xref: /linux/tools/testing/selftests/bpf/progs/verifier_vfs_reject.c (revision c532de5a67a70f8533d495f8f2aaa9a0491c3ad0) 
1 // SPDX-License-Identifier: GPL-2.0
2 /* Copyright (c) 2024 Google LLC. */
3 
4 #include <vmlinux.h>
5 #include <bpf/bpf_helpers.h>
6 #include <bpf/bpf_tracing.h>
7 #include <linux/limits.h>
8 
9 #include "bpf_misc.h"
10 #include "bpf_experimental.h"
11 
12 static char buf[PATH_MAX];
13 
14 SEC("lsm.s/file_open")
15 __failure __msg("Possibly NULL pointer passed to trusted arg0")
16 int BPF_PROG(get_task_exe_file_kfunc_null)
17 {
18 	struct file *acquired;
19 
20 	/* Can't pass a NULL pointer to bpf_get_task_exe_file(). */
21 	acquired = bpf_get_task_exe_file(NULL);
22 	if (!acquired)
23 		return 0;
24 
25 	bpf_put_file(acquired);
26 	return 0;
27 }
28 
29 SEC("lsm.s/inode_getxattr")
30 __failure __msg("arg#0 pointer type STRUCT task_struct must point to scalar, or struct with scalar")
31 int BPF_PROG(get_task_exe_file_kfunc_fp)
32 {
33 	u64 x;
34 	struct file *acquired;
35 	struct task_struct *task;
36 
37 	task = (struct task_struct *)&x;
38 	/* Can't pass random frame pointer to bpf_get_task_exe_file(). */
39 	acquired = bpf_get_task_exe_file(task);
40 	if (!acquired)
41 		return 0;
42 
43 	bpf_put_file(acquired);
44 	return 0;
45 }
46 
47 SEC("lsm.s/file_open")
48 __failure __msg("R1 must be referenced or trusted")
49 int BPF_PROG(get_task_exe_file_kfunc_untrusted)
50 {
51 	struct file *acquired;
52 	struct task_struct *parent;
53 
54 	/* Walking a trusted struct task_struct returned from
55 	 * bpf_get_current_task_btf() yields an untrusted pointer.
56 	 */
57 	parent = bpf_get_current_task_btf()->parent;
58 	/* Can't pass untrusted pointer to bpf_get_task_exe_file(). */
59 	acquired = bpf_get_task_exe_file(parent);
60 	if (!acquired)
61 		return 0;
62 
63 	bpf_put_file(acquired);
64 	return 0;
65 }
66 
67 SEC("lsm.s/file_open")
68 __failure __msg("Unreleased reference")
69 int BPF_PROG(get_task_exe_file_kfunc_unreleased)
70 {
71 	struct file *acquired;
72 
73 	acquired = bpf_get_task_exe_file(bpf_get_current_task_btf());
74 	if (!acquired)
75 		return 0;
76 
77 	/* Acquired but never released. */
78 	return 0;
79 }
80 
81 SEC("lsm.s/file_open")
82 __failure __msg("release kernel function bpf_put_file expects")
83 int BPF_PROG(put_file_kfunc_unacquired, struct file *file)
84 {
85 	/* Can't release an unacquired pointer. */
86 	bpf_put_file(file);
87 	return 0;
88 }
89 
90 SEC("lsm.s/file_open")
91 __failure __msg("Possibly NULL pointer passed to trusted arg0")
92 int BPF_PROG(path_d_path_kfunc_null)
93 {
94 	/* Can't pass NULL value to bpf_path_d_path() kfunc. */
95 	bpf_path_d_path(NULL, buf, sizeof(buf));
96 	return 0;
97 }
98 
99 SEC("lsm.s/task_alloc")
100 __failure __msg("R1 must be referenced or trusted")
101 int BPF_PROG(path_d_path_kfunc_untrusted_from_argument, struct task_struct *task)
102 {
103 	struct path *root;
104 
105 	/* Walking a trusted argument typically yields an untrusted
106 	 * pointer. This is one example of that.
107 	 */
108 	root = &task->fs->root;
109 	bpf_path_d_path(root, buf, sizeof(buf));
110 	return 0;
111 }
112 
113 SEC("lsm.s/file_open")
114 __failure __msg("R1 must be referenced or trusted")
115 int BPF_PROG(path_d_path_kfunc_untrusted_from_current)
116 {
117 	struct path *pwd;
118 	struct task_struct *current;
119 
120 	current = bpf_get_current_task_btf();
121 	/* Walking a trusted pointer returned from bpf_get_current_task_btf()
122 	 * yields an untrusted pointer.
123 	 */
124 	pwd = &current->fs->pwd;
125 	bpf_path_d_path(pwd, buf, sizeof(buf));
126 	return 0;
127 }
128 
129 SEC("lsm.s/file_open")
130 __failure __msg("kernel function bpf_path_d_path args#0 expected pointer to STRUCT path but R1 has a pointer to STRUCT file")
131 int BPF_PROG(path_d_path_kfunc_type_mismatch, struct file *file)
132 {
133 	bpf_path_d_path((struct path *)&file->f_task_work, buf, sizeof(buf));
134 	return 0;
135 }
136 
137 SEC("lsm.s/file_open")
138 __failure __msg("invalid access to map value, value_size=4096 off=0 size=8192")
139 int BPF_PROG(path_d_path_kfunc_invalid_buf_sz, struct file *file)
140 {
141 	/* bpf_path_d_path() enforces a constraint on the buffer size supplied
142 	 * by the BPF LSM program via the __sz annotation. buf here is set to
143 	 * PATH_MAX, so let's ensure that the BPF verifier rejects BPF_PROG_LOAD
144 	 * attempts if the supplied size and the actual size of the buffer
145 	 * mismatches.
146 	 */
147 	bpf_path_d_path(&file->f_path, buf, PATH_MAX * 2);
148 	return 0;
149 }
150 
151 SEC("fentry/vfs_open")
152 __failure __msg("calling kernel function bpf_path_d_path is not allowed")
153 int BPF_PROG(path_d_path_kfunc_non_lsm, struct path *path, struct file *f)
154 {
155 	/* Calling bpf_path_d_path() from a non-LSM BPF program isn't permitted.
156 	 */
157 	bpf_path_d_path(path, buf, sizeof(buf));
158 	return 0;
159 }
160 
161 char _license[] SEC("license") = "GPL";
162