| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 11 Jan 2021 12:15:14 -0800
From: Yonghong Song <yhs@...com>
To: Daniel Borkmann <daniel@...earbox.net>, <ast@...nel.org>
CC: <bpf@...r.kernel.org>, <netdev@...r.kernel.org>
Subject: Re: [PATCH bpf-next 2/2] bpf: extend bind v4/v6 selftests for
mark/prio/bindtoifindex
On 1/11/21 8:17 AM, Daniel Borkmann wrote:
> Extend existing cgroup bind4/bind6 tests to add coverage for setting and
> retrieving SO_MARK, SO_PRIORITY and SO_BINDTOIFINDEX at the bind hook.
>
> Signed-off-by: Daniel Borkmann <daniel@...earbox.net>
Ack with a minor comments below.
Acked-by: Yonghong Song <yhs@...com>
> ---
> .../testing/selftests/bpf/progs/bind4_prog.c | 41 +++++++++++++++++--
> .../testing/selftests/bpf/progs/bind6_prog.c | 41 +++++++++++++++++--
> 2 files changed, 74 insertions(+), 8 deletions(-)
>
> diff --git a/tools/testing/selftests/bpf/progs/bind4_prog.c b/tools/testing/selftests/bpf/progs/bind4_prog.c
> index c6520f21f5f5..4479ac27b1d3 100644
> --- a/tools/testing/selftests/bpf/progs/bind4_prog.c
> +++ b/tools/testing/selftests/bpf/progs/bind4_prog.c
> @@ -29,18 +29,47 @@ static __inline int bind_to_device(struct bpf_sock_addr *ctx)
> char veth2[IFNAMSIZ] = "test_sock_addr2";
> char missing[IFNAMSIZ] = "nonexistent_dev";
> char del_bind[IFNAMSIZ] = "";
> + int veth1_idx, veth2_idx;
>
> if (bpf_setsockopt(ctx, SOL_SOCKET, SO_BINDTODEVICE,
> - &veth1, sizeof(veth1)))
> + &veth1, sizeof(veth1)))
> + return 1;
> + if (bpf_getsockopt(ctx, SOL_SOCKET, SO_BINDTOIFINDEX,
> + &veth1_idx, sizeof(veth1_idx)) || !veth1_idx)
> return 1;
> if (bpf_setsockopt(ctx, SOL_SOCKET, SO_BINDTODEVICE,
> - &veth2, sizeof(veth2)))
> + &veth2, sizeof(veth2)))
> + return 1;
> + if (bpf_getsockopt(ctx, SOL_SOCKET, SO_BINDTOIFINDEX,
> + &veth2_idx, sizeof(veth2_idx)) || !veth2_idx ||
> + veth1_idx == veth2_idx)
> return 1;
> if (bpf_setsockopt(ctx, SOL_SOCKET, SO_BINDTODEVICE,
> - &missing, sizeof(missing)) != -ENODEV)
> + &missing, sizeof(missing)) != -ENODEV)
> + return 1;
> + if (bpf_setsockopt(ctx, SOL_SOCKET, SO_BINDTOIFINDEX,
> + &veth1_idx, sizeof(veth1_idx)))
> return 1;
> if (bpf_setsockopt(ctx, SOL_SOCKET, SO_BINDTODEVICE,
> - &del_bind, sizeof(del_bind)))
> + &del_bind, sizeof(del_bind)))
> + return 1;
> +
> + return 0;
> +}
> +
> +static __inline int misc_opts(struct bpf_sock_addr *ctx, int opt)
> +{
> + int old, tmp, new = 0xeb9f;
> +
> + if (bpf_getsockopt(ctx, SOL_SOCKET, opt, &old, sizeof(old)) ||
> + old == new)
> + return 1;
Here, we assume old never equals to new. it would be good to add
a comment to explicitly state this is true. Maybe in the future
somebody will try to add more misc_opts which might have conflict
here.
Alternatively, you could pass in "new" values
from user space with global variables for each option,
but that may be an overkill.
> + if (bpf_setsockopt(ctx, SOL_SOCKET, opt, &new, sizeof(new)))
> + return 1;
> + if (bpf_getsockopt(ctx, SOL_SOCKET, opt, &tmp, sizeof(tmp)) ||
> + tmp != new)
> + return 1;
> + if (bpf_setsockopt(ctx, SOL_SOCKET, opt, &old, sizeof(old)))
> return 1;
>
> return 0;
> @@ -93,6 +122,10 @@ int bind_v4_prog(struct bpf_sock_addr *ctx)
> if (bind_to_device(ctx))
> return 0;
>
> + /* Test for misc socket options. */
> + if (misc_opts(ctx, SO_MARK) || misc_opts(ctx, SO_PRIORITY))
> + return 0;
> +
> ctx->user_ip4 = bpf_htonl(SERV4_REWRITE_IP);
> ctx->user_port = bpf_htons(SERV4_REWRITE_PORT);
>
> diff --git a/tools/testing/selftests/bpf/progs/bind6_prog.c b/tools/testing/selftests/bpf/progs/bind6_prog.c
> index 4358e44dcf47..1b4142fcdd4b 100644
> --- a/tools/testing/selftests/bpf/progs/bind6_prog.c
> +++ b/tools/testing/selftests/bpf/progs/bind6_prog.c
> @@ -35,18 +35,47 @@ static __inline int bind_to_device(struct bpf_sock_addr *ctx)
> char veth2[IFNAMSIZ] = "test_sock_addr2";
> char missing[IFNAMSIZ] = "nonexistent_dev";
> char del_bind[IFNAMSIZ] = "";
> + int veth1_idx, veth2_idx;
>
> if (bpf_setsockopt(ctx, SOL_SOCKET, SO_BINDTODEVICE,
> - &veth1, sizeof(veth1)))
> + &veth1, sizeof(veth1)))
> + return 1;
> + if (bpf_getsockopt(ctx, SOL_SOCKET, SO_BINDTOIFINDEX,
> + &veth1_idx, sizeof(veth1_idx)) || !veth1_idx)
> return 1;
> if (bpf_setsockopt(ctx, SOL_SOCKET, SO_BINDTODEVICE,
> - &veth2, sizeof(veth2)))
> + &veth2, sizeof(veth2)))
> + return 1;
> + if (bpf_getsockopt(ctx, SOL_SOCKET, SO_BINDTOIFINDEX,
> + &veth2_idx, sizeof(veth2_idx)) || !veth2_idx ||
> + veth1_idx == veth2_idx)
> return 1;
> if (bpf_setsockopt(ctx, SOL_SOCKET, SO_BINDTODEVICE,
> - &missing, sizeof(missing)) != -ENODEV)
> + &missing, sizeof(missing)) != -ENODEV)
> + return 1;
> + if (bpf_setsockopt(ctx, SOL_SOCKET, SO_BINDTOIFINDEX,
> + &veth1_idx, sizeof(veth1_idx)))
> return 1;
> if (bpf_setsockopt(ctx, SOL_SOCKET, SO_BINDTODEVICE,
> - &del_bind, sizeof(del_bind)))
> + &del_bind, sizeof(del_bind)))
> + return 1;
> +
> + return 0;
> +}
> +
> +static __inline int misc_opts(struct bpf_sock_addr *ctx, int opt)
> +{
> + int old, tmp, new = 0xeb9f;
> +
> + if (bpf_getsockopt(ctx, SOL_SOCKET, opt, &old, sizeof(old)) ||
> + old == new)
> + return 1;
> + if (bpf_setsockopt(ctx, SOL_SOCKET, opt, &new, sizeof(new)))
> + return 1;
> + if (bpf_getsockopt(ctx, SOL_SOCKET, opt, &tmp, sizeof(tmp)) ||
> + tmp != new)
> + return 1;
> + if (bpf_setsockopt(ctx, SOL_SOCKET, opt, &old, sizeof(old)))
> return 1;
>
> return 0;
> @@ -107,6 +136,10 @@ int bind_v6_prog(struct bpf_sock_addr *ctx)
> if (bind_to_device(ctx))
> return 0;
>
> + /* Test for misc socket options. */
> + if (misc_opts(ctx, SO_MARK) || misc_opts(ctx, SO_PRIORITY))
> + return 0;
> +
> ctx->user_ip6[0] = bpf_htonl(SERV6_REWRITE_IP_0);
> ctx->user_ip6[1] = bpf_htonl(SERV6_REWRITE_IP_1);
> ctx->user_ip6[2] = bpf_htonl(SERV6_REWRITE_IP_2);
>
Powered by blists - more mailing lists