> The bpf_object__prepare() function internally calls
> bpf_object__probe_loading(),
> which attempts to load SOCKET_FILTER and TRACEPOINT programs to verify the BPF
> environment. Without these permissions in the token, the probe fails and
> causes
> the tests to fail.
> Fix the following test cases by adding SOCKET_FILTER and TRACEPOINT
> permissions:
> - obj_priv_map
> - obj_priv_prog
> - obj_priv_freplace_prog
> - obj_priv_freplace_prog_fail
> - obj_priv_btf_fail
> - obj_priv_btf_success
> - obj_priv_implicit_token
> - obj_priv_implicit_token_envvar
> - obj_priv_prog_kallsyms
> Signed-off-by: Yuan Chen <[email protected]>
The commit message describes adding SOCKET_FILTER and TRACEPOINT
permissions, but the patch also adds bit(BPF_PROG_LOAD) to the
obj_priv_map test and bit(BPF_MAP_TYPE_ARRAY) to obj_priv_btf_success,
obj_priv_implicit_token, and obj_priv_implicit_token_envvar.
Could the commit message be updated to describe these additional changes,
or should they be dropped if they are not needed?
This fixes failing token selftests but does not carry a Fixes: tag. The
tests began depending on the probe permissions once they started routing
through bpf_object__prepare(). Commit a024843d92cc introduced the
bpf_object__prepare() call into prog_tests/token.c. Should this include:
Fixes: a024843d92cc ("selftests/bpf: Test freplace from user namespace")
> diff --git a/tools/testing/selftests/bpf/prog_tests/token.c
> b/tools/testing/selftests/bpf/prog_tests/token.c
> index f2f5d36ae00a..25a76e09a3c9 100644
> --- a/tools/testing/selftests/bpf/prog_tests/token.c
> +++ b/tools/testing/selftests/bpf/prog_tests/token.c
> @@ -1168,8 +1168,13 @@ void serial_test_token(void)
> }
> if (test__start_subtest("obj_priv_map")) {
> struct bpffs_opts opts = {
> - .cmds = bit(BPF_MAP_CREATE),
> + /* BPF_PROG_LOAD is needed for
> bpf_object__probe_loading */
> + .cmds = bit(BPF_MAP_CREATE) | bit(BPF_PROG_LOAD),
> .maps = bit(BPF_MAP_TYPE_QUEUE),
> + /* Allow SOCKET_FILTER and TRACEPOINT for
> bpf_object__probe_loading */
> + .progs = bit(BPF_PROG_TYPE_SOCKET_FILTER) |
> + bit(BPF_PROG_TYPE_TRACEPOINT),
> + .attachs = ~0ULL,
> };
>
> subtest_userns(&opts, userns_obj_priv_map);
The obj_priv_map test is meant to verify a token restricted to
BPF_MAP_CREATE. Widening it with BPF_PROG_LOAD, SOCKET_FILTER, TRACEPOINT
and .attachs = ~0ULL relaxes the very restriction the test was checking.
If bpf_object__probe_loading() aborts the entire object load with -EPERM
under a confined token, is that better handled in libbpf, for example by
treating the probe -EPERM gracefully or skipping the probe for objects
that have no programs, rather than expanding the token privileges in the
test?
This was raised on the v1 posting and does not appear to have been
addressed:
https://lore.kernel.org/bpf/[email protected]/
> @@ -1177,7 +1182,10 @@ void serial_test_token(void)
[ ... ]
---
AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md
CI run summary: https://github.com/kernel-patches/bpf/actions/runs/26616379941
