linux/tools/testing/selftests/bpf/progs/nested_trust_failure.c

// SPDX-License-Identifier: GPL-2.0
/* Copyright (c) 2023 Meta Platforms, Inc. and affiliates. */

#include <vmlinux.h>
#include <bpf/bpf_tracing.h>
#include <bpf/bpf_helpers.h>
#include "bpf_misc.h"

#include "nested_trust_common.h"

char _license[] SEC("license") = "GPL";

struct {
	__uint(type, BPF_MAP_TYPE_SK_STORAGE);
	__uint(map_flags, BPF_F_NO_PREALLOC);
	__type(key, int);
	__type(value, u64);
} sk_storage_map SEC(".maps");

/* Prototype for all of the program trace events below:
 *
 * TRACE_EVENT(task_newtask,
 *         TP_PROTO(struct task_struct *p, u64 clone_flags)
 */

SEC("tp_btf/task_newtask")
__failure __msg("R2 must be")
int BPF_PROG(test_invalid_nested_user_cpus, struct task_struct *task, u64 clone_flags)
{
	bpf_cpumask_test_cpu(0, task->user_cpus_ptr);
	return 0;
}

SEC("tp_btf/task_newtask")
__failure __msg("R1 must have zero offset when passed to release func or trusted arg to kfunc")
int BPF_PROG(test_invalid_nested_offset, struct task_struct *task, u64 clone_flags)
{
	bpf_cpumask_first_zero(&task->cpus_mask);
	return 0;
}

/* Although R2 is of type sk_buff but sock_common is expected, we will hit untrusted ptr first. */
SEC("tp_btf/tcp_probe")
__failure __msg("R2 type=untrusted_ptr_ expected=ptr_, trusted_ptr_, rcu_ptr_")
int BPF_PROG(test_invalid_skb_field, struct sock *sk, struct sk_buff *skb)
{
	bpf_sk_storage_get(&sk_storage_map, skb->next, 0, 0);
	return 0;
}
selftests/bpf: Add nested trust selftests suite Now that defining trusted fields in a struct is supported, we should add selftests to verify the behavior. This patch adds a few such testcases. Signed-off-by: David Vernet <void@manifault.com> Link: https://lore.kernel.org/r/20230125143816.721952-4-void@manifault.com Signed-off-by: Alexei Starovoitov <ast@kernel.org> 2023-01-25 08:38:12 -06:00			`// SPDX-License-Identifier: GPL-2.0`
			`/* Copyright (c) 2023 Meta Platforms, Inc. and affiliates. */`

			`#include <vmlinux.h>`
			`#include <bpf/bpf_tracing.h>`
			`#include <bpf/bpf_helpers.h>`
			`#include "bpf_misc.h"`

			`#include "nested_trust_common.h"`

			`char _license[] SEC("license") = "GPL";`

selftests/bpf: Add selftests for nested_trust Add selftests for nested_strust to check whehter PTR_UNTRUSTED is cleared as expected, the result as follows: #141/1 nested_trust/test_read_cpumask:OK #141/2 nested_trust/test_skb_field:OK <<<< #141/3 nested_trust/test_invalid_nested_user_cpus:OK #141/4 nested_trust/test_invalid_nested_offset:OK #141/5 nested_trust/test_invalid_skb_field:OK <<<< #141 nested_trust:OK The #141/2 and #141/5 are newly added. Signed-off-by: Yafang Shao <laoar.shao@gmail.com> Link: https://lore.kernel.org/r/20230713025642.27477-3-laoar.shao@gmail.com Signed-off-by: Alexei Starovoitov <ast@kernel.org> 2023-07-13 02:56:40 +00:00			`struct {`
			`__uint(type, BPF_MAP_TYPE_SK_STORAGE);`
			`__uint(map_flags, BPF_F_NO_PREALLOC);`
			`__type(key, int);`
			`__type(value, u64);`
			`} sk_storage_map SEC(".maps");`

selftests/bpf: Add nested trust selftests suite Now that defining trusted fields in a struct is supported, we should add selftests to verify the behavior. This patch adds a few such testcases. Signed-off-by: David Vernet <void@manifault.com> Link: https://lore.kernel.org/r/20230125143816.721952-4-void@manifault.com Signed-off-by: Alexei Starovoitov <ast@kernel.org> 2023-01-25 08:38:12 -06:00			`/* Prototype for all of the program trace events below:`
			`*`
			`* TRACE_EVENT(task_newtask,`
			`* TP_PROTO(struct task_struct *p, u64 clone_flags)`
			`*/`

			`SEC("tp_btf/task_newtask")`
bpf: Refactor RCU enforcement in the verifier. bpf_rcu_read_lock/unlock() are only available in clang compiled kernels. Lack of such key mechanism makes it impossible for sleepable bpf programs to use RCU pointers. Allow bpf_rcu_read_lock/unlock() in GCC compiled kernels (though GCC doesn't support btf_type_tag yet) and allowlist certain field dereferences in important data structures like tast_struct, cgroup, socket that are used by sleepable programs either as RCU pointer or full trusted pointer (which is valid outside of RCU CS). Use BTF_TYPE_SAFE_RCU and BTF_TYPE_SAFE_TRUSTED macros for such tagging. They will be removed once GCC supports btf_type_tag. With that refactor check_ptr_to_btf_access(). Make it strict in enforcing PTR_TRUSTED and PTR_UNTRUSTED while deprecating old PTR_TO_BTF_ID without modifier flags. There is a chance that this strict enforcement might break existing programs (especially on GCC compiled kernels), but this cleanup has to start sooner than later. Note PTR_TO_CTX access still yields old deprecated PTR_TO_BTF_ID. Once it's converted to strict PTR_TRUSTED or PTR_UNTRUSTED the kfuncs and helpers will be able to default to KF_TRUSTED_ARGS. KF_RCU will remain as a weaker version of KF_TRUSTED_ARGS where obj refcnt could be 0. Adjust rcu_read_lock selftest to run on gcc and clang compiled kernels. Signed-off-by: Alexei Starovoitov <ast@kernel.org> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Acked-by: David Vernet <void@manifault.com> Link: https://lore.kernel.org/bpf/20230303041446.3630-7-alexei.starovoitov@gmail.com 2023-03-02 20:14:46 -08:00			`__failure __msg("R2 must be")`
selftests/bpf: Add nested trust selftests suite Now that defining trusted fields in a struct is supported, we should add selftests to verify the behavior. This patch adds a few such testcases. Signed-off-by: David Vernet <void@manifault.com> Link: https://lore.kernel.org/r/20230125143816.721952-4-void@manifault.com Signed-off-by: Alexei Starovoitov <ast@kernel.org> 2023-01-25 08:38:12 -06:00			`int BPF_PROG(test_invalid_nested_user_cpus, struct task_struct *task, u64 clone_flags)`
			`{`
			`bpf_cpumask_test_cpu(0, task->user_cpus_ptr);`
			`return 0;`
			`}`

			`SEC("tp_btf/task_newtask")`
			`__failure __msg("R1 must have zero offset when passed to release func or trusted arg to kfunc")`
			`int BPF_PROG(test_invalid_nested_offset, struct task_struct *task, u64 clone_flags)`
			`{`
			`bpf_cpumask_first_zero(&task->cpus_mask);`
			`return 0;`
			`}`
selftests/bpf: Add selftests for nested_trust Add selftests for nested_strust to check whehter PTR_UNTRUSTED is cleared as expected, the result as follows: #141/1 nested_trust/test_read_cpumask:OK #141/2 nested_trust/test_skb_field:OK <<<< #141/3 nested_trust/test_invalid_nested_user_cpus:OK #141/4 nested_trust/test_invalid_nested_offset:OK #141/5 nested_trust/test_invalid_skb_field:OK <<<< #141 nested_trust:OK The #141/2 and #141/5 are newly added. Signed-off-by: Yafang Shao <laoar.shao@gmail.com> Link: https://lore.kernel.org/r/20230713025642.27477-3-laoar.shao@gmail.com Signed-off-by: Alexei Starovoitov <ast@kernel.org> 2023-07-13 02:56:40 +00:00
			`/* Although R2 is of type sk_buff but sock_common is expected, we will hit untrusted ptr first. */`
			`SEC("tp_btf/tcp_probe")`
			`__failure __msg("R2 type=untrusted_ptr_ expected=ptr_, trusted_ptr_, rcu_ptr_")`
			`int BPF_PROG(test_invalid_skb_field, struct sock sk, struct sk_buff skb)`
			`{`
			`bpf_sk_storage_get(&sk_storage_map, skb->next, 0, 0);`
			`return 0;`
			`}`