// SPDX-License-Identifier: GPL-2.0 #include #include #include "cap_helpers.h" #include "test_tc_bpf.skel.h" #define LO_IFINDEX 1 #define TEST_DECLARE_OPTS(__fd) \ DECLARE_LIBBPF_OPTS(bpf_tc_opts, opts_h, .handle = 1); \ DECLARE_LIBBPF_OPTS(bpf_tc_opts, opts_p, .priority = 1); \ DECLARE_LIBBPF_OPTS(bpf_tc_opts, opts_f, .prog_fd = __fd); \ DECLARE_LIBBPF_OPTS(bpf_tc_opts, opts_hp, .handle = 1, .priority = 1); \ DECLARE_LIBBPF_OPTS(bpf_tc_opts, opts_hf, .handle = 1, .prog_fd = __fd); \ DECLARE_LIBBPF_OPTS(bpf_tc_opts, opts_pf, .priority = 1, .prog_fd = __fd); \ DECLARE_LIBBPF_OPTS(bpf_tc_opts, opts_hpf, .handle = 1, .priority = 1, .prog_fd = __fd); \ DECLARE_LIBBPF_OPTS(bpf_tc_opts, opts_hpi, .handle = 1, .priority = 1, .prog_id = 42); \ DECLARE_LIBBPF_OPTS(bpf_tc_opts, opts_hpr, .handle = 1, .priority = 1, \ .flags = BPF_TC_F_REPLACE); \ DECLARE_LIBBPF_OPTS(bpf_tc_opts, opts_hpfi, .handle = 1, .priority = 1, .prog_fd = __fd, \ .prog_id = 42); \ DECLARE_LIBBPF_OPTS(bpf_tc_opts, opts_prio_max, .handle = 1, .priority = UINT16_MAX + 1); static int test_tc_bpf_basic(const struct bpf_tc_hook *hook, int fd) { DECLARE_LIBBPF_OPTS(bpf_tc_opts, opts, .handle = 1, .priority = 1, .prog_fd = fd); struct bpf_prog_info info = {}; __u32 info_len = sizeof(info); int ret; ret = bpf_prog_get_info_by_fd(fd, &info, &info_len); if (!ASSERT_OK(ret, "bpf_prog_get_info_by_fd")) return ret; ret = bpf_tc_attach(hook, &opts); if (!ASSERT_OK(ret, "bpf_tc_attach")) return ret; if (!ASSERT_EQ(opts.handle, 1, "handle set") || !ASSERT_EQ(opts.priority, 1, "priority set") || !ASSERT_EQ(opts.prog_id, info.id, "prog_id set")) goto end; opts.prog_id = 0; opts.flags = BPF_TC_F_REPLACE; ret = bpf_tc_attach(hook, &opts); if (!ASSERT_OK(ret, "bpf_tc_attach replace mode")) goto end; opts.flags = opts.prog_fd = opts.prog_id = 0; ret = bpf_tc_query(hook, &opts); if (!ASSERT_OK(ret, "bpf_tc_query")) goto end; if (!ASSERT_EQ(opts.handle, 1, "handle set") || !ASSERT_EQ(opts.priority, 1, "priority set") || !ASSERT_EQ(opts.prog_id, info.id, "prog_id set")) goto end; end: opts.flags = opts.prog_fd = opts.prog_id = 0; ret = bpf_tc_detach(hook, &opts); ASSERT_OK(ret, "bpf_tc_detach"); return ret; } static int test_tc_bpf_api(struct bpf_tc_hook *hook, int fd) { DECLARE_LIBBPF_OPTS(bpf_tc_opts, attach_opts, .handle = 1, .priority = 1, .prog_fd = fd); DECLARE_LIBBPF_OPTS(bpf_tc_hook, inv_hook, .attach_point = BPF_TC_INGRESS); DECLARE_LIBBPF_OPTS(bpf_tc_opts, opts, .handle = 1, .priority = 1); int ret; ret = bpf_tc_hook_create(NULL); if (!ASSERT_EQ(ret, -EINVAL, "bpf_tc_hook_create invalid hook = NULL")) return -EINVAL; /* hook ifindex = 0 */ ret = bpf_tc_hook_create(&inv_hook); if (!ASSERT_EQ(ret, -EINVAL, "bpf_tc_hook_create invalid hook ifindex == 0")) return -EINVAL; ret = bpf_tc_hook_destroy(&inv_hook); if (!ASSERT_EQ(ret, -EINVAL, "bpf_tc_hook_destroy invalid hook ifindex == 0")) return -EINVAL; ret = bpf_tc_attach(&inv_hook, &attach_opts); if (!ASSERT_EQ(ret, -EINVAL, "bpf_tc_attach invalid hook ifindex == 0")) return -EINVAL; attach_opts.prog_id = 0; ret = bpf_tc_detach(&inv_hook, &opts); if (!ASSERT_EQ(ret, -EINVAL, "bpf_tc_detach invalid hook ifindex == 0")) return -EINVAL; ret = bpf_tc_query(&inv_hook, &opts); if (!ASSERT_EQ(ret, -EINVAL, "bpf_tc_query invalid hook ifindex == 0")) return -EINVAL; /* hook ifindex < 0 */ inv_hook.ifindex = -1; ret = bpf_tc_hook_create(&inv_hook); if (!ASSERT_EQ(ret, -EINVAL, "bpf_tc_hook_create invalid hook ifindex < 0")) return -EINVAL; ret = bpf_tc_hook_destroy(&inv_hook); if (!ASSERT_EQ(ret, -EINVAL, "bpf_tc_hook_destroy invalid hook ifindex < 0")) return -EINVAL; ret = bpf_tc_attach(&inv_hook, &attach_opts); if (!ASSERT_EQ(ret, -EINVAL, "bpf_tc_attach invalid hook ifindex < 0")) return -EINVAL; attach_opts.prog_id = 0; ret = bpf_tc_detach(&inv_hook, &opts); if (!ASSERT_EQ(ret, -EINVAL, "bpf_tc_detach invalid hook ifindex < 0")) return -EINVAL; ret = bpf_tc_query(&inv_hook, &opts); if (!ASSERT_EQ(ret, -EINVAL, "bpf_tc_query invalid hook ifindex < 0")) return -EINVAL; inv_hook.ifindex = LO_IFINDEX; /* hook.attach_point invalid */ inv_hook.attach_point = 0xabcd; ret = bpf_tc_hook_create(&inv_hook); if (!ASSERT_EQ(ret, -EINVAL, "bpf_tc_hook_create invalid hook.attach_point")) return -EINVAL; ret = bpf_tc_hook_destroy(&inv_hook); if (!ASSERT_EQ(ret, -EINVAL, "bpf_tc_hook_destroy invalid hook.attach_point")) return -EINVAL; ret = bpf_tc_attach(&inv_hook, &attach_opts); if (!ASSERT_EQ(ret, -EINVAL, "bpf_tc_attach invalid hook.attach_point")) return -EINVAL; ret = bpf_tc_detach(&inv_hook, &opts); if (!ASSERT_EQ(ret, -EINVAL, "bpf_tc_detach invalid hook.attach_point")) return -EINVAL; ret = bpf_tc_query(&inv_hook, &opts); if (!ASSERT_EQ(ret, -EINVAL, "bpf_tc_query invalid hook.attach_point")) return -EINVAL; inv_hook.attach_point = BPF_TC_INGRESS; /* hook.attach_point valid, but parent invalid */ inv_hook.parent = TC_H_MAKE(1UL << 16, 10); ret = bpf_tc_hook_create(&inv_hook); if (!ASSERT_EQ(ret, -EINVAL, "bpf_tc_hook_create invalid hook parent")) return -EINVAL; ret = bpf_tc_hook_destroy(&inv_hook); if (!ASSERT_EQ(ret, -EINVAL, "bpf_tc_hook_destroy invalid hook parent")) return -EINVAL; ret = bpf_tc_attach(&inv_hook, &attach_opts); if (!ASSERT_EQ(ret, -EINVAL, "bpf_tc_attach invalid hook parent")) return -EINVAL; ret = bpf_tc_detach(&inv_hook, &opts); if (!ASSERT_EQ(ret, -EINVAL, "bpf_tc_detach invalid hook parent")) return -EINVAL; ret = bpf_tc_query(&inv_hook, &opts); if (!ASSERT_EQ(ret, -EINVAL, "bpf_tc_query invalid hook parent")) return -EINVAL; inv_hook.attach_point = BPF_TC_CUSTOM; inv_hook.parent = 0; /* These return EOPNOTSUPP instead of EINVAL as parent is checked after * attach_point of the hook. */ ret = bpf_tc_hook_create(&inv_hook); if (!ASSERT_EQ(ret, -EOPNOTSUPP, "bpf_tc_hook_create invalid hook parent")) return -EINVAL; ret = bpf_tc_hook_destroy(&inv_hook); if (!ASSERT_EQ(ret, -EOPNOTSUPP, "bpf_tc_hook_destroy invalid hook parent")) return -EINVAL; ret = bpf_tc_attach(&inv_hook, &attach_opts); if (!ASSERT_EQ(ret, -EINVAL, "bpf_tc_attach invalid hook parent")) return -EINVAL; ret = bpf_tc_detach(&inv_hook, &opts); if (!ASSERT_EQ(ret, -EINVAL, "bpf_tc_detach invalid hook parent")) return -EINVAL; ret = bpf_tc_query(&inv_hook, &opts); if (!ASSERT_EQ(ret, -EINVAL, "bpf_tc_query invalid hook parent")) return -EINVAL; inv_hook.attach_point = BPF_TC_INGRESS; /* detach */ { TEST_DECLARE_OPTS(fd); ret = bpf_tc_detach(NULL, &opts_hp); if (!ASSERT_EQ(ret, -EINVAL, "bpf_tc_detach invalid hook = NULL")) return -EINVAL; ret = bpf_tc_detach(hook, NULL); if (!ASSERT_EQ(ret, -EINVAL, "bpf_tc_detach invalid opts = NULL")) return -EINVAL; ret = bpf_tc_detach(hook, &opts_hpr); if (!ASSERT_EQ(ret, -EINVAL, "bpf_tc_detach invalid flags set")) return -EINVAL; ret = bpf_tc_detach(hook, &opts_hpf); if (!ASSERT_EQ(ret, -EINVAL, "bpf_tc_detach invalid prog_fd set")) return -EINVAL; ret = bpf_tc_detach(hook, &opts_hpi); if (!ASSERT_EQ(ret, -EINVAL, "bpf_tc_detach invalid prog_id set")) return -EINVAL; ret = bpf_tc_detach(hook, &opts_p); if (!ASSERT_EQ(ret, -EINVAL, "bpf_tc_detach invalid handle unset")) return -EINVAL; ret = bpf_tc_detach(hook, &opts_h); if (!ASSERT_EQ(ret, -EINVAL, "bpf_tc_detach invalid priority unset")) return -EINVAL; ret = bpf_tc_detach(hook, &opts_prio_max); if (!ASSERT_EQ(ret, -EINVAL, "bpf_tc_detach invalid priority > UINT16_MAX")) return -EINVAL; } /* query */ { TEST_DECLARE_OPTS(fd); ret = bpf_tc_query(NULL, &opts); if (!ASSERT_EQ(ret, -EINVAL, "bpf_tc_query invalid hook = NULL")) return -EINVAL; ret = bpf_tc_query(hook, NULL); if (!ASSERT_EQ(ret, -EINVAL, "bpf_tc_query invalid opts = NULL")) return -EINVAL; ret = bpf_tc_query(hook, &opts_hpr); if (!ASSERT_EQ(ret, -EINVAL, "bpf_tc_query invalid flags set")) return -EINVAL; ret = bpf_tc_query(hook, &opts_hpf); if (!ASSERT_EQ(ret, -EINVAL, "bpf_tc_query invalid prog_fd set")) return -EINVAL; ret = bpf_tc_query(hook, &opts_hpi); if (!ASSERT_EQ(ret, -EINVAL, "bpf_tc_query invalid prog_id set")) return -EINVAL; ret = bpf_tc_query(hook, &opts_p); if (!ASSERT_EQ(ret, -EINVAL, "bpf_tc_query invalid handle unset")) return -EINVAL; ret = bpf_tc_query(hook, &opts_h); if (!ASSERT_EQ(ret, -EINVAL, "bpf_tc_query invalid priority unset")) return -EINVAL; ret = bpf_tc_query(hook, &opts_prio_max); if (!ASSERT_EQ(ret, -EINVAL, "bpf_tc_query invalid priority > UINT16_MAX")) return -EINVAL; /* when chain is not present, kernel returns -EINVAL */ ret = bpf_tc_query(hook, &opts_hp); if (!ASSERT_EQ(ret, -EINVAL, "bpf_tc_query valid handle, priority set")) return -EINVAL; } /* attach */ { TEST_DECLARE_OPTS(fd); ret = bpf_tc_attach(NULL, &opts_hp); if (!ASSERT_EQ(ret, -EINVAL, "bpf_tc_attach invalid hook = NULL")) return -EINVAL; ret = bpf_tc_attach(hook, NULL); if (!ASSERT_EQ(ret, -EINVAL, "bpf_tc_attach invalid opts = NULL")) return -EINVAL; opts_hp.flags = 42; ret = bpf_tc_attach(hook, &opts_hp); if (!ASSERT_EQ(ret, -EINVAL, "bpf_tc_attach invalid flags")) return -EINVAL; ret = bpf_tc_attach(hook, NULL); if (!ASSERT_EQ(ret, -EINVAL, "bpf_tc_attach invalid prog_fd unset")) return -EINVAL; ret = bpf_tc_attach(hook, &opts_hpi); if (!ASSERT_EQ(ret, -EINVAL, "bpf_tc_attach invalid prog_id set")) return -EINVAL; ret = bpf_tc_attach(hook, &opts_pf); if (!ASSERT_OK(ret, "bpf_tc_attach valid handle unset")) return -EINVAL; opts_pf.prog_fd = opts_pf.prog_id = 0; ASSERT_OK(bpf_tc_detach(hook, &opts_pf), "bpf_tc_detach"); ret = bpf_tc_attach(hook, &opts_hf); if (!ASSERT_OK(ret, "bpf_tc_attach valid priority unset")) return -EINVAL; opts_hf.prog_fd = opts_hf.prog_id = 0; ASSERT_OK(bpf_tc_detach(hook, &opts_hf), "bpf_tc_detach"); ret = bpf_tc_attach(hook, &opts_prio_max); if (!ASSERT_EQ(ret, -EINVAL, "bpf_tc_attach invalid priority > UINT16_MAX")) return -EINVAL; ret = bpf_tc_attach(hook, &opts_f); if (!ASSERT_OK(ret, "bpf_tc_attach valid both handle and priority unset")) return -EINVAL; opts_f.prog_fd = opts_f.prog_id = 0; ASSERT_OK(bpf_tc_detach(hook, &opts_f), "bpf_tc_detach"); } return 0; } void tc_bpf_root(void) { DECLARE_LIBBPF_OPTS(bpf_tc_hook, hook, .ifindex = LO_IFINDEX, .attach_point = BPF_TC_INGRESS); struct test_tc_bpf *skel = NULL; bool hook_created = false; int cls_fd, ret; skel = test_tc_bpf__open_and_load(); if (!ASSERT_OK_PTR(skel, "test_tc_bpf__open_and_load")) return; cls_fd = bpf_program__fd(skel->progs.cls); ret = bpf_tc_hook_create(&hook); if (ret == 0) hook_created = true; ret = ret == -EEXIST ? 0 : ret; if (!ASSERT_OK(ret, "bpf_tc_hook_create(BPF_TC_INGRESS)")) goto end; hook.attach_point = BPF_TC_CUSTOM; hook.parent = TC_H_MAKE(TC_H_CLSACT, TC_H_MIN_INGRESS); ret = bpf_tc_hook_create(&hook); if (!ASSERT_EQ(ret, -EOPNOTSUPP, "bpf_tc_hook_create invalid hook.attach_point")) goto end; ret = test_tc_bpf_basic(&hook, cls_fd); if (!ASSERT_OK(ret, "test_tc_internal ingress")) goto end; ret = bpf_tc_hook_destroy(&hook); if (!ASSERT_EQ(ret, -EOPNOTSUPP, "bpf_tc_hook_destroy invalid hook.attach_point")) goto end; hook.attach_point = BPF_TC_INGRESS; hook.parent = 0; bpf_tc_hook_destroy(&hook); ret = test_tc_bpf_basic(&hook, cls_fd); if (!ASSERT_OK(ret, "test_tc_internal ingress")) goto end; bpf_tc_hook_destroy(&hook); hook.attach_point = BPF_TC_EGRESS; ret = test_tc_bpf_basic(&hook, cls_fd); if (!ASSERT_OK(ret, "test_tc_internal egress")) goto end; bpf_tc_hook_destroy(&hook); ret = test_tc_bpf_api(&hook, cls_fd); if (!ASSERT_OK(ret, "test_tc_bpf_api")) goto end; bpf_tc_hook_destroy(&hook); end: if (hook_created) { hook.attach_point = BPF_TC_INGRESS | BPF_TC_EGRESS; bpf_tc_hook_destroy(&hook); } test_tc_bpf__destroy(skel); } void tc_bpf_non_root(void) { struct test_tc_bpf *skel = NULL; __u64 caps = 0; int ret; /* In case CAP_BPF and CAP_PERFMON is not set */ ret = cap_enable_effective(1ULL << CAP_BPF | 1ULL << CAP_NET_ADMIN, &caps); if (!ASSERT_OK(ret, "set_cap_bpf_cap_net_admin")) return; ret = cap_disable_effective(1ULL << CAP_SYS_ADMIN | 1ULL << CAP_PERFMON, NULL); if (!ASSERT_OK(ret, "disable_cap_sys_admin")) goto restore_cap; skel = test_tc_bpf__open_and_load(); if (!ASSERT_OK_PTR(skel, "test_tc_bpf__open_and_load")) goto restore_cap; test_tc_bpf__destroy(skel); restore_cap: if (caps) cap_enable_effective(caps, NULL); } void test_tc_bpf(void) { if (test__start_subtest("tc_bpf_root")) tc_bpf_root(); if (test__start_subtest("tc_bpf_non_root")) tc_bpf_non_root(); }