lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Fri, 26 Jun 2020 15:06:34 -0700
From:   Andrii Nakryiko <andrii.nakryiko@...il.com>
To:     Stanislav Fomichev <sdf@...gle.com>
Cc:     Networking <netdev@...r.kernel.org>, bpf <bpf@...r.kernel.org>,
        "David S. Miller" <davem@...emloft.net>,
        Alexei Starovoitov <ast@...nel.org>,
        Daniel Borkmann <daniel@...earbox.net>
Subject: Re: [PATCH bpf-next 4/4] selftests/bpf: test BPF_CGROUP_INET_SOCK_RELEASE

On Thu, Jun 25, 2020 at 5:13 PM Stanislav Fomichev <sdf@...gle.com> wrote:
>
> Simple test that enforces a single SOCK_DGRAM socker per cgroup.
>
> Signed-off-by: Stanislav Fomichev <sdf@...gle.com>
> ---
>  .../selftests/bpf/prog_tests/udp_limit.c      | 71 +++++++++++++++++++
>  tools/testing/selftests/bpf/progs/udp_limit.c | 42 +++++++++++
>  2 files changed, 113 insertions(+)
>  create mode 100644 tools/testing/selftests/bpf/prog_tests/udp_limit.c
>  create mode 100644 tools/testing/selftests/bpf/progs/udp_limit.c
>
> diff --git a/tools/testing/selftests/bpf/prog_tests/udp_limit.c b/tools/testing/selftests/bpf/prog_tests/udp_limit.c
> new file mode 100644
> index 000000000000..fe359a927d92
> --- /dev/null
> +++ b/tools/testing/selftests/bpf/prog_tests/udp_limit.c
> @@ -0,0 +1,71 @@
> +// SPDX-License-Identifier: GPL-2.0
> +#include <test_progs.h>
> +#include "udp_limit.skel.h"
> +
> +#include <sys/types.h>
> +#include <sys/socket.h>
> +
> +void test_udp_limit(void)
> +{
> +       struct udp_limit *skel;
> +       int cgroup_fd;
> +       int fd1, fd2;
> +       int err;
> +
> +       cgroup_fd = test__join_cgroup("/udp_limit");
> +       if (CHECK_FAIL(cgroup_fd < 0))
> +               return;
> +
> +       skel = udp_limit__open_and_load();
> +       if (CHECK_FAIL(!skel))
> +               goto close_cgroup_fd;
> +
> +       err = bpf_prog_attach(bpf_program__fd(skel->progs.sock),
> +                             cgroup_fd, BPF_CGROUP_INET_SOCK_CREATE, 0);
> +       if (CHECK_FAIL(err))
> +               goto close_skeleton;
> +
> +       err = bpf_prog_attach(bpf_program__fd(skel->progs.sock_release),
> +                             cgroup_fd, BPF_CGROUP_INET_SOCK_RELEASE, 0);
> +       if (CHECK_FAIL(err))
> +               goto close_skeleton;

Have you tried:

skel->links.sock = bpf_program__attach_cgroup(skel->progs.sock);

and similarly for sock_release?

> +
> +       /* BPF program enforces a single UDP socket per cgroup,
> +        * verify that.
> +        */
> +       fd1 = socket(AF_INET, SOCK_DGRAM, 0);
> +       if (CHECK_FAIL(fd1 < 0))
> +               goto close_skeleton;
> +
> +       fd2 = socket(AF_INET, SOCK_DGRAM, 0);
> +       if (CHECK_FAIL(fd2 != -1))
> +               goto close_fd1;
> +
> +       /* We can reopen again after close. */
> +       close(fd1);
> +
> +       fd1 = socket(AF_INET, SOCK_DGRAM, 0);
> +       if (CHECK_FAIL(fd1 < 0))
> +               goto close_skeleton;
> +
> +       /* Make sure the program was invoked the expected
> +        * number of times:
> +        * - open fd1           - BPF_CGROUP_INET_SOCK_CREATE
> +        * - attempt to openfd2 - BPF_CGROUP_INET_SOCK_CREATE
> +        * - close fd1          - BPF_CGROUP_INET_SOCK_RELEASE
> +        * - open fd1 again     - BPF_CGROUP_INET_SOCK_CREATE
> +        */
> +       if (CHECK_FAIL(skel->bss->invocations != 4))
> +               goto close_fd1;
> +
> +       /* We should still have a single socket in use */
> +       if (CHECK_FAIL(skel->bss->in_use != 1))
> +               goto close_fd1;

Please use a non-silent CHECK() macro for everything that's a proper
and not a high-frequency check. That generates "a log trail" when
running the test in verbose mode, so it's easier to pinpoint where the
failure happened.

> +
> +close_fd1:
> +       close(fd1);
> +close_skeleton:
> +       udp_limit__destroy(skel);
> +close_cgroup_fd:
> +       close(cgroup_fd);
> +}
> diff --git a/tools/testing/selftests/bpf/progs/udp_limit.c b/tools/testing/selftests/bpf/progs/udp_limit.c
> new file mode 100644
> index 000000000000..98fe294d9c21
> --- /dev/null
> +++ b/tools/testing/selftests/bpf/progs/udp_limit.c
> @@ -0,0 +1,42 @@
> +// SPDX-License-Identifier: GPL-2.0-only
> +
> +#include <sys/socket.h>
> +#include <linux/bpf.h>
> +#include <bpf/bpf_helpers.h>
> +
> +int invocations, in_use;
> +
> +SEC("cgroup/sock")
> +int sock(struct bpf_sock *ctx)
> +{
> +       __u32 key;
> +
> +       if (ctx->type != SOCK_DGRAM)
> +               return 1;
> +
> +       __sync_fetch_and_add(&invocations, 1);
> +
> +       if (&in_use > 0) {


&in_use is supposed to return an address of a variable... this looks
weird and probably not what you wanted?

> +               /* BPF_CGROUP_INET_SOCK_RELEASE is _not_ called
> +                * when we return an error from the BPF
> +                * program!
> +                */
> +               return 0;
> +       }
> +
> +       __sync_fetch_and_add(&in_use, 1);
> +       return 1;
> +}
> +
> +SEC("cgroup/sock_release")
> +int sock_release(struct bpf_sock *ctx)
> +{
> +       __u32 key;
> +
> +       if (ctx->type != SOCK_DGRAM)
> +               return 1;
> +
> +       __sync_fetch_and_add(&invocations, 1);
> +       __sync_fetch_and_add(&in_use, -1);
> +       return 1;
> +}
> --
> 2.27.0.111.gc72c7da667-goog
>

Powered by blists - more mailing lists