| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 18 Feb 2020 20:02:20 +0100
From: Michal Rostecki <mrostecki@...nsuse.org>
To: bpf@...r.kernel.org
Cc: Alexei Starovoitov <ast@...nel.org>,
Daniel Borkmann <daniel@...earbox.net>,
Martin KaFai Lau <kafai@...com>,
Song Liu <songliubraving@...com>, Yonghong Song <yhs@...com>,
Andrii Nakryiko <andriin@...com>,
Quentin Monnet <quentin.monnet@...ronome.com>,
Jakub Kicinski <kuba@...nel.org>, netdev@...r.kernel.org,
linux-kernel@...r.kernel.org, Shuah Khan <shuah@...nel.org>,
linux-kselftest@...r.kernel.org
Subject: [PATCH bpf-next 3/6] bpftool: Add arguments for filtering in and filtering out probes
Add positional arguments "filter_in" and "filter_out" to the feature
command of bpftool. If "filter_in" is defined, bpftool is going to
perform and print only checks which match the given pattern. If
"filter_out" is defined, bpftool will not perform and print checks which
match the given pattern.
Signed-off-by: Michal Rostecki <mrostecki@...nsuse.org>
---
tools/bpf/bpftool/feature.c | 324 ++++++++++++++++++++++++++++--------
1 file changed, 256 insertions(+), 68 deletions(-)
diff --git a/tools/bpf/bpftool/feature.c b/tools/bpf/bpftool/feature.c
index cfba0faf148f..f10e928d18c8 100644
--- a/tools/bpf/bpftool/feature.c
+++ b/tools/bpf/bpftool/feature.c
@@ -3,6 +3,7 @@
#include <ctype.h>
#include <errno.h>
+#include <regex.h>
#include <string.h>
#include <unistd.h>
#include <net/if.h>
@@ -64,6 +65,55 @@ static void uppercase(char *str, size_t len)
str[i] = toupper(str[i]);
}
+/* Filtering utility functions */
+
+static bool
+check_filters(const char *name, regex_t *filter_in, regex_t *filter_out)
+{
+ char err_buf[100];
+ int ret;
+
+ /* Do not probe if filter_in was defined and string does not match
+ * against the pattern.
+ */
+ if (filter_in) {
+ ret = regexec(filter_in, name, 0, NULL, 0);
+ switch (ret) {
+ case 0:
+ break;
+ case REG_NOMATCH:
+ return false;
+ default:
+ regerror(ret, filter_in, err_buf, ARRAY_SIZE(err_buf));
+ p_err("could not match regex: %s", err_buf);
+ free(filter_in);
+ free(filter_out);
+ exit(1);
+ }
+ }
+
+ /* Do not probe if filter_out was defined and string matches against the
+ * pattern.
+ */
+ if (filter_out) {
+ ret = regexec(filter_out, name, 0, NULL, 0);
+ switch (ret) {
+ case 0:
+ return false;
+ case REG_NOMATCH:
+ break;
+ default:
+ regerror(ret, filter_out, err_buf, ARRAY_SIZE(err_buf));
+ p_err("could not match regex: %s", err_buf);
+ free(filter_in);
+ free(filter_out);
+ exit(1);
+ }
+ }
+
+ return true;
+}
+
/* Printing utility functions */
static void
@@ -79,11 +129,16 @@ print_bool_feature(const char *feat_name, const char *plain_name,
printf("%s is %savailable\n", plain_name, res ? "" : "NOT ");
}
-static void print_kernel_option(const char *name, const char *value)
+static void
+print_kernel_option(const char *name, const char *value, regex_t *filter_in,
+ regex_t *filter_out)
{
char *endptr;
int res;
+ if (!check_filters(name, filter_in, filter_out))
+ return;
+
/* No support for C-style ouptut */
if (json_output) {
@@ -154,15 +209,19 @@ static int read_procfs(const char *path)
return res;
}
-static void probe_unprivileged_disabled(void)
+static void probe_unprivileged_disabled(regex_t *filter_in, regex_t *filter_out)
{
+ const char *feat_name = "unprivileged_bpf_disabled";
int res;
/* No support for C-style ouptut */
+ if (!check_filters(feat_name, filter_in, filter_out))
+ return;
+
res = read_procfs("/proc/sys/kernel/unprivileged_bpf_disabled");
if (json_output) {
- jsonw_int_field(json_wtr, "unprivileged_bpf_disabled", res);
+ jsonw_int_field(json_wtr, feat_name, res);
} else {
switch (res) {
case 0:
@@ -180,15 +239,19 @@ static void probe_unprivileged_disabled(void)
}
}
-static void probe_jit_enable(void)
+static void probe_jit_enable(regex_t *filter_in, regex_t *filter_out)
{
+ const char *feat_name = "bpf_jit_enable";
int res;
/* No support for C-style ouptut */
+ if (!check_filters(feat_name, filter_in, filter_out))
+ return;
+
res = read_procfs("/proc/sys/net/core/bpf_jit_enable");
if (json_output) {
- jsonw_int_field(json_wtr, "bpf_jit_enable", res);
+ jsonw_int_field(json_wtr, feat_name, res);
} else {
switch (res) {
case 0:
@@ -210,15 +273,19 @@ static void probe_jit_enable(void)
}
}
-static void probe_jit_harden(void)
+static void probe_jit_harden(regex_t *filter_in, regex_t *filter_out)
{
+ const char *feat_name = "bpf_jit_harden";
int res;
/* No support for C-style ouptut */
+ if (!check_filters(feat_name, filter_in, filter_out))
+ return;
+
res = read_procfs("/proc/sys/net/core/bpf_jit_harden");
if (json_output) {
- jsonw_int_field(json_wtr, "bpf_jit_harden", res);
+ jsonw_int_field(json_wtr, feat_name, res);
} else {
switch (res) {
case 0:
@@ -240,15 +307,19 @@ static void probe_jit_harden(void)
}
}
-static void probe_jit_kallsyms(void)
+static void probe_jit_kallsyms(regex_t *filter_in, regex_t *filter_out)
{
+ const char *feat_name = "bpf_jit_kallsyms";
int res;
/* No support for C-style ouptut */
+ if (!check_filters(feat_name, filter_in, filter_out))
+ return;
+
res = read_procfs("/proc/sys/net/core/bpf_jit_kallsyms");
if (json_output) {
- jsonw_int_field(json_wtr, "bpf_jit_kallsyms", res);
+ jsonw_int_field(json_wtr, feat_name, res);
} else {
switch (res) {
case 0:
@@ -266,15 +337,19 @@ static void probe_jit_kallsyms(void)
}
}
-static void probe_jit_limit(void)
+static void probe_jit_limit(regex_t *filter_in, regex_t *filter_out)
{
+ const char *feat_name = "bpf_jit_limit";
int res;
/* No support for C-style ouptut */
+ if (!check_filters(feat_name, filter_in, filter_out))
+ return;
+
res = read_procfs("/proc/sys/net/core/bpf_jit_limit");
if (json_output) {
- jsonw_int_field(json_wtr, "bpf_jit_limit", res);
+ jsonw_int_field(json_wtr, feat_name, res);
} else {
switch (res) {
case -1:
@@ -314,7 +389,8 @@ static bool read_next_kernel_config_option(gzFile file, char *buf, size_t n,
return false;
}
-static void probe_kernel_image_config(void)
+static void
+probe_kernel_image_config(regex_t *filter_in, regex_t *filter_out)
{
static const char * const options[] = {
/* Enable BPF */
@@ -438,23 +514,31 @@ static void probe_kernel_image_config(void)
gzclose(file);
for (i = 0; i < ARRAY_SIZE(options); i++) {
- print_kernel_option(options[i], values[i]);
+ print_kernel_option(options[i], values[i], filter_in,
+ filter_out);
free(values[i]);
}
}
static bool
-probe_bpf_syscall(bool print_syscall_config, const char *define_prefix)
+probe_bpf_syscall(bool print_syscall_config, const char *define_prefix,
+ regex_t *filter_in, regex_t *filter_out)
{
+ const char *feat_name = "have_bpf_syscall";
+ const char *plain_desc = "bpf() syscall";
+ const char *define_name = "BPF_SYSCALL";
bool res;
bpf_load_program(BPF_PROG_TYPE_UNSPEC, NULL, 0, NULL, 0, NULL, 0);
res = (errno != ENOSYS);
+ if (!check_filters(feat_name, filter_in, filter_out))
+ print_syscall_config = false;
+
if (print_syscall_config)
- print_bool_feature("have_bpf_syscall",
- "bpf() syscall",
- "BPF_SYSCALL",
+ print_bool_feature(feat_name,
+ plain_desc,
+ define_name,
res, define_prefix);
return res;
@@ -462,13 +546,19 @@ probe_bpf_syscall(bool print_syscall_config, const char *define_prefix)
static void
probe_prog_type(bool print_program_types, enum bpf_prog_type prog_type,
- bool *supported_types, const char *define_prefix, __u32 ifindex)
+ bool *supported_types, const char *define_prefix,
+ regex_t *filter_in, regex_t *filter_out, __u32 ifindex)
{
char feat_name[128], plain_desc[128], define_name[128];
const char *plain_comment = "eBPF program_type ";
size_t maxlen;
bool res;
+ sprintf(feat_name, "have_%s_prog_type", prog_type_name[prog_type]);
+ sprintf(define_name, "%s_prog_type", prog_type_name[prog_type]);
+ uppercase(define_name, sizeof(define_name));
+ sprintf(plain_desc, "%s%s", plain_comment, prog_type_name[prog_type]);
+
if (ifindex)
/* Only test offload-able program types */
switch (prog_type) {
@@ -489,10 +579,8 @@ probe_prog_type(bool print_program_types, enum bpf_prog_type prog_type,
return;
}
- sprintf(feat_name, "have_%s_prog_type", prog_type_name[prog_type]);
- sprintf(define_name, "%s_prog_type", prog_type_name[prog_type]);
- uppercase(define_name, sizeof(define_name));
- sprintf(plain_desc, "%s%s", plain_comment, prog_type_name[prog_type]);
+ if (!check_filters(feat_name, filter_in, filter_out))
+ return;
if (print_program_types)
print_bool_feature(feat_name, plain_desc, define_name, res,
@@ -501,13 +589,21 @@ probe_prog_type(bool print_program_types, enum bpf_prog_type prog_type,
static void
probe_map_type(enum bpf_map_type map_type, const char *define_prefix,
- __u32 ifindex)
+ regex_t *filter_in, regex_t *filter_out, __u32 ifindex)
{
char feat_name[128], plain_desc[128], define_name[128];
const char *plain_comment = "eBPF map_type ";
size_t maxlen;
bool res;
+ sprintf(feat_name, "have_%s_map_type", map_type_name[map_type]);
+ sprintf(define_name, "%s_map_type", map_type_name[map_type]);
+ uppercase(define_name, sizeof(define_name));
+ sprintf(plain_desc, "%s%s", plain_comment, map_type_name[map_type]);
+
+ if (!check_filters(feat_name, filter_in, filter_out))
+ return;
+
res = bpf_probe_map_type(map_type, ifindex);
maxlen = sizeof(plain_desc) - strlen(plain_comment) - 1;
@@ -516,23 +612,23 @@ probe_map_type(enum bpf_map_type map_type, const char *define_prefix,
return;
}
- sprintf(feat_name, "have_%s_map_type", map_type_name[map_type]);
- sprintf(define_name, "%s_map_type", map_type_name[map_type]);
- uppercase(define_name, sizeof(define_name));
- sprintf(plain_desc, "%s%s", plain_comment, map_type_name[map_type]);
print_bool_feature(feat_name, plain_desc, define_name, res,
define_prefix);
}
static void
probe_helpers_for_progtype(enum bpf_prog_type prog_type, bool supported_type,
- const char *define_prefix, __u32 ifindex)
+ const char *define_prefix, regex_t *filter_in,
+ regex_t *filter_out, __u32 ifindex)
{
const char *ptype_name = prog_type_name[prog_type];
char feat_name[128];
unsigned int id;
bool res;
+ if (!check_filters(ptype_name, filter_in, filter_out))
+ return;
+
if (ifindex)
/* Only test helpers for offload-able program types */
switch (prog_type) {
@@ -553,6 +649,9 @@ probe_helpers_for_progtype(enum bpf_prog_type prog_type, bool supported_type,
}
for (id = 1; id < ARRAY_SIZE(helper_name); id++) {
+ if (!check_filters(helper_name[id], filter_in, filter_out))
+ continue;
+
if (!supported_type)
res = false;
else
@@ -578,19 +677,27 @@ probe_helpers_for_progtype(enum bpf_prog_type prog_type, bool supported_type,
}
static void
-probe_large_insn_limit(const char *define_prefix, __u32 ifindex)
+probe_large_insn_limit(const char *define_prefix, regex_t *filter_in,
+ regex_t *filter_out, __u32 ifindex)
{
+ const char *plain_desc = "Large program size limit";
+ const char *feat_name = "have_large_insn_limit";
+ const char *define_name = "LARGE_INSN_LIMIT";
bool res;
+ if (!check_filters(feat_name, filter_in, filter_out))
+ return;
+
res = bpf_probe_large_insn_limit(ifindex);
- print_bool_feature("have_large_insn_limit",
- "Large program size limit",
- "LARGE_INSN_LIMIT",
+ print_bool_feature(feat_name,
+ plain_desc,
+ define_name,
res, define_prefix);
}
static void
-section_system_config(enum probe_component target, const char *define_prefix)
+section_system_config(enum probe_component target, const char *define_prefix,
+ regex_t *filter_in, regex_t *filter_out)
{
switch (target) {
case COMPONENT_KERNEL:
@@ -603,15 +710,15 @@ section_system_config(enum probe_component target, const char *define_prefix)
NULL, /* define_comment never used here */
NULL); /* define_prefix always NULL here */
if (check_procfs()) {
- probe_unprivileged_disabled();
- probe_jit_enable();
- probe_jit_harden();
- probe_jit_kallsyms();
- probe_jit_limit();
+ probe_unprivileged_disabled(filter_in, filter_out);
+ probe_jit_enable(filter_in, filter_out);
+ probe_jit_harden(filter_in, filter_out);
+ probe_jit_kallsyms(filter_in, filter_out);
+ probe_jit_limit(filter_in, filter_out);
} else {
p_info("/* procfs not mounted, skipping related probes */");
}
- probe_kernel_image_config();
+ probe_kernel_image_config(filter_in, filter_out);
print_end_section();
break;
default:
@@ -620,7 +727,8 @@ section_system_config(enum probe_component target, const char *define_prefix)
}
static bool
-section_syscall_config(bool print_syscall_config, const char *define_prefix)
+section_syscall_config(bool print_syscall_config, const char *define_prefix,
+ regex_t *filter_in, regex_t *filter_out)
{
bool res;
@@ -629,7 +737,8 @@ section_syscall_config(bool print_syscall_config, const char *define_prefix)
"Scanning system call availability...",
"/*** System call availability ***/",
define_prefix);
- res = probe_bpf_syscall(print_syscall_config, define_prefix);
+ res = probe_bpf_syscall(print_syscall_config, define_prefix,
+ filter_in, filter_out);
if (print_syscall_config)
print_end_section();
@@ -638,7 +747,8 @@ section_syscall_config(bool print_syscall_config, const char *define_prefix)
static void
section_program_types(bool print_program_types, bool *supported_types,
- const char *define_prefix, __u32 ifindex)
+ const char *define_prefix, regex_t *filter_in,
+ regex_t *filter_out, __u32 ifindex)
{
unsigned int i;
@@ -650,13 +760,14 @@ section_program_types(bool print_program_types, bool *supported_types,
for (i = BPF_PROG_TYPE_UNSPEC + 1; i < ARRAY_SIZE(prog_type_name); i++)
probe_prog_type(print_program_types, i, supported_types,
- define_prefix, ifindex);
+ define_prefix, filter_in, filter_out, ifindex);
if (print_program_types)
print_end_section();
}
-static void section_map_types(const char *define_prefix, __u32 ifindex)
+static void section_map_types(const char *define_prefix, regex_t *filter_in,
+ regex_t *filter_out, __u32 ifindex)
{
unsigned int i;
@@ -666,13 +777,15 @@ static void section_map_types(const char *define_prefix, __u32 ifindex)
define_prefix);
for (i = BPF_MAP_TYPE_UNSPEC + 1; i < map_type_name_size; i++)
- probe_map_type(i, define_prefix, ifindex);
+ probe_map_type(i, define_prefix, filter_in, filter_out,
+ ifindex);
print_end_section();
}
static void
-section_helpers(bool *supported_types, const char *define_prefix, __u32 ifindex)
+section_helpers(bool *supported_types, const char *define_prefix,
+ regex_t *filter_in, regex_t *filter_out, __u32 ifindex)
{
unsigned int i;
@@ -698,18 +811,20 @@ section_helpers(bool *supported_types, const char *define_prefix, __u32 ifindex)
define_prefix);
for (i = BPF_PROG_TYPE_UNSPEC + 1; i < ARRAY_SIZE(prog_type_name); i++)
probe_helpers_for_progtype(i, supported_types[i],
- define_prefix, ifindex);
+ define_prefix, filter_in, filter_out,
+ ifindex);
print_end_section();
}
-static void section_misc(const char *define_prefix, __u32 ifindex)
+static void section_misc(const char *define_prefix, regex_t *filter_in,
+ regex_t *filter_out, __u32 ifindex)
{
print_start_section(SECTION_MISC,
"Scanning miscellaneous eBPF features...",
"/*** eBPF misc features ***/",
define_prefix);
- probe_large_insn_limit(define_prefix, ifindex);
+ probe_large_insn_limit(define_prefix, filter_in, filter_out, ifindex);
print_end_section();
}
@@ -721,6 +836,8 @@ static int do_probe(int argc, char **argv)
* should exit.
*/
bool print_syscall_config = false;
+ const char *filter_out_raw = NULL;
+ const char *filter_in_raw = NULL;
const char *define_prefix = NULL;
bool check_system_config = false;
/* Program types probes are needed if helper probes are going to be
@@ -734,9 +851,14 @@ static int do_probe(int argc, char **argv)
bool check_map_types = false;
bool check_helpers = false;
bool check_section = false;
+ regex_t *filter_out = NULL;
+ regex_t *filter_in = NULL;
bool check_misc = false;
+ char regerror_buf[100];
__u32 ifindex = 0;
char *ifname;
+ int reg_ret;
+ int ret = 0;
/* Detection assumes user has sufficient privileges (CAP_SYS_ADMIN).
* Let's approximate, and restrict usage to root user only.
@@ -752,7 +874,8 @@ static int do_probe(int argc, char **argv)
if (is_prefix(*argv, "kernel")) {
if (target != COMPONENT_UNSPEC) {
p_err("component to probe already specified");
- return -1;
+ ret = -1;
+ goto cleanup;
}
target = COMPONENT_KERNEL;
NEXT_ARG();
@@ -761,10 +884,13 @@ static int do_probe(int argc, char **argv)
if (target != COMPONENT_UNSPEC || ifindex) {
p_err("component to probe already specified");
- return -1;
+ ret = -1;
+ goto cleanup;
+ }
+ if (!REQ_ARGS(1)) {
+ ret = -1;
+ goto cleanup;
}
- if (!REQ_ARGS(1))
- return -1;
target = COMPONENT_DEVICE;
ifname = GET_ARG();
@@ -772,7 +898,8 @@ static int do_probe(int argc, char **argv)
if (!ifindex) {
p_err("unrecognized netdevice '%s': %s", ifname,
strerror(errno));
- return -1;
+ ret = -1;
+ goto cleanup;
}
} else if (is_prefix(*argv, "section")) {
check_section = true;
@@ -804,30 +931,82 @@ static int do_probe(int argc, char **argv)
SECTION_MAP_TYPES,
SECTION_HELPERS,
SECTION_MISC);
- return -1;
+ ret = -1;
+ goto cleanup;
+ }
+ NEXT_ARG();
+ } else if (is_prefix(*argv, "filter_in")) {
+ if (filter_in_raw) {
+ p_err("filter_in can be used only once");
+ ret = -1;
+ goto cleanup;
}
NEXT_ARG();
+ if (!REQ_ARGS(1)) {
+ ret = -1;
+ goto cleanup;
+ }
+ filter_in_raw = GET_ARG();
+
+ filter_in = malloc(sizeof(regex_t));
+ reg_ret = regcomp(filter_in, filter_in_raw, 0);
+ if (reg_ret) {
+ regerror(reg_ret, filter_in, regerror_buf,
+ ARRAY_SIZE(regerror_buf));
+ p_err("could not compile regex: %s",
+ regerror_buf);
+ ret = -1;
+ goto cleanup;
+ }
+ } else if (is_prefix(*argv, "filter_out")) {
+ if (filter_out_raw) {
+ p_err("filter_out can be used only once");
+ ret = -1;
+ goto cleanup;
+ }
+ NEXT_ARG();
+ if (!REQ_ARGS(1)) {
+ ret = -1;
+ goto cleanup;
+ }
+ filter_out_raw = GET_ARG();
+
+ filter_out = malloc(sizeof(regex_t));
+ reg_ret = regcomp(filter_out, filter_out_raw, 0);
+ if (reg_ret) {
+ regerror(reg_ret, filter_out, regerror_buf,
+ ARRAY_SIZE(regerror_buf));
+ p_err("could not compile regex: %s",
+ regerror_buf);
+ ret = -1;
+ goto cleanup;
+ }
} else if (is_prefix(*argv, "macros") && !define_prefix) {
define_prefix = "";
NEXT_ARG();
} else if (is_prefix(*argv, "prefix")) {
if (!define_prefix) {
p_err("'prefix' argument can only be use after 'macros'");
- return -1;
+ ret = -1;
+ goto cleanup;
}
if (strcmp(define_prefix, "")) {
p_err("'prefix' already defined");
- return -1;
+ ret = -1;
+ goto cleanup;
}
NEXT_ARG();
- if (!REQ_ARGS(1))
- return -1;
+ if (!REQ_ARGS(1)) {
+ ret = -1;
+ goto cleanup;
+ }
define_prefix = GET_ARG();
} else {
p_err("expected no more arguments, 'kernel', 'dev', 'macros' or 'prefix', got: '%s'?",
*argv);
- return -1;
+ ret = -1;
+ goto cleanup;
}
}
@@ -848,26 +1027,35 @@ static int do_probe(int argc, char **argv)
}
if (check_system_config)
- section_system_config(target, define_prefix);
- if (!section_syscall_config(print_syscall_config, define_prefix))
+ section_system_config(target, define_prefix, filter_in,
+ filter_out);
+ if (!section_syscall_config(print_syscall_config, define_prefix,
+ filter_in, filter_out))
/* bpf() syscall unavailable, don't probe other BPF features */
goto exit_close_json;
if (check_program_types)
section_program_types(print_program_types, supported_types,
- define_prefix, ifindex);
+ define_prefix, filter_in, filter_out,
+ ifindex);
if (check_map_types)
- section_map_types(define_prefix, ifindex);
+ section_map_types(define_prefix, filter_in, filter_out,
+ ifindex);
if (check_helpers)
- section_helpers(supported_types, define_prefix, ifindex);
+ section_helpers(supported_types, define_prefix, filter_in,
+ filter_out, ifindex);
if (check_misc)
- section_misc(define_prefix, ifindex);
+ section_misc(define_prefix, filter_in, filter_out, ifindex);
exit_close_json:
if (json_output)
/* End root object */
jsonw_end_object(json_wtr);
- return 0;
+cleanup:
+ free(filter_in);
+ free(filter_out);
+
+ return ret;
}
static int do_help(int argc, char **argv)
@@ -878,7 +1066,7 @@ static int do_help(int argc, char **argv)
}
fprintf(stderr,
- "Usage: %s %s probe [COMPONENT] [section SECTION] [macros [prefix PREFIX]]\n"
+ "Usage: %s %s probe [COMPONENT] [section SECTION] [filter_in PATTERN] [filter_out PATTERN] [macros [prefix PREFIX]]\n"
" %s %s help\n"
"\n"
" COMPONENT := { kernel | dev NAME }\n"
--
2.25.0
Powered by blists - more mailing lists