mirror of
				git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
				synced 2025-09-04 20:19:47 +08:00 
			
		
		
		
	 58c449a969
			
		
	
	
		58c449a969
		
	
	
	
	
		
			
			This tests that when an unprivileged ICMP ping socket connects, the hooks are actually invoked. We also ensure that if the hook does not call bpf_bind(), the bound address is unmodified, and if the hook calls bpf_bind(), the bound address is exactly what we provided to the helper. A new netns is used to enable ping_group_range in the test without affecting ouside of the test, because by default, not even root is permitted to use unprivileged ICMP ping... Signed-off-by: YiFei Zhu <zhuyifei@google.com> Link: https://lore.kernel.org/r/086b227c1b97f4e94193e58aae7576d0261b68a4.1662682323.git.zhuyifei@google.com Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
		
			
				
	
	
		
			179 lines
		
	
	
		
			4.8 KiB
		
	
	
	
		
			C
		
	
	
	
	
	
			
		
		
	
	
			179 lines
		
	
	
		
			4.8 KiB
		
	
	
	
		
			C
		
	
	
	
	
	
| // SPDX-License-Identifier: GPL-2.0-only
 | |
| 
 | |
| /*
 | |
|  * Copyright 2022 Google LLC.
 | |
|  */
 | |
| 
 | |
| #define _GNU_SOURCE
 | |
| #include <sys/mount.h>
 | |
| 
 | |
| #include "test_progs.h"
 | |
| #include "cgroup_helpers.h"
 | |
| #include "network_helpers.h"
 | |
| 
 | |
| #include "connect_ping.skel.h"
 | |
| 
 | |
| /* 2001:db8::1 */
 | |
| #define BINDADDR_V6 { { { 0x20,0x01,0x0d,0xb8,0,0,0,0,0,0,0,0,0,0,0,1 } } }
 | |
| static const struct in6_addr bindaddr_v6 = BINDADDR_V6;
 | |
| 
 | |
| static void subtest(int cgroup_fd, struct connect_ping *skel,
 | |
| 		    int family, int do_bind)
 | |
| {
 | |
| 	struct sockaddr_in sa4 = {
 | |
| 		.sin_family = AF_INET,
 | |
| 		.sin_addr.s_addr = htonl(INADDR_LOOPBACK),
 | |
| 	};
 | |
| 	struct sockaddr_in6 sa6 = {
 | |
| 		.sin6_family = AF_INET6,
 | |
| 		.sin6_addr = IN6ADDR_LOOPBACK_INIT,
 | |
| 	};
 | |
| 	struct sockaddr *sa;
 | |
| 	socklen_t sa_len;
 | |
| 	int protocol;
 | |
| 	int sock_fd;
 | |
| 
 | |
| 	switch (family) {
 | |
| 	case AF_INET:
 | |
| 		sa = (struct sockaddr *)&sa4;
 | |
| 		sa_len = sizeof(sa4);
 | |
| 		protocol = IPPROTO_ICMP;
 | |
| 		break;
 | |
| 	case AF_INET6:
 | |
| 		sa = (struct sockaddr *)&sa6;
 | |
| 		sa_len = sizeof(sa6);
 | |
| 		protocol = IPPROTO_ICMPV6;
 | |
| 		break;
 | |
| 	}
 | |
| 
 | |
| 	memset(skel->bss, 0, sizeof(*skel->bss));
 | |
| 	skel->bss->do_bind = do_bind;
 | |
| 
 | |
| 	sock_fd = socket(family, SOCK_DGRAM, protocol);
 | |
| 	if (!ASSERT_GE(sock_fd, 0, "sock-create"))
 | |
| 		return;
 | |
| 
 | |
| 	if (!ASSERT_OK(connect(sock_fd, sa, sa_len), "connect"))
 | |
| 		goto close_sock;
 | |
| 
 | |
| 	if (!ASSERT_EQ(skel->bss->invocations_v4, family == AF_INET ? 1 : 0,
 | |
| 		       "invocations_v4"))
 | |
| 		goto close_sock;
 | |
| 	if (!ASSERT_EQ(skel->bss->invocations_v6, family == AF_INET6 ? 1 : 0,
 | |
| 		       "invocations_v6"))
 | |
| 		goto close_sock;
 | |
| 	if (!ASSERT_EQ(skel->bss->has_error, 0, "has_error"))
 | |
| 		goto close_sock;
 | |
| 
 | |
| 	if (!ASSERT_OK(getsockname(sock_fd, sa, &sa_len),
 | |
| 		       "getsockname"))
 | |
| 		goto close_sock;
 | |
| 
 | |
| 	switch (family) {
 | |
| 	case AF_INET:
 | |
| 		if (!ASSERT_EQ(sa4.sin_family, family, "sin_family"))
 | |
| 			goto close_sock;
 | |
| 		if (!ASSERT_EQ(sa4.sin_addr.s_addr,
 | |
| 			       htonl(do_bind ? 0x01010101 : INADDR_LOOPBACK),
 | |
| 			       "sin_addr"))
 | |
| 			goto close_sock;
 | |
| 		break;
 | |
| 	case AF_INET6:
 | |
| 		if (!ASSERT_EQ(sa6.sin6_family, AF_INET6, "sin6_family"))
 | |
| 			goto close_sock;
 | |
| 		if (!ASSERT_EQ(memcmp(&sa6.sin6_addr,
 | |
| 				      do_bind ? &bindaddr_v6 : &in6addr_loopback,
 | |
| 				      sizeof(sa6.sin6_addr)),
 | |
| 			       0, "sin6_addr"))
 | |
| 			goto close_sock;
 | |
| 		break;
 | |
| 	}
 | |
| 
 | |
| close_sock:
 | |
| 	close(sock_fd);
 | |
| }
 | |
| 
 | |
| void test_connect_ping(void)
 | |
| {
 | |
| 	struct connect_ping *skel;
 | |
| 	int cgroup_fd;
 | |
| 
 | |
| 	if (!ASSERT_OK(unshare(CLONE_NEWNET | CLONE_NEWNS), "unshare"))
 | |
| 		return;
 | |
| 
 | |
| 	/* overmount sysfs, and making original sysfs private so overmount
 | |
| 	 * does not propagate to other mntns.
 | |
| 	 */
 | |
| 	if (!ASSERT_OK(mount("none", "/sys", NULL, MS_PRIVATE, NULL),
 | |
| 		       "remount-private-sys"))
 | |
| 		return;
 | |
| 	if (!ASSERT_OK(mount("sysfs", "/sys", "sysfs", 0, NULL),
 | |
| 		       "mount-sys"))
 | |
| 		return;
 | |
| 	if (!ASSERT_OK(mount("bpffs", "/sys/fs/bpf", "bpf", 0, NULL),
 | |
| 		       "mount-bpf"))
 | |
| 		goto clean_mount;
 | |
| 
 | |
| 	if (!ASSERT_OK(system("ip link set dev lo up"), "lo-up"))
 | |
| 		goto clean_mount;
 | |
| 	if (!ASSERT_OK(system("ip addr add 1.1.1.1 dev lo"), "lo-addr-v4"))
 | |
| 		goto clean_mount;
 | |
| 	if (!ASSERT_OK(system("ip -6 addr add 2001:db8::1 dev lo"), "lo-addr-v6"))
 | |
| 		goto clean_mount;
 | |
| 	if (write_sysctl("/proc/sys/net/ipv4/ping_group_range", "0 0"))
 | |
| 		goto clean_mount;
 | |
| 
 | |
| 	cgroup_fd = test__join_cgroup("/connect_ping");
 | |
| 	if (!ASSERT_GE(cgroup_fd, 0, "cg-create"))
 | |
| 		goto clean_mount;
 | |
| 
 | |
| 	skel = connect_ping__open_and_load();
 | |
| 	if (!ASSERT_OK_PTR(skel, "skel-load"))
 | |
| 		goto close_cgroup;
 | |
| 	skel->links.connect_v4_prog =
 | |
| 		bpf_program__attach_cgroup(skel->progs.connect_v4_prog, cgroup_fd);
 | |
| 	if (!ASSERT_OK_PTR(skel->links.connect_v4_prog, "cg-attach-v4"))
 | |
| 		goto skel_destroy;
 | |
| 	skel->links.connect_v6_prog =
 | |
| 		bpf_program__attach_cgroup(skel->progs.connect_v6_prog, cgroup_fd);
 | |
| 	if (!ASSERT_OK_PTR(skel->links.connect_v6_prog, "cg-attach-v6"))
 | |
| 		goto skel_destroy;
 | |
| 
 | |
| 	/* Connect a v4 ping socket to localhost, assert that only v4 is called,
 | |
| 	 * and called exactly once, and that the socket's bound address is
 | |
| 	 * original loopback address.
 | |
| 	 */
 | |
| 	if (test__start_subtest("ipv4"))
 | |
| 		subtest(cgroup_fd, skel, AF_INET, 0);
 | |
| 
 | |
| 	/* Connect a v4 ping socket to localhost, assert that only v4 is called,
 | |
| 	 * and called exactly once, and that the socket's bound address is
 | |
| 	 * address we explicitly bound.
 | |
| 	 */
 | |
| 	if (test__start_subtest("ipv4-bind"))
 | |
| 		subtest(cgroup_fd, skel, AF_INET, 1);
 | |
| 
 | |
| 	/* Connect a v6 ping socket to localhost, assert that only v6 is called,
 | |
| 	 * and called exactly once, and that the socket's bound address is
 | |
| 	 * original loopback address.
 | |
| 	 */
 | |
| 	if (test__start_subtest("ipv6"))
 | |
| 		subtest(cgroup_fd, skel, AF_INET6, 0);
 | |
| 
 | |
| 	/* Connect a v6 ping socket to localhost, assert that only v6 is called,
 | |
| 	 * and called exactly once, and that the socket's bound address is
 | |
| 	 * address we explicitly bound.
 | |
| 	 */
 | |
| 	if (test__start_subtest("ipv6-bind"))
 | |
| 		subtest(cgroup_fd, skel, AF_INET6, 1);
 | |
| 
 | |
| skel_destroy:
 | |
| 	connect_ping__destroy(skel);
 | |
| 
 | |
| close_cgroup:
 | |
| 	close(cgroup_fd);
 | |
| 
 | |
| clean_mount:
 | |
| 	umount2("/sys", MNT_DETACH);
 | |
| }
 |