From patchwork Mon Mar 17 17:40:36 2025
X-Patchwork-Submitter: Mykyta Yatsenko
X-Patchwork-Id: 14019783
X-Patchwork-Delegate: bpf@iogearbox.net
From: Mykyta Yatsenko
To: bpf@vger.kernel.org, ast@kernel.org, andrii@kernel.org, daniel@iogearbox.net, kafai@meta.com, kernel-team@meta.com, eddyz87@gmail.com, olsajiri@gmail.com, yonghong.song@linux.dev
Cc: Mykyta Yatsenko
Subject: [PATCH bpf-next v6 1/4] bpf: BPF token support for BPF_BTF_GET_FD_BY_ID
Date: Mon, 17 Mar 2025 17:40:36 +0000
Message-ID: <20250317174039.161275-2-mykyta.yatsenko5@gmail.com>
X-Mailer: git-send-email 2.48.1
In-Reply-To: <20250317174039.161275-1-mykyta.yatsenko5@gmail.com>
References: <20250317174039.161275-1-mykyta.yatsenko5@gmail.com>
X-Mailing-List: bpf@vger.kernel.org

From: Mykyta Yatsenko

Currently BPF_BTF_GET_FD_BY_ID requires CAP_SYS_ADMIN, which does not allow running it from user namespace. This creates a problem when freplace program running from user namespace needs to query target program BTF. This patch relaxes capable check from CAP_SYS_ADMIN to CAP_BPF and adds support for BPF token that can be passed in attributes to syscall.

Signed-off-by: Mykyta Yatsenko
--- include/uapi/linux/bpf.h | 1 + kernel/bpf/syscall.c | 23 +++++++++++++++++++++-- tools/include/uapi/linux/bpf.h | 1 + 3 files changed, 23 insertions(+), 2 deletions(-) diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h index bb37897c0393..661de2444965 100644 --- a/include/uapi/linux/bpf.h +++ b/include/uapi/linux/bpf.h
@@ -1652,6 +1652,7 @@ union bpf_attr { }; __u32 next_id; __u32 open_flags; + __s32 fd_by_id_token_fd; }; struct { /* anonymous struct used by BPF_OBJ_GET_INFO_BY_FD */ diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c index 6a8f20ee2851..419f82c78203 100644 --- a/kernel/bpf/syscall.c +++ b/kernel/bpf/syscall.c @@ -5120,15 +5120,34 @@ static int bpf_btf_load(const union bpf_attr *attr, bpfptr_t uattr, __u32 uattr_ return btf_new_fd(attr, uattr, uattr_size); } -#define BPF_BTF_GET_FD_BY_ID_LAST_FIELD btf_id +#define BPF_BTF_GET_FD_BY_ID_LAST_FIELD fd_by_id_token_fd static int bpf_btf_get_fd_by_id(const union bpf_attr *attr) { + struct bpf_token *token = NULL; + if (CHECK_ATTR(BPF_BTF_GET_FD_BY_ID)) return -EINVAL; - if (!capable(CAP_SYS_ADMIN)) + if (attr->open_flags & ~BPF_F_TOKEN_FD) + return -EINVAL; + + if (attr->open_flags & BPF_F_TOKEN_FD) { + token = bpf_token_get_from_fd(attr->fd_by_id_token_fd); + if (IS_ERR(token)) + return PTR_ERR(token); + if (!bpf_token_allow_cmd(token, BPF_BTF_GET_FD_BY_ID)) { + bpf_token_put(token); + token = NULL; + } + } + + if (!bpf_token_capable(token, CAP_SYS_ADMIN)) { + bpf_token_put(token); return -EPERM; + } + + bpf_token_put(token); return btf_get_fd_by_id(attr->btf_id); } diff --git a/tools/include/uapi/linux/bpf.h b/tools/include/uapi/linux/bpf.h index bb37897c0393..661de2444965 100644 --- a/tools/include/uapi/linux/bpf.h +++ b/tools/include/uapi/linux/bpf.h 
@@ -1652,6 +1652,7 @@ union bpf_attr { }; __u32 next_id; __u32 open_flags; + __s32 fd_by_id_token_fd; }; struct { /* anonymous struct used by BPF_OBJ_GET_INFO_BY_FD */

From patchwork Mon Mar 17 17:40:37 2025
X-Patchwork-Submitter: Mykyta Yatsenko
X-Patchwork-Id: 14019784
X-Patchwork-Delegate: bpf@iogearbox.net
From: Mykyta Yatsenko
To: bpf@vger.kernel.org, ast@kernel.org, andrii@kernel.org, daniel@iogearbox.net, kafai@meta.com, kernel-team@meta.com, eddyz87@gmail.com, olsajiri@gmail.com, yonghong.song@linux.dev
Cc: Mykyta Yatsenko
Subject: [PATCH bpf-next v6 2/4] bpf: return prog btf_id without capable check
Date: Mon, 17 Mar 2025 17:40:37 +0000
Message-ID: <20250317174039.161275-3-mykyta.yatsenko5@gmail.com>
X-Mailer: git-send-email 2.48.1
In-Reply-To: <20250317174039.161275-1-mykyta.yatsenko5@gmail.com>
References: <20250317174039.161275-1-mykyta.yatsenko5@gmail.com>
X-Mailing-List: bpf@vger.kernel.org

From: Mykyta Yatsenko

Return prog's btf_id from bpf_prog_get_info_by_fd regardless of capable check. This patch enables scenario, when freplace program, running from user namespace, requires to query target prog's btf.

Signed-off-by: Mykyta Yatsenko
Acked-by: Yonghong Song
--- kernel/bpf/syscall.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c index 419f82c78203..380b445a304c 100644 --- a/kernel/bpf/syscall.c +++ b/kernel/bpf/syscall.c
@@ -4732,6 +4732,8 @@ static int bpf_prog_get_info_by_fd(struct file *file, info.recursion_misses = stats.misses; info.verified_insns = prog->aux->verified_insns; + if (prog->aux->btf) + info.btf_id = btf_obj_id(prog->aux->btf); if (!bpf_capable()) { info.jited_prog_len = 0; 
@@ -4878,8 +4880,6 @@ static int bpf_prog_get_info_by_fd(struct file *file, } } - if (prog->aux->btf) - info.btf_id = btf_obj_id(prog->aux->btf); info.attach_btf_id = prog->aux->attach_btf_id; if (attach_btf) info.attach_btf_obj_id = btf_obj_id(attach_btf);

From patchwork Mon Mar 17 17:40:38 2025
X-Patchwork-Submitter: Mykyta Yatsenko
X-Patchwork-Id: 14019785
X-Patchwork-Delegate: bpf@iogearbox.net
From: Mykyta Yatsenko
To: bpf@vger.kernel.org, ast@kernel.org, andrii@kernel.org, daniel@iogearbox.net, kafai@meta.com, kernel-team@meta.com, eddyz87@gmail.com, olsajiri@gmail.com, yonghong.song@linux.dev
Cc: Mykyta Yatsenko
Subject: [PATCH bpf-next v6 3/4] libbpf: pass BPF token from find_prog_btf_id to BPF_BTF_GET_FD_BY_ID
Date: Mon, 17 Mar 2025 17:40:38 +0000
Message-ID: <20250317174039.161275-4-mykyta.yatsenko5@gmail.com>
X-Mailer: git-send-email 2.48.1
In-Reply-To: <20250317174039.161275-1-mykyta.yatsenko5@gmail.com>
References: <20250317174039.161275-1-mykyta.yatsenko5@gmail.com>
X-Mailing-List: bpf@vger.kernel.org

From: Mykyta Yatsenko

Pass BPF token from bpf_program__set_attach_target to BPF_BTF_GET_FD_BY_ID bpf command. When freplace program attaches to target program, it needs to look up for BTF of the target, this may require BPF token, if, for example, running from user namespace.
Signed-off-by: Mykyta Yatsenko Acked-by: Yonghong Song --- tools/lib/bpf/bpf.c | 3 ++- tools/lib/bpf/bpf.h | 3 ++- tools/lib/bpf/btf.c | 15 +++++++++++++-- tools/lib/bpf/libbpf.c | 10 +++++----- tools/lib/bpf/libbpf_internal.h | 1 + 5 files changed, 23 insertions(+), 9 deletions(-) diff --git a/tools/lib/bpf/bpf.c b/tools/lib/bpf/bpf.c index 359f73ead613..a9c3e33d0f8a 100644 --- a/tools/lib/bpf/bpf.c +++ b/tools/lib/bpf/bpf.c @@ -1097,7 +1097,7 @@ int bpf_map_get_fd_by_id(__u32 id) int bpf_btf_get_fd_by_id_opts(__u32 id, const struct bpf_get_fd_by_id_opts *opts) { - const size_t attr_sz = offsetofend(union bpf_attr, open_flags); + const size_t attr_sz = offsetofend(union bpf_attr, fd_by_id_token_fd); union bpf_attr attr; int fd; @@ -1107,6 +1107,7 @@ int bpf_btf_get_fd_by_id_opts(__u32 id, memset(&attr, 0, attr_sz); attr.btf_id = id; attr.open_flags = OPTS_GET(opts, open_flags, 0); + attr.fd_by_id_token_fd = OPTS_GET(opts, token_fd, 0); fd = sys_bpf_fd(BPF_BTF_GET_FD_BY_ID, &attr, attr_sz); return libbpf_err_errno(fd); diff --git a/tools/lib/bpf/bpf.h b/tools/lib/bpf/bpf.h index 435da95d2058..777627d33d25 100644 --- a/tools/lib/bpf/bpf.h +++ b/tools/lib/bpf/bpf.h @@ -487,9 +487,10 @@ LIBBPF_API int bpf_link_get_next_id(__u32 start_id, __u32 *next_id); struct bpf_get_fd_by_id_opts { size_t sz; /* size of this struct for forward/backward compatibility */ __u32 open_flags; /* permissions requested for the operation on fd */ + __u32 token_fd; size_t :0; }; -#define bpf_get_fd_by_id_opts__last_field open_flags +#define bpf_get_fd_by_id_opts__last_field token_fd LIBBPF_API int bpf_prog_get_fd_by_id(__u32 id); LIBBPF_API int bpf_prog_get_fd_by_id_opts(__u32 id, diff --git a/tools/lib/bpf/btf.c b/tools/lib/bpf/btf.c index eea99c766a20..38bc6b14b066 100644 --- a/tools/lib/bpf/btf.c +++ b/tools/lib/bpf/btf.c 
@@ -1619,12 +1619,18 @@ struct btf *btf_get_from_fd(int btf_fd, struct btf *base_btf) return btf; } -struct btf *btf__load_from_kernel_by_id_split(__u32 id, struct btf *base_btf) +struct btf *btf_load_from_kernel(__u32 id, struct btf *base_btf, int token_fd) { struct btf *btf; int btf_fd; + LIBBPF_OPTS(bpf_get_fd_by_id_opts, opts); + + if (token_fd) { + opts.open_flags |= BPF_F_TOKEN_FD; + opts.token_fd = token_fd; + } - btf_fd = bpf_btf_get_fd_by_id(id); + btf_fd = bpf_btf_get_fd_by_id_opts(id, &opts); if (btf_fd < 0) return libbpf_err_ptr(-errno); @@ -1634,6 +1640,11 @@ struct btf *btf__load_from_kernel_by_id_split(__u32 id, struct btf *base_btf) return libbpf_ptr(btf); } +struct btf *btf__load_from_kernel_by_id_split(__u32 id, struct btf *base_btf) +{ + return btf_load_from_kernel(id, base_btf, 0); +} + struct btf *btf__load_from_kernel_by_id(__u32 id) { return btf__load_from_kernel_by_id_split(id, NULL); diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c index 8e32286854ef..6b85060f07b3 100644 --- a/tools/lib/bpf/libbpf.c +++ b/tools/lib/bpf/libbpf.c @@ -10024,7 +10024,7 @@ int libbpf_find_vmlinux_btf_id(const char *name, return libbpf_err(err); } -static int libbpf_find_prog_btf_id(const char *name, __u32 attach_prog_fd) +static int libbpf_find_prog_btf_id(const char *name, __u32 attach_prog_fd, int token_fd) { struct bpf_prog_info info; __u32 info_len = sizeof(info); @@ -10044,7 +10044,7 @@ static int libbpf_find_prog_btf_id(const char *name, __u32 attach_prog_fd) pr_warn("The target program doesn't have BTF\n"); goto out; } - btf = btf__load_from_kernel_by_id(info.btf_id); + btf = btf_load_from_kernel(info.btf_id, NULL, token_fd); err = libbpf_get_error(btf); if (err) { pr_warn("Failed to get BTF %d of the program: %s\n", info.btf_id, errstr(err)); 
@@ -10127,7 +10127,7 @@ static int libbpf_find_attach_btf_id(struct bpf_program *prog, const char *attac pr_warn("prog '%s': attach program FD is not set\n", prog->name); return -EINVAL; } - err = libbpf_find_prog_btf_id(attach_name, attach_prog_fd); + err = libbpf_find_prog_btf_id(attach_name, attach_prog_fd, prog->obj->token_fd); if (err < 0) { pr_warn("prog '%s': failed to find BPF program (FD %d) BTF ID for '%s': %s\n", prog->name, attach_prog_fd, attach_name, errstr(err)); @@ -12923,7 +12923,7 @@ struct bpf_link *bpf_program__attach_freplace(const struct bpf_program *prog, if (target_fd) { LIBBPF_OPTS(bpf_link_create_opts, target_opts); - btf_id = libbpf_find_prog_btf_id(attach_func_name, target_fd); + btf_id = libbpf_find_prog_btf_id(attach_func_name, target_fd, prog->obj->token_fd); if (btf_id < 0) return libbpf_err_ptr(btf_id); @@ -13744,7 +13744,7 @@ int bpf_program__set_attach_target(struct bpf_program *prog, if (attach_prog_fd) { btf_id = libbpf_find_prog_btf_id(attach_func_name, - attach_prog_fd); + attach_prog_fd, prog->obj->token_fd); if (btf_id < 0) return libbpf_err(btf_id); } else { diff --git a/tools/lib/bpf/libbpf_internal.h b/tools/lib/bpf/libbpf_internal.h index de498e2dd6b0..76669c73dcd1 100644 --- a/tools/lib/bpf/libbpf_internal.h +++ b/tools/lib/bpf/libbpf_internal.h 
@@ -409,6 +409,7 @@ int libbpf__load_raw_btf(const char *raw_types, size_t types_len, int btf_load_into_kernel(struct btf *btf, char *log_buf, size_t log_sz, __u32 log_level, int token_fd); +struct btf *btf_load_from_kernel(__u32 id, struct btf *base_btf, int token_fd); struct btf *btf_get_from_fd(int btf_fd, struct btf *base_btf); void btf_get_kernel_prefix_kind(enum bpf_attach_type attach_type,

From patchwork Mon Mar 17 17:40:39 2025
X-Patchwork-Submitter: Mykyta Yatsenko
X-Patchwork-Id: 14019786
X-Patchwork-Delegate: bpf@iogearbox.net
From: Mykyta Yatsenko
To: bpf@vger.kernel.org, ast@kernel.org, andrii@kernel.org, daniel@iogearbox.net, kafai@meta.com, kernel-team@meta.com, eddyz87@gmail.com, olsajiri@gmail.com, yonghong.song@linux.dev
Cc: Mykyta Yatsenko
Subject: [PATCH bpf-next v6 4/4] selftests/bpf: test freplace from user namespace
Date: Mon, 17 Mar 2025 17:40:39 +0000
Message-ID: <20250317174039.161275-5-mykyta.yatsenko5@gmail.com>
X-Mailer: git-send-email 2.48.1
In-Reply-To: <20250317174039.161275-1-mykyta.yatsenko5@gmail.com>
References: <20250317174039.161275-1-mykyta.yatsenko5@gmail.com>
X-Mailing-List: bpf@vger.kernel.org

From: Mykyta Yatsenko

Add selftests to verify that it is possible to load freplace program from user namespace if BPF token is initialized by bpf_object__prepare before calling bpf_program__set_attach_target. Negative test is added as well. Modified type of the priv_prog to xdp, as kprobe did not work on aarch64 and s390x.
Signed-off-by: Mykyta Yatsenko Acked-by: Yonghong Song --- .../testing/selftests/bpf/prog_tests/token.c | 97 ++++++++++++++++++- .../selftests/bpf/progs/priv_freplace_prog.c | 13 +++ tools/testing/selftests/bpf/progs/priv_prog.c | 6 +- 3 files changed, 112 insertions(+), 4 deletions(-) create mode 100644 tools/testing/selftests/bpf/progs/priv_freplace_prog.c diff --git a/tools/testing/selftests/bpf/prog_tests/token.c b/tools/testing/selftests/bpf/prog_tests/token.c index c3ab9b6fb069..f9392df23f8a 100644 --- a/tools/testing/selftests/bpf/prog_tests/token.c +++ b/tools/testing/selftests/bpf/prog_tests/token.c @@ -19,6 +19,7 @@ #include "priv_prog.skel.h" #include "dummy_st_ops_success.skel.h" #include "token_lsm.skel.h" +#include "priv_freplace_prog.skel.h" static inline int sys_mount(const char *dev_name, const char *dir_name, const char *type, unsigned long flags, 
@@ -788,6 +789,84 @@ static int userns_obj_priv_prog(int mnt_fd, struct token_lsm *lsm_skel) return 0; } +static int userns_obj_priv_freplace_setup(int mnt_fd, struct priv_freplace_prog **fr_skel, + struct priv_prog **skel, int *tgt_fd) +{ + LIBBPF_OPTS(bpf_object_open_opts, opts); + int err; + char buf[256]; + + /* use bpf_token_path to provide BPF FS path */ + snprintf(buf, sizeof(buf), "/proc/self/fd/%d", mnt_fd); + opts.bpf_token_path = buf; + *skel = priv_prog__open_opts(&opts); + if (!ASSERT_OK_PTR(*skel, "priv_prog__open_opts")) + return -EINVAL; + err = priv_prog__load(*skel); + if (!ASSERT_OK(err, "priv_prog__load")) + return -EINVAL; + + *fr_skel = priv_freplace_prog__open_opts(&opts); + if (!ASSERT_OK_PTR(*skel, "priv_freplace_prog__open_opts")) + return -EINVAL; + + *tgt_fd = bpf_program__fd((*skel)->progs.xdp_prog1); + return 0; +} + +/* Verify that freplace works from user namespace, because bpf token is loaded + * in bpf_object__prepare + */ +static int userns_obj_priv_freplace_prog(int mnt_fd, struct token_lsm *lsm_skel) +{ + struct priv_freplace_prog *fr_skel = NULL; + struct priv_prog *skel = NULL; + int err, tgt_fd; + + err = userns_obj_priv_freplace_setup(mnt_fd, &fr_skel, &skel, &tgt_fd); + if (!ASSERT_OK(err, "setup")) + goto out; + + err = bpf_object__prepare(fr_skel->obj); + if (!ASSERT_OK(err, "freplace__prepare")) + goto out; + + err = bpf_program__set_attach_target(fr_skel->progs.new_xdp_prog2, tgt_fd, "xdp_prog1"); + if (!ASSERT_OK(err, "set_attach_target")) + goto out; + + err = priv_freplace_prog__load(fr_skel); + ASSERT_OK(err, "priv_freplace_prog__load"); + +out: + priv_freplace_prog__destroy(fr_skel); + priv_prog__destroy(skel); + return err; +} + +/* Verify that replace fails to set attach target from user namespace without bpf token */ +static int userns_obj_priv_freplace_prog_fail(int mnt_fd, struct token_lsm *lsm_skel) +{ + struct priv_freplace_prog *fr_skel = NULL; + struct priv_prog *skel = NULL; + int err, tgt_fd; + + err = 
userns_obj_priv_freplace_setup(mnt_fd, &fr_skel, &skel, &tgt_fd); + if (!ASSERT_OK(err, "setup")) + goto out; + + err = bpf_program__set_attach_target(fr_skel->progs.new_xdp_prog2, tgt_fd, "xdp_prog1"); + if (ASSERT_ERR(err, "attach fails")) + err = 0; + else + err = -EINVAL; + +out: + priv_freplace_prog__destroy(fr_skel); + priv_prog__destroy(skel); + return err; +} + /* this test is called with BPF FS that doesn't delegate BPF_BTF_LOAD command, * which should cause struct_ops application to fail, as BTF won't be uploaded * into the kernel, even if STRUCT_OPS programs themselves are allowed @@ -1004,12 +1083,28 @@ void test_token(void) if (test__start_subtest("obj_priv_prog")) { struct bpffs_opts opts = { .cmds = bit(BPF_PROG_LOAD), - .progs = bit(BPF_PROG_TYPE_KPROBE), + .progs = bit(BPF_PROG_TYPE_XDP), .attachs = ~0ULL, }; subtest_userns(&opts, userns_obj_priv_prog); } + if (test__start_subtest("obj_priv_freplace_prog")) { + struct bpffs_opts opts = { + .cmds = bit(BPF_BTF_LOAD) | bit(BPF_PROG_LOAD) | bit(BPF_BTF_GET_FD_BY_ID), + .progs = bit(BPF_PROG_TYPE_EXT) | bit(BPF_PROG_TYPE_XDP), + .attachs = ~0ULL, + }; + subtest_userns(&opts, userns_obj_priv_freplace_prog); + } + if (test__start_subtest("obj_priv_freplace_prog_fail")) { + struct bpffs_opts opts = { + .cmds = bit(BPF_BTF_LOAD) | bit(BPF_PROG_LOAD) | bit(BPF_BTF_GET_FD_BY_ID), + .progs = bit(BPF_PROG_TYPE_EXT) | bit(BPF_PROG_TYPE_XDP), + .attachs = ~0ULL, + }; + subtest_userns(&opts, userns_obj_priv_freplace_prog_fail); + } if (test__start_subtest("obj_priv_btf_fail")) { struct bpffs_opts opts = { /* disallow BTF loading */ diff --git a/tools/testing/selftests/bpf/progs/priv_freplace_prog.c b/tools/testing/selftests/bpf/progs/priv_freplace_prog.c new file mode 100644 index 000000000000..ccf1b04010ba --- /dev/null +++ b/tools/testing/selftests/bpf/progs/priv_freplace_prog.c 
@@ -0,0 +1,13 @@ +// SPDX-License-Identifier: GPL-2.0 +/* Copyright (c) 2025 Meta Platforms, Inc. and affiliates. */ + +#include "vmlinux.h" +#include + +char _license[] SEC("license") = "GPL"; + +SEC("freplace/xdp_prog1") +int new_xdp_prog2(struct xdp_md *xd) +{ + return XDP_DROP; +} diff --git a/tools/testing/selftests/bpf/progs/priv_prog.c b/tools/testing/selftests/bpf/progs/priv_prog.c index 3c7b2b618c8a..725e29595079 100644 --- a/tools/testing/selftests/bpf/progs/priv_prog.c +++ b/tools/testing/selftests/bpf/progs/priv_prog.c @@ -6,8 +6,8 @@ char _license[] SEC("license") = "GPL"; -SEC("kprobe") -int kprobe_prog(void *ctx) +SEC("xdp") +int xdp_prog1(struct xdp_md *xdp) { - return 1; + return XDP_DROP; }
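Review bot: in patch 1/4, the new `__s32 fd_by_id_token_fd;` in union bpf_attr (both the include/uapi and tools/include/uapi copies) is added without a comment. The kernel side in this series reads it only when BPF_F_TOKEN_FD is set in open_flags, and only bpf_btf_get_fd_by_id() is changed to look at it, so a one-line comment next to the field stating both conditions would keep user space from assuming the other commands that share this struct accept a token.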
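Review bot: in patch 1/4, bpf_btf_get_fd_by_id() still ends with `if (!bpf_token_capable(token, CAP_SYS_ADMIN))`, while the commit message says the check is relaxed from CAP_SYS_ADMIN to CAP_BPF; the log or the capability needs to change so the two agree. In the same hunk, the branch where bpf_token_allow_cmd() fails drops the token, sets it to NULL and falls through to the capability check instead of returning an error. A short comment there saying that a token without BPF_BTF_GET_FD_BY_ID delegated means "fall back to the caller's own capabilities", and that the later bpf_token_put(token) is reached with token == NULL on that path, would make the intended privilege model explicit for the next reader.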
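Review bot: in patch 2/4, the first hunk of bpf_prog_get_info_by_fd() now fills info.btf_id above the `if (!bpf_capable())` block, so the ID is returned to callers that fail that check, and nothing in the code says this placement is deliberate. Please add a comment at the new assignment explaining that btf_id is intentionally reported to unprivileged callers and what still gates use of the ID (turning it into an FD goes through the BPF_BTF_GET_FD_BY_ID check from patch 1/4), otherwise a later cleanup can move it back next to attach_btf_id. The commit message should carry the same reasoning, since it currently describes only the use case.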
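Review bot: in patch 3/4, struct bpf_get_fd_by_id_opts in tools/lib/bpf/bpf.h gains `__u32 token_fd;` with no comment and with a different signedness from everything it feeds: the kernel attribute is `__s32 fd_by_id_token_fd`, and btf_load_from_kernel() and libbpf_find_prog_btf_id() take `int token_fd`. Settle on one type across the chain and document that the field is used together with BPF_F_TOKEN_FD in open_flags. The same struct is declared for bpf_prog_get_fd_by_id_opts() right below, but only bpf_btf_get_fd_by_id_opts() copies token_fd into the attr in this patch, so the comment should also say which calls honour it.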
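Review bot: in patch 4/4, userns_obj_priv_freplace_setup() tests the wrong pointer after opening the freplace skeleton: `*fr_skel = priv_freplace_prog__open_opts(&opts);` is followed by `if (!ASSERT_OK_PTR(*skel, "priv_freplace_prog__open_opts"))`, which re-checks the already loaded priv_prog skeleton, so a failed open goes unnoticed and the callers then dereference fr_skel->obj and fr_skel->progs. The assertion should be on *fr_skel. In userns_obj_priv_freplace_prog_fail(), ASSERT_ERR(err, "attach fails") accepts any error; comparing err against the errno the missing token is expected to produce would keep the negative test from passing on an unrelated failure. The comment above that function says "replace" where "freplace" is meant.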