
selftests/bpf: Add verifier tests for bpf lsm

Add verifier tests to check bpf lsm return values and disabled hooks.

Signed-off-by: Xu Kuohai <xukuohai@huawei.com>
Link: https://lore.kernel.org/r/20240719110059.797546-10-xukuohai@huaweicloud.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>

authored by

Xu Kuohai and committed by
Andrii Nakryiko
04d8243b d463dd9c

+164
+2
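--- a/tools/testing/selftests/bpf/prog_tests/verifier.c
+++ b/tools/testing/selftests/bpf/prog_tests/verifier.c
@@ -88,6 +88,7 @@
 #include "verifier_xdp.skel.h"
 #include "verifier_xdp_direct_packet_access.skel.h"
 #include "verifier_bits_iter.skel.h"
+#include "verifier_lsm.skel.h"
 
 #define MAX_ENTRIES 11
 
@@ -206,6 +207,7 @@
 void test_verifier_xdp(void) { RUN(verifier_xdp); }
 void test_verifier_xdp_direct_packet_access(void) { RUN(verifier_xdp_direct_packet_access); }
 void test_verifier_bits_iter(void) { RUN(verifier_bits_iter); }
+void test_verifier_lsm(void) { RUN(verifier_lsm); }
 
 static int init_test_val_map(struct bpf_object *obj, char *map_name)
 {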
+162
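--- a/tools/testing/selftests/bpf/progs/verifier_lsm.c
+++ b/tools/testing/selftests/bpf/progs/verifier_lsm.c
@@ -0,0 +1,162 @@
+// SPDX-License-Identifier: GPL-2.0
+
+#include <linux/bpf.h>
+#include <bpf/bpf_helpers.h>
+#include "bpf_misc.h"
+
+SEC("lsm/file_alloc_security")
+__description("lsm bpf prog with -4095~0 retval. test 1")
+__success
+__naked int errno_zero_retval_test1(void *ctx)
+{
+asm volatile (
+"r0 = 0;"
+"exit;"
+::: __clobber_all);
+}
+
+SEC("lsm/file_alloc_security")
+__description("lsm bpf prog with -4095~0 retval. test 2")
+__success
+__naked int errno_zero_retval_test2(void *ctx)
+{
+asm volatile (
+"r0 = -4095;"
+"exit;"
+::: __clobber_all);
+}
+
+SEC("lsm/file_mprotect")
+__description("lsm bpf prog with -4095~0 retval. test 4")
+__failure __msg("R0 has smin=-4096 smax=-4096 should have been in [-4095, 0]")
+__naked int errno_zero_retval_test4(void *ctx)
+{
+asm volatile (
+"r0 = -4096;"
+"exit;"
+::: __clobber_all);
+}
+
+SEC("lsm/file_mprotect")
+__description("lsm bpf prog with -4095~0 retval. test 5")
+__failure __msg("R0 has smin=4096 smax=4096 should have been in [-4095, 0]")
+__naked int errno_zero_retval_test5(void *ctx)
+{
+asm volatile (
+"r0 = 4096;"
+"exit;"
+::: __clobber_all);
+}
+
+SEC("lsm/file_mprotect")
+__description("lsm bpf prog with -4095~0 retval. test 6")
+__failure __msg("R0 has smin=1 smax=1 should have been in [-4095, 0]")
+__naked int errno_zero_retval_test6(void *ctx)
+{
+asm volatile (
+"r0 = 1;"
+"exit;"
+::: __clobber_all);
+}
+
+SEC("lsm/audit_rule_known")
+__description("lsm bpf prog with bool retval. test 1")
+__success
+__naked int bool_retval_test1(void *ctx)
+{
+asm volatile (
+"r0 = 1;"
+"exit;"
+::: __clobber_all);
+}
+
+SEC("lsm/audit_rule_known")
+__description("lsm bpf prog with bool retval. test 2")
+__success
+__success
+__naked int bool_retval_test2(void *ctx)
+{
+asm volatile (
+"r0 = 0;"
+"exit;"
+::: __clobber_all);
+}
+
+SEC("lsm/audit_rule_known")
+__description("lsm bpf prog with bool retval. test 3")
+__failure __msg("R0 has smin=-1 smax=-1 should have been in [0, 1]")
+__naked int bool_retval_test3(void *ctx)
+{
+asm volatile (
+"r0 = -1;"
+"exit;"
+::: __clobber_all);
+}
+
+SEC("lsm/audit_rule_known")
+__description("lsm bpf prog with bool retval. test 4")
+__failure __msg("R0 has smin=2 smax=2 should have been in [0, 1]")
+__naked int bool_retval_test4(void *ctx)
+{
+asm volatile (
+"r0 = 2;"
+"exit;"
+::: __clobber_all);
+}
+
+SEC("lsm/file_free_security")
+__success
+__description("lsm bpf prog with void retval. test 1")
+__naked int void_retval_test1(void *ctx)
+{
+asm volatile (
+"r0 = -4096;"
+"exit;"
+::: __clobber_all);
+}
+
+SEC("lsm/file_free_security")
+__success
+__description("lsm bpf prog with void retval. test 2")
+__naked int void_retval_test2(void *ctx)
+{
+asm volatile (
+"r0 = 4096;"
+"exit;"
+::: __clobber_all);
+}
+
+SEC("lsm/getprocattr")
+__description("lsm disabled hook: getprocattr")
+__failure __msg("points to disabled hook")
+__naked int disabled_hook_test1(void *ctx)
+{
+asm volatile (
+"r0 = 0;"
+"exit;"
+::: __clobber_all);
+}
+
+SEC("lsm/setprocattr")
+__description("lsm disabled hook: setprocattr")
+__failure __msg("points to disabled hook")
+__naked int disabled_hook_test2(void *ctx)
+{
+asm volatile (
+"r0 = 0;"
+"exit;"
+::: __clobber_all);
+}
+
+SEC("lsm/ismaclabel")
+__description("lsm disabled hook: ismaclabel")
+__failure __msg("points to disabled hook")
+__naked int disabled_hook_test3(void *ctx)
+{
+asm volatile (
+"r0 = 0;"
+"exit;"
+::: __clobber_all);
+}
+
+char _license[] SEC("license") = "GPL";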
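Review bot: Every program in verifier_lsm.c loads a constant into r0 before `exit`, so the return-range check is only exercised with smin == smax; no case shows that an R0 with unknown or range-straddling bounds is rejected on an int- or bool-returning hook. A program that exits with an unconstrained scalar, as sketched below, would cover that path; the `__msg` substring is copied from the suffix the existing failure cases already match, and the case has not been run here. Separately, `bool_retval_test2` carries `__success` twice and the errno series is labelled test 1, 2, 4, 5, 6, so the duplicate annotation should be dropped and the numbering made contiguous. The two void-retval cases also put `__success` before `__description`, unlike the rest of the file.

```c
SEC("lsm/file_mprotect")
__description("lsm bpf prog with -4095~0 retval. unknown scalar")
__failure __msg("should have been in [-4095, 0]")
__naked int errno_zero_retval_unknown_scalar(void *ctx)
{
	asm volatile (
	"call %[bpf_get_prandom_u32];"
	"exit;"
	:
	: __imm(bpf_get_prandom_u32)
	: __clobber_all);
}
```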