Commit 9d8e92e1 authored by Alexei Starovoitov's avatar Alexei Starovoitov
Browse files

Merge branch 'bpf-copy-bpf-token-from-main-program-to-subprograms' 

Eduard Zingerman says:

====================
bpf: copy BPF token from main program to subprograms

bpf_jit_subprogs() omits aux->token when it creates a struct
bpf_prog_aux instances for a subprograms.
This means that for programs loaded via BPF token (i.e., from a
non-init user namespace), subprograms fail the bpf_token_capable()
check in bpf_prog_kallsyms_add() and don't appear in /proc/kallsyms.
Which in-turn makes it impossible to freplace such subprograms.

Changelog:
v3 -> v4:
- check sysctl_set calls for errors (sashiko).
v2 -> v3:
- mark selftest as serial (sashiko).
v1 -> v2:
- target bpf-next tree (fixups.c) instead of bpf tree (verifier.c).

v1: https://lore.kernel.org/bpf/20260414-subprog-token-fix-v1-0-5b1a38e01546@gmail.com/T/
v2: https://lore.kernel.org/bpf/20260414-subprog-token-fix-v2-0-59146c31f6f1@gmail.com/T/
v3: https://lore.kernel.org/bpf/20260415-subprog-token-fix-v3-0-6fefe1d51646@gmail.com/T/
====================

Link: https://patch.msgid.link/20260415-subprog-token-fix-v4-0-9bd000e8b068@gmail.com


Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
parents d3fdb3db 969fb456

kernel/bpf/fixups.c

+1 −0
Original line number Diff line number Diff line
@@ -1110,6 +1110,7 @@ int bpf_jit_subprogs(struct bpf_verifier_env *env) 
		func[i]->aux->exception_cb = env->subprog_info[i].is_exception_cb;

		func[i]->aux->changes_pkt_data = env->subprog_info[i].changes_pkt_data;

		func[i]->aux->might_sleep = env->subprog_info[i].might_sleep;

		func[i]->aux->token = prog->aux->token;

		if (!i)

			func[i]->aux->exception_boundary = env->seen_exception;

tools/testing/selftests/bpf/Makefile

+1 −0
Original line number Diff line number Diff line
@@ -751,6 +751,7 @@ TRUNNER_EXTRA_SOURCES := test_progs.c \ 
			 btf_helpers.c		\

			 cap_helpers.c		\

			 unpriv_helpers.c 	\

			 sysctl_helpers.c	\

			 netlink_helpers.c	\

			 jit_disasm_helpers.c	\

			 io_helpers.c		\

tools/testing/selftests/bpf/prog_tests/token.c

+83 −3
Original line number Diff line number Diff line 
// SPDX-License-Identifier: GPL-2.0

/* Copyright (c) 2023 Meta Platforms, Inc. and affiliates. */

#define _GNU_SOURCE

#include <test_progs.h>

#include <bpf/btf.h>

#include "cap_helpers.h"

#include <fcntl.h>

#include <sched.h>

#include <signal.h>
@@ -15,9 +13,17 @@ 
#include <sys/stat.h>

#include <sys/syscall.h>

#include <sys/un.h>



#include "bpf_util.h"

#include "cap_helpers.h"

#include "sysctl_helpers.h"

#include "test_progs.h"

#include "trace_helpers.h"



#include "priv_map.skel.h"

#include "priv_prog.skel.h"

#include "dummy_st_ops_success.skel.h"

#include "token_kallsyms.skel.h"

#include "token_lsm.skel.h"

#include "priv_freplace_prog.skel.h"
@@ -1045,6 +1051,58 @@ static int userns_obj_priv_implicit_token_envvar(int mnt_fd, struct token_lsm *l 
	return -EINVAL;

}



static bool kallsyms_has_bpf_func(struct ksyms *ksyms, const char *func_name)

{

	char name[256];

	int i;



	for (i = 0; i < ksyms->sym_cnt; i++) {

		if (sscanf(ksyms->syms[i].name, "bpf_prog_%*[^_]_%255s", name) == 1 &&

		    strcmp(name, func_name) == 0)

			return true;

	}

	return false;

}



static int userns_obj_priv_prog_kallsyms(int mnt_fd, struct token_lsm *lsm_skel)

{

	const char *func_names[] = { "xdp_main", "token_ksym_subprog" };

	LIBBPF_OPTS(bpf_object_open_opts, opts);

	struct token_kallsyms *skel;

	struct ksyms *ksyms = NULL;

	char buf[256];

	int i, err;



	snprintf(buf, sizeof(buf), "/proc/self/fd/%d", mnt_fd);

	opts.bpf_token_path = buf;

	skel = token_kallsyms__open_opts(&opts);

	if (!ASSERT_OK_PTR(skel, "token_kallsyms__open_opts"))

		return -EINVAL;



	err = token_kallsyms__load(skel);

	if (!ASSERT_OK(err, "token_kallsyms__load"))

		goto cleanup;



	ksyms = load_kallsyms_local();

	if (!ASSERT_OK_PTR(ksyms, "load_kallsyms_local")) {

		err = -EINVAL;

		goto cleanup;

	}



	for (i = 0; i < ARRAY_SIZE(func_names); i++) {

		if (!ASSERT_TRUE(kallsyms_has_bpf_func(ksyms, func_names[i]),

				 func_names[i])) {

			err = -EINVAL;

			break;

		}

	}



cleanup:

	free_kallsyms_local(ksyms);

	token_kallsyms__destroy(skel);

	return err;

}



#define bit(n) (1ULL << (n))



static int userns_bpf_token_info(int mnt_fd, struct token_lsm *lsm_skel)
@@ -1082,7 +1140,7 @@ static int userns_bpf_token_info(int mnt_fd, struct token_lsm *lsm_skel) 
	return err;

}



void test_token(void)

void serial_test_token(void)

{

	if (test__start_subtest("map_token")) {

		struct bpffs_opts opts = {
@@ -1194,4 +1252,26 @@ void test_token(void) 


		subtest_userns(&opts, userns_bpf_token_info);

	}

	if (test__start_subtest("obj_priv_prog_kallsyms")) {

		char perf_paranoid_orig[32] = {};

		char kptr_restrict_orig[32] = {};

		struct bpffs_opts opts = {

			.cmds = bit(BPF_BTF_LOAD) | bit(BPF_PROG_LOAD),

			.progs = bit(BPF_PROG_TYPE_XDP),

			.attachs = ~0ULL,

		};



		if (sysctl_set_or_fail("/proc/sys/kernel/perf_event_paranoid", perf_paranoid_orig, "0"))

			goto cleanup;

		if (sysctl_set_or_fail("/proc/sys/kernel/kptr_restrict", kptr_restrict_orig, "0"))

			goto cleanup;



		subtest_userns(&opts, userns_obj_priv_prog_kallsyms);



cleanup:

		if (perf_paranoid_orig[0])

			sysctl_set_or_fail("/proc/sys/kernel/perf_event_paranoid", NULL, perf_paranoid_orig);

		if (kptr_restrict_orig[0])

			sysctl_set_or_fail("/proc/sys/kernel/kptr_restrict", NULL, kptr_restrict_orig);

	}

}

tools/testing/selftests/bpf/prog_tests/unpriv_bpf_disabled.c

+1 −20
Original line number Diff line number Diff line
@@ -8,6 +8,7 @@ 


#include "cap_helpers.h"

#include "bpf_util.h"

#include "sysctl_helpers.h"



/* Using CAP_LAST_CAP is risky here, since it can get pulled in from

 * an old /usr/include/linux/capability.h and be < CAP_BPF; as a result
@@ -36,26 +37,6 @@ static void process_perfbuf(void *ctx, int cpu, void *data, __u32 len) 
		got_perfbuf_val = *(__u32 *)data;

}



static int sysctl_set(const char *sysctl_path, char *old_val, const char *new_val)

{

	int ret = 0;

	FILE *fp;



	fp = fopen(sysctl_path, "r+");

	if (!fp)

		return -errno;

	if (old_val && fscanf(fp, "%s", old_val) <= 0) {

		ret = -ENOENT;

	} else if (!old_val || strcmp(old_val, new_val) != 0) {

		fseek(fp, 0, SEEK_SET);

		if (fprintf(fp, "%s", new_val) < 0)

			ret = -errno;

	}

	fclose(fp);



	return ret;

}



static void test_unpriv_bpf_disabled_positive(struct test_unpriv_bpf_disabled *skel,

					      __u32 prog_id, int prog_fd, int perf_fd,

					      char **map_paths, int *map_fds)

tools/testing/selftests/bpf/progs/token_kallsyms.c

0 → 100644
+19 −0
Original line number Diff line number Diff line 
// SPDX-License-Identifier: GPL-2.0

/* Copyright (c) 2026 Meta Platforms, Inc. and affiliates. */



#include "vmlinux.h"

#include <bpf/bpf_helpers.h>



char _license[] SEC("license") = "GPL";



__weak

int token_ksym_subprog(void)

{

	return 0;

}



SEC("xdp")

int xdp_main(struct xdp_md *xdp)

{

	return token_ksym_subprog();

}