
sefltests/bpf: Expand sockaddr hook deny tests

This patch expands test coverage for EPERM tests to include connect and
bind calls and rounds out the coverage for sendmsg by adding tests for
sendmsg_unix.

Signed-off-by: Jordan Rife <jrife@google.com>
Link: https://lore.kernel.org/r/20240510190246.3247730-16-jrife@google.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>

authored by

Jordan Rife and committed by
Alexei Starovoitov
dfb7539b 1e0a8367

+378
+342
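--- a/tools/testing/selftests/bpf/prog_tests/sock_addr.c
+++ b/tools/testing/selftests/bpf/prog_tests/sock_addr.c
@@ -439,13 +439,18 @@
 
 BPF_SKEL_FUNCS(bind4_prog, bind_v4_prog);
 BPF_SKEL_FUNCS_RAW(bind4_prog, bind_v4_prog);
+BPF_SKEL_FUNCS(bind4_prog, bind_v4_deny_prog);
 BPF_SKEL_FUNCS(bind6_prog, bind_v6_prog);
 BPF_SKEL_FUNCS_RAW(bind6_prog, bind_v6_prog);
+BPF_SKEL_FUNCS(bind6_prog, bind_v6_deny_prog);
 BPF_SKEL_FUNCS(connect4_prog, connect_v4_prog);
 BPF_SKEL_FUNCS_RAW(connect4_prog, connect_v4_prog);
+BPF_SKEL_FUNCS(connect4_prog, connect_v4_deny_prog);
 BPF_SKEL_FUNCS(connect6_prog, connect_v6_prog);
 BPF_SKEL_FUNCS_RAW(connect6_prog, connect_v6_prog);
+BPF_SKEL_FUNCS(connect6_prog, connect_v6_deny_prog);
 BPF_SKEL_FUNCS(connect_unix_prog, connect_unix_prog);
+BPF_SKEL_FUNCS(connect_unix_prog, connect_unix_deny_prog);
 BPF_SKEL_FUNCS(sendmsg4_prog, sendmsg_v4_prog);
 BPF_SKEL_FUNCS_RAW(sendmsg4_prog, sendmsg_v4_prog);
 BPF_SKEL_FUNCS(sendmsg4_prog, sendmsg_v4_deny_prog);
@@ -456,6 +461,7 @@
 BPF_SKEL_FUNCS(sendmsg6_prog, sendmsg_v6_v4mapped_prog);
 BPF_SKEL_FUNCS(sendmsg6_prog, sendmsg_v6_wildcard_prog);
 BPF_SKEL_FUNCS(sendmsg_unix_prog, sendmsg_unix_prog);
+BPF_SKEL_FUNCS(sendmsg_unix_prog, sendmsg_unix_deny_prog);
 BPF_SKEL_FUNCS(recvmsg4_prog, recvmsg4_prog);
 BPF_SKEL_FUNCS(recvmsg6_prog, recvmsg6_prog);
 BPF_SKEL_FUNCS(recvmsg_unix_prog, recvmsg_unix_prog);
@@ -482,6 +488,22 @@
 },
 {
 SOCK_ADDR_TEST_BIND,
+"bind4: bind deny (stream)",
+bind_v4_deny_prog_load,
+bind_v4_deny_prog_destroy,
+BPF_CGROUP_INET4_BIND,
+&user_ops,
+AF_INET,
+SOCK_STREAM,
+SERV4_IP,
+SERV4_PORT,
+SERV4_REWRITE_IP,
+SERV4_REWRITE_PORT,
+NULL,
+SYSCALL_EPERM,
+},
+{
+SOCK_ADDR_TEST_BIND,
 "bind4: bind (dgram)",
 bind_v4_prog_load,
 bind_v4_prog_destroy,
@@ -495,6 +517,22 @@
 SERV4_REWRITE_PORT,
 NULL,
 SUCCESS,
+},
+{
+SOCK_ADDR_TEST_BIND,
+"bind4: bind deny (dgram)",
+bind_v4_deny_prog_load,
+bind_v4_deny_prog_destroy,
+BPF_CGROUP_INET4_BIND,
+&user_ops,
+AF_INET,
+SOCK_DGRAM,
+SERV4_IP,
+SERV4_PORT,
+SERV4_REWRITE_IP,
+SERV4_REWRITE_PORT,
+NULL,
+SYSCALL_EPERM,
 },
 {
 SOCK_ADDR_TEST_BIND,
@@ -546,6 +584,22 @@
 },
 {
 SOCK_ADDR_TEST_BIND,
+"bind6: bind deny (stream)",
+bind_v6_deny_prog_load,
+bind_v6_deny_prog_destroy,
+BPF_CGROUP_INET6_BIND,
+&user_ops,
+AF_INET6,
+SOCK_STREAM,
+SERV6_IP,
+SERV6_PORT,
+SERV6_REWRITE_IP,
+SERV6_REWRITE_PORT,
+NULL,
+SYSCALL_EPERM,
+},
+{
+SOCK_ADDR_TEST_BIND,
 "bind6: bind (dgram)",
 bind_v6_prog_load,
 bind_v6_prog_destroy,
@@ -559,6 +613,22 @@
 SERV6_REWRITE_PORT,
 NULL,
 SUCCESS,
+},
+{
+SOCK_ADDR_TEST_BIND,
+"bind6: bind deny (dgram)",
+bind_v6_deny_prog_load,
+bind_v6_deny_prog_destroy,
+BPF_CGROUP_INET6_BIND,
+&user_ops,
+AF_INET6,
+SOCK_DGRAM,
+SERV6_IP,
+SERV6_PORT,
+SERV6_REWRITE_IP,
+SERV6_REWRITE_PORT,
+NULL,
+SYSCALL_EPERM,
 },
 {
 SOCK_ADDR_TEST_BIND,
@@ -612,6 +682,22 @@
 },
 {
 SOCK_ADDR_TEST_BIND,
+"bind4: kernel_bind deny (stream)",
+bind_v4_deny_prog_load,
+bind_v4_deny_prog_destroy,
+BPF_CGROUP_INET4_BIND,
+&kern_ops_sock_sendmsg,
+AF_INET,
+SOCK_STREAM,
+SERV4_IP,
+SERV4_PORT,
+SERV4_REWRITE_IP,
+SERV4_REWRITE_PORT,
+NULL,
+SYSCALL_EPERM,
+},
+{
+SOCK_ADDR_TEST_BIND,
 "bind4: kernel_bind (dgram)",
 bind_v4_prog_load,
 bind_v4_prog_destroy,
@@ -625,6 +711,22 @@
 SERV4_REWRITE_PORT,
 NULL,
 SUCCESS,
+},
+{
+SOCK_ADDR_TEST_BIND,
+"bind4: kernel_bind deny (dgram)",
+bind_v4_deny_prog_load,
+bind_v4_deny_prog_destroy,
+BPF_CGROUP_INET4_BIND,
+&kern_ops_sock_sendmsg,
+AF_INET,
+SOCK_DGRAM,
+SERV4_IP,
+SERV4_PORT,
+SERV4_REWRITE_IP,
+SERV4_REWRITE_PORT,
+NULL,
+SYSCALL_EPERM,
 },
 {
 SOCK_ADDR_TEST_BIND,
@@ -644,6 +746,22 @@
 },
 {
 SOCK_ADDR_TEST_BIND,
+"bind6: kernel_bind deny (stream)",
+bind_v6_deny_prog_load,
+bind_v6_deny_prog_destroy,
+BPF_CGROUP_INET6_BIND,
+&kern_ops_sock_sendmsg,
+AF_INET6,
+SOCK_STREAM,
+SERV6_IP,
+SERV6_PORT,
+SERV6_REWRITE_IP,
+SERV6_REWRITE_PORT,
+NULL,
+SYSCALL_EPERM,
+},
+{
+SOCK_ADDR_TEST_BIND,
 "bind6: kernel_bind (dgram)",
 bind_v6_prog_load,
 bind_v6_prog_destroy,
@@ -657,6 +775,22 @@
 SERV6_REWRITE_PORT,
 NULL,
 SUCCESS,
+},
+{
+SOCK_ADDR_TEST_BIND,
+"bind6: kernel_bind deny (dgram)",
+bind_v6_deny_prog_load,
+bind_v6_deny_prog_destroy,
+BPF_CGROUP_INET6_BIND,
+&kern_ops_sock_sendmsg,
+AF_INET6,
+SOCK_DGRAM,
+SERV6_IP,
+SERV6_PORT,
+SERV6_REWRITE_IP,
+SERV6_REWRITE_PORT,
+NULL,
+SYSCALL_EPERM,
 },
 
 /* connect - system calls */
@@ -678,6 +812,22 @@
 },
 {
 SOCK_ADDR_TEST_CONNECT,
+"connect4: connect deny (stream)",
+connect_v4_deny_prog_load,
+connect_v4_deny_prog_destroy,
+BPF_CGROUP_INET4_CONNECT,
+&user_ops,
+AF_INET,
+SOCK_STREAM,
+SERV4_IP,
+SERV4_PORT,
+SERV4_REWRITE_IP,
+SERV4_REWRITE_PORT,
+SRC4_REWRITE_IP,
+SYSCALL_EPERM,
+},
+{
+SOCK_ADDR_TEST_CONNECT,
 "connect4: connect (dgram)",
 connect_v4_prog_load,
 connect_v4_prog_destroy,
@@ -691,6 +841,22 @@
 SERV4_REWRITE_PORT,
 SRC4_REWRITE_IP,
 SUCCESS,
+},
+{
+SOCK_ADDR_TEST_CONNECT,
+"connect4: connect deny (dgram)",
+connect_v4_deny_prog_load,
+connect_v4_deny_prog_destroy,
+BPF_CGROUP_INET4_CONNECT,
+&user_ops,
+AF_INET,
+SOCK_DGRAM,
+SERV4_IP,
+SERV4_PORT,
+SERV4_REWRITE_IP,
+SERV4_REWRITE_PORT,
+SRC4_REWRITE_IP,
+SYSCALL_EPERM,
 },
 {
 SOCK_ADDR_TEST_CONNECT,
@@ -742,6 +908,22 @@
 },
 {
 SOCK_ADDR_TEST_CONNECT,
+"connect6: connect deny (stream)",
+connect_v6_deny_prog_load,
+connect_v6_deny_prog_destroy,
+BPF_CGROUP_INET6_CONNECT,
+&user_ops,
+AF_INET6,
+SOCK_STREAM,
+SERV6_IP,
+SERV6_PORT,
+SERV6_REWRITE_IP,
+SERV6_REWRITE_PORT,
+SRC6_REWRITE_IP,
+SYSCALL_EPERM,
+},
+{
+SOCK_ADDR_TEST_CONNECT,
 "connect6: connect (dgram)",
 connect_v6_prog_load,
 connect_v6_prog_destroy,
@@ -755,6 +937,22 @@
 SERV6_REWRITE_PORT,
 SRC6_REWRITE_IP,
 SUCCESS,
+},
+{
+SOCK_ADDR_TEST_CONNECT,
+"connect6: connect deny (dgram)",
+connect_v6_deny_prog_load,
+connect_v6_deny_prog_destroy,
+BPF_CGROUP_INET6_CONNECT,
+&user_ops,
+AF_INET6,
+SOCK_DGRAM,
+SERV6_IP,
+SERV6_PORT,
+SERV6_REWRITE_IP,
+SERV6_REWRITE_PORT,
+SRC6_REWRITE_IP,
+SYSCALL_EPERM,
 },
 {
 SOCK_ADDR_TEST_CONNECT,
@@ -804,6 +1002,22 @@
 NULL,
 SUCCESS,
 },
+{
+SOCK_ADDR_TEST_CONNECT,
+"connect_unix: connect deny (stream)",
+connect_unix_deny_prog_load,
+connect_unix_deny_prog_destroy,
+BPF_CGROUP_UNIX_CONNECT,
+&user_ops,
+AF_UNIX,
+SOCK_STREAM,
+SERVUN_ADDRESS,
+0,
+SERVUN_REWRITE_ADDRESS,
+0,
+NULL,
+SYSCALL_EPERM,
+},
 
 /* connect - kernel calls */
 {
@@ -824,6 +1038,22 @@
 },
 {
 SOCK_ADDR_TEST_CONNECT,
+"connect4: kernel_connect deny (stream)",
+connect_v4_deny_prog_load,
+connect_v4_deny_prog_destroy,
+BPF_CGROUP_INET4_CONNECT,
+&kern_ops_sock_sendmsg,
+AF_INET,
+SOCK_STREAM,
+SERV4_IP,
+SERV4_PORT,
+SERV4_REWRITE_IP,
+SERV4_REWRITE_PORT,
+SRC4_REWRITE_IP,
+SYSCALL_EPERM,
+},
+{
+SOCK_ADDR_TEST_CONNECT,
 "connect4: kernel_connect (dgram)",
 connect_v4_prog_load,
 connect_v4_prog_destroy,
@@ -837,6 +1067,22 @@
 SERV4_REWRITE_PORT,
 SRC4_REWRITE_IP,
 SUCCESS,
+},
+{
+SOCK_ADDR_TEST_CONNECT,
+"connect4: kernel_connect deny (dgram)",
+connect_v4_deny_prog_load,
+connect_v4_deny_prog_destroy,
+BPF_CGROUP_INET4_CONNECT,
+&kern_ops_sock_sendmsg,
+AF_INET,
+SOCK_DGRAM,
+SERV4_IP,
+SERV4_PORT,
+SERV4_REWRITE_IP,
+SERV4_REWRITE_PORT,
+SRC4_REWRITE_IP,
+SYSCALL_EPERM,
 },
 {
 SOCK_ADDR_TEST_CONNECT,
@@ -856,6 +1102,22 @@
 },
 {
 SOCK_ADDR_TEST_CONNECT,
+"connect6: kernel_connect deny (stream)",
+connect_v6_deny_prog_load,
+connect_v6_deny_prog_destroy,
+BPF_CGROUP_INET6_CONNECT,
+&kern_ops_sock_sendmsg,
+AF_INET6,
+SOCK_STREAM,
+SERV6_IP,
+SERV6_PORT,
+SERV6_REWRITE_IP,
+SERV6_REWRITE_PORT,
+SRC6_REWRITE_IP,
+SYSCALL_EPERM,
+},
+{
+SOCK_ADDR_TEST_CONNECT,
 "connect6: kernel_connect (dgram)",
 connect_v6_prog_load,
 connect_v6_prog_destroy,
@@ -872,6 +1134,22 @@
 },
 {
 SOCK_ADDR_TEST_CONNECT,
+"connect6: kernel_connect deny (dgram)",
+connect_v6_deny_prog_load,
+connect_v6_deny_prog_destroy,
+BPF_CGROUP_INET6_CONNECT,
+&kern_ops_sock_sendmsg,
+AF_INET6,
+SOCK_DGRAM,
+SERV6_IP,
+SERV6_PORT,
+SERV6_REWRITE_IP,
+SERV6_REWRITE_PORT,
+SRC6_REWRITE_IP,
+SYSCALL_EPERM,
+},
+{
+SOCK_ADDR_TEST_CONNECT,
 "connect_unix: kernel_connect (dgram)",
 connect_unix_prog_load,
 connect_unix_prog_destroy,
@@ -885,6 +1163,22 @@
 0,
 NULL,
 SUCCESS,
+},
+{
+SOCK_ADDR_TEST_CONNECT,
+"connect_unix: kernel_connect deny (dgram)",
+connect_unix_deny_prog_load,
+connect_unix_deny_prog_destroy,
+BPF_CGROUP_UNIX_CONNECT,
+&kern_ops_sock_sendmsg,
+AF_UNIX,
+SOCK_STREAM,
+SERVUN_ADDRESS,
+0,
+SERVUN_REWRITE_ADDRESS,
+0,
+NULL,
+SYSCALL_EPERM,
 },
 
 /* sendmsg - system calls */
@@ -1080,6 +1374,22 @@
 NULL,
 SUCCESS,
 },
+{
+SOCK_ADDR_TEST_SENDMSG,
+"sendmsg_unix: sendmsg deny (dgram)",
+sendmsg_unix_deny_prog_load,
+sendmsg_unix_deny_prog_destroy,
+BPF_CGROUP_UNIX_SENDMSG,
+&user_ops,
+AF_UNIX,
+SOCK_DGRAM,
+SERVUN_ADDRESS,
+0,
+SERVUN_REWRITE_ADDRESS,
+0,
+NULL,
+SYSCALL_EPERM,
+},
 
 /* sendmsg - kernel calls (sock_sendmsg) */
 {
@@ -1178,6 +1488,22 @@
 NULL,
 SUCCESS,
 },
+{
+SOCK_ADDR_TEST_SENDMSG,
+"sendmsg_unix: sock_sendmsg deny (dgram)",
+sendmsg_unix_deny_prog_load,
+sendmsg_unix_deny_prog_destroy,
+BPF_CGROUP_UNIX_SENDMSG,
+&kern_ops_sock_sendmsg,
+AF_UNIX,
+SOCK_DGRAM,
+SERVUN_ADDRESS,
+0,
+SERVUN_REWRITE_ADDRESS,
+0,
+NULL,
+SYSCALL_EPERM,
+},
 
 /* sendmsg - kernel calls (kernel_sendmsg) */
 {
@@ -1275,6 +1601,22 @@
 0,
 NULL,
 SUCCESS,
+},
+{
+SOCK_ADDR_TEST_SENDMSG,
+"sendmsg_unix: kernel_sendmsg deny (dgram)",
+sendmsg_unix_deny_prog_load,
+sendmsg_unix_deny_prog_destroy,
+BPF_CGROUP_UNIX_SENDMSG,
+&kern_ops_kernel_sendmsg,
+AF_UNIX,
+SOCK_DGRAM,
+SERVUN_ADDRESS,
+0,
+SERVUN_REWRITE_ADDRESS,
+0,
+NULL,
+SYSCALL_EPERM,
 },
 
 /* recvmsg - system calls */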
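Review bot: The added entry named "connect_unix: kernel_connect deny (dgram)" sets its socket type to `SOCK_STREAM`, so the test label and the socket under test disagree; the user-space counterpart added in this commit is labelled "(stream)" with the same type. Either rename it to `"connect_unix: kernel_connect deny (stream)"` or change the type field to `SOCK_DGRAM`, whichever matches the intent. As written, a reader of the test results would assume the AF_UNIX datagram connect deny path is covered, while no entry visible in these hunks exercises it. The neighbouring context entry "connect_unix: kernel_connect (dgram)" may carry the same mismatch, but its type field lies outside the hunk, as does the start and end of the table these initialisers belong to.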
+6
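--- a/tools/testing/selftests/bpf/progs/bind4_prog.c
+++ b/tools/testing/selftests/bpf/progs/bind4_prog.c
@@ -158,4 +158,10 @@
 return 1;
 }
 
+SEC("cgroup/bind4")
+int bind_v4_deny_prog(struct bpf_sock_addr *ctx)
+{
+return 0;
+}
+
 char _license[] SEC("license") = "GPL";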
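Review bot: `bind_v4_deny_prog` carries no comment saying why it returns 0, and the same holds for the deny programs added to bind6_prog.c, connect4_prog.c, connect6_prog.c, connect_unix_prog.c and sendmsg_unix_prog.c. For cgroup sock_addr hooks a return value of 0 rejects the call and the caller sees EPERM, which is what the `SYSCALL_EPERM` expectations in sock_addr.c depend on. A one-line comment above each `return 0;`, such as `/* Returning 0 rejects the call; the caller sees EPERM. */`, would make the contract explicit and show that `ctx` is left unused on purpose.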
+6
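--- a/tools/testing/selftests/bpf/progs/bind6_prog.c
+++ b/tools/testing/selftests/bpf/progs/bind6_prog.c
@@ -175,4 +175,10 @@
 return 1;
 }
 
+SEC("cgroup/bind6")
+int bind_v6_deny_prog(struct bpf_sock_addr *ctx)
+{
+return 0;
+}
+
 char _license[] SEC("license") = "GPL";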
+6
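--- a/tools/testing/selftests/bpf/progs/connect4_prog.c
+++ b/tools/testing/selftests/bpf/progs/connect4_prog.c
@@ -199,4 +199,10 @@
 return do_bind(ctx) ? 1 : 0;
 }
 
+SEC("cgroup/connect4")
+int connect_v4_deny_prog(struct bpf_sock_addr *ctx)
+{
+return 0;
+}
+
 char _license[] SEC("license") = "GPL";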
+6
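--- a/tools/testing/selftests/bpf/progs/connect6_prog.c
+++ b/tools/testing/selftests/bpf/progs/connect6_prog.c
@@ -90,4 +90,10 @@
 return 1;
 }
 
+SEC("cgroup/connect6")
+int connect_v6_deny_prog(struct bpf_sock_addr *ctx)
+{
+return 0;
+}
+
 char _license[] SEC("license") = "GPL";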
+6
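--- a/tools/testing/selftests/bpf/progs/connect_unix_prog.c
+++ b/tools/testing/selftests/bpf/progs/connect_unix_prog.c
@@ -36,4 +36,10 @@
 return 1;
 }
 
+SEC("cgroup/connect_unix")
+int connect_unix_deny_prog(struct bpf_sock_addr *ctx)
+{
+return 0;
+}
+
 char _license[] SEC("license") = "GPL";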
+6
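--- a/tools/testing/selftests/bpf/progs/sendmsg_unix_prog.c
+++ b/tools/testing/selftests/bpf/progs/sendmsg_unix_prog.c
@@ -36,4 +36,10 @@
 return 1;
 }
 
+SEC("cgroup/sendmsg_unix")
+int sendmsg_unix_deny_prog(struct bpf_sock_addr *ctx)
+{
+return 0;
+}
+
 char _license[] SEC("license") = "GPL";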