[PATCH bpf-next v1 12/13] bpf: lsm: Add selftests for BPF_PROG_TYPE_LSM
KP Singh
kpsingh at chromium.org
Fri Dec 20 15:42:07 UTC 2019
From: KP Singh <kpsingh at google.com>
* Load a BPF program that audits mprotect calls
* Attach the program to the "file_mprotect" LSM hook
* Verify if the program is actually loading by reading
securityfs
* Initialize the perf events buffer and poll for audit events
* Do an mprotect on some memory allocated on the heap
* Verify if the audit event was received
Signed-off-by: KP Singh <kpsingh at google.com>
---
MAINTAINERS | 2 +
.../bpf/prog_tests/lsm_mprotect_audit.c | 129 ++++++++++++++++++
.../selftests/bpf/progs/lsm_mprotect_audit.c | 58 ++++++++
3 files changed, 189 insertions(+)
create mode 100644 tools/testing/selftests/bpf/prog_tests/lsm_mprotect_audit.c
create mode 100644 tools/testing/selftests/bpf/progs/lsm_mprotect_audit.c
diff --git a/MAINTAINERS b/MAINTAINERS
index 681ae39bb2f0..652c93292ae9 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -3182,6 +3182,8 @@ L: bpf at vger.kernel.org
S: Maintained
F: security/bpf/
F: include/linux/bpf_lsm.h
+F: tools/testing/selftests/bpf/progs/lsm_mprotect_audit.c
+F: tools/testing/selftests/bpf/prog_tests/lsm_mprotect_audit.c
BROADCOM B44 10/100 ETHERNET DRIVER
M: Michael Chan <michael.chan at broadcom.com>
diff --git a/tools/testing/selftests/bpf/prog_tests/lsm_mprotect_audit.c b/tools/testing/selftests/bpf/prog_tests/lsm_mprotect_audit.c
new file mode 100644
index 000000000000..953531cec9fd
--- /dev/null
+++ b/tools/testing/selftests/bpf/prog_tests/lsm_mprotect_audit.c
@@ -0,0 +1,129 @@
+// SPDX-License-Identifier: GPL-2.0
+
+/*
+ * Copyright 2019 Google LLC.
+ */
+
+#include <test_progs.h>
+#include <sys/mman.h>
+#include <unistd.h>
+#include <malloc.h>
+
+#define EXPECTED_PROG_NAME "mprotect_audit"
+#define MPROTECT_AUDIT_MAGIC 0xDEAD
+
+struct mprotect_audit_log {
+ int is_heap, magic;
+};
+
+static void on_sample(void *ctx, int cpu, void *data, __u32 size)
+{
+ struct mprotect_audit_log *audit_log = data;
+ int duration = 0;
+
+ if (audit_log->magic != MPROTECT_AUDIT_MAGIC)
+ return;
+
+ if (CHECK(audit_log->is_heap != 1, "mprotect on heap",
+ "is_heap = %d\n", audit_log->is_heap))
+ return;
+
+ *(bool *)ctx = true;
+}
+
+int heap_mprotect(void)
+{
+ void *buf;
+ long sz;
+
+ sz = sysconf(_SC_PAGESIZE);
+ if (sz < 0)
+ return sz;
+
+ buf = memalign(sz, 2 * sz);
+ if (buf == NULL)
+ return -ENOMEM;
+
+ return mprotect(buf, sz, PROT_READ | PROT_EXEC);
+}
+
+void test_lsm_mprotect_audit(void)
+{
+ struct bpf_prog_load_attr attr = {
+ .file = "./lsm_mprotect_audit.o",
+ };
+
+ struct perf_buffer_opts pb_opts = {};
+ struct perf_buffer *pb = NULL;
+ struct bpf_link *link = NULL;
+ struct bpf_map *perf_buf_map;
+ struct bpf_object *prog_obj;
+ struct bpf_program *prog;
+ int err, prog_fd, sfs_fd;
+ char sfs_buf[1024];
+ int duration = 0;
+ bool passed = false;
+
+ err = bpf_prog_load_xattr(&attr, &prog_obj, &prog_fd);
+ if (CHECK(err, "prog_load lsm/file_mprotect",
+ "err %d errno %d\n", err, errno))
+ goto close_prog;
+
+ prog = bpf_object__find_program_by_title(prog_obj, "lsm/file_mprotect");
+ if (CHECK(!prog, "find_prog", "lsm/file_mprotect not found\n"))
+ goto close_prog;
+
+ link = bpf_program__attach_lsm(prog);
+ if (CHECK(IS_ERR(link), "attach_lsm file_mprotect",
+ "err %ld\n", PTR_ERR(link)))
+ goto close_prog;
+
+ sfs_fd = open("/sys/kernel/security/bpf/file_mprotect", O_RDONLY);
+ if (CHECK(sfs_fd < 0, "sfs_open file_mprotect",
+ "err %d errno %d\n", sfs_fd, errno))
+ goto close_prog;
+
+ err = read(sfs_fd, sfs_buf, sizeof(sfs_buf));
+ if (CHECK(err < 0, "sfs_read file_mprotect",
+ "err %d errno %d\n", sfs_fd, errno))
+ goto close_prog;
+
+ err = strncmp(sfs_buf, EXPECTED_PROG_NAME, strlen(EXPECTED_PROG_NAME));
+ if (CHECK(err != 0,
+ "sfs_read value", "want = %s, got = %s\n",
+ EXPECTED_PROG_NAME, sfs_buf))
+ goto close_prog;
+
+ perf_buf_map = bpf_object__find_map_by_name(prog_obj, "perf_buf_map");
+ if (CHECK(!perf_buf_map, "find_perf_buf_map", "not found\n"))
+ goto close_prog;
+
+ /* set up perf buffer */
+ pb_opts.sample_cb = on_sample;
+ pb_opts.ctx = &passed;
+ pb = perf_buffer__new(bpf_map__fd(perf_buf_map), 1, &pb_opts);
+ if (CHECK(IS_ERR(pb), "perf_buf__new", "err %ld\n", PTR_ERR(pb)))
+ goto close_prog;
+
+ err = heap_mprotect();
+ if (CHECK(err < 0, "heap_mprotect",
+ "err %d errno %d\n", err, errno))
+ goto close_prog;
+
+ /* read perf buffer */
+ err = perf_buffer__poll(pb, 100);
+ if (CHECK(err < 0, "perf_buffer__poll", "err %d\n", err))
+ goto close_prog;
+
+ /*
+ * make sure mprotect_audit program was triggered
+ * and detected an mprotect on the heap
+ */
+ CHECK_FAIL(!passed);
+
+close_prog:
+ perf_buffer__free(pb);
+ if (!IS_ERR_OR_NULL(link))
+ bpf_link__destroy(link);
+ bpf_object__close(prog_obj);
+}
diff --git a/tools/testing/selftests/bpf/progs/lsm_mprotect_audit.c b/tools/testing/selftests/bpf/progs/lsm_mprotect_audit.c
new file mode 100644
index 000000000000..85048315baae
--- /dev/null
+++ b/tools/testing/selftests/bpf/progs/lsm_mprotect_audit.c
@@ -0,0 +1,58 @@
+// SPDX-License-Identifier: GPL-2.0
+
+/*
+ * Copyright 2019 Google LLC.
+ */
+
+#include <linux/bpf.h>
+#include <stdbool.h>
+#include "bpf_helpers.h"
+#include "bpf_trace_helpers.h"
+
+char _license[] SEC("license") = "GPL";
+struct {
+ __uint(type, BPF_MAP_TYPE_PERF_EVENT_ARRAY);
+ __uint(key_size, sizeof(int));
+ __uint(value_size, sizeof(int));
+} perf_buf_map SEC(".maps");
+
+#define MPROTECT_AUDIT_MAGIC 0xDEAD
+
+struct mprotect_audit_log {
+ int is_heap, magic;
+};
+
+/*
+ * Define some of the structs used in the BPF program.
+ * Only the field names and their sizes need to be the
+ * same as the kernel type, the order is irrelevant.
+ */
+struct mm_struct {
+ unsigned long start_brk, brk, start_stack;
+};
+
+struct vm_area_struct {
+ unsigned long start_brk, brk, start_stack;
+ unsigned long vm_start, vm_end;
+ struct mm_struct *vm_mm;
+ unsigned long vm_flags;
+};
+
+BPF_TRACE_3("lsm/file_mprotect", mprotect_audit,
+ struct vm_area_struct *, vma,
+ unsigned long, reqprot, unsigned long, prot)
+{
+ struct mprotect_audit_log audit_log = {};
+ int is_heap = 0;
+
+ __builtin_preserve_access_index(({
+ is_heap = (vma->vm_start >= vma->vm_mm->start_brk &&
+ vma->vm_end <= vma->vm_mm->brk);
+ }));
+
+ audit_log.magic = MPROTECT_AUDIT_MAGIC;
+ audit_log.is_heap = is_heap;
+ bpf_lsm_event_output(&perf_buf_map, BPF_F_CURRENT_CPU, &audit_log,
+ sizeof(audit_log));
+ return 0;
+}
--
2.20.1
More information about the Linux-security-module-archive
mailing list