@@ -4,6 +4,7 @@
#include <test_progs.h>
#include <bpf/btf.h>
#include "cap_helpers.h"
+#include <linux/filter.h>
static int drop_priv_caps(__u64 *old_caps)
{
@@ -191,6 +192,83 @@ static void subtest_btf_token(void)
ASSERT_OK(restore_priv_caps(old_caps), "restore_caps");
}
+static void subtest_prog_token(void)
+{
+ LIBBPF_OPTS(bpf_token_create_opts, token_opts);
+ LIBBPF_OPTS(bpf_prog_load_opts, prog_opts);
+ int token_fd = 0, prog_fd = 0;
+ __u64 old_caps = 0;
+ struct bpf_insn insns[] = {
+ /* bpf_jiffies64() requires CAP_BPF */
+ BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_jiffies64),
+ /* bpf_get_current_task() requires CAP_PERFMON */
+ BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_get_current_task),
+ /* r0 = 0; exit; */
+ BPF_MOV64_IMM(BPF_REG_0, 0),
+ BPF_EXIT_INSN(),
+ };
+ size_t insn_cnt = ARRAY_SIZE(insns);
+
+ /* check that IGNORE_UNKNOWN_PROG_TYPES flag is respected */
+ token_opts.flags = BPF_F_TOKEN_IGNORE_UNKNOWN_PROG_TYPES;
+ token_opts.allowed_prog_types = ~0ULL; /* any current and future prog type is allowed */
+ token_opts.allowed_attach_types = 0;
+ token_fd = bpf_token_create(&token_opts);
+ if (!ASSERT_GT(token_fd, 0, "token_create_prog_type_future_proof"))
+ return;
+ close(token_fd);
+
+ /* check that IGNORE_UNKNOWN_ATTACH_TYPES flag is respected */
+ token_opts.flags = BPF_F_TOKEN_IGNORE_UNKNOWN_ATTACH_TYPES;
+ token_opts.allowed_prog_types = 0;
+ token_opts.allowed_attach_types = ~0ULL; /* any current and future attach type is allowed */
+ token_fd = bpf_token_create(&token_opts);
+ if (!ASSERT_GT(token_fd, 0, "token_create_prog_type_future_proof"))
+ return;
+ close(token_fd);
+
+ /* create BPF token allowing BPF_PROG_LOAD command */
+ token_opts.flags = 0;
+ token_opts.allowed_cmds = 1ULL << BPF_PROG_LOAD;
+ token_opts.allowed_prog_types = 1ULL << BPF_PROG_TYPE_XDP;
+ token_opts.allowed_attach_types = 1ULL << BPF_XDP;
+ token_fd = bpf_token_create(&token_opts);
+ if (!ASSERT_GT(token_fd, 0, "token_create"))
+ return;
+
+ /* drop privileges to test token_fd passing */
+ if (!ASSERT_OK(drop_priv_caps(&old_caps), "drop_caps"))
+ goto cleanup;
+
+ /* validate we can successfully load BPF program with token; this
+ * being XDP program (CAP_NET_ADMIN) using bpf_jiffies64() (CAP_BPF)
+ * and bpf_get_current_task() (CAP_PERFMON) helpers validates we have
+ * BPF token wired properly in a bunch of places in the kernel
+ */
+ prog_opts.token_fd = token_fd;
+ prog_opts.expected_attach_type = BPF_XDP;
+ prog_fd = bpf_prog_load(BPF_PROG_TYPE_XDP, "token_prog", "GPL",
+ insns, insn_cnt, &prog_opts);
+ if (!ASSERT_GT(prog_fd, 0, "prog_fd"))
+ goto cleanup;
+ close(prog_fd);
+
+ /* now validate that we *cannot* load BPF program without token */
+ prog_opts.token_fd = 0;
+ prog_fd = bpf_prog_load(BPF_PROG_TYPE_XDP, "token_prog", "GPL",
+ insns, insn_cnt, &prog_opts);
+ if (!ASSERT_EQ(prog_fd, -EPERM, "prog_fd_eperm"))
+ goto cleanup;
+
+cleanup:
+ if (prog_fd > 0)
+ close(prog_fd);
+ if (token_fd)
+ close(token_fd);
+ if (old_caps)
+ ASSERT_OK(restore_priv_caps(old_caps), "restore_caps");
+}
+
void test_token(void)
{
if (test__start_subtest("token_create"))
@@ -199,4 +277,6 @@ void test_token(void)
subtest_map_token();
if (test__start_subtest("btf_token"))
subtest_btf_token();
+ if (test__start_subtest("prog_token"))
+ subtest_prog_token();
}
Add a test validating that BPF token can be used to load privileged BPF program using privileged BPF helpers through delegated BPF token created by privileged process. Signed-off-by: Andrii Nakryiko <andrii@kernel.org> --- .../testing/selftests/bpf/prog_tests/token.c | 80 +++++++++++++++++++ 1 file changed, 80 insertions(+)