1 // SPDX-License-Identifier: GPL-2.0 2 /* Copyright (c) 2024 Google LLC. */ 3 4 #include <linux/bpf.h> 5 #include <linux/bpf_lsm.h> 6 #include <linux/btf.h> 7 #include <linux/btf_ids.h> 8 #include <linux/dcache.h> 9 #include <linux/fs.h> 10 #include <linux/fsnotify.h> 11 #include <linux/file.h> 12 #include <linux/kernfs.h> 13 #include <linux/mm.h> 14 #include <linux/xattr.h> 15 16 __bpf_kfunc_start_defs(); 17 18 /** 19 * bpf_get_task_exe_file - get a reference on the exe_file struct file member of 20 * the mm_struct that is nested within the supplied 21 * task_struct 22 * @task: task_struct of which the nested mm_struct exe_file member to get a 23 * reference on 24 * 25 * Get a reference on the exe_file struct file member field of the mm_struct 26 * nested within the supplied *task*. The referenced file pointer acquired by 27 * this BPF kfunc must be released using bpf_put_file(). Failing to call 28 * bpf_put_file() on the returned referenced struct file pointer that has been 29 * acquired by this BPF kfunc will result in the BPF program being rejected by 30 * the BPF verifier. 31 * 32 * This BPF kfunc may only be called from BPF LSM programs. 33 * 34 * Internally, this BPF kfunc leans on get_task_exe_file(), such that calling 35 * bpf_get_task_exe_file() would be analogous to calling get_task_exe_file() 36 * directly in kernel context. 37 * 38 * Return: A referenced struct file pointer to the exe_file member of the 39 * mm_struct that is nested within the supplied *task*. On error, NULL is 40 * returned. 41 */ 42 __bpf_kfunc struct file *bpf_get_task_exe_file(struct task_struct *task) 43 { 44 return get_task_exe_file(task); 45 } 46 47 /** 48 * bpf_put_file - put a reference on the supplied file 49 * @file: file to put a reference on 50 * 51 * Put a reference on the supplied *file*. Only referenced file pointers may be 52 * passed to this BPF kfunc. Attempting to pass an unreferenced file pointer, or 53 * any other arbitrary pointer for that matter, will result in the BPF program 54 * being rejected by the BPF verifier. 55 * 56 * This BPF kfunc may only be called from BPF LSM programs. 57 */ 58 __bpf_kfunc void bpf_put_file(struct file *file) 59 { 60 fput(file); 61 } 62 63 /** 64 * bpf_path_d_path - resolve the pathname for the supplied path 65 * @path: path to resolve the pathname for 66 * @buf: buffer to return the resolved pathname in 67 * @buf__sz: length of the supplied buffer 68 * 69 * Resolve the pathname for the supplied *path* and store it in *buf*. This BPF 70 * kfunc is the safer variant of the legacy bpf_d_path() helper and should be 71 * used in place of bpf_d_path() whenever possible. 72 * 73 * This BPF kfunc may only be called from BPF LSM programs. 74 * 75 * Return: A positive integer corresponding to the length of the resolved 76 * pathname in *buf*, including the NUL termination character. On error, a 77 * negative integer is returned. 78 */ 79 __bpf_kfunc int bpf_path_d_path(const struct path *path, char *buf, size_t buf__sz) 80 { 81 int len; 82 char *ret; 83 84 if (!buf__sz) 85 return -EINVAL; 86 87 ret = d_path(path, buf, buf__sz); 88 if (IS_ERR(ret)) 89 return PTR_ERR(ret); 90 91 len = buf + buf__sz - ret; 92 memmove(buf, ret, len); 93 return len; 94 } 95 96 static bool match_security_bpf_prefix(const char *name__str) 97 { 98 return !strncmp(name__str, XATTR_NAME_BPF_LSM, XATTR_NAME_BPF_LSM_LEN); 99 } 100 101 static int bpf_xattr_read_permission(const char *name, struct inode *inode) 102 { 103 if (WARN_ON(!inode)) 104 return -EINVAL; 105 106 /* Allow reading xattr with user. and security.bpf. prefix */ 107 if (strncmp(name, XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN) && 108 !match_security_bpf_prefix(name)) 109 return -EPERM; 110 111 return inode_permission(&nop_mnt_idmap, inode, MAY_READ); 112 } 113 114 /** 115 * bpf_get_dentry_xattr - get xattr of a dentry 116 * @dentry: dentry to get xattr from 117 * @name__str: name of the xattr 118 * @value_p: output buffer of the xattr value 119 * 120 * Get xattr *name__str* of *dentry* and store the output in *value_ptr*. 121 * 122 * For security reasons, only *name__str* with prefixes "user." or 123 * "security.bpf." are allowed. 124 * 125 * Return: length of the xattr value on success, a negative value on error. 126 */ 127 __bpf_kfunc int bpf_get_dentry_xattr(struct dentry *dentry, const char *name__str, 128 struct bpf_dynptr *value_p) 129 { 130 struct bpf_dynptr_kern *value_ptr = (struct bpf_dynptr_kern *)value_p; 131 struct inode *inode = d_inode(dentry); 132 u32 value_len; 133 void *value; 134 int ret; 135 136 value_len = __bpf_dynptr_size(value_ptr); 137 value = __bpf_dynptr_data_rw(value_ptr, value_len); 138 if (!value) 139 return -EINVAL; 140 141 ret = bpf_xattr_read_permission(name__str, inode); 142 if (ret) 143 return ret; 144 return __vfs_getxattr(dentry, inode, name__str, value, value_len); 145 } 146 147 /** 148 * bpf_get_file_xattr - get xattr of a file 149 * @file: file to get xattr from 150 * @name__str: name of the xattr 151 * @value_p: output buffer of the xattr value 152 * 153 * Get xattr *name__str* of *file* and store the output in *value_ptr*. 154 * 155 * For security reasons, only *name__str* with prefixes "user." or 156 * "security.bpf." are allowed. 157 * 158 * Return: length of the xattr value on success, a negative value on error. 159 */ 160 __bpf_kfunc int bpf_get_file_xattr(struct file *file, const char *name__str, 161 struct bpf_dynptr *value_p) 162 { 163 struct dentry *dentry; 164 165 dentry = file_dentry(file); 166 return bpf_get_dentry_xattr(dentry, name__str, value_p); 167 } 168 169 __bpf_kfunc_end_defs(); 170 171 static int bpf_xattr_write_permission(const char *name, struct inode *inode) 172 { 173 if (WARN_ON(!inode)) 174 return -EINVAL; 175 176 /* Only allow setting and removing security.bpf. xattrs */ 177 if (!match_security_bpf_prefix(name)) 178 return -EPERM; 179 180 return inode_permission(&nop_mnt_idmap, inode, MAY_WRITE); 181 } 182 183 /** 184 * bpf_set_dentry_xattr_locked - set a xattr of a dentry 185 * @dentry: dentry to get xattr from 186 * @name__str: name of the xattr 187 * @value_p: xattr value 188 * @flags: flags to pass into filesystem operations 189 * 190 * Set xattr *name__str* of *dentry* to the value in *value_ptr*. 191 * 192 * For security reasons, only *name__str* with prefix "security.bpf." 193 * is allowed. 194 * 195 * The caller already locked dentry->d_inode. 196 * 197 * Return: 0 on success, a negative value on error. 198 */ 199 int bpf_set_dentry_xattr_locked(struct dentry *dentry, const char *name__str, 200 const struct bpf_dynptr *value_p, int flags) 201 { 202 203 struct bpf_dynptr_kern *value_ptr = (struct bpf_dynptr_kern *)value_p; 204 struct inode *inode = d_inode(dentry); 205 const void *value; 206 u32 value_len; 207 int ret; 208 209 value_len = __bpf_dynptr_size(value_ptr); 210 value = __bpf_dynptr_data(value_ptr, value_len); 211 if (!value) 212 return -EINVAL; 213 214 ret = bpf_xattr_write_permission(name__str, inode); 215 if (ret) 216 return ret; 217 218 ret = __vfs_setxattr(&nop_mnt_idmap, dentry, inode, name__str, 219 value, value_len, flags); 220 if (!ret) { 221 fsnotify_xattr(dentry); 222 223 /* This xattr is set by BPF LSM, so we do not call 224 * security_inode_post_setxattr. Otherwise, we would 225 * risk deadlocks by calling back to the same kfunc. 226 * 227 * This is the same as security_inode_setsecurity(). 228 */ 229 } 230 return ret; 231 } 232 233 /** 234 * bpf_remove_dentry_xattr_locked - remove a xattr of a dentry 235 * @dentry: dentry to get xattr from 236 * @name__str: name of the xattr 237 * 238 * Rmove xattr *name__str* of *dentry*. 239 * 240 * For security reasons, only *name__str* with prefix "security.bpf." 241 * is allowed. 242 * 243 * The caller already locked dentry->d_inode. 244 * 245 * Return: 0 on success, a negative value on error. 246 */ 247 int bpf_remove_dentry_xattr_locked(struct dentry *dentry, const char *name__str) 248 { 249 struct inode *inode = d_inode(dentry); 250 int ret; 251 252 ret = bpf_xattr_write_permission(name__str, inode); 253 if (ret) 254 return ret; 255 256 ret = __vfs_removexattr(&nop_mnt_idmap, dentry, name__str); 257 if (!ret) { 258 fsnotify_xattr(dentry); 259 260 /* This xattr is removed by BPF LSM, so we do not call 261 * security_inode_post_removexattr. Otherwise, we would 262 * risk deadlocks by calling back to the same kfunc. 263 */ 264 } 265 return ret; 266 } 267 268 __bpf_kfunc_start_defs(); 269 270 /** 271 * bpf_set_dentry_xattr - set a xattr of a dentry 272 * @dentry: dentry to get xattr from 273 * @name__str: name of the xattr 274 * @value_p: xattr value 275 * @flags: flags to pass into filesystem operations 276 * 277 * Set xattr *name__str* of *dentry* to the value in *value_ptr*. 278 * 279 * For security reasons, only *name__str* with prefix "security.bpf." 280 * is allowed. 281 * 282 * The caller has not locked dentry->d_inode. 283 * 284 * Return: 0 on success, a negative value on error. 285 */ 286 __bpf_kfunc int bpf_set_dentry_xattr(struct dentry *dentry, const char *name__str, 287 const struct bpf_dynptr *value_p, int flags) 288 { 289 struct inode *inode = d_inode(dentry); 290 int ret; 291 292 inode_lock(inode); 293 ret = bpf_set_dentry_xattr_locked(dentry, name__str, value_p, flags); 294 inode_unlock(inode); 295 return ret; 296 } 297 298 /** 299 * bpf_remove_dentry_xattr - remove a xattr of a dentry 300 * @dentry: dentry to get xattr from 301 * @name__str: name of the xattr 302 * 303 * Rmove xattr *name__str* of *dentry*. 304 * 305 * For security reasons, only *name__str* with prefix "security.bpf." 306 * is allowed. 307 * 308 * The caller has not locked dentry->d_inode. 309 * 310 * Return: 0 on success, a negative value on error. 311 */ 312 __bpf_kfunc int bpf_remove_dentry_xattr(struct dentry *dentry, const char *name__str) 313 { 314 struct inode *inode = d_inode(dentry); 315 int ret; 316 317 inode_lock(inode); 318 ret = bpf_remove_dentry_xattr_locked(dentry, name__str); 319 inode_unlock(inode); 320 return ret; 321 } 322 323 #ifdef CONFIG_CGROUPS 324 /** 325 * bpf_cgroup_read_xattr - read xattr of a cgroup's node in cgroupfs 326 * @cgroup: cgroup to get xattr from 327 * @name__str: name of the xattr 328 * @value_p: output buffer of the xattr value 329 * 330 * Get xattr *name__str* of *cgroup* and store the output in *value_ptr*. 331 * 332 * For security reasons, only *name__str* with prefix "user." is allowed. 333 * 334 * Return: length of the xattr value on success, a negative value on error. 335 */ 336 __bpf_kfunc int bpf_cgroup_read_xattr(struct cgroup *cgroup, const char *name__str, 337 struct bpf_dynptr *value_p) 338 { 339 struct bpf_dynptr_kern *value_ptr = (struct bpf_dynptr_kern *)value_p; 340 u32 value_len; 341 void *value; 342 343 /* Only allow reading "user.*" xattrs */ 344 if (strncmp(name__str, XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN)) 345 return -EPERM; 346 347 value_len = __bpf_dynptr_size(value_ptr); 348 value = __bpf_dynptr_data_rw(value_ptr, value_len); 349 if (!value) 350 return -EINVAL; 351 352 return kernfs_xattr_get(cgroup->kn, name__str, value, value_len); 353 } 354 #endif /* CONFIG_CGROUPS */ 355 356 __bpf_kfunc_end_defs(); 357 358 BTF_KFUNCS_START(bpf_fs_kfunc_set_ids) 359 BTF_ID_FLAGS(func, bpf_get_task_exe_file, KF_ACQUIRE | KF_RET_NULL) 360 BTF_ID_FLAGS(func, bpf_put_file, KF_RELEASE) 361 BTF_ID_FLAGS(func, bpf_path_d_path) 362 BTF_ID_FLAGS(func, bpf_get_dentry_xattr, KF_SLEEPABLE) 363 BTF_ID_FLAGS(func, bpf_get_file_xattr, KF_SLEEPABLE) 364 BTF_ID_FLAGS(func, bpf_set_dentry_xattr, KF_SLEEPABLE) 365 BTF_ID_FLAGS(func, bpf_remove_dentry_xattr, KF_SLEEPABLE) 366 BTF_KFUNCS_END(bpf_fs_kfunc_set_ids) 367 368 static int bpf_fs_kfuncs_filter(const struct bpf_prog *prog, u32 kfunc_id) 369 { 370 if (!btf_id_set8_contains(&bpf_fs_kfunc_set_ids, kfunc_id) || 371 prog->type == BPF_PROG_TYPE_LSM) 372 return 0; 373 return -EACCES; 374 } 375 376 /* bpf_[set|remove]_dentry_xattr.* hooks have KF_SLEEPABLE, so they are only 377 * available to sleepable hooks with dentry arguments. 378 * 379 * Setting and removing xattr requires exclusive lock on dentry->d_inode. 380 * Some hooks already locked d_inode, while some hooks have not locked 381 * d_inode. Therefore, we need different kfuncs for different hooks. 382 * Specifically, hooks in the following list (d_inode_locked_hooks) 383 * should call bpf_[set|remove]_dentry_xattr_locked; while other hooks 384 * should call bpf_[set|remove]_dentry_xattr. 385 */ 386 BTF_SET_START(d_inode_locked_hooks) 387 BTF_ID(func, bpf_lsm_inode_post_removexattr) 388 BTF_ID(func, bpf_lsm_inode_post_setattr) 389 BTF_ID(func, bpf_lsm_inode_post_setxattr) 390 BTF_ID(func, bpf_lsm_inode_removexattr) 391 BTF_ID(func, bpf_lsm_inode_rmdir) 392 BTF_ID(func, bpf_lsm_inode_setattr) 393 BTF_ID(func, bpf_lsm_inode_setxattr) 394 BTF_ID(func, bpf_lsm_inode_unlink) 395 #ifdef CONFIG_SECURITY_PATH 396 BTF_ID(func, bpf_lsm_path_unlink) 397 BTF_ID(func, bpf_lsm_path_rmdir) 398 #endif /* CONFIG_SECURITY_PATH */ 399 BTF_SET_END(d_inode_locked_hooks) 400 401 bool bpf_lsm_has_d_inode_locked(const struct bpf_prog *prog) 402 { 403 return btf_id_set_contains(&d_inode_locked_hooks, prog->aux->attach_btf_id); 404 } 405 406 static const struct btf_kfunc_id_set bpf_fs_kfunc_set = { 407 .owner = THIS_MODULE, 408 .set = &bpf_fs_kfunc_set_ids, 409 .filter = bpf_fs_kfuncs_filter, 410 }; 411 412 static int __init bpf_fs_kfuncs_init(void) 413 { 414 return register_btf_kfunc_id_set(BPF_PROG_TYPE_LSM, &bpf_fs_kfunc_set); 415 } 416 417 late_initcall(bpf_fs_kfuncs_init); 418