xref: /linux/tools/testing/selftests/bpf/prog_tests/token.c (revision 5afca7e996c42aed1b4a42d4712817601ba42aff)
1 // SPDX-License-Identifier: GPL-2.0
2 /* Copyright (c) 2023 Meta Platforms, Inc. and affiliates. */
3 #define _GNU_SOURCE
4 #include <test_progs.h>
5 #include <bpf/btf.h>
6 #include "cap_helpers.h"
7 #include <fcntl.h>
8 #include <sched.h>
9 #include <signal.h>
10 #include <unistd.h>
11 #include <linux/filter.h>
12 #include <linux/unistd.h>
13 #include <linux/mount.h>
14 #include <sys/socket.h>
15 #include <sys/stat.h>
16 #include <sys/syscall.h>
17 #include <sys/un.h>
18 #include "priv_map.skel.h"
19 #include "priv_prog.skel.h"
20 #include "dummy_st_ops_success.skel.h"
21 #include "token_lsm.skel.h"
22 
23 static inline int sys_mount(const char *dev_name, const char *dir_name,
24 			    const char *type, unsigned long flags,
25 			    const void *data)
26 {
27 	return syscall(__NR_mount, dev_name, dir_name, type, flags, data);
28 }
29 
30 static inline int sys_fsopen(const char *fsname, unsigned flags)
31 {
32 	return syscall(__NR_fsopen, fsname, flags);
33 }
34 
35 static inline int sys_fspick(int dfd, const char *path, unsigned flags)
36 {
37 	return syscall(__NR_fspick, dfd, path, flags);
38 }
39 
40 static inline int sys_fsconfig(int fs_fd, unsigned cmd, const char *key, const void *val, int aux)
41 {
42 	return syscall(__NR_fsconfig, fs_fd, cmd, key, val, aux);
43 }
44 
45 static inline int sys_fsmount(int fs_fd, unsigned flags, unsigned ms_flags)
46 {
47 	return syscall(__NR_fsmount, fs_fd, flags, ms_flags);
48 }
49 
50 static inline int sys_move_mount(int from_dfd, const char *from_path,
51 				 int to_dfd, const char *to_path,
52 				 unsigned flags)
53 {
54 	return syscall(__NR_move_mount, from_dfd, from_path, to_dfd, to_path, flags);
55 }
56 
57 static int drop_priv_caps(__u64 *old_caps)
58 {
59 	return cap_disable_effective((1ULL << CAP_BPF) |
60 				     (1ULL << CAP_PERFMON) |
61 				     (1ULL << CAP_NET_ADMIN) |
62 				     (1ULL << CAP_SYS_ADMIN), old_caps);
63 }
64 
65 static int restore_priv_caps(__u64 old_caps)
66 {
67 	return cap_enable_effective(old_caps, NULL);
68 }
69 
70 static int set_delegate_mask(int fs_fd, const char *key, __u64 mask, const char *mask_str)
71 {
72 	char buf[32];
73 	int err;
74 
75 	if (!mask_str) {
76 		if (mask == ~0ULL) {
77 			mask_str = "any";
78 		} else {
79 			snprintf(buf, sizeof(buf), "0x%llx", (unsigned long long)mask);
80 			mask_str = buf;
81 		}
82 	}
83 
84 	err = sys_fsconfig(fs_fd, FSCONFIG_SET_STRING, key,
85 			   mask_str, 0);
86 	if (err < 0)
87 		err = -errno;
88 	return err;
89 }
90 
91 #define zclose(fd) do { if (fd >= 0) close(fd); fd = -1; } while (0)
92 
93 struct bpffs_opts {
94 	__u64 cmds;
95 	__u64 maps;
96 	__u64 progs;
97 	__u64 attachs;
98 	const char *cmds_str;
99 	const char *maps_str;
100 	const char *progs_str;
101 	const char *attachs_str;
102 };
103 
104 static int create_bpffs_fd(void)
105 {
106 	int fs_fd;
107 
108 	/* create VFS context */
109 	fs_fd = sys_fsopen("bpf", 0);
110 	ASSERT_GE(fs_fd, 0, "fs_fd");
111 
112 	return fs_fd;
113 }
114 
115 static int materialize_bpffs_fd(int fs_fd, struct bpffs_opts *opts)
116 {
117 	int mnt_fd, err;
118 
119 	/* set up token delegation mount options */
120 	err = set_delegate_mask(fs_fd, "delegate_cmds", opts->cmds, opts->cmds_str);
121 	if (!ASSERT_OK(err, "fs_cfg_cmds"))
122 		return err;
123 	err = set_delegate_mask(fs_fd, "delegate_maps", opts->maps, opts->maps_str);
124 	if (!ASSERT_OK(err, "fs_cfg_maps"))
125 		return err;
126 	err = set_delegate_mask(fs_fd, "delegate_progs", opts->progs, opts->progs_str);
127 	if (!ASSERT_OK(err, "fs_cfg_progs"))
128 		return err;
129 	err = set_delegate_mask(fs_fd, "delegate_attachs", opts->attachs, opts->attachs_str);
130 	if (!ASSERT_OK(err, "fs_cfg_attachs"))
131 		return err;
132 
133 	/* instantiate FS object */
134 	err = sys_fsconfig(fs_fd, FSCONFIG_CMD_CREATE, NULL, NULL, 0);
135 	if (err < 0)
136 		return -errno;
137 
138 	/* create O_PATH fd for detached mount */
139 	mnt_fd = sys_fsmount(fs_fd, 0, 0);
140 	if (err < 0)
141 		return -errno;
142 
143 	return mnt_fd;
144 }
145 
146 /* send FD over Unix domain (AF_UNIX) socket */
147 static int sendfd(int sockfd, int fd)
148 {
149 	struct msghdr msg = {};
150 	struct cmsghdr *cmsg;
151 	int fds[1] = { fd }, err;
152 	char iobuf[1];
153 	struct iovec io = {
154 		.iov_base = iobuf,
155 		.iov_len = sizeof(iobuf),
156 	};
157 	union {
158 		char buf[CMSG_SPACE(sizeof(fds))];
159 		struct cmsghdr align;
160 	} u;
161 
162 	msg.msg_iov = &io;
163 	msg.msg_iovlen = 1;
164 	msg.msg_control = u.buf;
165 	msg.msg_controllen = sizeof(u.buf);
166 	cmsg = CMSG_FIRSTHDR(&msg);
167 	cmsg->cmsg_level = SOL_SOCKET;
168 	cmsg->cmsg_type = SCM_RIGHTS;
169 	cmsg->cmsg_len = CMSG_LEN(sizeof(fds));
170 	memcpy(CMSG_DATA(cmsg), fds, sizeof(fds));
171 
172 	err = sendmsg(sockfd, &msg, 0);
173 	if (err < 0)
174 		err = -errno;
175 	if (!ASSERT_EQ(err, 1, "sendmsg"))
176 		return -EINVAL;
177 
178 	return 0;
179 }
180 
181 /* receive FD over Unix domain (AF_UNIX) socket */
182 static int recvfd(int sockfd, int *fd)
183 {
184 	struct msghdr msg = {};
185 	struct cmsghdr *cmsg;
186 	int fds[1], err;
187 	char iobuf[1];
188 	struct iovec io = {
189 		.iov_base = iobuf,
190 		.iov_len = sizeof(iobuf),
191 	};
192 	union {
193 		char buf[CMSG_SPACE(sizeof(fds))];
194 		struct cmsghdr align;
195 	} u;
196 
197 	msg.msg_iov = &io;
198 	msg.msg_iovlen = 1;
199 	msg.msg_control = u.buf;
200 	msg.msg_controllen = sizeof(u.buf);
201 
202 	err = recvmsg(sockfd, &msg, 0);
203 	if (err < 0)
204 		err = -errno;
205 	if (!ASSERT_EQ(err, 1, "recvmsg"))
206 		return -EINVAL;
207 
208 	cmsg = CMSG_FIRSTHDR(&msg);
209 	if (!ASSERT_OK_PTR(cmsg, "cmsg_null") ||
210 	    !ASSERT_EQ(cmsg->cmsg_len, CMSG_LEN(sizeof(fds)), "cmsg_len") ||
211 	    !ASSERT_EQ(cmsg->cmsg_level, SOL_SOCKET, "cmsg_level") ||
212 	    !ASSERT_EQ(cmsg->cmsg_type, SCM_RIGHTS, "cmsg_type"))
213 		return -EINVAL;
214 
215 	memcpy(fds, CMSG_DATA(cmsg), sizeof(fds));
216 	*fd = fds[0];
217 
218 	return 0;
219 }
220 
221 static ssize_t write_nointr(int fd, const void *buf, size_t count)
222 {
223 	ssize_t ret;
224 
225 	do {
226 		ret = write(fd, buf, count);
227 	} while (ret < 0 && errno == EINTR);
228 
229 	return ret;
230 }
231 
232 static int write_file(const char *path, const void *buf, size_t count)
233 {
234 	int fd;
235 	ssize_t ret;
236 
237 	fd = open(path, O_WRONLY | O_CLOEXEC | O_NOCTTY | O_NOFOLLOW);
238 	if (fd < 0)
239 		return -1;
240 
241 	ret = write_nointr(fd, buf, count);
242 	close(fd);
243 	if (ret < 0 || (size_t)ret != count)
244 		return -1;
245 
246 	return 0;
247 }
248 
249 static int create_and_enter_userns(void)
250 {
251 	uid_t uid;
252 	gid_t gid;
253 	char map[100];
254 
255 	uid = getuid();
256 	gid = getgid();
257 
258 	if (unshare(CLONE_NEWUSER))
259 		return -1;
260 
261 	if (write_file("/proc/self/setgroups", "deny", sizeof("deny") - 1) &&
262 	    errno != ENOENT)
263 		return -1;
264 
265 	snprintf(map, sizeof(map), "0 %d 1", uid);
266 	if (write_file("/proc/self/uid_map", map, strlen(map)))
267 		return -1;
268 
269 
270 	snprintf(map, sizeof(map), "0 %d 1", gid);
271 	if (write_file("/proc/self/gid_map", map, strlen(map)))
272 		return -1;
273 
274 	if (setgid(0))
275 		return -1;
276 
277 	if (setuid(0))
278 		return -1;
279 
280 	return 0;
281 }
282 
283 typedef int (*child_callback_fn)(int bpffs_fd, struct token_lsm *lsm_skel);
284 
285 static void child(int sock_fd, struct bpffs_opts *opts, child_callback_fn callback)
286 {
287 	int mnt_fd = -1, fs_fd = -1, err = 0, bpffs_fd = -1, token_fd = -1;
288 	struct token_lsm *lsm_skel = NULL;
289 
290 	/* load and attach LSM "policy" before we go into unpriv userns */
291 	lsm_skel = token_lsm__open_and_load();
292 	if (!ASSERT_OK_PTR(lsm_skel, "lsm_skel_load")) {
293 		err = -EINVAL;
294 		goto cleanup;
295 	}
296 	lsm_skel->bss->my_pid = getpid();
297 	err = token_lsm__attach(lsm_skel);
298 	if (!ASSERT_OK(err, "lsm_skel_attach"))
299 		goto cleanup;
300 
301 	/* setup userns with root mappings */
302 	err = create_and_enter_userns();
303 	if (!ASSERT_OK(err, "create_and_enter_userns"))
304 		goto cleanup;
305 
306 	/* setup mountns to allow creating BPF FS (fsopen("bpf")) from unpriv process */
307 	err = unshare(CLONE_NEWNS);
308 	if (!ASSERT_OK(err, "create_mountns"))
309 		goto cleanup;
310 
311 	err = sys_mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, 0);
312 	if (!ASSERT_OK(err, "remount_root"))
313 		goto cleanup;
314 
315 	fs_fd = create_bpffs_fd();
316 	if (!ASSERT_GE(fs_fd, 0, "create_bpffs_fd")) {
317 		err = -EINVAL;
318 		goto cleanup;
319 	}
320 
321 	/* ensure unprivileged child cannot set delegation options */
322 	err = set_delegate_mask(fs_fd, "delegate_cmds", 0x1, NULL);
323 	ASSERT_EQ(err, -EPERM, "delegate_cmd_eperm");
324 	err = set_delegate_mask(fs_fd, "delegate_maps", 0x1, NULL);
325 	ASSERT_EQ(err, -EPERM, "delegate_maps_eperm");
326 	err = set_delegate_mask(fs_fd, "delegate_progs", 0x1, NULL);
327 	ASSERT_EQ(err, -EPERM, "delegate_progs_eperm");
328 	err = set_delegate_mask(fs_fd, "delegate_attachs", 0x1, NULL);
329 	ASSERT_EQ(err, -EPERM, "delegate_attachs_eperm");
330 
331 	/* pass BPF FS context object to parent */
332 	err = sendfd(sock_fd, fs_fd);
333 	if (!ASSERT_OK(err, "send_fs_fd"))
334 		goto cleanup;
335 	zclose(fs_fd);
336 
337 	/* avoid mucking around with mount namespaces and mounting at
338 	 * well-known path, just get detach-mounted BPF FS fd back from parent
339 	 */
340 	err = recvfd(sock_fd, &mnt_fd);
341 	if (!ASSERT_OK(err, "recv_mnt_fd"))
342 		goto cleanup;
343 
344 	/* try to fspick() BPF FS and try to add some delegation options */
345 	fs_fd = sys_fspick(mnt_fd, "", FSPICK_EMPTY_PATH);
346 	if (!ASSERT_GE(fs_fd, 0, "bpffs_fspick")) {
347 		err = -EINVAL;
348 		goto cleanup;
349 	}
350 
351 	/* ensure unprivileged child cannot reconfigure to set delegation options */
352 	err = set_delegate_mask(fs_fd, "delegate_cmds", 0, "any");
353 	if (!ASSERT_EQ(err, -EPERM, "delegate_cmd_eperm_reconfig")) {
354 		err = -EINVAL;
355 		goto cleanup;
356 	}
357 	err = set_delegate_mask(fs_fd, "delegate_maps", 0, "any");
358 	if (!ASSERT_EQ(err, -EPERM, "delegate_maps_eperm_reconfig")) {
359 		err = -EINVAL;
360 		goto cleanup;
361 	}
362 	err = set_delegate_mask(fs_fd, "delegate_progs", 0, "any");
363 	if (!ASSERT_EQ(err, -EPERM, "delegate_progs_eperm_reconfig")) {
364 		err = -EINVAL;
365 		goto cleanup;
366 	}
367 	err = set_delegate_mask(fs_fd, "delegate_attachs", 0, "any");
368 	if (!ASSERT_EQ(err, -EPERM, "delegate_attachs_eperm_reconfig")) {
369 		err = -EINVAL;
370 		goto cleanup;
371 	}
372 	zclose(fs_fd);
373 
374 	bpffs_fd = openat(mnt_fd, ".", 0, O_RDWR);
375 	if (!ASSERT_GE(bpffs_fd, 0, "bpffs_open")) {
376 		err = -EINVAL;
377 		goto cleanup;
378 	}
379 
380 	/* create BPF token FD and pass it to parent for some extra checks */
381 	token_fd = bpf_token_create(bpffs_fd, NULL);
382 	if (!ASSERT_GT(token_fd, 0, "child_token_create")) {
383 		err = -EINVAL;
384 		goto cleanup;
385 	}
386 	err = sendfd(sock_fd, token_fd);
387 	if (!ASSERT_OK(err, "send_token_fd"))
388 		goto cleanup;
389 	zclose(token_fd);
390 
391 	/* do custom test logic with customly set up BPF FS instance */
392 	err = callback(bpffs_fd, lsm_skel);
393 	if (!ASSERT_OK(err, "test_callback"))
394 		goto cleanup;
395 
396 	err = 0;
397 cleanup:
398 	zclose(sock_fd);
399 	zclose(mnt_fd);
400 	zclose(fs_fd);
401 	zclose(bpffs_fd);
402 	zclose(token_fd);
403 
404 	lsm_skel->bss->my_pid = 0;
405 	token_lsm__destroy(lsm_skel);
406 
407 	exit(-err);
408 }
409 
410 static int wait_for_pid(pid_t pid)
411 {
412 	int status, ret;
413 
414 again:
415 	ret = waitpid(pid, &status, 0);
416 	if (ret == -1) {
417 		if (errno == EINTR)
418 			goto again;
419 
420 		return -1;
421 	}
422 
423 	if (!WIFEXITED(status))
424 		return -1;
425 
426 	return WEXITSTATUS(status);
427 }
428 
429 static void parent(int child_pid, struct bpffs_opts *bpffs_opts, int sock_fd)
430 {
431 	int fs_fd = -1, mnt_fd = -1, token_fd = -1, err;
432 
433 	err = recvfd(sock_fd, &fs_fd);
434 	if (!ASSERT_OK(err, "recv_bpffs_fd"))
435 		goto cleanup;
436 
437 	mnt_fd = materialize_bpffs_fd(fs_fd, bpffs_opts);
438 	if (!ASSERT_GE(mnt_fd, 0, "materialize_bpffs_fd")) {
439 		err = -EINVAL;
440 		goto cleanup;
441 	}
442 	zclose(fs_fd);
443 
444 	/* pass BPF FS context object to parent */
445 	err = sendfd(sock_fd, mnt_fd);
446 	if (!ASSERT_OK(err, "send_mnt_fd"))
447 		goto cleanup;
448 	zclose(mnt_fd);
449 
450 	/* receive BPF token FD back from child for some extra tests */
451 	err = recvfd(sock_fd, &token_fd);
452 	if (!ASSERT_OK(err, "recv_token_fd"))
453 		goto cleanup;
454 
455 	err = wait_for_pid(child_pid);
456 	ASSERT_OK(err, "waitpid_child");
457 
458 cleanup:
459 	zclose(sock_fd);
460 	zclose(fs_fd);
461 	zclose(mnt_fd);
462 	zclose(token_fd);
463 
464 	if (child_pid > 0)
465 		(void)kill(child_pid, SIGKILL);
466 }
467 
468 static void subtest_userns(struct bpffs_opts *bpffs_opts,
469 			   child_callback_fn child_cb)
470 {
471 	int sock_fds[2] = { -1, -1 };
472 	int child_pid = 0, err;
473 
474 	err = socketpair(AF_UNIX, SOCK_STREAM, 0, sock_fds);
475 	if (!ASSERT_OK(err, "socketpair"))
476 		goto cleanup;
477 
478 	child_pid = fork();
479 	if (!ASSERT_GE(child_pid, 0, "fork"))
480 		goto cleanup;
481 
482 	if (child_pid == 0) {
483 		zclose(sock_fds[0]);
484 		return child(sock_fds[1], bpffs_opts, child_cb);
485 
486 	} else {
487 		zclose(sock_fds[1]);
488 		return parent(child_pid, bpffs_opts, sock_fds[0]);
489 	}
490 
491 cleanup:
492 	zclose(sock_fds[0]);
493 	zclose(sock_fds[1]);
494 	if (child_pid > 0)
495 		(void)kill(child_pid, SIGKILL);
496 }
497 
498 static int userns_map_create(int mnt_fd, struct token_lsm *lsm_skel)
499 {
500 	LIBBPF_OPTS(bpf_map_create_opts, map_opts);
501 	int err, token_fd = -1, map_fd = -1;
502 	__u64 old_caps = 0;
503 
504 	/* create BPF token from BPF FS mount */
505 	token_fd = bpf_token_create(mnt_fd, NULL);
506 	if (!ASSERT_GT(token_fd, 0, "token_create")) {
507 		err = -EINVAL;
508 		goto cleanup;
509 	}
510 
511 	/* while inside non-init userns, we need both a BPF token *and*
512 	 * CAP_BPF inside current userns to create privileged map; let's test
513 	 * that neither BPF token alone nor namespaced CAP_BPF is sufficient
514 	 */
515 	err = drop_priv_caps(&old_caps);
516 	if (!ASSERT_OK(err, "drop_caps"))
517 		goto cleanup;
518 
519 	/* no token, no CAP_BPF -> fail */
520 	map_opts.map_flags = 0;
521 	map_opts.token_fd = 0;
522 	map_fd = bpf_map_create(BPF_MAP_TYPE_STACK, "wo_token_wo_bpf", 0, 8, 1, &map_opts);
523 	if (!ASSERT_LT(map_fd, 0, "stack_map_wo_token_wo_cap_bpf_should_fail")) {
524 		err = -EINVAL;
525 		goto cleanup;
526 	}
527 
528 	/* token without CAP_BPF -> fail */
529 	map_opts.map_flags = BPF_F_TOKEN_FD;
530 	map_opts.token_fd = token_fd;
531 	map_fd = bpf_map_create(BPF_MAP_TYPE_STACK, "w_token_wo_bpf", 0, 8, 1, &map_opts);
532 	if (!ASSERT_LT(map_fd, 0, "stack_map_w_token_wo_cap_bpf_should_fail")) {
533 		err = -EINVAL;
534 		goto cleanup;
535 	}
536 
537 	/* get back effective local CAP_BPF (and CAP_SYS_ADMIN) */
538 	err = restore_priv_caps(old_caps);
539 	if (!ASSERT_OK(err, "restore_caps"))
540 		goto cleanup;
541 
542 	/* CAP_BPF without token -> fail */
543 	map_opts.map_flags = 0;
544 	map_opts.token_fd = 0;
545 	map_fd = bpf_map_create(BPF_MAP_TYPE_STACK, "wo_token_w_bpf", 0, 8, 1, &map_opts);
546 	if (!ASSERT_LT(map_fd, 0, "stack_map_wo_token_w_cap_bpf_should_fail")) {
547 		err = -EINVAL;
548 		goto cleanup;
549 	}
550 
551 	/* finally, namespaced CAP_BPF + token -> success */
552 	map_opts.map_flags = BPF_F_TOKEN_FD;
553 	map_opts.token_fd = token_fd;
554 	map_fd = bpf_map_create(BPF_MAP_TYPE_STACK, "w_token_w_bpf", 0, 8, 1, &map_opts);
555 	if (!ASSERT_GT(map_fd, 0, "stack_map_w_token_w_cap_bpf")) {
556 		err = -EINVAL;
557 		goto cleanup;
558 	}
559 
560 cleanup:
561 	zclose(token_fd);
562 	zclose(map_fd);
563 	return err;
564 }
565 
566 static int userns_btf_load(int mnt_fd, struct token_lsm *lsm_skel)
567 {
568 	LIBBPF_OPTS(bpf_btf_load_opts, btf_opts);
569 	int err, token_fd = -1, btf_fd = -1;
570 	const void *raw_btf_data;
571 	struct btf *btf = NULL;
572 	__u32 raw_btf_size;
573 	__u64 old_caps = 0;
574 
575 	/* create BPF token from BPF FS mount */
576 	token_fd = bpf_token_create(mnt_fd, NULL);
577 	if (!ASSERT_GT(token_fd, 0, "token_create")) {
578 		err = -EINVAL;
579 		goto cleanup;
580 	}
581 
582 	/* while inside non-init userns, we need both a BPF token *and*
583 	 * CAP_BPF inside current userns to create privileged map; let's test
584 	 * that neither BPF token alone nor namespaced CAP_BPF is sufficient
585 	 */
586 	err = drop_priv_caps(&old_caps);
587 	if (!ASSERT_OK(err, "drop_caps"))
588 		goto cleanup;
589 
590 	/* setup a trivial BTF data to load to the kernel */
591 	btf = btf__new_empty();
592 	if (!ASSERT_OK_PTR(btf, "empty_btf"))
593 		goto cleanup;
594 
595 	ASSERT_GT(btf__add_int(btf, "int", 4, 0), 0, "int_type");
596 
597 	raw_btf_data = btf__raw_data(btf, &raw_btf_size);
598 	if (!ASSERT_OK_PTR(raw_btf_data, "raw_btf_data"))
599 		goto cleanup;
600 
601 	/* no token + no CAP_BPF -> failure */
602 	btf_opts.btf_flags = 0;
603 	btf_opts.token_fd = 0;
604 	btf_fd = bpf_btf_load(raw_btf_data, raw_btf_size, &btf_opts);
605 	if (!ASSERT_LT(btf_fd, 0, "no_token_no_cap_should_fail"))
606 		goto cleanup;
607 
608 	/* token + no CAP_BPF -> failure */
609 	btf_opts.btf_flags = BPF_F_TOKEN_FD;
610 	btf_opts.token_fd = token_fd;
611 	btf_fd = bpf_btf_load(raw_btf_data, raw_btf_size, &btf_opts);
612 	if (!ASSERT_LT(btf_fd, 0, "token_no_cap_should_fail"))
613 		goto cleanup;
614 
615 	/* get back effective local CAP_BPF (and CAP_SYS_ADMIN) */
616 	err = restore_priv_caps(old_caps);
617 	if (!ASSERT_OK(err, "restore_caps"))
618 		goto cleanup;
619 
620 	/* token + CAP_BPF -> success */
621 	btf_opts.btf_flags = BPF_F_TOKEN_FD;
622 	btf_opts.token_fd = token_fd;
623 	btf_fd = bpf_btf_load(raw_btf_data, raw_btf_size, &btf_opts);
624 	if (!ASSERT_GT(btf_fd, 0, "token_and_cap_success"))
625 		goto cleanup;
626 
627 	err = 0;
628 cleanup:
629 	btf__free(btf);
630 	zclose(btf_fd);
631 	zclose(token_fd);
632 	return err;
633 }
634 
635 static int userns_prog_load(int mnt_fd, struct token_lsm *lsm_skel)
636 {
637 	LIBBPF_OPTS(bpf_prog_load_opts, prog_opts);
638 	int err, token_fd = -1, prog_fd = -1;
639 	struct bpf_insn insns[] = {
640 		/* bpf_jiffies64() requires CAP_BPF */
641 		BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_jiffies64),
642 		/* bpf_get_current_task() requires CAP_PERFMON */
643 		BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_get_current_task),
644 		/* r0 = 0; exit; */
645 		BPF_MOV64_IMM(BPF_REG_0, 0),
646 		BPF_EXIT_INSN(),
647 	};
648 	size_t insn_cnt = ARRAY_SIZE(insns);
649 	__u64 old_caps = 0;
650 
651 	/* create BPF token from BPF FS mount */
652 	token_fd = bpf_token_create(mnt_fd, NULL);
653 	if (!ASSERT_GT(token_fd, 0, "token_create")) {
654 		err = -EINVAL;
655 		goto cleanup;
656 	}
657 
658 	/* validate we can successfully load BPF program with token; this
659 	 * being XDP program (CAP_NET_ADMIN) using bpf_jiffies64() (CAP_BPF)
660 	 * and bpf_get_current_task() (CAP_PERFMON) helpers validates we have
661 	 * BPF token wired properly in a bunch of places in the kernel
662 	 */
663 	prog_opts.prog_flags = BPF_F_TOKEN_FD;
664 	prog_opts.token_fd = token_fd;
665 	prog_opts.expected_attach_type = BPF_XDP;
666 	prog_fd = bpf_prog_load(BPF_PROG_TYPE_XDP, "token_prog", "GPL",
667 				insns, insn_cnt, &prog_opts);
668 	if (!ASSERT_GT(prog_fd, 0, "prog_fd")) {
669 		err = -EPERM;
670 		goto cleanup;
671 	}
672 
673 	/* no token + caps -> failure */
674 	prog_opts.prog_flags = 0;
675 	prog_opts.token_fd = 0;
676 	prog_fd = bpf_prog_load(BPF_PROG_TYPE_XDP, "token_prog", "GPL",
677 				insns, insn_cnt, &prog_opts);
678 	if (!ASSERT_EQ(prog_fd, -EPERM, "prog_fd_eperm")) {
679 		err = -EPERM;
680 		goto cleanup;
681 	}
682 
683 	err = drop_priv_caps(&old_caps);
684 	if (!ASSERT_OK(err, "drop_caps"))
685 		goto cleanup;
686 
687 	/* no caps + token -> failure */
688 	prog_opts.prog_flags = BPF_F_TOKEN_FD;
689 	prog_opts.token_fd = token_fd;
690 	prog_fd = bpf_prog_load(BPF_PROG_TYPE_XDP, "token_prog", "GPL",
691 				insns, insn_cnt, &prog_opts);
692 	if (!ASSERT_EQ(prog_fd, -EPERM, "prog_fd_eperm")) {
693 		err = -EPERM;
694 		goto cleanup;
695 	}
696 
697 	/* no caps + no token -> definitely a failure */
698 	prog_opts.prog_flags = 0;
699 	prog_opts.token_fd = 0;
700 	prog_fd = bpf_prog_load(BPF_PROG_TYPE_XDP, "token_prog", "GPL",
701 				insns, insn_cnt, &prog_opts);
702 	if (!ASSERT_EQ(prog_fd, -EPERM, "prog_fd_eperm")) {
703 		err = -EPERM;
704 		goto cleanup;
705 	}
706 
707 	err = 0;
708 cleanup:
709 	zclose(prog_fd);
710 	zclose(token_fd);
711 	return err;
712 }
713 
714 static int userns_obj_priv_map(int mnt_fd, struct token_lsm *lsm_skel)
715 {
716 	LIBBPF_OPTS(bpf_object_open_opts, opts);
717 	char buf[256];
718 	struct priv_map *skel;
719 	int err;
720 
721 	skel = priv_map__open_and_load();
722 	if (!ASSERT_ERR_PTR(skel, "obj_tokenless_load")) {
723 		priv_map__destroy(skel);
724 		return -EINVAL;
725 	}
726 
727 	/* use bpf_token_path to provide BPF FS path */
728 	snprintf(buf, sizeof(buf), "/proc/self/fd/%d", mnt_fd);
729 	opts.bpf_token_path = buf;
730 	skel = priv_map__open_opts(&opts);
731 	if (!ASSERT_OK_PTR(skel, "obj_token_path_open"))
732 		return -EINVAL;
733 
734 	err = priv_map__load(skel);
735 	priv_map__destroy(skel);
736 	if (!ASSERT_OK(err, "obj_token_path_load"))
737 		return -EINVAL;
738 
739 	return 0;
740 }
741 
742 static int userns_obj_priv_prog(int mnt_fd, struct token_lsm *lsm_skel)
743 {
744 	LIBBPF_OPTS(bpf_object_open_opts, opts);
745 	char buf[256];
746 	struct priv_prog *skel;
747 	int err;
748 
749 	skel = priv_prog__open_and_load();
750 	if (!ASSERT_ERR_PTR(skel, "obj_tokenless_load")) {
751 		priv_prog__destroy(skel);
752 		return -EINVAL;
753 	}
754 
755 	/* use bpf_token_path to provide BPF FS path */
756 	snprintf(buf, sizeof(buf), "/proc/self/fd/%d", mnt_fd);
757 	opts.bpf_token_path = buf;
758 	skel = priv_prog__open_opts(&opts);
759 	if (!ASSERT_OK_PTR(skel, "obj_token_path_open"))
760 		return -EINVAL;
761 	err = priv_prog__load(skel);
762 	priv_prog__destroy(skel);
763 	if (!ASSERT_OK(err, "obj_token_path_load"))
764 		return -EINVAL;
765 
766 	/* provide BPF token, but reject bpf_token_capable() with LSM */
767 	lsm_skel->bss->reject_capable = true;
768 	lsm_skel->bss->reject_cmd = false;
769 	skel = priv_prog__open_opts(&opts);
770 	if (!ASSERT_OK_PTR(skel, "obj_token_lsm_reject_cap_open"))
771 		return -EINVAL;
772 	err = priv_prog__load(skel);
773 	priv_prog__destroy(skel);
774 	if (!ASSERT_ERR(err, "obj_token_lsm_reject_cap_load"))
775 		return -EINVAL;
776 
777 	/* provide BPF token, but reject bpf_token_cmd() with LSM */
778 	lsm_skel->bss->reject_capable = false;
779 	lsm_skel->bss->reject_cmd = true;
780 	skel = priv_prog__open_opts(&opts);
781 	if (!ASSERT_OK_PTR(skel, "obj_token_lsm_reject_cmd_open"))
782 		return -EINVAL;
783 	err = priv_prog__load(skel);
784 	priv_prog__destroy(skel);
785 	if (!ASSERT_ERR(err, "obj_token_lsm_reject_cmd_load"))
786 		return -EINVAL;
787 
788 	return 0;
789 }
790 
791 /* this test is called with BPF FS that doesn't delegate BPF_BTF_LOAD command,
792  * which should cause struct_ops application to fail, as BTF won't be uploaded
793  * into the kernel, even if STRUCT_OPS programs themselves are allowed
794  */
795 static int validate_struct_ops_load(int mnt_fd, bool expect_success)
796 {
797 	LIBBPF_OPTS(bpf_object_open_opts, opts);
798 	char buf[256];
799 	struct dummy_st_ops_success *skel;
800 	int err;
801 
802 	snprintf(buf, sizeof(buf), "/proc/self/fd/%d", mnt_fd);
803 	opts.bpf_token_path = buf;
804 	skel = dummy_st_ops_success__open_opts(&opts);
805 	if (!ASSERT_OK_PTR(skel, "obj_token_path_open"))
806 		return -EINVAL;
807 
808 	err = dummy_st_ops_success__load(skel);
809 	dummy_st_ops_success__destroy(skel);
810 	if (expect_success) {
811 		if (!ASSERT_OK(err, "obj_token_path_load"))
812 			return -EINVAL;
813 	} else /* expect failure */ {
814 		if (!ASSERT_ERR(err, "obj_token_path_load"))
815 			return -EINVAL;
816 	}
817 
818 	return 0;
819 }
820 
821 static int userns_obj_priv_btf_fail(int mnt_fd, struct token_lsm *lsm_skel)
822 {
823 	return validate_struct_ops_load(mnt_fd, false /* should fail */);
824 }
825 
826 static int userns_obj_priv_btf_success(int mnt_fd, struct token_lsm *lsm_skel)
827 {
828 	return validate_struct_ops_load(mnt_fd, true /* should succeed */);
829 }
830 
831 #define TOKEN_ENVVAR "LIBBPF_BPF_TOKEN_PATH"
832 #define TOKEN_BPFFS_CUSTOM "/bpf-token-fs"
833 
834 static int userns_obj_priv_implicit_token(int mnt_fd, struct token_lsm *lsm_skel)
835 {
836 	LIBBPF_OPTS(bpf_object_open_opts, opts);
837 	struct dummy_st_ops_success *skel;
838 	int err;
839 
840 	/* before we mount BPF FS with token delegation, struct_ops skeleton
841 	 * should fail to load
842 	 */
843 	skel = dummy_st_ops_success__open_and_load();
844 	if (!ASSERT_ERR_PTR(skel, "obj_tokenless_load")) {
845 		dummy_st_ops_success__destroy(skel);
846 		return -EINVAL;
847 	}
848 
849 	/* mount custom BPF FS over /sys/fs/bpf so that libbpf can create BPF
850 	 * token automatically and implicitly
851 	 */
852 	err = sys_move_mount(mnt_fd, "", AT_FDCWD, "/sys/fs/bpf", MOVE_MOUNT_F_EMPTY_PATH);
853 	if (!ASSERT_OK(err, "move_mount_bpffs"))
854 		return -EINVAL;
855 
856 	/* disable implicit BPF token creation by setting
857 	 * LIBBPF_BPF_TOKEN_PATH envvar to empty value, load should fail
858 	 */
859 	err = setenv(TOKEN_ENVVAR, "", 1 /*overwrite*/);
860 	if (!ASSERT_OK(err, "setenv_token_path"))
861 		return -EINVAL;
862 	skel = dummy_st_ops_success__open_and_load();
863 	if (!ASSERT_ERR_PTR(skel, "obj_token_envvar_disabled_load")) {
864 		unsetenv(TOKEN_ENVVAR);
865 		dummy_st_ops_success__destroy(skel);
866 		return -EINVAL;
867 	}
868 	unsetenv(TOKEN_ENVVAR);
869 
870 	/* now the same struct_ops skeleton should succeed thanks to libbpf
871 	 * creating BPF token from /sys/fs/bpf mount point
872 	 */
873 	skel = dummy_st_ops_success__open_and_load();
874 	if (!ASSERT_OK_PTR(skel, "obj_implicit_token_load"))
875 		return -EINVAL;
876 
877 	dummy_st_ops_success__destroy(skel);
878 
879 	/* now disable implicit token through empty bpf_token_path, should fail */
880 	opts.bpf_token_path = "";
881 	skel = dummy_st_ops_success__open_opts(&opts);
882 	if (!ASSERT_OK_PTR(skel, "obj_empty_token_path_open"))
883 		return -EINVAL;
884 
885 	err = dummy_st_ops_success__load(skel);
886 	dummy_st_ops_success__destroy(skel);
887 	if (!ASSERT_ERR(err, "obj_empty_token_path_load"))
888 		return -EINVAL;
889 
890 	return 0;
891 }
892 
893 static int userns_obj_priv_implicit_token_envvar(int mnt_fd, struct token_lsm *lsm_skel)
894 {
895 	LIBBPF_OPTS(bpf_object_open_opts, opts);
896 	struct dummy_st_ops_success *skel;
897 	int err;
898 
899 	/* before we mount BPF FS with token delegation, struct_ops skeleton
900 	 * should fail to load
901 	 */
902 	skel = dummy_st_ops_success__open_and_load();
903 	if (!ASSERT_ERR_PTR(skel, "obj_tokenless_load")) {
904 		dummy_st_ops_success__destroy(skel);
905 		return -EINVAL;
906 	}
907 
908 	/* mount custom BPF FS over custom location, so libbpf can't create
909 	 * BPF token implicitly, unless pointed to it through
910 	 * LIBBPF_BPF_TOKEN_PATH envvar
911 	 */
912 	rmdir(TOKEN_BPFFS_CUSTOM);
913 	if (!ASSERT_OK(mkdir(TOKEN_BPFFS_CUSTOM, 0777), "mkdir_bpffs_custom"))
914 		goto err_out;
915 	err = sys_move_mount(mnt_fd, "", AT_FDCWD, TOKEN_BPFFS_CUSTOM, MOVE_MOUNT_F_EMPTY_PATH);
916 	if (!ASSERT_OK(err, "move_mount_bpffs"))
917 		goto err_out;
918 
919 	/* even though we have BPF FS with delegation, it's not at default
920 	 * /sys/fs/bpf location, so we still fail to load until envvar is set up
921 	 */
922 	skel = dummy_st_ops_success__open_and_load();
923 	if (!ASSERT_ERR_PTR(skel, "obj_tokenless_load2")) {
924 		dummy_st_ops_success__destroy(skel);
925 		goto err_out;
926 	}
927 
928 	err = setenv(TOKEN_ENVVAR, TOKEN_BPFFS_CUSTOM, 1 /*overwrite*/);
929 	if (!ASSERT_OK(err, "setenv_token_path"))
930 		goto err_out;
931 
932 	/* now the same struct_ops skeleton should succeed thanks to libbpf
933 	 * creating BPF token from custom mount point
934 	 */
935 	skel = dummy_st_ops_success__open_and_load();
936 	if (!ASSERT_OK_PTR(skel, "obj_implicit_token_load"))
937 		goto err_out;
938 
939 	dummy_st_ops_success__destroy(skel);
940 
941 	/* now disable implicit token through empty bpf_token_path, envvar
942 	 * will be ignored, should fail
943 	 */
944 	opts.bpf_token_path = "";
945 	skel = dummy_st_ops_success__open_opts(&opts);
946 	if (!ASSERT_OK_PTR(skel, "obj_empty_token_path_open"))
947 		goto err_out;
948 
949 	err = dummy_st_ops_success__load(skel);
950 	dummy_st_ops_success__destroy(skel);
951 	if (!ASSERT_ERR(err, "obj_empty_token_path_load"))
952 		goto err_out;
953 
954 	rmdir(TOKEN_BPFFS_CUSTOM);
955 	unsetenv(TOKEN_ENVVAR);
956 	return 0;
957 err_out:
958 	rmdir(TOKEN_BPFFS_CUSTOM);
959 	unsetenv(TOKEN_ENVVAR);
960 	return -EINVAL;
961 }
962 
963 #define bit(n) (1ULL << (n))
964 
965 void test_token(void)
966 {
967 	if (test__start_subtest("map_token")) {
968 		struct bpffs_opts opts = {
969 			.cmds_str = "map_create",
970 			.maps_str = "stack",
971 		};
972 
973 		subtest_userns(&opts, userns_map_create);
974 	}
975 	if (test__start_subtest("btf_token")) {
976 		struct bpffs_opts opts = {
977 			.cmds = 1ULL << BPF_BTF_LOAD,
978 		};
979 
980 		subtest_userns(&opts, userns_btf_load);
981 	}
982 	if (test__start_subtest("prog_token")) {
983 		struct bpffs_opts opts = {
984 			.cmds_str = "PROG_LOAD",
985 			.progs_str = "XDP",
986 			.attachs_str = "xdp",
987 		};
988 
989 		subtest_userns(&opts, userns_prog_load);
990 	}
991 	if (test__start_subtest("obj_priv_map")) {
992 		struct bpffs_opts opts = {
993 			.cmds = bit(BPF_MAP_CREATE),
994 			.maps = bit(BPF_MAP_TYPE_QUEUE),
995 		};
996 
997 		subtest_userns(&opts, userns_obj_priv_map);
998 	}
999 	if (test__start_subtest("obj_priv_prog")) {
1000 		struct bpffs_opts opts = {
1001 			.cmds = bit(BPF_PROG_LOAD),
1002 			.progs = bit(BPF_PROG_TYPE_KPROBE),
1003 			.attachs = ~0ULL,
1004 		};
1005 
1006 		subtest_userns(&opts, userns_obj_priv_prog);
1007 	}
1008 	if (test__start_subtest("obj_priv_btf_fail")) {
1009 		struct bpffs_opts opts = {
1010 			/* disallow BTF loading */
1011 			.cmds = bit(BPF_MAP_CREATE) | bit(BPF_PROG_LOAD),
1012 			.maps = bit(BPF_MAP_TYPE_STRUCT_OPS),
1013 			.progs = bit(BPF_PROG_TYPE_STRUCT_OPS),
1014 			.attachs = ~0ULL,
1015 		};
1016 
1017 		subtest_userns(&opts, userns_obj_priv_btf_fail);
1018 	}
1019 	if (test__start_subtest("obj_priv_btf_success")) {
1020 		struct bpffs_opts opts = {
1021 			/* allow BTF loading */
1022 			.cmds = bit(BPF_BTF_LOAD) | bit(BPF_MAP_CREATE) | bit(BPF_PROG_LOAD),
1023 			.maps = bit(BPF_MAP_TYPE_STRUCT_OPS),
1024 			.progs = bit(BPF_PROG_TYPE_STRUCT_OPS),
1025 			.attachs = ~0ULL,
1026 		};
1027 
1028 		subtest_userns(&opts, userns_obj_priv_btf_success);
1029 	}
1030 	if (test__start_subtest("obj_priv_implicit_token")) {
1031 		struct bpffs_opts opts = {
1032 			/* allow BTF loading */
1033 			.cmds = bit(BPF_BTF_LOAD) | bit(BPF_MAP_CREATE) | bit(BPF_PROG_LOAD),
1034 			.maps = bit(BPF_MAP_TYPE_STRUCT_OPS),
1035 			.progs = bit(BPF_PROG_TYPE_STRUCT_OPS),
1036 			.attachs = ~0ULL,
1037 		};
1038 
1039 		subtest_userns(&opts, userns_obj_priv_implicit_token);
1040 	}
1041 	if (test__start_subtest("obj_priv_implicit_token_envvar")) {
1042 		struct bpffs_opts opts = {
1043 			/* allow BTF loading */
1044 			.cmds = bit(BPF_BTF_LOAD) | bit(BPF_MAP_CREATE) | bit(BPF_PROG_LOAD),
1045 			.maps = bit(BPF_MAP_TYPE_STRUCT_OPS),
1046 			.progs = bit(BPF_PROG_TYPE_STRUCT_OPS),
1047 			.attachs = ~0ULL,
1048 		};
1049 
1050 		subtest_userns(&opts, userns_obj_priv_implicit_token_envvar);
1051 	}
1052 }
1053