bpf_fs_kfuncs.c 12 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417
  1. // SPDX-License-Identifier: GPL-2.0
  2. /* Copyright (c) 2024 Google LLC. */
  3. #include <linux/bpf.h>
  4. #include <linux/bpf_lsm.h>
  5. #include <linux/btf.h>
  6. #include <linux/btf_ids.h>
  7. #include <linux/dcache.h>
  8. #include <linux/fs.h>
  9. #include <linux/fsnotify.h>
  10. #include <linux/file.h>
  11. #include <linux/kernfs.h>
  12. #include <linux/mm.h>
  13. #include <linux/xattr.h>
  14. __bpf_kfunc_start_defs();
  15. /**
  16. * bpf_get_task_exe_file - get a reference on the exe_file struct file member of
  17. * the mm_struct that is nested within the supplied
  18. * task_struct
  19. * @task: task_struct of which the nested mm_struct exe_file member to get a
  20. * reference on
  21. *
  22. * Get a reference on the exe_file struct file member field of the mm_struct
  23. * nested within the supplied *task*. The referenced file pointer acquired by
  24. * this BPF kfunc must be released using bpf_put_file(). Failing to call
  25. * bpf_put_file() on the returned referenced struct file pointer that has been
  26. * acquired by this BPF kfunc will result in the BPF program being rejected by
  27. * the BPF verifier.
  28. *
  29. * This BPF kfunc may only be called from BPF LSM programs.
  30. *
  31. * Internally, this BPF kfunc leans on get_task_exe_file(), such that calling
  32. * bpf_get_task_exe_file() would be analogous to calling get_task_exe_file()
  33. * directly in kernel context.
  34. *
  35. * Return: A referenced struct file pointer to the exe_file member of the
  36. * mm_struct that is nested within the supplied *task*. On error, NULL is
  37. * returned.
  38. */
  39. __bpf_kfunc struct file *bpf_get_task_exe_file(struct task_struct *task)
  40. {
  41. return get_task_exe_file(task);
  42. }
  43. /**
  44. * bpf_put_file - put a reference on the supplied file
  45. * @file: file to put a reference on
  46. *
  47. * Put a reference on the supplied *file*. Only referenced file pointers may be
  48. * passed to this BPF kfunc. Attempting to pass an unreferenced file pointer, or
  49. * any other arbitrary pointer for that matter, will result in the BPF program
  50. * being rejected by the BPF verifier.
  51. *
  52. * This BPF kfunc may only be called from BPF LSM programs.
  53. */
  54. __bpf_kfunc void bpf_put_file(struct file *file)
  55. {
  56. fput(file);
  57. }
  58. /**
  59. * bpf_path_d_path - resolve the pathname for the supplied path
  60. * @path: path to resolve the pathname for
  61. * @buf: buffer to return the resolved pathname in
  62. * @buf__sz: length of the supplied buffer
  63. *
  64. * Resolve the pathname for the supplied *path* and store it in *buf*. This BPF
  65. * kfunc is the safer variant of the legacy bpf_d_path() helper and should be
  66. * used in place of bpf_d_path() whenever possible.
  67. *
  68. * This BPF kfunc may only be called from BPF LSM programs.
  69. *
  70. * Return: A positive integer corresponding to the length of the resolved
  71. * pathname in *buf*, including the NUL termination character. On error, a
  72. * negative integer is returned.
  73. */
  74. __bpf_kfunc int bpf_path_d_path(const struct path *path, char *buf, size_t buf__sz)
  75. {
  76. int len;
  77. char *ret;
  78. if (!buf__sz)
  79. return -EINVAL;
  80. ret = d_path(path, buf, buf__sz);
  81. if (IS_ERR(ret))
  82. return PTR_ERR(ret);
  83. len = buf + buf__sz - ret;
  84. memmove(buf, ret, len);
  85. return len;
  86. }
  87. static bool match_security_bpf_prefix(const char *name__str)
  88. {
  89. return !strncmp(name__str, XATTR_NAME_BPF_LSM, XATTR_NAME_BPF_LSM_LEN);
  90. }
  91. static int bpf_xattr_read_permission(const char *name, struct inode *inode)
  92. {
  93. if (WARN_ON(!inode))
  94. return -EINVAL;
  95. /* Allow reading xattr with user. and security.bpf. prefix */
  96. if (strncmp(name, XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN) &&
  97. !match_security_bpf_prefix(name))
  98. return -EPERM;
  99. return inode_permission(&nop_mnt_idmap, inode, MAY_READ);
  100. }
  101. /**
  102. * bpf_get_dentry_xattr - get xattr of a dentry
  103. * @dentry: dentry to get xattr from
  104. * @name__str: name of the xattr
  105. * @value_p: output buffer of the xattr value
  106. *
  107. * Get xattr *name__str* of *dentry* and store the output in *value_ptr*.
  108. *
  109. * For security reasons, only *name__str* with prefixes "user." or
  110. * "security.bpf." are allowed.
  111. *
  112. * Return: length of the xattr value on success, a negative value on error.
  113. */
  114. __bpf_kfunc int bpf_get_dentry_xattr(struct dentry *dentry, const char *name__str,
  115. struct bpf_dynptr *value_p)
  116. {
  117. struct bpf_dynptr_kern *value_ptr = (struct bpf_dynptr_kern *)value_p;
  118. struct inode *inode = d_inode(dentry);
  119. u32 value_len;
  120. void *value;
  121. int ret;
  122. value_len = __bpf_dynptr_size(value_ptr);
  123. value = __bpf_dynptr_data_rw(value_ptr, value_len);
  124. if (!value)
  125. return -EINVAL;
  126. ret = bpf_xattr_read_permission(name__str, inode);
  127. if (ret)
  128. return ret;
  129. return __vfs_getxattr(dentry, inode, name__str, value, value_len);
  130. }
  131. /**
  132. * bpf_get_file_xattr - get xattr of a file
  133. * @file: file to get xattr from
  134. * @name__str: name of the xattr
  135. * @value_p: output buffer of the xattr value
  136. *
  137. * Get xattr *name__str* of *file* and store the output in *value_ptr*.
  138. *
  139. * For security reasons, only *name__str* with prefixes "user." or
  140. * "security.bpf." are allowed.
  141. *
  142. * Return: length of the xattr value on success, a negative value on error.
  143. */
  144. __bpf_kfunc int bpf_get_file_xattr(struct file *file, const char *name__str,
  145. struct bpf_dynptr *value_p)
  146. {
  147. struct dentry *dentry;
  148. dentry = file_dentry(file);
  149. return bpf_get_dentry_xattr(dentry, name__str, value_p);
  150. }
  151. __bpf_kfunc_end_defs();
  152. static int bpf_xattr_write_permission(const char *name, struct inode *inode)
  153. {
  154. if (WARN_ON(!inode))
  155. return -EINVAL;
  156. /* Only allow setting and removing security.bpf. xattrs */
  157. if (!match_security_bpf_prefix(name))
  158. return -EPERM;
  159. return inode_permission(&nop_mnt_idmap, inode, MAY_WRITE);
  160. }
  161. /**
  162. * bpf_set_dentry_xattr_locked - set a xattr of a dentry
  163. * @dentry: dentry to get xattr from
  164. * @name__str: name of the xattr
  165. * @value_p: xattr value
  166. * @flags: flags to pass into filesystem operations
  167. *
  168. * Set xattr *name__str* of *dentry* to the value in *value_ptr*.
  169. *
  170. * For security reasons, only *name__str* with prefix "security.bpf."
  171. * is allowed.
  172. *
  173. * The caller already locked dentry->d_inode.
  174. *
  175. * Return: 0 on success, a negative value on error.
  176. */
  177. int bpf_set_dentry_xattr_locked(struct dentry *dentry, const char *name__str,
  178. const struct bpf_dynptr *value_p, int flags)
  179. {
  180. struct bpf_dynptr_kern *value_ptr = (struct bpf_dynptr_kern *)value_p;
  181. struct inode *inode = d_inode(dentry);
  182. const void *value;
  183. u32 value_len;
  184. int ret;
  185. value_len = __bpf_dynptr_size(value_ptr);
  186. value = __bpf_dynptr_data(value_ptr, value_len);
  187. if (!value)
  188. return -EINVAL;
  189. ret = bpf_xattr_write_permission(name__str, inode);
  190. if (ret)
  191. return ret;
  192. ret = __vfs_setxattr(&nop_mnt_idmap, dentry, inode, name__str,
  193. value, value_len, flags);
  194. if (!ret) {
  195. fsnotify_xattr(dentry);
  196. /* This xattr is set by BPF LSM, so we do not call
  197. * security_inode_post_setxattr. Otherwise, we would
  198. * risk deadlocks by calling back to the same kfunc.
  199. *
  200. * This is the same as security_inode_setsecurity().
  201. */
  202. }
  203. return ret;
  204. }
  205. /**
  206. * bpf_remove_dentry_xattr_locked - remove a xattr of a dentry
  207. * @dentry: dentry to get xattr from
  208. * @name__str: name of the xattr
  209. *
  210. * Rmove xattr *name__str* of *dentry*.
  211. *
  212. * For security reasons, only *name__str* with prefix "security.bpf."
  213. * is allowed.
  214. *
  215. * The caller already locked dentry->d_inode.
  216. *
  217. * Return: 0 on success, a negative value on error.
  218. */
  219. int bpf_remove_dentry_xattr_locked(struct dentry *dentry, const char *name__str)
  220. {
  221. struct inode *inode = d_inode(dentry);
  222. int ret;
  223. ret = bpf_xattr_write_permission(name__str, inode);
  224. if (ret)
  225. return ret;
  226. ret = __vfs_removexattr(&nop_mnt_idmap, dentry, name__str);
  227. if (!ret) {
  228. fsnotify_xattr(dentry);
  229. /* This xattr is removed by BPF LSM, so we do not call
  230. * security_inode_post_removexattr. Otherwise, we would
  231. * risk deadlocks by calling back to the same kfunc.
  232. */
  233. }
  234. return ret;
  235. }
  236. __bpf_kfunc_start_defs();
  237. /**
  238. * bpf_set_dentry_xattr - set a xattr of a dentry
  239. * @dentry: dentry to get xattr from
  240. * @name__str: name of the xattr
  241. * @value_p: xattr value
  242. * @flags: flags to pass into filesystem operations
  243. *
  244. * Set xattr *name__str* of *dentry* to the value in *value_ptr*.
  245. *
  246. * For security reasons, only *name__str* with prefix "security.bpf."
  247. * is allowed.
  248. *
  249. * The caller has not locked dentry->d_inode.
  250. *
  251. * Return: 0 on success, a negative value on error.
  252. */
  253. __bpf_kfunc int bpf_set_dentry_xattr(struct dentry *dentry, const char *name__str,
  254. const struct bpf_dynptr *value_p, int flags)
  255. {
  256. struct inode *inode = d_inode(dentry);
  257. int ret;
  258. inode_lock(inode);
  259. ret = bpf_set_dentry_xattr_locked(dentry, name__str, value_p, flags);
  260. inode_unlock(inode);
  261. return ret;
  262. }
  263. /**
  264. * bpf_remove_dentry_xattr - remove a xattr of a dentry
  265. * @dentry: dentry to get xattr from
  266. * @name__str: name of the xattr
  267. *
  268. * Rmove xattr *name__str* of *dentry*.
  269. *
  270. * For security reasons, only *name__str* with prefix "security.bpf."
  271. * is allowed.
  272. *
  273. * The caller has not locked dentry->d_inode.
  274. *
  275. * Return: 0 on success, a negative value on error.
  276. */
  277. __bpf_kfunc int bpf_remove_dentry_xattr(struct dentry *dentry, const char *name__str)
  278. {
  279. struct inode *inode = d_inode(dentry);
  280. int ret;
  281. inode_lock(inode);
  282. ret = bpf_remove_dentry_xattr_locked(dentry, name__str);
  283. inode_unlock(inode);
  284. return ret;
  285. }
  286. #ifdef CONFIG_CGROUPS
  287. /**
  288. * bpf_cgroup_read_xattr - read xattr of a cgroup's node in cgroupfs
  289. * @cgroup: cgroup to get xattr from
  290. * @name__str: name of the xattr
  291. * @value_p: output buffer of the xattr value
  292. *
  293. * Get xattr *name__str* of *cgroup* and store the output in *value_ptr*.
  294. *
  295. * For security reasons, only *name__str* with prefix "user." is allowed.
  296. *
  297. * Return: length of the xattr value on success, a negative value on error.
  298. */
  299. __bpf_kfunc int bpf_cgroup_read_xattr(struct cgroup *cgroup, const char *name__str,
  300. struct bpf_dynptr *value_p)
  301. {
  302. struct bpf_dynptr_kern *value_ptr = (struct bpf_dynptr_kern *)value_p;
  303. u32 value_len;
  304. void *value;
  305. /* Only allow reading "user.*" xattrs */
  306. if (strncmp(name__str, XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN))
  307. return -EPERM;
  308. value_len = __bpf_dynptr_size(value_ptr);
  309. value = __bpf_dynptr_data_rw(value_ptr, value_len);
  310. if (!value)
  311. return -EINVAL;
  312. return kernfs_xattr_get(cgroup->kn, name__str, value, value_len);
  313. }
  314. #endif /* CONFIG_CGROUPS */
  315. __bpf_kfunc_end_defs();
  316. BTF_KFUNCS_START(bpf_fs_kfunc_set_ids)
  317. BTF_ID_FLAGS(func, bpf_get_task_exe_file, KF_ACQUIRE | KF_RET_NULL)
  318. BTF_ID_FLAGS(func, bpf_put_file, KF_RELEASE)
  319. BTF_ID_FLAGS(func, bpf_path_d_path)
  320. BTF_ID_FLAGS(func, bpf_get_dentry_xattr, KF_SLEEPABLE)
  321. BTF_ID_FLAGS(func, bpf_get_file_xattr, KF_SLEEPABLE)
  322. BTF_ID_FLAGS(func, bpf_set_dentry_xattr, KF_SLEEPABLE)
  323. BTF_ID_FLAGS(func, bpf_remove_dentry_xattr, KF_SLEEPABLE)
  324. BTF_KFUNCS_END(bpf_fs_kfunc_set_ids)
  325. static int bpf_fs_kfuncs_filter(const struct bpf_prog *prog, u32 kfunc_id)
  326. {
  327. if (!btf_id_set8_contains(&bpf_fs_kfunc_set_ids, kfunc_id) ||
  328. prog->type == BPF_PROG_TYPE_LSM)
  329. return 0;
  330. return -EACCES;
  331. }
  332. /* bpf_[set|remove]_dentry_xattr.* hooks have KF_SLEEPABLE, so they are only
  333. * available to sleepable hooks with dentry arguments.
  334. *
  335. * Setting and removing xattr requires exclusive lock on dentry->d_inode.
  336. * Some hooks already locked d_inode, while some hooks have not locked
  337. * d_inode. Therefore, we need different kfuncs for different hooks.
  338. * Specifically, hooks in the following list (d_inode_locked_hooks)
  339. * should call bpf_[set|remove]_dentry_xattr_locked; while other hooks
  340. * should call bpf_[set|remove]_dentry_xattr.
  341. */
  342. BTF_SET_START(d_inode_locked_hooks)
  343. BTF_ID(func, bpf_lsm_inode_post_removexattr)
  344. BTF_ID(func, bpf_lsm_inode_post_setattr)
  345. BTF_ID(func, bpf_lsm_inode_post_setxattr)
  346. BTF_ID(func, bpf_lsm_inode_removexattr)
  347. BTF_ID(func, bpf_lsm_inode_rmdir)
  348. BTF_ID(func, bpf_lsm_inode_setattr)
  349. BTF_ID(func, bpf_lsm_inode_setxattr)
  350. BTF_ID(func, bpf_lsm_inode_unlink)
  351. #ifdef CONFIG_SECURITY_PATH
  352. BTF_ID(func, bpf_lsm_path_unlink)
  353. BTF_ID(func, bpf_lsm_path_rmdir)
  354. #endif /* CONFIG_SECURITY_PATH */
  355. BTF_SET_END(d_inode_locked_hooks)
  356. bool bpf_lsm_has_d_inode_locked(const struct bpf_prog *prog)
  357. {
  358. return btf_id_set_contains(&d_inode_locked_hooks, prog->aux->attach_btf_id);
  359. }
  360. static const struct btf_kfunc_id_set bpf_fs_kfunc_set = {
  361. .owner = THIS_MODULE,
  362. .set = &bpf_fs_kfunc_set_ids,
  363. .filter = bpf_fs_kfuncs_filter,
  364. };
  365. static int __init bpf_fs_kfuncs_init(void)
  366. {
  367. return register_btf_kfunc_id_set(BPF_PROG_TYPE_LSM, &bpf_fs_kfunc_set);
  368. }
  369. late_initcall(bpf_fs_kfuncs_init);