From: Roberto Sassu <roberto.sassu@huawei.com>
=== All credit for this patch set goes to Lorenz Bauer <oss@lmb.io>, who identified this issue and proposed a number of solutions. ===
At Linux Plumbers EU 2022, Lorenz gave a talk titled 'Closing the BPF map permission loophole', where he reported that read-only fds can be used for map update operations if they are provided to eBPF programs.
This work initially started as a PoC to reproduce the reported bug, and then became the test for validating an idea on how to fix it.
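For illustration, user space can obtain such a read-only fd to an existing map roughly as follows (sketch; map_id is assumed to be the id of an already created map, and error handling is omitted):

#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/bpf.h>

int get_rdonly_map_fd(__u32 map_id)
{
	union bpf_attr attr;

	memset(&attr, 0, sizeof(attr));
	attr.map_id = map_id;			/* id of an existing map */
	attr.open_flags = BPF_F_RDONLY;		/* request a read-only fd */

	return syscall(__NR_bpf, BPF_MAP_GET_FD_BY_ID, &attr, sizeof(attr));
}

A direct bpf(BPF_MAP_UPDATE_ELEM) call on such an fd is rejected for lack of write permission, but, before the fix in patch 2, an eBPF program referencing the same fd via BPF_LD_MAP_FD could still update the map.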
Patch 1 adds a dependency necessary for the tests.
The actual fix, in patch 2, is relatively simple: it builds on an enforcement mechanism for map flags that already exists in the eBPF verifier. As Lorenz mentioned, one problem is backporting this fix to stable kernels that don't have that enforcement mechanism. However, backporting just the enforcement mechanism itself (without introducing the new map flags and allowing user space to use them) could meet the stable kernel criteria.
Alternatively, a completely different fix could be developed for older stable kernels, along the lines of what Lorenz suggested: refuse fds that are not read/write.
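For illustration only (not part of this series), such a stable-only check in the verifier's resolve_pseudo_ldimm64() might look roughly like this:

/* Hypothetical stable-only variant: refuse any map fd that was not
 * opened with both read and write permissions.
 */
if (!(f.file->f_mode & FMODE_CAN_READ) ||
    !(f.file->f_mode & FMODE_CAN_WRITE)) {
	verbose(env, "map fd must be opened read/write\n");
	fdput(f);
	return -EACCES;
}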
Finally, patch 3 introduces the tests.
Roberto Sassu (3):
  libbpf: Define bpf_get_fd_opts and introduce bpf_map_get_fd_by_id_opts()
  bpf: Enforce granted permissions in a map fd at verifier level
  selftests/bpf: Test enforcement of map fd permissions at verifier level
 include/linux/bpf.h                                |  13 +
 include/linux/bpf_verifier.h                       |   1 +
 kernel/bpf/verifier.c                              |  26 +-
 tools/lib/bpf/bpf.c                                |  12 +-
 tools/lib/bpf/bpf.h                                |  10 +
 tools/lib/bpf/libbpf.map                           |   3 +-
 .../selftests/bpf/prog_tests/map_fd_perm.c         | 227 ++++++++++++++++++
 7 files changed, 288 insertions(+), 4 deletions(-)
 create mode 100644 tools/testing/selftests/bpf/prog_tests/map_fd_perm.c
From: Roberto Sassu <roberto.sassu@huawei.com>
Define a new data structure called bpf_get_fd_opts, with the member open_flags, to be used by callers of the _opts variants of bpf_*_get_fd_by_id() to specify the permissions needed for the file descriptor to be obtained.
Also, introduce bpf_map_get_fd_by_id_opts(), to let the caller pass a bpf_get_fd_opts structure.
Finally, keep the existing bpf_map_get_fd_by_id() and make it call bpf_map_get_fd_by_id_opts() with NULL as the opts argument, to request read-write permissions (current behavior).
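For example, a caller that only needs a read-only fd could do (sketch; map_id stands for the id of an existing map):

LIBBPF_OPTS(bpf_get_fd_opts, fd_opts,
	.open_flags = BPF_F_RDONLY,	/* request a read-only fd */
);
int fd;

/* new: fd restricted to the requested permissions */
fd = bpf_map_get_fd_by_id_opts(map_id, &fd_opts);

/* unchanged: read-write fd, as before */
fd = bpf_map_get_fd_by_id(map_id);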
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
---
 tools/lib/bpf/bpf.c      | 12 +++++++++++-
 tools/lib/bpf/bpf.h      | 10 ++++++++++
 tools/lib/bpf/libbpf.map |  3 ++-
 3 files changed, 23 insertions(+), 2 deletions(-)
diff --git a/tools/lib/bpf/bpf.c b/tools/lib/bpf/bpf.c
index 1d49a0352836..4b03063edf1d 100644
--- a/tools/lib/bpf/bpf.c
+++ b/tools/lib/bpf/bpf.c
@@ -948,19 +948,29 @@ int bpf_prog_get_fd_by_id(__u32 id)
 	return libbpf_err_errno(fd);
 }
 
-int bpf_map_get_fd_by_id(__u32 id)
+int bpf_map_get_fd_by_id_opts(__u32 id,
+			      const struct bpf_get_fd_opts *opts)
 {
 	const size_t attr_sz = offsetofend(union bpf_attr, open_flags);
 	union bpf_attr attr;
 	int fd;
 
+	if (!OPTS_VALID(opts, bpf_get_fd_opts))
+		return libbpf_err(-EINVAL);
+
 	memset(&attr, 0, attr_sz);
 	attr.map_id = id;
+	attr.open_flags = OPTS_GET(opts, open_flags, 0);
 
 	fd = sys_bpf_fd(BPF_MAP_GET_FD_BY_ID, &attr, attr_sz);
 	return libbpf_err_errno(fd);
 }
 
+int bpf_map_get_fd_by_id(__u32 id)
+{
+	return bpf_map_get_fd_by_id_opts(id, NULL);
+}
+
 int bpf_btf_get_fd_by_id(__u32 id)
 {
 	const size_t attr_sz = offsetofend(union bpf_attr, open_flags);
diff --git a/tools/lib/bpf/bpf.h b/tools/lib/bpf/bpf.h
index 9c50beabdd14..38a1b7eccfc8 100644
--- a/tools/lib/bpf/bpf.h
+++ b/tools/lib/bpf/bpf.h
@@ -365,7 +365,17 @@ LIBBPF_API int bpf_prog_get_next_id(__u32 start_id, __u32 *next_id);
 LIBBPF_API int bpf_map_get_next_id(__u32 start_id, __u32 *next_id);
 LIBBPF_API int bpf_btf_get_next_id(__u32 start_id, __u32 *next_id);
 LIBBPF_API int bpf_link_get_next_id(__u32 start_id, __u32 *next_id);
+
+struct bpf_get_fd_opts {
+	size_t sz; /* size of this struct for forward/backward compatibility */
+	__u32 open_flags; /* permissions requested for the operation on fd */
+	__u32 :0;
+};
+#define bpf_get_fd_opts__last_field open_flags
+
 LIBBPF_API int bpf_prog_get_fd_by_id(__u32 id);
+LIBBPF_API int bpf_map_get_fd_by_id_opts(__u32 id,
+					 const struct bpf_get_fd_opts *opts);
 LIBBPF_API int bpf_map_get_fd_by_id(__u32 id);
 LIBBPF_API int bpf_btf_get_fd_by_id(__u32 id);
 LIBBPF_API int bpf_link_get_fd_by_id(__u32 id);
diff --git a/tools/lib/bpf/libbpf.map b/tools/lib/bpf/libbpf.map
index c1d6aa7c82b6..2e665b21d84f 100644
--- a/tools/lib/bpf/libbpf.map
+++ b/tools/lib/bpf/libbpf.map
@@ -367,10 +367,11 @@ LIBBPF_1.0.0 {
 		libbpf_bpf_map_type_str;
 		libbpf_bpf_prog_type_str;
 		perf_buffer__buffer;
-};
+} LIBBPF_0.8.0;
 
 LIBBPF_1.1.0 {
 	global:
+		bpf_map_get_fd_by_id_opts;
 		user_ring_buffer__discard;
 		user_ring_buffer__free;
 		user_ring_buffer__new;
On Mon, Sep 26, 2022 at 8:45 AM Roberto Sassu <roberto.sassu@huaweicloud.com> wrote:
> From: Roberto Sassu <roberto.sassu@huawei.com>
>
> Define a new data structure called bpf_get_fd_opts, with the member open_flags, to be used by callers of the _opts variants of bpf_*_get_fd_by_id() to specify the permissions needed for the file descriptor to be obtained.
>
> Also, introduce bpf_map_get_fd_by_id_opts(), to let the caller pass a bpf_get_fd_opts structure.
>
> Finally, keep the existing bpf_map_get_fd_by_id(), and call bpf_map_get_fd_by_id_opts() with NULL as opts argument, to request read-write permissions (current behavior).
>
> Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
looks good overall, but please see two nits below
[...]
> +struct bpf_get_fd_opts {
> +	size_t sz; /* size of this struct for forward/backward compatibility */
> +	__u32 open_flags; /* permissions requested for the operation on fd */
> +	__u32 :0;
this should be size_t: 0
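For reference, with the suggested change the struct would read (sketch; other *_opts structs in libbpf use a size_t :0 bitfield for the trailing padding):

struct bpf_get_fd_opts {
	size_t sz; /* size of this struct for forward/backward compatibility */
	__u32 open_flags; /* permissions requested for the operation on fd */
	size_t :0;
};
#define bpf_get_fd_opts__last_field open_flags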
[...]

> @@ -367,10 +367,11 @@ LIBBPF_1.0.0 {
>  		libbpf_bpf_map_type_str;
>  		libbpf_bpf_prog_type_str;
>  		perf_buffer__buffer;
> -};
> +} LIBBPF_0.8.0;
good catch, please send this as a separate fix, thanks!
From: Roberto Sassu <roberto.sassu@huawei.com>
Commit afdb09c720b62 ("security: bpf: Add LSM hooks for bpf object related syscall") introduced new eBPF-related hooks in the LSM framework, for programs and maps, with the aim of enforcing permissions per eBPF object.
Commit 6e71b04a82248 ("bpf: Add file mode configuration into bpf maps") further introduced the BPF_F_RDONLY and BPF_F_WRONLY flags, for user space to request specific permissions when using a given eBPF object.
The two commits are related: the first ensures that LSMs can grant or deny user space the requested permissions (read and/or write) for performing operations on an eBPF object; the second ensures that the granted permissions are sufficient to perform a requested operation.
While the second check has been added for operations of the bpf() system call that directly deal with a map, such as BPF_MAP_*_ELEM, it is missing for bpf() system call operations that still receive a map fd, but modify a map indirectly: map iterators (addressed separately) and the eBPF verifier.
An eBPF program might contain a map fd as the argument of the BPF_PSEUDO_MAP_FD and BPF_PSEUDO_MAP_IDX instructions. The eBPF verifier processes those instructions and replaces the map fd with the corresponding map address, which can then be passed to eBPF helpers such as bpf_map_lookup_elem() and bpf_map_update_elem(). This has the same effect as invoking the bpf() system call and executing the BPF_MAP_*_ELEM operations.
The problem is that, unlike BPF_MAP_*_ELEM operations of the bpf() system call, the eBPF verifier does not check the fd modes before letting the eBPF program do map operations. As a consequence, for example, a read-only fd can be provided to the eBPF program, allowing it to do a map update.
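For illustration, the kind of instruction sequence involved looks like this (sketch built with the same macros used by the selftest in patch 3; ro_map_fd is a placeholder for a map fd that user space opened read-only):

struct bpf_insn insns[] = {
	BPF_MOV64_IMM(BPF_REG_0, 0),
	BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -4),	/* key = 0 at fp - 4 */
	BPF_MOV64_IMM(BPF_REG_0, 1),
	BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -8),	/* value = 1 at fp - 8 */
	BPF_LD_MAP_FD(BPF_REG_1, ro_map_fd),		/* read-only fd accepted here */
	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),		/* r2 = &key */
	BPF_MOV64_REG(BPF_REG_3, BPF_REG_10),
	BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, -8),		/* r3 = &value */
	BPF_MOV64_IMM(BPF_REG_4, 0),			/* flags = BPF_ANY */
	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_update_elem),
	BPF_MOV64_IMM(BPF_REG_0, 0),
	BPF_EXIT_INSN(),
};

Without the fd-mode check, the verifier resolves ro_map_fd to the map address and accepts the bpf_map_update_elem() call.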
A different behavior occurs when the map flags BPF_F_RDONLY_PROG and BPF_F_WRONLY_PROG are set at map creation time. Commit 591fe9888d78 ("bpf: add program side {rd, wr}only support for maps") ensures that only map operations compatible with those flags can be executed by the eBPF program; otherwise, the verifier refuses to load the program.
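For context, a map that eBPF programs may only read is created by user space like this (sketch using libbpf, mirroring what the selftest in patch 3 does):

LIBBPF_OPTS(bpf_map_create_opts, create_opts,
	.map_flags = BPF_F_RDONLY_PROG,	/* program-side read-only */
);
int map_fd;

map_fd = bpf_map_create(BPF_MAP_TYPE_ARRAY, NULL, sizeof(__u32),
			sizeof(__u32), 1, &create_opts);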
As the verifier can already restrict map operations, rely on the same mechanism to enforce the permissions given with the fd. Providing a read-only fd has the same effect as setting the BPF_F_RDONLY_PROG map flag, except that the effect is limited to that program's execution and does not last for the map's lifetime.
If multiple map fds are provided to the eBPF program, combine the fd modes, as the verifier is not able to track the exact fd a map address has been obtained from.
Finally, make sure that the resulting fd modes don't give the eBPF program more permissions than the ones granted by the map flags: start from the permissions granted by the map flags, and clear the ones that are not granted by the fd.
Although map fd-based operations are normally not affected by BPF_F_*_PROG, in this case they cannot be exempt, as it is the eBPF program itself doing the map operations, which is precisely what BPF_F_*_PROG is designed to restrict.
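Condensed to its essence, the logic introduced by the diff below is (illustrative fragment, not a literal copy of the hunks):

/* While resolving BPF_PSEUDO_MAP_FD/BPF_PSEUDO_MAP_IDX instructions:
 * OR together the modes of every fd the program uses for this map.
 */
env->used_maps_caps[i] |= bpf_fd_modes_to_cap(f.file->f_mode);

/* When checking a map access or a map helper call: start from the
 * capabilities granted by the map flags and clear those that no fd
 * granted.
 */
cap = bpf_map_flags_to_cap(map) & env->used_maps_caps[i];

if (type == BPF_WRITE && !(cap & BPF_MAP_CAN_WRITE))
	return -EACCES;	/* "write into map forbidden" */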
Cc: stable@vger.kernel.org
Fixes: 6e71b04a82248 ("bpf: Add file mode configuration into bpf maps")
Reported-by: Lorenz Bauer <oss@lmb.io>
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
---
 include/linux/bpf.h          | 13 +++++++++++++
 include/linux/bpf_verifier.h |  1 +
 kernel/bpf/verifier.c        | 26 ++++++++++++++++++++++++--
 3 files changed, 38 insertions(+), 2 deletions(-)
diff --git a/include/linux/bpf.h b/include/linux/bpf.h
index edd43edb27d6..1e18f11df7ca 100644
--- a/include/linux/bpf.h
+++ b/include/linux/bpf.h
@@ -1415,6 +1415,19 @@ static inline u32 bpf_map_flags_to_cap(struct bpf_map *map)
 		return BPF_MAP_CAN_READ | BPF_MAP_CAN_WRITE;
 }
 
+static inline u32 bpf_fd_modes_to_cap(fmode_t mode)
+{
+	u32 cap = 0;
+
+	if (mode & FMODE_CAN_READ)
+		cap |= BPF_MAP_CAN_READ;
+
+	if (mode & FMODE_CAN_WRITE)
+		cap |= BPF_MAP_CAN_WRITE;
+
+	return cap;
+}
+
 static inline bool bpf_map_flags_access_ok(u32 access_flags)
 {
 	return (access_flags & (BPF_F_RDONLY_PROG | BPF_F_WRONLY_PROG)) !=
diff --git a/include/linux/bpf_verifier.h b/include/linux/bpf_verifier.h
index 9e1e6965f407..3f490bae0bcd 100644
--- a/include/linux/bpf_verifier.h
+++ b/include/linux/bpf_verifier.h
@@ -501,6 +501,7 @@ struct bpf_verifier_env {
 	struct bpf_verifier_state_list **explored_states; /* search pruning optimization */
 	struct bpf_verifier_state_list *free_list;
 	struct bpf_map *used_maps[MAX_USED_MAPS]; /* array of map's used by eBPF program */
+	u32 used_maps_caps[MAX_USED_MAPS]; /* array of map capabilities possessed by eBPF program */
 	struct btf_mod_pair used_btfs[MAX_USED_BTFS]; /* array of BTF's used by BPF program */
 	u32 used_map_cnt;		/* number of used maps */
 	u32 used_btf_cnt;		/* number of used BTF objects */
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 6f6d2d511c06..ac9bd4402169 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -3531,6 +3531,14 @@ static int check_map_access_type(struct bpf_verifier_env *env, u32 regno,
 	struct bpf_reg_state *regs = cur_regs(env);
 	struct bpf_map *map = regs[regno].map_ptr;
 	u32 cap = bpf_map_flags_to_cap(map);
+	int i;
+
+	for (i = 0; i < env->used_map_cnt; i++) {
+		if (env->used_maps[i] == map) {
+			cap &= env->used_maps_caps[i];
+			break;
+		}
+	}
 
 	if (type == BPF_WRITE && !(cap & BPF_MAP_CAN_WRITE)) {
 		verbose(env, "write into map forbidden, value_size=%d off=%d size=%d\n",
@@ -7040,6 +7048,8 @@ record_func_map(struct bpf_verifier_env *env, struct bpf_call_arg_meta *meta,
 {
 	struct bpf_insn_aux_data *aux = &env->insn_aux_data[insn_idx];
 	struct bpf_map *map = meta->map_ptr;
+	u32 cap;
+	int i;
 
 	if (func_id != BPF_FUNC_tail_call &&
 	    func_id != BPF_FUNC_map_lookup_elem &&
@@ -7058,11 +7068,20 @@ record_func_map(struct bpf_verifier_env *env, struct bpf_call_arg_meta *meta,
 		return -EINVAL;
 	}
 
+	cap = bpf_map_flags_to_cap(map);
+
+	for (i = 0; i < env->used_map_cnt; i++) {
+		if (env->used_maps[i] == map) {
+			cap &= env->used_maps_caps[i];
+			break;
+		}
+	}
+
 	/* In case of read-only, some additional restrictions
 	 * need to be applied in order to prevent altering the
 	 * state of the map from program side.
 	 */
-	if ((map->map_flags & BPF_F_RDONLY_PROG) &&
+	if (!(cap & BPF_MAP_CAN_WRITE) &&
 	    (func_id == BPF_FUNC_map_delete_elem ||
 	     func_id == BPF_FUNC_map_update_elem ||
 	     func_id == BPF_FUNC_map_push_elem ||
@@ -12870,6 +12889,7 @@ static int resolve_pseudo_ldimm64(struct bpf_verifier_env *env)
 			/* check whether we recorded this map already */
 			for (j = 0; j < env->used_map_cnt; j++) {
 				if (env->used_maps[j] == map) {
+					env->used_maps_caps[j] |= bpf_fd_modes_to_cap(f.file->f_mode);
 					aux->map_index = j;
 					fdput(f);
 					goto next_insn;
@@ -12889,7 +12909,9 @@ static int resolve_pseudo_ldimm64(struct bpf_verifier_env *env)
 			bpf_map_inc(map);
 
 			aux->map_index = env->used_map_cnt;
-			env->used_maps[env->used_map_cnt++] = map;
+			env->used_maps[env->used_map_cnt] = map;
+			env->used_maps_caps[env->used_map_cnt] = bpf_fd_modes_to_cap(f.file->f_mode);
+			env->used_map_cnt++;
 
 			if (bpf_map_is_cgroup_storage(map) &&
 			    bpf_cgroup_storage_assign(env->prog->aux, map)) {
From: Roberto Sassu <roberto.sassu@huawei.com>
Create two maps, one read/writable and one readable only. Also, define four programs that respectively read, read/write, read/write (with two map fds) and write to a given map.
For the read/writable map, two additional fds are obtained to test the ability of the verifier to restrict operations by a program depending on the map permissions granted.
To make testing easier, the map fd in the BPF_LD_MAP_FD instruction is always the same (20), and dup2() is used to make sure that the program refers to the correct map at the time it is loaded.
In addition, a second fd (21) set with dup2() is passed to one eBPF program to check the merging of fd modes (read-only and write-only).
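In practice, each test case boils down to the following sequence (sketch; map_fd is whichever fd is under test, and prog, num_insn and trace_opts come from the test code below):

ret = dup2(map_fd, TARGET_MAP_FD);	/* make fd 20 point at the map under test */
if (ret < 0)
	return ret;

prog_fd = bpf_prog_load(BPF_PROG_TYPE_TRACING, NULL, "GPL",
			prog, num_insn, &trace_opts);	/* the verifier sees fd 20 */
close(TARGET_MAP_FD);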
The tests first verify the correct behavior, i.e. that a program is successfully loaded and executed if it has sufficient permissions on the map. Then, they verify the incorrect combinations (e.g. a program attempting read/write operations on a map referenced through a write-only fd), and ensure that the verifier emits the expected error message.
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
---
 .../selftests/bpf/prog_tests/map_fd_perm.c | 227 ++++++++++++++++++
 1 file changed, 227 insertions(+)
 create mode 100644 tools/testing/selftests/bpf/prog_tests/map_fd_perm.c
diff --git a/tools/testing/selftests/bpf/prog_tests/map_fd_perm.c b/tools/testing/selftests/bpf/prog_tests/map_fd_perm.c
new file mode 100644
index 000000000000..eaabf6f5bb9b
--- /dev/null
+++ b/tools/testing/selftests/bpf/prog_tests/map_fd_perm.c
@@ -0,0 +1,227 @@
+// SPDX-License-Identifier: GPL-2.0
+
+/*
+ * Copyright (C) 2022 Huawei Technologies Duesseldorf GmbH
+ *
+ * Author: Roberto Sassu <roberto.sassu@huawei.com>
+ */
+
+#include <test_progs.h>
+
+#define TARGET_MAP_FD 20
+#define TARGET_MAP_FD2 21
+#define EXPECTED_MAP_VALUE 2
+
+char bpf_log_buf[BPF_LOG_BUF_SIZE];
+
+struct bpf_insn prog_r[] = {
+	BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
+	BPF_MOV64_IMM(BPF_REG_0, 0),
+	BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -4), /* *(u32 *)(fp - 4) = r0 */
+	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
+	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), /* r2 = fp - 4 */
+	BPF_LD_MAP_FD(BPF_REG_1, TARGET_MAP_FD),
+	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
+	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
+	BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
+	BPF_MOV64_IMM(BPF_REG_0, 0), /* r0 = 0 */
+	BPF_EXIT_INSN(),
+};
+
+struct bpf_insn prog_rw[] = {
+	BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
+	BPF_MOV64_IMM(BPF_REG_0, 0),
+	BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -4), /* *(u32 *)(fp - 4) = r0 */
+	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
+	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), /* r2 = fp - 4 */
+	BPF_LD_MAP_FD(BPF_REG_1, TARGET_MAP_FD),
+	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
+	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
+	BPF_MOV64_IMM(BPF_REG_1, EXPECTED_MAP_VALUE),
+	BPF_ATOMIC_OP(BPF_W, BPF_ADD, BPF_REG_0, BPF_REG_1, 0),
+	BPF_MOV64_IMM(BPF_REG_0, 0), /* r0 = 0 */
+	BPF_EXIT_INSN(),
+};
+
+struct bpf_insn prog_rw_merge[] = {
+	BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
+	BPF_MOV64_IMM(BPF_REG_0, 0),
+	BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -4), /* *(u32 *)(fp - 4) = r0 */
+	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
+	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), /* r2 = fp - 4 */
+	BPF_LD_MAP_FD(BPF_REG_1, TARGET_MAP_FD),
+	BPF_LD_MAP_FD(BPF_REG_1, TARGET_MAP_FD2),
+	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
+	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
+	BPF_MOV64_IMM(BPF_REG_1, EXPECTED_MAP_VALUE),
+	BPF_ATOMIC_OP(BPF_W, BPF_ADD, BPF_REG_0, BPF_REG_1, 0),
+	BPF_MOV64_IMM(BPF_REG_0, 0), /* r0 = 0 */
+	BPF_EXIT_INSN(),
+};
+
+struct bpf_insn prog_w[] = {
+	BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
+	BPF_MOV64_IMM(BPF_REG_0, 0),
+	BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -4), /* *(u32 *)(fp - 4) = r0 */
+	BPF_MOV64_IMM(BPF_REG_0, EXPECTED_MAP_VALUE),
+	BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -8), /* *(u32 *)(fp - 8) = r0 */
+	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
+	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), /* r2 = fp - 4 */
+	BPF_MOV64_REG(BPF_REG_3, BPF_REG_10),
+	BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, -8), /* r3 = fp - 8 */
+	BPF_LD_MAP_FD(BPF_REG_1, TARGET_MAP_FD),
+	BPF_MOV64_IMM(BPF_REG_4, 0),
+	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_update_elem),
+	BPF_MOV64_IMM(BPF_REG_0, 0), /* r0 = 0 */
+	BPF_EXIT_INSN(),
+};
+
+static int load_prog(struct bpf_insn *prog, int num_insn, int map_fd,
+		     int map_fd2, int map_check_fd, int expected_map_value,
+		     const char *expected_err_msg)
+{
+	u32 key = 0, value;
+	int ret, prog_fd, link_fd;
+
+	LIBBPF_OPTS(bpf_prog_load_opts, trace_opts,
+		.expected_attach_type = BPF_TRACE_FENTRY,
+		.log_buf = bpf_log_buf,
+		.log_size = BPF_LOG_BUF_SIZE,
+	);
+
+	memset(bpf_log_buf, 0, sizeof(bpf_log_buf));
+
+	trace_opts.attach_btf_id =
+		libbpf_find_vmlinux_btf_id("array_map_lookup_elem",
+					   trace_opts.expected_attach_type);
+
+	ret = dup2(map_fd, TARGET_MAP_FD);
+	if (ret < 0)
+		return ret;
+
+	if (map_fd2 != -1) {
+		ret = dup2(map_fd2, TARGET_MAP_FD2);
+		if (ret < 0) {
+			close(TARGET_MAP_FD);
+			return ret;
+		}
+	}
+
+	prog_fd = bpf_prog_load(BPF_PROG_TYPE_TRACING, NULL, "GPL",
+				prog, num_insn, &trace_opts);
+
+	close(TARGET_MAP_FD);
+	if (map_fd2 != -1)
+		close(TARGET_MAP_FD2);
+
+	if (prog_fd < 0) {
+		if (expected_err_msg && strstr(bpf_log_buf, expected_err_msg))
+			return 0;
+
+		printf("%s\n", bpf_log_buf);
+		return -EINVAL;
+	}
+
+	if (map_check_fd >= 0) {
+		link_fd = bpf_link_create(prog_fd, 0, BPF_TRACE_FENTRY, NULL);
+		if (link_fd < 0) {
+			ret = -errno;
+			close(prog_fd);
+			return ret;
+		}
+
+		ret = bpf_map_lookup_elem(map_check_fd, &key, &value);
+
+		close(prog_fd);
+		close(link_fd);
+
+		if (ret < 0)
+			return ret;
+
+		if (value != expected_map_value)
+			return -EINVAL;
+	} else {
+		close(prog_fd);
+	}
+
+	return 0;
+}
+
+void test_map_fd_perm(void)
+{
+	int map_fd, map_fd_rdonly, map_fd_wronly;
+	int map_rdonly_fd;
+	struct bpf_map_info info_m = { 0 };
+	__u32 len = sizeof(info_m);
+	int ret;
+
+	DECLARE_LIBBPF_OPTS(bpf_get_fd_opts, fd_opts_rdonly,
+		.open_flags = BPF_F_RDONLY,
+	);
+
+	DECLARE_LIBBPF_OPTS(bpf_get_fd_opts, fd_opts_wronly,
+		.open_flags = BPF_F_WRONLY,
+	);
+
+	DECLARE_LIBBPF_OPTS(bpf_map_create_opts, create_opts,
+		.map_flags = BPF_F_RDONLY_PROG,
+	);
+
+	map_fd = bpf_map_create(BPF_MAP_TYPE_ARRAY, NULL, sizeof(u32),
+				sizeof(u32), 1, NULL);
+	ASSERT_GE(map_fd, 0, "failed to create rw map");
+
+	map_rdonly_fd = bpf_map_create(BPF_MAP_TYPE_ARRAY, NULL, sizeof(u32),
+				       sizeof(u32), 1, &create_opts);
+	ASSERT_GE(map_rdonly_fd, 0, "failed to create ro map");
+
+	ret = bpf_obj_get_info_by_fd(map_fd, &info_m, &len);
+	ASSERT_OK(ret, "bpf_obj_get_info_by_fd");
+
+	map_fd_rdonly = bpf_map_get_fd_by_id_opts(info_m.id, &fd_opts_rdonly);
+	ASSERT_GE(map_fd_rdonly, 0, "bpf_map_get_fd_by_id_opts rw map ro fd");
+
+	map_fd_wronly = bpf_map_get_fd_by_id_opts(info_m.id, &fd_opts_wronly);
+	ASSERT_GE(map_fd_wronly, 0, "bpf_map_get_fd_by_id_opts rw map wo fd");
+
+	ret = load_prog(prog_r, ARRAY_SIZE(prog_r), map_fd_rdonly, -1, -1, -1,
+			NULL);
+	ASSERT_OK(ret, "load ro prog, rw map, ro fd");
+
+	ret = load_prog(prog_rw, ARRAY_SIZE(prog_rw), map_fd, -1, map_fd,
+			EXPECTED_MAP_VALUE, NULL);
+	ASSERT_OK(ret, "load rw prog, rw map, rw fd");
+
+	ret = load_prog(prog_w, ARRAY_SIZE(prog_w), map_fd_wronly, -1, map_fd,
+			EXPECTED_MAP_VALUE, NULL);
+	ASSERT_OK(ret, "load wo prog, rw map, wo fd");
+
+	ret = load_prog(prog_r, ARRAY_SIZE(prog_r), map_rdonly_fd, -1, -1, -1,
+			NULL);
+	ASSERT_OK(ret, "load ro prog, ro map, ro fd");
+
+	/* Existing value was set by prog_w, so it is EXPECTED_MAP_VALUE * 2. */
+	ret = load_prog(prog_rw_merge, ARRAY_SIZE(prog_rw_merge), map_fd_rdonly,
+			map_fd_wronly, map_fd, EXPECTED_MAP_VALUE * 2, NULL);
+	ASSERT_OK(ret, "load rw prog merge, ro fd, wo fd");
+
+	ret = load_prog(prog_r, ARRAY_SIZE(prog_r), map_fd_wronly, -1, -1, -1,
+			"read from map forbidden");
+	ASSERT_OK(ret, "load ro prog, rw map, wo fd");
+
+	ret = load_prog(prog_w, ARRAY_SIZE(prog_w), map_fd_rdonly, -1, -1, -1,
+			"write into map forbidden");
+	ASSERT_OK(ret, "load wo prog, rw map, ro fd");
+
+	ret = load_prog(prog_rw, ARRAY_SIZE(prog_rw), map_fd_rdonly, -1, -1, -1,
+			"write into map forbidden");
+	ASSERT_OK(ret, "load rw prog, rw map, ro fd");
+
+	ret = load_prog(prog_rw, ARRAY_SIZE(prog_rw), map_fd_wronly, -1, -1, -1,
+			"read from map forbidden");
+	ASSERT_OK(ret, "load rw prog, rw map, wo fd");
+
+	ret = load_prog(prog_w, ARRAY_SIZE(prog_w), map_rdonly_fd, -1, -1, -1,
+			"write into map forbidden");
+	ASSERT_OK(ret, "load wo prog, ro map, rw fd");
+}