1 // SPDX-License-Identifier: GPL-2.0 2 /* Copyright (c) 2024 Google LLC. */ 3 4 #include <linux/bpf.h> 5 #include <linux/bpf_lsm.h> 6 #include <linux/btf.h> 7 #include <linux/btf_ids.h> 8 #include <linux/dcache.h> 9 #include <linux/fs.h> 10 #include <linux/fsnotify.h> 11 #include <linux/file.h> 12 #include <linux/kernfs.h> 13 #include <linux/mm.h> 14 #include <linux/xattr.h> 15 16 __bpf_kfunc_start_defs(); 17 18 /** 19 * bpf_get_task_exe_file - get a reference on the exe_file struct file member of 20 * the mm_struct that is nested within the supplied 21 * task_struct 22 * @task: task_struct of which the nested mm_struct exe_file member to get a 23 * reference on 24 * 25 * Get a reference on the exe_file struct file member field of the mm_struct 26 * nested within the supplied *task*. The referenced file pointer acquired by 27 * this BPF kfunc must be released using bpf_put_file(). Failing to call 28 * bpf_put_file() on the returned referenced struct file pointer that has been 29 * acquired by this BPF kfunc will result in the BPF program being rejected by 30 * the BPF verifier. 31 * 32 * This BPF kfunc may only be called from BPF LSM programs. 33 * 34 * Internally, this BPF kfunc leans on get_task_exe_file(), such that calling 35 * bpf_get_task_exe_file() would be analogous to calling get_task_exe_file() 36 * directly in kernel context. 37 * 38 * Return: A referenced struct file pointer to the exe_file member of the 39 * mm_struct that is nested within the supplied *task*. On error, NULL is 40 * returned. 41 */ 42 __bpf_kfunc struct file *bpf_get_task_exe_file(struct task_struct *task) 43 { 44 return get_task_exe_file(task); 45 } 46 47 /** 48 * bpf_put_file - put a reference on the supplied file 49 * @file: file to put a reference on 50 * 51 * Put a reference on the supplied *file*. Only referenced file pointers may be 52 * passed to this BPF kfunc. Attempting to pass an unreferenced file pointer, or 53 * any other arbitrary pointer for that matter, will result in the BPF program 54 * being rejected by the BPF verifier. 55 * 56 * This BPF kfunc may only be called from BPF LSM programs. 57 */ 58 __bpf_kfunc void bpf_put_file(struct file *file) 59 { 60 fput(file); 61 } 62 63 /** 64 * bpf_path_d_path - resolve the pathname for the supplied path 65 * @path: path to resolve the pathname for 66 * @buf: buffer to return the resolved pathname in 67 * @buf__sz: length of the supplied buffer 68 * 69 * Resolve the pathname for the supplied *path* and store it in *buf*. This BPF 70 * kfunc is the safer variant of the legacy bpf_d_path() helper and should be 71 * used in place of bpf_d_path() whenever possible. It enforces KF_TRUSTED_ARGS 72 * semantics, meaning that the supplied *path* must itself hold a valid 73 * reference, or else the BPF program will be outright rejected by the BPF 74 * verifier. 75 * 76 * This BPF kfunc may only be called from BPF LSM programs. 77 * 78 * Return: A positive integer corresponding to the length of the resolved 79 * pathname in *buf*, including the NUL termination character. On error, a 80 * negative integer is returned. 81 */ 82 __bpf_kfunc int bpf_path_d_path(struct path *path, char *buf, size_t buf__sz) 83 { 84 int len; 85 char *ret; 86 87 if (!buf__sz) 88 return -EINVAL; 89 90 ret = d_path(path, buf, buf__sz); 91 if (IS_ERR(ret)) 92 return PTR_ERR(ret); 93 94 len = buf + buf__sz - ret; 95 memmove(buf, ret, len); 96 return len; 97 } 98 99 static bool match_security_bpf_prefix(const char *name__str) 100 { 101 return !strncmp(name__str, XATTR_NAME_BPF_LSM, XATTR_NAME_BPF_LSM_LEN); 102 } 103 104 static int bpf_xattr_read_permission(const char *name, struct inode *inode) 105 { 106 if (WARN_ON(!inode)) 107 return -EINVAL; 108 109 /* Allow reading xattr with user. and security.bpf. prefix */ 110 if (strncmp(name, XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN) && 111 !match_security_bpf_prefix(name)) 112 return -EPERM; 113 114 return inode_permission(&nop_mnt_idmap, inode, MAY_READ); 115 } 116 117 /** 118 * bpf_get_dentry_xattr - get xattr of a dentry 119 * @dentry: dentry to get xattr from 120 * @name__str: name of the xattr 121 * @value_p: output buffer of the xattr value 122 * 123 * Get xattr *name__str* of *dentry* and store the output in *value_ptr*. 124 * 125 * For security reasons, only *name__str* with prefixes "user." or 126 * "security.bpf." are allowed. 127 * 128 * Return: length of the xattr value on success, a negative value on error. 129 */ 130 __bpf_kfunc int bpf_get_dentry_xattr(struct dentry *dentry, const char *name__str, 131 struct bpf_dynptr *value_p) 132 { 133 struct bpf_dynptr_kern *value_ptr = (struct bpf_dynptr_kern *)value_p; 134 struct inode *inode = d_inode(dentry); 135 u32 value_len; 136 void *value; 137 int ret; 138 139 value_len = __bpf_dynptr_size(value_ptr); 140 value = __bpf_dynptr_data_rw(value_ptr, value_len); 141 if (!value) 142 return -EINVAL; 143 144 ret = bpf_xattr_read_permission(name__str, inode); 145 if (ret) 146 return ret; 147 return __vfs_getxattr(dentry, inode, name__str, value, value_len); 148 } 149 150 /** 151 * bpf_get_file_xattr - get xattr of a file 152 * @file: file to get xattr from 153 * @name__str: name of the xattr 154 * @value_p: output buffer of the xattr value 155 * 156 * Get xattr *name__str* of *file* and store the output in *value_ptr*. 157 * 158 * For security reasons, only *name__str* with prefixes "user." or 159 * "security.bpf." are allowed. 160 * 161 * Return: length of the xattr value on success, a negative value on error. 162 */ 163 __bpf_kfunc int bpf_get_file_xattr(struct file *file, const char *name__str, 164 struct bpf_dynptr *value_p) 165 { 166 struct dentry *dentry; 167 168 dentry = file_dentry(file); 169 return bpf_get_dentry_xattr(dentry, name__str, value_p); 170 } 171 172 __bpf_kfunc_end_defs(); 173 174 static int bpf_xattr_write_permission(const char *name, struct inode *inode) 175 { 176 if (WARN_ON(!inode)) 177 return -EINVAL; 178 179 /* Only allow setting and removing security.bpf. xattrs */ 180 if (!match_security_bpf_prefix(name)) 181 return -EPERM; 182 183 return inode_permission(&nop_mnt_idmap, inode, MAY_WRITE); 184 } 185 186 /** 187 * bpf_set_dentry_xattr_locked - set a xattr of a dentry 188 * @dentry: dentry to get xattr from 189 * @name__str: name of the xattr 190 * @value_p: xattr value 191 * @flags: flags to pass into filesystem operations 192 * 193 * Set xattr *name__str* of *dentry* to the value in *value_ptr*. 194 * 195 * For security reasons, only *name__str* with prefix "security.bpf." 196 * is allowed. 197 * 198 * The caller already locked dentry->d_inode. 199 * 200 * Return: 0 on success, a negative value on error. 201 */ 202 int bpf_set_dentry_xattr_locked(struct dentry *dentry, const char *name__str, 203 const struct bpf_dynptr *value_p, int flags) 204 { 205 206 struct bpf_dynptr_kern *value_ptr = (struct bpf_dynptr_kern *)value_p; 207 struct inode *inode = d_inode(dentry); 208 const void *value; 209 u32 value_len; 210 int ret; 211 212 value_len = __bpf_dynptr_size(value_ptr); 213 value = __bpf_dynptr_data(value_ptr, value_len); 214 if (!value) 215 return -EINVAL; 216 217 ret = bpf_xattr_write_permission(name__str, inode); 218 if (ret) 219 return ret; 220 221 ret = __vfs_setxattr(&nop_mnt_idmap, dentry, inode, name__str, 222 value, value_len, flags); 223 if (!ret) { 224 fsnotify_xattr(dentry); 225 226 /* This xattr is set by BPF LSM, so we do not call 227 * security_inode_post_setxattr. Otherwise, we would 228 * risk deadlocks by calling back to the same kfunc. 229 * 230 * This is the same as security_inode_setsecurity(). 231 */ 232 } 233 return ret; 234 } 235 236 /** 237 * bpf_remove_dentry_xattr_locked - remove a xattr of a dentry 238 * @dentry: dentry to get xattr from 239 * @name__str: name of the xattr 240 * 241 * Rmove xattr *name__str* of *dentry*. 242 * 243 * For security reasons, only *name__str* with prefix "security.bpf." 244 * is allowed. 245 * 246 * The caller already locked dentry->d_inode. 247 * 248 * Return: 0 on success, a negative value on error. 249 */ 250 int bpf_remove_dentry_xattr_locked(struct dentry *dentry, const char *name__str) 251 { 252 struct inode *inode = d_inode(dentry); 253 int ret; 254 255 ret = bpf_xattr_write_permission(name__str, inode); 256 if (ret) 257 return ret; 258 259 ret = __vfs_removexattr(&nop_mnt_idmap, dentry, name__str); 260 if (!ret) { 261 fsnotify_xattr(dentry); 262 263 /* This xattr is removed by BPF LSM, so we do not call 264 * security_inode_post_removexattr. Otherwise, we would 265 * risk deadlocks by calling back to the same kfunc. 266 */ 267 } 268 return ret; 269 } 270 271 __bpf_kfunc_start_defs(); 272 273 /** 274 * bpf_set_dentry_xattr - set a xattr of a dentry 275 * @dentry: dentry to get xattr from 276 * @name__str: name of the xattr 277 * @value_p: xattr value 278 * @flags: flags to pass into filesystem operations 279 * 280 * Set xattr *name__str* of *dentry* to the value in *value_ptr*. 281 * 282 * For security reasons, only *name__str* with prefix "security.bpf." 283 * is allowed. 284 * 285 * The caller has not locked dentry->d_inode. 286 * 287 * Return: 0 on success, a negative value on error. 288 */ 289 __bpf_kfunc int bpf_set_dentry_xattr(struct dentry *dentry, const char *name__str, 290 const struct bpf_dynptr *value_p, int flags) 291 { 292 struct inode *inode = d_inode(dentry); 293 int ret; 294 295 inode_lock(inode); 296 ret = bpf_set_dentry_xattr_locked(dentry, name__str, value_p, flags); 297 inode_unlock(inode); 298 return ret; 299 } 300 301 /** 302 * bpf_remove_dentry_xattr - remove a xattr of a dentry 303 * @dentry: dentry to get xattr from 304 * @name__str: name of the xattr 305 * 306 * Rmove xattr *name__str* of *dentry*. 307 * 308 * For security reasons, only *name__str* with prefix "security.bpf." 309 * is allowed. 310 * 311 * The caller has not locked dentry->d_inode. 312 * 313 * Return: 0 on success, a negative value on error. 314 */ 315 __bpf_kfunc int bpf_remove_dentry_xattr(struct dentry *dentry, const char *name__str) 316 { 317 struct inode *inode = d_inode(dentry); 318 int ret; 319 320 inode_lock(inode); 321 ret = bpf_remove_dentry_xattr_locked(dentry, name__str); 322 inode_unlock(inode); 323 return ret; 324 } 325 326 #ifdef CONFIG_CGROUPS 327 /** 328 * bpf_cgroup_read_xattr - read xattr of a cgroup's node in cgroupfs 329 * @cgroup: cgroup to get xattr from 330 * @name__str: name of the xattr 331 * @value_p: output buffer of the xattr value 332 * 333 * Get xattr *name__str* of *cgroup* and store the output in *value_ptr*. 334 * 335 * For security reasons, only *name__str* with prefix "user." is allowed. 336 * 337 * Return: length of the xattr value on success, a negative value on error. 338 */ 339 __bpf_kfunc int bpf_cgroup_read_xattr(struct cgroup *cgroup, const char *name__str, 340 struct bpf_dynptr *value_p) 341 { 342 struct bpf_dynptr_kern *value_ptr = (struct bpf_dynptr_kern *)value_p; 343 u32 value_len; 344 void *value; 345 346 /* Only allow reading "user.*" xattrs */ 347 if (strncmp(name__str, XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN)) 348 return -EPERM; 349 350 value_len = __bpf_dynptr_size(value_ptr); 351 value = __bpf_dynptr_data_rw(value_ptr, value_len); 352 if (!value) 353 return -EINVAL; 354 355 return kernfs_xattr_get(cgroup->kn, name__str, value, value_len); 356 } 357 #endif /* CONFIG_CGROUPS */ 358 359 __bpf_kfunc_end_defs(); 360 361 BTF_KFUNCS_START(bpf_fs_kfunc_set_ids) 362 BTF_ID_FLAGS(func, bpf_get_task_exe_file, 363 KF_ACQUIRE | KF_TRUSTED_ARGS | KF_RET_NULL) 364 BTF_ID_FLAGS(func, bpf_put_file, KF_RELEASE) 365 BTF_ID_FLAGS(func, bpf_path_d_path, KF_TRUSTED_ARGS) 366 BTF_ID_FLAGS(func, bpf_get_dentry_xattr, KF_SLEEPABLE | KF_TRUSTED_ARGS) 367 BTF_ID_FLAGS(func, bpf_get_file_xattr, KF_SLEEPABLE | KF_TRUSTED_ARGS) 368 BTF_ID_FLAGS(func, bpf_set_dentry_xattr, KF_SLEEPABLE | KF_TRUSTED_ARGS) 369 BTF_ID_FLAGS(func, bpf_remove_dentry_xattr, KF_SLEEPABLE | KF_TRUSTED_ARGS) 370 BTF_KFUNCS_END(bpf_fs_kfunc_set_ids) 371 372 static int bpf_fs_kfuncs_filter(const struct bpf_prog *prog, u32 kfunc_id) 373 { 374 if (!btf_id_set8_contains(&bpf_fs_kfunc_set_ids, kfunc_id) || 375 prog->type == BPF_PROG_TYPE_LSM) 376 return 0; 377 return -EACCES; 378 } 379 380 /* bpf_[set|remove]_dentry_xattr.* hooks have KF_TRUSTED_ARGS and 381 * KF_SLEEPABLE, so they are only available to sleepable hooks with 382 * dentry arguments. 383 * 384 * Setting and removing xattr requires exclusive lock on dentry->d_inode. 385 * Some hooks already locked d_inode, while some hooks have not locked 386 * d_inode. Therefore, we need different kfuncs for different hooks. 387 * Specifically, hooks in the following list (d_inode_locked_hooks) 388 * should call bpf_[set|remove]_dentry_xattr_locked; while other hooks 389 * should call bpf_[set|remove]_dentry_xattr. 390 */ 391 BTF_SET_START(d_inode_locked_hooks) 392 BTF_ID(func, bpf_lsm_inode_post_removexattr) 393 BTF_ID(func, bpf_lsm_inode_post_setattr) 394 BTF_ID(func, bpf_lsm_inode_post_setxattr) 395 BTF_ID(func, bpf_lsm_inode_removexattr) 396 BTF_ID(func, bpf_lsm_inode_rmdir) 397 BTF_ID(func, bpf_lsm_inode_setattr) 398 BTF_ID(func, bpf_lsm_inode_setxattr) 399 BTF_ID(func, bpf_lsm_inode_unlink) 400 #ifdef CONFIG_SECURITY_PATH 401 BTF_ID(func, bpf_lsm_path_unlink) 402 BTF_ID(func, bpf_lsm_path_rmdir) 403 #endif /* CONFIG_SECURITY_PATH */ 404 BTF_SET_END(d_inode_locked_hooks) 405 406 bool bpf_lsm_has_d_inode_locked(const struct bpf_prog *prog) 407 { 408 return btf_id_set_contains(&d_inode_locked_hooks, prog->aux->attach_btf_id); 409 } 410 411 static const struct btf_kfunc_id_set bpf_fs_kfunc_set = { 412 .owner = THIS_MODULE, 413 .set = &bpf_fs_kfunc_set_ids, 414 .filter = bpf_fs_kfuncs_filter, 415 }; 416 417 static int __init bpf_fs_kfuncs_init(void) 418 { 419 return register_btf_kfunc_id_set(BPF_PROG_TYPE_LSM, &bpf_fs_kfunc_set); 420 } 421 422 late_initcall(bpf_fs_kfuncs_init); 423