From patchwork Thu Oct 17 22:49:19 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jordan Rife X-Patchwork-Id: 13840901 X-Patchwork-Delegate: bpf@iogearbox.net Received: from mail-pg1-f201.google.com (mail-pg1-f201.google.com [209.85.215.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 30EA51D6DB5 for ; Thu, 17 Oct 2024 22:50:50 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.215.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1729205452; cv=none; b=t1IdyFkDdL79gCTlsOU/ciTXqyREplRewxLk7EXwvfWDgV4YcbwJs/b01+Rau5dyw1B0g6Bynpj97BRLCfLZIhhE718ylPkeGNkQdHSlWUH/5c6ZkoacCXxDWpZuQ4dBlK4m7mDSE+bW6hVGlPH8sg72hhUDl0/VCFqQh4PzYO8= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1729205452; c=relaxed/simple; bh=92lER4RD1KfMgpHw/bqC0mIN5r7IWn865Oh4xhr5o1M=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=n04lUK+QLArms5uwsw7zzKDuDIsrNhsF7xwXtwH7HGqPc9LWQmJe3gcvlDei5NKzeZKLRkec7MbfJvoqJawdES0Zs6nDYKmdi3+ZxPMsFwRCFW3R8OZIM/ncJf18nXL/b/XEHdsBNU1YCDPhwMC0C2ZE/WDty5JiqA6DODQddm0= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--jrife.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=YQUyKehG; arc=none smtp.client-ip=209.85.215.201 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=flex--jrife.bounces.google.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="YQUyKehG" Received: by mail-pg1-f201.google.com with SMTP id 41be03b00d2f7-7d4f9974c64so1164004a12.1 for ; Thu, 17 Oct 2024 15:50:49 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1729205449; x=1729810249; darn=vger.kernel.org; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:from:to:cc:subject:date:message-id:reply-to; bh=HD233Lgat9+uaGYeJg/soPiG0pkTMlyycgkHDgRnl1g=; b=YQUyKehGPQmC1QnfVlnEFOlnoxCkt12tlh3Ud3fVa5QOMTGm0a3ZsEjHnB5W+U4Fhi Mb/Heqcf8Y7T9XmampSHqReBkbUhXmxkUGC5HKWvcMtL2P+LM0224kkjuTkH1uUe8FRw pXZlD07rIGFe4nLhlHn0eOsDuOmek2C5Ap0t9HzXiliRwZAt4hrv4sMOZHzOjQxWXVuI fMWeREHX7KYpxUf7DhtECwz9y/FBMssEeYDLXWdoK4CrdKW9vQGMpODrIJhjV/bVtiJw J7C0u1CUeKCJZ+RhX1dHSXmwrK0vKl5Oy6B7awsr/hV8n6JoXDZxa9HMmepD59Q1sSUR t+ng== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1729205449; x=1729810249; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=HD233Lgat9+uaGYeJg/soPiG0pkTMlyycgkHDgRnl1g=; b=TLxPHlwNQtisOYH5Dk0PhrvzqN/ieGxGzIcydeCbMOXYsYnuAqwuqHmITPV6Ufg+Nz ALdn19fRWga0f3+S4iQrROoZ4NGmFDtqkJhPQuixCexflnpSYXKfeCiBKD7tynaEZ4oh 4oSXhSVaPjbttaZOOcYKNdR9MK3e/21BPwmuhEIkDEC6jYH1qZyZrEZmKTeTrBx6059q jTOkze04/8zcPpnMHUDBOuuRqwBapiKCSeDZ34AV/6iefSSqcYpd0J6Y8iFunnquC23j MUuysrJf3jV9pY2IzveFFTnzCOYa+9hE+cSHN5m46BhLhgKedtKKNIo6cORo6EyIPYd5 FrAg== X-Gm-Message-State: AOJu0YzEKFc1zw1LxMHg/a5xwUW8tc+ZCqdMjNALIB2q5lMEsYx/fuh/ vtLXJzXwKVoPS069cXKcZ5xzRqLznbbS29YG21TWx1HGnedBC9DI6G5vblMjVHf2NdbNmXgT+Xb fKHNmvnSqqlkRYjcjXpUHxpyQMMyegCaRP9HY2Lb7TjbwqtecLa8A3V1VEutVfwDVXydUgzLEXq zUi6WFWYKT72hSn2qsMOwZoaY= X-Google-Smtp-Source: AGHT+IEch2bGDCqvmLnKWiMJLrUhsRW3+2XiAMqHJd/L/3y0owGocVTDvbossqh4TAm6UrHWATlU7cCs1Q== X-Received: from jrife-kvm.c.googlers.com ([fda3:e722:ac3:cc00:7f:e700:c0a8:63c1]) (user=jrife job=sendgmr) by 2002:a63:d311:0:b0:7ea:6c42:d18b with SMTP id 41be03b00d2f7-7eacc894c58mr126a12.8.1729205448258; Thu, 17 Oct 2024 15:50:48 -0700 (PDT) Date: Thu, 17 Oct 2024 22:49:19 +0000 In-Reply-To: <20241017225031.2448426-1-jrife@google.com> Precedence: bulk X-Mailing-List: bpf@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 References: <20241017225031.2448426-1-jrife@google.com> X-Mailer: git-send-email 2.47.0.rc1.288.g06298d1525-goog Message-ID: <20241017225031.2448426-2-jrife@google.com> Subject: [PATCH bpf-next v1 1/4] selftests/bpf: Migrate *_POST_BIND test cases to prog_tests From: Jordan Rife To: bpf@vger.kernel.org Cc: Jordan Rife , Andrii Nakryiko , Eduard Zingerman , Mykola Lysenko , Alexei Starovoitov , Daniel Borkmann , Martin KaFai Lau , Song Liu , Yonghong Song , "Daniel T. Lee" , John Fastabend , Stanislav Fomichev , linux-kselftest@vger.kernel.org X-Patchwork-Delegate: bpf@iogearbox.net Move all BPF_CGROUP_INET6_POST_BIND and BPF_CGROUP_INET4_POST_BIND test cases to a new prog_test, prog_tests/sock_post_bind.c, except for LOAD_REJECT test cases. Signed-off-by: Jordan Rife --- .../selftests/bpf/prog_tests/sock_post_bind.c | 417 ++++++++++++++++++ tools/testing/selftests/bpf/test_sock.c | 245 ---------- 2 files changed, 417 insertions(+), 245 deletions(-) create mode 100644 tools/testing/selftests/bpf/prog_tests/sock_post_bind.c diff --git a/tools/testing/selftests/bpf/prog_tests/sock_post_bind.c b/tools/testing/selftests/bpf/prog_tests/sock_post_bind.c new file mode 100644 index 000000000000..c46537e3b9d4 --- /dev/null +++ b/tools/testing/selftests/bpf/prog_tests/sock_post_bind.c @@ -0,0 +1,417 @@ +// SPDX-License-Identifier: GPL-2.0 +#include +#include +#include "cgroup_helpers.h" + +static char bpf_log_buf[4096]; +static bool verbose; + +static struct sock_post_bind_test { + const char *descr; + /* BPF prog properties */ + const struct bpf_insn insns[64]; + enum bpf_attach_type attach_type; + enum bpf_attach_type expected_attach_type; + /* Socket properties */ + int domain; + int type; + /* Endpoint to bind() to */ + const char *ip; + unsigned short port; + unsigned short port_retry; + + /* Expected test result */ + enum { + ATTACH_REJECT, + BIND_REJECT, + SUCCESS, + RETRY_SUCCESS, + RETRY_REJECT + } result; +} tests[] = { + { + .descr = "attach type mismatch bind4 vs bind6", + .insns = { + BPF_MOV64_IMM(BPF_REG_0, 1), + BPF_EXIT_INSN(), + }, + .expected_attach_type = BPF_CGROUP_INET4_POST_BIND, + .attach_type = BPF_CGROUP_INET6_POST_BIND, + .result = ATTACH_REJECT, + }, + { + .descr = "attach type mismatch bind6 vs bind4", + .insns = { + BPF_MOV64_IMM(BPF_REG_0, 1), + BPF_EXIT_INSN(), + }, + .expected_attach_type = BPF_CGROUP_INET6_POST_BIND, + .attach_type = BPF_CGROUP_INET4_POST_BIND, + .result = ATTACH_REJECT, + }, + { + .descr = "attach type mismatch default vs bind4", + .insns = { + BPF_MOV64_IMM(BPF_REG_0, 1), + BPF_EXIT_INSN(), + }, + .expected_attach_type = 0, + .attach_type = BPF_CGROUP_INET4_POST_BIND, + .result = ATTACH_REJECT, + }, + { + .descr = "attach type mismatch bind6 vs sock_create", + .insns = { + BPF_MOV64_IMM(BPF_REG_0, 1), + BPF_EXIT_INSN(), + }, + .expected_attach_type = BPF_CGROUP_INET6_POST_BIND, + .attach_type = BPF_CGROUP_INET_SOCK_CREATE, + .result = ATTACH_REJECT, + }, + { + .descr = "bind4 reject all", + .insns = { + BPF_MOV64_IMM(BPF_REG_0, 0), + BPF_EXIT_INSN(), + }, + .expected_attach_type = BPF_CGROUP_INET4_POST_BIND, + .attach_type = BPF_CGROUP_INET4_POST_BIND, + .domain = AF_INET, + .type = SOCK_STREAM, + .ip = "0.0.0.0", + .result = BIND_REJECT, + }, + { + .descr = "bind6 reject all", + .insns = { + BPF_MOV64_IMM(BPF_REG_0, 0), + BPF_EXIT_INSN(), + }, + .expected_attach_type = BPF_CGROUP_INET6_POST_BIND, + .attach_type = BPF_CGROUP_INET6_POST_BIND, + .domain = AF_INET6, + .type = SOCK_STREAM, + .ip = "::", + .result = BIND_REJECT, + }, + { + .descr = "bind6 deny specific IP & port", + .insns = { + BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), + + /* if (ip == expected && port == expected) */ + BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_6, + offsetof(struct bpf_sock, src_ip6[3])), + BPF_JMP_IMM(BPF_JNE, BPF_REG_7, + __bpf_constant_ntohl(0x00000001), 4), + BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_6, + offsetof(struct bpf_sock, src_port)), + BPF_JMP_IMM(BPF_JNE, BPF_REG_7, 0x2001, 2), + + /* return DENY; */ + BPF_MOV64_IMM(BPF_REG_0, 0), + BPF_JMP_A(1), + + /* else return ALLOW; */ + BPF_MOV64_IMM(BPF_REG_0, 1), + BPF_EXIT_INSN(), + }, + .expected_attach_type = BPF_CGROUP_INET6_POST_BIND, + .attach_type = BPF_CGROUP_INET6_POST_BIND, + .domain = AF_INET6, + .type = SOCK_STREAM, + .ip = "::1", + .port = 8193, + .result = BIND_REJECT, + }, + { + .descr = "bind4 allow specific IP & port", + .insns = { + BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), + + /* if (ip == expected && port == expected) */ + BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_6, + offsetof(struct bpf_sock, src_ip4)), + BPF_JMP_IMM(BPF_JNE, BPF_REG_7, + __bpf_constant_ntohl(0x7F000001), 4), + BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_6, + offsetof(struct bpf_sock, src_port)), + BPF_JMP_IMM(BPF_JNE, BPF_REG_7, 0x1002, 2), + + /* return ALLOW; */ + BPF_MOV64_IMM(BPF_REG_0, 1), + BPF_JMP_A(1), + + /* else return DENY; */ + BPF_MOV64_IMM(BPF_REG_0, 0), + BPF_EXIT_INSN(), + }, + .expected_attach_type = BPF_CGROUP_INET4_POST_BIND, + .attach_type = BPF_CGROUP_INET4_POST_BIND, + .domain = AF_INET, + .type = SOCK_STREAM, + .ip = "127.0.0.1", + .port = 4098, + .result = SUCCESS, + }, + { + .descr = "bind4 deny specific IP & port of TCP, and retry", + .insns = { + BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), + + /* if (ip == expected && port == expected) */ + BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_6, + offsetof(struct bpf_sock, src_ip4)), + BPF_JMP_IMM(BPF_JNE, BPF_REG_7, + __bpf_constant_ntohl(0x7F000001), 4), + BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_6, + offsetof(struct bpf_sock, src_port)), + BPF_JMP_IMM(BPF_JNE, BPF_REG_7, 0x1002, 2), + + /* return DENY; */ + BPF_MOV64_IMM(BPF_REG_0, 0), + BPF_JMP_A(1), + + /* else return ALLOW; */ + BPF_MOV64_IMM(BPF_REG_0, 1), + BPF_EXIT_INSN(), + }, + .expected_attach_type = BPF_CGROUP_INET4_POST_BIND, + .attach_type = BPF_CGROUP_INET4_POST_BIND, + .domain = AF_INET, + .type = SOCK_STREAM, + .ip = "127.0.0.1", + .port = 4098, + .port_retry = 5000, + .result = RETRY_SUCCESS, + }, + { + .descr = "bind4 deny specific IP & port of UDP, and retry", + .insns = { + BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), + + /* if (ip == expected && port == expected) */ + BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_6, + offsetof(struct bpf_sock, src_ip4)), + BPF_JMP_IMM(BPF_JNE, BPF_REG_7, + __bpf_constant_ntohl(0x7F000001), 4), + BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_6, + offsetof(struct bpf_sock, src_port)), + BPF_JMP_IMM(BPF_JNE, BPF_REG_7, 0x1002, 2), + + /* return DENY; */ + BPF_MOV64_IMM(BPF_REG_0, 0), + BPF_JMP_A(1), + + /* else return ALLOW; */ + BPF_MOV64_IMM(BPF_REG_0, 1), + BPF_EXIT_INSN(), + }, + .expected_attach_type = BPF_CGROUP_INET4_POST_BIND, + .attach_type = BPF_CGROUP_INET4_POST_BIND, + .domain = AF_INET, + .type = SOCK_DGRAM, + .ip = "127.0.0.1", + .port = 4098, + .port_retry = 5000, + .result = RETRY_SUCCESS, + }, + { + .descr = "bind6 deny specific IP & port, and retry", + .insns = { + BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), + + /* if (ip == expected && port == expected) */ + BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_6, + offsetof(struct bpf_sock, src_ip6[3])), + BPF_JMP_IMM(BPF_JNE, BPF_REG_7, + __bpf_constant_ntohl(0x00000001), 4), + BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_6, + offsetof(struct bpf_sock, src_port)), + BPF_JMP_IMM(BPF_JNE, BPF_REG_7, 0x2001, 2), + + /* return DENY; */ + BPF_MOV64_IMM(BPF_REG_0, 0), + BPF_JMP_A(1), + + /* else return ALLOW; */ + BPF_MOV64_IMM(BPF_REG_0, 1), + BPF_EXIT_INSN(), + }, + .expected_attach_type = BPF_CGROUP_INET6_POST_BIND, + .attach_type = BPF_CGROUP_INET6_POST_BIND, + .domain = AF_INET6, + .type = SOCK_STREAM, + .ip = "::1", + .port = 8193, + .port_retry = 9000, + .result = RETRY_SUCCESS, + }, + { + .descr = "bind4 allow all", + .insns = { + BPF_MOV64_IMM(BPF_REG_0, 1), + BPF_EXIT_INSN(), + }, + .expected_attach_type = BPF_CGROUP_INET4_POST_BIND, + .attach_type = BPF_CGROUP_INET4_POST_BIND, + .domain = AF_INET, + .type = SOCK_STREAM, + .ip = "0.0.0.0", + .result = SUCCESS, + }, + { + .descr = "bind6 allow all", + .insns = { + BPF_MOV64_IMM(BPF_REG_0, 1), + BPF_EXIT_INSN(), + }, + .expected_attach_type = BPF_CGROUP_INET6_POST_BIND, + .attach_type = BPF_CGROUP_INET6_POST_BIND, + .domain = AF_INET6, + .type = SOCK_STREAM, + .ip = "::", + .result = SUCCESS, + }, +}; + +static int load_prog(const struct bpf_insn *insns, + enum bpf_attach_type expected_attach_type) +{ + LIBBPF_OPTS(bpf_prog_load_opts, opts, + .expected_attach_type = expected_attach_type, + .log_level = 2, + .log_buf = bpf_log_buf, + .log_size = sizeof(bpf_log_buf), + ); + int fd, insns_cnt = 0; + + for (; + insns[insns_cnt].code != (BPF_JMP | BPF_EXIT); + insns_cnt++) { + } + insns_cnt++; + + fd = bpf_prog_load(BPF_PROG_TYPE_CGROUP_SOCK, NULL, "GPL", insns, + insns_cnt, &opts); + if (verbose && fd < 0) + fprintf(stderr, "%s\n", bpf_log_buf); + + return fd; +} + +static int bind_sock(int domain, int type, const char *ip, + unsigned short port, unsigned short port_retry) +{ + struct sockaddr_storage addr; + struct sockaddr_in6 *addr6; + struct sockaddr_in *addr4; + int sockfd = -1; + socklen_t len; + int res = SUCCESS; + + sockfd = socket(domain, type, 0); + if (sockfd < 0) + goto err; + + memset(&addr, 0, sizeof(addr)); + + if (domain == AF_INET) { + len = sizeof(struct sockaddr_in); + addr4 = (struct sockaddr_in *)&addr; + addr4->sin_family = domain; + addr4->sin_port = htons(port); + if (inet_pton(domain, ip, (void *)&addr4->sin_addr) != 1) + goto err; + } else if (domain == AF_INET6) { + len = sizeof(struct sockaddr_in6); + addr6 = (struct sockaddr_in6 *)&addr; + addr6->sin6_family = domain; + addr6->sin6_port = htons(port); + if (inet_pton(domain, ip, (void *)&addr6->sin6_addr) != 1) + goto err; + } else { + goto err; + } + + if (bind(sockfd, (const struct sockaddr *)&addr, len) == -1) { + /* sys_bind() may fail for different reasons, errno has to be + * checked to confirm that BPF program rejected it. + */ + if (errno != EPERM) + goto err; + if (port_retry) + goto retry; + res = BIND_REJECT; + goto out; + } + + goto out; +retry: + if (domain == AF_INET) + addr4->sin_port = htons(port_retry); + else + addr6->sin6_port = htons(port_retry); + if (bind(sockfd, (const struct sockaddr *)&addr, len) == -1) { + if (errno != EPERM) + goto err; + res = RETRY_REJECT; + } else { + res = RETRY_SUCCESS; + } + goto out; +err: + res = -1; +out: + close(sockfd); + return res; +} + +static int run_test(int cgroup_fd, struct sock_post_bind_test *test) +{ + int err, prog_fd, res, ret = 0; + + prog_fd = load_prog(test->insns, test->expected_attach_type); + if (prog_fd < 0) + goto err; + + err = bpf_prog_attach(prog_fd, cgroup_fd, test->attach_type, 0); + if (err < 0) { + if (test->result == ATTACH_REJECT) + goto out; + else + goto err; + } + + res = bind_sock(test->domain, test->type, test->ip, test->port, + test->port_retry); + if (res > 0 && test->result == res) + goto out; +err: + ret = -1; +out: + /* Detaching w/o checking return code: best effort attempt. */ + if (prog_fd != -1) + bpf_prog_detach(cgroup_fd, test->attach_type); + close(prog_fd); + return ret; +} + +void test_sock_post_bind(void) +{ + int cgroup_fd, i; + + cgroup_fd = test__join_cgroup("/post_bind"); + if (!ASSERT_GE(cgroup_fd, 0, "join_cgroup")) + return; + + for (i = 0; i < ARRAY_SIZE(tests); i++) { + if (!test__start_subtest(tests[i].descr)) + continue; + + ASSERT_OK(run_test(cgroup_fd, &tests[i]), tests[i].descr); + } + + close(cgroup_fd); +} diff --git a/tools/testing/selftests/bpf/test_sock.c b/tools/testing/selftests/bpf/test_sock.c index 810c3740b2cc..9ed908163d98 100644 --- a/tools/testing/selftests/bpf/test_sock.c +++ b/tools/testing/selftests/bpf/test_sock.c @@ -127,251 +127,6 @@ static struct sock_test tests[] = { .port = 8097, .result = SUCCESS, }, - { - .descr = "attach type mismatch bind4 vs bind6", - .insns = { - BPF_MOV64_IMM(BPF_REG_0, 1), - BPF_EXIT_INSN(), - }, - .expected_attach_type = BPF_CGROUP_INET4_POST_BIND, - .attach_type = BPF_CGROUP_INET6_POST_BIND, - .result = ATTACH_REJECT, - }, - { - .descr = "attach type mismatch bind6 vs bind4", - .insns = { - BPF_MOV64_IMM(BPF_REG_0, 1), - BPF_EXIT_INSN(), - }, - .expected_attach_type = BPF_CGROUP_INET6_POST_BIND, - .attach_type = BPF_CGROUP_INET4_POST_BIND, - .result = ATTACH_REJECT, - }, - { - .descr = "attach type mismatch default vs bind4", - .insns = { - BPF_MOV64_IMM(BPF_REG_0, 1), - BPF_EXIT_INSN(), - }, - .expected_attach_type = 0, - .attach_type = BPF_CGROUP_INET4_POST_BIND, - .result = ATTACH_REJECT, - }, - { - .descr = "attach type mismatch bind6 vs sock_create", - .insns = { - BPF_MOV64_IMM(BPF_REG_0, 1), - BPF_EXIT_INSN(), - }, - .expected_attach_type = BPF_CGROUP_INET6_POST_BIND, - .attach_type = BPF_CGROUP_INET_SOCK_CREATE, - .result = ATTACH_REJECT, - }, - { - .descr = "bind4 reject all", - .insns = { - BPF_MOV64_IMM(BPF_REG_0, 0), - BPF_EXIT_INSN(), - }, - .expected_attach_type = BPF_CGROUP_INET4_POST_BIND, - .attach_type = BPF_CGROUP_INET4_POST_BIND, - .domain = AF_INET, - .type = SOCK_STREAM, - .ip = "0.0.0.0", - .result = BIND_REJECT, - }, - { - .descr = "bind6 reject all", - .insns = { - BPF_MOV64_IMM(BPF_REG_0, 0), - BPF_EXIT_INSN(), - }, - .expected_attach_type = BPF_CGROUP_INET6_POST_BIND, - .attach_type = BPF_CGROUP_INET6_POST_BIND, - .domain = AF_INET6, - .type = SOCK_STREAM, - .ip = "::", - .result = BIND_REJECT, - }, - { - .descr = "bind6 deny specific IP & port", - .insns = { - BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), - - /* if (ip == expected && port == expected) */ - BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_6, - offsetof(struct bpf_sock, src_ip6[3])), - BPF_JMP_IMM(BPF_JNE, BPF_REG_7, - __bpf_constant_ntohl(0x00000001), 4), - BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_6, - offsetof(struct bpf_sock, src_port)), - BPF_JMP_IMM(BPF_JNE, BPF_REG_7, 0x2001, 2), - - /* return DENY; */ - BPF_MOV64_IMM(BPF_REG_0, 0), - BPF_JMP_A(1), - - /* else return ALLOW; */ - BPF_MOV64_IMM(BPF_REG_0, 1), - BPF_EXIT_INSN(), - }, - .expected_attach_type = BPF_CGROUP_INET6_POST_BIND, - .attach_type = BPF_CGROUP_INET6_POST_BIND, - .domain = AF_INET6, - .type = SOCK_STREAM, - .ip = "::1", - .port = 8193, - .result = BIND_REJECT, - }, - { - .descr = "bind4 allow specific IP & port", - .insns = { - BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), - - /* if (ip == expected && port == expected) */ - BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_6, - offsetof(struct bpf_sock, src_ip4)), - BPF_JMP_IMM(BPF_JNE, BPF_REG_7, - __bpf_constant_ntohl(0x7F000001), 4), - BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_6, - offsetof(struct bpf_sock, src_port)), - BPF_JMP_IMM(BPF_JNE, BPF_REG_7, 0x1002, 2), - - /* return ALLOW; */ - BPF_MOV64_IMM(BPF_REG_0, 1), - BPF_JMP_A(1), - - /* else return DENY; */ - BPF_MOV64_IMM(BPF_REG_0, 0), - BPF_EXIT_INSN(), - }, - .expected_attach_type = BPF_CGROUP_INET4_POST_BIND, - .attach_type = BPF_CGROUP_INET4_POST_BIND, - .domain = AF_INET, - .type = SOCK_STREAM, - .ip = "127.0.0.1", - .port = 4098, - .result = SUCCESS, - }, - { - .descr = "bind4 deny specific IP & port of TCP, and retry", - .insns = { - BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), - - /* if (ip == expected && port == expected) */ - BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_6, - offsetof(struct bpf_sock, src_ip4)), - BPF_JMP_IMM(BPF_JNE, BPF_REG_7, - __bpf_constant_ntohl(0x7F000001), 4), - BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_6, - offsetof(struct bpf_sock, src_port)), - BPF_JMP_IMM(BPF_JNE, BPF_REG_7, 0x1002, 2), - - /* return DENY; */ - BPF_MOV64_IMM(BPF_REG_0, 0), - BPF_JMP_A(1), - - /* else return ALLOW; */ - BPF_MOV64_IMM(BPF_REG_0, 1), - BPF_EXIT_INSN(), - }, - .expected_attach_type = BPF_CGROUP_INET4_POST_BIND, - .attach_type = BPF_CGROUP_INET4_POST_BIND, - .domain = AF_INET, - .type = SOCK_STREAM, - .ip = "127.0.0.1", - .port = 4098, - .port_retry = 5000, - .result = RETRY_SUCCESS, - }, - { - .descr = "bind4 deny specific IP & port of UDP, and retry", - .insns = { - BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), - - /* if (ip == expected && port == expected) */ - BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_6, - offsetof(struct bpf_sock, src_ip4)), - BPF_JMP_IMM(BPF_JNE, BPF_REG_7, - __bpf_constant_ntohl(0x7F000001), 4), - BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_6, - offsetof(struct bpf_sock, src_port)), - BPF_JMP_IMM(BPF_JNE, BPF_REG_7, 0x1002, 2), - - /* return DENY; */ - BPF_MOV64_IMM(BPF_REG_0, 0), - BPF_JMP_A(1), - - /* else return ALLOW; */ - BPF_MOV64_IMM(BPF_REG_0, 1), - BPF_EXIT_INSN(), - }, - .expected_attach_type = BPF_CGROUP_INET4_POST_BIND, - .attach_type = BPF_CGROUP_INET4_POST_BIND, - .domain = AF_INET, - .type = SOCK_DGRAM, - .ip = "127.0.0.1", - .port = 4098, - .port_retry = 5000, - .result = RETRY_SUCCESS, - }, - { - .descr = "bind6 deny specific IP & port, and retry", - .insns = { - BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), - - /* if (ip == expected && port == expected) */ - BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_6, - offsetof(struct bpf_sock, src_ip6[3])), - BPF_JMP_IMM(BPF_JNE, BPF_REG_7, - __bpf_constant_ntohl(0x00000001), 4), - BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_6, - offsetof(struct bpf_sock, src_port)), - BPF_JMP_IMM(BPF_JNE, BPF_REG_7, 0x2001, 2), - - /* return DENY; */ - BPF_MOV64_IMM(BPF_REG_0, 0), - BPF_JMP_A(1), - - /* else return ALLOW; */ - BPF_MOV64_IMM(BPF_REG_0, 1), - BPF_EXIT_INSN(), - }, - .expected_attach_type = BPF_CGROUP_INET6_POST_BIND, - .attach_type = BPF_CGROUP_INET6_POST_BIND, - .domain = AF_INET6, - .type = SOCK_STREAM, - .ip = "::1", - .port = 8193, - .port_retry = 9000, - .result = RETRY_SUCCESS, - }, - { - .descr = "bind4 allow all", - .insns = { - BPF_MOV64_IMM(BPF_REG_0, 1), - BPF_EXIT_INSN(), - }, - .expected_attach_type = BPF_CGROUP_INET4_POST_BIND, - .attach_type = BPF_CGROUP_INET4_POST_BIND, - .domain = AF_INET, - .type = SOCK_STREAM, - .ip = "0.0.0.0", - .result = SUCCESS, - }, - { - .descr = "bind6 allow all", - .insns = { - BPF_MOV64_IMM(BPF_REG_0, 1), - BPF_EXIT_INSN(), - }, - .expected_attach_type = BPF_CGROUP_INET6_POST_BIND, - .attach_type = BPF_CGROUP_INET6_POST_BIND, - .domain = AF_INET6, - .type = SOCK_STREAM, - .ip = "::", - .result = SUCCESS, - }, }; static size_t probe_prog_length(const struct bpf_insn *fp) From patchwork Thu Oct 17 22:49:20 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jordan Rife X-Patchwork-Id: 13840902 X-Patchwork-Delegate: bpf@iogearbox.net Received: from mail-pf1-f202.google.com (mail-pf1-f202.google.com [209.85.210.202]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 7CC111D7E54 for ; Thu, 17 Oct 2024 22:50:51 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.210.202 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1729205452; cv=none; b=r6lP8Orlb7+30txDLfyd1GtaBnce0cT+AZqQRAcnyFHDhfJAGmiOneAxHk55JuS3X7inWkS1NZ+QwlpZf6VfTXs+HSIDL+LssAVmLxGNuw+6qmYiWbS8QNysDQwYC/dYdlZoo0DBWnVZtadwPJemtVPa6JAlfyupy1Jbm+Qrl8I= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1729205452; c=relaxed/simple; bh=zNtTQAOcD3V7MZIfh1VZleyN9yYCuQCnRGc4gKhaM6A=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=mVrlpGgbEMFOC0EYh3UXYyfKC5SkLDQM+5f1i5WSHzm8FnE+LzewRhIQL1rs9RFRRX21djWD31TArAgpa+0SXWuSVfNi9r1/BMXF1GDvv+y3D8EohRisAwUqYQcdudA2NFlA7JKn1N2tde/f61Rkzy/fGSiiQzva6D/TNyQh6JE= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--jrife.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=yc9v3RtZ; arc=none smtp.client-ip=209.85.210.202 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=flex--jrife.bounces.google.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="yc9v3RtZ" Received: by mail-pf1-f202.google.com with SMTP id d2e1a72fcca58-71e467c39a4so1586805b3a.3 for ; Thu, 17 Oct 2024 15:50:51 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1729205451; x=1729810251; darn=vger.kernel.org; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:from:to:cc:subject:date:message-id:reply-to; bh=TVVEjCnGSeHGjB5BCp65K1C6/nSGfUiVK4HRp7lOBZo=; b=yc9v3RtZgv9oLuUPeuSH87f2FfGNh1+/V2Qr9WnBrKh10Y+M5Kdjr6T5Fm86bY3cw8 mQKrwMBOpN6CHpuLQJ6M+q3Gq5HOIAz8nnZmbXsRhbyNAEbrZaA3MU/hLLOGMto4Hewx Gjrp2KDN6O8LE0B/DfRs1Y/x4kVLdVZb3Ts3XddqpZGMyUhC2s5MvS+QU/rAwtSZHSGH JKRt/Az9BoXV04iNHg5OmVzP0KPcL2IDY17C+E8fLLBd/fca8fCZ6oF5LlHMjA6WumAW nAM3xUbtGZawdPG6uVfkhDzWZbST3ERs1vP5YCM1xdg7PmNJ3TmBCiHXGz+ag7HRrrlU fNUA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1729205451; x=1729810251; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=TVVEjCnGSeHGjB5BCp65K1C6/nSGfUiVK4HRp7lOBZo=; b=rcRYTcECDaxiUF0iVk315ICwM6nq+k7+fuswp3x5v2ICO7/pPM9TLws4uXnPmEKoCe Qx0IX3Mb8ydBNOa4Wofqg5BqPJLTNIFA9bsVoNq3hvbccMd/ozC7fafcAOCvNDitFzdR vyPq2f09WEQP5hy7ys/pyTpM3it8lwzdvDpSRUn5MGTgastcDLZukwwqARFuPgtLwby2 oKyQAfHeETNpgqn8y5LeGqctxsvrFrIXziQU92T0E6wGH6XbBpYn+bsXccEdDNaNvF7u /6frDivklBCnU0SzudplAPLROXsVJxTWFU3qGi2oitQSTdMpDl4TfJIqjoQW8441lUwv mOfw== X-Gm-Message-State: AOJu0Yy09PvBi+IqH/q0iJcSOt5zoH2ObareN3KNserfUcGMNQW/h8TZ ohrozQzONXrWsobQcylUwXvuc4yiQfsRK/ErR2iWP/TEJI62ABvK/S/hsAJDr53W/t6ZU+FR4pY thK10adN96K7PuHD+zc12vdMIJTOEBjakeDEB8mQQnx4RUWi8nSLTxJVs0V88/R3Wrz0XwuKyHv zeVtEOZDEkZiEDwWKRfctBrcU= X-Google-Smtp-Source: AGHT+IHqPG81x2uHUSiDaoedIKmJnC0t2Mz+tYnbTiSVCL4TsthYAtX1ADHfR/OO7/kFtNY9WFiS/mKc0w== X-Received: from jrife-kvm.c.googlers.com ([fda3:e722:ac3:cc00:7f:e700:c0a8:63c1]) (user=jrife job=sendgmr) by 2002:a05:6a00:3e15:b0:71e:6122:d9c with SMTP id d2e1a72fcca58-71ea323e075mr674b3a.4.1729205450485; Thu, 17 Oct 2024 15:50:50 -0700 (PDT) Date: Thu, 17 Oct 2024 22:49:20 +0000 In-Reply-To: <20241017225031.2448426-1-jrife@google.com> Precedence: bulk X-Mailing-List: bpf@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 References: <20241017225031.2448426-1-jrife@google.com> X-Mailer: git-send-email 2.47.0.rc1.288.g06298d1525-goog Message-ID: <20241017225031.2448426-3-jrife@google.com> Subject: [PATCH bpf-next v1 2/4] selftests/bpf: Migrate LOAD_REJECT test cases to prog_tests From: Jordan Rife To: bpf@vger.kernel.org Cc: Jordan Rife , Andrii Nakryiko , Eduard Zingerman , Mykola Lysenko , Alexei Starovoitov , Daniel Borkmann , Martin KaFai Lau , Song Liu , Yonghong Song , "Daniel T. Lee" , John Fastabend , Stanislav Fomichev , linux-kselftest@vger.kernel.org X-Patchwork-Delegate: bpf@iogearbox.net Move LOAD_REJECT test cases from test_sock.c to an equivalent set of verifier tests in progs/verifier_sock.c. Signed-off-by: Jordan Rife --- .../selftests/bpf/progs/verifier_sock.c | 60 +++++++++++++++++++ tools/testing/selftests/bpf/test_sock.c | 52 ---------------- 2 files changed, 60 insertions(+), 52 deletions(-) diff --git a/tools/testing/selftests/bpf/progs/verifier_sock.c b/tools/testing/selftests/bpf/progs/verifier_sock.c index ee76b51005ab..d3e70e38e442 100644 --- a/tools/testing/selftests/bpf/progs/verifier_sock.c +++ b/tools/testing/selftests/bpf/progs/verifier_sock.c @@ -977,4 +977,64 @@ l1_%=: r0 = *(u8*)(r7 + 0); \ : __clobber_all); } +SEC("cgroup/post_bind4") +__description("sk->src_ip6[0] [load 1st byte]") +__failure __msg("invalid bpf_context access off=28 size=2") +__naked void post_bind4_read_src_ip6(void) +{ + asm volatile (" \ + r6 = r1; \ + r7 = *(u16*)(r6 + %[bpf_sock_src_ip6_0]); \ + r0 = 1; \ + exit; \ +" : + : __imm_const(bpf_sock_src_ip6_0, offsetof(struct bpf_sock, src_ip6[0])) + : __clobber_all); +} + +SEC("cgroup/post_bind4") +__description("sk->mark [load mark]") +__failure __msg("invalid bpf_context access off=16 size=2") +__naked void post_bind4_read_mark(void) +{ + asm volatile (" \ + r6 = r1; \ + r7 = *(u16*)(r6 + %[bpf_sock_mark]); \ + r0 = 1; \ + exit; \ +" : + : __imm_const(bpf_sock_mark, offsetof(struct bpf_sock, mark)) + : __clobber_all); +} + +SEC("cgroup/post_bind6") +__description("sk->src_ip4 [load src_ip4]") +__failure __msg("invalid bpf_context access off=24 size=2") +__naked void post_bind6_read_src_ip4(void) +{ + asm volatile (" \ + r6 = r1; \ + r7 = *(u16*)(r6 + %[bpf_sock_src_ip4]); \ + r0 = 1; \ + exit; \ +" : + : __imm_const(bpf_sock_src_ip4, offsetof(struct bpf_sock, src_ip4)) + : __clobber_all); +} + +SEC("cgroup/sock_create") +__description("sk->src_port [word load]") +__failure __msg("invalid bpf_context access off=44 size=2") +__naked void sock_create_read_src_port(void) +{ + asm volatile (" \ + r6 = r1; \ + r7 = *(u16*)(r6 + %[bpf_sock_src_port]); \ + r0 = 1; \ + exit; \ +" : + : __imm_const(bpf_sock_src_port, offsetof(struct bpf_sock, src_port)) + : __clobber_all); +} + char _license[] SEC("license") = "GPL"; diff --git a/tools/testing/selftests/bpf/test_sock.c b/tools/testing/selftests/bpf/test_sock.c index 9ed908163d98..26dff88abbaa 100644 --- a/tools/testing/selftests/bpf/test_sock.c +++ b/tools/testing/selftests/bpf/test_sock.c @@ -47,58 +47,6 @@ struct sock_test { }; static struct sock_test tests[] = { - { - .descr = "bind4 load with invalid access: src_ip6", - .insns = { - BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), - BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_6, - offsetof(struct bpf_sock, src_ip6[0])), - BPF_MOV64_IMM(BPF_REG_0, 1), - BPF_EXIT_INSN(), - }, - .expected_attach_type = BPF_CGROUP_INET4_POST_BIND, - .attach_type = BPF_CGROUP_INET4_POST_BIND, - .result = LOAD_REJECT, - }, - { - .descr = "bind4 load with invalid access: mark", - .insns = { - BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), - BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_6, - offsetof(struct bpf_sock, mark)), - BPF_MOV64_IMM(BPF_REG_0, 1), - BPF_EXIT_INSN(), - }, - .expected_attach_type = BPF_CGROUP_INET4_POST_BIND, - .attach_type = BPF_CGROUP_INET4_POST_BIND, - .result = LOAD_REJECT, - }, - { - .descr = "bind6 load with invalid access: src_ip4", - .insns = { - BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), - BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_6, - offsetof(struct bpf_sock, src_ip4)), - BPF_MOV64_IMM(BPF_REG_0, 1), - BPF_EXIT_INSN(), - }, - .expected_attach_type = BPF_CGROUP_INET6_POST_BIND, - .attach_type = BPF_CGROUP_INET6_POST_BIND, - .result = LOAD_REJECT, - }, - { - .descr = "sock_create load with invalid access: src_port", - .insns = { - BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), - BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_6, - offsetof(struct bpf_sock, src_port)), - BPF_MOV64_IMM(BPF_REG_0, 1), - BPF_EXIT_INSN(), - }, - .expected_attach_type = BPF_CGROUP_INET_SOCK_CREATE, - .attach_type = BPF_CGROUP_INET_SOCK_CREATE, - .result = LOAD_REJECT, - }, { .descr = "sock_create load w/o expected_attach_type (compat mode)", .insns = { From patchwork Thu Oct 17 22:49:21 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jordan Rife X-Patchwork-Id: 13840903 X-Patchwork-Delegate: bpf@iogearbox.net Received: from mail-pg1-f201.google.com (mail-pg1-f201.google.com [209.85.215.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 00DB91D934D for ; Thu, 17 Oct 2024 22:50:53 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.215.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1729205455; cv=none; b=p2mI517W7NC0H/w0UApe8RKzVRBd/71G1zUTbjJjDw6guM76FmSu4S4ZtbVqf5RpGgcqmueV2twIFbClXHy+hW3yIMjbEteL8BhKVVDPkQ8Lg6pRM9LfwEM/16sJQ4cDq5zd+D6wA9gBfOiHDBkc3M9orz9mttMmVohzShV8nLY= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1729205455; c=relaxed/simple; bh=OAfb9anE8210FYwBEiWKF9dWOFe/8c3Rp5+zThDaAEY=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=OKd+0PomSKUMB7lZPAuZBdnZ7xMuQrEs2fG3deIpGn183jn7HzyiVgpnq0fpryEAm4LbJ7y655hQ2jjlu07AYzDnh4CRX2V33elmsIEyc/JmBfH//U86Y1RmLB9BAAW0aPNQ3AqMZn9b+OayTNnq+xayg26vdAc+4+R+zUFD58w= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--jrife.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=Ug8twrOo; arc=none smtp.client-ip=209.85.215.201 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=flex--jrife.bounces.google.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="Ug8twrOo" Received: by mail-pg1-f201.google.com with SMTP id 41be03b00d2f7-7db8197d431so1761397a12.0 for ; Thu, 17 Oct 2024 15:50:53 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1729205453; x=1729810253; darn=vger.kernel.org; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:from:to:cc:subject:date:message-id:reply-to; bh=cpV9vj1wEc7ES1irbyMGy3x7XyZP4rCXDLt1nZkWgOw=; b=Ug8twrOo8hUUeFQrBpiNnO/myUTKr+e3Ge7f3CatAuGCUKbpk3WxyAdYXktKL3UXeb mJ29n7a0/uE6umptdyXOPE1Ub2WKhDArAdqb0xTLIAhmtU16qlarAUbmJ/EMCJGavg7W PSaiDwDjmsmwElz74/IJHbbCDjqoKnVOXWY4Rbveqdfm5GtPSqJ3n32boMxUjf0EoP1/ u0dmOrOD8BwQ89SrK3gO2Z5JbJ4Le+RtSDyBRy3LIs1XvCv8Q93WpS2Zxez05fA4WDtw NuCgbYjFIunalD72GAHi7u27m8FZOoIVB0E6w01cIUI2J1+FwI7X9yAGbCAoWIOKokjE utww== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1729205453; x=1729810253; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=cpV9vj1wEc7ES1irbyMGy3x7XyZP4rCXDLt1nZkWgOw=; b=n90lc2i/9xgsQXNl7A+Axtul4FNXhuXkPVGAac8RvtLlXvX3NUxNqaDeNz2yrAyLaa cc8z+5kP7fA7qgjgd83nlenyGGLTwtjPyRd/2xsRdRuLXP10VMEDqu1g3ghY8lul9aMc Tmg06EkGEPJjcmd1xpqLPTF9j4zcVM/l9CSt3nbjv0EORn1QNPxWPSAIvPRNVcmxj8NY yUsD5qyWzHXzOe0FlaCjE2ogD8njvWIkoZAYc7Uh76r2pAm1mO58nNVGh/y1gdky4Dwe zkmsEKK0nP/rhSpah7qEnB7hGCIc549dmPlmbmSzBk/oxwmhLF7u6h5UnoUbG6t01aKk 0Cuw== X-Gm-Message-State: AOJu0Yw75ZJgfG7zQTQJfPbEZtJWEhYeC6/87DX6d2AdRj9wzigpXQ3l lco0J9FbgpVhNO0tufm+od4wg/8j1lWtIlI9IaM6YclU1QDXs2lPz+Y7wAy8yO0fjdesuN51ZBV NN6GIE+uLH2ZQG6t3YLKtN5gnzsNMk+5H7a5oEsxhukN46A2ze1TuJCArLFkV1+LlK2ZDnwZ3Hr ZssQdEWCXbo5MHhcCzhq0RxRU= X-Google-Smtp-Source: AGHT+IE7XDoWkOp0WIbTWUuiS5u5byNPF8by+mu47+ha2YVZCO/96GGrlgTXq8SY3tz9F74VDfHYmJYvnw== X-Received: from jrife-kvm.c.googlers.com ([fda3:e722:ac3:cc00:7f:e700:c0a8:63c1]) (user=jrife job=sendgmr) by 2002:a63:230b:0:b0:7ea:694b:db02 with SMTP id 41be03b00d2f7-7eacc6f0a4emr231a12.4.1729205452871; Thu, 17 Oct 2024 15:50:52 -0700 (PDT) Date: Thu, 17 Oct 2024 22:49:21 +0000 In-Reply-To: <20241017225031.2448426-1-jrife@google.com> Precedence: bulk X-Mailing-List: bpf@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 References: <20241017225031.2448426-1-jrife@google.com> X-Mailer: git-send-email 2.47.0.rc1.288.g06298d1525-goog Message-ID: <20241017225031.2448426-4-jrife@google.com> Subject: [PATCH bpf-next v1 3/4] selftests/bpf: Migrate BPF_CGROUP_INET_SOCK_CREATE test cases to prog_tests From: Jordan Rife To: bpf@vger.kernel.org Cc: Jordan Rife , Andrii Nakryiko , Eduard Zingerman , Mykola Lysenko , Alexei Starovoitov , Daniel Borkmann , Martin KaFai Lau , Song Liu , Yonghong Song , "Daniel T. Lee" , John Fastabend , Stanislav Fomichev , linux-kselftest@vger.kernel.org X-Patchwork-Delegate: bpf@iogearbox.net Move the "load w/o expected_attach_type" test case to prog_tests/sock_create.c and drop the remaining test case, as it is made redundant with the existing coverage inside prog_tests/sock_create.c. Signed-off-by: Jordan Rife --- .../selftests/bpf/prog_tests/sock_create.c | 35 +++++++++++++------ tools/testing/selftests/bpf/test_sock.c | 28 --------------- 2 files changed, 25 insertions(+), 38 deletions(-) diff --git a/tools/testing/selftests/bpf/prog_tests/sock_create.c b/tools/testing/selftests/bpf/prog_tests/sock_create.c index 17a3713621dd..187ffc5e60c4 100644 --- a/tools/testing/selftests/bpf/prog_tests/sock_create.c +++ b/tools/testing/selftests/bpf/prog_tests/sock_create.c @@ -237,6 +237,19 @@ static struct sock_create_test { .error = DENY_CREATE, }, + { + .descr = "load w/o expected_attach_type (compat mode)", + .insns = { + /* return 1 */ + BPF_MOV64_IMM(BPF_REG_0, 1), + BPF_EXIT_INSN(), + }, + .expected_attach_type = 0, + .attach_type = BPF_CGROUP_INET_SOCK_CREATE, + + .domain = AF_INET, + .type = SOCK_STREAM, + }, }; static int load_prog(const struct bpf_insn *insns, @@ -291,16 +304,18 @@ static int run_test(int cgroup_fd, struct sock_create_test *test) goto detach_prog; } - err = getsockopt(sock_fd, SOL_SOCKET, test->optname, &optval, &optlen); - if (err) { - log_err("Failed to call getsockopt"); - goto cleanup; - } - - if (optval != test->optval) { - errno = 0; - log_err("getsockopt returned unexpected optval"); - goto cleanup; + if (test->optname) { + err = getsockopt(sock_fd, SOL_SOCKET, test->optname, &optval, &optlen); + if (err) { + log_err("Failed to call getsockopt"); + goto cleanup; + } + + if (optval != test->optval) { + errno = 0; + log_err("getsockopt returned unexpected optval"); + goto cleanup; + } } ret = test->error != OK; diff --git a/tools/testing/selftests/bpf/test_sock.c b/tools/testing/selftests/bpf/test_sock.c index 26dff88abbaa..f97850f1d84a 100644 --- a/tools/testing/selftests/bpf/test_sock.c +++ b/tools/testing/selftests/bpf/test_sock.c @@ -47,34 +47,6 @@ struct sock_test { }; static struct sock_test tests[] = { - { - .descr = "sock_create load w/o expected_attach_type (compat mode)", - .insns = { - BPF_MOV64_IMM(BPF_REG_0, 1), - BPF_EXIT_INSN(), - }, - .expected_attach_type = 0, - .attach_type = BPF_CGROUP_INET_SOCK_CREATE, - .domain = AF_INET, - .type = SOCK_STREAM, - .ip = "127.0.0.1", - .port = 8097, - .result = SUCCESS, - }, - { - .descr = "sock_create load w/ expected_attach_type", - .insns = { - BPF_MOV64_IMM(BPF_REG_0, 1), - BPF_EXIT_INSN(), - }, - .expected_attach_type = BPF_CGROUP_INET_SOCK_CREATE, - .attach_type = BPF_CGROUP_INET_SOCK_CREATE, - .domain = AF_INET, - .type = SOCK_STREAM, - .ip = "127.0.0.1", - .port = 8097, - .result = SUCCESS, - }, }; static size_t probe_prog_length(const struct bpf_insn *fp) From patchwork Thu Oct 17 22:49:22 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jordan Rife X-Patchwork-Id: 13840904 X-Patchwork-Delegate: bpf@iogearbox.net Received: from mail-pl1-f201.google.com (mail-pl1-f201.google.com [209.85.214.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 1810F1D86CD for ; Thu, 17 Oct 2024 22:50:57 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.214.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1729205459; cv=none; b=RUv6USS+XR2mGB3R0Sbx11vDHoCcz5YsjCtJaXMaKYijgsnkRcfYjeM6Kl2rW49vdXSR+Eb3Kk0tOcm2fVGeX/yjUdeg2pf3Bg2A/AQcFS44cG2TEKDvfsu4J3jPb28tACWN8Xuem2vbudv4mS3SH4CKFCPgjN2AK+VZO1r98SA= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1729205459; c=relaxed/simple; bh=aVNtV8GwMuZVkiYFkKbuTMqRFI5Mfyx2KtMQzSy7Vf4=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=lzoo42qT8EekFAkUhPVslt5QgPhGROK+1CMv8inkHvbZ8vWFw4HNnbA/yw24sMtR5AuVv0bQTnsCTRNx3bKm+THZAj+Fzl7dEBKORDN7dGCSBucqhU8YBbKX+/wL0F6rm+HADNDd1PyNQaDo27fH1+yTRmyBa4r9ESoRV0WGThE= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--jrife.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=g1fm2o0G; arc=none smtp.client-ip=209.85.214.201 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=flex--jrife.bounces.google.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="g1fm2o0G" Received: by mail-pl1-f201.google.com with SMTP id d9443c01a7336-20c45296b3fso17598305ad.0 for ; Thu, 17 Oct 2024 15:50:57 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1729205457; x=1729810257; darn=vger.kernel.org; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:from:to:cc:subject:date:message-id:reply-to; bh=Dhk9joV6R0TOMDNjxCxV/zzdAgOxK1FiltkWvC0V3YQ=; b=g1fm2o0GlL8631X/3k3vCdlUqRiMNu9ORGkfHtP4/+dOnlUcWhd60roSxhbpKn4y/X d+h/8DoT+3W8vEijRefxV0MHnegVBQE9p05Q7Ousj744pK6W49e/WCc+YMpCQpfbReCK sa7jNfQHCFzVYek8N8cw6f+llaCVf8IP1v7Mnb0rLkTuwujl24Vo32VedxqN+cCP3vQu 0PwCwnJqjx913V14bTcQZeEH0pQBqDLe8d/8CAWNDoAnFIw6r/wLay+QyywbtxDLQgpA bT/EBlnpIo7v55N+uzRwgSFD7nL9ymB6NmOgqxaviDr+Cl5eOXCvnestbABDoEv2eKFm pVPQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1729205457; x=1729810257; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=Dhk9joV6R0TOMDNjxCxV/zzdAgOxK1FiltkWvC0V3YQ=; b=oJkxZoXi7O3dFOm8wQtXJKzTm2nYJ2E5vHA4Sf8vsz102jjTNNJ1WZykpAk4cZ5Kbm CgmxLrJIC7mk0T3gOdRakcc9Lmf38drnVlqoQQ9Eh60St1C8ZytksKQIQb5rAwxkbvyu n8ndGh1RFdFZDB22ThZC1wRwdqg4hU5rvNKt8dc8L0dZbAyHfkIcbAsUtlfzdNnsmveV 2hK4V3t/AE6bNFR1lmAwnRwu7FEFo9HcnYWPmzbhpon9kUNNUP7FCdMwAOjbahjLhrQR SvXLYg21rhEkH10ZgThwFNRgPdTRvDCStFKxyY1/qKyOsXBx5PEWeCv3DZ5Lf20qezwd uzSA== X-Gm-Message-State: AOJu0YzMpBoVVM4juo0jziMQ80W6iGDIkesjbOJUy4xW0DqjDoPEBSQB Xd71b/cPoKYUgnocrMgQunFRDQFHxNk+luvX+AuA8Y8CNY5tpNS51z5LYjbdFRwqiYfiH1gdRaO 8NYRYXf58vPEyvxxi4BPozniE/EBd/O6KvmggWma4W904Dm49SH++r7zZRmsG7odZWUPYfwiYb5 Rp9fvjUpZrxYGAmuY5I+OuKjg= X-Google-Smtp-Source: AGHT+IGgnwit9Rz9y7vLHfdk5WPlkaCRGUhWlhTHm1GJeu0LC3tuksbzm3j9SlTttSgmQ4In3cKremL9lw== X-Received: from jrife-kvm.c.googlers.com ([fda3:e722:ac3:cc00:7f:e700:c0a8:63c1]) (user=jrife job=sendgmr) by 2002:a17:902:ecc1:b0:20c:5d7c:6332 with SMTP id d9443c01a7336-20e59aa0f00mr12035ad.0.1729205455979; Thu, 17 Oct 2024 15:50:55 -0700 (PDT) Date: Thu, 17 Oct 2024 22:49:22 +0000 In-Reply-To: <20241017225031.2448426-1-jrife@google.com> Precedence: bulk X-Mailing-List: bpf@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 References: <20241017225031.2448426-1-jrife@google.com> X-Mailer: git-send-email 2.47.0.rc1.288.g06298d1525-goog Message-ID: <20241017225031.2448426-5-jrife@google.com> Subject: [PATCH bpf-next v1 4/4] selftests/bpf: Retire test_sock.c From: Jordan Rife To: bpf@vger.kernel.org Cc: Jordan Rife , Andrii Nakryiko , Eduard Zingerman , Mykola Lysenko , Alexei Starovoitov , Daniel Borkmann , Martin KaFai Lau , Song Liu , Yonghong Song , "Daniel T. Lee" , John Fastabend , Stanislav Fomichev , linux-kselftest@vger.kernel.org X-Patchwork-Delegate: bpf@iogearbox.net Completely remove test_sock.c and associated config. Signed-off-by: Jordan Rife --- tools/testing/selftests/bpf/.gitignore | 1 - tools/testing/selftests/bpf/Makefile | 3 +- tools/testing/selftests/bpf/test_sock.c | 231 ------------------------ 3 files changed, 1 insertion(+), 234 deletions(-) delete mode 100644 tools/testing/selftests/bpf/test_sock.c diff --git a/tools/testing/selftests/bpf/.gitignore b/tools/testing/selftests/bpf/.gitignore index e6533b3400de..d45c9a9b304d 100644 --- a/tools/testing/selftests/bpf/.gitignore +++ b/tools/testing/selftests/bpf/.gitignore @@ -16,7 +16,6 @@ fixdep /test_progs-cpuv4 test_verifier_log feature -test_sock urandom_read test_sockmap test_lirc_mode2_user diff --git a/tools/testing/selftests/bpf/Makefile b/tools/testing/selftests/bpf/Makefile index 28a76baa854d..c4fc9a3291a8 100644 --- a/tools/testing/selftests/bpf/Makefile +++ b/tools/testing/selftests/bpf/Makefile @@ -84,7 +84,7 @@ endif # Order correspond to 'make run_tests' order TEST_GEN_PROGS = test_verifier test_tag test_maps test_lru_map test_lpm_map test_progs \ - test_sock test_sockmap \ + test_sockmap \ test_tcpnotify_user test_sysctl \ test_progs-no_alu32 TEST_INST_SUBDIRS := no_alu32 @@ -335,7 +335,6 @@ JSON_WRITER := $(OUTPUT)/json_writer.o CAP_HELPERS := $(OUTPUT)/cap_helpers.o NETWORK_HELPERS := $(OUTPUT)/network_helpers.o -$(OUTPUT)/test_sock: $(CGROUP_HELPERS) $(TESTING_HELPERS) $(OUTPUT)/test_sockmap: $(CGROUP_HELPERS) $(TESTING_HELPERS) $(OUTPUT)/test_tcpnotify_user: $(CGROUP_HELPERS) $(TESTING_HELPERS) $(TRACE_HELPERS) $(OUTPUT)/test_sock_fields: $(CGROUP_HELPERS) $(TESTING_HELPERS) diff --git a/tools/testing/selftests/bpf/test_sock.c b/tools/testing/selftests/bpf/test_sock.c deleted file mode 100644 index f97850f1d84a..000000000000 --- a/tools/testing/selftests/bpf/test_sock.c +++ /dev/null @@ -1,231 +0,0 @@ -// SPDX-License-Identifier: GPL-2.0 -// Copyright (c) 2018 Facebook - -#include -#include - -#include -#include -#include - -#include - -#include - -#include "cgroup_helpers.h" -#include -#include "bpf_util.h" - -#define CG_PATH "/foo" -#define MAX_INSNS 512 - -char bpf_log_buf[BPF_LOG_BUF_SIZE]; -static bool verbose = false; - -struct sock_test { - const char *descr; - /* BPF prog properties */ - struct bpf_insn insns[MAX_INSNS]; - enum bpf_attach_type expected_attach_type; - enum bpf_attach_type attach_type; - /* Socket properties */ - int domain; - int type; - /* Endpoint to bind() to */ - const char *ip; - unsigned short port; - unsigned short port_retry; - /* Expected test result */ - enum { - LOAD_REJECT, - ATTACH_REJECT, - BIND_REJECT, - SUCCESS, - RETRY_SUCCESS, - RETRY_REJECT - } result; -}; - -static struct sock_test tests[] = { -}; - -static size_t probe_prog_length(const struct bpf_insn *fp) -{ - size_t len; - - for (len = MAX_INSNS - 1; len > 0; --len) - if (fp[len].code != 0 || fp[len].imm != 0) - break; - return len + 1; -} - -static int load_sock_prog(const struct bpf_insn *prog, - enum bpf_attach_type attach_type) -{ - LIBBPF_OPTS(bpf_prog_load_opts, opts); - int ret, insn_cnt; - - insn_cnt = probe_prog_length(prog); - - opts.expected_attach_type = attach_type; - opts.log_buf = bpf_log_buf; - opts.log_size = BPF_LOG_BUF_SIZE; - opts.log_level = 2; - - ret = bpf_prog_load(BPF_PROG_TYPE_CGROUP_SOCK, NULL, "GPL", prog, insn_cnt, &opts); - if (verbose && ret < 0) - fprintf(stderr, "%s\n", bpf_log_buf); - - return ret; -} - -static int attach_sock_prog(int cgfd, int progfd, - enum bpf_attach_type attach_type) -{ - return bpf_prog_attach(progfd, cgfd, attach_type, BPF_F_ALLOW_OVERRIDE); -} - -static int bind_sock(int domain, int type, const char *ip, - unsigned short port, unsigned short port_retry) -{ - struct sockaddr_storage addr; - struct sockaddr_in6 *addr6; - struct sockaddr_in *addr4; - int sockfd = -1; - socklen_t len; - int res = SUCCESS; - - sockfd = socket(domain, type, 0); - if (sockfd < 0) - goto err; - - memset(&addr, 0, sizeof(addr)); - - if (domain == AF_INET) { - len = sizeof(struct sockaddr_in); - addr4 = (struct sockaddr_in *)&addr; - addr4->sin_family = domain; - addr4->sin_port = htons(port); - if (inet_pton(domain, ip, (void *)&addr4->sin_addr) != 1) - goto err; - } else if (domain == AF_INET6) { - len = sizeof(struct sockaddr_in6); - addr6 = (struct sockaddr_in6 *)&addr; - addr6->sin6_family = domain; - addr6->sin6_port = htons(port); - if (inet_pton(domain, ip, (void *)&addr6->sin6_addr) != 1) - goto err; - } else { - goto err; - } - - if (bind(sockfd, (const struct sockaddr *)&addr, len) == -1) { - /* sys_bind() may fail for different reasons, errno has to be - * checked to confirm that BPF program rejected it. - */ - if (errno != EPERM) - goto err; - if (port_retry) - goto retry; - res = BIND_REJECT; - goto out; - } - - goto out; -retry: - if (domain == AF_INET) - addr4->sin_port = htons(port_retry); - else - addr6->sin6_port = htons(port_retry); - if (bind(sockfd, (const struct sockaddr *)&addr, len) == -1) { - if (errno != EPERM) - goto err; - res = RETRY_REJECT; - } else { - res = RETRY_SUCCESS; - } - goto out; -err: - res = -1; -out: - close(sockfd); - return res; -} - -static int run_test_case(int cgfd, const struct sock_test *test) -{ - int progfd = -1; - int err = 0; - int res; - - printf("Test case: %s .. ", test->descr); - progfd = load_sock_prog(test->insns, test->expected_attach_type); - if (progfd < 0) { - if (test->result == LOAD_REJECT) - goto out; - else - goto err; - } - - if (attach_sock_prog(cgfd, progfd, test->attach_type) < 0) { - if (test->result == ATTACH_REJECT) - goto out; - else - goto err; - } - - res = bind_sock(test->domain, test->type, test->ip, test->port, - test->port_retry); - if (res > 0 && test->result == res) - goto out; - -err: - err = -1; -out: - /* Detaching w/o checking return code: best effort attempt. */ - if (progfd != -1) - bpf_prog_detach(cgfd, test->attach_type); - close(progfd); - printf("[%s]\n", err ? "FAIL" : "PASS"); - return err; -} - -static int run_tests(int cgfd) -{ - int passes = 0; - int fails = 0; - int i; - - for (i = 0; i < ARRAY_SIZE(tests); ++i) { - if (run_test_case(cgfd, &tests[i])) - ++fails; - else - ++passes; - } - printf("Summary: %d PASSED, %d FAILED\n", passes, fails); - return fails ? -1 : 0; -} - -int main(int argc, char **argv) -{ - int cgfd = -1; - int err = 0; - - cgfd = cgroup_setup_and_join(CG_PATH); - if (cgfd < 0) - goto err; - - /* Use libbpf 1.0 API mode */ - libbpf_set_strict_mode(LIBBPF_STRICT_ALL); - - if (run_tests(cgfd)) - goto err; - - goto out; -err: - err = -1; -out: - close(cgfd); - cleanup_cgroup_environment(); - return err; -}