fs/bpf_fs_kfuncs.c at master · tjh.dev/kernel

tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
kernel / fs / bpf_fs_kfuncs.c
at master 13 kB view raw
  1// SPDX-License-Identifier: GPL-2.0
  2/* Copyright (c) 2024 Google LLC. */
  3
  4#include <linux/bpf.h>
  5#include <linux/bpf_lsm.h>
  6#include <linux/btf.h>
  7#include <linux/btf_ids.h>
  8#include <linux/dcache.h>
  9#include <linux/fs.h>
 10#include <linux/fsnotify.h>
 11#include <linux/file.h>
 12#include <linux/kernfs.h>
 13#include <linux/mm.h>
 14#include <linux/xattr.h>
 15
 16__bpf_kfunc_start_defs();
 17
 18/**
 19 * bpf_get_task_exe_file - get a reference on the exe_file struct file member of
 20 *                         the mm_struct that is nested within the supplied
 21 *                         task_struct
 22 * @task: task_struct of which the nested mm_struct exe_file member to get a
 23 * reference on
 24 *
 25 * Get a reference on the exe_file struct file member field of the mm_struct
 26 * nested within the supplied *task*. The referenced file pointer acquired by
 27 * this BPF kfunc must be released using bpf_put_file(). Failing to call
 28 * bpf_put_file() on the returned referenced struct file pointer that has been
 29 * acquired by this BPF kfunc will result in the BPF program being rejected by
 30 * the BPF verifier.
 31 *
 32 * This BPF kfunc may only be called from BPF LSM programs.
 33 *
 34 * Internally, this BPF kfunc leans on get_task_exe_file(), such that calling
 35 * bpf_get_task_exe_file() would be analogous to calling get_task_exe_file()
 36 * directly in kernel context.
 37 *
 38 * Return: A referenced struct file pointer to the exe_file member of the
 39 * mm_struct that is nested within the supplied *task*. On error, NULL is
 40 * returned.
 41 */
 42__bpf_kfunc struct file *bpf_get_task_exe_file(struct task_struct *task)
 43{
 44	return get_task_exe_file(task);
 45}
 46
 47/**
 48 * bpf_put_file - put a reference on the supplied file
 49 * @file: file to put a reference on
 50 *
 51 * Put a reference on the supplied *file*. Only referenced file pointers may be
 52 * passed to this BPF kfunc. Attempting to pass an unreferenced file pointer, or
 53 * any other arbitrary pointer for that matter, will result in the BPF program
 54 * being rejected by the BPF verifier.
 55 *
 56 * This BPF kfunc may only be called from BPF LSM programs.
 57 */
 58__bpf_kfunc void bpf_put_file(struct file *file)
 59{
 60	fput(file);
 61}
 62
 63/**
 64 * bpf_path_d_path - resolve the pathname for the supplied path
 65 * @path: path to resolve the pathname for
 66 * @buf: buffer to return the resolved pathname in
 67 * @buf__sz: length of the supplied buffer
 68 *
 69 * Resolve the pathname for the supplied *path* and store it in *buf*. This BPF
 70 * kfunc is the safer variant of the legacy bpf_d_path() helper and should be
 71 * used in place of bpf_d_path() whenever possible. It enforces KF_TRUSTED_ARGS
 72 * semantics, meaning that the supplied *path* must itself hold a valid
 73 * reference, or else the BPF program will be outright rejected by the BPF
 74 * verifier.
 75 *
 76 * This BPF kfunc may only be called from BPF LSM programs.
 77 *
 78 * Return: A positive integer corresponding to the length of the resolved
 79 * pathname in *buf*, including the NUL termination character. On error, a
 80 * negative integer is returned.
 81 */
 82__bpf_kfunc int bpf_path_d_path(const struct path *path, char *buf, size_t buf__sz)
 83{
 84	int len;
 85	char *ret;
 86
 87	if (!buf__sz)
 88		return -EINVAL;
 89
 90	ret = d_path(path, buf, buf__sz);
 91	if (IS_ERR(ret))
 92		return PTR_ERR(ret);
 93
 94	len = buf + buf__sz - ret;
 95	memmove(buf, ret, len);
 96	return len;
 97}
 98
 99static bool match_security_bpf_prefix(const char *name__str)
100{
101	return !strncmp(name__str, XATTR_NAME_BPF_LSM, XATTR_NAME_BPF_LSM_LEN);
102}
103
104static int bpf_xattr_read_permission(const char *name, struct inode *inode)
105{
106	if (WARN_ON(!inode))
107		return -EINVAL;
108
109	/* Allow reading xattr with user. and security.bpf. prefix */
110	if (strncmp(name, XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN) &&
111	    !match_security_bpf_prefix(name))
112		return -EPERM;
113
114	return inode_permission(&nop_mnt_idmap, inode, MAY_READ);
115}
116
117/**
118 * bpf_get_dentry_xattr - get xattr of a dentry
119 * @dentry: dentry to get xattr from
120 * @name__str: name of the xattr
121 * @value_p: output buffer of the xattr value
122 *
123 * Get xattr *name__str* of *dentry* and store the output in *value_ptr*.
124 *
125 * For security reasons, only *name__str* with prefixes "user." or
126 * "security.bpf." are allowed.
127 *
128 * Return: length of the xattr value on success, a negative value on error.
129 */
130__bpf_kfunc int bpf_get_dentry_xattr(struct dentry *dentry, const char *name__str,
131				     struct bpf_dynptr *value_p)
132{
133	struct bpf_dynptr_kern *value_ptr = (struct bpf_dynptr_kern *)value_p;
134	struct inode *inode = d_inode(dentry);
135	u32 value_len;
136	void *value;
137	int ret;
138
139	value_len = __bpf_dynptr_size(value_ptr);
140	value = __bpf_dynptr_data_rw(value_ptr, value_len);
141	if (!value)
142		return -EINVAL;
143
144	ret = bpf_xattr_read_permission(name__str, inode);
145	if (ret)
146		return ret;
147	return __vfs_getxattr(dentry, inode, name__str, value, value_len);
148}
149
150/**
151 * bpf_get_file_xattr - get xattr of a file
152 * @file: file to get xattr from
153 * @name__str: name of the xattr
154 * @value_p: output buffer of the xattr value
155 *
156 * Get xattr *name__str* of *file* and store the output in *value_ptr*.
157 *
158 * For security reasons, only *name__str* with prefixes "user." or
159 * "security.bpf." are allowed.
160 *
161 * Return: length of the xattr value on success, a negative value on error.
162 */
163__bpf_kfunc int bpf_get_file_xattr(struct file *file, const char *name__str,
164				   struct bpf_dynptr *value_p)
165{
166	struct dentry *dentry;
167
168	dentry = file_dentry(file);
169	return bpf_get_dentry_xattr(dentry, name__str, value_p);
170}
171
172__bpf_kfunc_end_defs();
173
174static int bpf_xattr_write_permission(const char *name, struct inode *inode)
175{
176	if (WARN_ON(!inode))
177		return -EINVAL;
178
179	/* Only allow setting and removing security.bpf. xattrs */
180	if (!match_security_bpf_prefix(name))
181		return -EPERM;
182
183	return inode_permission(&nop_mnt_idmap, inode, MAY_WRITE);
184}
185
186/**
187 * bpf_set_dentry_xattr_locked - set a xattr of a dentry
188 * @dentry: dentry to get xattr from
189 * @name__str: name of the xattr
190 * @value_p: xattr value
191 * @flags: flags to pass into filesystem operations
192 *
193 * Set xattr *name__str* of *dentry* to the value in *value_ptr*.
194 *
195 * For security reasons, only *name__str* with prefix "security.bpf."
196 * is allowed.
197 *
198 * The caller already locked dentry->d_inode.
199 *
200 * Return: 0 on success, a negative value on error.
201 */
202int bpf_set_dentry_xattr_locked(struct dentry *dentry, const char *name__str,
203				const struct bpf_dynptr *value_p, int flags)
204{
205
206	struct bpf_dynptr_kern *value_ptr = (struct bpf_dynptr_kern *)value_p;
207	struct inode *inode = d_inode(dentry);
208	const void *value;
209	u32 value_len;
210	int ret;
211
212	value_len = __bpf_dynptr_size(value_ptr);
213	value = __bpf_dynptr_data(value_ptr, value_len);
214	if (!value)
215		return -EINVAL;
216
217	ret = bpf_xattr_write_permission(name__str, inode);
218	if (ret)
219		return ret;
220
221	ret = __vfs_setxattr(&nop_mnt_idmap, dentry, inode, name__str,
222			     value, value_len, flags);
223	if (!ret) {
224		fsnotify_xattr(dentry);
225
226		/* This xattr is set by BPF LSM, so we do not call
227		 * security_inode_post_setxattr. Otherwise, we would
228		 * risk deadlocks by calling back to the same kfunc.
229		 *
230		 * This is the same as security_inode_setsecurity().
231		 */
232	}
233	return ret;
234}
235
236/**
237 * bpf_remove_dentry_xattr_locked - remove a xattr of a dentry
238 * @dentry: dentry to get xattr from
239 * @name__str: name of the xattr
240 *
241 * Rmove xattr *name__str* of *dentry*.
242 *
243 * For security reasons, only *name__str* with prefix "security.bpf."
244 * is allowed.
245 *
246 * The caller already locked dentry->d_inode.
247 *
248 * Return: 0 on success, a negative value on error.
249 */
250int bpf_remove_dentry_xattr_locked(struct dentry *dentry, const char *name__str)
251{
252	struct inode *inode = d_inode(dentry);
253	int ret;
254
255	ret = bpf_xattr_write_permission(name__str, inode);
256	if (ret)
257		return ret;
258
259	ret = __vfs_removexattr(&nop_mnt_idmap, dentry, name__str);
260	if (!ret) {
261		fsnotify_xattr(dentry);
262
263		/* This xattr is removed by BPF LSM, so we do not call
264		 * security_inode_post_removexattr. Otherwise, we would
265		 * risk deadlocks by calling back to the same kfunc.
266		 */
267	}
268	return ret;
269}
270
271__bpf_kfunc_start_defs();
272
273/**
274 * bpf_set_dentry_xattr - set a xattr of a dentry
275 * @dentry: dentry to get xattr from
276 * @name__str: name of the xattr
277 * @value_p: xattr value
278 * @flags: flags to pass into filesystem operations
279 *
280 * Set xattr *name__str* of *dentry* to the value in *value_ptr*.
281 *
282 * For security reasons, only *name__str* with prefix "security.bpf."
283 * is allowed.
284 *
285 * The caller has not locked dentry->d_inode.
286 *
287 * Return: 0 on success, a negative value on error.
288 */
289__bpf_kfunc int bpf_set_dentry_xattr(struct dentry *dentry, const char *name__str,
290				     const struct bpf_dynptr *value_p, int flags)
291{
292	struct inode *inode = d_inode(dentry);
293	int ret;
294
295	inode_lock(inode);
296	ret = bpf_set_dentry_xattr_locked(dentry, name__str, value_p, flags);
297	inode_unlock(inode);
298	return ret;
299}
300
301/**
302 * bpf_remove_dentry_xattr - remove a xattr of a dentry
303 * @dentry: dentry to get xattr from
304 * @name__str: name of the xattr
305 *
306 * Rmove xattr *name__str* of *dentry*.
307 *
308 * For security reasons, only *name__str* with prefix "security.bpf."
309 * is allowed.
310 *
311 * The caller has not locked dentry->d_inode.
312 *
313 * Return: 0 on success, a negative value on error.
314 */
315__bpf_kfunc int bpf_remove_dentry_xattr(struct dentry *dentry, const char *name__str)
316{
317	struct inode *inode = d_inode(dentry);
318	int ret;
319
320	inode_lock(inode);
321	ret = bpf_remove_dentry_xattr_locked(dentry, name__str);
322	inode_unlock(inode);
323	return ret;
324}
325
326#ifdef CONFIG_CGROUPS
327/**
328 * bpf_cgroup_read_xattr - read xattr of a cgroup's node in cgroupfs
329 * @cgroup: cgroup to get xattr from
330 * @name__str: name of the xattr
331 * @value_p: output buffer of the xattr value
332 *
333 * Get xattr *name__str* of *cgroup* and store the output in *value_ptr*.
334 *
335 * For security reasons, only *name__str* with prefix "user." is allowed.
336 *
337 * Return: length of the xattr value on success, a negative value on error.
338 */
339__bpf_kfunc int bpf_cgroup_read_xattr(struct cgroup *cgroup, const char *name__str,
340					struct bpf_dynptr *value_p)
341{
342	struct bpf_dynptr_kern *value_ptr = (struct bpf_dynptr_kern *)value_p;
343	u32 value_len;
344	void *value;
345
346	/* Only allow reading "user.*" xattrs */
347	if (strncmp(name__str, XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN))
348		return -EPERM;
349
350	value_len = __bpf_dynptr_size(value_ptr);
351	value = __bpf_dynptr_data_rw(value_ptr, value_len);
352	if (!value)
353		return -EINVAL;
354
355	return kernfs_xattr_get(cgroup->kn, name__str, value, value_len);
356}
357#endif /* CONFIG_CGROUPS */
358
359__bpf_kfunc_end_defs();
360
361BTF_KFUNCS_START(bpf_fs_kfunc_set_ids)
362BTF_ID_FLAGS(func, bpf_get_task_exe_file,
363	     KF_ACQUIRE | KF_TRUSTED_ARGS | KF_RET_NULL)
364BTF_ID_FLAGS(func, bpf_put_file, KF_RELEASE)
365BTF_ID_FLAGS(func, bpf_path_d_path, KF_TRUSTED_ARGS)
366BTF_ID_FLAGS(func, bpf_get_dentry_xattr, KF_SLEEPABLE | KF_TRUSTED_ARGS)
367BTF_ID_FLAGS(func, bpf_get_file_xattr, KF_SLEEPABLE | KF_TRUSTED_ARGS)
368BTF_ID_FLAGS(func, bpf_set_dentry_xattr, KF_SLEEPABLE | KF_TRUSTED_ARGS)
369BTF_ID_FLAGS(func, bpf_remove_dentry_xattr, KF_SLEEPABLE | KF_TRUSTED_ARGS)
370BTF_KFUNCS_END(bpf_fs_kfunc_set_ids)
371
372static int bpf_fs_kfuncs_filter(const struct bpf_prog *prog, u32 kfunc_id)
373{
374	if (!btf_id_set8_contains(&bpf_fs_kfunc_set_ids, kfunc_id) ||
375	    prog->type == BPF_PROG_TYPE_LSM)
376		return 0;
377	return -EACCES;
378}
379
380/* bpf_[set|remove]_dentry_xattr.* hooks have KF_TRUSTED_ARGS and
381 * KF_SLEEPABLE, so they are only available to sleepable hooks with
382 * dentry arguments.
383 *
384 * Setting and removing xattr requires exclusive lock on dentry->d_inode.
385 * Some hooks already locked d_inode, while some hooks have not locked
386 * d_inode. Therefore, we need different kfuncs for different hooks.
387 * Specifically, hooks in the following list (d_inode_locked_hooks)
388 * should call bpf_[set|remove]_dentry_xattr_locked; while other hooks
389 * should call bpf_[set|remove]_dentry_xattr.
390 */
391BTF_SET_START(d_inode_locked_hooks)
392BTF_ID(func, bpf_lsm_inode_post_removexattr)
393BTF_ID(func, bpf_lsm_inode_post_setattr)
394BTF_ID(func, bpf_lsm_inode_post_setxattr)
395BTF_ID(func, bpf_lsm_inode_removexattr)
396BTF_ID(func, bpf_lsm_inode_rmdir)
397BTF_ID(func, bpf_lsm_inode_setattr)
398BTF_ID(func, bpf_lsm_inode_setxattr)
399BTF_ID(func, bpf_lsm_inode_unlink)
400#ifdef CONFIG_SECURITY_PATH
401BTF_ID(func, bpf_lsm_path_unlink)
402BTF_ID(func, bpf_lsm_path_rmdir)
403#endif /* CONFIG_SECURITY_PATH */
404BTF_SET_END(d_inode_locked_hooks)
405
406bool bpf_lsm_has_d_inode_locked(const struct bpf_prog *prog)
407{
408	return btf_id_set_contains(&d_inode_locked_hooks, prog->aux->attach_btf_id);
409}
410
411static const struct btf_kfunc_id_set bpf_fs_kfunc_set = {
412	.owner = THIS_MODULE,
413	.set = &bpf_fs_kfunc_set_ids,
414	.filter = bpf_fs_kfuncs_filter,
415};
416
417static int __init bpf_fs_kfuncs_init(void)
418{
419	return register_btf_kfunc_id_set(BPF_PROG_TYPE_LSM, &bpf_fs_kfunc_set);
420}
421
422late_initcall(bpf_fs_kfuncs_init);