1 // SPDX-License-Identifier: GPL-2.0
2 /* Copyright (c) 2024 Google LLC. */
3
4 #include <linux/bpf.h>
5 #include <linux/bpf_lsm.h>
6 #include <linux/btf.h>
7 #include <linux/btf_ids.h>
8 #include <linux/dcache.h>
9 #include <linux/fs.h>
10 #include <linux/fsnotify.h>
11 #include <linux/file.h>
12 #include <linux/mm.h>
13 #include <linux/xattr.h>
14
15 __bpf_kfunc_start_defs();
16
17 /**
18 * bpf_get_task_exe_file - get a reference on the exe_file struct file member of
19 * the mm_struct that is nested within the supplied
20 * task_struct
21 * @task: task_struct of which the nested mm_struct exe_file member to get a
22 * reference on
23 *
24 * Get a reference on the exe_file struct file member field of the mm_struct
25 * nested within the supplied *task*. The referenced file pointer acquired by
26 * this BPF kfunc must be released using bpf_put_file(). Failing to call
27 * bpf_put_file() on the returned referenced struct file pointer that has been
28 * acquired by this BPF kfunc will result in the BPF program being rejected by
29 * the BPF verifier.
30 *
31 * This BPF kfunc may only be called from BPF LSM programs.
32 *
33 * Internally, this BPF kfunc leans on get_task_exe_file(), such that calling
34 * bpf_get_task_exe_file() would be analogous to calling get_task_exe_file()
35 * directly in kernel context.
36 *
37 * Return: A referenced struct file pointer to the exe_file member of the
38 * mm_struct that is nested within the supplied *task*. On error, NULL is
39 * returned.
40 */
bpf_get_task_exe_file(struct task_struct * task)41 __bpf_kfunc struct file *bpf_get_task_exe_file(struct task_struct *task)
42 {
43 return get_task_exe_file(task);
44 }
45
46 /**
47 * bpf_put_file - put a reference on the supplied file
48 * @file: file to put a reference on
49 *
50 * Put a reference on the supplied *file*. Only referenced file pointers may be
51 * passed to this BPF kfunc. Attempting to pass an unreferenced file pointer, or
52 * any other arbitrary pointer for that matter, will result in the BPF program
53 * being rejected by the BPF verifier.
54 *
55 * This BPF kfunc may only be called from BPF LSM programs.
56 */
bpf_put_file(struct file * file)57 __bpf_kfunc void bpf_put_file(struct file *file)
58 {
59 fput(file);
60 }
61
62 /**
63 * bpf_path_d_path - resolve the pathname for the supplied path
64 * @path: path to resolve the pathname for
65 * @buf: buffer to return the resolved pathname in
66 * @buf__sz: length of the supplied buffer
67 *
68 * Resolve the pathname for the supplied *path* and store it in *buf*. This BPF
69 * kfunc is the safer variant of the legacy bpf_d_path() helper and should be
70 * used in place of bpf_d_path() whenever possible. It enforces KF_TRUSTED_ARGS
71 * semantics, meaning that the supplied *path* must itself hold a valid
72 * reference, or else the BPF program will be outright rejected by the BPF
73 * verifier.
74 *
75 * This BPF kfunc may only be called from BPF LSM programs.
76 *
77 * Return: A positive integer corresponding to the length of the resolved
78 * pathname in *buf*, including the NUL termination character. On error, a
79 * negative integer is returned.
80 */
bpf_path_d_path(struct path * path,char * buf,size_t buf__sz)81 __bpf_kfunc int bpf_path_d_path(struct path *path, char *buf, size_t buf__sz)
82 {
83 int len;
84 char *ret;
85
86 if (!buf__sz)
87 return -EINVAL;
88
89 ret = d_path(path, buf, buf__sz);
90 if (IS_ERR(ret))
91 return PTR_ERR(ret);
92
93 len = buf + buf__sz - ret;
94 memmove(buf, ret, len);
95 return len;
96 }
97
match_security_bpf_prefix(const char * name__str)98 static bool match_security_bpf_prefix(const char *name__str)
99 {
100 return !strncmp(name__str, XATTR_NAME_BPF_LSM, XATTR_NAME_BPF_LSM_LEN);
101 }
102
bpf_xattr_read_permission(const char * name,struct inode * inode)103 static int bpf_xattr_read_permission(const char *name, struct inode *inode)
104 {
105 if (WARN_ON(!inode))
106 return -EINVAL;
107
108 /* Allow reading xattr with user. and security.bpf. prefix */
109 if (strncmp(name, XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN) &&
110 !match_security_bpf_prefix(name))
111 return -EPERM;
112
113 return inode_permission(&nop_mnt_idmap, inode, MAY_READ);
114 }
115
116 /**
117 * bpf_get_dentry_xattr - get xattr of a dentry
118 * @dentry: dentry to get xattr from
119 * @name__str: name of the xattr
120 * @value_p: output buffer of the xattr value
121 *
122 * Get xattr *name__str* of *dentry* and store the output in *value_ptr*.
123 *
124 * For security reasons, only *name__str* with prefixes "user." or
125 * "security.bpf." are allowed.
126 *
127 * Return: length of the xattr value on success, a negative value on error.
128 */
bpf_get_dentry_xattr(struct dentry * dentry,const char * name__str,struct bpf_dynptr * value_p)129 __bpf_kfunc int bpf_get_dentry_xattr(struct dentry *dentry, const char *name__str,
130 struct bpf_dynptr *value_p)
131 {
132 struct bpf_dynptr_kern *value_ptr = (struct bpf_dynptr_kern *)value_p;
133 struct inode *inode = d_inode(dentry);
134 u32 value_len;
135 void *value;
136 int ret;
137
138 value_len = __bpf_dynptr_size(value_ptr);
139 value = __bpf_dynptr_data_rw(value_ptr, value_len);
140 if (!value)
141 return -EINVAL;
142
143 ret = bpf_xattr_read_permission(name__str, inode);
144 if (ret)
145 return ret;
146 return __vfs_getxattr(dentry, inode, name__str, value, value_len);
147 }
148
149 /**
150 * bpf_get_file_xattr - get xattr of a file
151 * @file: file to get xattr from
152 * @name__str: name of the xattr
153 * @value_p: output buffer of the xattr value
154 *
155 * Get xattr *name__str* of *file* and store the output in *value_ptr*.
156 *
157 * For security reasons, only *name__str* with prefixes "user." or
158 * "security.bpf." are allowed.
159 *
160 * Return: length of the xattr value on success, a negative value on error.
161 */
bpf_get_file_xattr(struct file * file,const char * name__str,struct bpf_dynptr * value_p)162 __bpf_kfunc int bpf_get_file_xattr(struct file *file, const char *name__str,
163 struct bpf_dynptr *value_p)
164 {
165 struct dentry *dentry;
166
167 dentry = file_dentry(file);
168 return bpf_get_dentry_xattr(dentry, name__str, value_p);
169 }
170
171 __bpf_kfunc_end_defs();
172
bpf_xattr_write_permission(const char * name,struct inode * inode)173 static int bpf_xattr_write_permission(const char *name, struct inode *inode)
174 {
175 if (WARN_ON(!inode))
176 return -EINVAL;
177
178 /* Only allow setting and removing security.bpf. xattrs */
179 if (!match_security_bpf_prefix(name))
180 return -EPERM;
181
182 return inode_permission(&nop_mnt_idmap, inode, MAY_WRITE);
183 }
184
185 /**
186 * bpf_set_dentry_xattr_locked - set a xattr of a dentry
187 * @dentry: dentry to get xattr from
188 * @name__str: name of the xattr
189 * @value_p: xattr value
190 * @flags: flags to pass into filesystem operations
191 *
192 * Set xattr *name__str* of *dentry* to the value in *value_ptr*.
193 *
194 * For security reasons, only *name__str* with prefix "security.bpf."
195 * is allowed.
196 *
197 * The caller already locked dentry->d_inode.
198 *
199 * Return: 0 on success, a negative value on error.
200 */
bpf_set_dentry_xattr_locked(struct dentry * dentry,const char * name__str,const struct bpf_dynptr * value_p,int flags)201 int bpf_set_dentry_xattr_locked(struct dentry *dentry, const char *name__str,
202 const struct bpf_dynptr *value_p, int flags)
203 {
204
205 struct bpf_dynptr_kern *value_ptr = (struct bpf_dynptr_kern *)value_p;
206 struct inode *inode = d_inode(dentry);
207 const void *value;
208 u32 value_len;
209 int ret;
210
211 value_len = __bpf_dynptr_size(value_ptr);
212 value = __bpf_dynptr_data(value_ptr, value_len);
213 if (!value)
214 return -EINVAL;
215
216 ret = bpf_xattr_write_permission(name__str, inode);
217 if (ret)
218 return ret;
219
220 ret = __vfs_setxattr(&nop_mnt_idmap, dentry, inode, name__str,
221 value, value_len, flags);
222 if (!ret) {
223 fsnotify_xattr(dentry);
224
225 /* This xattr is set by BPF LSM, so we do not call
226 * security_inode_post_setxattr. Otherwise, we would
227 * risk deadlocks by calling back to the same kfunc.
228 *
229 * This is the same as security_inode_setsecurity().
230 */
231 }
232 return ret;
233 }
234
235 /**
236 * bpf_remove_dentry_xattr_locked - remove a xattr of a dentry
237 * @dentry: dentry to get xattr from
238 * @name__str: name of the xattr
239 *
240 * Rmove xattr *name__str* of *dentry*.
241 *
242 * For security reasons, only *name__str* with prefix "security.bpf."
243 * is allowed.
244 *
245 * The caller already locked dentry->d_inode.
246 *
247 * Return: 0 on success, a negative value on error.
248 */
bpf_remove_dentry_xattr_locked(struct dentry * dentry,const char * name__str)249 int bpf_remove_dentry_xattr_locked(struct dentry *dentry, const char *name__str)
250 {
251 struct inode *inode = d_inode(dentry);
252 int ret;
253
254 ret = bpf_xattr_write_permission(name__str, inode);
255 if (ret)
256 return ret;
257
258 ret = __vfs_removexattr(&nop_mnt_idmap, dentry, name__str);
259 if (!ret) {
260 fsnotify_xattr(dentry);
261
262 /* This xattr is removed by BPF LSM, so we do not call
263 * security_inode_post_removexattr. Otherwise, we would
264 * risk deadlocks by calling back to the same kfunc.
265 */
266 }
267 return ret;
268 }
269
270 __bpf_kfunc_start_defs();
271
272 /**
273 * bpf_set_dentry_xattr - set a xattr of a dentry
274 * @dentry: dentry to get xattr from
275 * @name__str: name of the xattr
276 * @value_p: xattr value
277 * @flags: flags to pass into filesystem operations
278 *
279 * Set xattr *name__str* of *dentry* to the value in *value_ptr*.
280 *
281 * For security reasons, only *name__str* with prefix "security.bpf."
282 * is allowed.
283 *
284 * The caller has not locked dentry->d_inode.
285 *
286 * Return: 0 on success, a negative value on error.
287 */
bpf_set_dentry_xattr(struct dentry * dentry,const char * name__str,const struct bpf_dynptr * value_p,int flags)288 __bpf_kfunc int bpf_set_dentry_xattr(struct dentry *dentry, const char *name__str,
289 const struct bpf_dynptr *value_p, int flags)
290 {
291 struct inode *inode = d_inode(dentry);
292 int ret;
293
294 inode_lock(inode);
295 ret = bpf_set_dentry_xattr_locked(dentry, name__str, value_p, flags);
296 inode_unlock(inode);
297 return ret;
298 }
299
300 /**
301 * bpf_remove_dentry_xattr - remove a xattr of a dentry
302 * @dentry: dentry to get xattr from
303 * @name__str: name of the xattr
304 *
305 * Rmove xattr *name__str* of *dentry*.
306 *
307 * For security reasons, only *name__str* with prefix "security.bpf."
308 * is allowed.
309 *
310 * The caller has not locked dentry->d_inode.
311 *
312 * Return: 0 on success, a negative value on error.
313 */
bpf_remove_dentry_xattr(struct dentry * dentry,const char * name__str)314 __bpf_kfunc int bpf_remove_dentry_xattr(struct dentry *dentry, const char *name__str)
315 {
316 struct inode *inode = d_inode(dentry);
317 int ret;
318
319 inode_lock(inode);
320 ret = bpf_remove_dentry_xattr_locked(dentry, name__str);
321 inode_unlock(inode);
322 return ret;
323 }
324
325 __bpf_kfunc_end_defs();
326
327 BTF_KFUNCS_START(bpf_fs_kfunc_set_ids)
328 BTF_ID_FLAGS(func, bpf_get_task_exe_file,
329 KF_ACQUIRE | KF_TRUSTED_ARGS | KF_RET_NULL)
BTF_ID_FLAGS(func,bpf_put_file,KF_RELEASE)330 BTF_ID_FLAGS(func, bpf_put_file, KF_RELEASE)
331 BTF_ID_FLAGS(func, bpf_path_d_path, KF_TRUSTED_ARGS)
332 BTF_ID_FLAGS(func, bpf_get_dentry_xattr, KF_SLEEPABLE | KF_TRUSTED_ARGS)
333 BTF_ID_FLAGS(func, bpf_get_file_xattr, KF_SLEEPABLE | KF_TRUSTED_ARGS)
334 BTF_ID_FLAGS(func, bpf_set_dentry_xattr, KF_SLEEPABLE | KF_TRUSTED_ARGS)
335 BTF_ID_FLAGS(func, bpf_remove_dentry_xattr, KF_SLEEPABLE | KF_TRUSTED_ARGS)
336 BTF_KFUNCS_END(bpf_fs_kfunc_set_ids)
337
338 static int bpf_fs_kfuncs_filter(const struct bpf_prog *prog, u32 kfunc_id)
339 {
340 if (!btf_id_set8_contains(&bpf_fs_kfunc_set_ids, kfunc_id) ||
341 prog->type == BPF_PROG_TYPE_LSM)
342 return 0;
343 return -EACCES;
344 }
345
346 /* bpf_[set|remove]_dentry_xattr.* hooks have KF_TRUSTED_ARGS and
347 * KF_SLEEPABLE, so they are only available to sleepable hooks with
348 * dentry arguments.
349 *
350 * Setting and removing xattr requires exclusive lock on dentry->d_inode.
351 * Some hooks already locked d_inode, while some hooks have not locked
352 * d_inode. Therefore, we need different kfuncs for different hooks.
353 * Specifically, hooks in the following list (d_inode_locked_hooks)
354 * should call bpf_[set|remove]_dentry_xattr_locked; while other hooks
355 * should call bpf_[set|remove]_dentry_xattr.
356 */
357 BTF_SET_START(d_inode_locked_hooks)
BTF_ID(func,bpf_lsm_inode_post_removexattr)358 BTF_ID(func, bpf_lsm_inode_post_removexattr)
359 BTF_ID(func, bpf_lsm_inode_post_setattr)
360 BTF_ID(func, bpf_lsm_inode_post_setxattr)
361 BTF_ID(func, bpf_lsm_inode_removexattr)
362 BTF_ID(func, bpf_lsm_inode_rmdir)
363 BTF_ID(func, bpf_lsm_inode_setattr)
364 BTF_ID(func, bpf_lsm_inode_setxattr)
365 BTF_ID(func, bpf_lsm_inode_unlink)
366 #ifdef CONFIG_SECURITY_PATH
367 BTF_ID(func, bpf_lsm_path_unlink)
368 BTF_ID(func, bpf_lsm_path_rmdir)
369 #endif /* CONFIG_SECURITY_PATH */
370 BTF_SET_END(d_inode_locked_hooks)
371
372 bool bpf_lsm_has_d_inode_locked(const struct bpf_prog *prog)
373 {
374 return btf_id_set_contains(&d_inode_locked_hooks, prog->aux->attach_btf_id);
375 }
376
377 static const struct btf_kfunc_id_set bpf_fs_kfunc_set = {
378 .owner = THIS_MODULE,
379 .set = &bpf_fs_kfunc_set_ids,
380 .filter = bpf_fs_kfuncs_filter,
381 };
382
bpf_fs_kfuncs_init(void)383 static int __init bpf_fs_kfuncs_init(void)
384 {
385 return register_btf_kfunc_id_set(BPF_PROG_TYPE_LSM, &bpf_fs_kfunc_set);
386 }
387
388 late_initcall(bpf_fs_kfuncs_init);
389