selftests: bpf: use the new helper to get netns_ino

This shows how a sockops program could be restricted to a specific network namespace. The sockops program looks at the current netns by calling the bpf_sk_get_netns helper and checks if the value matches the configuration in the new BPF map "sock_netns". The test program ./test_sockmap accepts a new parameter "--netns"; the default value is the current netns found by stat() on /proc/self/ns/net, so the previous tests still pass: sudo ./test_sockmap ... Summary: 412 PASSED 0 FAILED ... Summary: 824 PASSED 0 FAILED I run my additional test in the following way: NETNS=$(readlink /proc/self/ns/net | sed 's/^net:\[$.*$\]$/\1/') CGR=/sys/fs/cgroup/unified/user.slice/user-1000.slice/session-5.scope/ sudo ./test_sockmap --cgroup $CGR --netns $NETNS & cat /sys/kernel/debug/tracing/trace_pipe echo foo | nc -l 127.0.0.1 8080 & echo bar | nc 127.0.0.1 8080 => the connection goes through the sockmap When testing with a wrong $NETNS, I get the trace_pipe log: > not binding connection on netns 4026531992 Signed-off-by: Alban Crequy <alban@kinvolk.io> Signed-off-by: Krzesimir Nowak <krzesimir@kinvolk.io> --- Changes since v1: - tools/include/uapi/linux/bpf.h: update with netns_dev - tools/testing/selftests/bpf/test_sockmap_kern.h: print debugs with both netns_dev and netns_ino Changes since v2: - update commitmsg to refer to netns_ino Changes since v5: - update to use the helper
kinvolk · Jun 27, 2019 · 0cf6a6d · 0cf6a6d
1 parent c5bd3a4
commit 0cf6a6d
Show file tree

Hide file tree

Showing 3 changed files with 61 additions and 4 deletions.
diff --git a/tools/testing/selftests/bpf/bpf_helpers.h b/tools/testing/selftests/bpf/bpf_helpers.h
@@ -298,6 +298,8 @@ static unsigned int (*bpf_set_hash)(void *ctx, __u32 hash) =
 static int (*bpf_skb_adjust_room)(void *ctx, __s32 len_diff, __u32 mode,
 				  unsigned long long flags) =
 	(void *) BPF_FUNC_skb_adjust_room;
+static int (*bpf_sk_get_netns)(void *ctx, __u64 *dev, __u64 *ino, __u32 flags) =
+	(void *) BPF_FUNC_sk_get_netns;
 
 /* Scan the ARCH passed in from ARCH env variable (see Makefile) */
 #if defined(__TARGET_ARCH_x86)

diff --git a/tools/testing/selftests/bpf/test_sockmap.c b/tools/testing/selftests/bpf/test_sockmap.c
@@ -2,6 +2,7 @@
 // Copyright (c) 2017-2018 Covalent IO, Inc. http://covalent.io
 #include <stdio.h>
 #include <stdlib.h>
+#include <stdint.h>
 #include <sys/socket.h>
 #include <sys/ioctl.h>
 #include <sys/select.h>
@@ -21,6 +22,7 @@
 #include <sys/resource.h>
 #include <sys/types.h>
 #include <sys/sendfile.h>
+#include <sys/stat.h>
 
 #include <linux/netlink.h>
 #include <linux/socket.h>
@@ -63,8 +65,8 @@ int s1, s2, c1, c2, p1, p2;
 int test_cnt;
 int passed;
 int failed;
-int map_fd[8];
-struct bpf_map *maps[8];
+int map_fd[9];
+struct bpf_map *maps[9];
 int prog_fd[11];
 
 int txmsg_pass;
@@ -84,6 +86,7 @@ int txmsg_ingress;
 int txmsg_skb;
 int ktls;
 int peek_flag;
+uint64_t netns_opt;
 
 static const struct option long_options[] = {
 	{"help",	no_argument,		NULL, 'h' },
@@ -111,6 +114,7 @@ static const struct option long_options[] = {
 	{"txmsg_skb", no_argument,		&txmsg_skb, 1 },
 	{"ktls", no_argument,			&ktls, 1 },
 	{"peek", no_argument,			&peek_flag, 1 },
+	{"netns",	required_argument,	NULL, 'n'},
 	{0, 0, NULL, 0 }
 };
 
@@ -1585,6 +1589,7 @@ char *map_names[] = {
 	"sock_bytes",
 	"sock_redir_flags",
 	"sock_skb_opts",
+	"sock_netns",
 };
 
 int prog_attach_type[] = {
@@ -1619,6 +1624,8 @@ static int populate_progs(char *bpf_file)
 	struct bpf_object *obj;
 	int i = 0;
 	long err;
+	struct stat netns_sb;
+	uint64_t netns_ino;
 
 	obj = bpf_object__open(bpf_file);
 	err = libbpf_get_error(obj);
@@ -1655,6 +1662,28 @@ static int populate_progs(char *bpf_file)
 		}
 	}
 
+	if (netns_opt == 0) {
+		err = stat("/proc/self/ns/net", &netns_sb);
+		if (err) {
+			fprintf(stderr,
+				"ERROR: cannot stat network namespace: %ld (%s)\n",
+				err, strerror(errno));
+			return -1;
+		}
+		netns_ino = netns_sb.st_ino;
+	} else {
+		netns_ino = netns_opt;
+	}
+	i = 1;
+	err = bpf_map_update_elem(map_fd[8], &netns_ino, &i, BPF_ANY);
+	if (err) {
+		fprintf(stderr,
+			"ERROR: bpf_map_update_elem (netns):  %ld (%s)\n",
+			err, strerror(errno));
+		return -1;
+	}
+
+
 	return 0;
 }
 
@@ -1738,7 +1767,7 @@ int main(int argc, char **argv)
 	if (argc < 2)
 		return test_suite(-1);
 
-	while ((opt = getopt_long(argc, argv, ":dhvc:r:i:l:t:p:q:",
+	while ((opt = getopt_long(argc, argv, ":dhvc:r:i:l:t:p:q:n:",
 				  long_options, &longindex)) != -1) {
 		switch (opt) {
 		case 's':
@@ -1805,6 +1834,9 @@ int main(int argc, char **argv)
 				return -1;
 			}
 			break;
+		case 'n':
+			netns_opt = strtoull(optarg, NULL, 10);
+			break;
 		case 0:
 			break;
 		case 'h':

diff --git a/tools/testing/selftests/bpf/test_sockmap_kern.h b/tools/testing/selftests/bpf/test_sockmap_kern.h
@@ -91,6 +91,13 @@ struct bpf_map_def SEC("maps") sock_skb_opts = {
 	.max_entries = 1
 };
 
+struct bpf_map_def SEC("maps") sock_netns = {
+	.type = BPF_MAP_TYPE_HASH,
+	.key_size = sizeof(__u64),
+	.value_size = sizeof(int),
+	.max_entries = 16
+};
+
 SEC("sk_skb1")
 int bpf_prog1(struct __sk_buff *skb)
 {
@@ -132,9 +139,25 @@ int bpf_sockmap(struct bpf_sock_ops *skops)
 {
 	__u32 lport, rport;
 	int op, err = 0, index, key, ret;
-
+	int i = 0;
+	__u64 netns_dev, netns_ino;
+	int *allowed;
 
 	op = (int) skops->op;
+	if (bpf_sk_get_netns(skops, &netns_dev, &netns_ino, 3)) {
+		bpf_printk("bpf_sockmap: failed to get netns\n");
+		netns_dev = netns_ino = 0;
+	} else
+		bpf_printk("bpf_sockmap: netns_dev = %lu netns_ino = %lu\n",
+			   netns_dev, netns_ino);
+
+	// Only allow sockmap connection on the configured network namespace
+	allowed = bpf_map_lookup_elem(&sock_netns, &netns_ino);
+	if (allowed == NULL || *allowed == 0) {
+		bpf_printk("not binding connection on netns_ino %lu\n",
+			   netns_ino);
+		return 0;
+	}
 
 	switch (op) {
 	case BPF_SOCK_OPS_PASSIVE_ESTABLISHED_CB: