From: Roberto Sassu roberto.sassu@huawei.com
Add a missing fd modes check in map iterators, potentially causing unauthorized map writes by eBPF programs attached to the iterator. Use this patch set as an opportunity to start a discussion with the cgroup developers about whether a security check is missing or not for their iterator.
Also, extend libbpf with the _opts variant of bpf_*_get_fd_by_id(). Only bpf_map_get_fd_by_id_opts() is really useful in this patch set, to ensure that the creation of a map iterator fails with a read-only fd.
Add all variants in this patch set for symmetry with bpf_map_get_fd_by_id_opts(), and because all the variants share the same opts structure. Also, add all the variants here, to shrink the patch set fixing map permissions requested by bpftool, so that the remaining patches are only about the latter.
Finally, extend the bpf_iter test with the read-only fd check, and test each _opts variant of bpf_*_get_fd_by_id().
Roberto Sassu (7): bpf: Add missing fd modes check for map iterators libbpf: Define bpf_get_fd_opts and introduce bpf_map_get_fd_by_id_opts() libbpf: Introduce bpf_prog_get_fd_by_id_opts() libbpf: Introduce bpf_btf_get_fd_by_id_opts() libbpf: Introduce bpf_link_get_fd_by_id_opts() selftests/bpf: Ensure fd modes are checked for map iters and destroy links selftests/bpf: Add tests for _opts variants of libbpf
include/linux/bpf.h | 2 +- kernel/bpf/inode.c | 2 +- kernel/bpf/map_iter.c | 3 +- kernel/bpf/syscall.c | 8 +- net/core/bpf_sk_storage.c | 3 +- net/core/sock_map.c | 3 +- tools/lib/bpf/bpf.c | 47 +++++- tools/lib/bpf/bpf.h | 16 ++ tools/lib/bpf/libbpf.map | 10 +- tools/lib/bpf/libbpf_version.h | 2 +- .../selftests/bpf/prog_tests/bpf_iter.c | 34 +++- .../bpf/prog_tests/libbpf_get_fd_opts.c | 145 ++++++++++++++++++ .../bpf/progs/test_libbpf_get_fd_opts.c | 49 ++++++ 13 files changed, 309 insertions(+), 15 deletions(-) create mode 100644 tools/testing/selftests/bpf/prog_tests/libbpf_get_fd_opts.c create mode 100644 tools/testing/selftests/bpf/progs/test_libbpf_get_fd_opts.c
From: Roberto Sassu roberto.sassu@huawei.com
Commit 6e71b04a82248 ("bpf: Add file mode configuration into bpf maps") added the BPF_F_RDONLY and BPF_F_WRONLY flags, to let user space specify whether it will just read or modify a map.
Map access control is done in two steps. First, when user space wants to obtain a map fd, it provides to the kernel the eBPF-defined flags, which are converted into open flags and passed to the security_bpf_map() security hook for evaluation by LSMs.
Second, if user space successfully obtained an fd, it passes that fd to the kernel when it requests a map operation (e.g. lookup or update). The kernel first checks if the fd has the modes required to perform the requested operation and, if yes, continues the execution and returns the result to user space.
While the fd modes check was added for map_*_elem() functions, it is currently missing for map iterators, added more recently with commit a5cbe05a6673 ("bpf: Implement bpf iterator for map elements"). A map iterator executes a chosen eBPF program for each key/value pair of a map and allows that program to read and/or modify them.
Whether a map iterator allows only read or also write depends on whether the MEM_RDONLY flag in the ctx_arg_info member of the bpf_iter_reg structure is set. Also, write needs to be supported at verifier level (for example, it is currently not supported for sock maps).
Since map iterators obtain a map from a user space fd with bpf_map_get_with_uref(), add the new req_modes parameter to that function, so that map iterators can provide the required fd modes to access a map. If the user space fd doesn't include the required modes, bpf_map_get_with_uref() returns with an error, and the map iterator will not be created.
If a map iterator marks both the key and value as read-only, it calls bpf_map_get_with_uref() with FMODE_CAN_READ as value for req_modes. If it also allows write access to either the key or the value, it calls that function with FMODE_CAN_READ | FMODE_CAN_WRITE as value for req_modes, regardless of whether or not the write is supported by the verifier (the write is intentionally allowed).
bpf_fd_probe_obj() does not require any fd mode, as the fd is only used for the purpose of finding the eBPF object type, for pinning the object to the bpffs filesystem.
Finally, it is worth to mention that the fd modes check was not added for the cgroup iterator, although it registers an attach_target method like the other iterators. The reason is that the fd is not the only way for user space to reference a cgroup object (also by ID and by path). For the protection to be effective, all reference methods need to be evaluated consistently. This work is deferred to a separate patch.
Cc: stable@vger.kernel.org # 5.10.x Fixes: a5cbe05a6673 ("bpf: Implement bpf iterator for map elements") Signed-off-by: Roberto Sassu roberto.sassu@huawei.com --- include/linux/bpf.h | 2 +- kernel/bpf/inode.c | 2 +- kernel/bpf/map_iter.c | 3 ++- kernel/bpf/syscall.c | 8 +++++++- net/core/bpf_sk_storage.c | 3 ++- net/core/sock_map.c | 3 ++- 6 files changed, 15 insertions(+), 6 deletions(-)
diff --git a/include/linux/bpf.h b/include/linux/bpf.h index 9c1674973e03..6cd2ca910553 100644 --- a/include/linux/bpf.h +++ b/include/linux/bpf.h @@ -1628,7 +1628,7 @@ bool bpf_map_equal_kptr_off_tab(const struct bpf_map *map_a, const struct bpf_ma void bpf_map_free_kptrs(struct bpf_map *map, void *map_value);
struct bpf_map *bpf_map_get(u32 ufd); -struct bpf_map *bpf_map_get_with_uref(u32 ufd); +struct bpf_map *bpf_map_get_with_uref(u32 ufd, fmode_t req_modes); struct bpf_map *__bpf_map_get(struct fd f); void bpf_map_inc(struct bpf_map *map); void bpf_map_inc_with_uref(struct bpf_map *map); diff --git a/kernel/bpf/inode.c b/kernel/bpf/inode.c index 4f841e16779e..862e1caa8b0f 100644 --- a/kernel/bpf/inode.c +++ b/kernel/bpf/inode.c @@ -71,7 +71,7 @@ static void *bpf_fd_probe_obj(u32 ufd, enum bpf_type *type) { void *raw;
- raw = bpf_map_get_with_uref(ufd); + raw = bpf_map_get_with_uref(ufd, 0); if (!IS_ERR(raw)) { *type = BPF_TYPE_MAP; return raw; diff --git a/kernel/bpf/map_iter.c b/kernel/bpf/map_iter.c index b0fa190b0979..1143f8960135 100644 --- a/kernel/bpf/map_iter.c +++ b/kernel/bpf/map_iter.c @@ -110,7 +110,8 @@ static int bpf_iter_attach_map(struct bpf_prog *prog, if (!linfo->map.map_fd) return -EBADF;
- map = bpf_map_get_with_uref(linfo->map.map_fd); + map = bpf_map_get_with_uref(linfo->map.map_fd, + FMODE_CAN_READ | FMODE_CAN_WRITE); if (IS_ERR(map)) return PTR_ERR(map);
diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c index 4e9d4622aef7..4a2063d8e99c 100644 --- a/kernel/bpf/syscall.c +++ b/kernel/bpf/syscall.c @@ -1232,7 +1232,7 @@ struct bpf_map *bpf_map_get(u32 ufd) } EXPORT_SYMBOL(bpf_map_get);
-struct bpf_map *bpf_map_get_with_uref(u32 ufd) +struct bpf_map *bpf_map_get_with_uref(u32 ufd, fmode_t req_modes) { struct fd f = fdget(ufd); struct bpf_map *map; @@ -1241,7 +1241,13 @@ struct bpf_map *bpf_map_get_with_uref(u32 ufd) if (IS_ERR(map)) return map;
+ if ((map_get_sys_perms(map, f) & req_modes) != req_modes) { + map = ERR_PTR(-EPERM); + goto out; + } + bpf_map_inc_with_uref(map); +out: fdput(f);
return map; diff --git a/net/core/bpf_sk_storage.c b/net/core/bpf_sk_storage.c index 1b7f385643b4..bf9c6afed8ac 100644 --- a/net/core/bpf_sk_storage.c +++ b/net/core/bpf_sk_storage.c @@ -897,7 +897,8 @@ static int bpf_iter_attach_map(struct bpf_prog *prog, if (!linfo->map.map_fd) return -EBADF;
- map = bpf_map_get_with_uref(linfo->map.map_fd); + map = bpf_map_get_with_uref(linfo->map.map_fd, + FMODE_CAN_READ | FMODE_CAN_WRITE); if (IS_ERR(map)) return PTR_ERR(map);
diff --git a/net/core/sock_map.c b/net/core/sock_map.c index a660baedd9e7..7f7375dc39b2 100644 --- a/net/core/sock_map.c +++ b/net/core/sock_map.c @@ -1636,7 +1636,8 @@ static int sock_map_iter_attach_target(struct bpf_prog *prog, if (!linfo->map.map_fd) return -EBADF;
- map = bpf_map_get_with_uref(linfo->map.map_fd); + map = bpf_map_get_with_uref(linfo->map.map_fd, + FMODE_CAN_READ | FMODE_CAN_WRITE); if (IS_ERR(map)) return PTR_ERR(map);
On Tue, Sep 6, 2022 at 10:04 AM Roberto Sassu roberto.sassu@huaweicloud.com wrote:
From: Roberto Sassu roberto.sassu@huawei.com
Commit 6e71b04a82248 ("bpf: Add file mode configuration into bpf maps") added the BPF_F_RDONLY and BPF_F_WRONLY flags, to let user space specify whether it will just read or modify a map.
Map access control is done in two steps. First, when user space wants to obtain a map fd, it provides to the kernel the eBPF-defined flags, which are converted into open flags and passed to the security_bpf_map() security hook for evaluation by LSMs.
Second, if user space successfully obtained an fd, it passes that fd to the kernel when it requests a map operation (e.g. lookup or update). The kernel first checks if the fd has the modes required to perform the requested operation and, if yes, continues the execution and returns the result to user space.
While the fd modes check was added for map_*_elem() functions, it is currently missing for map iterators, added more recently with commit a5cbe05a6673 ("bpf: Implement bpf iterator for map elements"). A map iterator executes a chosen eBPF program for each key/value pair of a map and allows that program to read and/or modify them.
Whether a map iterator allows only read or also write depends on whether the MEM_RDONLY flag in the ctx_arg_info member of the bpf_iter_reg structure is set. Also, write needs to be supported at verifier level (for example, it is currently not supported for sock maps).
Since map iterators obtain a map from a user space fd with bpf_map_get_with_uref(), add the new req_modes parameter to that function, so that map iterators can provide the required fd modes to access a map. If the user space fd doesn't include the required modes, bpf_map_get_with_uref() returns with an error, and the map iterator will not be created.
If a map iterator marks both the key and value as read-only, it calls bpf_map_get_with_uref() with FMODE_CAN_READ as value for req_modes. If it also allows write access to either the key or the value, it calls that function with FMODE_CAN_READ | FMODE_CAN_WRITE as value for req_modes, regardless of whether or not the write is supported by the verifier (the write is intentionally allowed).
bpf_fd_probe_obj() does not require any fd mode, as the fd is only used for the purpose of finding the eBPF object type, for pinning the object to the bpffs filesystem.
Finally, it is worth to mention that the fd modes check was not added for the cgroup iterator, although it registers an attach_target method like the other iterators. The reason is that the fd is not the only way for user space to reference a cgroup object (also by ID and by path). For the protection to be effective, all reference methods need to be evaluated consistently. This work is deferred to a separate patch.
I think the current behavior is fine. File permissions don't apply at iterator level or prog level. fmode_can_read/write are for syscall commands only. To be fair we've added them to lookup/delete commands and it was more of a pain to maintain and no confirmed good use.
On Tue, 2022-09-06 at 11:21 -0700, Alexei Starovoitov wrote:
On Tue, Sep 6, 2022 at 10:04 AM Roberto Sassu roberto.sassu@huaweicloud.com wrote:
From: Roberto Sassu roberto.sassu@huawei.com
Commit 6e71b04a82248 ("bpf: Add file mode configuration into bpf maps") added the BPF_F_RDONLY and BPF_F_WRONLY flags, to let user space specify whether it will just read or modify a map.
Map access control is done in two steps. First, when user space wants to obtain a map fd, it provides to the kernel the eBPF-defined flags, which are converted into open flags and passed to the security_bpf_map() security hook for evaluation by LSMs.
Second, if user space successfully obtained an fd, it passes that fd to the kernel when it requests a map operation (e.g. lookup or update). The kernel first checks if the fd has the modes required to perform the requested operation and, if yes, continues the execution and returns the result to user space.
While the fd modes check was added for map_*_elem() functions, it is currently missing for map iterators, added more recently with commit a5cbe05a6673 ("bpf: Implement bpf iterator for map elements"). A map iterator executes a chosen eBPF program for each key/value pair of a map and allows that program to read and/or modify them.
Whether a map iterator allows only read or also write depends on whether the MEM_RDONLY flag in the ctx_arg_info member of the bpf_iter_reg structure is set. Also, write needs to be supported at verifier level (for example, it is currently not supported for sock maps).
Since map iterators obtain a map from a user space fd with bpf_map_get_with_uref(), add the new req_modes parameter to that function, so that map iterators can provide the required fd modes to access a map. If the user space fd doesn't include the required modes, bpf_map_get_with_uref() returns with an error, and the map iterator will not be created.
If a map iterator marks both the key and value as read-only, it calls bpf_map_get_with_uref() with FMODE_CAN_READ as value for req_modes. If it also allows write access to either the key or the value, it calls that function with FMODE_CAN_READ | FMODE_CAN_WRITE as value for req_modes, regardless of whether or not the write is supported by the verifier (the write is intentionally allowed).
bpf_fd_probe_obj() does not require any fd mode, as the fd is only used for the purpose of finding the eBPF object type, for pinning the object to the bpffs filesystem.
Finally, it is worth to mention that the fd modes check was not added for the cgroup iterator, although it registers an attach_target method like the other iterators. The reason is that the fd is not the only way for user space to reference a cgroup object (also by ID and by path). For the protection to be effective, all reference methods need to be evaluated consistently. This work is deferred to a separate patch.
I think the current behavior is fine. File permissions don't apply at iterator level or prog level.
+ Chenbo, linux-security-module
Well, if you write a security module to prevent writes on a map, and user space is able to do it anyway with an iterator, what is the purpose of the security module then?
fmode_can_read/write are for syscall commands only. To be fair we've added them to lookup/delete commands and it was more of a pain to maintain and no confirmed good use.
I think a good use would be requesting the right permission for the type of operation that needs to be performed, e.g. read-only permission when you have a read-like operation like a lookup or dump.
By always requesting read-write permission, for all operations, security modules won't be able to distinguish which operation has to be denied to satisfy the policy.
One example of that is that, when there is a security module preventing writes on maps (will be that uncommon?), bpftool is not able to show the full list of maps because it asks for read-write permission for getting the map info.
Freezing the map is not a solution, if you want to allow certain subjects to continuously update the protected map at run-time.
Roberto
On Wed, Sep 7, 2022 at 1:03 AM Roberto Sassu roberto.sassu@huaweicloud.com wrote:
On Tue, 2022-09-06 at 11:21 -0700, Alexei Starovoitov wrote:
On Tue, Sep 6, 2022 at 10:04 AM Roberto Sassu roberto.sassu@huaweicloud.com wrote:
From: Roberto Sassu roberto.sassu@huawei.com
Commit 6e71b04a82248 ("bpf: Add file mode configuration into bpf maps") added the BPF_F_RDONLY and BPF_F_WRONLY flags, to let user space specify whether it will just read or modify a map.
Map access control is done in two steps. First, when user space wants to obtain a map fd, it provides to the kernel the eBPF-defined flags, which are converted into open flags and passed to the security_bpf_map() security hook for evaluation by LSMs.
Second, if user space successfully obtained an fd, it passes that fd to the kernel when it requests a map operation (e.g. lookup or update). The kernel first checks if the fd has the modes required to perform the requested operation and, if yes, continues the execution and returns the result to user space.
While the fd modes check was added for map_*_elem() functions, it is currently missing for map iterators, added more recently with commit a5cbe05a6673 ("bpf: Implement bpf iterator for map elements"). A map iterator executes a chosen eBPF program for each key/value pair of a map and allows that program to read and/or modify them.
Whether a map iterator allows only read or also write depends on whether the MEM_RDONLY flag in the ctx_arg_info member of the bpf_iter_reg structure is set. Also, write needs to be supported at verifier level (for example, it is currently not supported for sock maps).
Since map iterators obtain a map from a user space fd with bpf_map_get_with_uref(), add the new req_modes parameter to that function, so that map iterators can provide the required fd modes to access a map. If the user space fd doesn't include the required modes, bpf_map_get_with_uref() returns with an error, and the map iterator will not be created.
If a map iterator marks both the key and value as read-only, it calls bpf_map_get_with_uref() with FMODE_CAN_READ as value for req_modes. If it also allows write access to either the key or the value, it calls that function with FMODE_CAN_READ | FMODE_CAN_WRITE as value for req_modes, regardless of whether or not the write is supported by the verifier (the write is intentionally allowed).
bpf_fd_probe_obj() does not require any fd mode, as the fd is only used for the purpose of finding the eBPF object type, for pinning the object to the bpffs filesystem.
Finally, it is worth to mention that the fd modes check was not added for the cgroup iterator, although it registers an attach_target method like the other iterators. The reason is that the fd is not the only way for user space to reference a cgroup object (also by ID and by path). For the protection to be effective, all reference methods need to be evaluated consistently. This work is deferred to a separate patch.
I think the current behavior is fine. File permissions don't apply at iterator level or prog level.
- Chenbo, linux-security-module
Well, if you write a security module to prevent writes on a map, and user space is able to do it anyway with an iterator, what is the purpose of the security module then?
sounds like a broken "security module" and nothing else.
fmode_can_read/write are for syscall commands only. To be fair we've added them to lookup/delete commands and it was more of a pain to maintain and no confirmed good use.
I think a good use would be requesting the right permission for the type of operation that needs to be performed, e.g. read-only permission when you have a read-like operation like a lookup or dump.
By always requesting read-write permission, for all operations, security modules won't be able to distinguish which operation has to be denied to satisfy the policy.
One example of that is that, when there is a security module preventing writes on maps (will be that uncommon?),
lsm that prevents writes into bpf maps? That's a convoluted design. You can try to implement such an lsm, but expect lots of challenges.
bpftool is not able to show the full list of maps because it asks for read-write permission for getting the map info.
completely orthogonal issue.
Freezing the map is not a solution, if you want to allow certain subjects to continuously update the protected map at run-time.
Roberto
On Wed, 2022-09-07 at 09:02 -0700, Alexei Starovoitov wrote:
[...]
Well, if you write a security module to prevent writes on a map, and user space is able to do it anyway with an iterator, what is the purpose of the security module then?
sounds like a broken "security module" and nothing else.
Ok, if a custom security module does not convince you, let me make a small example with SELinux.
I created a small map iterator that sets every value of a map to 5:
SEC("iter/bpf_map_elem") int write_bpf_hash_map(struct bpf_iter__bpf_map_elem *ctx) { u32 *key = ctx->key; u8 *val = ctx->value;
if (key == NULL || val == NULL) return 0;
*val = 5; return 0; }
I create and pin a map:
# bpftool map create /sys/fs/bpf/map type array key 4 value 1 entries 1 name test
Initially, the content of the map looks like:
# bpftool map dump pinned /sys/fs/bpf/map key: 00 00 00 00 value: 00 Found 1 element
I then created a new SELinux type bpftool_test_t, which has only read permission on maps:
# sesearch -A -s bpftool_test_t -t unconfined_t -c bpf allow bpftool_test_t unconfined_t:bpf map_read;
So, what I expect is that this type is not able to write to the map.
Indeed, the current bpftool is not able to do it:
# strace -f -etrace=bpf runcon -t bpftool_test_t bpftool iter pin writer.o /sys/fs/bpf/iter map pinned /sys/fs/bpf/map bpf(BPF_OBJ_GET, {pathname="/sys/fs/bpf/map", bpf_fd=0, file_flags=0}, 144) = -1 EACCES (Permission denied) Error: bpf obj get (/sys/fs/bpf): Permission denied
This happens because the current bpftool requests to access the map with read-write permission, and SELinux denies it:
# cat /var/log/audit/audit.log|audit2allow
#============= bpftool_test_t ============== allow bpftool_test_t unconfined_t:bpf map_write;
The command failed, and the content of the map is still:
# bpftool map dump pinned /sys/fs/bpf/map key: 00 00 00 00 value: 00 Found 1 element
Now, what I will do is to use a slightly modified version of bpftool which requests read-only access to the map instead:
# strace -f -etrace=bpf runcon -t bpftool_test_t ./bpftool iter pin writer.o /sys/fs/bpf/iter map pinned /sys/fs/bpf/map bpf(BPF_OBJ_GET, {pathname="/sys/fs/bpf/map", bpf_fd=0, file_flags=BPF_F_RDONLY}, 16) = 3 libbpf: elf: skipping unrecognized data section(5) .eh_frame libbpf: elf: skipping relo section(6) .rel.eh_frame for section(5) .eh_frame
...
bpf(BPF_LINK_CREATE, {link_create={prog_fd=4, target_fd=0, attach_type=BPF_TRACE_ITER, flags=0}, ...}, 48) = 5 bpf(BPF_OBJ_PIN, {pathname="/sys/fs/bpf/iter", bpf_fd=5, file_flags=0}, 16) = 0
That worked, because SELinux grants read-only permission to bpftool_test_t. However, the map iterator does not check how the fd was obtained, and thus allows the iterator to be created.
At this point, we have write access, despite not having the right to do it:
# cat /sys/fs/bpf/iter # bpftool map dump pinned /sys/fs/bpf/map key: 00 00 00 00 value: 05 Found 1 element
The iterator updated the map value.
The patch I'm proposing checks how the map fd was obtained, and if its modes are compatible with the operations an attached program is allowed to do. If the fd does not have the required modes, eBPF denies the creation of the map iterator.
After patching the kernel, I try to run the modified bpftool again:
# strace -f -etrace=bpf runcon -t bpftool_test_t ./bpftool iter pin writer.o /sys/fs/bpf/iter map pinned /sys/fs/bpf/map bpf(BPF_OBJ_GET, {pathname="/sys/fs/bpf/map", bpf_fd=0, file_flags=BPF_F_RDONLY}, 16) = 3 libbpf: elf: skipping unrecognized data section(5) .eh_frame libbpf: elf: skipping relo section(6) .rel.eh_frame for section(5) .eh_frame
...
bpf(BPF_LINK_CREATE, {link_create={prog_fd=4, target_fd=0, attach_type=BPF_TRACE_ITER, flags=0}, ...}, 48) = -1 EPERM (Operation not permitted) libbpf: prog 'write_bpf_hash_map': failed to attach to iterator: Operation not permitted Error: attach_iter failed for program write_bpf_hash_map
The map iterator cannot be created and the map is not updated:
# bpftool map dump pinned /sys/fs/bpf/map key: 00 00 00 00 value: 00 Found 1 element
Roberto
On Thu, Sep 8, 2022 at 6:59 AM Roberto Sassu roberto.sassu@huaweicloud.com wrote:
On Wed, 2022-09-07 at 09:02 -0700, Alexei Starovoitov wrote:
[...]
Well, if you write a security module to prevent writes on a map, and user space is able to do it anyway with an iterator, what is the purpose of the security module then?
sounds like a broken "security module" and nothing else.
Ok, if a custom security module does not convince you, let me make a small example with SELinux.
I created a small map iterator that sets every value of a map to 5:
SEC("iter/bpf_map_elem") int write_bpf_hash_map(struct bpf_iter__bpf_map_elem *ctx) { u32 *key = ctx->key; u8 *val = ctx->value;
if (key == NULL || val == NULL) return 0; *val = 5; return 0;}
I create and pin a map:
# bpftool map create /sys/fs/bpf/map type array key 4 value 1 entries 1 name test
Initially, the content of the map looks like:
# bpftool map dump pinned /sys/fs/bpf/map key: 00 00 00 00 value: 00 Found 1 element
I then created a new SELinux type bpftool_test_t, which has only read permission on maps:
# sesearch -A -s bpftool_test_t -t unconfined_t -c bpf allow bpftool_test_t unconfined_t:bpf map_read;
So, what I expect is that this type is not able to write to the map.
Indeed, the current bpftool is not able to do it:
# strace -f -etrace=bpf runcon -t bpftool_test_t bpftool iter pin writer.o /sys/fs/bpf/iter map pinned /sys/fs/bpf/map bpf(BPF_OBJ_GET, {pathname="/sys/fs/bpf/map", bpf_fd=0, file_flags=0}, 144) = -1 EACCES (Permission denied) Error: bpf obj get (/sys/fs/bpf): Permission denied
This happens because the current bpftool requests to access the map with read-write permission, and SELinux denies it:
# cat /var/log/audit/audit.log|audit2allow
#============= bpftool_test_t ============== allow bpftool_test_t unconfined_t:bpf map_write;
The command failed, and the content of the map is still:
# bpftool map dump pinned /sys/fs/bpf/map key: 00 00 00 00 value: 00 Found 1 element
Now, what I will do is to use a slightly modified version of bpftool which requests read-only access to the map instead:
# strace -f -etrace=bpf runcon -t bpftool_test_t ./bpftool iter pin writer.o /sys/fs/bpf/iter map pinned /sys/fs/bpf/map bpf(BPF_OBJ_GET, {pathname="/sys/fs/bpf/map", bpf_fd=0, file_flags=BPF_F_RDONLY}, 16) = 3 libbpf: elf: skipping unrecognized data section(5) .eh_frame libbpf: elf: skipping relo section(6) .rel.eh_frame for section(5) .eh_frame
...
bpf(BPF_LINK_CREATE, {link_create={prog_fd=4, target_fd=0, attach_type=BPF_TRACE_ITER, flags=0}, ...}, 48) = 5 bpf(BPF_OBJ_PIN, {pathname="/sys/fs/bpf/iter", bpf_fd=5, file_flags=0}, 16) = 0
That worked, because SELinux grants read-only permission to bpftool_test_t. However, the map iterator does not check how the fd was obtained, and thus allows the iterator to be created.
At this point, we have write access, despite not having the right to do it:
That is a wrong assumption to begin with. Having an fd to a bpf object (map, link, prog) allows access. read/write sort-of applicable to maps, but not so much to progs, links. That file based read/write flag is only for user processes. bpf progs always had separate flags for that. See BPF_F_RDONLY vs BPF_F_RDONLY_PROG. One doesn't imply the other.
From: Roberto Sassu roberto.sassu@huawei.com
Define a new data structure called bpf_get_fd_opts, with the member open_flags, to be used by callers of the _opts variants of bpf_*_get_fd_by_id() to specify the permissions needed for the file descriptor to be obtained.
Also, introduce bpf_map_get_fd_by_id_opts(), to let the caller pass a bpf_get_fd_opts structure.
Finally, keep the existing bpf_map_get_fd_by_id(), and call bpf_map_get_fd_by_id_opts() with NULL as opts argument, to request read-write permissions (current behavior).
Signed-off-by: Roberto Sassu roberto.sassu@huawei.com --- tools/lib/bpf/bpf.c | 12 +++++++++++- tools/lib/bpf/bpf.h | 10 ++++++++++ tools/lib/bpf/libbpf.map | 7 ++++++- tools/lib/bpf/libbpf_version.h | 2 +- 4 files changed, 28 insertions(+), 3 deletions(-)
diff --git a/tools/lib/bpf/bpf.c b/tools/lib/bpf/bpf.c index 1d49a0352836..4b03063edf1d 100644 --- a/tools/lib/bpf/bpf.c +++ b/tools/lib/bpf/bpf.c @@ -948,19 +948,29 @@ int bpf_prog_get_fd_by_id(__u32 id) return libbpf_err_errno(fd); }
-int bpf_map_get_fd_by_id(__u32 id) +int bpf_map_get_fd_by_id_opts(__u32 id, + const struct bpf_get_fd_opts *opts) { const size_t attr_sz = offsetofend(union bpf_attr, open_flags); union bpf_attr attr; int fd;
+ if (!OPTS_VALID(opts, bpf_get_fd_opts)) + return libbpf_err(-EINVAL); + memset(&attr, 0, attr_sz); attr.map_id = id; + attr.open_flags = OPTS_GET(opts, open_flags, 0);
fd = sys_bpf_fd(BPF_MAP_GET_FD_BY_ID, &attr, attr_sz); return libbpf_err_errno(fd); }
+int bpf_map_get_fd_by_id(__u32 id) +{ + return bpf_map_get_fd_by_id_opts(id, NULL); +} + int bpf_btf_get_fd_by_id(__u32 id) { const size_t attr_sz = offsetofend(union bpf_attr, open_flags); diff --git a/tools/lib/bpf/bpf.h b/tools/lib/bpf/bpf.h index 9c50beabdd14..38a1b7eccfc8 100644 --- a/tools/lib/bpf/bpf.h +++ b/tools/lib/bpf/bpf.h @@ -365,7 +365,17 @@ LIBBPF_API int bpf_prog_get_next_id(__u32 start_id, __u32 *next_id); LIBBPF_API int bpf_map_get_next_id(__u32 start_id, __u32 *next_id); LIBBPF_API int bpf_btf_get_next_id(__u32 start_id, __u32 *next_id); LIBBPF_API int bpf_link_get_next_id(__u32 start_id, __u32 *next_id); + +struct bpf_get_fd_opts { + size_t sz; /* size of this struct for forward/backward compatibility */ + __u32 open_flags; /* permissions requested for the operation on fd */ + __u32 :0; +}; +#define bpf_get_fd_opts__last_field open_flags + LIBBPF_API int bpf_prog_get_fd_by_id(__u32 id); +LIBBPF_API int bpf_map_get_fd_by_id_opts(__u32 id, + const struct bpf_get_fd_opts *opts); LIBBPF_API int bpf_map_get_fd_by_id(__u32 id); LIBBPF_API int bpf_btf_get_fd_by_id(__u32 id); LIBBPF_API int bpf_link_get_fd_by_id(__u32 id); diff --git a/tools/lib/bpf/libbpf.map b/tools/lib/bpf/libbpf.map index 2b928dc21af0..8721829f9c41 100644 --- a/tools/lib/bpf/libbpf.map +++ b/tools/lib/bpf/libbpf.map @@ -367,4 +367,9 @@ LIBBPF_1.0.0 { libbpf_bpf_map_type_str; libbpf_bpf_prog_type_str; perf_buffer__buffer; -}; +} LIBBPF_0.8.0; + +LIBBPF_1.1.0 { + global: + bpf_map_get_fd_by_id_opts; +} LIBBPF_1.0.0; diff --git a/tools/lib/bpf/libbpf_version.h b/tools/lib/bpf/libbpf_version.h index 2fb2f4290080..e944f5bce728 100644 --- a/tools/lib/bpf/libbpf_version.h +++ b/tools/lib/bpf/libbpf_version.h @@ -4,6 +4,6 @@ #define __LIBBPF_VERSION_H
#define LIBBPF_MAJOR_VERSION 1 -#define LIBBPF_MINOR_VERSION 0 +#define LIBBPF_MINOR_VERSION 1
#endif /* __LIBBPF_VERSION_H */
From: Roberto Sassu roberto.sassu@huawei.com
Introduce bpf_prog_get_fd_by_id_opts(), for symmetry with bpf_map_get_fd_by_id_opts(), to let the caller pass the newly introduced data structure bpf_get_fd_opts. Keep the existing bpf_prog_get_fd_by_id(), and call bpf_prog_get_fd_by_id_opts() with NULL as opts argument, to prevent setting open_flags.
Currently, the kernel does not support non-zero open_flags for bpf_prog_get_fd_by_id_opts(), and a call with them will result in an error returned by the bpf() system call. The caller should always pass zero open_flags.
Signed-off-by: Roberto Sassu roberto.sassu@huawei.com --- tools/lib/bpf/bpf.c | 11 ++++++++++- tools/lib/bpf/bpf.h | 2 ++ tools/lib/bpf/libbpf.map | 1 + 3 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/tools/lib/bpf/bpf.c b/tools/lib/bpf/bpf.c index 4b03063edf1d..92464c2d1da7 100644 --- a/tools/lib/bpf/bpf.c +++ b/tools/lib/bpf/bpf.c @@ -935,19 +935,28 @@ int bpf_link_get_next_id(__u32 start_id, __u32 *next_id) return bpf_obj_get_next_id(start_id, next_id, BPF_LINK_GET_NEXT_ID); }
-int bpf_prog_get_fd_by_id(__u32 id) +int bpf_prog_get_fd_by_id_opts(__u32 id, const struct bpf_get_fd_opts *opts) { const size_t attr_sz = offsetofend(union bpf_attr, open_flags); union bpf_attr attr; int fd;
+ if (!OPTS_VALID(opts, bpf_get_fd_opts)) + return libbpf_err(-EINVAL); + memset(&attr, 0, attr_sz); attr.prog_id = id; + attr.open_flags = OPTS_GET(opts, open_flags, 0);
fd = sys_bpf_fd(BPF_PROG_GET_FD_BY_ID, &attr, attr_sz); return libbpf_err_errno(fd); }
+int bpf_prog_get_fd_by_id(__u32 id) +{ + return bpf_prog_get_fd_by_id_opts(id, NULL); +} + int bpf_map_get_fd_by_id_opts(__u32 id, const struct bpf_get_fd_opts *opts) { diff --git a/tools/lib/bpf/bpf.h b/tools/lib/bpf/bpf.h index 38a1b7eccfc8..9471c6e05b83 100644 --- a/tools/lib/bpf/bpf.h +++ b/tools/lib/bpf/bpf.h @@ -373,6 +373,8 @@ struct bpf_get_fd_opts { }; #define bpf_get_fd_opts__last_field open_flags
+LIBBPF_API int bpf_prog_get_fd_by_id_opts(__u32 id, + const struct bpf_get_fd_opts *opts); LIBBPF_API int bpf_prog_get_fd_by_id(__u32 id); LIBBPF_API int bpf_map_get_fd_by_id_opts(__u32 id, const struct bpf_get_fd_opts *opts); diff --git a/tools/lib/bpf/libbpf.map b/tools/lib/bpf/libbpf.map index 8721829f9c41..823aee68dc4e 100644 --- a/tools/lib/bpf/libbpf.map +++ b/tools/lib/bpf/libbpf.map @@ -372,4 +372,5 @@ LIBBPF_1.0.0 { LIBBPF_1.1.0 { global: bpf_map_get_fd_by_id_opts; + bpf_prog_get_fd_by_id_opts; } LIBBPF_1.0.0;
From: Roberto Sassu roberto.sassu@huawei.com
Introduce bpf_btf_get_fd_by_id_opts(), for symmetry with bpf_map_get_fd_by_id_opts(), to let the caller pass the newly introduced data structure bpf_get_fd_opts. Keep the existing bpf_btf_get_fd_by_id(), and call bpf_btf_get_fd_by_id_opts() with NULL as opts argument, to prevent setting open_flags.
Currently, the kernel does not support non-zero open_flags for bpf_btf_get_fd_by_id_opts(), and a call with them will result in an error returned by the bpf() system call. The caller should always pass zero open_flags.
Signed-off-by: Roberto Sassu roberto.sassu@huawei.com --- tools/lib/bpf/bpf.c | 12 +++++++++++- tools/lib/bpf/bpf.h | 2 ++ tools/lib/bpf/libbpf.map | 1 + 3 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/tools/lib/bpf/bpf.c b/tools/lib/bpf/bpf.c index 92464c2d1da7..f43e8c8afbd3 100644 --- a/tools/lib/bpf/bpf.c +++ b/tools/lib/bpf/bpf.c @@ -980,19 +980,29 @@ int bpf_map_get_fd_by_id(__u32 id) return bpf_map_get_fd_by_id_opts(id, NULL); }
-int bpf_btf_get_fd_by_id(__u32 id) +int bpf_btf_get_fd_by_id_opts(__u32 id, + const struct bpf_get_fd_opts *opts) { const size_t attr_sz = offsetofend(union bpf_attr, open_flags); union bpf_attr attr; int fd;
+ if (!OPTS_VALID(opts, bpf_get_fd_opts)) + return libbpf_err(-EINVAL); + memset(&attr, 0, attr_sz); attr.btf_id = id; + attr.open_flags = OPTS_GET(opts, open_flags, 0);
fd = sys_bpf_fd(BPF_BTF_GET_FD_BY_ID, &attr, attr_sz); return libbpf_err_errno(fd); }
+int bpf_btf_get_fd_by_id(__u32 id) +{ + return bpf_btf_get_fd_by_id_opts(id, NULL); +} + int bpf_link_get_fd_by_id(__u32 id) { const size_t attr_sz = offsetofend(union bpf_attr, open_flags); diff --git a/tools/lib/bpf/bpf.h b/tools/lib/bpf/bpf.h index 9471c6e05b83..35c0cc6ed71b 100644 --- a/tools/lib/bpf/bpf.h +++ b/tools/lib/bpf/bpf.h @@ -379,6 +379,8 @@ LIBBPF_API int bpf_prog_get_fd_by_id(__u32 id); LIBBPF_API int bpf_map_get_fd_by_id_opts(__u32 id, const struct bpf_get_fd_opts *opts); LIBBPF_API int bpf_map_get_fd_by_id(__u32 id); +LIBBPF_API int bpf_btf_get_fd_by_id_opts(__u32 id, + const struct bpf_get_fd_opts *opts); LIBBPF_API int bpf_btf_get_fd_by_id(__u32 id); LIBBPF_API int bpf_link_get_fd_by_id(__u32 id); LIBBPF_API int bpf_obj_get_info_by_fd(int bpf_fd, void *info, __u32 *info_len); diff --git a/tools/lib/bpf/libbpf.map b/tools/lib/bpf/libbpf.map index 823aee68dc4e..7db2d963cb55 100644 --- a/tools/lib/bpf/libbpf.map +++ b/tools/lib/bpf/libbpf.map @@ -371,6 +371,7 @@ LIBBPF_1.0.0 {
LIBBPF_1.1.0 { global: + bpf_btf_get_fd_by_id_opts; bpf_map_get_fd_by_id_opts; bpf_prog_get_fd_by_id_opts; } LIBBPF_1.0.0;
From: Roberto Sassu roberto.sassu@huawei.com
Introduce bpf_link_get_fd_by_id_opts(), for symmetry with bpf_map_get_fd_by_id_opts(), to let the caller pass the newly introduced data structure bpf_get_fd_opts. Keep the existing bpf_link_get_fd_by_id(), and call bpf_link_get_fd_by_id_opts() with NULL as opts argument, to prevent setting open_flags.
Currently, the kernel does not support non-zero open_flags for bpf_link_get_fd_by_id_opts(), and a call with them will result in an error returned by the bpf() system call. The caller should always pass zero open_flags.
Signed-off-by: Roberto Sassu roberto.sassu@huawei.com --- tools/lib/bpf/bpf.c | 12 +++++++++++- tools/lib/bpf/bpf.h | 2 ++ tools/lib/bpf/libbpf.map | 1 + 3 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/tools/lib/bpf/bpf.c b/tools/lib/bpf/bpf.c index f43e8c8afbd3..f3d89a2bdb50 100644 --- a/tools/lib/bpf/bpf.c +++ b/tools/lib/bpf/bpf.c @@ -1003,19 +1003,29 @@ int bpf_btf_get_fd_by_id(__u32 id) return bpf_btf_get_fd_by_id_opts(id, NULL); }
-int bpf_link_get_fd_by_id(__u32 id) +int bpf_link_get_fd_by_id_opts(__u32 id, + const struct bpf_get_fd_opts *opts) { const size_t attr_sz = offsetofend(union bpf_attr, open_flags); union bpf_attr attr; int fd;
+ if (!OPTS_VALID(opts, bpf_get_fd_opts)) + return libbpf_err(-EINVAL); + memset(&attr, 0, attr_sz); attr.link_id = id; + attr.open_flags = OPTS_GET(opts, open_flags, 0);
fd = sys_bpf_fd(BPF_LINK_GET_FD_BY_ID, &attr, attr_sz); return libbpf_err_errno(fd); }
+int bpf_link_get_fd_by_id(__u32 id) +{ + return bpf_link_get_fd_by_id_opts(id, NULL); +} + int bpf_obj_get_info_by_fd(int bpf_fd, void *info, __u32 *info_len) { const size_t attr_sz = offsetofend(union bpf_attr, info); diff --git a/tools/lib/bpf/bpf.h b/tools/lib/bpf/bpf.h index 35c0cc6ed71b..04813e5ac309 100644 --- a/tools/lib/bpf/bpf.h +++ b/tools/lib/bpf/bpf.h @@ -382,6 +382,8 @@ LIBBPF_API int bpf_map_get_fd_by_id(__u32 id); LIBBPF_API int bpf_btf_get_fd_by_id_opts(__u32 id, const struct bpf_get_fd_opts *opts); LIBBPF_API int bpf_btf_get_fd_by_id(__u32 id); +LIBBPF_API int bpf_link_get_fd_by_id_opts(__u32 id, + const struct bpf_get_fd_opts *opts); LIBBPF_API int bpf_link_get_fd_by_id(__u32 id); LIBBPF_API int bpf_obj_get_info_by_fd(int bpf_fd, void *info, __u32 *info_len);
diff --git a/tools/lib/bpf/libbpf.map b/tools/lib/bpf/libbpf.map index 7db2d963cb55..e52816e2555a 100644 --- a/tools/lib/bpf/libbpf.map +++ b/tools/lib/bpf/libbpf.map @@ -372,6 +372,7 @@ LIBBPF_1.0.0 { LIBBPF_1.1.0 { global: bpf_btf_get_fd_by_id_opts; + bpf_link_get_fd_by_id_opts; bpf_map_get_fd_by_id_opts; bpf_prog_get_fd_by_id_opts; } LIBBPF_1.0.0;
From: Roberto Sassu roberto.sassu@huawei.com
Add an additional check in do_read_map_iter_fd(), to ensure that map iterators requiring read-write access to a map cannot be created when they receive as input a read-only fd. Do it for array maps, sk storage maps and sock maps.
Allowing that operation could result in a map update operation not authorized by LSMs (since they were asked for read-only access).
Finally, destroy the link when it is not supposed to be created.
Signed-off-by: Roberto Sassu roberto.sassu@huawei.com --- .../selftests/bpf/prog_tests/bpf_iter.c | 34 +++++++++++++++++-- 1 file changed, 31 insertions(+), 3 deletions(-)
diff --git a/tools/testing/selftests/bpf/prog_tests/bpf_iter.c b/tools/testing/selftests/bpf/prog_tests/bpf_iter.c index e89685bd587c..b2d067d38f47 100644 --- a/tools/testing/selftests/bpf/prog_tests/bpf_iter.c +++ b/tools/testing/selftests/bpf/prog_tests/bpf_iter.c @@ -72,10 +72,38 @@ static void do_read_map_iter_fd(struct bpf_object_skeleton **skel, struct bpf_pr struct bpf_map *map) { DECLARE_LIBBPF_OPTS(bpf_iter_attach_opts, opts); + struct bpf_map_info info_m = { 0 }; + __u32 info_m_len = sizeof(info_m); union bpf_iter_link_info linfo; struct bpf_link *link; char buf[16] = {}; int iter_fd, len; + int ret, fd; + + DECLARE_LIBBPF_OPTS(bpf_get_fd_opts, fd_opts_rdonly, + .open_flags = BPF_F_RDONLY, + ); + + ret = bpf_obj_get_info_by_fd(bpf_map__fd(map), &info_m, &info_m_len); + if (!ASSERT_OK(ret, "bpf_obj_get_info_by_fd")) + return; + + fd = bpf_map_get_fd_by_id_opts(info_m.id, &fd_opts_rdonly); + if (!ASSERT_GE(fd, 0, "bpf_map_get_fd_by_id_opts")) + return; + + memset(&linfo, 0, sizeof(linfo)); + linfo.map.map_fd = fd; + opts.link_info = &linfo; + opts.link_info_len = sizeof(linfo); + link = bpf_program__attach_iter(prog, &opts); + + close(fd); + + if (!ASSERT_ERR_PTR(link, "attach_map_iter")) { + bpf_link__destroy(link); + return; + }
memset(&linfo, 0, sizeof(linfo)); linfo.map.map_fd = bpf_map__fd(map); @@ -656,12 +684,12 @@ static void test_bpf_hash_map(void) opts.link_info_len = sizeof(linfo); link = bpf_program__attach_iter(skel->progs.dump_bpf_hash_map, &opts); if (!ASSERT_ERR_PTR(link, "attach_iter")) - goto out; + goto free_link;
linfo.map.map_fd = bpf_map__fd(skel->maps.hashmap3); link = bpf_program__attach_iter(skel->progs.dump_bpf_hash_map, &opts); if (!ASSERT_ERR_PTR(link, "attach_iter")) - goto out; + goto free_link;
/* hashmap1 should be good, update map values here */ map_fd = bpf_map__fd(skel->maps.hashmap1); @@ -683,7 +711,7 @@ static void test_bpf_hash_map(void) linfo.map.map_fd = map_fd; link = bpf_program__attach_iter(skel->progs.sleepable_dummy_dump, &opts); if (!ASSERT_ERR_PTR(link, "attach_sleepable_prog_to_iter")) - goto out; + goto free_link;
linfo.map.map_fd = map_fd; link = bpf_program__attach_iter(skel->progs.dump_bpf_hash_map, &opts);
From: Roberto Sassu roberto.sassu@huawei.com
Introduce the data_input map, write-protected with a small eBPF program implementing the lsm/bpf_map hook.
Then, ensure that bpf_map_get_fd_by_id() and bpf_map_get_fd_by_id_opts() with NULL opts don't succeed due to requesting read-write access to the write-protected map. Also, ensure that bpf_map_get_fd_by_id_opts() with flags in opts set to BPF_F_RDONLY instead succeeds.
After obtaining a read-only fd, ensure that only map lookup succeeds and not update. Ensure that update works only with the read-write fd obtained at program loading time, when the write protection was not yet enabled.
Finally, ensure that other _opts variants of libbpf don't work if the BPF_F_RDONLY flag is set in opts (due to the kernel not handling the open_flags member of bpf_attr).
Signed-off-by: Roberto Sassu roberto.sassu@huawei.com --- .../bpf/prog_tests/libbpf_get_fd_opts.c | 145 ++++++++++++++++++ .../bpf/progs/test_libbpf_get_fd_opts.c | 49 ++++++ 2 files changed, 194 insertions(+) create mode 100644 tools/testing/selftests/bpf/prog_tests/libbpf_get_fd_opts.c create mode 100644 tools/testing/selftests/bpf/progs/test_libbpf_get_fd_opts.c
diff --git a/tools/testing/selftests/bpf/prog_tests/libbpf_get_fd_opts.c b/tools/testing/selftests/bpf/prog_tests/libbpf_get_fd_opts.c new file mode 100644 index 000000000000..8ea1c44f979e --- /dev/null +++ b/tools/testing/selftests/bpf/prog_tests/libbpf_get_fd_opts.c @@ -0,0 +1,145 @@ +// SPDX-License-Identifier: GPL-2.0 + +/* + * Copyright (C) 2022 Huawei Technologies Duesseldorf GmbH + * + * Author: Roberto Sassu roberto.sassu@huawei.com + */ + +#include <test_progs.h> + +#include "test_libbpf_get_fd_opts.skel.h" + +void test_libbpf_get_fd_opts(void) +{ + DECLARE_LIBBPF_OPTS(bpf_iter_attach_opts, opts); + struct test_libbpf_get_fd_opts *skel; + struct bpf_map_info info_m = { 0 }; + __u32 len = sizeof(info_m), value; + union bpf_iter_link_info linfo; + struct bpf_link *link; + struct bpf_map *map; + char buf[16]; + int ret, zero = 0, fd = -1, iter_fd; + + DECLARE_LIBBPF_OPTS(bpf_get_fd_opts, fd_opts_rdonly, + .open_flags = BPF_F_RDONLY, + ); + + skel = test_libbpf_get_fd_opts__open_and_load(); + if (!ASSERT_OK_PTR(skel, "test_libbpf_get_fd_opts__open_and_load")) + return; + + bpf_program__set_autoattach(skel->progs.write_bpf_array_map, false); + + ret = test_libbpf_get_fd_opts__attach(skel); + if (!ASSERT_OK(ret, "test_libbpf_get_fd_opts__attach")) + goto close_prog; + + map = bpf_object__find_map_by_name(skel->obj, "data_input"); + if (!ASSERT_OK_PTR(map, "bpf_object__find_map_by_name")) + goto close_prog; + + ret = bpf_obj_get_info_by_fd(bpf_map__fd(map), &info_m, &len); + if (!ASSERT_OK(ret, "bpf_obj_get_info_by_fd")) + goto close_prog; + + fd = bpf_map_get_fd_by_id(info_m.id); + if (!ASSERT_LT(fd, 0, "bpf_map_get_fd_by_id")) + goto close_prog; + + fd = bpf_map_get_fd_by_id_opts(info_m.id, NULL); + if (!ASSERT_LT(fd, 0, "bpf_map_get_fd_by_id_opts")) + goto close_prog; + + fd = bpf_map_get_fd_by_id_opts(info_m.id, &fd_opts_rdonly); + if (!ASSERT_GE(fd, 0, "bpf_map_get_fd_by_id_opts")) + goto close_prog; + + /* Map lookup should work with read-only fd. */ + ret = bpf_map_lookup_elem(fd, &zero, &value); + if (!ASSERT_OK(ret, "bpf_map_lookup_elem")) + goto close_prog; + + if (!ASSERT_EQ(value, 0, "map value mismatch")) + goto close_prog; + + /* Map update should not work with read-only fd. */ + ret = bpf_map_update_elem(fd, &zero, &len, BPF_ANY); + if (!ASSERT_LT(ret, 0, "bpf_map_update_elem")) + goto close_prog; + + /* Map update through map iterator should not work with read-only fd. */ + memset(&linfo, 0, sizeof(linfo)); + linfo.map.map_fd = fd; + opts.link_info = &linfo; + opts.link_info_len = sizeof(linfo); + link = bpf_program__attach_iter(skel->progs.write_bpf_array_map, &opts); + if (!ASSERT_ERR_PTR(link, "bpf_program__attach_iter")) { + /* + * Faulty path, this should never happen if fd modes check is + * added for map iterators. + */ + iter_fd = bpf_iter_create(bpf_link__fd(link)); + bpf_link__destroy(link); + + if (!ASSERT_GE(iter_fd, 0, "bpf_iter_create (faulty path)")) + goto close_prog; + + read(iter_fd, buf, sizeof(buf)); + close(iter_fd); + + ret = bpf_map_lookup_elem(fd, &zero, &value); + if (!ASSERT_OK(ret, "bpf_map_lookup_elem (faulty path)")) + goto close_prog; + + if (!ASSERT_EQ(value, 5, + "unauthorized map update (faulty path)")) + goto close_prog; + } + + /* Map update should work with read-write fd. */ + ret = bpf_map_update_elem(bpf_map__fd(map), &zero, &len, BPF_ANY); + if (!ASSERT_OK(ret, "bpf_map_update_elem")) + goto close_prog; + + /* Map update through map iterator should work with read-write fd. */ + linfo.map.map_fd = bpf_map__fd(map); + link = bpf_program__attach_iter(skel->progs.write_bpf_array_map, &opts); + if (!ASSERT_OK_PTR(link, "bpf_program__attach_iter")) + goto close_prog; + + iter_fd = bpf_iter_create(bpf_link__fd(link)); + bpf_link__destroy(link); + + if (!ASSERT_GE(iter_fd, 0, "bpf_iter_create")) + goto close_prog; + + read(iter_fd, buf, sizeof(buf)); + close(iter_fd); + + ret = bpf_map_lookup_elem(fd, &zero, &value); + if (!ASSERT_OK(ret, "bpf_map_lookup_elem")) + goto close_prog; + + if (!ASSERT_EQ(value, 5, "map value mismatch")) + goto close_prog; + + /* Prog get fd with opts set should not work (no kernel support). */ + ret = bpf_prog_get_fd_by_id_opts(0, &fd_opts_rdonly); + if (!ASSERT_EQ(ret, -EINVAL, "bpf_prog_get_fd_by_id_opts")) + goto close_prog; + + /* Link get fd with opts set should not work (no kernel support). */ + ret = bpf_link_get_fd_by_id_opts(0, &fd_opts_rdonly); + if (!ASSERT_EQ(ret, -EINVAL, "bpf_link_get_fd_by_id_opts")) + goto close_prog; + + /* BTF get fd with opts set should not work (no kernel support). */ + ret = bpf_btf_get_fd_by_id_opts(0, &fd_opts_rdonly); + ASSERT_EQ(ret, -EINVAL, "bpf_btf_get_fd_by_id_opts"); + +close_prog: + close(fd); + test_libbpf_get_fd_opts__destroy(skel); +} diff --git a/tools/testing/selftests/bpf/progs/test_libbpf_get_fd_opts.c b/tools/testing/selftests/bpf/progs/test_libbpf_get_fd_opts.c new file mode 100644 index 000000000000..83366024023f --- /dev/null +++ b/tools/testing/selftests/bpf/progs/test_libbpf_get_fd_opts.c @@ -0,0 +1,49 @@ +// SPDX-License-Identifier: GPL-2.0 + +/* + * Copyright (C) 2022 Huawei Technologies Duesseldorf GmbH + * + * Author: Roberto Sassu roberto.sassu@huawei.com + */ + +#include "vmlinux.h" +#include <errno.h> +#include <bpf/bpf_helpers.h> +#include <bpf/bpf_tracing.h> + +/* From include/linux/mm.h. */ +#define FMODE_WRITE 0x2 + +struct { + __uint(type, BPF_MAP_TYPE_ARRAY); + __uint(max_entries, 1); + __type(key, __u32); + __type(value, __u32); +} data_input SEC(".maps"); + +char _license[] SEC("license") = "GPL"; + +SEC("lsm/bpf_map") +int BPF_PROG(check_access, struct bpf_map *map, fmode_t fmode) +{ + if (map != (struct bpf_map *)&data_input) + return 0; + + if (fmode & FMODE_WRITE) + return -EACCES; + + return 0; +} + +SEC("iter/bpf_map_elem") +int write_bpf_array_map(struct bpf_iter__bpf_map_elem *ctx) +{ + u32 *key = ctx->key; + u32 *val = ctx->value; + + if (key == NULL || val == NULL) + return 0; + + *val = 5; + return 0; +}
linux-kselftest-mirror@lists.linaro.org
-
Alexei Starovoitov -
Roberto Sassu