提交 f198222f 编写于 作者: D Daniel Borkmann

Merge branch 'bpf-sendmsg-hook'

Andrey Ignatov says:

====================
v3 -> v4:
* handle static key correctly for CONFIG_CGROUP_BPF=n.

v2 -> v3:
* place BPF logic under static key in udp_sendmsg, udpv6_sendmsg;
* rebase.

v1 -> v2:
* return ENOTSUPP if bpf_prog rewrote IPv6-only with IPv4-mapped IPv6;
* add test for IPv4-mapped IPv6 use-case;
* fix build for CONFIG_CGROUP_BPF=n;
* rebase.

This path set adds BPF hooks for sys_sendmsg similar to existing hooks for
sys_bind and sys_connect.

Hooks allow to override source IP (including the case when it's set via
cmsg(3)) and destination IP:port for unconnected UDP (slow path). TCP and
connected UDP (fast path) are not affected. This makes UDP support
complete: connected UDP is handled by sys_connect hooks, unconnected by
sys_sendmsg ones.

Similar to sys_connect hooks, sys_sendmsg ones can be used to make system
calls such as sendmsg(2) and sendto(2) return EPERM.

Please see patch 0002 for more details.
====================
Signed-off-by: NDaniel Borkmann <daniel@iogearbox.net>
...@@ -66,7 +66,8 @@ int __cgroup_bpf_run_filter_sk(struct sock *sk, ...@@ -66,7 +66,8 @@ int __cgroup_bpf_run_filter_sk(struct sock *sk,
int __cgroup_bpf_run_filter_sock_addr(struct sock *sk, int __cgroup_bpf_run_filter_sock_addr(struct sock *sk,
struct sockaddr *uaddr, struct sockaddr *uaddr,
enum bpf_attach_type type); enum bpf_attach_type type,
void *t_ctx);
int __cgroup_bpf_run_filter_sock_ops(struct sock *sk, int __cgroup_bpf_run_filter_sock_ops(struct sock *sk,
struct bpf_sock_ops_kern *sock_ops, struct bpf_sock_ops_kern *sock_ops,
...@@ -120,16 +121,18 @@ int __cgroup_bpf_check_dev_permission(short dev_type, u32 major, u32 minor, ...@@ -120,16 +121,18 @@ int __cgroup_bpf_check_dev_permission(short dev_type, u32 major, u32 minor,
({ \ ({ \
int __ret = 0; \ int __ret = 0; \
if (cgroup_bpf_enabled) \ if (cgroup_bpf_enabled) \
__ret = __cgroup_bpf_run_filter_sock_addr(sk, uaddr, type); \ __ret = __cgroup_bpf_run_filter_sock_addr(sk, uaddr, type, \
NULL); \
__ret; \ __ret; \
}) })
#define BPF_CGROUP_RUN_SA_PROG_LOCK(sk, uaddr, type) \ #define BPF_CGROUP_RUN_SA_PROG_LOCK(sk, uaddr, type, t_ctx) \
({ \ ({ \
int __ret = 0; \ int __ret = 0; \
if (cgroup_bpf_enabled) { \ if (cgroup_bpf_enabled) { \
lock_sock(sk); \ lock_sock(sk); \
__ret = __cgroup_bpf_run_filter_sock_addr(sk, uaddr, type); \ __ret = __cgroup_bpf_run_filter_sock_addr(sk, uaddr, type, \
t_ctx); \
release_sock(sk); \ release_sock(sk); \
} \ } \
__ret; \ __ret; \
...@@ -151,10 +154,16 @@ int __cgroup_bpf_check_dev_permission(short dev_type, u32 major, u32 minor, ...@@ -151,10 +154,16 @@ int __cgroup_bpf_check_dev_permission(short dev_type, u32 major, u32 minor,
BPF_CGROUP_RUN_SA_PROG(sk, uaddr, BPF_CGROUP_INET6_CONNECT) BPF_CGROUP_RUN_SA_PROG(sk, uaddr, BPF_CGROUP_INET6_CONNECT)
#define BPF_CGROUP_RUN_PROG_INET4_CONNECT_LOCK(sk, uaddr) \ #define BPF_CGROUP_RUN_PROG_INET4_CONNECT_LOCK(sk, uaddr) \
BPF_CGROUP_RUN_SA_PROG_LOCK(sk, uaddr, BPF_CGROUP_INET4_CONNECT) BPF_CGROUP_RUN_SA_PROG_LOCK(sk, uaddr, BPF_CGROUP_INET4_CONNECT, NULL)
#define BPF_CGROUP_RUN_PROG_INET6_CONNECT_LOCK(sk, uaddr) \ #define BPF_CGROUP_RUN_PROG_INET6_CONNECT_LOCK(sk, uaddr) \
BPF_CGROUP_RUN_SA_PROG_LOCK(sk, uaddr, BPF_CGROUP_INET6_CONNECT) BPF_CGROUP_RUN_SA_PROG_LOCK(sk, uaddr, BPF_CGROUP_INET6_CONNECT, NULL)
#define BPF_CGROUP_RUN_PROG_UDP4_SENDMSG_LOCK(sk, uaddr, t_ctx) \
BPF_CGROUP_RUN_SA_PROG_LOCK(sk, uaddr, BPF_CGROUP_UDP4_SENDMSG, t_ctx)
#define BPF_CGROUP_RUN_PROG_UDP6_SENDMSG_LOCK(sk, uaddr, t_ctx) \
BPF_CGROUP_RUN_SA_PROG_LOCK(sk, uaddr, BPF_CGROUP_UDP6_SENDMSG, t_ctx)
#define BPF_CGROUP_RUN_PROG_SOCK_OPS(sock_ops) \ #define BPF_CGROUP_RUN_PROG_SOCK_OPS(sock_ops) \
({ \ ({ \
...@@ -185,6 +194,7 @@ struct cgroup_bpf {}; ...@@ -185,6 +194,7 @@ struct cgroup_bpf {};
static inline void cgroup_bpf_put(struct cgroup *cgrp) {} static inline void cgroup_bpf_put(struct cgroup *cgrp) {}
static inline int cgroup_bpf_inherit(struct cgroup *cgrp) { return 0; } static inline int cgroup_bpf_inherit(struct cgroup *cgrp) { return 0; }
#define cgroup_bpf_enabled (0)
#define BPF_CGROUP_PRE_CONNECT_ENABLED(sk) (0) #define BPF_CGROUP_PRE_CONNECT_ENABLED(sk) (0)
#define BPF_CGROUP_RUN_PROG_INET_INGRESS(sk,skb) ({ 0; }) #define BPF_CGROUP_RUN_PROG_INET_INGRESS(sk,skb) ({ 0; })
#define BPF_CGROUP_RUN_PROG_INET_EGRESS(sk,skb) ({ 0; }) #define BPF_CGROUP_RUN_PROG_INET_EGRESS(sk,skb) ({ 0; })
...@@ -197,6 +207,8 @@ static inline int cgroup_bpf_inherit(struct cgroup *cgrp) { return 0; } ...@@ -197,6 +207,8 @@ static inline int cgroup_bpf_inherit(struct cgroup *cgrp) { return 0; }
#define BPF_CGROUP_RUN_PROG_INET4_CONNECT_LOCK(sk, uaddr) ({ 0; }) #define BPF_CGROUP_RUN_PROG_INET4_CONNECT_LOCK(sk, uaddr) ({ 0; })
#define BPF_CGROUP_RUN_PROG_INET6_CONNECT(sk, uaddr) ({ 0; }) #define BPF_CGROUP_RUN_PROG_INET6_CONNECT(sk, uaddr) ({ 0; })
#define BPF_CGROUP_RUN_PROG_INET6_CONNECT_LOCK(sk, uaddr) ({ 0; }) #define BPF_CGROUP_RUN_PROG_INET6_CONNECT_LOCK(sk, uaddr) ({ 0; })
#define BPF_CGROUP_RUN_PROG_UDP4_SENDMSG_LOCK(sk, uaddr, t_ctx) ({ 0; })
#define BPF_CGROUP_RUN_PROG_UDP6_SENDMSG_LOCK(sk, uaddr, t_ctx) ({ 0; })
#define BPF_CGROUP_RUN_PROG_SOCK_OPS(sock_ops) ({ 0; }) #define BPF_CGROUP_RUN_PROG_SOCK_OPS(sock_ops) ({ 0; })
#define BPF_CGROUP_RUN_PROG_DEVICE_CGROUP(type,major,minor,access) ({ 0; }) #define BPF_CGROUP_RUN_PROG_DEVICE_CGROUP(type,major,minor,access) ({ 0; })
......
...@@ -1010,6 +1010,7 @@ struct bpf_sock_addr_kern { ...@@ -1010,6 +1010,7 @@ struct bpf_sock_addr_kern {
* only two (src and dst) are available at convert_ctx_access time * only two (src and dst) are available at convert_ctx_access time
*/ */
u64 tmp_reg; u64 tmp_reg;
void *t_ctx; /* Attach type specific context. */
}; };
struct bpf_sock_ops_kern { struct bpf_sock_ops_kern {
......
...@@ -160,6 +160,8 @@ enum bpf_attach_type { ...@@ -160,6 +160,8 @@ enum bpf_attach_type {
BPF_CGROUP_INET6_CONNECT, BPF_CGROUP_INET6_CONNECT,
BPF_CGROUP_INET4_POST_BIND, BPF_CGROUP_INET4_POST_BIND,
BPF_CGROUP_INET6_POST_BIND, BPF_CGROUP_INET6_POST_BIND,
BPF_CGROUP_UDP4_SENDMSG,
BPF_CGROUP_UDP6_SENDMSG,
__MAX_BPF_ATTACH_TYPE __MAX_BPF_ATTACH_TYPE
}; };
...@@ -2363,6 +2365,12 @@ struct bpf_sock_addr { ...@@ -2363,6 +2365,12 @@ struct bpf_sock_addr {
__u32 family; /* Allows 4-byte read, but no write */ __u32 family; /* Allows 4-byte read, but no write */
__u32 type; /* Allows 4-byte read, but no write */ __u32 type; /* Allows 4-byte read, but no write */
__u32 protocol; /* Allows 4-byte read, but no write */ __u32 protocol; /* Allows 4-byte read, but no write */
__u32 msg_src_ip4; /* Allows 1,2,4-byte read an 4-byte write.
* Stored in network byte order.
*/
__u32 msg_src_ip6[4]; /* Allows 1,2,4-byte read an 4-byte write.
* Stored in network byte order.
*/
}; };
/* User bpf_sock_ops struct to access socket values and specify request ops /* User bpf_sock_ops struct to access socket values and specify request ops
......
...@@ -500,6 +500,7 @@ EXPORT_SYMBOL(__cgroup_bpf_run_filter_sk); ...@@ -500,6 +500,7 @@ EXPORT_SYMBOL(__cgroup_bpf_run_filter_sk);
* @sk: sock struct that will use sockaddr * @sk: sock struct that will use sockaddr
* @uaddr: sockaddr struct provided by user * @uaddr: sockaddr struct provided by user
* @type: The type of program to be exectuted * @type: The type of program to be exectuted
* @t_ctx: Pointer to attach type specific context
* *
* socket is expected to be of type INET or INET6. * socket is expected to be of type INET or INET6.
* *
...@@ -508,12 +509,15 @@ EXPORT_SYMBOL(__cgroup_bpf_run_filter_sk); ...@@ -508,12 +509,15 @@ EXPORT_SYMBOL(__cgroup_bpf_run_filter_sk);
*/ */
int __cgroup_bpf_run_filter_sock_addr(struct sock *sk, int __cgroup_bpf_run_filter_sock_addr(struct sock *sk,
struct sockaddr *uaddr, struct sockaddr *uaddr,
enum bpf_attach_type type) enum bpf_attach_type type,
void *t_ctx)
{ {
struct bpf_sock_addr_kern ctx = { struct bpf_sock_addr_kern ctx = {
.sk = sk, .sk = sk,
.uaddr = uaddr, .uaddr = uaddr,
.t_ctx = t_ctx,
}; };
struct sockaddr_storage unspec;
struct cgroup *cgrp; struct cgroup *cgrp;
int ret; int ret;
...@@ -523,6 +527,11 @@ int __cgroup_bpf_run_filter_sock_addr(struct sock *sk, ...@@ -523,6 +527,11 @@ int __cgroup_bpf_run_filter_sock_addr(struct sock *sk,
if (sk->sk_family != AF_INET && sk->sk_family != AF_INET6) if (sk->sk_family != AF_INET && sk->sk_family != AF_INET6)
return 0; return 0;
if (!ctx.uaddr) {
memset(&unspec, 0, sizeof(unspec));
ctx.uaddr = (struct sockaddr *)&unspec;
}
cgrp = sock_cgroup_ptr(&sk->sk_cgrp_data); cgrp = sock_cgroup_ptr(&sk->sk_cgrp_data);
ret = BPF_PROG_RUN_ARRAY(cgrp->bpf.effective[type], &ctx, BPF_PROG_RUN); ret = BPF_PROG_RUN_ARRAY(cgrp->bpf.effective[type], &ctx, BPF_PROG_RUN);
......
...@@ -1249,6 +1249,8 @@ bpf_prog_load_check_attach_type(enum bpf_prog_type prog_type, ...@@ -1249,6 +1249,8 @@ bpf_prog_load_check_attach_type(enum bpf_prog_type prog_type,
case BPF_CGROUP_INET6_BIND: case BPF_CGROUP_INET6_BIND:
case BPF_CGROUP_INET4_CONNECT: case BPF_CGROUP_INET4_CONNECT:
case BPF_CGROUP_INET6_CONNECT: case BPF_CGROUP_INET6_CONNECT:
case BPF_CGROUP_UDP4_SENDMSG:
case BPF_CGROUP_UDP6_SENDMSG:
return 0; return 0;
default: default:
return -EINVAL; return -EINVAL;
...@@ -1565,6 +1567,8 @@ static int bpf_prog_attach(const union bpf_attr *attr) ...@@ -1565,6 +1567,8 @@ static int bpf_prog_attach(const union bpf_attr *attr)
case BPF_CGROUP_INET6_BIND: case BPF_CGROUP_INET6_BIND:
case BPF_CGROUP_INET4_CONNECT: case BPF_CGROUP_INET4_CONNECT:
case BPF_CGROUP_INET6_CONNECT: case BPF_CGROUP_INET6_CONNECT:
case BPF_CGROUP_UDP4_SENDMSG:
case BPF_CGROUP_UDP6_SENDMSG:
ptype = BPF_PROG_TYPE_CGROUP_SOCK_ADDR; ptype = BPF_PROG_TYPE_CGROUP_SOCK_ADDR;
break; break;
case BPF_CGROUP_SOCK_OPS: case BPF_CGROUP_SOCK_OPS:
...@@ -1635,6 +1639,8 @@ static int bpf_prog_detach(const union bpf_attr *attr) ...@@ -1635,6 +1639,8 @@ static int bpf_prog_detach(const union bpf_attr *attr)
case BPF_CGROUP_INET6_BIND: case BPF_CGROUP_INET6_BIND:
case BPF_CGROUP_INET4_CONNECT: case BPF_CGROUP_INET4_CONNECT:
case BPF_CGROUP_INET6_CONNECT: case BPF_CGROUP_INET6_CONNECT:
case BPF_CGROUP_UDP4_SENDMSG:
case BPF_CGROUP_UDP6_SENDMSG:
ptype = BPF_PROG_TYPE_CGROUP_SOCK_ADDR; ptype = BPF_PROG_TYPE_CGROUP_SOCK_ADDR;
break; break;
case BPF_CGROUP_SOCK_OPS: case BPF_CGROUP_SOCK_OPS:
...@@ -1692,6 +1698,8 @@ static int bpf_prog_query(const union bpf_attr *attr, ...@@ -1692,6 +1698,8 @@ static int bpf_prog_query(const union bpf_attr *attr,
case BPF_CGROUP_INET6_POST_BIND: case BPF_CGROUP_INET6_POST_BIND:
case BPF_CGROUP_INET4_CONNECT: case BPF_CGROUP_INET4_CONNECT:
case BPF_CGROUP_INET6_CONNECT: case BPF_CGROUP_INET6_CONNECT:
case BPF_CGROUP_UDP4_SENDMSG:
case BPF_CGROUP_UDP6_SENDMSG:
case BPF_CGROUP_SOCK_OPS: case BPF_CGROUP_SOCK_OPS:
case BPF_CGROUP_DEVICE: case BPF_CGROUP_DEVICE:
break; break;
......
...@@ -5299,6 +5299,7 @@ static bool sock_addr_is_valid_access(int off, int size, ...@@ -5299,6 +5299,7 @@ static bool sock_addr_is_valid_access(int off, int size,
switch (prog->expected_attach_type) { switch (prog->expected_attach_type) {
case BPF_CGROUP_INET4_BIND: case BPF_CGROUP_INET4_BIND:
case BPF_CGROUP_INET4_CONNECT: case BPF_CGROUP_INET4_CONNECT:
case BPF_CGROUP_UDP4_SENDMSG:
break; break;
default: default:
return false; return false;
...@@ -5308,6 +5309,24 @@ static bool sock_addr_is_valid_access(int off, int size, ...@@ -5308,6 +5309,24 @@ static bool sock_addr_is_valid_access(int off, int size,
switch (prog->expected_attach_type) { switch (prog->expected_attach_type) {
case BPF_CGROUP_INET6_BIND: case BPF_CGROUP_INET6_BIND:
case BPF_CGROUP_INET6_CONNECT: case BPF_CGROUP_INET6_CONNECT:
case BPF_CGROUP_UDP6_SENDMSG:
break;
default:
return false;
}
break;
case bpf_ctx_range(struct bpf_sock_addr, msg_src_ip4):
switch (prog->expected_attach_type) {
case BPF_CGROUP_UDP4_SENDMSG:
break;
default:
return false;
}
break;
case bpf_ctx_range_till(struct bpf_sock_addr, msg_src_ip6[0],
msg_src_ip6[3]):
switch (prog->expected_attach_type) {
case BPF_CGROUP_UDP6_SENDMSG:
break; break;
default: default:
return false; return false;
...@@ -5318,6 +5337,9 @@ static bool sock_addr_is_valid_access(int off, int size, ...@@ -5318,6 +5337,9 @@ static bool sock_addr_is_valid_access(int off, int size,
switch (off) { switch (off) {
case bpf_ctx_range(struct bpf_sock_addr, user_ip4): case bpf_ctx_range(struct bpf_sock_addr, user_ip4):
case bpf_ctx_range_till(struct bpf_sock_addr, user_ip6[0], user_ip6[3]): case bpf_ctx_range_till(struct bpf_sock_addr, user_ip6[0], user_ip6[3]):
case bpf_ctx_range(struct bpf_sock_addr, msg_src_ip4):
case bpf_ctx_range_till(struct bpf_sock_addr, msg_src_ip6[0],
msg_src_ip6[3]):
/* Only narrow read access allowed for now. */ /* Only narrow read access allowed for now. */
if (type == BPF_READ) { if (type == BPF_READ) {
bpf_ctx_record_field_size(info, size_default); bpf_ctx_record_field_size(info, size_default);
...@@ -6072,6 +6094,23 @@ static u32 sock_addr_convert_ctx_access(enum bpf_access_type type, ...@@ -6072,6 +6094,23 @@ static u32 sock_addr_convert_ctx_access(enum bpf_access_type type,
*insn++ = BPF_ALU32_IMM(BPF_RSH, si->dst_reg, *insn++ = BPF_ALU32_IMM(BPF_RSH, si->dst_reg,
SK_FL_PROTO_SHIFT); SK_FL_PROTO_SHIFT);
break; break;
case offsetof(struct bpf_sock_addr, msg_src_ip4):
/* Treat t_ctx as struct in_addr for msg_src_ip4. */
SOCK_ADDR_LOAD_OR_STORE_NESTED_FIELD_SIZE_OFF(
struct bpf_sock_addr_kern, struct in_addr, t_ctx,
s_addr, BPF_SIZE(si->code), 0, tmp_reg);
break;
case bpf_ctx_range_till(struct bpf_sock_addr, msg_src_ip6[0],
msg_src_ip6[3]):
off = si->off;
off -= offsetof(struct bpf_sock_addr, msg_src_ip6[0]);
/* Treat t_ctx as struct in6_addr for msg_src_ip6. */
SOCK_ADDR_LOAD_OR_STORE_NESTED_FIELD_SIZE_OFF(
struct bpf_sock_addr_kern, struct in6_addr, t_ctx,
s6_addr32[0], BPF_SIZE(si->code), off, tmp_reg);
break;
} }
return insn - insn_buf; return insn - insn_buf;
......
...@@ -901,6 +901,7 @@ int udp_sendmsg(struct sock *sk, struct msghdr *msg, size_t len) ...@@ -901,6 +901,7 @@ int udp_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
{ {
struct inet_sock *inet = inet_sk(sk); struct inet_sock *inet = inet_sk(sk);
struct udp_sock *up = udp_sk(sk); struct udp_sock *up = udp_sk(sk);
DECLARE_SOCKADDR(struct sockaddr_in *, usin, msg->msg_name);
struct flowi4 fl4_stack; struct flowi4 fl4_stack;
struct flowi4 *fl4; struct flowi4 *fl4;
int ulen = len; int ulen = len;
...@@ -955,8 +956,7 @@ int udp_sendmsg(struct sock *sk, struct msghdr *msg, size_t len) ...@@ -955,8 +956,7 @@ int udp_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
/* /*
* Get and verify the address. * Get and verify the address.
*/ */
if (msg->msg_name) { if (usin) {
DECLARE_SOCKADDR(struct sockaddr_in *, usin, msg->msg_name);
if (msg->msg_namelen < sizeof(*usin)) if (msg->msg_namelen < sizeof(*usin))
return -EINVAL; return -EINVAL;
if (usin->sin_family != AF_INET) { if (usin->sin_family != AF_INET) {
...@@ -1010,6 +1010,22 @@ int udp_sendmsg(struct sock *sk, struct msghdr *msg, size_t len) ...@@ -1010,6 +1010,22 @@ int udp_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
rcu_read_unlock(); rcu_read_unlock();
} }
if (cgroup_bpf_enabled && !connected) {
err = BPF_CGROUP_RUN_PROG_UDP4_SENDMSG_LOCK(sk,
(struct sockaddr *)usin, &ipc.addr);
if (err)
goto out_free;
if (usin) {
if (usin->sin_port == 0) {
/* BPF program set invalid port. Reject it. */
err = -EINVAL;
goto out_free;
}
daddr = usin->sin_addr.s_addr;
dport = usin->sin_port;
}
}
saddr = ipc.addr; saddr = ipc.addr;
ipc.addr = faddr = daddr; ipc.addr = faddr = daddr;
......
...@@ -1316,6 +1316,29 @@ int udpv6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len) ...@@ -1316,6 +1316,29 @@ int udpv6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
fl6.saddr = np->saddr; fl6.saddr = np->saddr;
fl6.fl6_sport = inet->inet_sport; fl6.fl6_sport = inet->inet_sport;
if (cgroup_bpf_enabled && !connected) {
err = BPF_CGROUP_RUN_PROG_UDP6_SENDMSG_LOCK(sk,
(struct sockaddr *)sin6, &fl6.saddr);
if (err)
goto out_no_dst;
if (sin6) {
if (ipv6_addr_v4mapped(&sin6->sin6_addr)) {
/* BPF program rewrote IPv6-only by IPv4-mapped
* IPv6. It's currently unsupported.
*/
err = -ENOTSUPP;
goto out_no_dst;
}
if (sin6->sin6_port == 0) {
/* BPF program set invalid port. Reject it. */
err = -EINVAL;
goto out_no_dst;
}
fl6.fl6_dport = sin6->sin6_port;
fl6.daddr = sin6->sin6_addr;
}
}
final_p = fl6_update_dst(&fl6, opt, &final); final_p = fl6_update_dst(&fl6, opt, &final);
if (final_p) if (final_p)
connected = false; connected = false;
...@@ -1395,6 +1418,7 @@ int udpv6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len) ...@@ -1395,6 +1418,7 @@ int udpv6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
out: out:
dst_release(dst); dst_release(dst);
out_no_dst:
fl6_sock_release(flowlabel); fl6_sock_release(flowlabel);
txopt_put(opt_to_free); txopt_put(opt_to_free);
if (!err) if (!err)
......
...@@ -160,6 +160,8 @@ enum bpf_attach_type { ...@@ -160,6 +160,8 @@ enum bpf_attach_type {
BPF_CGROUP_INET6_CONNECT, BPF_CGROUP_INET6_CONNECT,
BPF_CGROUP_INET4_POST_BIND, BPF_CGROUP_INET4_POST_BIND,
BPF_CGROUP_INET6_POST_BIND, BPF_CGROUP_INET6_POST_BIND,
BPF_CGROUP_UDP4_SENDMSG,
BPF_CGROUP_UDP6_SENDMSG,
__MAX_BPF_ATTACH_TYPE __MAX_BPF_ATTACH_TYPE
}; };
...@@ -2363,6 +2365,12 @@ struct bpf_sock_addr { ...@@ -2363,6 +2365,12 @@ struct bpf_sock_addr {
__u32 family; /* Allows 4-byte read, but no write */ __u32 family; /* Allows 4-byte read, but no write */
__u32 type; /* Allows 4-byte read, but no write */ __u32 type; /* Allows 4-byte read, but no write */
__u32 protocol; /* Allows 4-byte read, but no write */ __u32 protocol; /* Allows 4-byte read, but no write */
__u32 msg_src_ip4; /* Allows 1,2,4-byte read an 4-byte write.
* Stored in network byte order.
*/
__u32 msg_src_ip6[4]; /* Allows 1,2,4-byte read an 4-byte write.
* Stored in network byte order.
*/
}; };
/* User bpf_sock_ops struct to access socket values and specify request ops /* User bpf_sock_ops struct to access socket values and specify request ops
......
...@@ -2043,6 +2043,8 @@ static const struct { ...@@ -2043,6 +2043,8 @@ static const struct {
BPF_SA_PROG_SEC("cgroup/bind6", BPF_CGROUP_INET6_BIND), BPF_SA_PROG_SEC("cgroup/bind6", BPF_CGROUP_INET6_BIND),
BPF_SA_PROG_SEC("cgroup/connect4", BPF_CGROUP_INET4_CONNECT), BPF_SA_PROG_SEC("cgroup/connect4", BPF_CGROUP_INET4_CONNECT),
BPF_SA_PROG_SEC("cgroup/connect6", BPF_CGROUP_INET6_CONNECT), BPF_SA_PROG_SEC("cgroup/connect6", BPF_CGROUP_INET6_CONNECT),
BPF_SA_PROG_SEC("cgroup/sendmsg4", BPF_CGROUP_UDP4_SENDMSG),
BPF_SA_PROG_SEC("cgroup/sendmsg6", BPF_CGROUP_UDP6_SENDMSG),
BPF_S_PROG_SEC("cgroup/post_bind4", BPF_CGROUP_INET4_POST_BIND), BPF_S_PROG_SEC("cgroup/post_bind4", BPF_CGROUP_INET4_POST_BIND),
BPF_S_PROG_SEC("cgroup/post_bind6", BPF_CGROUP_INET6_POST_BIND), BPF_S_PROG_SEC("cgroup/post_bind6", BPF_CGROUP_INET6_POST_BIND),
}; };
......
...@@ -34,7 +34,7 @@ TEST_GEN_FILES = test_pkt_access.o test_xdp.o test_l4lb.o test_tcp_estats.o test ...@@ -34,7 +34,7 @@ TEST_GEN_FILES = test_pkt_access.o test_xdp.o test_l4lb.o test_tcp_estats.o test
sockmap_tcp_msg_prog.o connect4_prog.o connect6_prog.o test_adjust_tail.o \ sockmap_tcp_msg_prog.o connect4_prog.o connect6_prog.o test_adjust_tail.o \
test_btf_haskv.o test_btf_nokv.o test_sockmap_kern.o test_tunnel_kern.o \ test_btf_haskv.o test_btf_nokv.o test_sockmap_kern.o test_tunnel_kern.o \
test_get_stack_rawtp.o test_sockmap_kern.o test_sockhash_kern.o \ test_get_stack_rawtp.o test_sockmap_kern.o test_sockhash_kern.o \
test_lwt_seg6local.o test_lwt_seg6local.o sendmsg4_prog.o sendmsg6_prog.o
# Order correspond to 'make run_tests' order # Order correspond to 'make run_tests' order
TEST_PROGS := test_kmod.sh \ TEST_PROGS := test_kmod.sh \
......
// SPDX-License-Identifier: GPL-2.0
// Copyright (c) 2018 Facebook
#include <linux/stddef.h>
#include <linux/bpf.h>
#include <sys/socket.h>
#include "bpf_helpers.h"
#include "bpf_endian.h"
#define SRC1_IP4 0xAC100001U /* 172.16.0.1 */
#define SRC2_IP4 0x00000000U
#define SRC_REWRITE_IP4 0x7f000004U
#define DST_IP4 0xC0A801FEU /* 192.168.1.254 */
#define DST_REWRITE_IP4 0x7f000001U
#define DST_PORT 4040
#define DST_REWRITE_PORT4 4444
int _version SEC("version") = 1;
SEC("cgroup/sendmsg4")
int sendmsg_v4_prog(struct bpf_sock_addr *ctx)
{
if (ctx->type != SOCK_DGRAM)
return 0;
/* Rewrite source. */
if (ctx->msg_src_ip4 == bpf_htonl(SRC1_IP4) ||
ctx->msg_src_ip4 == bpf_htonl(SRC2_IP4)) {
ctx->msg_src_ip4 = bpf_htonl(SRC_REWRITE_IP4);
} else {
/* Unexpected source. Reject sendmsg. */
return 0;
}
/* Rewrite destination. */
if ((ctx->user_ip4 >> 24) == (bpf_htonl(DST_IP4) >> 24) &&
ctx->user_port == bpf_htons(DST_PORT)) {
ctx->user_ip4 = bpf_htonl(DST_REWRITE_IP4);
ctx->user_port = bpf_htons(DST_REWRITE_PORT4);
} else {
/* Unexpected source. Reject sendmsg. */
return 0;
}
return 1;
}
char _license[] SEC("license") = "GPL";
// SPDX-License-Identifier: GPL-2.0
// Copyright (c) 2018 Facebook
#include <linux/stddef.h>
#include <linux/bpf.h>
#include <sys/socket.h>
#include "bpf_helpers.h"
#include "bpf_endian.h"
#define SRC_REWRITE_IP6_0 0
#define SRC_REWRITE_IP6_1 0
#define SRC_REWRITE_IP6_2 0
#define SRC_REWRITE_IP6_3 6
#define DST_REWRITE_IP6_0 0
#define DST_REWRITE_IP6_1 0
#define DST_REWRITE_IP6_2 0
#define DST_REWRITE_IP6_3 1
#define DST_REWRITE_PORT6 6666
int _version SEC("version") = 1;
SEC("cgroup/sendmsg6")
int sendmsg_v6_prog(struct bpf_sock_addr *ctx)
{
if (ctx->type != SOCK_DGRAM)
return 0;
/* Rewrite source. */
if (ctx->msg_src_ip6[3] == bpf_htonl(1) ||
ctx->msg_src_ip6[3] == bpf_htonl(0)) {
ctx->msg_src_ip6[0] = bpf_htonl(SRC_REWRITE_IP6_0);
ctx->msg_src_ip6[1] = bpf_htonl(SRC_REWRITE_IP6_1);
ctx->msg_src_ip6[2] = bpf_htonl(SRC_REWRITE_IP6_2);
ctx->msg_src_ip6[3] = bpf_htonl(SRC_REWRITE_IP6_3);
} else {
/* Unexpected source. Reject sendmsg. */
return 0;
}
/* Rewrite destination. */
if ((ctx->user_ip6[0] & 0xFFFF) == bpf_htons(0xFACE) &&
ctx->user_ip6[0] >> 16 == bpf_htons(0xB00C)) {
ctx->user_ip6[0] = bpf_htonl(DST_REWRITE_IP6_0);
ctx->user_ip6[1] = bpf_htonl(DST_REWRITE_IP6_1);
ctx->user_ip6[2] = bpf_htonl(DST_REWRITE_IP6_2);
ctx->user_ip6[3] = bpf_htonl(DST_REWRITE_IP6_3);
ctx->user_port = bpf_htons(DST_REWRITE_PORT6);
} else {
/* Unexpected destination. Reject sendmsg. */
return 0;
}
return 1;
}
char _license[] SEC("license") = "GPL";
// SPDX-License-Identifier: GPL-2.0 // SPDX-License-Identifier: GPL-2.0
// Copyright (c) 2018 Facebook // Copyright (c) 2018 Facebook
#define _GNU_SOURCE
#include <stdio.h> #include <stdio.h>
#include <stdlib.h> #include <stdlib.h>
#include <unistd.h> #include <unistd.h>
#include <arpa/inet.h> #include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/types.h> #include <sys/types.h>
#include <sys/select.h>
#include <sys/socket.h> #include <sys/socket.h>
#include <linux/filter.h> #include <linux/filter.h>
...@@ -17,34 +21,465 @@ ...@@ -17,34 +21,465 @@
#include "cgroup_helpers.h" #include "cgroup_helpers.h"
#include "bpf_rlimit.h" #include "bpf_rlimit.h"
#ifndef ENOTSUPP
# define ENOTSUPP 524
#endif
#ifndef ARRAY_SIZE
# define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
#endif
#define CG_PATH "/foo" #define CG_PATH "/foo"
#define CONNECT4_PROG_PATH "./connect4_prog.o" #define CONNECT4_PROG_PATH "./connect4_prog.o"
#define CONNECT6_PROG_PATH "./connect6_prog.o" #define CONNECT6_PROG_PATH "./connect6_prog.o"
#define SENDMSG4_PROG_PATH "./sendmsg4_prog.o"
#define SENDMSG6_PROG_PATH "./sendmsg6_prog.o"
#define SERV4_IP "192.168.1.254" #define SERV4_IP "192.168.1.254"
#define SERV4_REWRITE_IP "127.0.0.1" #define SERV4_REWRITE_IP "127.0.0.1"
#define SRC4_IP "172.16.0.1"
#define SRC4_REWRITE_IP "127.0.0.4"
#define SERV4_PORT 4040 #define SERV4_PORT 4040
#define SERV4_REWRITE_PORT 4444 #define SERV4_REWRITE_PORT 4444
#define SERV6_IP "face:b00c:1234:5678::abcd" #define SERV6_IP "face:b00c:1234:5678::abcd"
#define SERV6_REWRITE_IP "::1" #define SERV6_REWRITE_IP "::1"
#define SERV6_V4MAPPED_IP "::ffff:192.168.0.4"
#define SRC6_IP "::1"
#define SRC6_REWRITE_IP "::6"
#define SERV6_PORT 6060 #define SERV6_PORT 6060
#define SERV6_REWRITE_PORT 6666 #define SERV6_REWRITE_PORT 6666
#define INET_NTOP_BUF 40 #define INET_NTOP_BUF 40
typedef int (*load_fn)(enum bpf_attach_type, const char *comment); struct sock_addr_test;
typedef int (*load_fn)(const struct sock_addr_test *test);
typedef int (*info_fn)(int, struct sockaddr *, socklen_t *); typedef int (*info_fn)(int, struct sockaddr *, socklen_t *);
struct program { char bpf_log_buf[BPF_LOG_BUF_SIZE];
enum bpf_attach_type type;
struct sock_addr_test {
const char *descr;
/* BPF prog properties */
load_fn loadfn; load_fn loadfn;
int fd; enum bpf_attach_type expected_attach_type;
const char *name; enum bpf_attach_type attach_type;
enum bpf_attach_type invalid_type; /* Socket properties */
int domain;
int type;
/* IP:port pairs for BPF prog to override */
const char *requested_ip;
unsigned short requested_port;
const char *expected_ip;
unsigned short expected_port;
const char *expected_src_ip;
/* Expected test result */
enum {
LOAD_REJECT,
ATTACH_REJECT,
SYSCALL_EPERM,
SYSCALL_ENOTSUPP,
SUCCESS,
} expected_result;
}; };
char bpf_log_buf[BPF_LOG_BUF_SIZE]; static int bind4_prog_load(const struct sock_addr_test *test);
static int bind6_prog_load(const struct sock_addr_test *test);
static int connect4_prog_load(const struct sock_addr_test *test);
static int connect6_prog_load(const struct sock_addr_test *test);
static int sendmsg_deny_prog_load(const struct sock_addr_test *test);
static int sendmsg4_rw_asm_prog_load(const struct sock_addr_test *test);
static int sendmsg4_rw_c_prog_load(const struct sock_addr_test *test);
static int sendmsg6_rw_asm_prog_load(const struct sock_addr_test *test);
static int sendmsg6_rw_c_prog_load(const struct sock_addr_test *test);
static int sendmsg6_rw_v4mapped_prog_load(const struct sock_addr_test *test);
static struct sock_addr_test tests[] = {
/* bind */
{
"bind4: load prog with wrong expected attach type",
bind4_prog_load,
BPF_CGROUP_INET6_BIND,
BPF_CGROUP_INET4_BIND,
AF_INET,
SOCK_STREAM,
NULL,
0,
NULL,
0,
NULL,
LOAD_REJECT,
},
{
"bind4: attach prog with wrong attach type",
bind4_prog_load,
BPF_CGROUP_INET4_BIND,
BPF_CGROUP_INET6_BIND,
AF_INET,
SOCK_STREAM,
NULL,
0,
NULL,
0,
NULL,
ATTACH_REJECT,
},
{
"bind4: rewrite IP & TCP port in",
bind4_prog_load,
BPF_CGROUP_INET4_BIND,
BPF_CGROUP_INET4_BIND,
AF_INET,
SOCK_STREAM,
SERV4_IP,
SERV4_PORT,
SERV4_REWRITE_IP,
SERV4_REWRITE_PORT,
NULL,
SUCCESS,
},
{
"bind4: rewrite IP & UDP port in",
bind4_prog_load,
BPF_CGROUP_INET4_BIND,
BPF_CGROUP_INET4_BIND,
AF_INET,
SOCK_DGRAM,
SERV4_IP,
SERV4_PORT,
SERV4_REWRITE_IP,
SERV4_REWRITE_PORT,
NULL,
SUCCESS,
},
{
"bind6: load prog with wrong expected attach type",
bind6_prog_load,
BPF_CGROUP_INET4_BIND,
BPF_CGROUP_INET6_BIND,
AF_INET6,
SOCK_STREAM,
NULL,
0,
NULL,
0,
NULL,
LOAD_REJECT,
},
{
"bind6: attach prog with wrong attach type",
bind6_prog_load,
BPF_CGROUP_INET6_BIND,
BPF_CGROUP_INET4_BIND,
AF_INET,
SOCK_STREAM,
NULL,
0,
NULL,
0,
NULL,
ATTACH_REJECT,
},
{
"bind6: rewrite IP & TCP port in",
bind6_prog_load,
BPF_CGROUP_INET6_BIND,
BPF_CGROUP_INET6_BIND,
AF_INET6,
SOCK_STREAM,
SERV6_IP,
SERV6_PORT,
SERV6_REWRITE_IP,
SERV6_REWRITE_PORT,
NULL,
SUCCESS,
},
{
"bind6: rewrite IP & UDP port in",
bind6_prog_load,
BPF_CGROUP_INET6_BIND,
BPF_CGROUP_INET6_BIND,
AF_INET6,
SOCK_DGRAM,
SERV6_IP,
SERV6_PORT,
SERV6_REWRITE_IP,
SERV6_REWRITE_PORT,
NULL,
SUCCESS,
},
/* connect */
{
"connect4: load prog with wrong expected attach type",
connect4_prog_load,
BPF_CGROUP_INET6_CONNECT,
BPF_CGROUP_INET4_CONNECT,
AF_INET,
SOCK_STREAM,
NULL,
0,
NULL,
0,
NULL,
LOAD_REJECT,
},
{
"connect4: attach prog with wrong attach type",
connect4_prog_load,
BPF_CGROUP_INET4_CONNECT,
BPF_CGROUP_INET6_CONNECT,
AF_INET,
SOCK_STREAM,
NULL,
0,
NULL,
0,
NULL,
ATTACH_REJECT,
},
{
"connect4: rewrite IP & TCP port",
connect4_prog_load,
BPF_CGROUP_INET4_CONNECT,
BPF_CGROUP_INET4_CONNECT,
AF_INET,
SOCK_STREAM,
SERV4_IP,
SERV4_PORT,
SERV4_REWRITE_IP,
SERV4_REWRITE_PORT,
SRC4_REWRITE_IP,
SUCCESS,
},
{
"connect4: rewrite IP & UDP port",
connect4_prog_load,
BPF_CGROUP_INET4_CONNECT,
BPF_CGROUP_INET4_CONNECT,
AF_INET,
SOCK_DGRAM,
SERV4_IP,
SERV4_PORT,
SERV4_REWRITE_IP,
SERV4_REWRITE_PORT,
SRC4_REWRITE_IP,
SUCCESS,
},
{
"connect6: load prog with wrong expected attach type",
connect6_prog_load,
BPF_CGROUP_INET4_CONNECT,
BPF_CGROUP_INET6_CONNECT,
AF_INET6,
SOCK_STREAM,
NULL,
0,
NULL,
0,
NULL,
LOAD_REJECT,
},
{
"connect6: attach prog with wrong attach type",
connect6_prog_load,
BPF_CGROUP_INET6_CONNECT,
BPF_CGROUP_INET4_CONNECT,
AF_INET,
SOCK_STREAM,
NULL,
0,
NULL,
0,
NULL,
ATTACH_REJECT,
},
{
"connect6: rewrite IP & TCP port",
connect6_prog_load,
BPF_CGROUP_INET6_CONNECT,
BPF_CGROUP_INET6_CONNECT,
AF_INET6,
SOCK_STREAM,
SERV6_IP,
SERV6_PORT,
SERV6_REWRITE_IP,
SERV6_REWRITE_PORT,
SRC6_REWRITE_IP,
SUCCESS,
},
{
"connect6: rewrite IP & UDP port",
connect6_prog_load,
BPF_CGROUP_INET6_CONNECT,
BPF_CGROUP_INET6_CONNECT,
AF_INET6,
SOCK_DGRAM,
SERV6_IP,
SERV6_PORT,
SERV6_REWRITE_IP,
SERV6_REWRITE_PORT,
SRC6_REWRITE_IP,
SUCCESS,
},
/* sendmsg */
{
"sendmsg4: load prog with wrong expected attach type",
sendmsg4_rw_asm_prog_load,
BPF_CGROUP_UDP6_SENDMSG,
BPF_CGROUP_UDP4_SENDMSG,
AF_INET,
SOCK_DGRAM,
NULL,
0,
NULL,
0,
NULL,
LOAD_REJECT,
},
{
"sendmsg4: attach prog with wrong attach type",
sendmsg4_rw_asm_prog_load,
BPF_CGROUP_UDP4_SENDMSG,
BPF_CGROUP_UDP6_SENDMSG,
AF_INET,
SOCK_DGRAM,
NULL,
0,
NULL,
0,
NULL,
ATTACH_REJECT,
},
{
"sendmsg4: rewrite IP & port (asm)",
sendmsg4_rw_asm_prog_load,
BPF_CGROUP_UDP4_SENDMSG,
BPF_CGROUP_UDP4_SENDMSG,
AF_INET,
SOCK_DGRAM,
SERV4_IP,
SERV4_PORT,
SERV4_REWRITE_IP,
SERV4_REWRITE_PORT,
SRC4_REWRITE_IP,
SUCCESS,
},
{
"sendmsg4: rewrite IP & port (C)",
sendmsg4_rw_c_prog_load,
BPF_CGROUP_UDP4_SENDMSG,
BPF_CGROUP_UDP4_SENDMSG,
AF_INET,
SOCK_DGRAM,
SERV4_IP,
SERV4_PORT,
SERV4_REWRITE_IP,
SERV4_REWRITE_PORT,
SRC4_REWRITE_IP,
SUCCESS,
},
{
"sendmsg4: deny call",
sendmsg_deny_prog_load,
BPF_CGROUP_UDP4_SENDMSG,
BPF_CGROUP_UDP4_SENDMSG,
AF_INET,
SOCK_DGRAM,
SERV4_IP,
SERV4_PORT,
SERV4_REWRITE_IP,
SERV4_REWRITE_PORT,
SRC4_REWRITE_IP,
SYSCALL_EPERM,
},
{
"sendmsg6: load prog with wrong expected attach type",
sendmsg6_rw_asm_prog_load,
BPF_CGROUP_UDP4_SENDMSG,
BPF_CGROUP_UDP6_SENDMSG,
AF_INET6,
SOCK_DGRAM,
NULL,
0,
NULL,
0,
NULL,
LOAD_REJECT,
},
{
"sendmsg6: attach prog with wrong attach type",
sendmsg6_rw_asm_prog_load,
BPF_CGROUP_UDP6_SENDMSG,
BPF_CGROUP_UDP4_SENDMSG,
AF_INET6,
SOCK_DGRAM,
NULL,
0,
NULL,
0,
NULL,
ATTACH_REJECT,
},
{
"sendmsg6: rewrite IP & port (asm)",
sendmsg6_rw_asm_prog_load,
BPF_CGROUP_UDP6_SENDMSG,
BPF_CGROUP_UDP6_SENDMSG,
AF_INET6,
SOCK_DGRAM,
SERV6_IP,
SERV6_PORT,
SERV6_REWRITE_IP,
SERV6_REWRITE_PORT,
SRC6_REWRITE_IP,
SUCCESS,
},
{
"sendmsg6: rewrite IP & port (C)",
sendmsg6_rw_c_prog_load,
BPF_CGROUP_UDP6_SENDMSG,
BPF_CGROUP_UDP6_SENDMSG,
AF_INET6,
SOCK_DGRAM,
SERV6_IP,
SERV6_PORT,
SERV6_REWRITE_IP,
SERV6_REWRITE_PORT,
SRC6_REWRITE_IP,
SUCCESS,
},
{
"sendmsg6: IPv4-mapped IPv6",
sendmsg6_rw_v4mapped_prog_load,
BPF_CGROUP_UDP6_SENDMSG,
BPF_CGROUP_UDP6_SENDMSG,
AF_INET6,
SOCK_DGRAM,
SERV6_IP,
SERV6_PORT,
SERV6_REWRITE_IP,
SERV6_REWRITE_PORT,
SRC6_REWRITE_IP,
SYSCALL_ENOTSUPP,
},
{
"sendmsg6: deny call",
sendmsg_deny_prog_load,
BPF_CGROUP_UDP6_SENDMSG,
BPF_CGROUP_UDP6_SENDMSG,
AF_INET6,
SOCK_DGRAM,
SERV6_IP,
SERV6_PORT,
SERV6_REWRITE_IP,
SERV6_REWRITE_PORT,
SRC6_REWRITE_IP,
SYSCALL_EPERM,
},
};
static int mk_sockaddr(int domain, const char *ip, unsigned short port, static int mk_sockaddr(int domain, const char *ip, unsigned short port,
struct sockaddr *addr, socklen_t addr_len) struct sockaddr *addr, socklen_t addr_len)
...@@ -84,25 +519,23 @@ static int mk_sockaddr(int domain, const char *ip, unsigned short port, ...@@ -84,25 +519,23 @@ static int mk_sockaddr(int domain, const char *ip, unsigned short port,
return 0; return 0;
} }
static int load_insns(enum bpf_attach_type attach_type, static int load_insns(const struct sock_addr_test *test,
const struct bpf_insn *insns, size_t insns_cnt, const struct bpf_insn *insns, size_t insns_cnt)
const char *comment)
{ {
struct bpf_load_program_attr load_attr; struct bpf_load_program_attr load_attr;
int ret; int ret;
memset(&load_attr, 0, sizeof(struct bpf_load_program_attr)); memset(&load_attr, 0, sizeof(struct bpf_load_program_attr));
load_attr.prog_type = BPF_PROG_TYPE_CGROUP_SOCK_ADDR; load_attr.prog_type = BPF_PROG_TYPE_CGROUP_SOCK_ADDR;
load_attr.expected_attach_type = attach_type; load_attr.expected_attach_type = test->expected_attach_type;
load_attr.insns = insns; load_attr.insns = insns;
load_attr.insns_cnt = insns_cnt; load_attr.insns_cnt = insns_cnt;
load_attr.license = "GPL"; load_attr.license = "GPL";
ret = bpf_load_program_xattr(&load_attr, bpf_log_buf, BPF_LOG_BUF_SIZE); ret = bpf_load_program_xattr(&load_attr, bpf_log_buf, BPF_LOG_BUF_SIZE);
if (ret < 0 && comment) { if (ret < 0 && test->expected_result != LOAD_REJECT) {
log_err(">>> Loading %s program error.\n" log_err(">>> Loading program error.\n"
">>> Output from verifier:\n%s\n-------\n", ">>> Verifier output:\n%s\n-------\n", bpf_log_buf);
comment, bpf_log_buf);
} }
return ret; return ret;
...@@ -119,8 +552,7 @@ static int load_insns(enum bpf_attach_type attach_type, ...@@ -119,8 +552,7 @@ static int load_insns(enum bpf_attach_type attach_type,
* to count jumps properly. * to count jumps properly.
*/ */
static int bind4_prog_load(enum bpf_attach_type attach_type, static int bind4_prog_load(const struct sock_addr_test *test)
const char *comment)
{ {
union { union {
uint8_t u4_addr8[4]; uint8_t u4_addr8[4];
...@@ -186,12 +618,10 @@ static int bind4_prog_load(enum bpf_attach_type attach_type, ...@@ -186,12 +618,10 @@ static int bind4_prog_load(enum bpf_attach_type attach_type,
BPF_EXIT_INSN(), BPF_EXIT_INSN(),
}; };
return load_insns(attach_type, insns, return load_insns(test, insns, sizeof(insns) / sizeof(struct bpf_insn));
sizeof(insns) / sizeof(struct bpf_insn), comment);
} }
static int bind6_prog_load(enum bpf_attach_type attach_type, static int bind6_prog_load(const struct sock_addr_test *test)
const char *comment)
{ {
struct sockaddr_in6 addr6_rw; struct sockaddr_in6 addr6_rw;
struct in6_addr ip6; struct in6_addr ip6;
...@@ -254,13 +684,10 @@ static int bind6_prog_load(enum bpf_attach_type attach_type, ...@@ -254,13 +684,10 @@ static int bind6_prog_load(enum bpf_attach_type attach_type,
BPF_EXIT_INSN(), BPF_EXIT_INSN(),
}; };
return load_insns(attach_type, insns, return load_insns(test, insns, sizeof(insns) / sizeof(struct bpf_insn));
sizeof(insns) / sizeof(struct bpf_insn), comment);
} }
static int connect_prog_load_path(const char *path, static int load_path(const struct sock_addr_test *test, const char *path)
enum bpf_attach_type attach_type,
const char *comment)
{ {
struct bpf_prog_load_attr attr; struct bpf_prog_load_attr attr;
struct bpf_object *obj; struct bpf_object *obj;
...@@ -269,75 +696,218 @@ static int connect_prog_load_path(const char *path, ...@@ -269,75 +696,218 @@ static int connect_prog_load_path(const char *path,
memset(&attr, 0, sizeof(struct bpf_prog_load_attr)); memset(&attr, 0, sizeof(struct bpf_prog_load_attr));
attr.file = path; attr.file = path;
attr.prog_type = BPF_PROG_TYPE_CGROUP_SOCK_ADDR; attr.prog_type = BPF_PROG_TYPE_CGROUP_SOCK_ADDR;
attr.expected_attach_type = attach_type; attr.expected_attach_type = test->expected_attach_type;
if (bpf_prog_load_xattr(&attr, &obj, &prog_fd)) { if (bpf_prog_load_xattr(&attr, &obj, &prog_fd)) {
if (comment) if (test->expected_result != LOAD_REJECT)
log_err(">>> Loading %s program at %s error.\n", log_err(">>> Loading program (%s) error.\n", path);
comment, path);
return -1; return -1;
} }
return prog_fd; return prog_fd;
} }
static int connect4_prog_load(enum bpf_attach_type attach_type, static int connect4_prog_load(const struct sock_addr_test *test)
const char *comment)
{ {
return connect_prog_load_path(CONNECT4_PROG_PATH, attach_type, comment); return load_path(test, CONNECT4_PROG_PATH);
} }
static int connect6_prog_load(enum bpf_attach_type attach_type, static int connect6_prog_load(const struct sock_addr_test *test)
const char *comment)
{ {
return connect_prog_load_path(CONNECT6_PROG_PATH, attach_type, comment); return load_path(test, CONNECT6_PROG_PATH);
} }
static void print_ip_port(int sockfd, info_fn fn, const char *fmt) static int sendmsg_deny_prog_load(const struct sock_addr_test *test)
{ {
char addr_buf[INET_NTOP_BUF]; struct bpf_insn insns[] = {
struct sockaddr_storage addr; /* return 0 */
struct sockaddr_in6 *addr6; BPF_MOV64_IMM(BPF_REG_0, 0),
struct sockaddr_in *addr4; BPF_EXIT_INSN(),
socklen_t addr_len; };
unsigned short port; return load_insns(test, insns, sizeof(insns) / sizeof(struct bpf_insn));
void *nip; }
addr_len = sizeof(struct sockaddr_storage); static int sendmsg4_rw_asm_prog_load(const struct sock_addr_test *test)
memset(&addr, 0, addr_len); {
struct sockaddr_in dst4_rw_addr;
if (fn(sockfd, (struct sockaddr *)&addr, (socklen_t *)&addr_len) == 0) { struct in_addr src4_rw_ip;
if (addr.ss_family == AF_INET) {
addr4 = (struct sockaddr_in *)&addr; if (inet_pton(AF_INET, SRC4_REWRITE_IP, (void *)&src4_rw_ip) != 1) {
nip = (void *)&addr4->sin_addr; log_err("Invalid IPv4: %s", SRC4_REWRITE_IP);
port = ntohs(addr4->sin_port); return -1;
} else if (addr.ss_family == AF_INET6) {
addr6 = (struct sockaddr_in6 *)&addr;
nip = (void *)&addr6->sin6_addr;
port = ntohs(addr6->sin6_port);
} else {
return;
} }
const char *addr_str =
inet_ntop(addr.ss_family, nip, addr_buf, INET_NTOP_BUF); if (mk_sockaddr(AF_INET, SERV4_REWRITE_IP, SERV4_REWRITE_PORT,
printf(fmt, addr_str ? addr_str : "??", port); (struct sockaddr *)&dst4_rw_addr,
sizeof(dst4_rw_addr)) == -1)
return -1;
struct bpf_insn insns[] = {
BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
/* if (sk.family == AF_INET && */
BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_6,
offsetof(struct bpf_sock_addr, family)),
BPF_JMP_IMM(BPF_JNE, BPF_REG_7, AF_INET, 8),
/* sk.type == SOCK_DGRAM) { */
BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_6,
offsetof(struct bpf_sock_addr, type)),
BPF_JMP_IMM(BPF_JNE, BPF_REG_7, SOCK_DGRAM, 6),
/* msg_src_ip4 = src4_rw_ip */
BPF_MOV32_IMM(BPF_REG_7, src4_rw_ip.s_addr),
BPF_STX_MEM(BPF_W, BPF_REG_6, BPF_REG_7,
offsetof(struct bpf_sock_addr, msg_src_ip4)),
/* user_ip4 = dst4_rw_addr.sin_addr */
BPF_MOV32_IMM(BPF_REG_7, dst4_rw_addr.sin_addr.s_addr),
BPF_STX_MEM(BPF_W, BPF_REG_6, BPF_REG_7,
offsetof(struct bpf_sock_addr, user_ip4)),
/* user_port = dst4_rw_addr.sin_port */
BPF_MOV32_IMM(BPF_REG_7, dst4_rw_addr.sin_port),
BPF_STX_MEM(BPF_W, BPF_REG_6, BPF_REG_7,
offsetof(struct bpf_sock_addr, user_port)),
/* } */
/* return 1 */
BPF_MOV64_IMM(BPF_REG_0, 1),
BPF_EXIT_INSN(),
};
return load_insns(test, insns, sizeof(insns) / sizeof(struct bpf_insn));
}
static int sendmsg4_rw_c_prog_load(const struct sock_addr_test *test)
{
return load_path(test, SENDMSG4_PROG_PATH);
}
static int sendmsg6_rw_dst_asm_prog_load(const struct sock_addr_test *test,
const char *rw_dst_ip)
{
struct sockaddr_in6 dst6_rw_addr;
struct in6_addr src6_rw_ip;
if (inet_pton(AF_INET6, SRC6_REWRITE_IP, (void *)&src6_rw_ip) != 1) {
log_err("Invalid IPv6: %s", SRC6_REWRITE_IP);
return -1;
} }
if (mk_sockaddr(AF_INET6, rw_dst_ip, SERV6_REWRITE_PORT,
(struct sockaddr *)&dst6_rw_addr,
sizeof(dst6_rw_addr)) == -1)
return -1;
struct bpf_insn insns[] = {
BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
/* if (sk.family == AF_INET6) { */
BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_6,
offsetof(struct bpf_sock_addr, family)),
BPF_JMP_IMM(BPF_JNE, BPF_REG_7, AF_INET6, 18),
#define STORE_IPV6_WORD_N(DST, SRC, N) \
BPF_MOV32_IMM(BPF_REG_7, SRC[N]), \
BPF_STX_MEM(BPF_W, BPF_REG_6, BPF_REG_7, \
offsetof(struct bpf_sock_addr, DST[N]))
#define STORE_IPV6(DST, SRC) \
STORE_IPV6_WORD_N(DST, SRC, 0), \
STORE_IPV6_WORD_N(DST, SRC, 1), \
STORE_IPV6_WORD_N(DST, SRC, 2), \
STORE_IPV6_WORD_N(DST, SRC, 3)
STORE_IPV6(msg_src_ip6, src6_rw_ip.s6_addr32),
STORE_IPV6(user_ip6, dst6_rw_addr.sin6_addr.s6_addr32),
/* user_port = dst6_rw_addr.sin6_port */
BPF_MOV32_IMM(BPF_REG_7, dst6_rw_addr.sin6_port),
BPF_STX_MEM(BPF_W, BPF_REG_6, BPF_REG_7,
offsetof(struct bpf_sock_addr, user_port)),
/* } */
/* return 1 */
BPF_MOV64_IMM(BPF_REG_0, 1),
BPF_EXIT_INSN(),
};
return load_insns(test, insns, sizeof(insns) / sizeof(struct bpf_insn));
}
static int sendmsg6_rw_asm_prog_load(const struct sock_addr_test *test)
{
return sendmsg6_rw_dst_asm_prog_load(test, SERV6_REWRITE_IP);
}
static int sendmsg6_rw_v4mapped_prog_load(const struct sock_addr_test *test)
{
return sendmsg6_rw_dst_asm_prog_load(test, SERV6_V4MAPPED_IP);
}
static int sendmsg6_rw_c_prog_load(const struct sock_addr_test *test)
{
return load_path(test, SENDMSG6_PROG_PATH);
} }
static void print_local_ip_port(int sockfd, const char *fmt) static int cmp_addr(const struct sockaddr_storage *addr1,
const struct sockaddr_storage *addr2, int cmp_port)
{ {
print_ip_port(sockfd, getsockname, fmt); const struct sockaddr_in *four1, *four2;
const struct sockaddr_in6 *six1, *six2;
if (addr1->ss_family != addr2->ss_family)
return -1;
if (addr1->ss_family == AF_INET) {
four1 = (const struct sockaddr_in *)addr1;
four2 = (const struct sockaddr_in *)addr2;
return !((four1->sin_port == four2->sin_port || !cmp_port) &&
four1->sin_addr.s_addr == four2->sin_addr.s_addr);
} else if (addr1->ss_family == AF_INET6) {
six1 = (const struct sockaddr_in6 *)addr1;
six2 = (const struct sockaddr_in6 *)addr2;
return !((six1->sin6_port == six2->sin6_port || !cmp_port) &&
!memcmp(&six1->sin6_addr, &six2->sin6_addr,
sizeof(struct in6_addr)));
}
return -1;
}
static int cmp_sock_addr(info_fn fn, int sock1,
const struct sockaddr_storage *addr2, int cmp_port)
{
struct sockaddr_storage addr1;
socklen_t len1 = sizeof(addr1);
memset(&addr1, 0, len1);
if (fn(sock1, (struct sockaddr *)&addr1, (socklen_t *)&len1) != 0)
return -1;
return cmp_addr(&addr1, addr2, cmp_port);
} }
static void print_remote_ip_port(int sockfd, const char *fmt) static int cmp_local_ip(int sock1, const struct sockaddr_storage *addr2)
{ {
print_ip_port(sockfd, getpeername, fmt); return cmp_sock_addr(getsockname, sock1, addr2, /*cmp_port*/ 0);
}
static int cmp_local_addr(int sock1, const struct sockaddr_storage *addr2)
{
return cmp_sock_addr(getsockname, sock1, addr2, /*cmp_port*/ 1);
}
static int cmp_peer_addr(int sock1, const struct sockaddr_storage *addr2)
{
return cmp_sock_addr(getpeername, sock1, addr2, /*cmp_port*/ 1);
} }
static int start_server(int type, const struct sockaddr_storage *addr, static int start_server(int type, const struct sockaddr_storage *addr,
socklen_t addr_len) socklen_t addr_len)
{ {
int fd; int fd;
fd = socket(addr->ss_family, type, 0); fd = socket(addr->ss_family, type, 0);
...@@ -358,8 +928,6 @@ static int start_server(int type, const struct sockaddr_storage *addr, ...@@ -358,8 +928,6 @@ static int start_server(int type, const struct sockaddr_storage *addr,
} }
} }
print_local_ip_port(fd, "\t Actual: bind(%s, %d)\n");
goto out; goto out;
close_out: close_out:
close(fd); close(fd);
...@@ -372,19 +940,19 @@ static int connect_to_server(int type, const struct sockaddr_storage *addr, ...@@ -372,19 +940,19 @@ static int connect_to_server(int type, const struct sockaddr_storage *addr,
socklen_t addr_len) socklen_t addr_len)
{ {
int domain; int domain;
int fd; int fd = -1;
domain = addr->ss_family; domain = addr->ss_family;
if (domain != AF_INET && domain != AF_INET6) { if (domain != AF_INET && domain != AF_INET6) {
log_err("Unsupported address family"); log_err("Unsupported address family");
return -1; goto err;
} }
fd = socket(domain, type, 0); fd = socket(domain, type, 0);
if (fd == -1) { if (fd == -1) {
log_err("Failed to creating client socket"); log_err("Failed to create client socket");
return -1; goto err;
} }
if (connect(fd, (const struct sockaddr *)addr, addr_len) == -1) { if (connect(fd, (const struct sockaddr *)addr, addr_len) == -1) {
...@@ -392,162 +960,394 @@ static int connect_to_server(int type, const struct sockaddr_storage *addr, ...@@ -392,162 +960,394 @@ static int connect_to_server(int type, const struct sockaddr_storage *addr,
goto err; goto err;
} }
print_remote_ip_port(fd, "\t Actual: connect(%s, %d)"); goto out;
print_local_ip_port(fd, " from (%s, %d)\n"); err:
close(fd);
fd = -1;
out:
return fd;
}
int init_pktinfo(int domain, struct cmsghdr *cmsg)
{
struct in6_pktinfo *pktinfo6;
struct in_pktinfo *pktinfo4;
if (domain == AF_INET) {
cmsg->cmsg_level = SOL_IP;
cmsg->cmsg_type = IP_PKTINFO;
cmsg->cmsg_len = CMSG_LEN(sizeof(struct in_pktinfo));
pktinfo4 = (struct in_pktinfo *)CMSG_DATA(cmsg);
memset(pktinfo4, 0, sizeof(struct in_pktinfo));
if (inet_pton(domain, SRC4_IP,
(void *)&pktinfo4->ipi_spec_dst) != 1)
return -1;
} else if (domain == AF_INET6) {
cmsg->cmsg_level = SOL_IPV6;
cmsg->cmsg_type = IPV6_PKTINFO;
cmsg->cmsg_len = CMSG_LEN(sizeof(struct in6_pktinfo));
pktinfo6 = (struct in6_pktinfo *)CMSG_DATA(cmsg);
memset(pktinfo6, 0, sizeof(struct in6_pktinfo));
if (inet_pton(domain, SRC6_IP,
(void *)&pktinfo6->ipi6_addr) != 1)
return -1;
} else {
return -1;
}
return 0; return 0;
}
static int sendmsg_to_server(const struct sockaddr_storage *addr,
socklen_t addr_len, int set_cmsg, int *syscall_err)
{
union {
char buf[CMSG_SPACE(sizeof(struct in6_pktinfo))];
struct cmsghdr align;
} control6;
union {
char buf[CMSG_SPACE(sizeof(struct in_pktinfo))];
struct cmsghdr align;
} control4;
struct msghdr hdr;
struct iovec iov;
char data = 'a';
int domain;
int fd = -1;
domain = addr->ss_family;
if (domain != AF_INET && domain != AF_INET6) {
log_err("Unsupported address family");
goto err;
}
fd = socket(domain, SOCK_DGRAM, 0);
if (fd == -1) {
log_err("Failed to create client socket");
goto err;
}
memset(&iov, 0, sizeof(iov));
iov.iov_base = &data;
iov.iov_len = sizeof(data);
memset(&hdr, 0, sizeof(hdr));
hdr.msg_name = (void *)addr;
hdr.msg_namelen = addr_len;
hdr.msg_iov = &iov;
hdr.msg_iovlen = 1;
if (set_cmsg) {
if (domain == AF_INET) {
hdr.msg_control = &control4;
hdr.msg_controllen = sizeof(control4.buf);
} else if (domain == AF_INET6) {
hdr.msg_control = &control6;
hdr.msg_controllen = sizeof(control6.buf);
}
if (init_pktinfo(domain, CMSG_FIRSTHDR(&hdr))) {
log_err("Fail to init pktinfo");
goto err;
}
}
if (sendmsg(fd, &hdr, 0) != sizeof(data)) {
log_err("Fail to send message to server");
*syscall_err = errno;
goto err;
}
goto out;
err: err:
close(fd); close(fd);
fd = -1;
out:
return fd;
}
static int recvmsg_from_client(int sockfd, struct sockaddr_storage *src_addr)
{
struct timeval tv;
struct msghdr hdr;
struct iovec iov;
char data[64];
fd_set rfds;
FD_ZERO(&rfds);
FD_SET(sockfd, &rfds);
tv.tv_sec = 2;
tv.tv_usec = 0;
if (select(sockfd + 1, &rfds, NULL, NULL, &tv) <= 0 ||
!FD_ISSET(sockfd, &rfds))
return -1; return -1;
memset(&iov, 0, sizeof(iov));
iov.iov_base = data;
iov.iov_len = sizeof(data);
memset(&hdr, 0, sizeof(hdr));
hdr.msg_name = src_addr;
hdr.msg_namelen = sizeof(struct sockaddr_storage);
hdr.msg_iov = &iov;
hdr.msg_iovlen = 1;
return recvmsg(sockfd, &hdr, 0);
} }
static void print_test_case_num(int domain, int type) static int init_addrs(const struct sock_addr_test *test,
struct sockaddr_storage *requested_addr,
struct sockaddr_storage *expected_addr,
struct sockaddr_storage *expected_src_addr)
{ {
static int test_num; socklen_t addr_len = sizeof(struct sockaddr_storage);
printf("Test case #%d (%s/%s):\n", ++test_num, if (mk_sockaddr(test->domain, test->expected_ip, test->expected_port,
(domain == AF_INET ? "IPv4" : (struct sockaddr *)expected_addr, addr_len) == -1)
domain == AF_INET6 ? "IPv6" : goto err;
"unknown_domain"),
(type == SOCK_STREAM ? "TCP" : if (mk_sockaddr(test->domain, test->requested_ip, test->requested_port,
type == SOCK_DGRAM ? "UDP" : (struct sockaddr *)requested_addr, addr_len) == -1)
"unknown_type")); goto err;
if (test->expected_src_ip &&
mk_sockaddr(test->domain, test->expected_src_ip, 0,
(struct sockaddr *)expected_src_addr, addr_len) == -1)
goto err;
return 0;
err:
return -1;
} }
static int run_test_case(int domain, int type, const char *ip, static int run_bind_test_case(const struct sock_addr_test *test)
unsigned short port)
{ {
struct sockaddr_storage addr; socklen_t addr_len = sizeof(struct sockaddr_storage);
socklen_t addr_len = sizeof(addr); struct sockaddr_storage requested_addr;
struct sockaddr_storage expected_addr;
int clientfd = -1;
int servfd = -1; int servfd = -1;
int err = 0; int err = 0;
print_test_case_num(domain, type); if (init_addrs(test, &requested_addr, &expected_addr, NULL))
goto err;
if (mk_sockaddr(domain, ip, port, (struct sockaddr *)&addr,
addr_len) == -1)
return -1;
printf("\tRequested: bind(%s, %d) ..\n", ip, port); servfd = start_server(test->type, &requested_addr, addr_len);
servfd = start_server(type, &addr, addr_len);
if (servfd == -1) if (servfd == -1)
goto err; goto err;
printf("\tRequested: connect(%s, %d) from (*, *) ..\n", ip, port); if (cmp_local_addr(servfd, &expected_addr))
if (connect_to_server(type, &addr, addr_len)) goto err;
/* Try to connect to server just in case */
clientfd = connect_to_server(test->type, &expected_addr, addr_len);
if (clientfd == -1)
goto err; goto err;
goto out; goto out;
err: err:
err = -1; err = -1;
out: out:
close(clientfd);
close(servfd); close(servfd);
return err; return err;
} }
static void close_progs_fds(struct program *progs, size_t prog_cnt) static int run_connect_test_case(const struct sock_addr_test *test)
{ {
size_t i; socklen_t addr_len = sizeof(struct sockaddr_storage);
struct sockaddr_storage expected_src_addr;
struct sockaddr_storage requested_addr;
struct sockaddr_storage expected_addr;
int clientfd = -1;
int servfd = -1;
int err = 0;
for (i = 0; i < prog_cnt; ++i) { if (init_addrs(test, &requested_addr, &expected_addr,
close(progs[i].fd); &expected_src_addr))
progs[i].fd = -1; goto err;
}
/* Prepare server to connect to */
servfd = start_server(test->type, &expected_addr, addr_len);
if (servfd == -1)
goto err;
clientfd = connect_to_server(test->type, &requested_addr, addr_len);
if (clientfd == -1)
goto err;
/* Make sure src and dst addrs were overridden properly */
if (cmp_peer_addr(clientfd, &expected_addr))
goto err;
if (cmp_local_ip(clientfd, &expected_src_addr))
goto err;
goto out;
err:
err = -1;
out:
close(clientfd);
close(servfd);
return err;
} }
static int load_and_attach_progs(int cgfd, struct program *progs, static int run_sendmsg_test_case(const struct sock_addr_test *test)
size_t prog_cnt)
{ {
size_t i; socklen_t addr_len = sizeof(struct sockaddr_storage);
struct sockaddr_storage expected_src_addr;
struct sockaddr_storage requested_addr;
struct sockaddr_storage expected_addr;
struct sockaddr_storage real_src_addr;
int clientfd = -1;
int servfd = -1;
int set_cmsg;
int err = 0;
for (i = 0; i < prog_cnt; ++i) { if (test->type != SOCK_DGRAM)
printf("Load %s with invalid type (can pollute stderr) ",
progs[i].name);
fflush(stdout);
progs[i].fd = progs[i].loadfn(progs[i].invalid_type, NULL);
if (progs[i].fd != -1) {
log_err("Load with invalid type accepted for %s",
progs[i].name);
goto err; goto err;
}
printf("... REJECTED\n");
printf("Load %s with valid type", progs[i].name); if (init_addrs(test, &requested_addr, &expected_addr,
progs[i].fd = progs[i].loadfn(progs[i].type, progs[i].name); &expected_src_addr))
if (progs[i].fd == -1) {
log_err("Failed to load program %s", progs[i].name);
goto err; goto err;
}
printf(" ... OK\n");
printf("Attach %s with invalid type", progs[i].name); /* Prepare server to sendmsg to */
if (bpf_prog_attach(progs[i].fd, cgfd, progs[i].invalid_type, servfd = start_server(test->type, &expected_addr, addr_len);
BPF_F_ALLOW_OVERRIDE) != -1) { if (servfd == -1)
log_err("Attach with invalid type accepted for %s",
progs[i].name);
goto err; goto err;
}
printf(" ... REJECTED\n");
printf("Attach %s with valid type", progs[i].name); for (set_cmsg = 0; set_cmsg <= 1; ++set_cmsg) {
if (bpf_prog_attach(progs[i].fd, cgfd, progs[i].type, if (clientfd >= 0)
BPF_F_ALLOW_OVERRIDE) == -1) { close(clientfd);
log_err("Failed to attach program %s", progs[i].name);
clientfd = sendmsg_to_server(&requested_addr, addr_len,
set_cmsg, &err);
if (err)
goto out;
else if (clientfd == -1)
goto err;
/* Try to receive message on server instead of using
* getpeername(2) on client socket, to check that client's
* destination address was rewritten properly, since
* getpeername(2) doesn't work with unconnected datagram
* sockets.
*
* Get source address from recvmsg(2) as well to make sure
* source was rewritten properly: getsockname(2) can't be used
* since socket is unconnected and source defined for one
* specific packet may differ from the one used by default and
* returned by getsockname(2).
*/
if (recvmsg_from_client(servfd, &real_src_addr) == -1)
goto err;
if (cmp_addr(&real_src_addr, &expected_src_addr, /*cmp_port*/0))
goto err; goto err;
}
printf(" ... OK\n");
} }
return 0; goto out;
err: err:
close_progs_fds(progs, prog_cnt); err = -1;
return -1; out:
close(clientfd);
close(servfd);
return err;
} }
static int run_domain_test(int domain, int cgfd, struct program *progs, static int run_test_case(int cgfd, const struct sock_addr_test *test)
size_t prog_cnt, const char *ip, unsigned short port)
{ {
int progfd = -1;
int err = 0; int err = 0;
if (load_and_attach_progs(cgfd, progs, prog_cnt) == -1) printf("Test case: %s .. ", test->descr);
progfd = test->loadfn(test);
if (test->expected_result == LOAD_REJECT && progfd < 0)
goto out;
else if (test->expected_result == LOAD_REJECT || progfd < 0)
goto err; goto err;
if (run_test_case(domain, SOCK_STREAM, ip, port) == -1) err = bpf_prog_attach(progfd, cgfd, test->attach_type,
BPF_F_ALLOW_OVERRIDE);
if (test->expected_result == ATTACH_REJECT && err) {
err = 0; /* error was expected, reset it */
goto out;
} else if (test->expected_result == ATTACH_REJECT || err) {
goto err; goto err;
}
if (run_test_case(domain, SOCK_DGRAM, ip, port) == -1) switch (test->attach_type) {
case BPF_CGROUP_INET4_BIND:
case BPF_CGROUP_INET6_BIND:
err = run_bind_test_case(test);
break;
case BPF_CGROUP_INET4_CONNECT:
case BPF_CGROUP_INET6_CONNECT:
err = run_connect_test_case(test);
break;
case BPF_CGROUP_UDP4_SENDMSG:
case BPF_CGROUP_UDP6_SENDMSG:
err = run_sendmsg_test_case(test);
break;
default:
goto err;
}
if (test->expected_result == SYSCALL_EPERM && err == EPERM) {
err = 0; /* error was expected, reset it */
goto out;
}
if (test->expected_result == SYSCALL_ENOTSUPP && err == ENOTSUPP) {
err = 0; /* error was expected, reset it */
goto out;
}
if (err || test->expected_result != SUCCESS)
goto err; goto err;
goto out; goto out;
err: err:
err = -1; err = -1;
out: out:
close_progs_fds(progs, prog_cnt); /* Detaching w/o checking return code: best effort attempt. */
if (progfd != -1)
bpf_prog_detach(cgfd, test->attach_type);
close(progfd);
printf("[%s]\n", err ? "FAIL" : "PASS");
return err; return err;
} }
static int run_test(void) static int run_tests(int cgfd)
{
int passes = 0;
int fails = 0;
int i;
for (i = 0; i < ARRAY_SIZE(tests); ++i) {
if (run_test_case(cgfd, &tests[i]))
++fails;
else
++passes;
}
printf("Summary: %d PASSED, %d FAILED\n", passes, fails);
return fails ? -1 : 0;
}
int main(int argc, char **argv)
{ {
size_t inet6_prog_cnt;
size_t inet_prog_cnt;
int cgfd = -1; int cgfd = -1;
int err = 0; int err = 0;
struct program inet6_progs[] = { if (argc < 2) {
{BPF_CGROUP_INET6_BIND, bind6_prog_load, -1, "bind6", fprintf(stderr,
BPF_CGROUP_INET4_BIND}, "%s has to be run via %s.sh. Skip direct run.\n",
{BPF_CGROUP_INET6_CONNECT, connect6_prog_load, -1, "connect6", argv[0], argv[0]);
BPF_CGROUP_INET4_CONNECT}, exit(err);
}; }
inet6_prog_cnt = sizeof(inet6_progs) / sizeof(struct program);
struct program inet_progs[] = {
{BPF_CGROUP_INET4_BIND, bind4_prog_load, -1, "bind4",
BPF_CGROUP_INET6_BIND},
{BPF_CGROUP_INET4_CONNECT, connect4_prog_load, -1, "connect4",
BPF_CGROUP_INET6_CONNECT},
};
inet_prog_cnt = sizeof(inet_progs) / sizeof(struct program);
if (setup_cgroup_environment()) if (setup_cgroup_environment())
goto err; goto err;
...@@ -559,12 +1359,7 @@ static int run_test(void) ...@@ -559,12 +1359,7 @@ static int run_test(void)
if (join_cgroup(CG_PATH)) if (join_cgroup(CG_PATH))
goto err; goto err;
if (run_domain_test(AF_INET, cgfd, inet_progs, inet_prog_cnt, SERV4_IP, if (run_tests(cgfd))
SERV4_PORT) == -1)
goto err;
if (run_domain_test(AF_INET6, cgfd, inet6_progs, inet6_prog_cnt,
SERV6_IP, SERV6_PORT) == -1)
goto err; goto err;
goto out; goto out;
...@@ -573,17 +1368,5 @@ static int run_test(void) ...@@ -573,17 +1368,5 @@ static int run_test(void)
out: out:
close(cgfd); close(cgfd);
cleanup_cgroup_environment(); cleanup_cgroup_environment();
printf(err ? "### FAIL\n" : "### SUCCESS\n");
return err; return err;
} }
int main(int argc, char **argv)
{
if (argc < 2) {
fprintf(stderr,
"%s has to be run via %s.sh. Skip direct run.\n",
argv[0], argv[0]);
exit(0);
}
return run_test();
}
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册