On Tue, Aug 06, 2024 at 04:09:04PM -0700, Song Liu wrote:
> Add test for bpf_get_dentry_xattr on hook security_inode_getxattr.
> Verify that the kfunc can read the xattr. Also test failing getxattr
> from user space by returning non-zero from the LSM bpf program.
>
> Acked-by: Christian Brauner <brauner@xxxxxxxxxx>
> Signed-off-by: Song Liu <song@xxxxxxxxxx>
> ---
> tools/testing/selftests/bpf/bpf_kfuncs.h | 9 +++++
> .../selftests/bpf/prog_tests/fs_kfuncs.c | 9 ++++-
> .../selftests/bpf/progs/test_get_xattr.c | 37 ++++++++++++++++---
> 3 files changed, 49 insertions(+), 6 deletions(-)
>
> diff --git a/tools/testing/selftests/bpf/bpf_kfuncs.h b/tools/testing/selftests/bpf/bpf_kfuncs.h
> index 3b6675ab4086..efed458a3c0a 100644
> --- a/tools/testing/selftests/bpf/bpf_kfuncs.h
> +++ b/tools/testing/selftests/bpf/bpf_kfuncs.h
> @@ -78,4 +78,13 @@ extern int bpf_verify_pkcs7_signature(struct bpf_dynptr *data_ptr,
>
> extern bool bpf_session_is_return(void) __ksym __weak;
> extern __u64 *bpf_session_cookie(void) __ksym __weak;
> +
> +struct dentry;
> +/* Description
> + * Returns xattr of a dentry
> + * Returns__bpf_kfunc
nit, extra '__bpf_kfunc' suffix?
jirka
> + * Error code
> + */
> +extern int bpf_get_dentry_xattr(struct dentry *dentry, const char *name,
> + struct bpf_dynptr *value_ptr) __ksym __weak;
> #endif
> diff --git a/tools/testing/selftests/bpf/prog_tests/fs_kfuncs.c b/tools/testing/selftests/bpf/prog_tests/fs_kfuncs.c
> index 37056ba73847..5a0b51157451 100644
> --- a/tools/testing/selftests/bpf/prog_tests/fs_kfuncs.c
> +++ b/tools/testing/selftests/bpf/prog_tests/fs_kfuncs.c
> @@ -16,6 +16,7 @@ static void test_xattr(void)
> {
> struct test_get_xattr *skel = NULL;
> int fd = -1, err;
> + int v[32];
>
> fd = open(testfile, O_CREAT | O_RDONLY, 0644);
> if (!ASSERT_GE(fd, 0, "create_file"))
> @@ -50,7 +51,13 @@ static void test_xattr(void)
> if (!ASSERT_GE(fd, 0, "open_file"))
> goto out;
>
> - ASSERT_EQ(skel->bss->found_xattr, 1, "found_xattr");
> + ASSERT_EQ(skel->bss->found_xattr_from_file, 1, "found_xattr_from_file");
> +
> + /* Trigger security_inode_getxattr */
> + err = getxattr(testfile, "user.kfuncs", v, sizeof(v));
> + ASSERT_EQ(err, -1, "getxattr_return");
> + ASSERT_EQ(errno, EINVAL, "getxattr_errno");
> + ASSERT_EQ(skel->bss->found_xattr_from_dentry, 1, "found_xattr_from_dentry");
>
> out:
> close(fd);
> diff --git a/tools/testing/selftests/bpf/progs/test_get_xattr.c b/tools/testing/selftests/bpf/progs/test_get_xattr.c
> index 7eb2a4e5a3e5..66e737720f7c 100644
> --- a/tools/testing/selftests/bpf/progs/test_get_xattr.c
> +++ b/tools/testing/selftests/bpf/progs/test_get_xattr.c
> @@ -2,6 +2,7 @@
> /* Copyright (c) 2023 Meta Platforms, Inc. and affiliates. */
>
> #include "vmlinux.h"
> +#include <errno.h>
> #include <bpf/bpf_helpers.h>
> #include <bpf/bpf_tracing.h>
> #include "bpf_kfuncs.h"
> @@ -9,10 +10,12 @@
> char _license[] SEC("license") = "GPL";
>
> __u32 monitored_pid;
> -__u32 found_xattr;
> +__u32 found_xattr_from_file;
> +__u32 found_xattr_from_dentry;
>
> static const char expected_value[] = "hello";
> -char value[32];
> +char value1[32];
> +char value2[32];
>
> SEC("lsm.s/file_open")
> int BPF_PROG(test_file_open, struct file *f)
> @@ -25,13 +28,37 @@ int BPF_PROG(test_file_open, struct file *f)
> if (pid != monitored_pid)
> return 0;
>
> - bpf_dynptr_from_mem(value, sizeof(value), 0, &value_ptr);
> + bpf_dynptr_from_mem(value1, sizeof(value1), 0, &value_ptr);
>
> ret = bpf_get_file_xattr(f, "user.kfuncs", &value_ptr);
> if (ret != sizeof(expected_value))
> return 0;
> - if (bpf_strncmp(value, ret, expected_value))
> + if (bpf_strncmp(value1, ret, expected_value))
> return 0;
> - found_xattr = 1;
> + found_xattr_from_file = 1;
> return 0;
> }
> +
> +SEC("lsm.s/inode_getxattr")
> +int BPF_PROG(test_inode_getxattr, struct dentry *dentry, char *name)
> +{
> + struct bpf_dynptr value_ptr;
> + __u32 pid;
> + int ret;
> +
> + pid = bpf_get_current_pid_tgid() >> 32;
> + if (pid != monitored_pid)
> + return 0;
> +
> + bpf_dynptr_from_mem(value2, sizeof(value2), 0, &value_ptr);
> +
> + ret = bpf_get_dentry_xattr(dentry, "user.kfuncs", &value_ptr);
> + if (ret != sizeof(expected_value))
> + return 0;
> + if (bpf_strncmp(value2, ret, expected_value))
> + return 0;
> + found_xattr_from_dentry = 1;
> +
> + /* return non-zero to fail getxattr from user space */
> + return -EINVAL;
> +}
> --
> 2.43.5
>
>
