006c0e44ed
Extend prog_tests with two test cases: # ./test_progs --allow=verifier_netfilter_retcode #278/1 verifier_netfilter_retcode/bpf_exit with invalid return code. test1:OK #278/2 verifier_netfilter_retcode/bpf_exit with valid return code. test2:OK #278/3 verifier_netfilter_retcode/bpf_exit with valid return code. test3:OK #278/4 verifier_netfilter_retcode/bpf_exit with invalid return code. test4:OK #278 verifier_netfilter_retcode:OK This checks that only accept and drop (0,1) are permitted. NF_QUEUE could be implemented later if we can guarantee that attachment of such programs can be rejected if they get attached to a pf/hook that doesn't support async reinjection. NF_STOLEN could be implemented via trusted helpers that can guarantee that the skb will eventually be free'd. v4: test case for bpf_nf_ctx access checks, requested by Alexei Starovoitov. v5: also check ctx->{state,skb} can be dereferenced (Alexei). # ./test_progs --allow=verifier_netfilter_ctx #281/1 verifier_netfilter_ctx/netfilter invalid context access, size too short:OK #281/2 verifier_netfilter_ctx/netfilter invalid context access, size too short:OK #281/3 verifier_netfilter_ctx/netfilter invalid context access, past end of ctx:OK #281/4 verifier_netfilter_ctx/netfilter invalid context, write:OK #281/5 verifier_netfilter_ctx/netfilter valid context read and invalid write:OK #281/6 verifier_netfilter_ctx/netfilter test prog with skb and state read access:OK #281/7 verifier_netfilter_ctx/netfilter test prog with skb and state read access @unpriv:OK #281 verifier_netfilter_ctx:OK Summary: 1/7 PASSED, 0 SKIPPED, 0 FAILED This checks: 1/2: partial reads of ctx->{skb,state} are rejected 3. read access past sizeof(ctx) is rejected 4. write to ctx content, e.g. 'ctx->skb = NULL;' is rejected 5. ctx->state content cannot be altered 6. ctx->state and ctx->skb can be dereferenced 7. ... same program fails for unpriv (CAP_NET_ADMIN needed). Link: https://lore.kernel.org/bpf/20230419021152.sjq4gttphzzy6b5f@dhcp-172-26-102-232.dhcp.thefacebook.com/ Link: https://lore.kernel.org/bpf/20230420201655.77kkgi3dh7fesoll@MacBook-Pro-6.local/ Signed-off-by: Florian Westphal <fw@strlen.de> Link: https://lore.kernel.org/r/20230421170300.24115-8-fw@strlen.de Signed-off-by: Alexei Starovoitov <ast@kernel.org>
150 lines
6.4 KiB
C
150 lines
6.4 KiB
C
// SPDX-License-Identifier: GPL-2.0-only
|
|
|
|
#include <test_progs.h>
|
|
|
|
#include "cap_helpers.h"
|
|
#include "verifier_and.skel.h"
|
|
#include "verifier_array_access.skel.h"
|
|
#include "verifier_basic_stack.skel.h"
|
|
#include "verifier_bounds_deduction.skel.h"
|
|
#include "verifier_bounds_deduction_non_const.skel.h"
|
|
#include "verifier_bounds_mix_sign_unsign.skel.h"
|
|
#include "verifier_cfg.skel.h"
|
|
#include "verifier_cgroup_inv_retcode.skel.h"
|
|
#include "verifier_cgroup_skb.skel.h"
|
|
#include "verifier_cgroup_storage.skel.h"
|
|
#include "verifier_const_or.skel.h"
|
|
#include "verifier_ctx_sk_msg.skel.h"
|
|
#include "verifier_direct_stack_access_wraparound.skel.h"
|
|
#include "verifier_div0.skel.h"
|
|
#include "verifier_div_overflow.skel.h"
|
|
#include "verifier_helper_access_var_len.skel.h"
|
|
#include "verifier_helper_packet_access.skel.h"
|
|
#include "verifier_helper_restricted.skel.h"
|
|
#include "verifier_helper_value_access.skel.h"
|
|
#include "verifier_int_ptr.skel.h"
|
|
#include "verifier_ld_ind.skel.h"
|
|
#include "verifier_leak_ptr.skel.h"
|
|
#include "verifier_map_ptr.skel.h"
|
|
#include "verifier_map_ret_val.skel.h"
|
|
#include "verifier_masking.skel.h"
|
|
#include "verifier_meta_access.skel.h"
|
|
#include "verifier_netfilter_ctx.skel.h"
|
|
#include "verifier_netfilter_retcode.skel.h"
|
|
#include "verifier_raw_stack.skel.h"
|
|
#include "verifier_raw_tp_writable.skel.h"
|
|
#include "verifier_reg_equal.skel.h"
|
|
#include "verifier_ringbuf.skel.h"
|
|
#include "verifier_spill_fill.skel.h"
|
|
#include "verifier_stack_ptr.skel.h"
|
|
#include "verifier_uninit.skel.h"
|
|
#include "verifier_value_adj_spill.skel.h"
|
|
#include "verifier_value.skel.h"
|
|
#include "verifier_value_or_null.skel.h"
|
|
#include "verifier_var_off.skel.h"
|
|
#include "verifier_xadd.skel.h"
|
|
#include "verifier_xdp.skel.h"
|
|
#include "verifier_xdp_direct_packet_access.skel.h"
|
|
|
|
#define MAX_ENTRIES 11
|
|
|
|
struct test_val {
|
|
unsigned int index;
|
|
int foo[MAX_ENTRIES];
|
|
};
|
|
|
|
__maybe_unused
|
|
static void run_tests_aux(const char *skel_name,
|
|
skel_elf_bytes_fn elf_bytes_factory,
|
|
pre_execution_cb pre_execution_cb)
|
|
{
|
|
struct test_loader tester = {};
|
|
__u64 old_caps;
|
|
int err;
|
|
|
|
/* test_verifier tests are executed w/o CAP_SYS_ADMIN, do the same here */
|
|
err = cap_disable_effective(1ULL << CAP_SYS_ADMIN, &old_caps);
|
|
if (err) {
|
|
PRINT_FAIL("failed to drop CAP_SYS_ADMIN: %i, %s\n", err, strerror(err));
|
|
return;
|
|
}
|
|
|
|
test_loader__set_pre_execution_cb(&tester, pre_execution_cb);
|
|
test_loader__run_subtests(&tester, skel_name, elf_bytes_factory);
|
|
test_loader_fini(&tester);
|
|
|
|
err = cap_enable_effective(old_caps, NULL);
|
|
if (err)
|
|
PRINT_FAIL("failed to restore CAP_SYS_ADMIN: %i, %s\n", err, strerror(err));
|
|
}
|
|
|
|
#define RUN(skel) run_tests_aux(#skel, skel##__elf_bytes, NULL)
|
|
|
|
void test_verifier_and(void) { RUN(verifier_and); }
|
|
void test_verifier_basic_stack(void) { RUN(verifier_basic_stack); }
|
|
void test_verifier_bounds_deduction(void) { RUN(verifier_bounds_deduction); }
|
|
void test_verifier_bounds_deduction_non_const(void) { RUN(verifier_bounds_deduction_non_const); }
|
|
void test_verifier_bounds_mix_sign_unsign(void) { RUN(verifier_bounds_mix_sign_unsign); }
|
|
void test_verifier_cfg(void) { RUN(verifier_cfg); }
|
|
void test_verifier_cgroup_inv_retcode(void) { RUN(verifier_cgroup_inv_retcode); }
|
|
void test_verifier_cgroup_skb(void) { RUN(verifier_cgroup_skb); }
|
|
void test_verifier_cgroup_storage(void) { RUN(verifier_cgroup_storage); }
|
|
void test_verifier_const_or(void) { RUN(verifier_const_or); }
|
|
void test_verifier_ctx_sk_msg(void) { RUN(verifier_ctx_sk_msg); }
|
|
void test_verifier_direct_stack_access_wraparound(void) { RUN(verifier_direct_stack_access_wraparound); }
|
|
void test_verifier_div0(void) { RUN(verifier_div0); }
|
|
void test_verifier_div_overflow(void) { RUN(verifier_div_overflow); }
|
|
void test_verifier_helper_access_var_len(void) { RUN(verifier_helper_access_var_len); }
|
|
void test_verifier_helper_packet_access(void) { RUN(verifier_helper_packet_access); }
|
|
void test_verifier_helper_restricted(void) { RUN(verifier_helper_restricted); }
|
|
void test_verifier_helper_value_access(void) { RUN(verifier_helper_value_access); }
|
|
void test_verifier_int_ptr(void) { RUN(verifier_int_ptr); }
|
|
void test_verifier_ld_ind(void) { RUN(verifier_ld_ind); }
|
|
void test_verifier_leak_ptr(void) { RUN(verifier_leak_ptr); }
|
|
void test_verifier_map_ptr(void) { RUN(verifier_map_ptr); }
|
|
void test_verifier_map_ret_val(void) { RUN(verifier_map_ret_val); }
|
|
void test_verifier_masking(void) { RUN(verifier_masking); }
|
|
void test_verifier_meta_access(void) { RUN(verifier_meta_access); }
|
|
void test_verifier_netfilter_ctx(void) { RUN(verifier_netfilter_ctx); }
|
|
void test_verifier_netfilter_retcode(void) { RUN(verifier_netfilter_retcode); }
|
|
void test_verifier_raw_stack(void) { RUN(verifier_raw_stack); }
|
|
void test_verifier_raw_tp_writable(void) { RUN(verifier_raw_tp_writable); }
|
|
void test_verifier_reg_equal(void) { RUN(verifier_reg_equal); }
|
|
void test_verifier_ringbuf(void) { RUN(verifier_ringbuf); }
|
|
void test_verifier_spill_fill(void) { RUN(verifier_spill_fill); }
|
|
void test_verifier_stack_ptr(void) { RUN(verifier_stack_ptr); }
|
|
void test_verifier_uninit(void) { RUN(verifier_uninit); }
|
|
void test_verifier_value_adj_spill(void) { RUN(verifier_value_adj_spill); }
|
|
void test_verifier_value(void) { RUN(verifier_value); }
|
|
void test_verifier_value_or_null(void) { RUN(verifier_value_or_null); }
|
|
void test_verifier_var_off(void) { RUN(verifier_var_off); }
|
|
void test_verifier_xadd(void) { RUN(verifier_xadd); }
|
|
void test_verifier_xdp(void) { RUN(verifier_xdp); }
|
|
void test_verifier_xdp_direct_packet_access(void) { RUN(verifier_xdp_direct_packet_access); }
|
|
|
|
static int init_array_access_maps(struct bpf_object *obj)
|
|
{
|
|
struct bpf_map *array_ro;
|
|
struct test_val value = {
|
|
.index = (6 + 1) * sizeof(int),
|
|
.foo[6] = 0xabcdef12,
|
|
};
|
|
int err, key = 0;
|
|
|
|
array_ro = bpf_object__find_map_by_name(obj, "map_array_ro");
|
|
if (!ASSERT_OK_PTR(array_ro, "lookup map_array_ro"))
|
|
return -EINVAL;
|
|
|
|
err = bpf_map_update_elem(bpf_map__fd(array_ro), &key, &value, 0);
|
|
if (!ASSERT_OK(err, "map_array_ro update"))
|
|
return err;
|
|
|
|
return 0;
|
|
}
|
|
|
|
void test_verifier_array_access(void)
|
|
{
|
|
run_tests_aux("verifier_array_access",
|
|
verifier_array_access__elf_bytes,
|
|
init_array_access_maps);
|
|
}
|