// SPDX-License-Identifier: GPL-2.0 /* Copyright (c) 2022 Red hat */ #include "hid_bpf_helpers.h" char _license[] SEC("license") = "GPL"; struct attach_prog_args { int prog_fd; unsigned int hid; int retval; int insert_head; }; __u64 callback_check = 52; __u64 callback2_check = 52; SEC("?struct_ops/hid_device_event") int BPF_PROG(hid_first_event, struct hid_bpf_ctx *hid_ctx, enum hid_report_type type) { __u8 *rw_data = hid_bpf_get_data(hid_ctx, 0 /* offset */, 3 /* size */); if (!rw_data) return 0; /* EPERM check */ callback_check = rw_data[1]; rw_data[2] = rw_data[1] + 5; return hid_ctx->size; } SEC(".struct_ops.link") struct hid_bpf_ops first_event = { .hid_device_event = (void *)hid_first_event, .hid_id = 2, }; int __hid_subprog_first_event(struct hid_bpf_ctx *hid_ctx, enum hid_report_type type) { __u8 *rw_data = hid_bpf_get_data(hid_ctx, 0 /* offset */, 3 /* size */); if (!rw_data) return 0; /* EPERM check */ rw_data[2] = rw_data[1] + 5; return hid_ctx->size; } SEC("?struct_ops/hid_device_event") int BPF_PROG(hid_subprog_first_event, struct hid_bpf_ctx *hid_ctx, enum hid_report_type type) { return __hid_subprog_first_event(hid_ctx, type); } SEC(".struct_ops.link") struct hid_bpf_ops subprog_first_event = { .hid_device_event = (void *)hid_subprog_first_event, .hid_id = 2, }; SEC("?struct_ops/hid_device_event") int BPF_PROG(hid_second_event, struct hid_bpf_ctx *hid_ctx, enum hid_report_type type) { __u8 *rw_data = hid_bpf_get_data(hid_ctx, 0 /* offset */, 4 /* size */); if (!rw_data) return 0; /* EPERM check */ rw_data[3] = rw_data[2] + 5; return hid_ctx->size; } SEC(".struct_ops.link") struct hid_bpf_ops second_event = { .hid_device_event = (void *)hid_second_event, }; SEC("?struct_ops/hid_device_event") int BPF_PROG(hid_change_report_id, struct hid_bpf_ctx *hid_ctx, enum hid_report_type type) { __u8 *rw_data = hid_bpf_get_data(hid_ctx, 0 /* offset */, 3 /* size */); if (!rw_data) return 0; /* EPERM check */ rw_data[0] = 2; return 9; } SEC(".struct_ops.link") struct hid_bpf_ops change_report_id = { .hid_device_event = (void *)hid_change_report_id, }; struct hid_hw_request_syscall_args { /* data needs to come at offset 0 so we can use it in calls */ __u8 data[10]; unsigned int hid; int retval; size_t size; enum hid_report_type type; __u8 request_type; }; SEC("syscall") int hid_user_raw_request(struct hid_hw_request_syscall_args *args) { struct hid_bpf_ctx *ctx; const size_t size = args->size; int i, ret = 0; if (size > sizeof(args->data)) return -7; /* -E2BIG */ ctx = hid_bpf_allocate_context(args->hid); if (!ctx) return -1; /* EPERM check */ ret = hid_bpf_hw_request(ctx, args->data, size, args->type, args->request_type); args->retval = ret; hid_bpf_release_context(ctx); return 0; } SEC("syscall") int hid_user_output_report(struct hid_hw_request_syscall_args *args) { struct hid_bpf_ctx *ctx; const size_t size = args->size; int i, ret = 0; if (size > sizeof(args->data)) return -7; /* -E2BIG */ ctx = hid_bpf_allocate_context(args->hid); if (!ctx) return -1; /* EPERM check */ ret = hid_bpf_hw_output_report(ctx, args->data, size); args->retval = ret; hid_bpf_release_context(ctx); return 0; } SEC("syscall") int hid_user_input_report(struct hid_hw_request_syscall_args *args) { struct hid_bpf_ctx *ctx; const size_t size = args->size; int i, ret = 0; if (size > sizeof(args->data)) return -7; /* -E2BIG */ ctx = hid_bpf_allocate_context(args->hid); if (!ctx) return -1; /* EPERM check */ ret = hid_bpf_input_report(ctx, HID_INPUT_REPORT, args->data, size); args->retval = ret; hid_bpf_release_context(ctx); return 0; } static const __u8 rdesc[] = { 0x05, 0x01, /* USAGE_PAGE (Generic Desktop) */ 0x09, 0x32, /* USAGE (Z) */ 0x95, 0x01, /* REPORT_COUNT (1) */ 0x81, 0x06, /* INPUT (Data,Var,Rel) */ 0x06, 0x00, 0xff, /* Usage Page (Vendor Defined Page 1) */ 0x19, 0x01, /* USAGE_MINIMUM (1) */ 0x29, 0x03, /* USAGE_MAXIMUM (3) */ 0x15, 0x00, /* LOGICAL_MINIMUM (0) */ 0x25, 0x01, /* LOGICAL_MAXIMUM (1) */ 0x95, 0x03, /* REPORT_COUNT (3) */ 0x75, 0x01, /* REPORT_SIZE (1) */ 0x91, 0x02, /* Output (Data,Var,Abs) */ 0x95, 0x01, /* REPORT_COUNT (1) */ 0x75, 0x05, /* REPORT_SIZE (5) */ 0x91, 0x01, /* Output (Cnst,Var,Abs) */ 0x06, 0x00, 0xff, /* Usage Page (Vendor Defined Page 1) */ 0x19, 0x06, /* USAGE_MINIMUM (6) */ 0x29, 0x08, /* USAGE_MAXIMUM (8) */ 0x15, 0x00, /* LOGICAL_MINIMUM (0) */ 0x25, 0x01, /* LOGICAL_MAXIMUM (1) */ 0x95, 0x03, /* REPORT_COUNT (3) */ 0x75, 0x01, /* REPORT_SIZE (1) */ 0xb1, 0x02, /* Feature (Data,Var,Abs) */ 0x95, 0x01, /* REPORT_COUNT (1) */ 0x75, 0x05, /* REPORT_SIZE (5) */ 0x91, 0x01, /* Output (Cnst,Var,Abs) */ 0xc0, /* END_COLLECTION */ 0xc0, /* END_COLLECTION */ }; /* * the following program is marked as sleepable (struct_ops.s). * This is not strictly mandatory but is a nice test for * sleepable struct_ops */ SEC("?struct_ops.s/hid_rdesc_fixup") int BPF_PROG(hid_rdesc_fixup, struct hid_bpf_ctx *hid_ctx) { __u8 *data = hid_bpf_get_data(hid_ctx, 0 /* offset */, 4096 /* size */); if (!data) return 0; /* EPERM check */ callback2_check = data[4]; /* insert rdesc at offset 73 */ __builtin_memcpy(&data[73], rdesc, sizeof(rdesc)); /* Change Usage Vendor globally */ data[4] = 0x42; return sizeof(rdesc) + 73; } SEC(".struct_ops.link") struct hid_bpf_ops rdesc_fixup = { .hid_rdesc_fixup = (void *)hid_rdesc_fixup, }; SEC("?struct_ops/hid_device_event") int BPF_PROG(hid_test_insert1, struct hid_bpf_ctx *hid_ctx, enum hid_report_type type) { __u8 *data = hid_bpf_get_data(hid_ctx, 0 /* offset */, 4 /* size */); if (!data) return 0; /* EPERM check */ /* we need to be run first */ if (data[2] || data[3]) return -1; data[1] = 1; return 0; } SEC(".struct_ops.link") struct hid_bpf_ops test_insert1 = { .hid_device_event = (void *)hid_test_insert1, .flags = BPF_F_BEFORE, }; SEC("?struct_ops/hid_device_event") int BPF_PROG(hid_test_insert2, struct hid_bpf_ctx *hid_ctx, enum hid_report_type type) { __u8 *data = hid_bpf_get_data(hid_ctx, 0 /* offset */, 4 /* size */); if (!data) return 0; /* EPERM check */ /* after insert0 and before insert2 */ if (!data[1] || data[3]) return -1; data[2] = 2; return 0; } SEC(".struct_ops.link") struct hid_bpf_ops test_insert2 = { .hid_device_event = (void *)hid_test_insert2, }; SEC("?struct_ops/hid_device_event") int BPF_PROG(hid_test_insert3, struct hid_bpf_ctx *hid_ctx, enum hid_report_type type) { __u8 *data = hid_bpf_get_data(hid_ctx, 0 /* offset */, 4 /* size */); if (!data) return 0; /* EPERM check */ /* at the end */ if (!data[1] || !data[2]) return -1; data[3] = 3; return 0; } SEC(".struct_ops.link") struct hid_bpf_ops test_insert3 = { .hid_device_event = (void *)hid_test_insert3, }; SEC("?struct_ops/hid_hw_request") int BPF_PROG(hid_test_filter_raw_request, struct hid_bpf_ctx *hctx, unsigned char reportnum, enum hid_report_type rtype, enum hid_class_request reqtype, __u64 source) { return -20; } SEC(".struct_ops.link") struct hid_bpf_ops test_filter_raw_request = { .hid_hw_request = (void *)hid_test_filter_raw_request, }; static struct file *current_file; SEC("fentry/hidraw_open") int BPF_PROG(hidraw_open, struct inode *inode, struct file *file) { current_file = file; return 0; } SEC("?struct_ops.s/hid_hw_request") int BPF_PROG(hid_test_hidraw_raw_request, struct hid_bpf_ctx *hctx, unsigned char reportnum, enum hid_report_type rtype, enum hid_class_request reqtype, __u64 source) { __u8 *data = hid_bpf_get_data(hctx, 0 /* offset */, 3 /* size */); int ret; if (!data) return 0; /* EPERM check */ /* check if the incoming request comes from our hidraw operation */ if (source == (__u64)current_file) { data[0] = reportnum; ret = hid_bpf_hw_request(hctx, data, 2, rtype, reqtype); if (ret != 2) return -1; data[0] = reportnum + 1; data[1] = reportnum + 2; data[2] = reportnum + 3; return 3; } return 0; } SEC(".struct_ops.link") struct hid_bpf_ops test_hidraw_raw_request = { .hid_hw_request = (void *)hid_test_hidraw_raw_request, }; SEC("?struct_ops.s/hid_hw_request") int BPF_PROG(hid_test_infinite_loop_raw_request, struct hid_bpf_ctx *hctx, unsigned char reportnum, enum hid_report_type rtype, enum hid_class_request reqtype, __u64 source) { __u8 *data = hid_bpf_get_data(hctx, 0 /* offset */, 3 /* size */); int ret; if (!data) return 0; /* EPERM check */ /* always forward the request as-is to the device, hid-bpf should prevent * infinite loops. */ data[0] = reportnum; ret = hid_bpf_hw_request(hctx, data, 2, rtype, reqtype); if (ret == 2) return 3; return 0; } SEC(".struct_ops.link") struct hid_bpf_ops test_infinite_loop_raw_request = { .hid_hw_request = (void *)hid_test_infinite_loop_raw_request, }; SEC("?struct_ops/hid_hw_output_report") int BPF_PROG(hid_test_filter_output_report, struct hid_bpf_ctx *hctx, unsigned char reportnum, enum hid_report_type rtype, enum hid_class_request reqtype, __u64 source) { return -25; } SEC(".struct_ops.link") struct hid_bpf_ops test_filter_output_report = { .hid_hw_output_report = (void *)hid_test_filter_output_report, }; SEC("?struct_ops.s/hid_hw_output_report") int BPF_PROG(hid_test_hidraw_output_report, struct hid_bpf_ctx *hctx, __u64 source) { __u8 *data = hid_bpf_get_data(hctx, 0 /* offset */, 3 /* size */); int ret; if (!data) return 0; /* EPERM check */ /* check if the incoming request comes from our hidraw operation */ if (source == (__u64)current_file) return hid_bpf_hw_output_report(hctx, data, 2); return 0; } SEC(".struct_ops.link") struct hid_bpf_ops test_hidraw_output_report = { .hid_hw_output_report = (void *)hid_test_hidraw_output_report, }; SEC("?struct_ops.s/hid_hw_output_report") int BPF_PROG(hid_test_infinite_loop_output_report, struct hid_bpf_ctx *hctx, __u64 source) { __u8 *data = hid_bpf_get_data(hctx, 0 /* offset */, 3 /* size */); int ret; if (!data) return 0; /* EPERM check */ /* always forward the request as-is to the device, hid-bpf should prevent * infinite loops. */ ret = hid_bpf_hw_output_report(hctx, data, 2); if (ret == 2) return 2; return 0; } SEC(".struct_ops.link") struct hid_bpf_ops test_infinite_loop_output_report = { .hid_hw_output_report = (void *)hid_test_infinite_loop_output_report, }; struct elem { struct bpf_wq work; }; struct { __uint(type, BPF_MAP_TYPE_HASH); __uint(max_entries, 1); __type(key, int); __type(value, struct elem); } hmap SEC(".maps"); static int wq_cb_sleepable(void *map, int *key, struct bpf_wq *work) { __u8 buf[9] = {2, 3, 4, 5, 6, 7, 8, 9, 10}; struct hid_bpf_ctx *hid_ctx; hid_ctx = hid_bpf_allocate_context(*key); if (!hid_ctx) return 0; /* EPERM check */ hid_bpf_input_report(hid_ctx, HID_INPUT_REPORT, buf, sizeof(buf)); hid_bpf_release_context(hid_ctx); return 0; } static int test_inject_input_report_callback(int *key) { struct elem init = {}, *val; struct bpf_wq *wq; if (bpf_map_update_elem(&hmap, key, &init, 0)) return -1; val = bpf_map_lookup_elem(&hmap, key); if (!val) return -2; wq = &val->work; if (bpf_wq_init(wq, &hmap, 0) != 0) return -3; if (bpf_wq_set_callback(wq, wq_cb_sleepable, 0)) return -4; if (bpf_wq_start(wq, 0)) return -5; return 0; } SEC("?struct_ops/hid_device_event") int BPF_PROG(hid_test_multiply_events_wq, struct hid_bpf_ctx *hid_ctx, enum hid_report_type type) { __u8 *data = hid_bpf_get_data(hid_ctx, 0 /* offset */, 9 /* size */); int hid = hid_ctx->hid->id; int ret; if (!data) return 0; /* EPERM check */ if (data[0] != 1) return 0; ret = test_inject_input_report_callback(&hid); if (ret) return ret; data[1] += 5; return 0; } SEC(".struct_ops.link") struct hid_bpf_ops test_multiply_events_wq = { .hid_device_event = (void *)hid_test_multiply_events_wq, }; SEC("?struct_ops/hid_device_event") int BPF_PROG(hid_test_multiply_events, struct hid_bpf_ctx *hid_ctx, enum hid_report_type type) { __u8 *data = hid_bpf_get_data(hid_ctx, 0 /* offset */, 9 /* size */); __u8 buf[9]; int ret; if (!data) return 0; /* EPERM check */ if (data[0] != 1) return 0; /* * we have to use an intermediate buffer as hid_bpf_input_report * will memset data to \0 */ __builtin_memcpy(buf, data, sizeof(buf)); buf[0] = 2; buf[1] += 5; ret = hid_bpf_try_input_report(hid_ctx, HID_INPUT_REPORT, buf, sizeof(buf)); if (ret < 0) return ret; /* * In real world we should reset the original buffer as data might be garbage now, * but it actually now has the content of 'buf' */ data[1] += 5; return 9; } SEC(".struct_ops.link") struct hid_bpf_ops test_multiply_events = { .hid_device_event = (void *)hid_test_multiply_events, }; SEC("?struct_ops/hid_device_event") int BPF_PROG(hid_test_infinite_loop_input_report, struct hid_bpf_ctx *hctx, enum hid_report_type report_type, __u64 source) { __u8 *data = hid_bpf_get_data(hctx, 0 /* offset */, 6 /* size */); __u8 buf[6]; if (!data) return 0; /* EPERM check */ /* * we have to use an intermediate buffer as hid_bpf_input_report * will memset data to \0 */ __builtin_memcpy(buf, data, sizeof(buf)); /* always forward the request as-is to the device, hid-bpf should prevent * infinite loops. * the return value is ignored so the event is passing to userspace. */ hid_bpf_try_input_report(hctx, report_type, buf, sizeof(buf)); /* each time we process the event, we increment by one data[1]: * after each successful call to hid_bpf_try_input_report, buf * has been memcopied into data by the kernel. */ data[1] += 1; return 0; } SEC(".struct_ops.link") struct hid_bpf_ops test_infinite_loop_input_report = { .hid_device_event = (void *)hid_test_infinite_loop_input_report, };