From: Roberto Sassu <[email protected]>
===
All credits of this patch set go to Lorenz Bauer <[email protected]>, as he
identified this issue and proposed a number of solutions.
===
Lorenz presented at the Linux Plumbers EU 2022 a talk with title 'Closing
the BPF map permission loophole', where he reported that read-only fds can
be used for map update operations, if they were provided to eBPF programs.
This work initially started as PoC to reproduce the reported bug, and
became the test for validating an idea on how to fix the bug.
Patch 1 adds a dependency necessary for the tests.
The actual fix, in patch 2, is relatively simple. It is based on an already
existing enforcement mechanism in the eBPF verifier for map flags. As
Lorenz mentioned, a problem would be backporting this fix to stable kernels
which don't have that enforcement mechanism. However, backporting just the
enforcement mechanism itself (without introducing the new map flags and
allowing user space to use them) could meet the stable kernel criteria.
Alternatively, a completely different fix can be developed for older stable
kernels, like what Lorenz suggested, to refuse fds which are not
read/write.
Finally, patch 3 introduces the tests.
Roberto Sassu (3):
libbpf: Define bpf_get_fd_opts and introduce
bpf_map_get_fd_by_id_opts()
bpf: Enforce granted permissions in a map fd at verifier level
selftests/bpf: Test enforcement of map fd permissions at verifier
level
include/linux/bpf.h | 13 +
include/linux/bpf_verifier.h | 1 +
kernel/bpf/verifier.c | 26 +-
tools/lib/bpf/bpf.c | 12 +-
tools/lib/bpf/bpf.h | 10 +
tools/lib/bpf/libbpf.map | 3 +-
.../selftests/bpf/prog_tests/map_fd_perm.c | 227 ++++++++++++++++++
7 files changed, 288 insertions(+), 4 deletions(-)
create mode 100644 tools/testing/selftests/bpf/prog_tests/map_fd_perm.c
--
2.25.1
From: Roberto Sassu <[email protected]>
Define a new data structure called bpf_get_fd_opts, with the member
open_flags, to be used by callers of the _opts variants of
bpf_*_get_fd_by_id() to specify the permissions needed for the file
descriptor to be obtained.
Also, introduce bpf_map_get_fd_by_id_opts(), to let the caller pass a
bpf_get_fd_opts structure.
Finally, keep the existing bpf_map_get_fd_by_id(), and call
bpf_map_get_fd_by_id_opts() with NULL as opts argument, to request
read-write permissions (current behavior).
Signed-off-by: Roberto Sassu <[email protected]>
---
tools/lib/bpf/bpf.c | 12 +++++++++++-
tools/lib/bpf/bpf.h | 10 ++++++++++
tools/lib/bpf/libbpf.map | 3 ++-
3 files changed, 23 insertions(+), 2 deletions(-)
diff --git a/tools/lib/bpf/bpf.c b/tools/lib/bpf/bpf.c
index 1d49a0352836..4b03063edf1d 100644
--- a/tools/lib/bpf/bpf.c
+++ b/tools/lib/bpf/bpf.c
@@ -948,19 +948,29 @@ int bpf_prog_get_fd_by_id(__u32 id)
return libbpf_err_errno(fd);
}
-int bpf_map_get_fd_by_id(__u32 id)
+int bpf_map_get_fd_by_id_opts(__u32 id,
+ const struct bpf_get_fd_opts *opts)
{
const size_t attr_sz = offsetofend(union bpf_attr, open_flags);
union bpf_attr attr;
int fd;
+ if (!OPTS_VALID(opts, bpf_get_fd_opts))
+ return libbpf_err(-EINVAL);
+
memset(&attr, 0, attr_sz);
attr.map_id = id;
+ attr.open_flags = OPTS_GET(opts, open_flags, 0);
fd = sys_bpf_fd(BPF_MAP_GET_FD_BY_ID, &attr, attr_sz);
return libbpf_err_errno(fd);
}
+int bpf_map_get_fd_by_id(__u32 id)
+{
+ return bpf_map_get_fd_by_id_opts(id, NULL);
+}
+
int bpf_btf_get_fd_by_id(__u32 id)
{
const size_t attr_sz = offsetofend(union bpf_attr, open_flags);
diff --git a/tools/lib/bpf/bpf.h b/tools/lib/bpf/bpf.h
index 9c50beabdd14..38a1b7eccfc8 100644
--- a/tools/lib/bpf/bpf.h
+++ b/tools/lib/bpf/bpf.h
@@ -365,7 +365,17 @@ LIBBPF_API int bpf_prog_get_next_id(__u32 start_id, __u32 *next_id);
LIBBPF_API int bpf_map_get_next_id(__u32 start_id, __u32 *next_id);
LIBBPF_API int bpf_btf_get_next_id(__u32 start_id, __u32 *next_id);
LIBBPF_API int bpf_link_get_next_id(__u32 start_id, __u32 *next_id);
+
+struct bpf_get_fd_opts {
+ size_t sz; /* size of this struct for forward/backward compatibility */
+ __u32 open_flags; /* permissions requested for the operation on fd */
+ __u32 :0;
+};
+#define bpf_get_fd_opts__last_field open_flags
+
LIBBPF_API int bpf_prog_get_fd_by_id(__u32 id);
+LIBBPF_API int bpf_map_get_fd_by_id_opts(__u32 id,
+ const struct bpf_get_fd_opts *opts);
LIBBPF_API int bpf_map_get_fd_by_id(__u32 id);
LIBBPF_API int bpf_btf_get_fd_by_id(__u32 id);
LIBBPF_API int bpf_link_get_fd_by_id(__u32 id);
diff --git a/tools/lib/bpf/libbpf.map b/tools/lib/bpf/libbpf.map
index c1d6aa7c82b6..2e665b21d84f 100644
--- a/tools/lib/bpf/libbpf.map
+++ b/tools/lib/bpf/libbpf.map
@@ -367,10 +367,11 @@ LIBBPF_1.0.0 {
libbpf_bpf_map_type_str;
libbpf_bpf_prog_type_str;
perf_buffer__buffer;
-};
+} LIBBPF_0.8.0;
LIBBPF_1.1.0 {
global:
+ bpf_map_get_fd_by_id_opts;
user_ring_buffer__discard;
user_ring_buffer__free;
user_ring_buffer__new;
--
2.25.1
From: Roberto Sassu <[email protected]>
Commit afdb09c720b62 ("security: bpf: Add LSM hooks for bpf object related
syscall") introduced new eBPF-related hooks in the LSM framework, for
programs and maps, aiming at enforcing permissions per eBPF object.
Commit 6e71b04a82248 ("bpf: Add file mode configuration into bpf maps")
further introduced the BPF_F_RDONLY and BPF_F_WRONLY flags, for user space
to request specific permissions when using a given eBPF object.
The two patches are related, as the first ensures that LSMs grant to user
space the requested permissions (read and/or write) for performing
operations on an eBPF object. The second ensures that the granted
permissions are sufficient to perform a requested operation.
While the second check has been added for operations of the bpf() system
call that directly deal with a map, such as BPF_MAP_*_ELEM, it is missing
for bpf() system call operations that still receive a map fd, but modify a
map indirectly: map iterators (addressed separately) and the eBPF verifier.
An eBPF program might contain a map fd as argument of the BPF_PSEUDO_MAP_FD
and BPF_PSEUDO_MAP_IDX instructions. The eBPF verifier processes those
instructions, and replaces the map fd with the corresponding map address,
which can be then passed to eBPF helpers, such as bpf_map_lookup_elem() and
bpf_map_update_elem(). This has the same effect of invoking the bpf()
system call and executing the BPF_MAP_*_ELEM operations.
The problem is that, unlike BPF_MAP_*_ELEM operations of the bpf() system
call, the eBPF verifier does not check the fd modes before letting the eBPF
program do map operations. As a consequence, for example, a read-only fd
can be provided to the eBPF program, allowing it to do a map update.
A different behavior occurs when the map flags BPF_F_RDONLY_PROG and
BPF_F_WRONLY_PROG are set at map creation time. Commit 591fe9888d78 ("bpf:
add program side {rd, wr}only support for maps") ensures that only the map
operations compatible with the map flags can be executed by the eBPF
program, otherwise the verifier refuses to run that program.
As the verifier can already restrict map operations, rely on the same
mechanism to enforce permissions given with the fd. Providing a read-only
fd has the same effect of setting the BPF_F_RDONLY_PROG map flag, except
that the effect is limited to the program execution and not for the map
lifetime.
If multiple map fds are provided to the eBPF program, combine the fd modes,
as the verifier is not able to track the exact fd a map address has been
obtained from.
Finally, make sure that the resulting fd modes don't give to the eBPF
program more permissions than the ones granted by map flags. Instead, given
the initial permissions granted by map flags, clear the ones that are
missing from the fd.
Although normally map fd-based operations are not affected by BPF_F_*_PROG,
in this case it cannot be, as it is the eBPF program itself doing map
operations, which is what BPF_F_*_PROG are designed to restrict.
Cc: [email protected]
Fixes: 6e71b04a82248 ("bpf: Add file mode configuration into bpf maps")
Reported by: Lorenz Bauer <[email protected]>
Signed-off-by: Roberto Sassu <[email protected]>
---
include/linux/bpf.h | 13 +++++++++++++
include/linux/bpf_verifier.h | 1 +
kernel/bpf/verifier.c | 26 ++++++++++++++++++++++++--
3 files changed, 38 insertions(+), 2 deletions(-)
diff --git a/include/linux/bpf.h b/include/linux/bpf.h
index edd43edb27d6..1e18f11df7ca 100644
--- a/include/linux/bpf.h
+++ b/include/linux/bpf.h
@@ -1415,6 +1415,19 @@ static inline u32 bpf_map_flags_to_cap(struct bpf_map *map)
return BPF_MAP_CAN_READ | BPF_MAP_CAN_WRITE;
}
+static inline u32 bpf_fd_modes_to_cap(fmode_t mode)
+{
+ u32 cap = 0;
+
+ if (mode & FMODE_CAN_READ)
+ cap |= BPF_MAP_CAN_READ;
+
+ if (mode & FMODE_CAN_WRITE)
+ cap |= BPF_MAP_CAN_WRITE;
+
+ return cap;
+}
+
static inline bool bpf_map_flags_access_ok(u32 access_flags)
{
return (access_flags & (BPF_F_RDONLY_PROG | BPF_F_WRONLY_PROG)) !=
diff --git a/include/linux/bpf_verifier.h b/include/linux/bpf_verifier.h
index 9e1e6965f407..3f490bae0bcd 100644
--- a/include/linux/bpf_verifier.h
+++ b/include/linux/bpf_verifier.h
@@ -501,6 +501,7 @@ struct bpf_verifier_env {
struct bpf_verifier_state_list **explored_states; /* search pruning optimization */
struct bpf_verifier_state_list *free_list;
struct bpf_map *used_maps[MAX_USED_MAPS]; /* array of map's used by eBPF program */
+ u32 used_maps_caps[MAX_USED_MAPS]; /* array of map capabilities possessed by eBPF program */
struct btf_mod_pair used_btfs[MAX_USED_BTFS]; /* array of BTF's used by BPF program */
u32 used_map_cnt; /* number of used maps */
u32 used_btf_cnt; /* number of used BTF objects */
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 6f6d2d511c06..ac9bd4402169 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -3531,6 +3531,14 @@ static int check_map_access_type(struct bpf_verifier_env *env, u32 regno,
struct bpf_reg_state *regs = cur_regs(env);
struct bpf_map *map = regs[regno].map_ptr;
u32 cap = bpf_map_flags_to_cap(map);
+ int i;
+
+ for (i = 0; i < env->used_map_cnt; i++) {
+ if (env->used_maps[i] == map) {
+ cap &= env->used_maps_caps[i];
+ break;
+ }
+ }
if (type == BPF_WRITE && !(cap & BPF_MAP_CAN_WRITE)) {
verbose(env, "write into map forbidden, value_size=%d off=%d size=%d\n",
@@ -7040,6 +7048,8 @@ record_func_map(struct bpf_verifier_env *env, struct bpf_call_arg_meta *meta,
{
struct bpf_insn_aux_data *aux = &env->insn_aux_data[insn_idx];
struct bpf_map *map = meta->map_ptr;
+ u32 cap;
+ int i;
if (func_id != BPF_FUNC_tail_call &&
func_id != BPF_FUNC_map_lookup_elem &&
@@ -7058,11 +7068,20 @@ record_func_map(struct bpf_verifier_env *env, struct bpf_call_arg_meta *meta,
return -EINVAL;
}
+ cap = bpf_map_flags_to_cap(map);
+
+ for (i = 0; i < env->used_map_cnt; i++) {
+ if (env->used_maps[i] == map) {
+ cap &= env->used_maps_caps[i];
+ break;
+ }
+ }
+
/* In case of read-only, some additional restrictions
* need to be applied in order to prevent altering the
* state of the map from program side.
*/
- if ((map->map_flags & BPF_F_RDONLY_PROG) &&
+ if (!(cap & BPF_MAP_CAN_WRITE) &&
(func_id == BPF_FUNC_map_delete_elem ||
func_id == BPF_FUNC_map_update_elem ||
func_id == BPF_FUNC_map_push_elem ||
@@ -12870,6 +12889,7 @@ static int resolve_pseudo_ldimm64(struct bpf_verifier_env *env)
/* check whether we recorded this map already */
for (j = 0; j < env->used_map_cnt; j++) {
if (env->used_maps[j] == map) {
+ env->used_maps_caps[j] |= bpf_fd_modes_to_cap(f.file->f_mode);
aux->map_index = j;
fdput(f);
goto next_insn;
@@ -12889,7 +12909,9 @@ static int resolve_pseudo_ldimm64(struct bpf_verifier_env *env)
bpf_map_inc(map);
aux->map_index = env->used_map_cnt;
- env->used_maps[env->used_map_cnt++] = map;
+ env->used_maps[env->used_map_cnt] = map;
+ env->used_maps_caps[env->used_map_cnt] = bpf_fd_modes_to_cap(f.file->f_mode);
+ env->used_map_cnt++;
if (bpf_map_is_cgroup_storage(map) &&
bpf_cgroup_storage_assign(env->prog->aux, map)) {
--
2.25.1
From: Roberto Sassu <[email protected]>
Create two maps, one read/writable and another only readable. Also, define
four programs, that respectively read, read/write, read/write (with two map
fds), and write to a given map.
For the read/writable map, two additional fds are obtained to test the
ability of the verifier to restrict operations by a program depending on
the map permissions granted.
To make testing easier, the map fd for the BPF_LD_MAP_FD instruction is
always the same (20), and dup2() is used to make sure that the program
takes the correct map at the time it is loaded.
In addition, a second fd (21) set with dup2() is passed to one eBPF program
to check the merging of fd modes (read-only and write-only).
The tests first verify the correct behavior, i.e. a program is successfully
executed if it has sufficient permissions on the map. Then, they verify the
incorrect combinations (e.g. a program willing to perform read/write
operations on a map referenced with a write-only fd), and ensure that the
verifier emits the expected error message.
Signed-off-by: Roberto Sassu <[email protected]>
---
.../selftests/bpf/prog_tests/map_fd_perm.c | 227 ++++++++++++++++++
1 file changed, 227 insertions(+)
create mode 100644 tools/testing/selftests/bpf/prog_tests/map_fd_perm.c
diff --git a/tools/testing/selftests/bpf/prog_tests/map_fd_perm.c b/tools/testing/selftests/bpf/prog_tests/map_fd_perm.c
new file mode 100644
index 000000000000..eaabf6f5bb9b
--- /dev/null
+++ b/tools/testing/selftests/bpf/prog_tests/map_fd_perm.c
@@ -0,0 +1,227 @@
+// SPDX-License-Identifier: GPL-2.0
+
+/*
+ * Copyright (C) 2022 Huawei Technologies Duesseldorf GmbH
+ *
+ * Author: Roberto Sassu <[email protected]>
+ */
+
+#include <test_progs.h>
+
+#define TARGET_MAP_FD 20
+#define TARGET_MAP_FD2 21
+#define EXPECTED_MAP_VALUE 2
+
+char bpf_log_buf[BPF_LOG_BUF_SIZE];
+
+struct bpf_insn prog_r[] = {
+ BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
+ BPF_MOV64_IMM(BPF_REG_0, 0),
+ BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -4), /* *(u32 *)(fp - 4) = r0 */
+ BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
+ BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), /* r2 = fp - 4 */
+ BPF_LD_MAP_FD(BPF_REG_1, TARGET_MAP_FD),
+ BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
+ BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
+ BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
+ BPF_MOV64_IMM(BPF_REG_0, 0), /* r0 = 0 */
+ BPF_EXIT_INSN(),
+};
+
+struct bpf_insn prog_rw[] = {
+ BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
+ BPF_MOV64_IMM(BPF_REG_0, 0),
+ BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -4), /* *(u32 *)(fp - 4) = r0 */
+ BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
+ BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), /* r2 = fp - 4 */
+ BPF_LD_MAP_FD(BPF_REG_1, TARGET_MAP_FD),
+ BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
+ BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
+ BPF_MOV64_IMM(BPF_REG_1, EXPECTED_MAP_VALUE),
+ BPF_ATOMIC_OP(BPF_W, BPF_ADD, BPF_REG_0, BPF_REG_1, 0),
+ BPF_MOV64_IMM(BPF_REG_0, 0), /* r0 = 0 */
+ BPF_EXIT_INSN(),
+};
+
+struct bpf_insn prog_rw_merge[] = {
+ BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
+ BPF_MOV64_IMM(BPF_REG_0, 0),
+ BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -4), /* *(u32 *)(fp - 4) = r0 */
+ BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
+ BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), /* r2 = fp - 4 */
+ BPF_LD_MAP_FD(BPF_REG_1, TARGET_MAP_FD),
+ BPF_LD_MAP_FD(BPF_REG_1, TARGET_MAP_FD2),
+ BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
+ BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
+ BPF_MOV64_IMM(BPF_REG_1, EXPECTED_MAP_VALUE),
+ BPF_ATOMIC_OP(BPF_W, BPF_ADD, BPF_REG_0, BPF_REG_1, 0),
+ BPF_MOV64_IMM(BPF_REG_0, 0), /* r0 = 0 */
+ BPF_EXIT_INSN(),
+};
+
+struct bpf_insn prog_w[] = {
+ BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
+ BPF_MOV64_IMM(BPF_REG_0, 0),
+ BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -4), /* *(u32 *)(fp - 4) = r0 */
+ BPF_MOV64_IMM(BPF_REG_0, EXPECTED_MAP_VALUE),
+ BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -8), /* *(u32 *)(fp - 8) = r0 */
+ BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
+ BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), /* r2 = fp - 4 */
+ BPF_MOV64_REG(BPF_REG_3, BPF_REG_10),
+ BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, -8), /* r3 = fp - 8 */
+ BPF_LD_MAP_FD(BPF_REG_1, TARGET_MAP_FD),
+ BPF_MOV64_IMM(BPF_REG_4, 0),
+ BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_update_elem),
+ BPF_MOV64_IMM(BPF_REG_0, 0), /* r0 = 0 */
+ BPF_EXIT_INSN(),
+};
+
+static int load_prog(struct bpf_insn *prog, int num_insn, int map_fd,
+ int map_fd2, int map_check_fd, int expected_map_value,
+ const char *expected_err_msg)
+{
+ u32 key = 0, value;
+ int ret, prog_fd, link_fd;
+
+ LIBBPF_OPTS(bpf_prog_load_opts, trace_opts,
+ .expected_attach_type = BPF_TRACE_FENTRY,
+ .log_buf = bpf_log_buf,
+ .log_size = BPF_LOG_BUF_SIZE,
+ );
+
+ memset(bpf_log_buf, 0, sizeof(bpf_log_buf));
+
+ trace_opts.attach_btf_id =
+ libbpf_find_vmlinux_btf_id("array_map_lookup_elem",
+ trace_opts.expected_attach_type);
+
+ ret = dup2(map_fd, TARGET_MAP_FD);
+ if (ret < 0)
+ return ret;
+
+ if (map_fd2 != -1) {
+ ret = dup2(map_fd2, TARGET_MAP_FD2);
+ if (ret < 0) {
+ close(TARGET_MAP_FD);
+ return ret;
+ }
+ }
+
+ prog_fd = bpf_prog_load(BPF_PROG_TYPE_TRACING, NULL, "GPL",
+ prog, num_insn, &trace_opts);
+
+ close(TARGET_MAP_FD);
+ if (map_fd2 != -1)
+ close(TARGET_MAP_FD2);
+
+ if (prog_fd < 0) {
+ if (expected_err_msg && strstr(bpf_log_buf, expected_err_msg))
+ return 0;
+
+ printf("%s\n", bpf_log_buf);
+ return -EINVAL;
+ }
+
+ if (map_check_fd >= 0) {
+ link_fd = bpf_link_create(prog_fd, 0, BPF_TRACE_FENTRY, NULL);
+ if (link_fd < 0) {
+ ret = -errno;
+ close(prog_fd);
+ return ret;
+ }
+
+ ret = bpf_map_lookup_elem(map_check_fd, &key, &value);
+
+ close(prog_fd);
+ close(link_fd);
+
+ if (ret < 0)
+ return ret;
+
+ if (value != expected_map_value)
+ return -EINVAL;
+ } else {
+ close(prog_fd);
+ }
+
+ return 0;
+}
+
+void test_map_fd_perm(void)
+{
+ int map_fd, map_fd_rdonly, map_fd_wronly;
+ int map_rdonly_fd;
+ struct bpf_map_info info_m = { 0 };
+ __u32 len = sizeof(info_m);
+ int ret;
+
+ DECLARE_LIBBPF_OPTS(bpf_get_fd_opts, fd_opts_rdonly,
+ .open_flags = BPF_F_RDONLY,
+ );
+
+ DECLARE_LIBBPF_OPTS(bpf_get_fd_opts, fd_opts_wronly,
+ .open_flags = BPF_F_WRONLY,
+ );
+
+ DECLARE_LIBBPF_OPTS(bpf_map_create_opts, create_opts,
+ .map_flags = BPF_F_RDONLY_PROG,
+ );
+
+ map_fd = bpf_map_create(BPF_MAP_TYPE_ARRAY, NULL, sizeof(u32),
+ sizeof(u32), 1, NULL);
+ ASSERT_GE(map_fd, 0, "failed to create rw map");
+
+ map_rdonly_fd = bpf_map_create(BPF_MAP_TYPE_ARRAY, NULL, sizeof(u32),
+ sizeof(u32), 1, &create_opts);
+ ASSERT_GE(map_rdonly_fd, 0, "failed to create ro map");
+
+ ret = bpf_obj_get_info_by_fd(map_fd, &info_m, &len);
+ ASSERT_OK(ret, "bpf_obj_get_info_by_fd");
+
+ map_fd_rdonly = bpf_map_get_fd_by_id_opts(info_m.id, &fd_opts_rdonly);
+ ASSERT_GE(map_fd_rdonly, 0, "bpf_map_get_fd_by_id_opts rw map ro fd");
+
+ map_fd_wronly = bpf_map_get_fd_by_id_opts(info_m.id, &fd_opts_wronly);
+ ASSERT_GE(map_fd_wronly, 0, "bpf_map_get_fd_by_id_opts rw map wo fd");
+
+ ret = load_prog(prog_r, ARRAY_SIZE(prog_r), map_fd_rdonly, -1, -1, -1,
+ NULL);
+ ASSERT_OK(ret, "load ro prog, rw map, ro fd");
+
+ ret = load_prog(prog_rw, ARRAY_SIZE(prog_rw), map_fd, -1, map_fd,
+ EXPECTED_MAP_VALUE, NULL);
+ ASSERT_OK(ret, "load rw prog, rw map, rw fd");
+
+ ret = load_prog(prog_w, ARRAY_SIZE(prog_w), map_fd_wronly, -1, map_fd,
+ EXPECTED_MAP_VALUE, NULL);
+ ASSERT_OK(ret, "load wo prog, rw map, wo fd");
+
+ ret = load_prog(prog_r, ARRAY_SIZE(prog_r), map_rdonly_fd, -1, -1, -1,
+ NULL);
+ ASSERT_OK(ret, "load ro prog, ro map, ro fd");
+
+ /* Existing value was set by prog_w, so it is EXPECTED_MAP_VALUE * 2. */
+ ret = load_prog(prog_rw_merge, ARRAY_SIZE(prog_rw_merge), map_fd_rdonly,
+ map_fd_wronly, map_fd, EXPECTED_MAP_VALUE * 2, NULL);
+ ASSERT_OK(ret, "load rw prog merge, ro fd, wo fd");
+
+ ret = load_prog(prog_r, ARRAY_SIZE(prog_r), map_fd_wronly, -1, -1, -1,
+ "read from map forbidden");
+ ASSERT_OK(ret, "load ro prog, rw map, wo fd");
+
+ ret = load_prog(prog_w, ARRAY_SIZE(prog_w), map_fd_rdonly, -1, -1, -1,
+ "write into map forbidden");
+ ASSERT_OK(ret, "load wo prog, rw map, ro fd");
+
+ ret = load_prog(prog_rw, ARRAY_SIZE(prog_rw), map_fd_rdonly, -1, -1, -1,
+ "write into map forbidden");
+ ASSERT_OK(ret, "load rw prog, rw map, ro fd");
+
+ ret = load_prog(prog_rw, ARRAY_SIZE(prog_rw), map_fd_wronly, -1, -1, -1,
+ "read from map forbidden");
+ ASSERT_OK(ret, "load rw prog, rw map, wo fd");
+
+ ret = load_prog(prog_w, ARRAY_SIZE(prog_w), map_rdonly_fd, -1, -1, -1,
+ "write into map forbidden");
+ ASSERT_OK(ret, "load wo prog, ro map, rw fd");
+}
--
2.25.1
On Mon, Sep 26, 2022 at 8:45 AM Roberto Sassu
<[email protected]> wrote:
>
> From: Roberto Sassu <[email protected]>
>
> Define a new data structure called bpf_get_fd_opts, with the member
> open_flags, to be used by callers of the _opts variants of
> bpf_*_get_fd_by_id() to specify the permissions needed for the file
> descriptor to be obtained.
>
> Also, introduce bpf_map_get_fd_by_id_opts(), to let the caller pass a
> bpf_get_fd_opts structure.
>
> Finally, keep the existing bpf_map_get_fd_by_id(), and call
> bpf_map_get_fd_by_id_opts() with NULL as opts argument, to request
> read-write permissions (current behavior).
>
> Signed-off-by: Roberto Sassu <[email protected]>
> ---
looks good overall, but please see two nits below
> tools/lib/bpf/bpf.c | 12 +++++++++++-
> tools/lib/bpf/bpf.h | 10 ++++++++++
> tools/lib/bpf/libbpf.map | 3 ++-
> 3 files changed, 23 insertions(+), 2 deletions(-)
>
> diff --git a/tools/lib/bpf/bpf.c b/tools/lib/bpf/bpf.c
> index 1d49a0352836..4b03063edf1d 100644
> --- a/tools/lib/bpf/bpf.c
> +++ b/tools/lib/bpf/bpf.c
> @@ -948,19 +948,29 @@ int bpf_prog_get_fd_by_id(__u32 id)
> return libbpf_err_errno(fd);
> }
>
> -int bpf_map_get_fd_by_id(__u32 id)
> +int bpf_map_get_fd_by_id_opts(__u32 id,
> + const struct bpf_get_fd_opts *opts)
> {
> const size_t attr_sz = offsetofend(union bpf_attr, open_flags);
> union bpf_attr attr;
> int fd;
>
> + if (!OPTS_VALID(opts, bpf_get_fd_opts))
> + return libbpf_err(-EINVAL);
> +
> memset(&attr, 0, attr_sz);
> attr.map_id = id;
> + attr.open_flags = OPTS_GET(opts, open_flags, 0);
>
> fd = sys_bpf_fd(BPF_MAP_GET_FD_BY_ID, &attr, attr_sz);
> return libbpf_err_errno(fd);
> }
>
> +int bpf_map_get_fd_by_id(__u32 id)
> +{
> + return bpf_map_get_fd_by_id_opts(id, NULL);
> +}
> +
> int bpf_btf_get_fd_by_id(__u32 id)
> {
> const size_t attr_sz = offsetofend(union bpf_attr, open_flags);
> diff --git a/tools/lib/bpf/bpf.h b/tools/lib/bpf/bpf.h
> index 9c50beabdd14..38a1b7eccfc8 100644
> --- a/tools/lib/bpf/bpf.h
> +++ b/tools/lib/bpf/bpf.h
> @@ -365,7 +365,17 @@ LIBBPF_API int bpf_prog_get_next_id(__u32 start_id, __u32 *next_id);
> LIBBPF_API int bpf_map_get_next_id(__u32 start_id, __u32 *next_id);
> LIBBPF_API int bpf_btf_get_next_id(__u32 start_id, __u32 *next_id);
> LIBBPF_API int bpf_link_get_next_id(__u32 start_id, __u32 *next_id);
> +
> +struct bpf_get_fd_opts {
> + size_t sz; /* size of this struct for forward/backward compatibility */
> + __u32 open_flags; /* permissions requested for the operation on fd */
> + __u32 :0;
this should be size_t: 0
> +};
> +#define bpf_get_fd_opts__last_field open_flags
> +
> LIBBPF_API int bpf_prog_get_fd_by_id(__u32 id);
> +LIBBPF_API int bpf_map_get_fd_by_id_opts(__u32 id,
> + const struct bpf_get_fd_opts *opts);
> LIBBPF_API int bpf_map_get_fd_by_id(__u32 id);
> LIBBPF_API int bpf_btf_get_fd_by_id(__u32 id);
> LIBBPF_API int bpf_link_get_fd_by_id(__u32 id);
> diff --git a/tools/lib/bpf/libbpf.map b/tools/lib/bpf/libbpf.map
> index c1d6aa7c82b6..2e665b21d84f 100644
> --- a/tools/lib/bpf/libbpf.map
> +++ b/tools/lib/bpf/libbpf.map
> @@ -367,10 +367,11 @@ LIBBPF_1.0.0 {
> libbpf_bpf_map_type_str;
> libbpf_bpf_prog_type_str;
> perf_buffer__buffer;
> -};
> +} LIBBPF_0.8.0;
>
good catch, please send this as a separate fix, thanks!
> LIBBPF_1.1.0 {
> global:
> + bpf_map_get_fd_by_id_opts;
> user_ring_buffer__discard;
> user_ring_buffer__free;
> user_ring_buffer__new;
> --
> 2.25.1
>