This commit adds a test case to verify that the `bpf_sock_destroy` kfunc is not allowed from program attach types other than BPF trace iterator. Unsupprted programs calling the kfunc will be rejected by the verifier.
Signed-off-by: Aditi Ghag <aditi.ghag@xxxxxxxxxxxxx>
Signed-off-by: Martin KaFai Lau <martin.lau@xxxxxxxxxx>
---
 .../selftests/bpf/prog_tests/sock_destroy.c | 2 ++
 .../bpf/progs/sock_destroy_prog_fail.c | 22 +++++++++++++++++++
 2 files changed, 24 insertions(+)
 create mode 100644 tools/testing/selftests/bpf/progs/sock_destroy_prog_fail.c
diff --git a/tools/testing/selftests/bpf/prog_tests/sock_destroy.c b/tools/testing/selftests/bpf/prog_tests/sock_destroy.c
index 56b72594cd6b..b0583309a94e 100644
--- a/tools/testing/selftests/bpf/prog_tests/sock_destroy.c
+++ b/tools/testing/selftests/bpf/prog_tests/sock_destroy.c
@@ -3,6 +3,7 @@
 #include <bpf/bpf_endian.h>
 #include "sock_destroy_prog.skel.h"
+#include "sock_destroy_prog_fail.skel.h"
 #include "network_helpers.h"
 #define TEST_NS "sock_destroy_netns"
@@ -208,6 +209,7 @@ void test_sock_destroy(void)
 if (test__start_subtest("udp_server"))
 test_udp_server(skel);
+ RUN_TESTS(sock_destroy_prog_fail);
 cleanup:
 if (nstoken)
diff --git a/tools/testing/selftests/bpf/progs/sock_destroy_prog_fail.c b/tools/testing/selftests/bpf/progs/sock_destroy_prog_fail.c
new file mode 100644
index 000000000000..dd6850b58e25
--- /dev/null
+++ b/tools/testing/selftests/bpf/progs/sock_destroy_prog_fail.c
@@ -0,0 +1,22 @@
+// SPDX-License-Identifier: GPL-2.0
+
+#include "vmlinux.h"
+#include <bpf/bpf_tracing.h>
+#include <bpf/bpf_helpers.h>
+
+#include "bpf_misc.h"
+
+char _license[] SEC("license") = "GPL";
+
+int bpf_sock_destroy(struct sock_common *sk) __ksym;
+
+SEC("tp_btf/tcp_destroy_sock")
+__failure __msg("calling kernel function bpf_sock_destroy is not allowed")
+int BPF_PROG(trace_tcp_destroy_sock, struct sock *sk)
+{
+ /* should not load */
+ bpf_sock_destroy((struct sock_common *)sk);
+
+ return 0;
+}
+
-- 
2.34.1
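Review bot: `RUN_TESTS(sock_destroy_prog_fail);` is placed directly before the `cleanup:` label in test_sock_destroy(), so it presumably runs only if every earlier setup step in the function succeeded. If namespace or skeleton setup jumps to `cleanup`, the verifier-rejection check is skipped without reporting a failure of its own. The negative test does not appear to depend on the namespace or on `skel`, so it could run at the top of the function or from its own test entry point. The function body starts and ends outside this hunk, so the setup path should be confirmed against the full file.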
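Review bot: The new file covers one rejected attach point, `tp_btf/tcp_destroy_sock`, while the commit message states the kfunc is refused for every program attach type other than the BPF trace iterator. A second `__failure` program under another tracing attach type (for example an `fentry` program) with the same `__msg` string would catch a regression that lets only some non-iterator types through. The `/* should not load */` comment could also state the reason, e.g. `/* bpf_sock_destroy is restricted to iterator programs; the verifier must reject this tp_btf program */`.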