From: Blaise Boscaccy
To: Blaise Boscaccy, Jonathan Corbet, Paul Moore, James Morris, "Serge E. Hallyn", Mickaël Salaün, Günther Noack, "Dr. David Alan Gilbert", Andrew Morton, James.Bottomley@HansenPartnership.com, dhowells@redhat.com, linux-security-module@vger.kernel.org, linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org, bpf@vger.kernel.org
Subject: [RFC 11/11] selftests/hornet: Add a selftest for the Hornet LSM
Date: Wed, 10 Dec 2025 18:12:06 -0800
Message-ID: <20251211021257.1208712-12-bboscaccy@linux.microsoft.com>
In-Reply-To: <20251211021257.1208712-1-bboscaccy@linux.microsoft.com>

This selftest contains a testcase that utilizes light skeleton eBPF loaders and exercises hornet's map validation.

Signed-off-by: Blaise Boscaccy
---
 tools/testing/selftests/Makefile | 1 +
 tools/testing/selftests/hornet/Makefile | 63 ++++++++++++++++++++
 tools/testing/selftests/hornet/loader.c | 21 +++++++
 tools/testing/selftests/hornet/trivial.bpf.c | 33 ++++++++++
 4 files changed, 118 insertions(+)
 create mode 100644 tools/testing/selftests/hornet/Makefile
 create mode 100644 tools/testing/selftests/hornet/loader.c
 create mode 100644 tools/testing/selftests/hornet/trivial.bpf.c

diff --git a/tools/testing/selftests/Makefile b/tools/testing/selftests/Mak= efile index c46ebdb9b8ef7..4631893f0e91e 100644 --- a/tools/testing/selftests/Makefile 
+++ b/tools/testing/selftests/Makefile @@ -43,6 +43,7 @@ TARGETS +=3D ftrace TARGETS +=3D futex TARGETS +=3D gpio TARGETS +=3D hid +TARGETS +=3D hornet TARGETS +=3D intel_pstate TARGETS +=3D iommu TARGETS +=3D ipc diff --git a/tools/testing/selftests/hornet/Makefile b/tools/testing/selfte= sts/hornet/Makefile new file mode 100644 index 0000000000000..ccb4d503425d2 --- /dev/null +++ b/tools/testing/selftests/hornet/Makefile 
@@ -0,0 +1,63 @@ +# SPDX-License-Identifier: GPL-2.0 +include ../../../build/Build.include +include ../../../scripts/Makefile.arch +include ../../../scripts/Makefile.include + +CLANG ?=3D clang +CFLAGS :=3D -g -O2 -Wall +BPFTOOL ?=3D $(TOOLSDIR)/bpf/bpftool/bpftool +SCRIPTSDIR :=3D $(abspath ../../../../scripts/hornet) +TOOLSDIR :=3D $(abspath ../../..) +LIBDIR :=3D $(TOOLSDIR)/lib +BPFDIR :=3D $(LIBDIR)/bpf +TOOLSINCDIR :=3D $(TOOLSDIR)/include +APIDIR :=3D $(TOOLSINCDIR)/uapi +CERTDIR :=3D $(abspath ../../../../certs) +PKG_CONFIG ?=3D $(CROSS_COMPILE)pkg-config + +TEST_GEN_PROGS :=3D loader +TEST_GEN_FILES :=3D vmlinux.h loader.h trivial.bpf.o map.bin sig.bin insn.= bin signed_loader.h +$(TEST_GEN_PROGS): LDLIBS +=3D -lbpf +$(TEST_GEN_PROGS): $(TEST_GEN_FILES) + +include ../lib.mk + +BPF_CFLAGS :=3D -target bpf \ + -D__TARGET_ARCH_$(ARCH) \ + -I/usr/include/$(shell uname -m)-linux-gnu \ + $(KHDR_INCLUDES) + +vmlinux.h: + $(BPFTOOL) btf dump file /sys/kernel/btf/vmlinux format c > vmlinux.h + +trivial.bpf.o: trivial.bpf.c vmlinux.h + $(CLANG) $(CFLAGS) $(BPF_CFLAGS) -c $< -o $@ + +loader.h: trivial.bpf.o + $(BPFTOOL) gen skeleton -S -k $(CERTDIR)/signing_key.pem -i $(CERTDIR)/si= gning_key.x509 \ + -L $< name trivial > $@ + +insn.bin: loader.h + $(SCRIPTSDIR)/extract-insn.sh $< > $@ + +map.bin: loader.h + $(SCRIPTSDIR)/extract-map.sh $< > $@ + +$(OUTPUT)/gen_sig: ../../../../scripts/hornet/gen_sig.c + $(call msg,GEN_SIG,,$@) + $(Q)$(CC) $(shell $(PKG_CONFIG) --cflags libcrypto 2> /dev/null) \ + $< -o $@ \ + $(shell $(PKG_CONFIG) --libs libcrypto 2> /dev/null || echo -lcrypto) + +sig.bin: insn.bin map.bin $(OUTPUT)/gen_sig + $(OUTPUT)/gen_sig -key $(CERTDIR)/signing_key.pem -cert $(CERTDIR)/signin= g_key.x509 \ + -data insn.bin --add-hash map.bin -out sig.bin + +signed_loader.h: sig.bin + $(SCRIPTSDIR)/write-sig.sh loader.h sig.bin > $@ + +loader: loader.c signed_loader.h + $(CC) $(CFLAGS) -I$(LIBDIR) -I$(APIDIR) $< -o $@ -lbpf + + +EXTRA_CLEAN =3D 
$(OUTPUT)/gen_sig diff --git a/tools/testing/selftests/hornet/loader.c b/tools/testing/selfte= sts/hornet/loader.c new file mode 100644 index 0000000000000..f27580c7262b3 --- /dev/null +++ b/tools/testing/selftests/hornet/loader.c @@ -0,0 +1,21 @@ +// SPDX-License-Identifier: GPL-2.0 OR BSD-3-Clause + +#include +#include +#include +#include +#include +#include +#include "signed_loader.h" + +int main(int argc, char **argv) +{ + struct trivial *skel; + + skel =3D trivial__open_and_load(); + if (!skel) + return -1; + + trivial__destroy(skel); + return 0; +} diff --git a/tools/testing/selftests/hornet/trivial.bpf.c b/tools/testing/s= elftests/hornet/trivial.bpf.c new file mode 100644 index 0000000000000..d38c5b53ff932 --- /dev/null +++ b/tools/testing/selftests/hornet/trivial.bpf.c @@ -0,0 +1,33 @@ +// SPDX-License-Identifier: GPL-2.0 OR BSD-3-Clause + +#include "vmlinux.h" + +#include +#include +#include + +char LICENSE[] SEC("license") =3D "Dual BSD/GPL"; + +int monitored_pid =3D 0; + +SEC("tracepoint/syscalls/sys_enter_unlinkat") +int handle_enter_unlink(struct trace_event_raw_sys_enter *ctx) +{ + char filename[128] =3D { 0 }; + struct task_struct *task; + unsigned long start_time =3D 0; + int pid =3D bpf_get_current_pid_tgid() >> 32; + char *pathname_ptr =3D (char *) BPF_CORE_READ(ctx, args[1]); + + bpf_probe_read_str(filename, sizeof(filename), pathname_ptr); + task =3D (struct task_struct *)bpf_get_current_task(); + start_time =3D BPF_CORE_READ(task, start_time); + + bpf_printk("BPF triggered unlinkat by PID: %d, start_time %ld. pathname = =3D %s", + pid, start_time, filename); + + if (monitored_pid =3D=3D pid) + bpf_printk("target pid found"); + + return 0; +} --=20 2.52.0
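Review bot: In tools/testing/selftests/hornet/Makefile, the loader.h and sig.bin rules sign with $(CERTDIR)/signing_key.pem, where CERTDIR is $(abspath ../../../../certs), so the test builds only in a tree that already holds the kernel's private signing key. Is the kernel under test expected to have been built from this same tree? If not, consider generating a throwaway test key, or skipping with a clear message when the key is absent instead of failing inside the bpftool step. Separately, only gen_sig is placed under $(OUTPUT); vmlinux.h, loader.h, insn.bin, map.bin, sig.bin, signed_loader.h and the loader binary are written to the current directory, so a build with a separate output directory would write into the source tree. The -I/usr/include/$(shell uname -m)-linux-gnu include path also ties BPF_CFLAGS to the build host's architecture and directory layout.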
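Review bot: main() in tools/testing/selftests/hornet/loader.c covers only the success path: it returns 0 when trivial__open_and_load() succeeds, which cannot tell a load that was verified from one that was never checked. Since the commit message says the test exercises map validation, add at least one negative case, for example a loader built from a map.bin or sig.bin that was altered after signing, and assert that the load is rejected. On failure the program returns -1 with no message; printing errno would make a failing run diagnosable. argc and argv are unused.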
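Review bot: In handle_enter_unlink() in tools/testing/selftests/hornet/trivial.bpf.c, pathname_ptr is taken from args[1] of sys_enter_unlinkat, which is a user-space pointer, yet it is read with bpf_probe_read_str(); bpf_probe_read_user_str() is the helper for user memory, and its return value should be checked before filename is printed. start_time is declared unsigned long but printed with %ld; use %lu. monitored_pid is never written by loader.c, which only opens, loads and destroys the skeleton, so the "target pid found" branch is dead in this test; if the global exists to give the light skeleton a map for Hornet to hash, a short comment saying so would help the next reader.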