Skip to content

Commit 9cde3be

Browse files
sinkapAlexei Starovoitov
authored andcommitted
bpf: Add tests for task_local_storage
The test exercises the syscall based map operations by creating a pidfd for the current process. For verifying kernel / LSM functionality, the test implements a simple MAC policy which denies an executable from unlinking itself. The LSM program bprm_committed_creds sets a task_local_storage with a pointer to the inode. This is then used to detect if the task is trying to unlink itself in the inode_unlink LSM hook. The test copies /bin/rm to /tmp and executes it in a child thread with the intention of deleting itself. A successful test should prevent the the running executable from deleting itself. The bpf programs are also updated to call bpf_spin_{lock, unlock} to trigger the verfier checks for spin locks. The temporary file is cleaned up later in the test. Signed-off-by: KP Singh <[email protected]> Signed-off-by: Alexei Starovoitov <[email protected]> Acked-by: Martin KaFai Lau <[email protected]> Link: https://lore.kernel.org/bpf/[email protected]
1 parent a367efa commit 9cde3be

File tree

2 files changed

+226
-20
lines changed

2 files changed

+226
-20
lines changed

tools/testing/selftests/bpf/prog_tests/test_local_storage.c

Lines changed: 172 additions & 13 deletions
Original file line numberDiff line numberDiff line change
@@ -4,30 +4,161 @@
44
* Copyright (C) 2020 Google LLC.
55
*/
66

7+
#include <asm-generic/errno-base.h>
8+
#include <sys/stat.h>
79
#include <test_progs.h>
810
#include <linux/limits.h>
911

1012
#include "local_storage.skel.h"
1113
#include "network_helpers.h"
1214

13-
int create_and_unlink_file(void)
15+
static inline int sys_pidfd_open(pid_t pid, unsigned int flags)
1416
{
15-
char fname[PATH_MAX] = "/tmp/fileXXXXXX";
16-
int fd;
17+
return syscall(__NR_pidfd_open, pid, flags);
18+
}
19+
20+
static inline ssize_t copy_file_range(int fd_in, loff_t *off_in, int fd_out,
21+
loff_t *off_out, size_t len,
22+
unsigned int flags)
23+
{
24+
return syscall(__NR_copy_file_range, fd_in, off_in, fd_out, off_out,
25+
len, flags);
26+
}
27+
28+
static unsigned int duration;
29+
30+
#define TEST_STORAGE_VALUE 0xbeefdead
1731

18-
fd = mkstemp(fname);
19-
if (fd < 0)
20-
return fd;
32+
struct storage {
33+
void *inode;
34+
unsigned int value;
35+
/* Lock ensures that spin locked versions of local stoage operations
36+
* also work, most operations in this tests are still single threaded
37+
*/
38+
struct bpf_spin_lock lock;
39+
};
40+
41+
/* Copies an rm binary to a temp file. dest is a mkstemp template */
42+
static int copy_rm(char *dest)
43+
{
44+
int fd_in, fd_out = -1, ret = 0;
45+
struct stat stat;
46+
47+
fd_in = open("/bin/rm", O_RDONLY);
48+
if (fd_in < 0)
49+
return -errno;
50+
51+
fd_out = mkstemp(dest);
52+
if (fd_out < 0) {
53+
ret = -errno;
54+
goto out;
55+
}
56+
57+
ret = fstat(fd_in, &stat);
58+
if (ret == -1) {
59+
ret = -errno;
60+
goto out;
61+
}
62+
63+
ret = copy_file_range(fd_in, NULL, fd_out, NULL, stat.st_size, 0);
64+
if (ret == -1) {
65+
ret = -errno;
66+
goto out;
67+
}
68+
69+
/* Set executable permission on the copied file */
70+
ret = chmod(dest, 0100);
71+
if (ret == -1)
72+
ret = -errno;
73+
74+
out:
75+
close(fd_in);
76+
close(fd_out);
77+
return ret;
78+
}
79+
80+
/* Fork and exec the provided rm binary and return the exit code of the
81+
* forked process and its pid.
82+
*/
83+
static int run_self_unlink(int *monitored_pid, const char *rm_path)
84+
{
85+
int child_pid, child_status, ret;
86+
int null_fd;
87+
88+
child_pid = fork();
89+
if (child_pid == 0) {
90+
null_fd = open("/dev/null", O_WRONLY);
91+
dup2(null_fd, STDOUT_FILENO);
92+
dup2(null_fd, STDERR_FILENO);
93+
close(null_fd);
94+
95+
*monitored_pid = getpid();
96+
/* Use the copied /usr/bin/rm to delete itself
97+
* /tmp/copy_of_rm /tmp/copy_of_rm.
98+
*/
99+
ret = execlp(rm_path, rm_path, rm_path, NULL);
100+
if (ret)
101+
exit(errno);
102+
} else if (child_pid > 0) {
103+
waitpid(child_pid, &child_status, 0);
104+
return WEXITSTATUS(child_status);
105+
}
106+
107+
return -EINVAL;
108+
}
21109

22-
close(fd);
23-
unlink(fname);
24-
return 0;
110+
static bool check_syscall_operations(int map_fd, int obj_fd)
111+
{
112+
struct storage val = { .value = TEST_STORAGE_VALUE, .lock = { 0 } },
113+
lookup_val = { .value = 0, .lock = { 0 } };
114+
int err;
115+
116+
/* Looking up an existing element should fail initially */
117+
err = bpf_map_lookup_elem_flags(map_fd, &obj_fd, &lookup_val,
118+
BPF_F_LOCK);
119+
if (CHECK(!err || errno != ENOENT, "bpf_map_lookup_elem",
120+
"err:%d errno:%d\n", err, errno))
121+
return false;
122+
123+
/* Create a new element */
124+
err = bpf_map_update_elem(map_fd, &obj_fd, &val,
125+
BPF_NOEXIST | BPF_F_LOCK);
126+
if (CHECK(err < 0, "bpf_map_update_elem", "err:%d errno:%d\n", err,
127+
errno))
128+
return false;
129+
130+
/* Lookup the newly created element */
131+
err = bpf_map_lookup_elem_flags(map_fd, &obj_fd, &lookup_val,
132+
BPF_F_LOCK);
133+
if (CHECK(err < 0, "bpf_map_lookup_elem", "err:%d errno:%d", err,
134+
errno))
135+
return false;
136+
137+
/* Check the value of the newly created element */
138+
if (CHECK(lookup_val.value != val.value, "bpf_map_lookup_elem",
139+
"value got = %x errno:%d", lookup_val.value, val.value))
140+
return false;
141+
142+
err = bpf_map_delete_elem(map_fd, &obj_fd);
143+
if (CHECK(err, "bpf_map_delete_elem()", "err:%d errno:%d\n", err,
144+
errno))
145+
return false;
146+
147+
/* The lookup should fail, now that the element has been deleted */
148+
err = bpf_map_lookup_elem_flags(map_fd, &obj_fd, &lookup_val,
149+
BPF_F_LOCK);
150+
if (CHECK(!err || errno != ENOENT, "bpf_map_lookup_elem",
151+
"err:%d errno:%d\n", err, errno))
152+
return false;
153+
154+
return true;
25155
}
26156

27157
void test_test_local_storage(void)
28158
{
159+
char tmp_exec_path[PATH_MAX] = "/tmp/copy_of_rmXXXXXX";
160+
int err, serv_sk = -1, task_fd = -1;
29161
struct local_storage *skel = NULL;
30-
int err, duration = 0, serv_sk = -1;
31162

32163
skel = local_storage__open_and_load();
33164
if (CHECK(!skel, "skel_load", "lsm skeleton failed\n"))
@@ -37,12 +168,37 @@ void test_test_local_storage(void)
37168
if (CHECK(err, "attach", "lsm attach failed: %d\n", err))
38169
goto close_prog;
39170

40-
skel->bss->monitored_pid = getpid();
171+
task_fd = sys_pidfd_open(getpid(), 0);
172+
if (CHECK(task_fd < 0, "pidfd_open",
173+
"failed to get pidfd err:%d, errno:%d", task_fd, errno))
174+
goto close_prog;
41175

42-
err = create_and_unlink_file();
43-
if (CHECK(err < 0, "exec_cmd", "err %d errno %d\n", err, errno))
176+
if (!check_syscall_operations(bpf_map__fd(skel->maps.task_storage_map),
177+
task_fd))
44178
goto close_prog;
45179

180+
err = copy_rm(tmp_exec_path);
181+
if (CHECK(err < 0, "copy_rm", "err %d errno %d\n", err, errno))
182+
goto close_prog;
183+
184+
/* Sets skel->bss->monitored_pid to the pid of the forked child
185+
* forks a child process that executes tmp_exec_path and tries to
186+
* unlink its executable. This operation should be denied by the loaded
187+
* LSM program.
188+
*/
189+
err = run_self_unlink(&skel->bss->monitored_pid, tmp_exec_path);
190+
if (CHECK(err != EPERM, "run_self_unlink", "err %d want EPERM\n", err))
191+
goto close_prog_unlink;
192+
193+
/* Set the process being monitored to be the current process */
194+
skel->bss->monitored_pid = getpid();
195+
196+
/* Remove the temporary created executable */
197+
err = unlink(tmp_exec_path);
198+
if (CHECK(err != 0, "unlink", "unable to unlink %s: %d", tmp_exec_path,
199+
errno))
200+
goto close_prog_unlink;
201+
46202
CHECK(skel->data->inode_storage_result != 0, "inode_storage_result",
47203
"inode_local_storage not set\n");
48204

@@ -55,6 +211,9 @@ void test_test_local_storage(void)
55211

56212
close(serv_sk);
57213

214+
close_prog_unlink:
215+
unlink(tmp_exec_path);
58216
close_prog:
217+
close(task_fd);
59218
local_storage__destroy(skel);
60219
}

tools/testing/selftests/bpf/progs/local_storage.c

Lines changed: 54 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -17,41 +17,64 @@ int monitored_pid = 0;
1717
int inode_storage_result = -1;
1818
int sk_storage_result = -1;
1919

20-
struct dummy_storage {
20+
struct local_storage {
21+
struct inode *exec_inode;
2122
__u32 value;
23+
struct bpf_spin_lock lock;
2224
};
2325

2426
struct {
2527
__uint(type, BPF_MAP_TYPE_INODE_STORAGE);
2628
__uint(map_flags, BPF_F_NO_PREALLOC);
2729
__type(key, int);
28-
__type(value, struct dummy_storage);
30+
__type(value, struct local_storage);
2931
} inode_storage_map SEC(".maps");
3032

3133
struct {
3234
__uint(type, BPF_MAP_TYPE_SK_STORAGE);
3335
__uint(map_flags, BPF_F_NO_PREALLOC | BPF_F_CLONE);
3436
__type(key, int);
35-
__type(value, struct dummy_storage);
37+
__type(value, struct local_storage);
3638
} sk_storage_map SEC(".maps");
3739

40+
struct {
41+
__uint(type, BPF_MAP_TYPE_TASK_STORAGE);
42+
__uint(map_flags, BPF_F_NO_PREALLOC);
43+
__type(key, int);
44+
__type(value, struct local_storage);
45+
} task_storage_map SEC(".maps");
46+
3847
SEC("lsm/inode_unlink")
3948
int BPF_PROG(unlink_hook, struct inode *dir, struct dentry *victim)
4049
{
4150
__u32 pid = bpf_get_current_pid_tgid() >> 32;
42-
struct dummy_storage *storage;
51+
struct local_storage *storage;
52+
bool is_self_unlink;
4353
int err;
4454

4555
if (pid != monitored_pid)
4656
return 0;
4757

58+
storage = bpf_task_storage_get(&task_storage_map,
59+
bpf_get_current_task_btf(), 0, 0);
60+
if (storage) {
61+
/* Don't let an executable delete itself */
62+
bpf_spin_lock(&storage->lock);
63+
is_self_unlink = storage->exec_inode == victim->d_inode;
64+
bpf_spin_unlock(&storage->lock);
65+
if (is_self_unlink)
66+
return -EPERM;
67+
}
68+
4869
storage = bpf_inode_storage_get(&inode_storage_map, victim->d_inode, 0,
4970
BPF_LOCAL_STORAGE_GET_F_CREATE);
5071
if (!storage)
5172
return 0;
5273

74+
bpf_spin_lock(&storage->lock);
5375
if (storage->value != DUMMY_STORAGE_VALUE)
5476
inode_storage_result = -1;
77+
bpf_spin_unlock(&storage->lock);
5578

5679
err = bpf_inode_storage_delete(&inode_storage_map, victim->d_inode);
5780
if (!err)
@@ -65,7 +88,7 @@ int BPF_PROG(socket_bind, struct socket *sock, struct sockaddr *address,
6588
int addrlen)
6689
{
6790
__u32 pid = bpf_get_current_pid_tgid() >> 32;
68-
struct dummy_storage *storage;
91+
struct local_storage *storage;
6992
int err;
7093

7194
if (pid != monitored_pid)
@@ -76,8 +99,10 @@ int BPF_PROG(socket_bind, struct socket *sock, struct sockaddr *address,
7699
if (!storage)
77100
return 0;
78101

102+
bpf_spin_lock(&storage->lock);
79103
if (storage->value != DUMMY_STORAGE_VALUE)
80104
sk_storage_result = -1;
105+
bpf_spin_unlock(&storage->lock);
81106

82107
err = bpf_sk_storage_delete(&sk_storage_map, sock->sk);
83108
if (!err)
@@ -91,7 +116,7 @@ int BPF_PROG(socket_post_create, struct socket *sock, int family, int type,
91116
int protocol, int kern)
92117
{
93118
__u32 pid = bpf_get_current_pid_tgid() >> 32;
94-
struct dummy_storage *storage;
119+
struct local_storage *storage;
95120

96121
if (pid != monitored_pid)
97122
return 0;
@@ -101,7 +126,9 @@ int BPF_PROG(socket_post_create, struct socket *sock, int family, int type,
101126
if (!storage)
102127
return 0;
103128

129+
bpf_spin_lock(&storage->lock);
104130
storage->value = DUMMY_STORAGE_VALUE;
131+
bpf_spin_unlock(&storage->lock);
105132

106133
return 0;
107134
}
@@ -110,7 +137,7 @@ SEC("lsm/file_open")
110137
int BPF_PROG(file_open, struct file *file)
111138
{
112139
__u32 pid = bpf_get_current_pid_tgid() >> 32;
113-
struct dummy_storage *storage;
140+
struct local_storage *storage;
114141

115142
if (pid != monitored_pid)
116143
return 0;
@@ -123,6 +150,26 @@ int BPF_PROG(file_open, struct file *file)
123150
if (!storage)
124151
return 0;
125152

153+
bpf_spin_lock(&storage->lock);
126154
storage->value = DUMMY_STORAGE_VALUE;
155+
bpf_spin_unlock(&storage->lock);
127156
return 0;
128157
}
158+
159+
/* This uses the local storage to remember the inode of the binary that a
160+
* process was originally executing.
161+
*/
162+
SEC("lsm/bprm_committed_creds")
163+
void BPF_PROG(exec, struct linux_binprm *bprm)
164+
{
165+
struct local_storage *storage;
166+
167+
storage = bpf_task_storage_get(&task_storage_map,
168+
bpf_get_current_task_btf(), 0,
169+
BPF_LOCAL_STORAGE_GET_F_CREATE);
170+
if (storage) {
171+
bpf_spin_lock(&storage->lock);
172+
storage->exec_inode = bprm->file->f_inode;
173+
bpf_spin_unlock(&storage->lock);
174+
}
175+
}

0 commit comments

Comments
 (0)