1 // SPDX-License-Identifier: GPL-2.0 2 /* Copyright (c) 2024 Google LLC. */ 3 4 #include <linux/bpf.h> 5 #include <linux/bpf_lsm.h> 6 #include <linux/btf.h> 7 #include <linux/btf_ids.h> 8 #include <linux/dcache.h> 9 #include <linux/fs.h> 10 #include <linux/fsnotify.h> 11 #include <linux/file.h> 12 #include <linux/kernfs.h> 13 #include <linux/mm.h> 14 #include <linux/xattr.h> 15 16 __bpf_kfunc_start_defs(); 17 18 /** 19 * bpf_get_task_exe_file - get a reference on the exe_file struct file member of 20 * the mm_struct that is nested within the supplied 21 * task_struct 22 * @task: task_struct of which the nested mm_struct exe_file member to get a 23 * reference on 24 * 25 * Get a reference on the exe_file struct file member field of the mm_struct 26 * nested within the supplied *task*. The referenced file pointer acquired by 27 * this BPF kfunc must be released using bpf_put_file(). Failing to call 28 * bpf_put_file() on the returned referenced struct file pointer that has been 29 * acquired by this BPF kfunc will result in the BPF program being rejected by 30 * the BPF verifier. 31 * 32 * This BPF kfunc may only be called from BPF LSM programs. 33 * 34 * Internally, this BPF kfunc leans on get_task_exe_file(), such that calling 35 * bpf_get_task_exe_file() would be analogous to calling get_task_exe_file() 36 * directly in kernel context. 37 * 38 * Return: A referenced struct file pointer to the exe_file member of the 39 * mm_struct that is nested within the supplied *task*. On error, NULL is 40 * returned. 41 */ 42 __bpf_kfunc struct file *bpf_get_task_exe_file(struct task_struct *task) 43 { 44 return get_task_exe_file(task); 45 } 46 47 /** 48 * bpf_put_file - put a reference on the supplied file 49 * @file: file to put a reference on 50 * 51 * Put a reference on the supplied *file*. Only referenced file pointers may be 52 * passed to this BPF kfunc. Attempting to pass an unreferenced file pointer, or 53 * any other arbitrary pointer for that matter, will result in the BPF program 54 * being rejected by the BPF verifier. 55 * 56 * This BPF kfunc may only be called from BPF LSM programs. 57 */ 58 __bpf_kfunc void bpf_put_file(struct file *file) 59 { 60 fput(file); 61 } 62 63 /** 64 * bpf_path_d_path - resolve the pathname for the supplied path 65 * @path: path to resolve the pathname for 66 * @buf: buffer to return the resolved pathname in 67 * @buf__sz: length of the supplied buffer 68 * 69 * Resolve the pathname for the supplied *path* and store it in *buf*. This BPF 70 * kfunc is the safer variant of the legacy bpf_d_path() helper and should be 71 * used in place of bpf_d_path() whenever possible. 72 * 73 * This BPF kfunc may only be called from BPF LSM programs. 74 * 75 * Return: A positive integer corresponding to the length of the resolved 76 * pathname in *buf*, including the NUL termination character. On error, a 77 * negative integer is returned. 78 */ 79 __bpf_kfunc int bpf_path_d_path(const struct path *path, char *buf, size_t buf__sz) 80 { 81 int len; 82 char *ret; 83 84 if (!buf__sz) 85 return -EINVAL; 86 87 ret = d_path(path, buf, buf__sz); 88 if (IS_ERR(ret)) 89 return PTR_ERR(ret); 90 91 len = buf + buf__sz - ret; 92 memmove(buf, ret, len); 93 return len; 94 } 95 96 static bool match_security_bpf_prefix(const char *name__str) 97 { 98 return !strncmp(name__str, XATTR_NAME_BPF_LSM, XATTR_NAME_BPF_LSM_LEN); 99 } 100 101 static int bpf_xattr_read_permission(const char *name, struct inode *inode) 102 { 103 if (!inode) 104 return -EINVAL; 105 106 /* Allow reading xattr with user. and security.bpf. prefix */ 107 if (strncmp(name, XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN) && 108 !match_security_bpf_prefix(name)) 109 return -EPERM; 110 111 return inode_permission(&nop_mnt_idmap, inode, MAY_READ); 112 } 113 114 /** 115 * bpf_get_dentry_xattr - get xattr of a dentry 116 * @dentry: dentry to get xattr from 117 * @name__str: name of the xattr 118 * @value_p: output buffer of the xattr value 119 * 120 * Get xattr *name__str* of *dentry* and store the output in *value_ptr*. 121 * 122 * For security reasons, only *name__str* with prefixes "user." or 123 * "security.bpf." are allowed. 124 * 125 * Return: length of the xattr value on success, a negative value on error. 126 */ 127 __bpf_kfunc int bpf_get_dentry_xattr(struct dentry *dentry, const char *name__str, 128 struct bpf_dynptr *value_p) 129 { 130 struct bpf_dynptr_kern *value_ptr = (struct bpf_dynptr_kern *)value_p; 131 struct inode *inode = d_inode(dentry); 132 u32 value_len; 133 void *value; 134 int ret; 135 136 value_len = __bpf_dynptr_size(value_ptr); 137 value = __bpf_dynptr_data_rw(value_ptr, value_len); 138 if (!value) 139 return -EINVAL; 140 141 ret = bpf_xattr_read_permission(name__str, inode); 142 if (ret) 143 return ret; 144 return __vfs_getxattr(dentry, inode, name__str, value, value_len); 145 } 146 147 /** 148 * bpf_get_file_xattr - get xattr of a file 149 * @file: file to get xattr from 150 * @name__str: name of the xattr 151 * @value_p: output buffer of the xattr value 152 * 153 * Get xattr *name__str* of *file* and store the output in *value_ptr*. 154 * 155 * For security reasons, only *name__str* with prefixes "user." or 156 * "security.bpf." are allowed. 157 * 158 * Return: length of the xattr value on success, a negative value on error. 159 */ 160 __bpf_kfunc int bpf_get_file_xattr(struct file *file, const char *name__str, 161 struct bpf_dynptr *value_p) 162 { 163 struct dentry *dentry; 164 165 dentry = file_dentry(file); 166 return bpf_get_dentry_xattr(dentry, name__str, value_p); 167 } 168 169 __bpf_kfunc_end_defs(); 170 171 static int bpf_xattr_write_permission(const char *name, struct inode *inode) 172 { 173 if (!inode) 174 return -EINVAL; 175 176 /* Only allow setting and removing security.bpf. xattrs */ 177 if (!match_security_bpf_prefix(name)) 178 return -EPERM; 179 180 return inode_permission(&nop_mnt_idmap, inode, MAY_WRITE); 181 } 182 183 /** 184 * bpf_set_dentry_xattr_locked - set a xattr of a dentry 185 * @dentry: dentry to get xattr from 186 * @name__str: name of the xattr 187 * @value_p: xattr value 188 * @flags: flags to pass into filesystem operations 189 * 190 * Set xattr *name__str* of *dentry* to the value in *value_ptr*. 191 * 192 * For security reasons, only *name__str* with prefix "security.bpf." 193 * is allowed. 194 * 195 * The caller already locked dentry->d_inode. 196 * 197 * Return: 0 on success, a negative value on error. 198 */ 199 int bpf_set_dentry_xattr_locked(struct dentry *dentry, const char *name__str, 200 const struct bpf_dynptr *value_p, int flags) 201 { 202 203 struct bpf_dynptr_kern *value_ptr = (struct bpf_dynptr_kern *)value_p; 204 struct inode *inode = d_inode(dentry); 205 const void *value; 206 u32 value_len; 207 int ret; 208 209 value_len = __bpf_dynptr_size(value_ptr); 210 value = __bpf_dynptr_data(value_ptr, value_len); 211 if (!value) 212 return -EINVAL; 213 214 ret = bpf_xattr_write_permission(name__str, inode); 215 if (ret) 216 return ret; 217 218 ret = __vfs_setxattr(&nop_mnt_idmap, dentry, inode, name__str, 219 value, value_len, flags); 220 if (!ret) { 221 fsnotify_xattr(dentry); 222 223 /* This xattr is set by BPF LSM, so we do not call 224 * security_inode_post_setxattr. Otherwise, we would 225 * risk deadlocks by calling back to the same kfunc. 226 * 227 * This is the same as security_inode_setsecurity(). 228 */ 229 } 230 return ret; 231 } 232 233 /** 234 * bpf_remove_dentry_xattr_locked - remove a xattr of a dentry 235 * @dentry: dentry to get xattr from 236 * @name__str: name of the xattr 237 * 238 * Rmove xattr *name__str* of *dentry*. 239 * 240 * For security reasons, only *name__str* with prefix "security.bpf." 241 * is allowed. 242 * 243 * The caller already locked dentry->d_inode. 244 * 245 * Return: 0 on success, a negative value on error. 246 */ 247 int bpf_remove_dentry_xattr_locked(struct dentry *dentry, const char *name__str) 248 { 249 struct inode *inode = d_inode(dentry); 250 int ret; 251 252 ret = bpf_xattr_write_permission(name__str, inode); 253 if (ret) 254 return ret; 255 256 ret = __vfs_removexattr(&nop_mnt_idmap, dentry, name__str); 257 if (!ret) { 258 fsnotify_xattr(dentry); 259 260 /* This xattr is removed by BPF LSM, so we do not call 261 * security_inode_post_removexattr. Otherwise, we would 262 * risk deadlocks by calling back to the same kfunc. 263 */ 264 } 265 return ret; 266 } 267 268 __bpf_kfunc_start_defs(); 269 270 /** 271 * bpf_set_dentry_xattr - set a xattr of a dentry 272 * @dentry: dentry to get xattr from 273 * @name__str: name of the xattr 274 * @value_p: xattr value 275 * @flags: flags to pass into filesystem operations 276 * 277 * Set xattr *name__str* of *dentry* to the value in *value_ptr*. 278 * 279 * For security reasons, only *name__str* with prefix "security.bpf." 280 * is allowed. 281 * 282 * The caller has not locked dentry->d_inode. 283 * 284 * Return: 0 on success, a negative value on error. 285 */ 286 __bpf_kfunc int bpf_set_dentry_xattr(struct dentry *dentry, const char *name__str, 287 const struct bpf_dynptr *value_p, int flags) 288 { 289 struct inode *inode = d_inode(dentry); 290 int ret; 291 292 if (!inode) 293 return -EINVAL; 294 295 inode_lock(inode); 296 ret = bpf_set_dentry_xattr_locked(dentry, name__str, value_p, flags); 297 inode_unlock(inode); 298 return ret; 299 } 300 301 /** 302 * bpf_remove_dentry_xattr - remove a xattr of a dentry 303 * @dentry: dentry to get xattr from 304 * @name__str: name of the xattr 305 * 306 * Rmove xattr *name__str* of *dentry*. 307 * 308 * For security reasons, only *name__str* with prefix "security.bpf." 309 * is allowed. 310 * 311 * The caller has not locked dentry->d_inode. 312 * 313 * Return: 0 on success, a negative value on error. 314 */ 315 __bpf_kfunc int bpf_remove_dentry_xattr(struct dentry *dentry, const char *name__str) 316 { 317 struct inode *inode = d_inode(dentry); 318 int ret; 319 320 if (!inode) 321 return -EINVAL; 322 323 inode_lock(inode); 324 ret = bpf_remove_dentry_xattr_locked(dentry, name__str); 325 inode_unlock(inode); 326 return ret; 327 } 328 329 #ifdef CONFIG_CGROUPS 330 /** 331 * bpf_cgroup_read_xattr - read xattr of a cgroup's node in cgroupfs 332 * @cgroup: cgroup to get xattr from 333 * @name__str: name of the xattr 334 * @value_p: output buffer of the xattr value 335 * 336 * Get xattr *name__str* of *cgroup* and store the output in *value_ptr*. 337 * 338 * For security reasons, only *name__str* with prefix "user." is allowed. 339 * 340 * Return: length of the xattr value on success, a negative value on error. 341 */ 342 __bpf_kfunc int bpf_cgroup_read_xattr(struct cgroup *cgroup, const char *name__str, 343 struct bpf_dynptr *value_p) 344 { 345 struct bpf_dynptr_kern *value_ptr = (struct bpf_dynptr_kern *)value_p; 346 u32 value_len; 347 void *value; 348 349 /* Only allow reading "user.*" xattrs */ 350 if (strncmp(name__str, XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN)) 351 return -EPERM; 352 353 value_len = __bpf_dynptr_size(value_ptr); 354 value = __bpf_dynptr_data_rw(value_ptr, value_len); 355 if (!value) 356 return -EINVAL; 357 358 return kernfs_xattr_get(cgroup->kn, name__str, value, value_len); 359 } 360 #endif /* CONFIG_CGROUPS */ 361 362 /** 363 * bpf_real_inode - get the real inode backing a dentry 364 * @dentry: dentry to resolve 365 * 366 * If the dentry is on a union/overlay filesystem, return the underlying, real 367 * inode that hosts the data. Otherwise return the inode attached to the 368 * dentry itself. 369 * 370 * Return: The real inode backing the dentry, or NULL for a negative dentry. 371 */ 372 __bpf_kfunc struct inode *bpf_real_inode(struct dentry *dentry) 373 { 374 return d_real_inode(dentry); 375 } 376 377 __bpf_kfunc_end_defs(); 378 379 BTF_KFUNCS_START(bpf_fs_kfunc_set_ids) 380 BTF_ID_FLAGS(func, bpf_get_task_exe_file, KF_ACQUIRE | KF_RET_NULL) 381 BTF_ID_FLAGS(func, bpf_put_file, KF_RELEASE) 382 BTF_ID_FLAGS(func, bpf_path_d_path) 383 BTF_ID_FLAGS(func, bpf_get_dentry_xattr, KF_SLEEPABLE) 384 BTF_ID_FLAGS(func, bpf_get_file_xattr, KF_SLEEPABLE) 385 BTF_ID_FLAGS(func, bpf_set_dentry_xattr, KF_SLEEPABLE) 386 BTF_ID_FLAGS(func, bpf_remove_dentry_xattr, KF_SLEEPABLE) 387 BTF_ID_FLAGS(func, bpf_real_inode, KF_SLEEPABLE | KF_RET_NULL) 388 BTF_KFUNCS_END(bpf_fs_kfunc_set_ids) 389 390 static int bpf_fs_kfuncs_filter(const struct bpf_prog *prog, u32 kfunc_id) 391 { 392 if (!btf_id_set8_contains(&bpf_fs_kfunc_set_ids, kfunc_id) || 393 prog->type == BPF_PROG_TYPE_LSM) 394 return 0; 395 return -EACCES; 396 } 397 398 /* bpf_[set|remove]_dentry_xattr.* hooks have KF_SLEEPABLE, so they are only 399 * available to sleepable hooks with dentry arguments. 400 * 401 * Setting and removing xattr requires exclusive lock on dentry->d_inode. 402 * Some hooks already locked d_inode, while some hooks have not locked 403 * d_inode. Therefore, we need different kfuncs for different hooks. 404 * Specifically, hooks in the following list (d_inode_locked_hooks) 405 * should call bpf_[set|remove]_dentry_xattr_locked; while other hooks 406 * should call bpf_[set|remove]_dentry_xattr. 407 */ 408 BTF_SET_START(d_inode_locked_hooks) 409 BTF_ID(func, bpf_lsm_inode_post_removexattr) 410 BTF_ID(func, bpf_lsm_inode_post_setattr) 411 BTF_ID(func, bpf_lsm_inode_post_setxattr) 412 BTF_ID(func, bpf_lsm_inode_removexattr) 413 BTF_ID(func, bpf_lsm_inode_rmdir) 414 BTF_ID(func, bpf_lsm_inode_setattr) 415 BTF_ID(func, bpf_lsm_inode_setxattr) 416 BTF_ID(func, bpf_lsm_inode_unlink) 417 #ifdef CONFIG_SECURITY_PATH 418 BTF_ID(func, bpf_lsm_path_unlink) 419 BTF_ID(func, bpf_lsm_path_rmdir) 420 #endif /* CONFIG_SECURITY_PATH */ 421 BTF_SET_END(d_inode_locked_hooks) 422 423 bool bpf_lsm_has_d_inode_locked(const struct bpf_prog *prog) 424 { 425 return btf_id_set_contains(&d_inode_locked_hooks, prog->aux->attach_btf_id); 426 } 427 428 static const struct btf_kfunc_id_set bpf_fs_kfunc_set = { 429 .owner = THIS_MODULE, 430 .set = &bpf_fs_kfunc_set_ids, 431 .filter = bpf_fs_kfuncs_filter, 432 }; 433 434 static int __init bpf_fs_kfuncs_init(void) 435 { 436 return register_btf_kfunc_id_set(BPF_PROG_TYPE_LSM, &bpf_fs_kfunc_set); 437 } 438 439 late_initcall(bpf_fs_kfuncs_init); 440