author | Andrii Nakryiko <andrii@kernel.org> | 2024-01-23 18:21:27 -0800 |
---|---|---|
committer | Alexei Starovoitov <ast@kernel.org> | 2024-01-24 16:21:03 -0800 |
commit | 906ee42cb1be1152ef24465704cc89edc3f571c1 (patch) | |
tree | d9b85c5c1cc0518b3c7d98fbd814a4aa51b636d5 /tools/testing/selftests/bpf/progs/token_lsm.c | |
parent | fadf54935e859c4d512aed6ad54f639b87a3b4d3 (diff) | |
selftests/bpf: Incorporate LSM policy to token-based tests
Add tests for LSM interactions (both the bpf_token_capable and bpf_token_cmd
LSM hooks) with a BPF token in the bpf() subsystem. The child process now
passes the token FD back to the parent so that the parent can run tests with
a token originating in the "wrong" userns. We also create a token in the initns
and check that the token LSM hooks don't accidentally reject BPF operations
when the capable() checks pass without a BPF token.
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Link: https://lore.kernel.org/bpf/20240124022127.2379740-31-andrii@kernel.org
Diffstat (limited to 'tools/testing/selftests/bpf/progs/token_lsm.c')
-rw-r--r-- | tools/testing/selftests/bpf/progs/token_lsm.c | 32 |
1 files changed, 32 insertions, 0 deletions
diff --git a/tools/testing/selftests/bpf/progs/token_lsm.c b/tools/testing/selftests/bpf/progs/token_lsm.c
new file mode 100644
index 000000000000..e4d59b6ba743
--- /dev/null
+++ b/tools/testing/selftests/bpf/progs/token_lsm.c
@@ -0,0 +1,32 @@
+// SPDX-License-Identifier: GPL-2.0
+/* Copyright (c) 2024 Meta Platforms, Inc. and affiliates. */
+
+#include "vmlinux.h"
+#include <bpf/bpf_helpers.h>
+#include <bpf/bpf_tracing.h>
+
+char _license[] SEC("license") = "GPL";
+
+int my_pid;
+bool reject_capable;
+bool reject_cmd;
+
+SEC("lsm/bpf_token_capable")
+int BPF_PROG(token_capable, struct bpf_token *token, int cap)
+{
+ if (my_pid == 0 || my_pid != (bpf_get_current_pid_tgid() >> 32))
+ return 0;
+ if (reject_capable)
+ return -1;
+ return 0;
+}
+
+SEC("lsm/bpf_token_cmd")
+int BPF_PROG(token_cmd, struct bpf_token *token, enum bpf_cmd cmd)
+{
+ if (my_pid == 0 || my_pid != (bpf_get_current_pid_tgid() >> 32))
+ return 0;
+ if (reject_cmd)
+ return -1;
+ return 0;
+}
|
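Review bot: Both token_capable and token_cmd reject with a bare `return -1;`, which the LSM layer passes through as an errno value; spelling it `return -EPERM;` (adding `#include <errno.h>` alongside the existing includes, if that header is available to these programs) would state the intended denial code instead of relying on the reader knowing that -1 happens to equal -EPERM. The pid filter on the first line of each hook also deserves a comment, since `my_pid == 0` is doing double duty as "not configured, allow everything": `/* only enforce for the test process; my_pid == 0 means the filter is unset */`. The comparison mixes an `int` with the `u64` result of `bpf_get_current_pid_tgid() >> 32`, which is fine for positive pids but worth a glance if my_pid could ever be set negative. Since both hooks share the identical filter, a small `static __always_inline bool is_test_process(void)` helper would keep the two conditions from drifting apart.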