From d2eb1c563e0a6fc6549e69f60ab2fc6bf81077ec Mon Sep 17 00:00:00 2001
From: Tamir Duberstein
Date: Fri, 3 Oct 2025 11:23:24 -0400
Subject: [PATCH] integration-test: add LSM

---
 test/integration-ebpf/src/test.rs | 21 +++++++-------
 test/integration-test/src/tests.rs | 1 +
 test/integration-test/src/tests/lsm.rs | 40 ++++++++++++++++++++++++++
 3 files changed, 51 insertions(+), 11 deletions(-)
 create mode 100644 test/integration-test/src/tests/lsm.rs

diff --git a/test/integration-ebpf/src/test.rs b/test/integration-ebpf/src/test.rs
index b9c4bfdf..708e3888 100644
--- a/test/integration-ebpf/src/test.rs
+++ b/test/integration-ebpf/src/test.rs
@@ -4,24 +4,18 @@
 use aya_ebpf::{
     bindings::{bpf_ret_code, xdp_action},
-    macros::{flow_dissector, kprobe, kretprobe, tracepoint, uprobe, uretprobe, xdp},
+    macros::{flow_dissector, kprobe, kretprobe, lsm, tracepoint, uprobe, uretprobe, xdp},
     programs::{
-        FlowDissectorContext, ProbeContext, RetProbeContext, TracePointContext, XdpContext,
+        FlowDissectorContext, LsmContext, ProbeContext, RetProbeContext, TracePointContext,
+        XdpContext,
     },
 };
 
 #[cfg(not(test))]
 extern crate ebpf_panic;
 
 #[xdp]
-fn pass(ctx: XdpContext) -> u32 {
-    match unsafe { try_pass(ctx) } {
-        Ok(ret) => ret,
-        Err(_) => xdp_action::XDP_ABORTED,
-    }
-}
-
-unsafe fn try_pass(_ctx: XdpContext) -> Result {
-    Ok(xdp_action::XDP_PASS)
+fn pass(_ctx: XdpContext) -> u32 {
+    xdp_action::XDP_PASS
 }
 
 #[kprobe]
@@ -55,3 +49,8 @@ fn test_flow(_ctx: FlowDissectorContext) -> u32 {
     // Linux kernel for inspiration.
     bpf_ret_code::BPF_FLOW_DISSECTOR_CONTINUE
 }
+
+#[lsm(hook = "file_open")]
+fn test_file_open(_ctx: LsmContext) -> i32 {
+    -1 // Disallow.
+}
diff --git a/test/integration-test/src/tests.rs b/test/integration-test/src/tests.rs
index aafc4f36..b7d4d492 100644
--- a/test/integration-test/src/tests.rs
+++ b/test/integration-test/src/tests.rs
@@ -8,6 +8,7 @@ mod iter;
 mod linear_data_structures;
 mod load;
 mod log;
+mod lsm;
 mod map_pin;
 mod raw_tracepoint;
 mod rbpf;
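Review bot: `-1 // Disallow.` in `test_file_open` is a bare magic number for what the LSM contract treats as a negative errno; the companion test asserts `PermissionDenied`, so the value being relied on is -EPERM, and that dependency between the two files is invisible here. Spell it out, e.g. `-1 // -EPERM: deny the open.`, so a later change to the errno (or to the test's expected ErrorKind) is caught on review. The hook also carries no filter on the calling task, so while attached it denies `file_open` for every process on the host, not just the test; a `///` doc comment on the function stating that scope would help whoever next runs this suite on a shared machine.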
diff --git a/test/integration-test/src/tests/lsm.rs b/test/integration-test/src/tests/lsm.rs
new file mode 100644
index 00000000..5b4a1123
--- /dev/null
+++ b/test/integration-test/src/tests/lsm.rs
@@ -0,0 +1,40 @@
+use assert_matches::assert_matches;
+use aya::{
+    Btf, Ebpf,
+    programs::{Lsm, ProgramError, ProgramType},
+    sys::SyscallError,
+    sys::is_program_supported,
+};
+
+#[test]
+fn lsm() {
+    let btf = Btf::from_sys_fs().unwrap();
+
+    let mut bpf: Ebpf = Ebpf::load(crate::TEST).unwrap();
+    let prog = bpf.program_mut("test_file_open").unwrap();
+    let prog: &mut Lsm = prog.try_into().unwrap();
+    prog.load("file_open", &btf).unwrap();
+
+    assert_matches!(std::fs::File::open("/proc/self/exe"), Ok(_));
+
+    let link_id = {
+        let result = prog.attach();
+        if !is_program_supported(ProgramType::Lsm).unwrap() {
+            assert_matches!(result, Err(ProgramError::SyscallError(SyscallError { call, io_error })) => {
+                assert_eq!(call, "bpf_raw_tracepoint_open");
+                assert_eq!(io_error.raw_os_error(), Some(524));
+            });
+            eprintln!("skipping test - lsm program not supported");
+            return;
+        }
+        result.unwrap()
+    };
+
+    assert_matches!(std::fs::File::open("/proc/self/exe"), Err(e) => assert_eq!(
+        e.kind(), std::io::ErrorKind::PermissionDenied)
+    );
+
+    prog.detach(link_id).unwrap();
+
+    assert_matches!(std::fs::File::open("/proc/self/exe"), Ok(_));
+}
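Review bot: Between `prog.attach()` succeeding and `prog.detach(link_id)`, the attached `file_open` hook denies every open on the host, not only this process, so a sibling test or any other process opening a file in that window sees PermissionDenied, and a panic inside the window (say the `Err(e)` assertion failing) keeps the deny in place until `bpf` is dropped during unwinding. If this binary's tests run in parallel threads (cargo's default), that makes the others flaky; a comment above `let link_id = {` such as `// While attached, the hook denies file_open system-wide; keep this window minimal.` and running the test serially would make the hazard explicit. `Some(524)` on the unsupported path is the kernel-private ENOTSUPP value that libc does not export, so `// ENOTSUPP` next to it saves the next reader a lookup. Whether `is_program_supported(ProgramType::Lsm)` also covers a kernel that loads LSM programs but lacks `bpf` in its active LSM list is not visible here; if it does not, `result.unwrap()` turns that configuration into a hard failure rather than a skip.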