July 2024 - Linux-kselftest-mirror

[PATCH net] selftests: forwarding: skip if kernel not support setting bridge fdb learning limit

by Hangbin Liu

If the testing kernel doesn't support setting fdb_max_learned or show fdb_n_learned, just skip it. Or we will get errors like ./bridge_fdb_learning_limit.sh: line 218: [: null: integer expression expected ./bridge_fdb_learning_limit.sh: line 225: [: null: integer expression expected Fixes: 6f84090333bb ("selftests: forwarding: bridge_fdb_learning_limit: Add a new selftest") Signed-off-by: Hangbin Liu <liuhangbin(a)gmail.com> --- .../forwarding/bridge_fdb_learning_limit.sh | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/tools/testing/selftests/net/forwarding/bridge_fdb_learning_limit.sh b/tools/testing/selftests/net/forwarding/bridge_fdb_learning_limit.sh index 0760a34b7114..a21b7085da2e 100755 --- a/tools/testing/selftests/net/forwarding/bridge_fdb_learning_limit.sh +++ b/tools/testing/selftests/net/forwarding/bridge_fdb_learning_limit.sh @@ -178,6 +178,22 @@ fdb_del() check_err $? "Failed to remove a FDB entry of type ${type}" } +check_fdb_n_learned_support() +{ + if ! ip link help bridge 2>&1 | grep -q "fdb_max_learned"; then + echo "SKIP: iproute2 too old, missing bridge max learned support" + exit $ksft_skip + fi + + ip link add dev br0 type bridge + local learned=$(fdb_get_n_learned) + ip link del dev br0 + if [ "$learned" == "null" ]; then + echo "SKIP: kernel too old; bridge fdb_n_learned feature not supported." + exit $ksft_skip + fi +} + check_accounting_one_type() { local type=$1 is_counted=$2 overrides_learned=$3 @@ -274,6 +290,8 @@ check_limit() done } +check_fdb_n_learned_support + trap cleanup EXIT setup_prepare -- 2.45.0

8 months, 4 weeks

5
5
0 0

[PATCH v2] Documentation: KUnit: Update filename best practices

by Kees Cook

Based on feedback from Linus[1] and follow-up discussions, change the suggested file naming for KUnit tests. Link: https://lore.kernel.org/lkml/CAHk-=wgim6pNiGTBMhP8Kd3tsB7_JTAuvNJ=XYd3wPvvk… [1] Signed-off-by: Kees Cook <kees(a)kernel.org> --- Cc: David Gow <davidgow(a)google.com> Cc: Brendan Higgins <brendan.higgins(a)linux.dev> Cc: Rae Moar <rmoar(a)google.com> Cc: John Hubbard <jhubbard(a)nvidia.com> Cc: Jonathan Corbet <corbet(a)lwn.net> Cc: Linus Torvalds <torvalds(a)linux-foundation.org> Cc: linux-kselftest(a)vger.kernel.org Cc: kunit-dev(a)googlegroups.com Cc: linux-doc(a)vger.kernel.org Cc: linux-kernel(a)vger.kernel.org Cc: linux-hardening(a)vger.kernel.org --- Documentation/dev-tools/kunit/style.rst | 25 +++++++++++++++---------- 1 file changed, 15 insertions(+), 10 deletions(-) diff --git a/Documentation/dev-tools/kunit/style.rst b/Documentation/dev-tools/kunit/style.rst index b6d0d7359f00..1538835cd0e2 100644 --- a/Documentation/dev-tools/kunit/style.rst +++ b/Documentation/dev-tools/kunit/style.rst @@ -188,15 +188,20 @@ For example, a Kconfig entry might look like: Test File and Module Names ========================== -KUnit tests can often be compiled as a module. These modules should be named -after the test suite, followed by ``_test``. If this is likely to conflict with -non-KUnit tests, the suffix ``_kunit`` can also be used. - -The easiest way of achieving this is to name the file containing the test suite -``<suite>_test.c`` (or, as above, ``<suite>_kunit.c``). This file should be -placed next to the code under test. +Whether a KUnit test is compiled as a separate module or via an +``#include`` in a core kernel source file, the file should be named +after the test suite, followed by ``_kunit``, and live in a ``tests`` +subdirectory to avoid conflicting with regular modules (e.g. if "foobar" +is the core module, then "foobar_kunit" is the KUnit test module) or the +core kernel source file names (e.g. for tab-completion). Many existing +tests use a ``_test`` suffix, but this is considered deprecated. + +So for the common case, name the file containing the test suite +``tests/<suite>_kunit.c``. The ``tests`` directory should be placed at +the same level as the code under test. For example, tests for +``lib/string.c`` live in ``lib/tests/string_kunit.c``. If the suite name contains some or all of the name of the test's parent -directory, it may make sense to modify the source filename to reduce redundancy. -For example, a ``foo_firmware`` suite could be in the ``foo/firmware_test.c`` -file. +directory, it may make sense to modify the source filename to reduce +redundancy. For example, a ``foo_firmware`` suite could be in the +``tests/foo/firmware_kunit.c`` file. -- 2.34.1

8 months, 4 weeks

4
7
0 0

[PATCH bpf-next 00/15] use network helpers, part 11

by Geliang Tang

From: Geliang Tang <tanggeliang(a)kylinos.cn> This set is part 11 of series "use network helpers" all BPF selftests wide. Finally something new in this set. The helper make_sockaddr is extended to support sockets of AF_PACKET, AF_ALG and AF_VSOCK families. Then these types of sockets can be used to start_server_str() helper too. Imitating connect_to_* interfaces, send_to_* interfaces are added to support sendto() with given FD or the address string. Add more conditions to control listen: nolisten flag, listen_support() helper and clear "type" bits for listen. Patch 1 for AF_UNIX socket: Patch 1 uses start_server_str for a AF_UNIX socket. Patches 2-6 for AF_PACKET sockets: Patch 2 adds AF_PACKET support for make_sockaddr. Patch 3 uses start_server_str for a AF_PACKET socket. Patches 4-5 adds send_to_fd_opts/send_to_addr_str helpers. Patch 6 uses send_to_addr_str for a AF_PACKET socket. Patches 7-9 for AF_ALG sockets: Patch 7 adds AF_ALG support for make_sockaddr. Patch 8 add nolisten flag, needed by patch 9. Patch 9 uses send_to_addr_str for a AF_ALG socket. Patches 10-15 for AF_VSOCK sockets: Patch 10 adds AF_VSOCK support for make_sockaddr. Patches 11-12 uses make_sockaddr for AF_VSOCK sockets. Patches 13-14 adds more conditions to control listen. Patch 15 uses start_server_str for AF_VSOCK sockets. Geliang Tang (15): selftests/bpf: Use start_server_str in skc_to_unix_sock selftests/bpf: AF_PACKET support for make_sockaddr selftests/bpf: Use start_server_str in lwt_redirect selftests/bpf: Add send_to_fd_opts helper selftests/bpf: Add send_to_addr_str helper selftests/bpf: Use send_to_addr_str in xdp_bonding selftests/bpf: AF_ALG support for make_sockaddr selftests/bpf: Add nolisten for network_helper_opts selftests/bpf: Use start_server_str in crypto_sanity selftests/bpf: AF_VSOCK support for make_sockaddr selftests/bpf: Add loopback_addr_str helper selftests/bpf: Use make_sockaddr in sockmap_helpers selftests/bpf: Check listen support for start_server_addr selftests/bpf: Clear type bits for start_server_addr selftests/bpf: Use start_server_str in sockmap_helpers tools/testing/selftests/bpf/network_helpers.c | 144 +++++++++++++++--- tools/testing/selftests/bpf/network_helpers.h | 21 +++ .../selftests/bpf/prog_tests/crypto_sanity.c | 12 +- .../selftests/bpf/prog_tests/lwt_redirect.c | 21 +-- .../bpf/prog_tests/migrate_reuseport.c | 2 +- .../bpf/prog_tests/skc_to_unix_sock.c | 22 +-- .../bpf/prog_tests/sockmap_helpers.h | 101 +++--------- .../selftests/bpf/prog_tests/xdp_bonding.c | 20 +-- 8 files changed, 186 insertions(+), 157 deletions(-) -- 2.43.0

8 months, 4 weeks

2
19
0 0

[RESEND PATCH v2] selftests:Fix printf format string in kselftest_harness.h

by Zhu Jun

'%u' in format string requires 'unsigned int' in __wait_for_test() but the argument type is 'signed int' that this problem was discovered by reading code Signed-off-by: Zhu Jun <zhujun2(a)cmss.chinamobile.com> --- Changes in v2: - modify commit info add how to find the problem in the log tools/testing/selftests/kselftest_harness.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/testing/selftests/kselftest_harness.h b/tools/testing/selftests/kselftest_harness.h index b634969cbb6f..dbbbcc6c04ee 100644 --- a/tools/testing/selftests/kselftest_harness.h +++ b/tools/testing/selftests/kselftest_harness.h @@ -1084,7 +1084,7 @@ void __wait_for_test(struct __test_metadata *t) } } else { fprintf(TH_LOG_STREAM, - "# %s: Test ended in some other way [%u]\n", + "# %s: Test ended in some other way [%d]\n", t->name, status); } -- 2.17.1

8 months, 4 weeks

2
1
0 0

[RESEND bpf-next v2] selftests/bpf:fix a resource leak

by Zhu Jun

The requested resources should be closed before return in main(), otherwise resource leak will occur Signed-off-by: Zhu Jun <zhujun2(a)cmss.chinamobile.com> --- Changes in v2: - check for cg_fd >= 0 and have just one out label tools/testing/selftests/bpf/test_sockmap.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/tools/testing/selftests/bpf/test_sockmap.c b/tools/testing/selftests/bpf/test_sockmap.c index a34e95040994..285a9a714666 100644 --- a/tools/testing/selftests/bpf/test_sockmap.c +++ b/tools/testing/selftests/bpf/test_sockmap.c @@ -2075,8 +2075,10 @@ int main(int argc, char **argv) if (!cg_fd) { cg_fd = cgroup_setup_and_join(CG_PATH); - if (cg_fd < 0) - return cg_fd; + if (cg_fd < 0) { + err = cg_fd; + goto out; + } cg_created = 1; } @@ -2092,7 +2094,7 @@ int main(int argc, char **argv) if (err) { fprintf(stderr, "populate program: (%s) %s\n", bpf_file, strerror(errno)); - return 1; + goto out; } running = 1; @@ -2109,7 +2111,8 @@ int main(int argc, char **argv) free(options.whitelist); if (options.blacklist) free(options.blacklist); - close(cg_fd); + if (cg_fd >= 0) + close(cg_fd); if (cg_created) cleanup_cgroup_environment(); return err; -- 2.17.1

8 months, 4 weeks

1
0
0 0

[PATCH bpf-next v1] selftests/bpf: Fix wrong binary in Makefile log output

by Tony Ambardar

Make log output incorrectly shows 'test_maps' as the binary name for every 'CLNG-BPF' build step, apparently picking up the last value defined for the $(TRUNNER_BINARY) variable. Update the 'CLANG_BPF_BUILD_RULE' variants to fix this confusing output. Current output: CLNG-BPF [test_maps] access_map_in_map.bpf.o GEN-SKEL [test_progs] access_map_in_map.skel.h ... CLNG-BPF [test_maps] access_map_in_map.bpf.o GEN-SKEL [test_progs-no_alu32] access_map_in_map.skel.h ... CLNG-BPF [test_maps] access_map_in_map.bpf.o GEN-SKEL [test_progs-cpuv4] access_map_in_map.skel.h After fix: CLNG-BPF [test_progs] access_map_in_map.bpf.o GEN-SKEL [test_progs] access_map_in_map.skel.h ... CLNG-BPF [test_progs-no_alu32] access_map_in_map.bpf.o GEN-SKEL [test_progs-no_alu32] access_map_in_map.skel.h ... CLNG-BPF [test_progs-cpuv4] access_map_in_map.bpf.o GEN-SKEL [test_progs-cpuv4] access_map_in_map.skel.h Fixes: a5d0c26a2784 ("selftests/bpf: Add a cpuv4 test runner for cpu=v4 testing") Fixes: 89ad7420b25c ("selftests/bpf: Drop the need for LLVM's llc") Signed-off-by: Tony Ambardar <tony.ambardar(a)gmail.com> --- tools/testing/selftests/bpf/Makefile | 25 +++++++++++++------------ 1 file changed, 13 insertions(+), 12 deletions(-) diff --git a/tools/testing/selftests/bpf/Makefile b/tools/testing/selftests/bpf/Makefile index 0b4bfbc0ef68..67921e3367dd 100644 --- a/tools/testing/selftests/bpf/Makefile +++ b/tools/testing/selftests/bpf/Makefile @@ -425,27 +425,28 @@ $(OUTPUT)/flow_dissector_load.o: flow_dissector_load.h $(OUTPUT)/cgroup_getset_retval_hooks.o: cgroup_getset_retval_hooks.h # Build BPF object using Clang -# $1 - input .c file -# $2 - output .o file -# $3 - CFLAGS +# $1 - binary name +# $2 - input .c file +# $3 - output .o file +# $4 - CFLAGS define CLANG_BPF_BUILD_RULE - $(call msg,CLNG-BPF,$(TRUNNER_BINARY),$2) - $(Q)$(CLANG) $3 -O2 --target=bpf -c $1 -mcpu=v3 -o $2 + $(call msg,CLNG-BPF,$1,$3) + $(Q)$(CLANG) $4 -O2 --target=bpf -c $2 -mcpu=v3 -o $3 endef # Similar to CLANG_BPF_BUILD_RULE, but with disabled alu32 define CLANG_NOALU32_BPF_BUILD_RULE - $(call msg,CLNG-BPF,$(TRUNNER_BINARY),$2) - $(Q)$(CLANG) $3 -O2 --target=bpf -c $1 -mcpu=v2 -o $2 + $(call msg,CLNG-BPF,$1,$3) + $(Q)$(CLANG) $4 -O2 --target=bpf -c $2 -mcpu=v2 -o $3 endef # Similar to CLANG_BPF_BUILD_RULE, but with cpu-v4 define CLANG_CPUV4_BPF_BUILD_RULE - $(call msg,CLNG-BPF,$(TRUNNER_BINARY),$2) - $(Q)$(CLANG) $3 -O2 --target=bpf -c $1 -mcpu=v4 -o $2 + $(call msg,CLNG-BPF,$1,$3) + $(Q)$(CLANG) $4 -O2 --target=bpf -c $2 -mcpu=v4 -o $3 endef # Build BPF object using GCC define GCC_BPF_BUILD_RULE - $(call msg,GCC-BPF,$(TRUNNER_BINARY),$2) - $(Q)$(BPF_GCC) $3 -DBPF_NO_PRESERVE_ACCESS_INDEX -Wno-attributes -O2 -c $1 -o $2 + $(call msg,GCC-BPF,$1,$3) + $(Q)$(BPF_GCC) $4 -DBPF_NO_PRESERVE_ACCESS_INDEX -Wno-attributes -O2 -c $2 -o $3 endef SKEL_BLACKLIST := btf__% test_pinning_invalid.c test_sk_assign.c @@ -534,7 +535,7 @@ $(TRUNNER_BPF_OBJS): $(TRUNNER_OUTPUT)/%.bpf.o: \ $(wildcard $(BPFDIR)/bpf_*.h) \ $(wildcard $(BPFDIR)/*.bpf.h) \ | $(TRUNNER_OUTPUT) $$(BPFOBJ) - $$(call $(TRUNNER_BPF_BUILD_RULE),$$<,$$@, \ + $$(call $(TRUNNER_BPF_BUILD_RULE),$(TRUNNER_BINARY),$$<,$$@, \ $(TRUNNER_BPF_CFLAGS) \ $$($$<-CFLAGS) \ $$($$<-$2-CFLAGS)) -- 2.34.1

8 months, 4 weeks

4
8
0 0

[PATCH bpf-next v1 0/2] selftests/bpf: Add support for MIPS systems

by Tony Ambardar

Hello, This series includes two fixes to support builds targeting MIPS systems. The patches have been tested both with the kernel-patches/bpf CI and locally using mips64el-gcc/musl-libc and QEMU with an OpenWrt rootfs. Patch 1 adds support for MIPS system includes when compiling BPF. Patch 2 fixes a MIPS GOT issue when linking uprobe_multi. Feedback and suggestions for improvement are welcome! Thanks, Tony Tony Ambardar (2): selftests/bpf: Add missing system defines for mips selftests/bpf: Fix error linking uprobe_multi on mips tools/testing/selftests/bpf/Makefile | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) -- 2.34.1

8 months, 4 weeks

3
8
0 0

mm, memcg: cg2 memory{.swap,}.peak write handlers

by David Finkel

This is an updated patchset following some excellent comments from Roman and Longman. [1] As suggested, I've broken this into two commits: 1) with the implementation changes 2) extending the tests tests I haven't been able to induce anything problematic, but I'm a bit unclear as to whether there's reference counting on cgroups such that we don't need to handle the case where the cgroup is freed before the one of the peak files is closed. Documentation/admin-guide/cgroup-v2.rst | 26 ++- include/linux/cgroup.h | 8 + include/linux/memcontrol.h | 5 + include/linux/page_counter.h | 11 +- kernel/cgroup/cgroup-internal.h | 2 + kernel/cgroup/cgroup.c | 7 + mm/memcontrol.c | 129 +++++++++++++-- mm/page_counter.c | 36 ++++- tools/testing/selftests/cgroup/cgroup_util.c | 22 +++ tools/testing/selftests/cgroup/cgroup_util.h | 2 + tools/testing/selftests/cgroup/test_memcontrol.c | 227 ++++++++++++++++++++++++++- 11 files changed, 444 insertions(+), 31 deletions(-) [1]: https://lore.kernel.org/cgroups/20240722151713.2724855-1-davidf@vimeo.com/T/ Thank you for your efforts and reviews, David Finkel Senior Principal Software Engineer Vimeo Inc.

8 months, 4 weeks

2
4
0 0

[PATCH bpf-next 0/4] use network helpers, part 10

by Geliang Tang

From: Geliang Tang <tanggeliang(a)kylinos.cn> This set is part 10 of series "use network helpers" all BPF selftests wide. Patches 1-3 drop local functions make_client(), make_socket() and inetaddr_len() in sk_lookup.c. Patch 4 drops a useless function __start_server() in network_helpers.c. Geliang Tang (4): selftests/bpf: Drop make_client in sk_lookup selftests/bpf: Drop make_socket in sk_lookup selftests/bpf: Drop inetaddr_len in sk_lookup selftests/bpf: Drop __start_server in network_helpers tools/testing/selftests/bpf/network_helpers.c | 26 ++--- .../selftests/bpf/prog_tests/sk_lookup.c | 110 +++++------------- 2 files changed, 40 insertions(+), 96 deletions(-) -- 2.43.0

8 months, 4 weeks

2
5
0 0

[PATCH bpf-next v4 00/20] Add return value range check for BPF LSM

by Xu Kuohai

From: Xu Kuohai <xukuohai(a)huawei.com> LSM BPF prog returning a positive number attached to the hook file_alloc_security makes kernel panic. Here is a panic log: [ 441.235774] BUG: kernel NULL pointer dereference, address: 00000000000009 [ 441.236748] #PF: supervisor write access in kernel mode [ 441.237429] #PF: error_code(0x0002) - not-present page [ 441.238119] PGD 800000000b02f067 P4D 800000000b02f067 PUD b031067 PMD 0 [ 441.238990] Oops: 0002 [#1] PREEMPT SMP PTI [ 441.239546] CPU: 0 PID: 347 Comm: loader Not tainted 6.8.0-rc6-gafe0cbf23373 #22 [ 441.240496] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.15.0-0-g2dd4b4 [ 441.241933] RIP: 0010:alloc_file+0x4b/0x190 [ 441.242485] Code: 8b 04 25 c0 3c 1f 00 48 8b b0 30 0c 00 00 e8 9c fe ff ff 48 3d 00 f0 ff fb [ 441.244820] RSP: 0018:ffffc90000c67c40 EFLAGS: 00010203 [ 441.245484] RAX: ffff888006a891a0 RBX: ffffffff8223bd00 RCX: 0000000035b08000 [ 441.246391] RDX: ffff88800b95f7b0 RSI: 00000000001fc110 RDI: f089cd0b8088ffff [ 441.247294] RBP: ffffc90000c67c58 R08: 0000000000000001 R09: 0000000000000001 [ 441.248209] R10: 0000000000000001 R11: 0000000000000001 R12: 0000000000000001 [ 441.249108] R13: ffffc90000c67c78 R14: ffffffff8223bd00 R15: fffffffffffffff4 [ 441.250007] FS: 00000000005f3300(0000) GS:ffff88803ec00000(0000) knlGS:0000000000000000 [ 441.251053] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 441.251788] CR2: 00000000000001a9 CR3: 000000000bdc4003 CR4: 0000000000170ef0 [ 441.252688] Call Trace: [ 441.253011] <TASK> [ 441.253296] ? __die+0x24/0x70 [ 441.253702] ? page_fault_oops+0x15b/0x480 [ 441.254236] ? fixup_exception+0x26/0x330 [ 441.254750] ? exc_page_fault+0x6d/0x1c0 [ 441.255257] ? asm_exc_page_fault+0x26/0x30 [ 441.255792] ? alloc_file+0x4b/0x190 [ 441.256257] alloc_file_pseudo+0x9f/0xf0 [ 441.256760] __anon_inode_getfile+0x87/0x190 [ 441.257311] ? lock_release+0x14e/0x3f0 [ 441.257808] bpf_link_prime+0xe8/0x1d0 [ 441.258315] bpf_tracing_prog_attach+0x311/0x570 [ 441.258916] ? __pfx_bpf_lsm_file_alloc_security+0x10/0x10 [ 441.259605] __sys_bpf+0x1bb7/0x2dc0 [ 441.260070] __x64_sys_bpf+0x20/0x30 [ 441.260533] do_syscall_64+0x72/0x140 [ 441.261004] entry_SYSCALL_64_after_hwframe+0x6e/0x76 [ 441.261643] RIP: 0033:0x4b0349 [ 441.262045] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 88 [ 441.264355] RSP: 002b:00007fff74daee38 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 [ 441.265293] RAX: ffffffffffffffda RBX: 00007fff74daef30 RCX: 00000000004b0349 [ 441.266187] RDX: 0000000000000040 RSI: 00007fff74daee50 RDI: 000000000000001c [ 441.267114] RBP: 000000000000001b R08: 00000000005ef820 R09: 0000000000000000 [ 441.268018] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000004 [ 441.268907] R13: 0000000000000004 R14: 00000000005ef018 R15: 00000000004004e8 This is because the filesystem uses IS_ERR to check if the return value is an error code. If it is not, the filesystem takes the return value as a file pointer. Since the positive number returned by the BPF prog is not a real file pointer, this misinterpretation causes a panic. Since other LSM modules always return either a negative error code or a valid pointer, this specific issue only exists in BPF LSM. The proposed solution is to reject LSM BPF progs returning unexpected values in the verifier. This patch set adds return value check to ensure only BPF progs returning expected values are accepted. Since each LSM hook has different excepted return values, we need to know the expected return values for each individual hook to do the check. Earlier versions of the patch set used LSM hook annotations to specify the return value range for each hook. Based on Paul's suggestion, current version gets rid of such annotations and instead converts hook return values to a common pattern: return 0 on success and negative error code on failure. Basically, LSM hooks are divided into two types: hooks that return a negative error code and zero or other values, and hooks that do not return a negative error code. This patch set converts all hooks of the first type and part of the second type to return 0 on success and a negative error code on failure (see patches 1-10). For certain hooks, like ismaclabel and inode_xattr_skipcap, the hook name already imply that returning 0 or 1 is the best choice, so they are not converted. There are four unconverted hooks. Except for ismaclabel, which is not used by BPF LSM, the other three are specified with a BTF ID list to only return 0 or 1. v4: 1. remove LSM_HOOK return value annotaion and convert LSM hook return value to a common patern: return 0 on success and negative error code on failure (patch 1-10) 2. enable BPF LSM progs to read and write output params (patch 12) 3. add a special case for bitwise AND on range [-1, 0] (patch 16) 4. add a 32-bit comparing flag for retval_range_within (patch 15) 5. collect ACKs, style fix, etc v3: https://lore.kernel.org/bpf/20240411122752.2873562-1-xukuohai@huaweicloud.c… 1. Fix incorrect lsm hook return value ranges, and add disabled hook list for bpf lsm, and merge two LSM_RET_INT patches. (KP Singh) 2. Avoid bpf lsm progs attached to different hooks to call each other with tail call 3. Fix a CI failure caused by false rejection of AND operation 4. Add tests v2: https://lore.kernel.org/bpf/20240325095653.1720123-1-xukuohai@huaweicloud.c… fix bpf ci failure v1: https://lore.kernel.org/bpf/20240316122359.1073787-1-xukuohai@huaweicloud.c… Xu Kuohai (20): lsm: Refactor return value of LSM hook vm_enough_memory lsm: Refactor return value of LSM hook inode_need_killpriv lsm: Refactor return value of LSM hook inode_getsecurity lsm: Refactor return value of LSM hook inode_listsecurity lsm: Refactor return value of LSM hook inode_copy_up_xattr lsm: Refactor return value of LSM hook getselfattr lsm: Refactor return value of LSM hook setprocattr lsm: Refactor return value of LSM hook getprocattr lsm: Refactor return value of LSM hook key_getsecurity lsm: Refactor return value of LSM hook audit_rule_match bpf, lsm: Add disabled BPF LSM hook list bpf, lsm: Enable BPF LSM prog to read/write return value parameters bpf, lsm: Add check for BPF LSM return value bpf: Prevent tail call between progs attached to different hooks bpf: Fix compare error in function retval_range_within bpf: Add a special case for bitwise AND on range [-1, 0] selftests/bpf: Avoid load failure for token_lsm.c selftests/bpf: Add return value checks for failed tests selftests/bpf: Add test for lsm tail call selftests/bpf: Add verifier tests for bpf lsm fs/attr.c | 5 +- fs/inode.c | 4 +- fs/nfs/nfs4proc.c | 5 +- fs/overlayfs/copy_up.c | 6 +- fs/proc/base.c | 10 +- fs/xattr.c | 24 +- include/linux/bpf.h | 2 + include/linux/bpf_lsm.h | 15 + include/linux/lsm_hook_defs.h | 22 +- include/linux/security.h | 62 ++-- include/linux/tnum.h | 3 + kernel/bpf/bpf_lsm.c | 64 +++- kernel/bpf/btf.c | 21 +- kernel/bpf/core.c | 21 +- kernel/bpf/tnum.c | 25 ++ kernel/bpf/verifier.c | 173 ++++++++++- net/socket.c | 9 +- security/apparmor/audit.c | 22 +- security/apparmor/include/audit.h | 2 +- security/apparmor/lsm.c | 22 +- security/commoncap.c | 32 +- security/integrity/evm/evm_main.c | 2 +- security/keys/keyctl.c | 11 +- security/lsm_syscalls.c | 6 +- security/security.c | 167 ++++++++--- security/selinux/hooks.c | 94 +++--- security/selinux/include/audit.h | 8 +- security/selinux/ss/services.c | 54 ++-- security/smack/smack_lsm.c | 104 ++++--- .../selftests/bpf/prog_tests/test_lsm.c | 46 ++- .../selftests/bpf/prog_tests/verifier.c | 2 + tools/testing/selftests/bpf/progs/err.h | 10 + .../selftests/bpf/progs/lsm_tailcall.c | 34 +++ .../selftests/bpf/progs/test_sig_in_xattr.c | 4 + .../bpf/progs/test_verify_pkcs7_sig.c | 8 +- tools/testing/selftests/bpf/progs/token_lsm.c | 4 +- .../bpf/progs/verifier_global_subprogs.c | 7 +- .../selftests/bpf/progs/verifier_lsm.c | 274 ++++++++++++++++++ 38 files changed, 1098 insertions(+), 286 deletions(-) create mode 100644 tools/testing/selftests/bpf/progs/lsm_tailcall.c create mode 100644 tools/testing/selftests/bpf/progs/verifier_lsm.c -- 2.30.2

8 months, 4 weeks

6
46
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-kselftest-mirror July 2024