1 // SPDX-License-Identifier: GPL-2.0
2 /* Copyright (c) 2024 Google LLC. */
3
4 #include <linux/bpf.h>
5 #include <linux/bpf_lsm.h>
6 #include <linux/btf.h>
7 #include <linux/btf_ids.h>
8 #include <linux/dcache.h>
9 #include <linux/fs.h>
10 #include <linux/fsnotify.h>
11 #include <linux/file.h>
12 #include <linux/kernfs.h>
13 #include <linux/mm.h>
14 #include <linux/xattr.h>
15
16 __bpf_kfunc_start_defs();
17
18 /**
19 * bpf_get_task_exe_file - get a reference on the exe_file struct file member of
20 * the mm_struct that is nested within the supplied
21 * task_struct
22 * @task: task_struct of which the nested mm_struct exe_file member to get a
23 * reference on
24 *
25 * Get a reference on the exe_file struct file member field of the mm_struct
26 * nested within the supplied *task*. The referenced file pointer acquired by
27 * this BPF kfunc must be released using bpf_put_file(). Failing to call
28 * bpf_put_file() on the returned referenced struct file pointer that has been
29 * acquired by this BPF kfunc will result in the BPF program being rejected by
30 * the BPF verifier.
31 *
32 * This BPF kfunc may only be called from BPF LSM programs.
33 *
34 * Internally, this BPF kfunc leans on get_task_exe_file(), such that calling
35 * bpf_get_task_exe_file() would be analogous to calling get_task_exe_file()
36 * directly in kernel context.
37 *
38 * Return: A referenced struct file pointer to the exe_file member of the
39 * mm_struct that is nested within the supplied *task*. On error, NULL is
40 * returned.
41 */
bpf_get_task_exe_file(struct task_struct * task)42 __bpf_kfunc struct file *bpf_get_task_exe_file(struct task_struct *task)
43 {
44 return get_task_exe_file(task);
45 }
46
47 /**
48 * bpf_put_file - put a reference on the supplied file
49 * @file: file to put a reference on
50 *
51 * Put a reference on the supplied *file*. Only referenced file pointers may be
52 * passed to this BPF kfunc. Attempting to pass an unreferenced file pointer, or
53 * any other arbitrary pointer for that matter, will result in the BPF program
54 * being rejected by the BPF verifier.
55 *
56 * This BPF kfunc may only be called from BPF LSM programs.
57 */
bpf_put_file(struct file * file)58 __bpf_kfunc void bpf_put_file(struct file *file)
59 {
60 fput(file);
61 }
62
63 /**
64 * bpf_path_d_path - resolve the pathname for the supplied path
65 * @path: path to resolve the pathname for
66 * @buf: buffer to return the resolved pathname in
67 * @buf__sz: length of the supplied buffer
68 *
69 * Resolve the pathname for the supplied *path* and store it in *buf*. This BPF
70 * kfunc is the safer variant of the legacy bpf_d_path() helper and should be
71 * used in place of bpf_d_path() whenever possible. It enforces KF_TRUSTED_ARGS
72 * semantics, meaning that the supplied *path* must itself hold a valid
73 * reference, or else the BPF program will be outright rejected by the BPF
74 * verifier.
75 *
76 * This BPF kfunc may only be called from BPF LSM programs.
77 *
78 * Return: A positive integer corresponding to the length of the resolved
79 * pathname in *buf*, including the NUL termination character. On error, a
80 * negative integer is returned.
81 */
bpf_path_d_path(struct path * path,char * buf,size_t buf__sz)82 __bpf_kfunc int bpf_path_d_path(struct path *path, char *buf, size_t buf__sz)
83 {
84 int len;
85 char *ret;
86
87 if (!buf__sz)
88 return -EINVAL;
89
90 ret = d_path(path, buf, buf__sz);
91 if (IS_ERR(ret))
92 return PTR_ERR(ret);
93
94 len = buf + buf__sz - ret;
95 memmove(buf, ret, len);
96 return len;
97 }
98
match_security_bpf_prefix(const char * name__str)99 static bool match_security_bpf_prefix(const char *name__str)
100 {
101 return !strncmp(name__str, XATTR_NAME_BPF_LSM, XATTR_NAME_BPF_LSM_LEN);
102 }
103
bpf_xattr_read_permission(const char * name,struct inode * inode)104 static int bpf_xattr_read_permission(const char *name, struct inode *inode)
105 {
106 if (WARN_ON(!inode))
107 return -EINVAL;
108
109 /* Allow reading xattr with user. and security.bpf. prefix */
110 if (strncmp(name, XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN) &&
111 !match_security_bpf_prefix(name))
112 return -EPERM;
113
114 return inode_permission(&nop_mnt_idmap, inode, MAY_READ);
115 }
116
117 /**
118 * bpf_get_dentry_xattr - get xattr of a dentry
119 * @dentry: dentry to get xattr from
120 * @name__str: name of the xattr
121 * @value_p: output buffer of the xattr value
122 *
123 * Get xattr *name__str* of *dentry* and store the output in *value_ptr*.
124 *
125 * For security reasons, only *name__str* with prefixes "user." or
126 * "security.bpf." are allowed.
127 *
128 * Return: length of the xattr value on success, a negative value on error.
129 */
bpf_get_dentry_xattr(struct dentry * dentry,const char * name__str,struct bpf_dynptr * value_p)130 __bpf_kfunc int bpf_get_dentry_xattr(struct dentry *dentry, const char *name__str,
131 struct bpf_dynptr *value_p)
132 {
133 struct bpf_dynptr_kern *value_ptr = (struct bpf_dynptr_kern *)value_p;
134 struct inode *inode = d_inode(dentry);
135 u32 value_len;
136 void *value;
137 int ret;
138
139 value_len = __bpf_dynptr_size(value_ptr);
140 value = __bpf_dynptr_data_rw(value_ptr, value_len);
141 if (!value)
142 return -EINVAL;
143
144 ret = bpf_xattr_read_permission(name__str, inode);
145 if (ret)
146 return ret;
147 return __vfs_getxattr(dentry, inode, name__str, value, value_len);
148 }
149
150 /**
151 * bpf_get_file_xattr - get xattr of a file
152 * @file: file to get xattr from
153 * @name__str: name of the xattr
154 * @value_p: output buffer of the xattr value
155 *
156 * Get xattr *name__str* of *file* and store the output in *value_ptr*.
157 *
158 * For security reasons, only *name__str* with prefixes "user." or
159 * "security.bpf." are allowed.
160 *
161 * Return: length of the xattr value on success, a negative value on error.
162 */
bpf_get_file_xattr(struct file * file,const char * name__str,struct bpf_dynptr * value_p)163 __bpf_kfunc int bpf_get_file_xattr(struct file *file, const char *name__str,
164 struct bpf_dynptr *value_p)
165 {
166 struct dentry *dentry;
167
168 dentry = file_dentry(file);
169 return bpf_get_dentry_xattr(dentry, name__str, value_p);
170 }
171
172 __bpf_kfunc_end_defs();
173
bpf_xattr_write_permission(const char * name,struct inode * inode)174 static int bpf_xattr_write_permission(const char *name, struct inode *inode)
175 {
176 if (WARN_ON(!inode))
177 return -EINVAL;
178
179 /* Only allow setting and removing security.bpf. xattrs */
180 if (!match_security_bpf_prefix(name))
181 return -EPERM;
182
183 return inode_permission(&nop_mnt_idmap, inode, MAY_WRITE);
184 }
185
186 /**
187 * bpf_set_dentry_xattr_locked - set a xattr of a dentry
188 * @dentry: dentry to get xattr from
189 * @name__str: name of the xattr
190 * @value_p: xattr value
191 * @flags: flags to pass into filesystem operations
192 *
193 * Set xattr *name__str* of *dentry* to the value in *value_ptr*.
194 *
195 * For security reasons, only *name__str* with prefix "security.bpf."
196 * is allowed.
197 *
198 * The caller already locked dentry->d_inode.
199 *
200 * Return: 0 on success, a negative value on error.
201 */
bpf_set_dentry_xattr_locked(struct dentry * dentry,const char * name__str,const struct bpf_dynptr * value_p,int flags)202 int bpf_set_dentry_xattr_locked(struct dentry *dentry, const char *name__str,
203 const struct bpf_dynptr *value_p, int flags)
204 {
205
206 struct bpf_dynptr_kern *value_ptr = (struct bpf_dynptr_kern *)value_p;
207 struct inode *inode = d_inode(dentry);
208 const void *value;
209 u32 value_len;
210 int ret;
211
212 value_len = __bpf_dynptr_size(value_ptr);
213 value = __bpf_dynptr_data(value_ptr, value_len);
214 if (!value)
215 return -EINVAL;
216
217 ret = bpf_xattr_write_permission(name__str, inode);
218 if (ret)
219 return ret;
220
221 ret = __vfs_setxattr(&nop_mnt_idmap, dentry, inode, name__str,
222 value, value_len, flags);
223 if (!ret) {
224 fsnotify_xattr(dentry);
225
226 /* This xattr is set by BPF LSM, so we do not call
227 * security_inode_post_setxattr. Otherwise, we would
228 * risk deadlocks by calling back to the same kfunc.
229 *
230 * This is the same as security_inode_setsecurity().
231 */
232 }
233 return ret;
234 }
235
236 /**
237 * bpf_remove_dentry_xattr_locked - remove a xattr of a dentry
238 * @dentry: dentry to get xattr from
239 * @name__str: name of the xattr
240 *
241 * Rmove xattr *name__str* of *dentry*.
242 *
243 * For security reasons, only *name__str* with prefix "security.bpf."
244 * is allowed.
245 *
246 * The caller already locked dentry->d_inode.
247 *
248 * Return: 0 on success, a negative value on error.
249 */
bpf_remove_dentry_xattr_locked(struct dentry * dentry,const char * name__str)250 int bpf_remove_dentry_xattr_locked(struct dentry *dentry, const char *name__str)
251 {
252 struct inode *inode = d_inode(dentry);
253 int ret;
254
255 ret = bpf_xattr_write_permission(name__str, inode);
256 if (ret)
257 return ret;
258
259 ret = __vfs_removexattr(&nop_mnt_idmap, dentry, name__str);
260 if (!ret) {
261 fsnotify_xattr(dentry);
262
263 /* This xattr is removed by BPF LSM, so we do not call
264 * security_inode_post_removexattr. Otherwise, we would
265 * risk deadlocks by calling back to the same kfunc.
266 */
267 }
268 return ret;
269 }
270
271 __bpf_kfunc_start_defs();
272
273 /**
274 * bpf_set_dentry_xattr - set a xattr of a dentry
275 * @dentry: dentry to get xattr from
276 * @name__str: name of the xattr
277 * @value_p: xattr value
278 * @flags: flags to pass into filesystem operations
279 *
280 * Set xattr *name__str* of *dentry* to the value in *value_ptr*.
281 *
282 * For security reasons, only *name__str* with prefix "security.bpf."
283 * is allowed.
284 *
285 * The caller has not locked dentry->d_inode.
286 *
287 * Return: 0 on success, a negative value on error.
288 */
bpf_set_dentry_xattr(struct dentry * dentry,const char * name__str,const struct bpf_dynptr * value_p,int flags)289 __bpf_kfunc int bpf_set_dentry_xattr(struct dentry *dentry, const char *name__str,
290 const struct bpf_dynptr *value_p, int flags)
291 {
292 struct inode *inode = d_inode(dentry);
293 int ret;
294
295 inode_lock(inode);
296 ret = bpf_set_dentry_xattr_locked(dentry, name__str, value_p, flags);
297 inode_unlock(inode);
298 return ret;
299 }
300
301 /**
302 * bpf_remove_dentry_xattr - remove a xattr of a dentry
303 * @dentry: dentry to get xattr from
304 * @name__str: name of the xattr
305 *
306 * Rmove xattr *name__str* of *dentry*.
307 *
308 * For security reasons, only *name__str* with prefix "security.bpf."
309 * is allowed.
310 *
311 * The caller has not locked dentry->d_inode.
312 *
313 * Return: 0 on success, a negative value on error.
314 */
bpf_remove_dentry_xattr(struct dentry * dentry,const char * name__str)315 __bpf_kfunc int bpf_remove_dentry_xattr(struct dentry *dentry, const char *name__str)
316 {
317 struct inode *inode = d_inode(dentry);
318 int ret;
319
320 inode_lock(inode);
321 ret = bpf_remove_dentry_xattr_locked(dentry, name__str);
322 inode_unlock(inode);
323 return ret;
324 }
325
326 #ifdef CONFIG_CGROUPS
327 /**
328 * bpf_cgroup_read_xattr - read xattr of a cgroup's node in cgroupfs
329 * @cgroup: cgroup to get xattr from
330 * @name__str: name of the xattr
331 * @value_p: output buffer of the xattr value
332 *
333 * Get xattr *name__str* of *cgroup* and store the output in *value_ptr*.
334 *
335 * For security reasons, only *name__str* with prefix "user." is allowed.
336 *
337 * Return: length of the xattr value on success, a negative value on error.
338 */
bpf_cgroup_read_xattr(struct cgroup * cgroup,const char * name__str,struct bpf_dynptr * value_p)339 __bpf_kfunc int bpf_cgroup_read_xattr(struct cgroup *cgroup, const char *name__str,
340 struct bpf_dynptr *value_p)
341 {
342 struct bpf_dynptr_kern *value_ptr = (struct bpf_dynptr_kern *)value_p;
343 u32 value_len;
344 void *value;
345
346 /* Only allow reading "user.*" xattrs */
347 if (strncmp(name__str, XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN))
348 return -EPERM;
349
350 value_len = __bpf_dynptr_size(value_ptr);
351 value = __bpf_dynptr_data_rw(value_ptr, value_len);
352 if (!value)
353 return -EINVAL;
354
355 return kernfs_xattr_get(cgroup->kn, name__str, value, value_len);
356 }
357 #endif /* CONFIG_CGROUPS */
358
359 __bpf_kfunc_end_defs();
360
361 BTF_KFUNCS_START(bpf_fs_kfunc_set_ids)
362 BTF_ID_FLAGS(func, bpf_get_task_exe_file,
363 KF_ACQUIRE | KF_TRUSTED_ARGS | KF_RET_NULL)
BTF_ID_FLAGS(func,bpf_put_file,KF_RELEASE)364 BTF_ID_FLAGS(func, bpf_put_file, KF_RELEASE)
365 BTF_ID_FLAGS(func, bpf_path_d_path, KF_TRUSTED_ARGS)
366 BTF_ID_FLAGS(func, bpf_get_dentry_xattr, KF_SLEEPABLE | KF_TRUSTED_ARGS)
367 BTF_ID_FLAGS(func, bpf_get_file_xattr, KF_SLEEPABLE | KF_TRUSTED_ARGS)
368 BTF_ID_FLAGS(func, bpf_set_dentry_xattr, KF_SLEEPABLE | KF_TRUSTED_ARGS)
369 BTF_ID_FLAGS(func, bpf_remove_dentry_xattr, KF_SLEEPABLE | KF_TRUSTED_ARGS)
370 BTF_KFUNCS_END(bpf_fs_kfunc_set_ids)
371
372 static int bpf_fs_kfuncs_filter(const struct bpf_prog *prog, u32 kfunc_id)
373 {
374 if (!btf_id_set8_contains(&bpf_fs_kfunc_set_ids, kfunc_id) ||
375 prog->type == BPF_PROG_TYPE_LSM)
376 return 0;
377 return -EACCES;
378 }
379
380 /* bpf_[set|remove]_dentry_xattr.* hooks have KF_TRUSTED_ARGS and
381 * KF_SLEEPABLE, so they are only available to sleepable hooks with
382 * dentry arguments.
383 *
384 * Setting and removing xattr requires exclusive lock on dentry->d_inode.
385 * Some hooks already locked d_inode, while some hooks have not locked
386 * d_inode. Therefore, we need different kfuncs for different hooks.
387 * Specifically, hooks in the following list (d_inode_locked_hooks)
388 * should call bpf_[set|remove]_dentry_xattr_locked; while other hooks
389 * should call bpf_[set|remove]_dentry_xattr.
390 */
391 BTF_SET_START(d_inode_locked_hooks)
BTF_ID(func,bpf_lsm_inode_post_removexattr)392 BTF_ID(func, bpf_lsm_inode_post_removexattr)
393 BTF_ID(func, bpf_lsm_inode_post_setattr)
394 BTF_ID(func, bpf_lsm_inode_post_setxattr)
395 BTF_ID(func, bpf_lsm_inode_removexattr)
396 BTF_ID(func, bpf_lsm_inode_rmdir)
397 BTF_ID(func, bpf_lsm_inode_setattr)
398 BTF_ID(func, bpf_lsm_inode_setxattr)
399 BTF_ID(func, bpf_lsm_inode_unlink)
400 #ifdef CONFIG_SECURITY_PATH
401 BTF_ID(func, bpf_lsm_path_unlink)
402 BTF_ID(func, bpf_lsm_path_rmdir)
403 #endif /* CONFIG_SECURITY_PATH */
404 BTF_SET_END(d_inode_locked_hooks)
405
406 bool bpf_lsm_has_d_inode_locked(const struct bpf_prog *prog)
407 {
408 return btf_id_set_contains(&d_inode_locked_hooks, prog->aux->attach_btf_id);
409 }
410
411 static const struct btf_kfunc_id_set bpf_fs_kfunc_set = {
412 .owner = THIS_MODULE,
413 .set = &bpf_fs_kfunc_set_ids,
414 .filter = bpf_fs_kfuncs_filter,
415 };
416
bpf_fs_kfuncs_init(void)417 static int __init bpf_fs_kfuncs_init(void)
418 {
419 return register_btf_kfunc_id_set(BPF_PROG_TYPE_LSM, &bpf_fs_kfunc_set);
420 }
421
422 late_initcall(bpf_fs_kfuncs_init);
423