From patchwork Mon Mar 10 00:13:16 2025
X-Patchwork-Submitter: Mykyta Yatsenko
X-Patchwork-Id: 14009118
X-Patchwork-Delegate: bpf@iogearbox.net
From: Mykyta Yatsenko
To: bpf@vger.kernel.org, ast@kernel.org, andrii@kernel.org, daniel@iogearbox.net, kafai@meta.com, kernel-team@meta.com, eddyz87@gmail.com, olsajiri@gmail.com, yonghong.song@linux.dev
Cc: Mykyta Yatsenko
Subject: [PATCH bpf-next v4 1/4] bpf: BPF token support for BPF_BTF_GET_FD_BY_ID
Date: Mon, 10 Mar 2025 00:13:16 +0000
Message-ID: <20250310001319.41393-2-mykyta.yatsenko5@gmail.com>
In-Reply-To: <20250310001319.41393-1-mykyta.yatsenko5@gmail.com>
References: <20250310001319.41393-1-mykyta.yatsenko5@gmail.com>

From: Mykyta Yatsenko

Currently BPF_BTF_GET_FD_BY_ID requires CAP_SYS_ADMIN, which does not allow running it from user namespace. This creates a problem when freplace program running from user namespace needs to query target program BTF. This patch relaxes capable check from CAP_SYS_ADMIN to CAP_BPF and adds support for BPF token that can be passed in attributes to syscall.

Signed-off-by: Mykyta Yatsenko
Acked-by: Yonghong Song
---
 include/uapi/linux/bpf.h | 1 +
 kernel/bpf/syscall.c | 21 ++++++++++++++++---
 tools/include/uapi/linux/bpf.h | 1 +
 .../bpf/prog_tests/libbpf_get_fd_by_id_opts.c | 3 +--
 4 files changed, 21 insertions(+), 5 deletions(-)
diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h index bb37897c0393..73c23daacabf 100644 --- a/include/uapi/linux/bpf.h +++ b/include/uapi/linux/bpf.h @@ -1652,6 +1652,7 @@ union bpf_attr { }; __u32 next_id; __u32 open_flags; + __s32 token_fd; }; struct { /* anonymous struct used by BPF_OBJ_GET_INFO_BY_FD */ diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c index 57a438706215..eb3a31aefa70 100644 --- a/kernel/bpf/syscall.c +++ b/kernel/bpf/syscall.c @@ -5137,17 +5137,32 @@ static int bpf_btf_load(const union bpf_attr *attr, bpfptr_t uattr, __u32 uattr_ return btf_new_fd(attr, uattr, uattr_size); } -#define BPF_BTF_GET_FD_BY_ID_LAST_FIELD btf_id +#define BPF_BTF_GET_FD_BY_ID_LAST_FIELD token_fd static int bpf_btf_get_fd_by_id(const union bpf_attr *attr) { + struct bpf_token *token = NULL; + if (CHECK_ATTR(BPF_BTF_GET_FD_BY_ID)) return -EINVAL; - if (!capable(CAP_SYS_ADMIN)) - return -EPERM; + if (attr->open_flags & BPF_F_TOKEN_FD) { + token = bpf_token_get_from_fd(attr->token_fd); + if (IS_ERR(token)) + return PTR_ERR(token); + if (!bpf_token_allow_cmd(token, BPF_BTF_GET_FD_BY_ID)) + goto out; + } + + if (!bpf_token_capable(token, CAP_SYS_ADMIN)) + goto out; + + bpf_token_put(token); return btf_get_fd_by_id(attr->btf_id); +out: + bpf_token_put(token); + return -EPERM; } static int bpf_task_fd_query_copy(const union bpf_attr *attr, diff --git a/tools/include/uapi/linux/bpf.h b/tools/include/uapi/linux/bpf.h index bb37897c0393..73c23daacabf 100644 --- a/tools/include/uapi/linux/bpf.h +++ b/tools/include/uapi/linux/bpf.h @@ -1652,6 +1652,7 @@ union bpf_attr { }; __u32 next_id; __u32 open_flags; + __s32 token_fd; }; struct { /* anonymous struct used by BPF_OBJ_GET_INFO_BY_FD */ diff --git a/tools/testing/selftests/bpf/prog_tests/libbpf_get_fd_by_id_opts.c b/tools/testing/selftests/bpf/prog_tests/libbpf_get_fd_by_id_opts.c index a3f238f51d05..976ff38a6d43 100644 --- a/tools/testing/selftests/bpf/prog_tests/libbpf_get_fd_by_id_opts.c 
+++ b/tools/testing/selftests/bpf/prog_tests/libbpf_get_fd_by_id_opts.c 
@@ -75,9 +75,8 @@ void test_libbpf_get_fd_by_id_opts(void) if (!ASSERT_EQ(ret, -EINVAL, "bpf_link_get_fd_by_id_opts")) goto close_prog; - /* BTF get fd with opts set should not work (no kernel support). */ ret = bpf_btf_get_fd_by_id_opts(0, &fd_opts_rdonly); - ASSERT_EQ(ret, -EINVAL, "bpf_btf_get_fd_by_id_opts"); + ASSERT_EQ(ret, -ENOENT, "bpf_btf_get_fd_by_id_opts"); close_prog: if (fd >= 0)

From patchwork Mon Mar 10 00:13:17 2025
X-Patchwork-Submitter: Mykyta Yatsenko
X-Patchwork-Id: 14009119
X-Patchwork-Delegate: bpf@iogearbox.net
From: Mykyta Yatsenko
Subject: [PATCH bpf-next v4 2/4] bpf: return prog btf_id without capable check
Date: Mon, 10 Mar 2025 00:13:17 +0000
Message-ID: <20250310001319.41393-3-mykyta.yatsenko5@gmail.com>
In-Reply-To: <20250310001319.41393-1-mykyta.yatsenko5@gmail.com>

From: Mykyta Yatsenko

Return prog's btf_id from bpf_prog_get_info_by_fd regardless of capable check. This patch enables scenario, when freplace program, running from user namespace, requires to query target prog's btf.

Signed-off-by: Mykyta Yatsenko Acked-by: Yonghong Song --- kernel/bpf/syscall.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c index eb3a31aefa70..9dfe6859eb5c 100644 --- a/kernel/bpf/syscall.c +++ b/kernel/bpf/syscall.c @@ -4749,6 +4749,8 @@ static int bpf_prog_get_info_by_fd(struct file *file, info.recursion_misses = stats.misses; info.verified_insns = prog->aux->verified_insns; + if (prog->aux->btf) + info.btf_id = btf_obj_id(prog->aux->btf); if (!bpf_capable()) { info.jited_prog_len = 0; 
@@ -4895,8 +4897,6 @@ static int bpf_prog_get_info_by_fd(struct file *file, } } - if (prog->aux->btf) - info.btf_id = btf_obj_id(prog->aux->btf); info.attach_btf_id = prog->aux->attach_btf_id; if (attach_btf) info.attach_btf_obj_id = btf_obj_id(attach_btf);

From patchwork Mon Mar 10 00:13:18 2025
X-Patchwork-Submitter: Mykyta Yatsenko
X-Patchwork-Id: 14009120
X-Patchwork-Delegate: bpf@iogearbox.net
From: Mykyta Yatsenko
Subject: [PATCH bpf-next v4 3/4] libbpf: pass BPF token from find_prog_btf_id to BPF_BTF_GET_FD_BY_ID
Date: Mon, 10 Mar 2025 00:13:18 +0000
Message-ID: <20250310001319.41393-4-mykyta.yatsenko5@gmail.com>
In-Reply-To: <20250310001319.41393-1-mykyta.yatsenko5@gmail.com>

From: Mykyta Yatsenko

Pass BPF token from bpf_program__set_attach_target to BPF_BTF_GET_FD_BY_ID bpf command. When freplace program attaches to target program, it needs to look up for BTF of the target, this may require BPF token, if, for example, running from user namespace.

Signed-off-by: Mykyta Yatsenko Acked-by: Yonghong Song --- tools/lib/bpf/bpf.c | 3 ++- tools/lib/bpf/bpf.h | 4 +++- tools/lib/bpf/btf.c | 15 +++++++++++++-- tools/lib/bpf/libbpf.c | 10 +++++----- tools/lib/bpf/libbpf_internal.h | 1 + 5 files changed, 24 insertions(+), 9 deletions(-) diff --git a/tools/lib/bpf/bpf.c b/tools/lib/bpf/bpf.c index 359f73ead613..783274172e56 100644 --- a/tools/lib/bpf/bpf.c +++ b/tools/lib/bpf/bpf.c @@ -1097,7 +1097,7 @@ int bpf_map_get_fd_by_id(__u32 id) int bpf_btf_get_fd_by_id_opts(__u32 id, const struct bpf_get_fd_by_id_opts *opts) { - const size_t attr_sz = offsetofend(union bpf_attr, open_flags); + const size_t attr_sz = offsetofend(union bpf_attr, token_fd); union bpf_attr attr; int fd; @@ -1107,6 +1107,7 @@ int bpf_btf_get_fd_by_id_opts(__u32 id, memset(&attr, 0, attr_sz); attr.btf_id = id; attr.open_flags = OPTS_GET(opts, open_flags, 0); + attr.token_fd = OPTS_GET(opts, token_fd, 0); fd = sys_bpf_fd(BPF_BTF_GET_FD_BY_ID, &attr, attr_sz); return libbpf_err_errno(fd); diff --git a/tools/lib/bpf/bpf.h b/tools/lib/bpf/bpf.h index 435da95d2058..544215d7137c 100644 --- a/tools/lib/bpf/bpf.h +++ b/tools/lib/bpf/bpf.h @@ -487,9 +487,11 @@ LIBBPF_API int bpf_link_get_next_id(__u32 start_id, __u32 *next_id); struct bpf_get_fd_by_id_opts { size_t sz; /* size of this struct for forward/backward compatibility */ __u32 open_flags; /* permissions requested for the operation on fd */ + __u32 token_fd; size_t :0; }; -#define bpf_get_fd_by_id_opts__last_field open_flags + +#define bpf_get_fd_by_id_opts__last_field token_fd LIBBPF_API int bpf_prog_get_fd_by_id(__u32 id); LIBBPF_API int bpf_prog_get_fd_by_id_opts(__u32 id, diff --git a/tools/lib/bpf/btf.c b/tools/lib/bpf/btf.c index eea99c766a20..38bc6b14b066 100644 --- a/tools/lib/bpf/btf.c +++ b/tools/lib/bpf/btf.c 
@@ -1619,12 +1619,18 @@ struct btf *btf_get_from_fd(int btf_fd, struct btf *base_btf) return btf; } -struct btf *btf__load_from_kernel_by_id_split(__u32 id, struct btf *base_btf) +struct btf *btf_load_from_kernel(__u32 id, struct btf *base_btf, int token_fd) { struct btf *btf; int btf_fd; + LIBBPF_OPTS(bpf_get_fd_by_id_opts, opts); + + if (token_fd) { + opts.open_flags |= BPF_F_TOKEN_FD; + opts.token_fd = token_fd; + } - btf_fd = bpf_btf_get_fd_by_id(id); + btf_fd = bpf_btf_get_fd_by_id_opts(id, &opts); if (btf_fd < 0) return libbpf_err_ptr(-errno); @@ -1634,6 +1640,11 @@ struct btf *btf__load_from_kernel_by_id_split(__u32 id, struct btf *base_btf) return libbpf_ptr(btf); } +struct btf *btf__load_from_kernel_by_id_split(__u32 id, struct btf *base_btf) +{ + return btf_load_from_kernel(id, base_btf, 0); +} + struct btf *btf__load_from_kernel_by_id(__u32 id) { return btf__load_from_kernel_by_id_split(id, NULL); diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c index 8e32286854ef..6b85060f07b3 100644 --- a/tools/lib/bpf/libbpf.c +++ b/tools/lib/bpf/libbpf.c @@ -10024,7 +10024,7 @@ int libbpf_find_vmlinux_btf_id(const char *name, return libbpf_err(err); } -static int libbpf_find_prog_btf_id(const char *name, __u32 attach_prog_fd) +static int libbpf_find_prog_btf_id(const char *name, __u32 attach_prog_fd, int token_fd) { struct bpf_prog_info info; __u32 info_len = sizeof(info); @@ -10044,7 +10044,7 @@ static int libbpf_find_prog_btf_id(const char *name, __u32 attach_prog_fd) pr_warn("The target program doesn't have BTF\n"); goto out; } - btf = btf__load_from_kernel_by_id(info.btf_id); + btf = btf_load_from_kernel(info.btf_id, NULL, token_fd); err = libbpf_get_error(btf); if (err) { pr_warn("Failed to get BTF %d of the program: %s\n", info.btf_id, errstr(err)); 
@@ -10127,7 +10127,7 @@ static int libbpf_find_attach_btf_id(struct bpf_program *prog, const char *attac pr_warn("prog '%s': attach program FD is not set\n", prog->name); return -EINVAL; } - err = libbpf_find_prog_btf_id(attach_name, attach_prog_fd); + err = libbpf_find_prog_btf_id(attach_name, attach_prog_fd, prog->obj->token_fd); if (err < 0) { pr_warn("prog '%s': failed to find BPF program (FD %d) BTF ID for '%s': %s\n", prog->name, attach_prog_fd, attach_name, errstr(err)); @@ -12923,7 +12923,7 @@ struct bpf_link *bpf_program__attach_freplace(const struct bpf_program *prog, if (target_fd) { LIBBPF_OPTS(bpf_link_create_opts, target_opts); - btf_id = libbpf_find_prog_btf_id(attach_func_name, target_fd); + btf_id = libbpf_find_prog_btf_id(attach_func_name, target_fd, prog->obj->token_fd); if (btf_id < 0) return libbpf_err_ptr(btf_id); @@ -13744,7 +13744,7 @@ int bpf_program__set_attach_target(struct bpf_program *prog, if (attach_prog_fd) { btf_id = libbpf_find_prog_btf_id(attach_func_name, - attach_prog_fd); + attach_prog_fd, prog->obj->token_fd); if (btf_id < 0) return libbpf_err(btf_id); } else { diff --git a/tools/lib/bpf/libbpf_internal.h b/tools/lib/bpf/libbpf_internal.h index de498e2dd6b0..76669c73dcd1 100644 --- a/tools/lib/bpf/libbpf_internal.h +++ b/tools/lib/bpf/libbpf_internal.h 
@@ -409,6 +409,7 @@ int libbpf__load_raw_btf(const char *raw_types, size_t types_len, int btf_load_into_kernel(struct btf *btf, char *log_buf, size_t log_sz, __u32 log_level, int token_fd); +struct btf *btf_load_from_kernel(__u32 id, struct btf *base_btf, int token_fd); struct btf *btf_get_from_fd(int btf_fd, struct btf *base_btf); void btf_get_kernel_prefix_kind(enum bpf_attach_type attach_type,

From patchwork Mon Mar 10 00:13:19 2025
X-Patchwork-Submitter: Mykyta Yatsenko
X-Patchwork-Id: 14009121
X-Patchwork-Delegate: bpf@iogearbox.net
From: Mykyta Yatsenko
Subject: [PATCH bpf-next v4 4/4] selftests/bpf: test freplace from user namespace
Date: Mon, 10 Mar 2025 00:13:19 +0000
Message-ID: <20250310001319.41393-5-mykyta.yatsenko5@gmail.com>
In-Reply-To: <20250310001319.41393-1-mykyta.yatsenko5@gmail.com>

From: Mykyta Yatsenko Add selftests to verify that it is possible to load freplace program from user namespace if BPF token is initialized by bpf_object__prepare before calling bpf_program__set_attach_target. Negative test is added as well. Modified type of the priv_prog to xdp, as kprobe did not work on aarch64 and s390x. Signed-off-by: Mykyta Yatsenko Acked-by: Yonghong Song --- .../testing/selftests/bpf/prog_tests/token.c | 97 ++++++++++++++++++- .../selftests/bpf/progs/priv_freplace_prog.c | 13 +++ tools/testing/selftests/bpf/progs/priv_prog.c | 6 +- 3 files changed, 112 insertions(+), 4 deletions(-) create mode 100644 tools/testing/selftests/bpf/progs/priv_freplace_prog.c diff --git a/tools/testing/selftests/bpf/prog_tests/token.c b/tools/testing/selftests/bpf/prog_tests/token.c index c3ab9b6fb069..f9392df23f8a 100644 --- a/tools/testing/selftests/bpf/prog_tests/token.c +++ b/tools/testing/selftests/bpf/prog_tests/token.c @@ -19,6 +19,7 @@ #include "priv_prog.skel.h" #include "dummy_st_ops_success.skel.h" #include "token_lsm.skel.h" +#include "priv_freplace_prog.skel.h" static inline int sys_mount(const char *dev_name, const char *dir_name, const char *type, unsigned long flags, 
@@ -788,6 +789,84 @@ static int userns_obj_priv_prog(int mnt_fd, struct token_lsm *lsm_skel) return 0; } +static int userns_obj_priv_freplace_setup(int mnt_fd, struct priv_freplace_prog **fr_skel, + struct priv_prog **skel, int *tgt_fd) +{ + LIBBPF_OPTS(bpf_object_open_opts, opts); + int err; + char buf[256]; + + /* use bpf_token_path to provide BPF FS path */ + snprintf(buf, sizeof(buf), "/proc/self/fd/%d", mnt_fd); + opts.bpf_token_path = buf; + *skel = priv_prog__open_opts(&opts); + if (!ASSERT_OK_PTR(*skel, "priv_prog__open_opts")) + return -EINVAL; + err = priv_prog__load(*skel); + if (!ASSERT_OK(err, "priv_prog__load")) + return -EINVAL; + + *fr_skel = priv_freplace_prog__open_opts(&opts); + if (!ASSERT_OK_PTR(*skel, "priv_freplace_prog__open_opts")) + return -EINVAL; + + *tgt_fd = bpf_program__fd((*skel)->progs.xdp_prog1); + return 0; +} + +/* Verify that freplace works from user namespace, because bpf token is loaded + * in bpf_object__prepare + */ +static int userns_obj_priv_freplace_prog(int mnt_fd, struct token_lsm *lsm_skel) +{ + struct priv_freplace_prog *fr_skel = NULL; + struct priv_prog *skel = NULL; + int err, tgt_fd; + + err = userns_obj_priv_freplace_setup(mnt_fd, &fr_skel, &skel, &tgt_fd); + if (!ASSERT_OK(err, "setup")) + goto out; + + err = bpf_object__prepare(fr_skel->obj); + if (!ASSERT_OK(err, "freplace__prepare")) + goto out; + + err = bpf_program__set_attach_target(fr_skel->progs.new_xdp_prog2, tgt_fd, "xdp_prog1"); + if (!ASSERT_OK(err, "set_attach_target")) + goto out; + + err = priv_freplace_prog__load(fr_skel); + ASSERT_OK(err, "priv_freplace_prog__load"); + +out: + priv_freplace_prog__destroy(fr_skel); + priv_prog__destroy(skel); + return err; +} + +/* Verify that replace fails to set attach target from user namespace without bpf token */ +static int userns_obj_priv_freplace_prog_fail(int mnt_fd, struct token_lsm *lsm_skel) +{ + struct priv_freplace_prog *fr_skel = NULL; + struct priv_prog *skel = NULL; + int err, tgt_fd; + + err = 
userns_obj_priv_freplace_setup(mnt_fd, &fr_skel, &skel, &tgt_fd); + if (!ASSERT_OK(err, "setup")) + goto out; + + err = bpf_program__set_attach_target(fr_skel->progs.new_xdp_prog2, tgt_fd, "xdp_prog1"); + if (ASSERT_ERR(err, "attach fails")) + err = 0; + else + err = -EINVAL; + +out: + priv_freplace_prog__destroy(fr_skel); + priv_prog__destroy(skel); + return err; +} + /* this test is called with BPF FS that doesn't delegate BPF_BTF_LOAD command, * which should cause struct_ops application to fail, as BTF won't be uploaded * into the kernel, even if STRUCT_OPS programs themselves are allowed @@ -1004,12 +1083,28 @@ void test_token(void) if (test__start_subtest("obj_priv_prog")) { struct bpffs_opts opts = { .cmds = bit(BPF_PROG_LOAD), - .progs = bit(BPF_PROG_TYPE_KPROBE), + .progs = bit(BPF_PROG_TYPE_XDP), .attachs = ~0ULL, }; subtest_userns(&opts, userns_obj_priv_prog); } + if (test__start_subtest("obj_priv_freplace_prog")) { + struct bpffs_opts opts = { + .cmds = bit(BPF_BTF_LOAD) | bit(BPF_PROG_LOAD) | bit(BPF_BTF_GET_FD_BY_ID), + .progs = bit(BPF_PROG_TYPE_EXT) | bit(BPF_PROG_TYPE_XDP), + .attachs = ~0ULL, + }; + subtest_userns(&opts, userns_obj_priv_freplace_prog); + } + if (test__start_subtest("obj_priv_freplace_prog_fail")) { + struct bpffs_opts opts = { + .cmds = bit(BPF_BTF_LOAD) | bit(BPF_PROG_LOAD) | bit(BPF_BTF_GET_FD_BY_ID), + .progs = bit(BPF_PROG_TYPE_EXT) | bit(BPF_PROG_TYPE_XDP), + .attachs = ~0ULL, + }; + subtest_userns(&opts, userns_obj_priv_freplace_prog_fail); + } if (test__start_subtest("obj_priv_btf_fail")) { struct bpffs_opts opts = { /* disallow BTF loading */ diff --git a/tools/testing/selftests/bpf/progs/priv_freplace_prog.c b/tools/testing/selftests/bpf/progs/priv_freplace_prog.c new file mode 100644 index 000000000000..ccf1b04010ba --- /dev/null +++ b/tools/testing/selftests/bpf/progs/priv_freplace_prog.c 
@@ -0,0 +1,13 @@ +// SPDX-License-Identifier: GPL-2.0 +/* Copyright (c) 2025 Meta Platforms, Inc. and affiliates. */ + +#include "vmlinux.h" +#include + +char _license[] SEC("license") = "GPL"; + +SEC("freplace/xdp_prog1") +int new_xdp_prog2(struct xdp_md *xd) +{ + return XDP_DROP; +} diff --git a/tools/testing/selftests/bpf/progs/priv_prog.c b/tools/testing/selftests/bpf/progs/priv_prog.c index 3c7b2b618c8a..725e29595079 100644 --- a/tools/testing/selftests/bpf/progs/priv_prog.c +++ b/tools/testing/selftests/bpf/progs/priv_prog.c @@ -6,8 +6,8 @@ char _license[] SEC("license") = "GPL"; -SEC("kprobe") -int kprobe_prog(void *ctx) +SEC("xdp") +int xdp_prog1(struct xdp_md *xdp) { - return 1; + return XDP_DROP; }
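Review bot: In userns_obj_priv_freplace_setup() in prog_tests/token.c, the check after the second open tests the wrong pointer: `*fr_skel = priv_freplace_prog__open_opts(&opts);` is followed by `ASSERT_OK_PTR(*skel, "priv_freplace_prog__open_opts")`, and *skel was already validated a few lines earlier. A failed open of the freplace skeleton therefore goes unnoticed, and both callers go on to dereference fr_skel->obj or fr_skel->progs.new_xdp_prog2 through a NULL pointer. The check should be on *fr_skel. In the same hunk, the comment above userns_obj_priv_freplace_prog_fail() says "replace" where "freplace" is meant, and ASSERT_ERR(err, "attach fails") accepts any negative return, so comparing against the specific expected errno would keep the negative test from passing for an unrelated reason.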
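Review bot: In the test_token() hunk, the obj_priv_freplace_prog and obj_priv_freplace_prog_fail subtests are given identical bpffs_opts, so the negative case has exactly the same delegation as the positive one and differs only in that its callback skips bpf_object__prepare(). The callback's comment describes it as failing "without bpf token", which reads as if nothing were delegated. A short comment at the subtest stating that the delegation is the same and that the token has simply not been created yet when bpf_program__set_attach_target() runs would make the intent clear, and the duplicated initializer could be shared between the two subtests.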
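Review bot: In the new priv_freplace_prog.c, new_xdp_prog2() returns XDP_DROP, the same value this patch gives xdp_prog1() in priv_prog.c, so nothing observable would distinguish the replacement from its target if the test is later extended to run the program. Returning a different action, for example XDP_PASS, would allow that. The name new_xdp_prog2 for a replacement of xdp_prog1, and the argument name xd where the target uses xdp, are also easy to misread.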
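Review bot: In the priv_prog.c hunk, the new name xdp_prog1 is relied on by name elsewhere in this patch: SEC("freplace/xdp_prog1") in priv_freplace_prog.c, the "xdp_prog1" string passed to bpf_program__set_attach_target(), and (*skel)->progs.xdp_prog1 in token.c. A one-line comment above the function saying it is the freplace target for the token tests would keep a later rename from breaking them.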