Gitiles
Code Review Sign In
review.shift-gmbh.com / SHIFTPHONES / mainline / linux / a254a9da455c171441ab3a76ed8f5d1e9412e15f / . / kernel / bpf / bpf_lsm.c
blob: 9e4ecc99064775bfd3ddf9b98963f2f54ff94485 [file] [log] [blame]
KP Singhfc611f42020-03-29 01:43:49 +0100[diff] [blame]1// SPDX-License-Identifier: GPL-2.0
2
3/*
4 * Copyright (C) 2020 Google LLC.
5 */
6
7#include <linux/filter.h>
8#include <linux/bpf.h>
9#include <linux/btf.h>
KP Singh3f6719c2020-11-17 23:29:28 +0000[diff] [blame]10#include <linux/binfmts.h>
KP Singh9d3fdea2020-03-29 01:43:51 +0100[diff] [blame]11#include <linux/lsm_hooks.h>
12#include <linux/bpf_lsm.h>
KP Singh9e4e01d2020-03-29 01:43:52 +0100[diff] [blame]13#include <linux/kallsyms.h>
14#include <linux/bpf_verifier.h>
KP Singh30897832020-08-25 20:29:18 +0200[diff] [blame]15#include <net/bpf_sk_storage.h>
16#include <linux/bpf_local_storage.h>
KP Singh6f64e472020-11-05 23:06:51 +0000[diff] [blame]17#include <linux/btf_ids.h>
KP Singh27672f02020-11-24 15:12:09 +0000[diff] [blame]18#include <linux/ima.h>
KP Singh9d3fdea2020-03-29 01:43:51 +0100[diff] [blame]19
20/* For every LSM hook that allows attachment of BPF programs, declare a nop
21 * function where a BPF program can be attached.
22 */
23#define LSM_HOOK(RET, DEFAULT, NAME, ...) \
24noinline RET bpf_lsm_##NAME(__VA_ARGS__) \
25{ \
26 return DEFAULT; \
27}
28
29#include <linux/lsm_hook_defs.h>
30#undef LSM_HOOK
KP Singhfc611f42020-03-29 01:43:49 +0100[diff] [blame]31
KP Singh6f64e472020-11-05 23:06:51 +0000[diff] [blame]32#define LSM_HOOK(RET, DEFAULT, NAME, ...) BTF_ID(func, bpf_lsm_##NAME)
33BTF_SET_START(bpf_lsm_hooks)
34#include <linux/lsm_hook_defs.h>
35#undef LSM_HOOK
36BTF_SET_END(bpf_lsm_hooks)
KP Singh9e4e01d2020-03-29 01:43:52 +0100[diff] [blame]37
38int bpf_lsm_verify_prog(struct bpf_verifier_log *vlog,
39 const struct bpf_prog *prog)
40{
41 if (!prog->gpl_compatible) {
42 bpf_log(vlog,
43 "LSM programs must have a GPL compatible license\n");
44 return -EINVAL;
45 }
46
KP Singh6f64e472020-11-05 23:06:51 +0000[diff] [blame]47 if (!btf_id_set_contains(&bpf_lsm_hooks, prog->aux->attach_btf_id)) {
KP Singh9e4e01d2020-03-29 01:43:52 +0100[diff] [blame]48 bpf_log(vlog, "attach_btf_id %u points to wrong type name %s\n",
49 prog->aux->attach_btf_id, prog->aux->attach_func_name);
50 return -EINVAL;
51 }
52
53 return 0;
54}
55
KP Singh3f6719c2020-11-17 23:29:28 +0000[diff] [blame]56/* Mask for all the currently supported BPRM option flags */
57#define BPF_F_BRPM_OPTS_MASK BPF_F_BPRM_SECUREEXEC
58
59BPF_CALL_2(bpf_bprm_opts_set, struct linux_binprm *, bprm, u64, flags)
60{
61 if (flags & ~BPF_F_BRPM_OPTS_MASK)
62 return -EINVAL;
63
64 bprm->secureexec = (flags & BPF_F_BPRM_SECUREEXEC);
65 return 0;
66}
67
68BTF_ID_LIST_SINGLE(bpf_bprm_opts_set_btf_ids, struct, linux_binprm)
69
Arnd Bergmanne2c69f32021-03-22 22:51:51 +0100[diff] [blame]70static const struct bpf_func_proto bpf_bprm_opts_set_proto = {
KP Singh3f6719c2020-11-17 23:29:28 +0000[diff] [blame]71 .func = bpf_bprm_opts_set,
72 .gpl_only = false,
73 .ret_type = RET_INTEGER,
74 .arg1_type = ARG_PTR_TO_BTF_ID,
75 .arg1_btf_id = &bpf_bprm_opts_set_btf_ids[0],
76 .arg2_type = ARG_ANYTHING,
77};
78
KP Singh27672f02020-11-24 15:12:09 +0000[diff] [blame]79BPF_CALL_3(bpf_ima_inode_hash, struct inode *, inode, void *, dst, u32, size)
80{
81 return ima_inode_hash(inode, dst, size);
82}
83
84static bool bpf_ima_inode_hash_allowed(const struct bpf_prog *prog)
85{
86 return bpf_lsm_is_sleepable_hook(prog->aux->attach_btf_id);
87}
88
89BTF_ID_LIST_SINGLE(bpf_ima_inode_hash_btf_ids, struct, inode)
90
Arnd Bergmanne2c69f32021-03-22 22:51:51 +0100[diff] [blame]91static const struct bpf_func_proto bpf_ima_inode_hash_proto = {
KP Singh27672f02020-11-24 15:12:09 +0000[diff] [blame]92 .func = bpf_ima_inode_hash,
93 .gpl_only = false,
94 .ret_type = RET_INTEGER,
95 .arg1_type = ARG_PTR_TO_BTF_ID,
96 .arg1_btf_id = &bpf_ima_inode_hash_btf_ids[0],
97 .arg2_type = ARG_PTR_TO_UNINIT_MEM,
98 .arg3_type = ARG_CONST_SIZE,
99 .allowed = bpf_ima_inode_hash_allowed,
100};
101
KP Singh30897832020-08-25 20:29:18 +0200[diff] [blame]102static const struct bpf_func_proto *
103bpf_lsm_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
104{
105 switch (func_id) {
106 case BPF_FUNC_inode_storage_get:
107 return &bpf_inode_storage_get_proto;
108 case BPF_FUNC_inode_storage_delete:
109 return &bpf_inode_storage_delete_proto;
Daniel Borkmann5c9d7062021-05-25 20:35:29 +0200[diff] [blame]110#ifdef CONFIG_NET
KP Singh30897832020-08-25 20:29:18 +0200[diff] [blame]111 case BPF_FUNC_sk_storage_get:
Martin KaFai Lau592a3492020-09-24 17:04:02 -0700[diff] [blame]112 return &bpf_sk_storage_get_proto;
KP Singh30897832020-08-25 20:29:18 +0200[diff] [blame]113 case BPF_FUNC_sk_storage_delete:
Martin KaFai Lau592a3492020-09-24 17:04:02 -0700[diff] [blame]114 return &bpf_sk_storage_delete_proto;
Daniel Borkmann5c9d7062021-05-25 20:35:29 +0200[diff] [blame]115#endif /* CONFIG_NET */
KP Singh9e7a4d92020-11-06 10:37:39 +0000[diff] [blame]116 case BPF_FUNC_spin_lock:
117 return &bpf_spin_lock_proto;
118 case BPF_FUNC_spin_unlock:
119 return &bpf_spin_unlock_proto;
KP Singh3f6719c2020-11-17 23:29:28 +0000[diff] [blame]120 case BPF_FUNC_bprm_opts_set:
121 return &bpf_bprm_opts_set_proto;
KP Singh27672f02020-11-24 15:12:09 +0000[diff] [blame]122 case BPF_FUNC_ima_inode_hash:
123 return prog->aux->sleepable ? &bpf_ima_inode_hash_proto : NULL;
KP Singh30897832020-08-25 20:29:18 +0200[diff] [blame]124 default:
125 return tracing_prog_func_proto(func_id, prog);
126 }
127}
128
KP Singh423f1612020-11-13 00:59:29 +0000[diff] [blame]129/* The set of hooks which are called without pagefaults disabled and are allowed
Shuyi Cheng712b78c2021-06-16 10:04:36 +0800[diff] [blame]130 * to "sleep" and thus can be used for sleepable BPF programs.
KP Singh423f1612020-11-13 00:59:29 +0000[diff] [blame]131 */
132BTF_SET_START(sleepable_lsm_hooks)
133BTF_ID(func, bpf_lsm_bpf)
134BTF_ID(func, bpf_lsm_bpf_map)
135BTF_ID(func, bpf_lsm_bpf_map_alloc_security)
136BTF_ID(func, bpf_lsm_bpf_map_free_security)
137BTF_ID(func, bpf_lsm_bpf_prog)
138BTF_ID(func, bpf_lsm_bprm_check_security)
139BTF_ID(func, bpf_lsm_bprm_committed_creds)
140BTF_ID(func, bpf_lsm_bprm_committing_creds)
141BTF_ID(func, bpf_lsm_bprm_creds_for_exec)
142BTF_ID(func, bpf_lsm_bprm_creds_from_file)
143BTF_ID(func, bpf_lsm_capget)
144BTF_ID(func, bpf_lsm_capset)
145BTF_ID(func, bpf_lsm_cred_prepare)
146BTF_ID(func, bpf_lsm_file_ioctl)
147BTF_ID(func, bpf_lsm_file_lock)
148BTF_ID(func, bpf_lsm_file_open)
149BTF_ID(func, bpf_lsm_file_receive)
Mikko Ylinen78031382021-01-25 08:39:36 +0200[diff] [blame]150
151#ifdef CONFIG_SECURITY_NETWORK
KP Singh423f1612020-11-13 00:59:29 +0000[diff] [blame]152BTF_ID(func, bpf_lsm_inet_conn_established)
Mikko Ylinen78031382021-01-25 08:39:36 +0200[diff] [blame]153#endif /* CONFIG_SECURITY_NETWORK */
154
KP Singh423f1612020-11-13 00:59:29 +0000[diff] [blame]155BTF_ID(func, bpf_lsm_inode_create)
156BTF_ID(func, bpf_lsm_inode_free_security)
157BTF_ID(func, bpf_lsm_inode_getattr)
158BTF_ID(func, bpf_lsm_inode_getxattr)
159BTF_ID(func, bpf_lsm_inode_mknod)
160BTF_ID(func, bpf_lsm_inode_need_killpriv)
161BTF_ID(func, bpf_lsm_inode_post_setxattr)
162BTF_ID(func, bpf_lsm_inode_readlink)
163BTF_ID(func, bpf_lsm_inode_rename)
164BTF_ID(func, bpf_lsm_inode_rmdir)
165BTF_ID(func, bpf_lsm_inode_setattr)
166BTF_ID(func, bpf_lsm_inode_setxattr)
167BTF_ID(func, bpf_lsm_inode_symlink)
168BTF_ID(func, bpf_lsm_inode_unlink)
169BTF_ID(func, bpf_lsm_kernel_module_request)
170BTF_ID(func, bpf_lsm_kernfs_init_security)
Mikko Ylinen78031382021-01-25 08:39:36 +0200[diff] [blame]171
172#ifdef CONFIG_KEYS
KP Singh423f1612020-11-13 00:59:29 +0000[diff] [blame]173BTF_ID(func, bpf_lsm_key_free)
Mikko Ylinen78031382021-01-25 08:39:36 +0200[diff] [blame]174#endif /* CONFIG_KEYS */
175
KP Singh423f1612020-11-13 00:59:29 +0000[diff] [blame]176BTF_ID(func, bpf_lsm_mmap_file)
177BTF_ID(func, bpf_lsm_netlink_send)
178BTF_ID(func, bpf_lsm_path_notify)
179BTF_ID(func, bpf_lsm_release_secctx)
180BTF_ID(func, bpf_lsm_sb_alloc_security)
181BTF_ID(func, bpf_lsm_sb_eat_lsm_opts)
182BTF_ID(func, bpf_lsm_sb_kern_mount)
183BTF_ID(func, bpf_lsm_sb_mount)
184BTF_ID(func, bpf_lsm_sb_remount)
185BTF_ID(func, bpf_lsm_sb_set_mnt_opts)
186BTF_ID(func, bpf_lsm_sb_show_options)
187BTF_ID(func, bpf_lsm_sb_statfs)
188BTF_ID(func, bpf_lsm_sb_umount)
189BTF_ID(func, bpf_lsm_settime)
Mikko Ylinen78031382021-01-25 08:39:36 +0200[diff] [blame]190
191#ifdef CONFIG_SECURITY_NETWORK
KP Singh423f1612020-11-13 00:59:29 +0000[diff] [blame]192BTF_ID(func, bpf_lsm_socket_accept)
193BTF_ID(func, bpf_lsm_socket_bind)
194BTF_ID(func, bpf_lsm_socket_connect)
195BTF_ID(func, bpf_lsm_socket_create)
196BTF_ID(func, bpf_lsm_socket_getpeername)
197BTF_ID(func, bpf_lsm_socket_getpeersec_dgram)
198BTF_ID(func, bpf_lsm_socket_getsockname)
199BTF_ID(func, bpf_lsm_socket_getsockopt)
200BTF_ID(func, bpf_lsm_socket_listen)
201BTF_ID(func, bpf_lsm_socket_post_create)
202BTF_ID(func, bpf_lsm_socket_recvmsg)
203BTF_ID(func, bpf_lsm_socket_sendmsg)
204BTF_ID(func, bpf_lsm_socket_shutdown)
205BTF_ID(func, bpf_lsm_socket_socketpair)
Mikko Ylinen78031382021-01-25 08:39:36 +0200[diff] [blame]206#endif /* CONFIG_SECURITY_NETWORK */
207
KP Singh423f1612020-11-13 00:59:29 +0000[diff] [blame]208BTF_ID(func, bpf_lsm_syslog)
209BTF_ID(func, bpf_lsm_task_alloc)
Alexei Starovoitov63ee9562022-01-24 20:20:51 -0800[diff] [blame]210BTF_ID(func, bpf_lsm_current_getsecid_subj)
Paul Moore4ebd7652021-02-19 14:26:21 -0500[diff] [blame]211BTF_ID(func, bpf_lsm_task_getsecid_obj)
KP Singh423f1612020-11-13 00:59:29 +0000[diff] [blame]212BTF_ID(func, bpf_lsm_task_prctl)
213BTF_ID(func, bpf_lsm_task_setscheduler)
214BTF_ID(func, bpf_lsm_task_to_inode)
215BTF_SET_END(sleepable_lsm_hooks)
216
217bool bpf_lsm_is_sleepable_hook(u32 btf_id)
218{
219 return btf_id_set_contains(&sleepable_lsm_hooks, btf_id);
220}
221
KP Singhfc611f42020-03-29 01:43:49 +0100[diff] [blame]222const struct bpf_prog_ops lsm_prog_ops = {
223};
224
225const struct bpf_verifier_ops lsm_verifier_ops = {
KP Singh30897832020-08-25 20:29:18 +0200[diff] [blame]226 .get_func_proto = bpf_lsm_func_proto,
KP Singhfc611f42020-03-29 01:43:49 +0100[diff] [blame]227 .is_valid_access = btf_ctx_access,
228};