tools/testing/selftests/bpf/progs/test_set_remove_xattr.c - linux - Git at Google

 // SPDX-License-Identifier: GPL-2.0
 /* Copyright (c) 2024 Meta Platforms, Inc. and affiliates. */

 #include "vmlinux.h"
 #include <errno.h>
 #include <bpf/bpf_tracing.h>
 #include "bpf_kfuncs.h"
 #include "bpf_misc.h"

 char _license[] SEC("license") = "GPL";

 __u32 monitored_pid;

 const char xattr_foo[] = "security.bpf.foo";
 const char xattr_bar[] = "security.bpf.bar";
 static const char xattr_selinux[] = "security.selinux";
 char value_bar[] = "world";
 char read_value[32];

 bool set_security_bpf_bar_success;
 bool remove_security_bpf_bar_success;
 bool set_security_selinux_fail;
 bool remove_security_selinux_fail;

 char name_buf[32];

 static inline bool name_match_foo(const char *name)
 {
 	bpf_probe_read_kernel(name_buf, sizeof(name_buf), name);

 	return !bpf_strncmp(name_buf, sizeof(xattr_foo), xattr_foo);
 }

 /* Test bpf_set_dentry_xattr and bpf_remove_dentry_xattr */
 SEC("lsm.s/inode_getxattr")
 int BPF_PROG(test_inode_getxattr, struct dentry *dentry, char *name)
 {
 	struct bpf_dynptr value_ptr;
 	__u32 pid;
 	int ret;

 	pid = bpf_get_current_pid_tgid() >> 32;
 	if (pid != monitored_pid)
 		return 0;

 	/* Only do the following for security.bpf.foo */
 	if (!name_match_foo(name))
 		return 0;

 	bpf_dynptr_from_mem(read_value, sizeof(read_value), 0, &value_ptr);

 	/* read security.bpf.bar */
 	ret = bpf_get_dentry_xattr(dentry, xattr_bar, &value_ptr);

 	if (ret < 0) {
 		/* If security.bpf.bar doesn't exist, set it */
 		bpf_dynptr_from_mem(value_bar, sizeof(value_bar), 0, &value_ptr);

 		ret = bpf_set_dentry_xattr(dentry, xattr_bar, &value_ptr, 0);
 		if (!ret)
 			set_security_bpf_bar_success = true;
 		ret = bpf_set_dentry_xattr(dentry, xattr_selinux, &value_ptr, 0);
 		if (ret)
 			set_security_selinux_fail = true;
 	} else {
 		/* If security.bpf.bar exists, remove it */
 		ret = bpf_remove_dentry_xattr(dentry, xattr_bar);
 		if (!ret)
 			remove_security_bpf_bar_success = true;

 		ret = bpf_remove_dentry_xattr(dentry, xattr_selinux);
 		if (ret)
 			remove_security_selinux_fail = true;
 	}

 	return 0;
 }

 bool locked_set_security_bpf_bar_success;
 bool locked_remove_security_bpf_bar_success;
 bool locked_set_security_selinux_fail;
 bool locked_remove_security_selinux_fail;

 /* Test bpf_set_dentry_xattr_locked and bpf_remove_dentry_xattr_locked.
  * It not necessary to differentiate the _locked version and the
  * not-_locked version in the BPF program. The verifier will fix them up
  * properly.
  */
 SEC("lsm.s/inode_setxattr")
 int BPF_PROG(test_inode_setxattr, struct mnt_idmap *idmap,
 	     struct dentry *dentry, const char *name,
 	     const void *value, size_t size, int flags)
 {
 	struct bpf_dynptr value_ptr;
 	__u32 pid;
 	int ret;

 	pid = bpf_get_current_pid_tgid() >> 32;
 	if (pid != monitored_pid)
 		return 0;

 	/* Only do the following for security.bpf.foo */
 	if (!name_match_foo(name))
 		return 0;

 	bpf_dynptr_from_mem(read_value, sizeof(read_value), 0, &value_ptr);

 	/* read security.bpf.bar */
 	ret = bpf_get_dentry_xattr(dentry, xattr_bar, &value_ptr);

 	if (ret < 0) {
 		/* If security.bpf.bar doesn't exist, set it */
 		bpf_dynptr_from_mem(value_bar, sizeof(value_bar), 0, &value_ptr);

 		ret = bpf_set_dentry_xattr(dentry, xattr_bar, &value_ptr, 0);
 		if (!ret)
 			locked_set_security_bpf_bar_success = true;
 		ret = bpf_set_dentry_xattr(dentry, xattr_selinux, &value_ptr, 0);
 		if (ret)
 			locked_set_security_selinux_fail = true;
 	} else {
 		/* If security.bpf.bar exists, remove it */
 		ret = bpf_remove_dentry_xattr(dentry, xattr_bar);
 		if (!ret)
 			locked_remove_security_bpf_bar_success = true;

 		ret = bpf_remove_dentry_xattr(dentry, xattr_selinux);
 		if (ret)
 			locked_remove_security_selinux_fail = true;
 	}

 	return 0;
 }
	// SPDX-License-Identifier: GPL-2.0
	/* Copyright (c) 2024 Meta Platforms, Inc. and affiliates. */

	#include "vmlinux.h"
	#include <errno.h>
	#include <bpf/bpf_tracing.h>
	#include "bpf_kfuncs.h"
	#include "bpf_misc.h"

	char _license[] SEC("license") = "GPL";

	__u32 monitored_pid;

	const char xattr_foo[] = "security.bpf.foo";
	const char xattr_bar[] = "security.bpf.bar";
	static const char xattr_selinux[] = "security.selinux";
	char value_bar[] = "world";
	char read_value[32];

	bool set_security_bpf_bar_success;
	bool remove_security_bpf_bar_success;
	bool set_security_selinux_fail;
	bool remove_security_selinux_fail;

	char name_buf[32];

	static inline bool name_match_foo(const char *name)
	{
	bpf_probe_read_kernel(name_buf, sizeof(name_buf), name);

	return !bpf_strncmp(name_buf, sizeof(xattr_foo), xattr_foo);
	}

	/* Test bpf_set_dentry_xattr and bpf_remove_dentry_xattr */
	SEC("lsm.s/inode_getxattr")
	int BPF_PROG(test_inode_getxattr, struct dentry dentry, char name)
	{
	struct bpf_dynptr value_ptr;
	__u32 pid;
	int ret;

	pid = bpf_get_current_pid_tgid() >> 32;
	if (pid != monitored_pid)
	return 0;

	/* Only do the following for security.bpf.foo */
	if (!name_match_foo(name))
	return 0;

	bpf_dynptr_from_mem(read_value, sizeof(read_value), 0, &value_ptr);

	/* read security.bpf.bar */
	ret = bpf_get_dentry_xattr(dentry, xattr_bar, &value_ptr);

	if (ret < 0) {
	/* If security.bpf.bar doesn't exist, set it */
	bpf_dynptr_from_mem(value_bar, sizeof(value_bar), 0, &value_ptr);

	ret = bpf_set_dentry_xattr(dentry, xattr_bar, &value_ptr, 0);
	if (!ret)
	set_security_bpf_bar_success = true;
	ret = bpf_set_dentry_xattr(dentry, xattr_selinux, &value_ptr, 0);
	if (ret)
	set_security_selinux_fail = true;
	} else {
	/* If security.bpf.bar exists, remove it */
	ret = bpf_remove_dentry_xattr(dentry, xattr_bar);
	if (!ret)
	remove_security_bpf_bar_success = true;

	ret = bpf_remove_dentry_xattr(dentry, xattr_selinux);
	if (ret)
	remove_security_selinux_fail = true;
	}

	return 0;
	}

	bool locked_set_security_bpf_bar_success;
	bool locked_remove_security_bpf_bar_success;
	bool locked_set_security_selinux_fail;
	bool locked_remove_security_selinux_fail;

	/* Test bpf_set_dentry_xattr_locked and bpf_remove_dentry_xattr_locked.
	* It not necessary to differentiate the _locked version and the
	* not-_locked version in the BPF program. The verifier will fix them up
	* properly.
	*/
	SEC("lsm.s/inode_setxattr")
	int BPF_PROG(test_inode_setxattr, struct mnt_idmap *idmap,
	struct dentry dentry, const char name,
	const void *value, size_t size, int flags)
	{
	struct bpf_dynptr value_ptr;
	__u32 pid;
	int ret;

	pid = bpf_get_current_pid_tgid() >> 32;
	if (pid != monitored_pid)
	return 0;

	/* Only do the following for security.bpf.foo */
	if (!name_match_foo(name))
	return 0;

	bpf_dynptr_from_mem(read_value, sizeof(read_value), 0, &value_ptr);

	/* read security.bpf.bar */
	ret = bpf_get_dentry_xattr(dentry, xattr_bar, &value_ptr);

	if (ret < 0) {
	/* If security.bpf.bar doesn't exist, set it */
	bpf_dynptr_from_mem(value_bar, sizeof(value_bar), 0, &value_ptr);

	ret = bpf_set_dentry_xattr(dentry, xattr_bar, &value_ptr, 0);
	if (!ret)
	locked_set_security_bpf_bar_success = true;
	ret = bpf_set_dentry_xattr(dentry, xattr_selinux, &value_ptr, 0);
	if (ret)
	locked_set_security_selinux_fail = true;
	} else {
	/* If security.bpf.bar exists, remove it */
	ret = bpf_remove_dentry_xattr(dentry, xattr_bar);
	if (!ret)
	locked_remove_security_bpf_bar_success = true;

	ret = bpf_remove_dentry_xattr(dentry, xattr_selinux);
	if (ret)
	locked_remove_security_selinux_fail = true;
	}

	return 0;
	}