bpf_fs_kfuncs.c source code [linux/fs/bpf_fs_kfuncs.c]

1	// SPDX-License-Identifier: GPL-2.0
2	/ Copyright (c) 2024 Google LLC. /
3
4	#include <linux/bpf.h>
5	#include <linux/bpf_lsm.h>
6	#include <linux/btf.h>
7	#include <linux/btf_ids.h>
8	#include <linux/dcache.h>
9	#include <linux/fs.h>
10	#include <linux/fsnotify.h>
11	#include <linux/file.h>
12	#include <linux/kernfs.h>
13	#include <linux/mm.h>
14	#include <linux/xattr.h>
15
16	__bpf_kfunc_start_defs();
17
18	/**
19	* bpf_get_task_exe_file - get a reference on the exe_file struct file member of
20	* the mm_struct that is nested within the supplied
21	* task_struct
22	* @task: task_struct of which the nested mm_struct exe_file member to get a
23	* reference on
24	*
25	* Get a reference on the exe_file struct file member field of the mm_struct
26	* nested within the supplied task. The referenced file pointer acquired by
27	* this BPF kfunc must be released using bpf_put_file(). Failing to call
28	* bpf_put_file() on the returned referenced struct file pointer that has been
29	* acquired by this BPF kfunc will result in the BPF program being rejected by
30	* the BPF verifier.
31	*
32	* This BPF kfunc may only be called from BPF LSM programs.
33	*
34	* Internally, this BPF kfunc leans on get_task_exe_file(), such that calling
35	* bpf_get_task_exe_file() would be analogous to calling get_task_exe_file()
36	* directly in kernel context.
37	*
38	* Return: A referenced struct file pointer to the exe_file member of the
39	* mm_struct that is nested within the supplied task. On error, NULL is
40	* returned.
41	*/
42	__bpf_kfunc struct file bpf_get_task_exe_file(struct* task_struct *task)
43	{
44	return get_task_exe_file(task);
45	}
46
47	/**
48	* bpf_put_file - put a reference on the supplied file
49	* @file: file to put a reference on
50	*
51	* Put a reference on the supplied file. Only referenced file pointers may be
52	* passed to this BPF kfunc. Attempting to pass an unreferenced file pointer, or
53	* any other arbitrary pointer for that matter, will result in the BPF program
54	* being rejected by the BPF verifier.
55	*
56	* This BPF kfunc may only be called from BPF LSM programs.
57	*/
58	__bpf_kfunc void bpf_put_file(struct file *file)
59	{
60	fput(file);
61	}
62
63	/**
64	* bpf_path_d_path - resolve the pathname for the supplied path
65	* @path: path to resolve the pathname for
66	* @buf: buffer to return the resolved pathname in
67	* @buf__sz: length of the supplied buffer
68	*
69	* Resolve the pathname for the supplied path and store it in buf. This BPF
70	* kfunc is the safer variant of the legacy bpf_d_path() helper and should be
71	* used in place of bpf_d_path() whenever possible. It enforces KF_TRUSTED_ARGS
72	* semantics, meaning that the supplied path must itself hold a valid
73	* reference, or else the BPF program will be outright rejected by the BPF
74	* verifier.
75	*
76	* This BPF kfunc may only be called from BPF LSM programs.
77	*
78	* Return: A positive integer corresponding to the length of the resolved
79	* pathname in buf, including the NUL termination character. On error, a
80	* negative integer is returned.
81	*/
82	__bpf_kfunc int bpf_path_d_path(const struct path path, char* *buf, size_t buf__sz)
83	{
84	int len;
85	char *ret;
86
87	if (!buf__sz)
88	return -EINVAL;
89
90	ret = d_path(path, buf, buf__sz);
91	if (IS_ERR(ptr: ret))
92	return PTR_ERR(ptr: ret);
93
94	len = buf + buf__sz - ret;
95	memmove(buf, ret, len);
96	return len;
97	}
98
99	static bool match_security_bpf_prefix(const char *name__str)
100	{
101	return !strncmp(name__str, XATTR_NAME_BPF_LSM, XATTR_NAME_BPF_LSM_LEN);
102	}
103
104	static int bpf_xattr_read_permission(const char name, struct* inode *inode)
105	{
106	if (WARN_ON(!inode))
107	return -EINVAL;
108
109	/ Allow reading xattr with user. and security.bpf. prefix /
110	if (strncmp(name, XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN) &&
111	!match_security_bpf_prefix(name__str: name))
112	return -EPERM;
113
114	return inode_permission(&nop_mnt_idmap, inode, MAY_READ);
115	}
116
117	/**
118	* bpf_get_dentry_xattr - get xattr of a dentry
119	* @dentry: dentry to get xattr from
120	* @name__str: name of the xattr
121	* @value_p: output buffer of the xattr value
122	*
123	* Get xattr name__str of dentry and store the output in value_ptr.
124	*
125	* For security reasons, only name__str with prefixes "user." or
126	* "security.bpf." are allowed.
127	*
128	* Return: length of the xattr value on success, a negative value on error.
129	*/
130	__bpf_kfunc int bpf_get_dentry_xattr(struct dentry dentry, const* char *name__str,
131	struct bpf_dynptr *value_p)
132	{
133	struct bpf_dynptr_kern value_ptr = (struct* bpf_dynptr_kern *)value_p;
134	struct inode *inode = d_inode(dentry);
135	u32 value_len;
136	void *value;
137	int ret;
138
139	value_len = __bpf_dynptr_size(ptr: value_ptr);
140	value = __bpf_dynptr_data_rw(ptr: value_ptr, len: value_len);
141	if (!value)
142	return -EINVAL;
143
144	ret = bpf_xattr_read_permission(name: name__str, inode);
145	if (ret)
146	return ret;
147	return __vfs_getxattr(dentry, inode, name__str, value, value_len);
148	}
149
150	/**
151	* bpf_get_file_xattr - get xattr of a file
152	* @file: file to get xattr from
153	* @name__str: name of the xattr
154	* @value_p: output buffer of the xattr value
155	*
156	* Get xattr name__str of file and store the output in value_ptr.
157	*
158	* For security reasons, only name__str with prefixes "user." or
159	* "security.bpf." are allowed.
160	*
161	* Return: length of the xattr value on success, a negative value on error.
162	*/
163	__bpf_kfunc int bpf_get_file_xattr(struct file file, const* char *name__str,
164	struct bpf_dynptr *value_p)
165	{
166	struct dentry *dentry;
167
168	dentry = file_dentry(file);
169	return bpf_get_dentry_xattr(dentry, name__str, value_p);
170	}
171
172	__bpf_kfunc_end_defs();
173
174	static int bpf_xattr_write_permission(const char name, struct* inode *inode)
175	{
176	if (WARN_ON(!inode))
177	return -EINVAL;
178
179	/ Only allow setting and removing security.bpf. xattrs /
180	if (!match_security_bpf_prefix(name__str: name))
181	return -EPERM;
182
183	return inode_permission(&nop_mnt_idmap, inode, MAY_WRITE);
184	}
185
186	/**
187	* bpf_set_dentry_xattr_locked - set a xattr of a dentry
188	* @dentry: dentry to get xattr from
189	* @name__str: name of the xattr
190	* @value_p: xattr value
191	* @flags: flags to pass into filesystem operations
192	*
193	* Set xattr name__str of dentry to the value in value_ptr.
194	*
195	* For security reasons, only name__str with prefix "security.bpf."
196	* is allowed.
197	*
198	* The caller already locked dentry->d_inode.
199	*
200	* Return: 0 on success, a negative value on error.
201	*/
202	int bpf_set_dentry_xattr_locked(struct dentry dentry, const* char *name__str,
203	const struct bpf_dynptr value_p, int* flags)
204	{
205
206	struct bpf_dynptr_kern value_ptr = (struct* bpf_dynptr_kern *)value_p;
207	struct inode *inode = d_inode(dentry);
208	const void *value;
209	u32 value_len;
210	int ret;
211
212	value_len = __bpf_dynptr_size(ptr: value_ptr);
213	value = __bpf_dynptr_data(ptr: value_ptr, len: value_len);
214	if (!value)
215	return -EINVAL;
216
217	ret = bpf_xattr_write_permission(name: name__str, inode);
218	if (ret)
219	return ret;
220
221	ret = __vfs_setxattr(&nop_mnt_idmap, dentry, inode, name__str,
222	value, value_len, flags);
223	if (!ret) {
224	fsnotify_xattr(dentry);
225
226	/ This xattr is set by BPF LSM, so we do not call*
227	* security_inode_post_setxattr. Otherwise, we would
228	* risk deadlocks by calling back to the same kfunc.
229	*
230	* This is the same as security_inode_setsecurity().
231	*/
232	}
233	return ret;
234	}
235
236	/**
237	* bpf_remove_dentry_xattr_locked - remove a xattr of a dentry
238	* @dentry: dentry to get xattr from
239	* @name__str: name of the xattr
240	*
241	* Rmove xattr name__str of dentry.
242	*
243	* For security reasons, only name__str with prefix "security.bpf."
244	* is allowed.
245	*
246	* The caller already locked dentry->d_inode.
247	*
248	* Return: 0 on success, a negative value on error.
249	*/
250	int bpf_remove_dentry_xattr_locked(struct dentry dentry, const* char *name__str)
251	{
252	struct inode *inode = d_inode(dentry);
253	int ret;
254
255	ret = bpf_xattr_write_permission(name: name__str, inode);
256	if (ret)
257	return ret;
258
259	ret = __vfs_removexattr(&nop_mnt_idmap, dentry, name__str);
260	if (!ret) {
261	fsnotify_xattr(dentry);
262
263	/ This xattr is removed by BPF LSM, so we do not call*
264	* security_inode_post_removexattr. Otherwise, we would
265	* risk deadlocks by calling back to the same kfunc.
266	*/
267	}
268	return ret;
269	}
270
271	__bpf_kfunc_start_defs();
272
273	/**
274	* bpf_set_dentry_xattr - set a xattr of a dentry
275	* @dentry: dentry to get xattr from
276	* @name__str: name of the xattr
277	* @value_p: xattr value
278	* @flags: flags to pass into filesystem operations
279	*
280	* Set xattr name__str of dentry to the value in value_ptr.
281	*
282	* For security reasons, only name__str with prefix "security.bpf."
283	* is allowed.
284	*
285	* The caller has not locked dentry->d_inode.
286	*
287	* Return: 0 on success, a negative value on error.
288	*/
289	__bpf_kfunc int bpf_set_dentry_xattr(struct dentry dentry, const* char *name__str,
290	const struct bpf_dynptr value_p, int* flags)
291	{
292	struct inode *inode = d_inode(dentry);
293	int ret;
294
295	inode_lock(inode);
296	ret = bpf_set_dentry_xattr_locked(dentry, name__str, value_p, flags);
297	inode_unlock(inode);
298	return ret;
299	}
300
301	/**
302	* bpf_remove_dentry_xattr - remove a xattr of a dentry
303	* @dentry: dentry to get xattr from
304	* @name__str: name of the xattr
305	*
306	* Rmove xattr name__str of dentry.
307	*
308	* For security reasons, only name__str with prefix "security.bpf."
309	* is allowed.
310	*
311	* The caller has not locked dentry->d_inode.
312	*
313	* Return: 0 on success, a negative value on error.
314	*/
315	__bpf_kfunc int bpf_remove_dentry_xattr(struct dentry dentry, const* char *name__str)
316	{
317	struct inode *inode = d_inode(dentry);
318	int ret;
319
320	inode_lock(inode);
321	ret = bpf_remove_dentry_xattr_locked(dentry, name__str);
322	inode_unlock(inode);
323	return ret;
324	}
325
326	#ifdef CONFIG_CGROUPS
327	/**
328	* bpf_cgroup_read_xattr - read xattr of a cgroup's node in cgroupfs
329	* @cgroup: cgroup to get xattr from
330	* @name__str: name of the xattr
331	* @value_p: output buffer of the xattr value
332	*
333	* Get xattr name__str of cgroup and store the output in value_ptr.
334	*
335	* For security reasons, only name__str with prefix "user." is allowed.
336	*
337	* Return: length of the xattr value on success, a negative value on error.
338	*/
339	__bpf_kfunc int bpf_cgroup_read_xattr(struct cgroup cgroup, const* char *name__str,
340	struct bpf_dynptr *value_p)
341	{
342	struct bpf_dynptr_kern value_ptr = (struct* bpf_dynptr_kern *)value_p;
343	u32 value_len;
344	void *value;
345
346	/ Only allow reading "user." xattrs /*
347	if (strncmp(name__str, XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN))
348	return -EPERM;
349
350	value_len = __bpf_dynptr_size(ptr: value_ptr);
351	value = __bpf_dynptr_data_rw(ptr: value_ptr, len: value_len);
352	if (!value)
353	return -EINVAL;
354
355	return kernfs_xattr_get(kn: cgroup->kn, name: name__str, value, size: value_len);
356	}
357	#endif /* CONFIG_CGROUPS */
358
359	__bpf_kfunc_end_defs();
360
361	BTF_KFUNCS_START(bpf_fs_kfunc_set_ids)
362	BTF_ID_FLAGS(func, bpf_get_task_exe_file,
363	KF_ACQUIRE \| KF_TRUSTED_ARGS \| KF_RET_NULL)
364	BTF_ID_FLAGS(func, bpf_put_file, KF_RELEASE)
365	BTF_ID_FLAGS(func, bpf_path_d_path, KF_TRUSTED_ARGS)
366	BTF_ID_FLAGS(func, bpf_get_dentry_xattr, KF_SLEEPABLE \| KF_TRUSTED_ARGS)
367	BTF_ID_FLAGS(func, bpf_get_file_xattr, KF_SLEEPABLE \| KF_TRUSTED_ARGS)
368	BTF_ID_FLAGS(func, bpf_set_dentry_xattr, KF_SLEEPABLE \| KF_TRUSTED_ARGS)
369	BTF_ID_FLAGS(func, bpf_remove_dentry_xattr, KF_SLEEPABLE \| KF_TRUSTED_ARGS)
370	BTF_KFUNCS_END(bpf_fs_kfunc_set_ids)
371
372	static int bpf_fs_kfuncs_filter(const struct bpf_prog *prog, u32 kfunc_id)
373	{
374	if (!btf_id_set8_contains(set: &bpf_fs_kfunc_set_ids, id: kfunc_id) \|\|
375	prog->type == BPF_PROG_TYPE_LSM)
376	return `0`;
377	return -EACCES;
378	}
379
380	/ bpf_[set\|remove]_dentry_xattr.* hooks have KF_TRUSTED_ARGS and*
381	* KF_SLEEPABLE, so they are only available to sleepable hooks with
382	* dentry arguments.
383	*
384	* Setting and removing xattr requires exclusive lock on dentry->d_inode.
385	* Some hooks already locked d_inode, while some hooks have not locked
386	* d_inode. Therefore, we need different kfuncs for different hooks.
387	* Specifically, hooks in the following list (d_inode_locked_hooks)
388	* should call bpf_[set\|remove]_dentry_xattr_locked; while other hooks
389	* should call bpf_[set\|remove]_dentry_xattr.
390	*/
391	BTF_SET_START(d_inode_locked_hooks)
392	BTF_ID(func, bpf_lsm_inode_post_removexattr)
393	BTF_ID(func, bpf_lsm_inode_post_setattr)
394	BTF_ID(func, bpf_lsm_inode_post_setxattr)
395	BTF_ID(func, bpf_lsm_inode_removexattr)
396	BTF_ID(func, bpf_lsm_inode_rmdir)
397	BTF_ID(func, bpf_lsm_inode_setattr)
398	BTF_ID(func, bpf_lsm_inode_setxattr)
399	BTF_ID(func, bpf_lsm_inode_unlink)
400	#ifdef CONFIG_SECURITY_PATH
401	BTF_ID(func, bpf_lsm_path_unlink)
402	BTF_ID(func, bpf_lsm_path_rmdir)
403	#endif /* CONFIG_SECURITY_PATH */
404	BTF_SET_END(d_inode_locked_hooks)
405
406	bool bpf_lsm_has_d_inode_locked(const struct bpf_prog *prog)
407	{
408	return btf_id_set_contains(set: &d_inode_locked_hooks, id: prog->aux->attach_btf_id);
409	}
410
411	static const struct btf_kfunc_id_set bpf_fs_kfunc_set = {
412	.owner = THIS_MODULE,
413	.set = &bpf_fs_kfunc_set_ids,
414	.filter = bpf_fs_kfuncs_filter,
415	};
416
417	static int __init bpf_fs_kfuncs_init(void)
418	{
419	return register_btf_kfunc_id_set(prog_type: BPF_PROG_TYPE_LSM, s: &bpf_fs_kfunc_set);
420	}
421
422	late_initcall(bpf_fs_kfuncs_init);
423

source code of linux/fs/bpf_fs_kfuncs.c