| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 26 Jun 2020 15:06:34 -0700
From: Andrii Nakryiko <andrii.nakryiko@...il.com>
To: Stanislav Fomichev <sdf@...gle.com>
Cc: Networking <netdev@...r.kernel.org>, bpf <bpf@...r.kernel.org>,
"David S. Miller" <davem@...emloft.net>,
Alexei Starovoitov <ast@...nel.org>,
Daniel Borkmann <daniel@...earbox.net>
Subject: Re: [PATCH bpf-next 4/4] selftests/bpf: test BPF_CGROUP_INET_SOCK_RELEASE
On Thu, Jun 25, 2020 at 5:13 PM Stanislav Fomichev <sdf@...gle.com> wrote:
>
> Simple test that enforces a single SOCK_DGRAM socker per cgroup.
>
> Signed-off-by: Stanislav Fomichev <sdf@...gle.com>
> ---
> .../selftests/bpf/prog_tests/udp_limit.c | 71 +++++++++++++++++++
> tools/testing/selftests/bpf/progs/udp_limit.c | 42 +++++++++++
> 2 files changed, 113 insertions(+)
> create mode 100644 tools/testing/selftests/bpf/prog_tests/udp_limit.c
> create mode 100644 tools/testing/selftests/bpf/progs/udp_limit.c
>
> diff --git a/tools/testing/selftests/bpf/prog_tests/udp_limit.c b/tools/testing/selftests/bpf/prog_tests/udp_limit.c
> new file mode 100644
> index 000000000000..fe359a927d92
> --- /dev/null
> +++ b/tools/testing/selftests/bpf/prog_tests/udp_limit.c
> @@ -0,0 +1,71 @@
> +// SPDX-License-Identifier: GPL-2.0
> +#include <test_progs.h>
> +#include "udp_limit.skel.h"
> +
> +#include <sys/types.h>
> +#include <sys/socket.h>
> +
> +void test_udp_limit(void)
> +{
> + struct udp_limit *skel;
> + int cgroup_fd;
> + int fd1, fd2;
> + int err;
> +
> + cgroup_fd = test__join_cgroup("/udp_limit");
> + if (CHECK_FAIL(cgroup_fd < 0))
> + return;
> +
> + skel = udp_limit__open_and_load();
> + if (CHECK_FAIL(!skel))
> + goto close_cgroup_fd;
> +
> + err = bpf_prog_attach(bpf_program__fd(skel->progs.sock),
> + cgroup_fd, BPF_CGROUP_INET_SOCK_CREATE, 0);
> + if (CHECK_FAIL(err))
> + goto close_skeleton;
> +
> + err = bpf_prog_attach(bpf_program__fd(skel->progs.sock_release),
> + cgroup_fd, BPF_CGROUP_INET_SOCK_RELEASE, 0);
> + if (CHECK_FAIL(err))
> + goto close_skeleton;
Have you tried:
skel->links.sock = bpf_program__attach_cgroup(skel->progs.sock);
and similarly for sock_release?
> +
> + /* BPF program enforces a single UDP socket per cgroup,
> + * verify that.
> + */
> + fd1 = socket(AF_INET, SOCK_DGRAM, 0);
> + if (CHECK_FAIL(fd1 < 0))
> + goto close_skeleton;
> +
> + fd2 = socket(AF_INET, SOCK_DGRAM, 0);
> + if (CHECK_FAIL(fd2 != -1))
> + goto close_fd1;
> +
> + /* We can reopen again after close. */
> + close(fd1);
> +
> + fd1 = socket(AF_INET, SOCK_DGRAM, 0);
> + if (CHECK_FAIL(fd1 < 0))
> + goto close_skeleton;
> +
> + /* Make sure the program was invoked the expected
> + * number of times:
> + * - open fd1 - BPF_CGROUP_INET_SOCK_CREATE
> + * - attempt to openfd2 - BPF_CGROUP_INET_SOCK_CREATE
> + * - close fd1 - BPF_CGROUP_INET_SOCK_RELEASE
> + * - open fd1 again - BPF_CGROUP_INET_SOCK_CREATE
> + */
> + if (CHECK_FAIL(skel->bss->invocations != 4))
> + goto close_fd1;
> +
> + /* We should still have a single socket in use */
> + if (CHECK_FAIL(skel->bss->in_use != 1))
> + goto close_fd1;
Please use a non-silent CHECK() macro for everything that's a proper
and not a high-frequency check. That generates "a log trail" when
running the test in verbose mode, so it's easier to pinpoint where the
failure happened.
> +
> +close_fd1:
> + close(fd1);
> +close_skeleton:
> + udp_limit__destroy(skel);
> +close_cgroup_fd:
> + close(cgroup_fd);
> +}
> diff --git a/tools/testing/selftests/bpf/progs/udp_limit.c b/tools/testing/selftests/bpf/progs/udp_limit.c
> new file mode 100644
> index 000000000000..98fe294d9c21
> --- /dev/null
> +++ b/tools/testing/selftests/bpf/progs/udp_limit.c
> @@ -0,0 +1,42 @@
> +// SPDX-License-Identifier: GPL-2.0-only
> +
> +#include <sys/socket.h>
> +#include <linux/bpf.h>
> +#include <bpf/bpf_helpers.h>
> +
> +int invocations, in_use;
> +
> +SEC("cgroup/sock")
> +int sock(struct bpf_sock *ctx)
> +{
> + __u32 key;
> +
> + if (ctx->type != SOCK_DGRAM)
> + return 1;
> +
> + __sync_fetch_and_add(&invocations, 1);
> +
> + if (&in_use > 0) {
&in_use is supposed to return an address of a variable... this looks
weird and probably not what you wanted?
> + /* BPF_CGROUP_INET_SOCK_RELEASE is _not_ called
> + * when we return an error from the BPF
> + * program!
> + */
> + return 0;
> + }
> +
> + __sync_fetch_and_add(&in_use, 1);
> + return 1;
> +}
> +
> +SEC("cgroup/sock_release")
> +int sock_release(struct bpf_sock *ctx)
> +{
> + __u32 key;
> +
> + if (ctx->type != SOCK_DGRAM)
> + return 1;
> +
> + __sync_fetch_and_add(&invocations, 1);
> + __sync_fetch_and_add(&in_use, -1);
> + return 1;
> +}
> --
> 2.27.0.111.gc72c7da667-goog
>
Powered by blists - more mailing lists