Re: [PATCH bpf-next v3 2/2] selftests/bpf: Add test for bpftool access to read-only protected maps

2025-06-16 Thread Quentin Monnet 
2025-06-12 08:18 UTC+1000 ~ Slava Imameev 
> Add selftest cases that validate bpftool's expected behavior when
> accessing maps protected from modification via security_bpf_map.
> 
> The test includes a BPF program attached to security_bpf_map with two maps:
> - A protected map that only allows read-only access
> - An unprotected map that allows full access
> 
> The test script attaches the BPF program to security_bpf_map and
> verifies that for the bpftool map command:
> - Read access works on both maps
> - Write access fails on the protected map
> - Write access succeeds on the unprotected map
> - These behaviors remain consistent when the maps are pinned
> 
> Signed-off-by: Slava Imameev 


Acked-by: Quentin Monnet 

Thank you!

[PATCH bpf-next v3 2/2] selftests/bpf: Add test for bpftool access to read-only protected maps

2025-06-11 Thread Slava Imameev 
Add selftest cases that validate bpftool's expected behavior when
accessing maps protected from modification via security_bpf_map.

The test includes a BPF program attached to security_bpf_map with two maps:
- A protected map that only allows read-only access
- An unprotected map that allows full access

The test script attaches the BPF program to security_bpf_map and
verifies that for the bpftool map command:
- Read access works on both maps
- Write access fails on the protected map
- Write access succeeds on the unprotected map
- These behaviors remain consistent when the maps are pinned

Signed-off-by: Slava Imameev 
---
Changes in v2:
- fix for a test compilation error: "conflicting types for 'bpf_fentry_test1'"
Changes in v3:
- Addressed review feedback
- Added tests for map iterator, map and map-of-maps creation, deletion
- Cleaned up excessive output logging
---
---
 tools/testing/selftests/bpf/Makefile  |   1 +
 .../selftests/bpf/progs/bpf_iter_map_elem.c   |  22 ++
 .../selftests/bpf/progs/security_bpf_map.c|  69 
 .../testing/selftests/bpf/test_bpftool_map.sh | 363 ++
 4 files changed, 455 insertions(+)
 create mode 100644 tools/testing/selftests/bpf/progs/bpf_iter_map_elem.c
 create mode 100644 tools/testing/selftests/bpf/progs/security_bpf_map.c
 create mode 100755 tools/testing/selftests/bpf/test_bpftool_map.sh

diff --git a/tools/testing/selftests/bpf/Makefile 
b/tools/testing/selftests/bpf/Makefile
index cf5ed3bee573..731a86407799 100644
--- a/tools/testing/selftests/bpf/Makefile
+++ b/tools/testing/selftests/bpf/Makefile
@@ -109,6 +109,7 @@ TEST_PROGS := test_kmod.sh \
test_xdping.sh \
test_bpftool_build.sh \
test_bpftool.sh \
+   test_bpftool_map.sh \
test_bpftool_metadata.sh \
test_doc_build.sh \
test_xsk.sh \
diff --git a/tools/testing/selftests/bpf/progs/bpf_iter_map_elem.c 
b/tools/testing/selftests/bpf/progs/bpf_iter_map_elem.c
new file mode 100644
index ..2f20485e0de3
--- /dev/null
+++ b/tools/testing/selftests/bpf/progs/bpf_iter_map_elem.c
@@ -0,0 +1,22 @@
+// SPDX-License-Identifier: GPL-2.0-only
+
+#include "vmlinux.h"
+#include 
+#include 
+
+char _license[] SEC("license") = "GPL";
+
+__u32 value_sum = 0;
+
+SEC("iter/bpf_map_elem")
+int dump_bpf_map_values(struct bpf_iter__bpf_map_elem *ctx)
+{
+   __u32 value = 0;
+
+   if (ctx->value == (void *)0)
+   return 0;
+
+   bpf_probe_read_kernel(&value, sizeof(value), ctx->value);
+   value_sum += value;
+   return 0;
+}
diff --git a/tools/testing/selftests/bpf/progs/security_bpf_map.c 
b/tools/testing/selftests/bpf/progs/security_bpf_map.c
new file mode 100644
index ..7176f8468641
--- /dev/null
+++ b/tools/testing/selftests/bpf/progs/security_bpf_map.c
@@ -0,0 +1,69 @@
+// SPDX-License-Identifier: GPL-2.0-only
+
+#include "vmlinux.h"
+#include 
+#include 
+
+char _license[] SEC("license") = "GPL";
+
+#define EPERM 1 /* Operation not permitted */
+
+/* From include/linux/mm.h. */
+#define FMODE_WRITE0x2
+
+struct map;
+
+struct {
+   __uint(type, BPF_MAP_TYPE_ARRAY);
+   __type(key, __u32);
+   __type(value, __u32);
+   __uint(max_entries, 1);
+} prot_status_map SEC(".maps");
+
+struct {
+   __uint(type, BPF_MAP_TYPE_HASH);
+   __type(key, __u32);
+   __type(value, __u32);
+   __uint(max_entries, 3);
+} prot_map SEC(".maps");
+
+struct {
+   __uint(type, BPF_MAP_TYPE_HASH);
+   __type(key, __u32);
+   __type(value, __u32);
+   __uint(max_entries, 3);
+} not_prot_map SEC(".maps");
+
+SEC("fmod_ret/security_bpf_map")
+int BPF_PROG(fmod_bpf_map, struct bpf_map *map, int fmode)
+{
+   __u32 key = 0;
+   __u32 *status_ptr = bpf_map_lookup_elem(&prot_status_map, &key);
+   if (!status_ptr || !*status_ptr) {
+   return 0;
+   }
+
+   if (map == &prot_map) {
+   /* Allow read-only access */
+   if (fmode & FMODE_WRITE)
+   return -EPERM;
+   }
+
+   return 0;
+}
+
+/*
+ * This program keeps references to maps. This is needed to prevent
+ * optimizing them out.
+ */
+SEC("fentry/bpf_fentry_test1")
+int BPF_PROG(fentry_dummy1, int a)
+{
+   __u32 key = 0;
+   __u32 val1 = a;
+   __u32 val2 = a + 1;
+
+   bpf_map_update_elem(&prot_map, &key, &val1, BPF_ANY);
+   bpf_map_update_elem(¬_prot_map, &key, &val2, BPF_ANY);
+   return 0;
+}
diff --git a/tools/testing/selftests/bpf/test_bpftool_map.sh 
b/tools/testing/selftests/bpf/test_bpftool_map.sh
new file mode 100755
index ..383e4df08f93
--- /dev/null
+++ b/tools/testing/selftests/bpf/test_bpftool_map.sh
@@ -0,0 +1,363 @@
+#!/bin/sh
+# SPDX-License-Identifier: GPL-2.0
+
+# Kselftest framework requirement - SKIP code is 4.
+ksft_skip=4
+
+TESTNAME="bpftool_map"
+BPF_FILE="security_bpf_map.bpf.o"
+BPF_ITER_FILE="bpf_iter_map_elem.bpf.o"
+PROTECTED_MAP_NAME="prot_map"
+NOT_PROTECTED_MAP_NAME="no