From patchwork Fri May 22 04:24:23 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: John Fastabend X-Patchwork-Id: 218732 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.6 required=3.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM, HEADER_FROM_DIFFERENT_DOMAINS, INCLUDES_PATCH, MAILING_LIST_MULTI, SIGNED_OFF_BY, SPF_HELO_NONE, SPF_PASS, URIBL_BLOCKED autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 09EF6C433E0 for ; Fri, 22 May 2020 04:24:41 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id DA69C206DD for ; Fri, 22 May 2020 04:24:40 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="cT1HgshI" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727855AbgEVEYk (ORCPT ); Fri, 22 May 2020 00:24:40 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:44332 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726286AbgEVEYk (ORCPT ); Fri, 22 May 2020 00:24:40 -0400 Received: from mail-pf1-x444.google.com (mail-pf1-x444.google.com [IPv6:2607:f8b0:4864:20::444]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 0EB22C061A0E; Thu, 21 May 2020 21:24:40 -0700 (PDT) Received: by mail-pf1-x444.google.com with SMTP id y198so4629806pfb.4; Thu, 21 May 2020 21:24:40 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:from:to:cc:date:message-id:in-reply-to:references :user-agent:mime-version:content-transfer-encoding; bh=8be0dtX8Bx/Brc6sNGJ5yvfgieIe1YrD5dF5nmEn7pI=; b=cT1HgshI4I0n0b+SflxNfDkbf3zlrNCPRS4X8hXeDgqoYfdLwjOV3W1MWt1xlFmxrA m7iHWHlT+//ig2t27WQ7HdDP97+P5IdCjyMTNb9sXqx5q1O2KA40Q68cs3QbciM8BFXw TwOKaEDCQMxcDCr0SKpeEvRIEvB8J8mwyQrwix0/cHyewP721JR3UBUKdDt88u0QnRaO Y8FECRUQlDk8SNX+ybqNsrnpJYCy6+lqmX8h0RAX7sDC24Moj5K654ebrkMdkPQg/T+J r+xdypLY75GTTRGFZDwP7aUiFgjgAVyD87WG6v6+H5DaSbc+fwV+hhasrtZZoTVUYxlx 3VaQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:from:to:cc:date:message-id:in-reply-to :references:user-agent:mime-version:content-transfer-encoding; bh=8be0dtX8Bx/Brc6sNGJ5yvfgieIe1YrD5dF5nmEn7pI=; b=CtrYaZ9g71ZiWv0EOR1eN/Tz6LDEM/SNnzJ6s9jt6LFhjbTxzihGsb4pgCgGE2wDE+ WykvHsr4pqPiGJjTMJSr5/fap9ZfCFYuuhCqdSLfD11kDfx0Zct3rCmwmjpUAGTe6CZ4 QRhgMTjE3vXPBH5ADMwoAG/udJM7u0TxtgobwiccAhyDTv+OnO1ZSG7662wL4elZcOFd YoFYaxhcmDUt5shHBPuTYdvZKQfsKMWQW5JfQ/RsjlDSvQLSfnvhQ6QOiqyiDXfJk1cl fhlVquX4Gs1IzEMnqYX/BdMgGRdA/P7QdBtwUe/CexBwlzY0Gtg+1mkZRjFLrYH7Irg1 R99w== X-Gm-Message-State: AOAM532MOgTcnNd47JtDuGZrJegqC9FNgInj/RYtrjohtDXfmUcuFTX4 J/IOhmipbaPsXI4DiAG80Hk= X-Google-Smtp-Source: ABdhPJx5ymzSVvKTn0gURA/z/0XsLCCNRlJiQtWV7lcVHXjPgQhzf8ET2yF2LpNvTBw17/HABs+gJQ== X-Received: by 2002:a62:19d5:: with SMTP id 204mr2159724pfz.189.1590121479566; Thu, 21 May 2020 21:24:39 -0700 (PDT) Received: from [127.0.1.1] ([184.63.162.180]) by smtp.gmail.com with ESMTPSA id z23sm4931236pga.86.2020.05.21.21.24.29 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Thu, 21 May 2020 21:24:38 -0700 (PDT) Subject: [bpf-next PATCH v4 2/5] bpf: extend bpf_base_func_proto helpers with probe_* and *current_task* From: John Fastabend To: yhs@fb.com, andrii.nakryiko@gmail.com, ast@kernel.org, daniel@iogearbox.net Cc: netdev@vger.kernel.org, bpf@vger.kernel.org, john.fastabend@gmail.com, jakub@cloudflare.com, lmb@cloudflare.com Date: Thu, 21 May 2020 21:24:23 -0700 Message-ID: <159012146282.14791.7652481804905295417.stgit@john-Precision-5820-Tower> In-Reply-To: <159012108670.14791.18091717338621259928.stgit@john-Precision-5820-Tower> References: <159012108670.14791.18091717338621259928.stgit@john-Precision-5820-Tower> User-Agent: StGit/0.17.1-dirty MIME-Version: 1.0 Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org Often it is useful when applying policy to know something about the task. If the administrator has CAP_SYS_ADMIN rights then they can use kprobe + networking hook and link the two programs together to accomplish this. However, this is a bit clunky and also means we have to call both the network program and kprobe program when we could just use a single program and avoid passing metadata through sk_msg/skb->cb, socket, maps, etc. To accomplish this add probe_* helpers to bpf_base_func_proto programs guarded by a perfmon_capable() check. New supported helpers are the following, BPF_FUNC_get_current_task BPF_FUNC_current_task_under_cgroup BPF_FUNC_probe_read_user BPF_FUNC_probe_read_kernel BPF_FUNC_probe_read_user_str BPF_FUNC_probe_read_kernel_str Signed-off-by: John Fastabend Acked-by: Yonghong Song --- 0 files changed diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c index 886949f..ee992dd 100644 --- a/kernel/bpf/helpers.c +++ b/kernel/bpf/helpers.c @@ -601,6 +601,13 @@ const struct bpf_func_proto bpf_event_output_data_proto = { .arg5_type = ARG_CONST_SIZE_OR_ZERO, }; +const struct bpf_func_proto bpf_current_task_under_cgroup_proto __weak; +const struct bpf_func_proto bpf_get_current_task_proto __weak; +const struct bpf_func_proto bpf_probe_read_user_proto __weak; +const struct bpf_func_proto bpf_probe_read_user_str_proto __weak; +const struct bpf_func_proto bpf_probe_read_kernel_proto __weak; +const struct bpf_func_proto bpf_probe_read_kernel_str_proto __weak; + const struct bpf_func_proto * bpf_base_func_proto(enum bpf_func_id func_id) { @@ -648,6 +655,26 @@ bpf_base_func_proto(enum bpf_func_id func_id) case BPF_FUNC_jiffies64: return &bpf_jiffies64_proto; default: + break; + } + + if (!perfmon_capable()) + return NULL; + + switch (func_id) { + case BPF_FUNC_get_current_task: + return &bpf_get_current_task_proto; + case BPF_FUNC_current_task_under_cgroup: + return &bpf_current_task_under_cgroup_proto; + case BPF_FUNC_probe_read_user: + return &bpf_probe_read_user_proto; + case BPF_FUNC_probe_read_kernel: + return &bpf_probe_read_kernel_proto; + case BPF_FUNC_probe_read_user_str: + return &bpf_probe_read_user_str_proto; + case BPF_FUNC_probe_read_kernel_str: + return &bpf_probe_read_kernel_str_proto; + default: return NULL; } } diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c index 9531f54..6fabbc4 100644 --- a/kernel/trace/bpf_trace.c +++ b/kernel/trace/bpf_trace.c @@ -147,7 +147,7 @@ BPF_CALL_3(bpf_probe_read_user, void *, dst, u32, size, return ret; } -static const struct bpf_func_proto bpf_probe_read_user_proto = { +const struct bpf_func_proto bpf_probe_read_user_proto = { .func = bpf_probe_read_user, .gpl_only = true, .ret_type = RET_INTEGER, @@ -167,7 +167,7 @@ BPF_CALL_3(bpf_probe_read_user_str, void *, dst, u32, size, return ret; } -static const struct bpf_func_proto bpf_probe_read_user_str_proto = { +const struct bpf_func_proto bpf_probe_read_user_str_proto = { .func = bpf_probe_read_user_str, .gpl_only = true, .ret_type = RET_INTEGER, @@ -198,7 +198,7 @@ BPF_CALL_3(bpf_probe_read_kernel, void *, dst, u32, size, return bpf_probe_read_kernel_common(dst, size, unsafe_ptr, false); } -static const struct bpf_func_proto bpf_probe_read_kernel_proto = { +const struct bpf_func_proto bpf_probe_read_kernel_proto = { .func = bpf_probe_read_kernel, .gpl_only = true, .ret_type = RET_INTEGER, @@ -213,7 +213,7 @@ BPF_CALL_3(bpf_probe_read_compat, void *, dst, u32, size, return bpf_probe_read_kernel_common(dst, size, unsafe_ptr, true); } -static const struct bpf_func_proto bpf_probe_read_compat_proto = { +const struct bpf_func_proto bpf_probe_read_compat_proto = { .func = bpf_probe_read_compat, .gpl_only = true, .ret_type = RET_INTEGER, @@ -253,7 +253,7 @@ BPF_CALL_3(bpf_probe_read_kernel_str, void *, dst, u32, size, return bpf_probe_read_kernel_str_common(dst, size, unsafe_ptr, false); } -static const struct bpf_func_proto bpf_probe_read_kernel_str_proto = { +const struct bpf_func_proto bpf_probe_read_kernel_str_proto = { .func = bpf_probe_read_kernel_str, .gpl_only = true, .ret_type = RET_INTEGER, @@ -268,7 +268,7 @@ BPF_CALL_3(bpf_probe_read_compat_str, void *, dst, u32, size, return bpf_probe_read_kernel_str_common(dst, size, unsafe_ptr, true); } -static const struct bpf_func_proto bpf_probe_read_compat_str_proto = { +const struct bpf_func_proto bpf_probe_read_compat_str_proto = { .func = bpf_probe_read_compat_str, .gpl_only = true, .ret_type = RET_INTEGER, @@ -907,7 +907,7 @@ BPF_CALL_0(bpf_get_current_task) return (long) current; } -static const struct bpf_func_proto bpf_get_current_task_proto = { +const struct bpf_func_proto bpf_get_current_task_proto = { .func = bpf_get_current_task, .gpl_only = true, .ret_type = RET_INTEGER, @@ -928,7 +928,7 @@ BPF_CALL_2(bpf_current_task_under_cgroup, struct bpf_map *, map, u32, idx) return task_under_cgroup_hierarchy(current, cgrp); } -static const struct bpf_func_proto bpf_current_task_under_cgroup_proto = { +const struct bpf_func_proto bpf_current_task_under_cgroup_proto = { .func = bpf_current_task_under_cgroup, .gpl_only = false, .ret_type = RET_INTEGER, From patchwork Fri May 22 04:25:06 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: John Fastabend X-Patchwork-Id: 218731 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.6 required=3.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM, HEADER_FROM_DIFFERENT_DOMAINS, INCLUDES_PATCH, MAILING_LIST_MULTI, SIGNED_OFF_BY, SPF_HELO_NONE, SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id F035BC433E1 for ; Fri, 22 May 2020 04:25:24 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id D05D1206F6 for ; Fri, 22 May 2020 04:25:24 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="n1TWrpNJ" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728009AbgEVEZY (ORCPT ); Fri, 22 May 2020 00:25:24 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:44448 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726286AbgEVEZY (ORCPT ); Fri, 22 May 2020 00:25:24 -0400 Received: from mail-pg1-x52e.google.com (mail-pg1-x52e.google.com [IPv6:2607:f8b0:4864:20::52e]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 152A9C061A0E; Thu, 21 May 2020 21:25:24 -0700 (PDT) Received: by mail-pg1-x52e.google.com with SMTP id s10so4435726pgm.0; Thu, 21 May 2020 21:25:24 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:from:to:cc:date:message-id:in-reply-to:references :user-agent:mime-version:content-transfer-encoding; bh=P1MJ05uFAxDfNHMQqVnK1prcFqS5udLDYsJyc1jGlFg=; b=n1TWrpNJZmdBlO7ubJPEI57aDbYEJ5DrAAJ7t8xGQ2+ToJc3m3G+dope/ZwK8dEdMk tXDEK6sYbh0cPv5VsIqh3xM47k4Lc1wG9JCeQEXczGfF0H4Z+23VtZbnLKXLeExhmXvT BEJmgqNA0eppJN+mfM3fGbXZkbOLt51YCAnVOhIR0d2wIt5xFRfcpKYyv4iTfScuafW0 SzHil8c85fPTGIyBM1K/2Fc6eRjl/Qf+rzyUiei31XAOvC7C7yYcVkYsAxiZNxMMa66C YWO4tzcUHkn8RBwTYPwAzuI2wjkcBk6ceBA3niKhi3mfqlj/aensn3tVmD44/CUoeEW8 K4xQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:from:to:cc:date:message-id:in-reply-to :references:user-agent:mime-version:content-transfer-encoding; bh=P1MJ05uFAxDfNHMQqVnK1prcFqS5udLDYsJyc1jGlFg=; b=GNbKtoT8gNDGMhRhQWN5DdYNDlZSjw/UanVy0wFgwzTKgdWcqkt2/7cm8xjBqFojVx zlkmp0R+T3h5JfY9xrCF/lWSz4b6gFguTUVEjArfj5DVigHE62DgXRfvxbq0/aXlIsh9 JqwA1+w3tqWCLEfJfVgLgCe8+nZmwhEMHD5R9ZrpyWr+UPikpuS/O5Iu82D80T03Qvx7 4P9laXva/FbNv+TVs6zOXhzxeZVWwAU6LEr9hgukExkgCOfgAwgvKgpF/IvB+JpRRlr4 09BqcDuSXvi/UWPeQmn+rOhgLa54Uue9sw57G17SG4bhZ7AFcg1x1d9F9Wln9BFVISWg MH2Q== X-Gm-Message-State: AOAM531gweQsYkQeyUtIULg+FRRsu237ekFGcxORjTWJyHIoo8xz+T2k s4tcBTdH0gwErhyiHJB01aVAZRgp X-Google-Smtp-Source: ABdhPJyqZjwxHNMljaXZ4pOVqBtfS3sZEnlI7EMTkLGcm6YVfoss+FAZbDqR8bwJjgD7Z+94RmIfow== X-Received: by 2002:a17:90a:714c:: with SMTP id g12mr2293417pjs.31.1590121523641; Thu, 21 May 2020 21:25:23 -0700 (PDT) Received: from [127.0.1.1] ([184.63.162.180]) by smtp.gmail.com with ESMTPSA id g9sm5134354pgj.89.2020.05.21.21.25.12 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Thu, 21 May 2020 21:25:22 -0700 (PDT) Subject: [bpf-next PATCH v4 4/5] bpf: selftests, add sk_msg helpers load and attach test From: John Fastabend To: yhs@fb.com, andrii.nakryiko@gmail.com, ast@kernel.org, daniel@iogearbox.net Cc: netdev@vger.kernel.org, bpf@vger.kernel.org, john.fastabend@gmail.com, jakub@cloudflare.com, lmb@cloudflare.com Date: Thu, 21 May 2020 21:25:06 -0700 Message-ID: <159012150674.14791.15054968668193084791.stgit@john-Precision-5820-Tower> In-Reply-To: <159012108670.14791.18091717338621259928.stgit@john-Precision-5820-Tower> References: <159012108670.14791.18091717338621259928.stgit@john-Precision-5820-Tower> User-Agent: StGit/0.17.1-dirty MIME-Version: 1.0 Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org The test itself is not particularly useful but it encodes a common pattern we have. Namely do a sk storage lookup then depending on data here decide if we need to do more work or alternatively allow packet to PASS. Then if we need to do more work consult task_struct for more information about the running task. Finally based on this additional information drop or pass the data. In this case the suspicious check is not so realisitic but it encodes the general pattern and uses the helpers so we test the workflow. This is a load test to ensure verifier correctly handles this case. Signed-off-by: John Fastabend --- .../selftests/bpf/prog_tests/sockmap_basic.c | 35 +++++++++++++++ .../selftests/bpf/progs/test_skmsg_load_helpers.c | 47 ++++++++++++++++++++ 2 files changed, 82 insertions(+) create mode 100644 tools/testing/selftests/bpf/progs/test_skmsg_load_helpers.c diff --git a/tools/testing/selftests/bpf/prog_tests/sockmap_basic.c b/tools/testing/selftests/bpf/prog_tests/sockmap_basic.c index aa43e0b..96e7b7f 100644 --- a/tools/testing/selftests/bpf/prog_tests/sockmap_basic.c +++ b/tools/testing/selftests/bpf/prog_tests/sockmap_basic.c @@ -1,7 +1,9 @@ // SPDX-License-Identifier: GPL-2.0 // Copyright (c) 2020 Cloudflare +#include #include "test_progs.h" +#include "test_skmsg_load_helpers.skel.h" #define TCP_REPAIR 19 /* TCP sock is under repair right now */ @@ -70,10 +72,43 @@ static void test_sockmap_create_update_free(enum bpf_map_type map_type) close(s); } +static void test_skmsg_helpers(enum bpf_map_type map_type) +{ + struct test_skmsg_load_helpers *skel; + int err, map, verdict; + + skel = test_skmsg_load_helpers__open_and_load(); + if (CHECK_FAIL(!skel)) { + perror("test_skmsg_load_helpers__open_and_load"); + return; + } + + verdict = bpf_program__fd(skel->progs.prog_msg_verdict); + map = bpf_map__fd(skel->maps.sock_map); + + err = bpf_prog_attach(verdict, map, BPF_SK_MSG_VERDICT, 0); + if (CHECK_FAIL(err)) { + perror("bpf_prog_attach"); + goto out; + } + + err = bpf_prog_detach2(verdict, map, BPF_SK_MSG_VERDICT); + if (CHECK_FAIL(err)) { + perror("bpf_prog_detach2"); + goto out; + } +out: + test_skmsg_load_helpers__destroy(skel); +} + void test_sockmap_basic(void) { if (test__start_subtest("sockmap create_update_free")) test_sockmap_create_update_free(BPF_MAP_TYPE_SOCKMAP); if (test__start_subtest("sockhash create_update_free")) test_sockmap_create_update_free(BPF_MAP_TYPE_SOCKHASH); + if (test__start_subtest("sockmap sk_msg load helpers")) + test_skmsg_helpers(BPF_MAP_TYPE_SOCKMAP); + if (test__start_subtest("sockhash sk_msg load helpers")) + test_skmsg_helpers(BPF_MAP_TYPE_SOCKHASH); } diff --git a/tools/testing/selftests/bpf/progs/test_skmsg_load_helpers.c b/tools/testing/selftests/bpf/progs/test_skmsg_load_helpers.c new file mode 100644 index 0000000..45e8fc7 --- /dev/null +++ b/tools/testing/selftests/bpf/progs/test_skmsg_load_helpers.c @@ -0,0 +1,47 @@ +// SPDX-License-Identifier: GPL-2.0 +// Copyright (c) 2020 Isovalent, Inc. +#include "vmlinux.h" +#include + +struct { + __uint(type, BPF_MAP_TYPE_SOCKMAP); + __uint(max_entries, 2); + __type(key, __u32); + __type(value, __u64); +} sock_map SEC(".maps"); + +struct { + __uint(type, BPF_MAP_TYPE_SOCKHASH); + __uint(max_entries, 2); + __type(key, __u32); + __type(value, __u64); +} sock_hash SEC(".maps"); + +struct { + __uint(type, BPF_MAP_TYPE_SK_STORAGE); + __uint(map_flags, BPF_F_NO_PREALLOC); + __type(key, __u32); + __type(value, __u64); +} socket_storage SEC(".maps"); + +SEC("sk_msg") +int prog_msg_verdict(struct sk_msg_md *msg) +{ + struct task_struct *task = (struct task_struct *)bpf_get_current_task(); + int verdict = SK_PASS; + __u32 pid, tpid; + __u64 *sk_stg; + + pid = bpf_get_current_pid_tgid() >> 32; + sk_stg = bpf_sk_storage_get(&socket_storage, msg->sk, 0, BPF_SK_STORAGE_GET_F_CREATE); + if (!sk_stg) + return SK_DROP; + *sk_stg = pid; + bpf_probe_read_kernel(&tpid , sizeof(tpid), &task->tgid); + if (pid != tpid) + verdict = SK_DROP; + bpf_sk_storage_delete(&socket_storage, (void *)msg->sk); + return verdict; +} + +char _license[] SEC("license") = "GPL";