| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 1 Dec 2020 17:01:10 -0800
From: Andrii Nakryiko <andrii.nakryiko@...il.com>
To: Florent Revest <revest@...omium.org>
Cc: bpf <bpf@...r.kernel.org>, Alexei Starovoitov <ast@...nel.org>,
Daniel Borkmann <daniel@...earbox.net>,
Andrii Nakryiko <andrii@...nel.org>,
KP Singh <kpsingh@...omium.org>,
Florent Revest <revest@...gle.com>,
open list <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH bpf-next 2/2] bpf: Add a selftest for the tracing bpf_get_socket_cookie
On Thu, Nov 26, 2020 at 9:02 AM Florent Revest <revest@...omium.org> wrote:
>
> This builds up on the existing socket cookie test which checks whether
> the bpf_get_socket_cookie helpers provide the same value in
> cgroup/connect6 and sockops programs for a socket created by the
> userspace part of the test.
>
> Adding a tracing program to the existing objects requires a different
> attachment strategy and different headers.
>
> Signed-off-by: Florent Revest <revest@...gle.com>
> ---
> .../selftests/bpf/progs/socket_cookie_prog.c | 41 ++++++++++++++++---
> .../selftests/bpf/test_socket_cookie.c | 18 +++++---
> 2 files changed, 49 insertions(+), 10 deletions(-)
>
> diff --git a/tools/testing/selftests/bpf/progs/socket_cookie_prog.c b/tools/testing/selftests/bpf/progs/socket_cookie_prog.c
> index 0cb5656a22b0..a11026aeaaf1 100644
> --- a/tools/testing/selftests/bpf/progs/socket_cookie_prog.c
> +++ b/tools/testing/selftests/bpf/progs/socket_cookie_prog.c
> @@ -1,11 +1,13 @@
> // SPDX-License-Identifier: GPL-2.0
> // Copyright (c) 2018 Facebook
>
> -#include <linux/bpf.h>
> -#include <sys/socket.h>
> +#include "vmlinux.h"
>
> #include <bpf/bpf_helpers.h>
> #include <bpf/bpf_endian.h>
> +#include <bpf/bpf_tracing.h>
> +
> +#define AF_INET6 10
>
> struct socket_cookie {
> __u64 cookie_key;
> @@ -19,6 +21,14 @@ struct {
> __type(value, struct socket_cookie);
> } socket_cookies SEC(".maps");
>
> +/*
> + * These three programs get executed in a row on connect() syscalls. The
> + * userspace side of the test creates a client socket, issues a connect() on it
> + * and then checks that the local storage associated with this socket has:
> + * cookie_value == local_port << 8 | 0xFF
> + * The different parts of this cookie_value are appended by those hooks if they
> + * all agree on the output of bpf_get_socket_cookie().
> + */
> SEC("cgroup/connect6")
> int set_cookie(struct bpf_sock_addr *ctx)
> {
> @@ -32,14 +42,14 @@ int set_cookie(struct bpf_sock_addr *ctx)
> if (!p)
> return 1;
>
> - p->cookie_value = 0xFF;
> + p->cookie_value = 0xF;
> p->cookie_key = bpf_get_socket_cookie(ctx);
>
> return 1;
> }
>
> SEC("sockops")
> -int update_cookie(struct bpf_sock_ops *ctx)
> +int update_cookie_sockops(struct bpf_sock_ops *ctx)
> {
> struct bpf_sock *sk;
> struct socket_cookie *p;
> @@ -60,11 +70,32 @@ int update_cookie(struct bpf_sock_ops *ctx)
> if (p->cookie_key != bpf_get_socket_cookie(ctx))
> return 1;
>
> - p->cookie_value = (ctx->local_port << 8) | p->cookie_value;
> + p->cookie_value |= (ctx->local_port << 8);
>
> return 1;
> }
>
> +SEC("fexit/inet_stream_connect")
> +int BPF_PROG(update_cookie_tracing, struct socket *sock,
> + struct sockaddr *uaddr, int addr_len, int flags)
> +{
> + struct socket_cookie *p;
> +
> + if (uaddr->sa_family != AF_INET6)
> + return 0;
> +
> + p = bpf_sk_storage_get(&socket_cookies, sock->sk, 0, 0);
> + if (!p)
> + return 0;
> +
> + if (p->cookie_key != bpf_get_socket_cookie(sock->sk))
> + return 0;
> +
> + p->cookie_value |= 0xF0;
> +
> + return 0;
> +}
> +
> int _version SEC("version") = 1;
please remove this, while you are at it
>
> char _license[] SEC("license") = "GPL";
> diff --git a/tools/testing/selftests/bpf/test_socket_cookie.c b/tools/testing/selftests/bpf/test_socket_cookie.c
> index ca7ca87e91aa..0d955c65a4f8 100644
> --- a/tools/testing/selftests/bpf/test_socket_cookie.c
> +++ b/tools/testing/selftests/bpf/test_socket_cookie.c
> @@ -133,6 +133,7 @@ static int run_test(int cgfd)
> struct bpf_prog_load_attr attr;
> struct bpf_program *prog;
> struct bpf_object *pobj;
> + struct bpf_link *link;
> const char *prog_name;
> int server_fd = -1;
> int client_fd = -1;
> @@ -153,11 +154,18 @@ static int run_test(int cgfd)
> bpf_object__for_each_program(prog, pobj) {
> prog_name = bpf_program__section_name(prog);
>
> - if (libbpf_attach_type_by_name(prog_name, &attach_type))
> - goto err;
> -
> - err = bpf_prog_attach(bpf_program__fd(prog), cgfd, attach_type,
> - BPF_F_ALLOW_OVERRIDE);
> + if (bpf_program__is_tracing(prog)) {
> + link = bpf_program__attach(prog);
> + err = !link;
link is a pointer, so use libbpf_get_error()
> + continue;
> + } else {
else branch is not really necessary, just adds indentation unnecessarily
> + if (libbpf_attach_type_by_name(prog_name, &attach_type))
> + goto err;
> +
> + err = bpf_prog_attach(bpf_program__fd(prog), cgfd,
> + attach_type,
> + BPF_F_ALLOW_OVERRIDE);
> + }
> if (err) {
> log_err("Failed to attach prog %s", prog_name);
> goto out;
> --
> 2.29.2.454.gaff20da3a2-goog
>
Powered by blists - more mailing lists