On Mon, Oct 30, 2023 at 11:00 PM Hengqi Chen <hengqi.chen@xxxxxxxxx> wrote:
>
> Implement test_run for seccomp program type. Default
> is to use an empty struct seccomp_data as bpf_context,
> but can be overridden by userspace. This will be used
> in selftests.
>
> Signed-off-by: Hengqi Chen <hengqi.chen@xxxxxxxxx>
> ---
> include/linux/bpf.h | 3 +++
> kernel/seccomp.c | 1 +
> net/bpf/test_run.c | 27 +++++++++++++++++++++++++++
> 3 files changed, 31 insertions(+)
>
> diff --git a/include/linux/bpf.h b/include/linux/bpf.h
> index b4825d3cdb29..e25338e67ec4 100644
> --- a/include/linux/bpf.h
> +++ b/include/linux/bpf.h
> @@ -2376,6 +2376,9 @@ int bpf_prog_test_run_sk_lookup(struct bpf_prog *prog,
> int bpf_prog_test_run_nf(struct bpf_prog *prog,
> const union bpf_attr *kattr,
> union bpf_attr __user *uattr);
> +int bpf_prog_test_run_seccomp(struct bpf_prog *prog,
> + const union bpf_attr *kattr,
> + union bpf_attr __user *uattr);
> bool btf_ctx_access(int off, int size, enum bpf_access_type type,
> const struct bpf_prog *prog,
> struct bpf_insn_access_aux *info);
> diff --git a/kernel/seccomp.c b/kernel/seccomp.c
> index 5a6ed8630566..1fa2312654a5 100644
> --- a/kernel/seccomp.c
> +++ b/kernel/seccomp.c
> @@ -2517,6 +2517,7 @@ int proc_pid_seccomp_cache(struct seq_file *m, struct pid_namespace *ns,
>
> #if defined(CONFIG_SECCOMP_FILTER) && defined(CONFIG_BPF_SYSCALL)
> const struct bpf_prog_ops seccomp_prog_ops = {
> + .test_run = bpf_prog_test_run_seccomp,
> };
>
> static bool seccomp_is_valid_access(int off, int size, enum bpf_access_type type,
> diff --git a/net/bpf/test_run.c b/net/bpf/test_run.c
> index 0841f8d82419..db159b9c56ca 100644
> --- a/net/bpf/test_run.c
> +++ b/net/bpf/test_run.c
> @@ -20,6 +20,7 @@
> #include <linux/smp.h>
> #include <linux/sock_diag.h>
> #include <linux/netfilter.h>
> +#include <linux/seccomp.h>
> #include <net/netdev_rx_queue.h>
> #include <net/xdp.h>
> #include <net/netfilter/nf_bpf_link.h>
> @@ -1665,6 +1666,32 @@ int bpf_prog_test_run_nf(struct bpf_prog *prog,
> return ret;
> }
>
> +int bpf_prog_test_run_seccomp(struct bpf_prog *prog,
> + const union bpf_attr *kattr,
> + union bpf_attr __user *uattr)
> +{
> + void __user *ctx_in = u64_to_user_ptr(kattr->test.ctx_in);
> + __u32 ctx_size_in = kattr->test.ctx_size_in;
> + struct seccomp_data ctx = {};
> + __u32 retval;
> +
> + if (kattr->test.flags || kattr->test.cpu || kattr->test.batch_size)
> + return -EINVAL;
> +
what about ctx_out, ctx_size_out, data_size_in/data_size_out, etc,
etc. Should we enforce that they all stay zero? Similar questions to
repeat and duration.
> + if (ctx_size_in && ctx_size_in < sizeof(ctx))
> + return -EINVAL;
> +
> + if (ctx_size_in && copy_from_user(&ctx, ctx_in, sizeof(ctx)))
> + return -EFAULT;
> +
> + retval = bpf_prog_run_pin_on_cpu(prog, &ctx);
> +
> + if (copy_to_user(&uattr->test.retval, &retval, sizeof(retval)))
> + return -EFAULT;
> +
> + return 0;
> +}
> +
> static const struct btf_kfunc_id_set bpf_prog_test_kfunc_set = {
> .owner = THIS_MODULE,
> .set = &test_sk_check_kfunc_ids,
> --
> 2.34.1
>
