiclink() is violated. * Add an openat2(O_CREAT) testcase. v8: * Default to O_CLOEXEC to match other new fd-creation syscalls (users can always disable O_CLOEXEC afterwards). [Christian] * Implement magic-link restrictions based on their mode. This is done through a series of masks and is designed to avoid breaking users -- most users don't have chained O_PATH fd re-opens. * Add O_EMPTYPATH which allows for fd re-opening without needing procfs. This would help some users of fd re-opening, and with the changes to magic-link permissions we now have the right semantics for such a flag. * Add selftests for resolveat(2), O_EMPTYPATH, and the magic-link mode semantics. v7: * Remove execveat(2) support for these flags since it might result in some pretty hairy security issues with setuid binaries. There are other avenues we can go down to solve the issues with CVE-2019-5736. [Jann] * Reserve an additional bit in resolveat(2) for the eXecute access mode if we end up implementing it. v6: * Drop O_* flags API to the new LOOKUP_ path scoping bits and instead introduce resolveat(2) as an alternative method of obtaining an O_PATH. The justification for this is included in patch 6 (though switching back to O_* flags is trivial). v5: * In response to CVE-2019-5736 (one of the vectors showed that open(2)+fexec(3) cannot be used to scope binfmt_script's implicit open_exec()), AT_* flags have been re-added and are now piped through to binfmt_script (and other binfmt_* that use open_exec) but are only supported for execveat(2) for now. v4: * Remove AT_* flag reservations, as they require more discussion. * Switch to path_is_under() over __d_path() for breakout checking. * Make O_XDEV no longer block openat("/tmp", "/", O_XDEV) -- dirfd is now ignored for absolute paths to match other flags. * Improve the dirfd_path_init() refactor and move it to a separate commit. * Remove reference to Linux-capsicum. * Switch "proclink" name to magic-link. v3: [resend] v2: * Made ".." resolution with AT_THIS_ROOT and AT_BENEATH safe(r) with some semi-aggressive __d_path checking (see patch 3). * Disallowed "proclinks" with AT_THIS_ROOT and AT_BENEATH, in the hopes they can be re-enabled once safe. * Removed the selftests as they will be reimplemented as xfstests. * Removed stat(2) support, since you can already get it through O_PATH and fstatat(2). The need for some sort of control over VFS's path resolution (to avoid malicious paths resulting in inadvertent breakouts) has been a very long-standing desire of many userspace applications. This patchset is a revival of Al Viro's old AT_NO_JUMPS[1,2] patchset (which was a variant of David Drysdale's O_BENEATH patchset[3] which was a spin-off of the Capsicum project[4]) with a few additions and changes made based on the previous discussion within [5] as well as others I felt were useful. In line with the conclusions of the original discussion of AT_NO_JUMPS, the flag has been split up into separate flags. However, instead of being an openat(2) flag it is provided through a new syscall openat2(2) which provides an alternative way to get an O_PATH file descriptor (the reasoning for doing this is included in patch 6). The following new LOOKUP_ flags are added: * LOOKUP_XDEV blocks all mountpoint crossings (upwards, downwards, or through absolute links). Absolute pathnames alone in openat(2) do not trigger this. * LOOKUP_NO_MAGICLINKS blocks resolution through /proc/$pid/fd-style links. This is done by blocking the usage of nd_jump_link() during resolution in a filesystem. The term "magic-links" is used to match with the only reference to these links in Documentation/, but I'm happy to change the name. It should be noted that this is different to the scope of ~LOOKUP_FOLLOW in that it applies to all path components. However, you can do openat2(NO_FOLLOW|NO_MAGICLINKS) on a magic-link and it will *not* fail (assuming that no parent component was a magic-link), and you will have an fd for the magic-link. * LOOKUP_BENEATH disallows escapes to outside the starting dirfd's tree, using techniques such as ".." or absolute links. Absolute paths in openat(2) are also disallowed. Conceptually this flag is to ensure you "stay below" a certain point in the filesystem tree -- but this requires some additional to protect against various races that would allow escape using "..". Currently LOOKUP_BENEATH implies LOOKUP_NO_MAGICLINKS, because it can trivially beam you around the filesystem (breaking the protection). In future, there might be similar safety checks done as in LOOKUP_IN_ROOT, but that requires more discussion. In addition, two new flags are added that expand on the above ideas: * LOOKUP_NO_SYMLINKS does what it says on the tin. No symlink resolution is allowed at all, including magic-links. Just as with LOOKUP_NO_MAGICLINKS this can still be used with NOFOLLOW to open an fd for the symlink as long as no parent path had a symlink component. * LOOKUP_IN_ROOT is an extension of LOOKUP_BENEATH that, rather than blocking attempts to move past the root, forces all such movements to be scoped to the starting point. This provides chroot(2)-like protection but without the cost of a chroot(2) for each filesystem operation, as well as being safe against race attacks that chroot(2) is not. If a race is detected (as with LOOKUP_BENEATH) then an error is generated, and similar to LOOKUP_BENEATH it is not permitted to cross magic-links with LOOKUP_IN_ROOT. The primary need for this is from container runtimes, which currently need to do symlink scoping in userspace[6] when opening paths in a potentially malicious container. There is a long list of CVEs that could have bene mitigated by having O_THISROOT (such as CVE-2017-1002101, CVE-2017-1002102, CVE-2018-15664, and CVE-2019-5736, just to name a few). And further, several semantics of file descriptor "re-opening" are now changed to prevent attacks like CVE-2019-5736 by restricting how magic-links can be resolved (based on their mode). This required some other changes to the semantics of the modes of O_PATH file descriptor's associated /proc/self/fd magic-links. openat2(2) has the ability to further restrict re-opening of its own O_PATH fds, so that users can make even better use of this feature. Finally, O_EMPTYPATH was added so that users can do /proc/self/fd-style re-opening without depending on procfs. The new restricted semantics for magic-links are applied here too. In order to make all of the above more usable, I'm working on libpathrs[7] which is a C-friendly library for safe path resolution. It features a userspace-emulated backend if the kernel doesn't support openat2(2). Hopefully we can get userspace to switch to using it, and thus get openat2(2) support for free once it's ready. Cc: Al Viro <viro(a)zeniv.linux.org.uk> Cc: Eric Biederman <ebiederm(a)xmission.com> Cc: Andy Lutomirski <luto(a)kernel.org> Cc: David Howells <dhowells(a)redhat.com> Cc: Jann Horn <jannh(a)google.com> Cc: Christian Brauner <christian(a)brauner.io> Cc: David Drysdale <drysdale(a)google.com> Cc: Tycho Andersen <tycho(a)tycho.ws> Cc: Kees Cook <keescook(a)chromium.org> Cc: Linus Torvalds <torvalds(a)linux-foundation.org> Cc: <containers(a)lists.linux-foundation.org> Cc: <linux-fsdevel(a)vger.kernel.org> Cc: <linux-api(a)vger.kernel.org> [1]: https://lwn.net/Articles/721443/ [2]: https://lore.kernel.org/patchwork/patch/784221/ [3]: https://lwn.net/Articles/619151/ [4]: https://lwn.net/Articles/603929/ [5]: https://lwn.net/Articles/723057/ [6]: https://github.com/cyphar/filepath-securejoin [7]: https://github.com/openSUSE/libpathrs Aleksa Sarai (10): namei: obey trailing magic-link DAC permissions procfs: switch magic-link modes to be more sane open: O_EMPTYPATH: procfs-less file descriptor re-opening namei: split out nd->dfd handling to dirfd_path_init namei: O_BENEATH-style path resolution flags namei: LOOKUP_IN_ROOT: chroot-like path resolution namei: aggressively check for nd->root escape on ".." resolution open: openat2(2) syscall kselftest: save-and-restore errno to allow for %m formatting selftests: add openat2(2) selftests arch/alpha/kernel/syscalls/syscall.tbl | 1 + arch/arm/tools/syscall.tbl | 1 + arch/arm64/include/asm/unistd.h | 2 +- arch/arm64/include/asm/unistd32.h | 2 + arch/ia64/kernel/syscalls/syscall.tbl | 1 + arch/m68k/kernel/syscalls/syscall.tbl | 1 + arch/microblaze/kernel/syscalls/syscall.tbl | 1 + arch/mips/kernel/syscalls/syscall_n32.tbl | 1 + arch/mips/kernel/syscalls/syscall_n64.tbl | 1 + arch/mips/kernel/syscalls/syscall_o32.tbl | 1 + arch/parisc/kernel/syscalls/syscall.tbl | 1 + arch/powerpc/kernel/syscalls/syscall.tbl | 1 + arch/s390/kernel/syscalls/syscall.tbl | 1 + arch/sh/kernel/syscalls/syscall.tbl | 1 + arch/sparc/kernel/syscalls/syscall.tbl | 1 + arch/x86/entry/syscalls/syscall_32.tbl | 1 + arch/x86/entry/syscalls/syscall_64.tbl | 1 + arch/xtensa/kernel/syscalls/syscall.tbl | 1 + fs/fcntl.c | 2 +- fs/internal.h | 1 + fs/namei.c | 333 ++++++++++++--- fs/open.c | 140 +++++-- fs/proc/base.c | 20 +- fs/proc/fd.c | 23 +- fs/proc/namespaces.c | 2 +- include/linux/fcntl.h | 17 +- include/linux/fs.h | 8 +- include/linux/namei.h | 8 + include/linux/syscalls.h | 14 +- include/uapi/asm-generic/fcntl.h | 5 + include/uapi/asm-generic/unistd.h | 5 +- include/uapi/linux/fcntl.h | 38 ++ tools/testing/selftests/Makefile | 1 + tools/testing/selftests/kselftest.h | 15 + tools/testing/selftests/memfd/memfd_test.c | 7 +- tools/testing/selftests/openat2/.gitignore | 1 + tools/testing/selftests/openat2/Makefile | 12 + tools/testing/selftests/openat2/helpers.c | 162 +++++++ tools/testing/selftests/openat2/helpers.h | 114 +++++ .../testing/selftests/openat2/linkmode_test.c | 325 ++++++++++++++ .../selftests/openat2/rename_attack_test.c | 124 ++++++ .../testing/selftests/openat2/resolve_test.c | 395 ++++++++++++++++++ 42 files changed, 1667 insertions(+), 125 deletions(-) create mode 100644 tools/testing/selftests/openat2/.gitignore create mode 100644 tools/testing/selftests/openat2/Makefile create mode 100644 tools/testing/selftests/openat2/helpers.c create mode 100644 tools/testing/selftests/openat2/helpers.h create mode 100644 tools/testing/selftests/openat2/linkmode_test.c create mode 100644 tools/testing/selftests/openat2/rename_attack_test.c create mode 100644 tools/testing/selftests/openat2/resolve_test.c -- 2.22.0

4 years, 9 months

7
44
0 0

[PATCH AUTOSEL 5.2 226/249] selftests: bpf: fix inlines in test_lwt_seg6local

by Sasha Levin

From: Jiri Benc <jbenc(a)redhat.com> [ Upstream commit 11aca65ec4db09527d3e9b6b41a0615b7da4386b ] Selftests are reporting this failure in test_lwt_seg6local.sh: + ip netns exec ns2 ip -6 route add fb00::6 encap bpf in obj test_lwt_seg6local.o sec encap_srh dev veth2 Error fetching program/map! Failed to parse eBPF program: Operation not permitted The problem is __attribute__((always_inline)) alone is not enough to prevent clang from inserting those functions in .text. In that case, .text is not marked as relocateable. See the output of objdump -h test_lwt_seg6local.o: Idx Name Size VMA LMA File off Algn 0 .text 00003530 0000000000000000 0000000000000000 00000040 2**3 CONTENTS, ALLOC, LOAD, READONLY, CODE This causes the iproute bpf loader to fail in bpf_fetch_prog_sec: bpf_has_call_data returns true but bpf_fetch_prog_relo fails as there's no relocateable .text section in the file. To fix this, convert to 'static __always_inline'. v2: Use 'static __always_inline' instead of 'static inline __attribute__((always_inline))' Fixes: c99a84eac026 ("selftests/bpf: test for seg6local End.BPF action") Signed-off-by: Jiri Benc <jbenc(a)redhat.com> Acked-by: Yonghong Song <yhs(a)fb.com> Signed-off-by: Daniel Borkmann <daniel(a)iogearbox.net> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- .../testing/selftests/bpf/progs/test_lwt_seg6local.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/tools/testing/selftests/bpf/progs/test_lwt_seg6local.c b/tools/testing/selftests/bpf/progs/test_lwt_seg6local.c index 0575751bc1bc..e2f6ed0a583d 100644 --- a/tools/testing/selftests/bpf/progs/test_lwt_seg6local.c +++ b/tools/testing/selftests/bpf/progs/test_lwt_seg6local.c @@ -61,7 +61,7 @@ struct sr6_tlv_t { unsigned char value[0]; } BPF_PACKET_HEADER; -__attribute__((always_inline)) struct ip6_srh_t *get_srh(struct __sk_buff *skb) +static __always_inline struct ip6_srh_t *get_srh(struct __sk_buff *skb) { void *cursor, *data_end; struct ip6_srh_t *srh; @@ -95,7 +95,7 @@ __attribute__((always_inline)) struct ip6_srh_t *get_srh(struct __sk_buff *skb) return srh; } -__attribute__((always_inline)) +static __always_inline int update_tlv_pad(struct __sk_buff *skb, uint32_t new_pad, uint32_t old_pad, uint32_t pad_off) { @@ -125,7 +125,7 @@ int update_tlv_pad(struct __sk_buff *skb, uint32_t new_pad, return 0; } -__attribute__((always_inline)) +static __always_inline int is_valid_tlv_boundary(struct __sk_buff *skb, struct ip6_srh_t *srh, uint32_t *tlv_off, uint32_t *pad_size, uint32_t *pad_off) @@ -184,7 +184,7 @@ int is_valid_tlv_boundary(struct __sk_buff *skb, struct ip6_srh_t *srh, return 0; } -__attribute__((always_inline)) +static __always_inline int add_tlv(struct __sk_buff *skb, struct ip6_srh_t *srh, uint32_t tlv_off, struct sr6_tlv_t *itlv, uint8_t tlv_size) { @@ -228,7 +228,7 @@ int add_tlv(struct __sk_buff *skb, struct ip6_srh_t *srh, uint32_t tlv_off, return update_tlv_pad(skb, new_pad, pad_size, pad_off); } -__attribute__((always_inline)) +static __always_inline int delete_tlv(struct __sk_buff *skb, struct ip6_srh_t *srh, uint32_t tlv_off) { @@ -266,7 +266,7 @@ int delete_tlv(struct __sk_buff *skb, struct ip6_srh_t *srh, return update_tlv_pad(skb, new_pad, pad_size, pad_off); } -__attribute__((always_inline)) +static __always_inline int has_egr_tlv(struct __sk_buff *skb, struct ip6_srh_t *srh) { int tlv_offset = sizeof(struct ip6_t) + sizeof(struct ip6_srh_t) + -- 2.20.1

4 years, 9 months

3
6
0 0

2024

2023

2022

2021

2020

2019

2018

2017

Linux-kselftest-mirror July 2019