// SPDX-License-Identifier: GPL-2.01/* Copyright (c) 2024 Google LLC. */23#include <linux/bpf.h>4#include <linux/bpf_lsm.h>5#include <linux/btf.h>6#include <linux/btf_ids.h>7#include <linux/dcache.h>8#include <linux/fs.h>9#include <linux/fsnotify.h>10#include <linux/file.h>11#include <linux/kernfs.h>12#include <linux/mm.h>13#include <linux/xattr.h>1415__bpf_kfunc_start_defs();1617/**18* bpf_get_task_exe_file - get a reference on the exe_file struct file member of19* the mm_struct that is nested within the supplied20* task_struct21* @task: task_struct of which the nested mm_struct exe_file member to get a22* reference on23*24* Get a reference on the exe_file struct file member field of the mm_struct25* nested within the supplied *task*. The referenced file pointer acquired by26* this BPF kfunc must be released using bpf_put_file(). Failing to call27* bpf_put_file() on the returned referenced struct file pointer that has been28* acquired by this BPF kfunc will result in the BPF program being rejected by29* the BPF verifier.30*31* This BPF kfunc may only be called from BPF LSM programs.32*33* Internally, this BPF kfunc leans on get_task_exe_file(), such that calling34* bpf_get_task_exe_file() would be analogous to calling get_task_exe_file()35* directly in kernel context.36*37* Return: A referenced struct file pointer to the exe_file member of the38* mm_struct that is nested within the supplied *task*. On error, NULL is39* returned.40*/41__bpf_kfunc struct file *bpf_get_task_exe_file(struct task_struct *task)42{43return get_task_exe_file(task);44}4546/**47* bpf_put_file - put a reference on the supplied file48* @file: file to put a reference on49*50* Put a reference on the supplied *file*. Only referenced file pointers may be51* passed to this BPF kfunc. Attempting to pass an unreferenced file pointer, or52* any other arbitrary pointer for that matter, will result in the BPF program53* being rejected by the BPF verifier.54*55* This BPF kfunc may only be called from BPF LSM programs.56*/57__bpf_kfunc void bpf_put_file(struct file *file)58{59fput(file);60}6162/**63* bpf_path_d_path - resolve the pathname for the supplied path64* @path: path to resolve the pathname for65* @buf: buffer to return the resolved pathname in66* @buf__sz: length of the supplied buffer67*68* Resolve the pathname for the supplied *path* and store it in *buf*. This BPF69* kfunc is the safer variant of the legacy bpf_d_path() helper and should be70* used in place of bpf_d_path() whenever possible. It enforces KF_TRUSTED_ARGS71* semantics, meaning that the supplied *path* must itself hold a valid72* reference, or else the BPF program will be outright rejected by the BPF73* verifier.74*75* This BPF kfunc may only be called from BPF LSM programs.76*77* Return: A positive integer corresponding to the length of the resolved78* pathname in *buf*, including the NUL termination character. On error, a79* negative integer is returned.80*/81__bpf_kfunc int bpf_path_d_path(struct path *path, char *buf, size_t buf__sz)82{83int len;84char *ret;8586if (!buf__sz)87return -EINVAL;8889ret = d_path(path, buf, buf__sz);90if (IS_ERR(ret))91return PTR_ERR(ret);9293len = buf + buf__sz - ret;94memmove(buf, ret, len);95return len;96}9798static bool match_security_bpf_prefix(const char *name__str)99{100return !strncmp(name__str, XATTR_NAME_BPF_LSM, XATTR_NAME_BPF_LSM_LEN);101}102103static int bpf_xattr_read_permission(const char *name, struct inode *inode)104{105if (WARN_ON(!inode))106return -EINVAL;107108/* Allow reading xattr with user. and security.bpf. prefix */109if (strncmp(name, XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN) &&110!match_security_bpf_prefix(name))111return -EPERM;112113return inode_permission(&nop_mnt_idmap, inode, MAY_READ);114}115116/**117* bpf_get_dentry_xattr - get xattr of a dentry118* @dentry: dentry to get xattr from119* @name__str: name of the xattr120* @value_p: output buffer of the xattr value121*122* Get xattr *name__str* of *dentry* and store the output in *value_ptr*.123*124* For security reasons, only *name__str* with prefixes "user." or125* "security.bpf." are allowed.126*127* Return: length of the xattr value on success, a negative value on error.128*/129__bpf_kfunc int bpf_get_dentry_xattr(struct dentry *dentry, const char *name__str,130struct bpf_dynptr *value_p)131{132struct bpf_dynptr_kern *value_ptr = (struct bpf_dynptr_kern *)value_p;133struct inode *inode = d_inode(dentry);134u32 value_len;135void *value;136int ret;137138value_len = __bpf_dynptr_size(value_ptr);139value = __bpf_dynptr_data_rw(value_ptr, value_len);140if (!value)141return -EINVAL;142143ret = bpf_xattr_read_permission(name__str, inode);144if (ret)145return ret;146return __vfs_getxattr(dentry, inode, name__str, value, value_len);147}148149/**150* bpf_get_file_xattr - get xattr of a file151* @file: file to get xattr from152* @name__str: name of the xattr153* @value_p: output buffer of the xattr value154*155* Get xattr *name__str* of *file* and store the output in *value_ptr*.156*157* For security reasons, only *name__str* with prefixes "user." or158* "security.bpf." are allowed.159*160* Return: length of the xattr value on success, a negative value on error.161*/162__bpf_kfunc int bpf_get_file_xattr(struct file *file, const char *name__str,163struct bpf_dynptr *value_p)164{165struct dentry *dentry;166167dentry = file_dentry(file);168return bpf_get_dentry_xattr(dentry, name__str, value_p);169}170171__bpf_kfunc_end_defs();172173static int bpf_xattr_write_permission(const char *name, struct inode *inode)174{175if (WARN_ON(!inode))176return -EINVAL;177178/* Only allow setting and removing security.bpf. xattrs */179if (!match_security_bpf_prefix(name))180return -EPERM;181182return inode_permission(&nop_mnt_idmap, inode, MAY_WRITE);183}184185/**186* bpf_set_dentry_xattr_locked - set a xattr of a dentry187* @dentry: dentry to get xattr from188* @name__str: name of the xattr189* @value_p: xattr value190* @flags: flags to pass into filesystem operations191*192* Set xattr *name__str* of *dentry* to the value in *value_ptr*.193*194* For security reasons, only *name__str* with prefix "security.bpf."195* is allowed.196*197* The caller already locked dentry->d_inode.198*199* Return: 0 on success, a negative value on error.200*/201int bpf_set_dentry_xattr_locked(struct dentry *dentry, const char *name__str,202const struct bpf_dynptr *value_p, int flags)203{204205struct bpf_dynptr_kern *value_ptr = (struct bpf_dynptr_kern *)value_p;206struct inode *inode = d_inode(dentry);207const void *value;208u32 value_len;209int ret;210211value_len = __bpf_dynptr_size(value_ptr);212value = __bpf_dynptr_data(value_ptr, value_len);213if (!value)214return -EINVAL;215216ret = bpf_xattr_write_permission(name__str, inode);217if (ret)218return ret;219220ret = __vfs_setxattr(&nop_mnt_idmap, dentry, inode, name__str,221value, value_len, flags);222if (!ret) {223fsnotify_xattr(dentry);224225/* This xattr is set by BPF LSM, so we do not call226* security_inode_post_setxattr. Otherwise, we would227* risk deadlocks by calling back to the same kfunc.228*229* This is the same as security_inode_setsecurity().230*/231}232return ret;233}234235/**236* bpf_remove_dentry_xattr_locked - remove a xattr of a dentry237* @dentry: dentry to get xattr from238* @name__str: name of the xattr239*240* Rmove xattr *name__str* of *dentry*.241*242* For security reasons, only *name__str* with prefix "security.bpf."243* is allowed.244*245* The caller already locked dentry->d_inode.246*247* Return: 0 on success, a negative value on error.248*/249int bpf_remove_dentry_xattr_locked(struct dentry *dentry, const char *name__str)250{251struct inode *inode = d_inode(dentry);252int ret;253254ret = bpf_xattr_write_permission(name__str, inode);255if (ret)256return ret;257258ret = __vfs_removexattr(&nop_mnt_idmap, dentry, name__str);259if (!ret) {260fsnotify_xattr(dentry);261262/* This xattr is removed by BPF LSM, so we do not call263* security_inode_post_removexattr. Otherwise, we would264* risk deadlocks by calling back to the same kfunc.265*/266}267return ret;268}269270__bpf_kfunc_start_defs();271272/**273* bpf_set_dentry_xattr - set a xattr of a dentry274* @dentry: dentry to get xattr from275* @name__str: name of the xattr276* @value_p: xattr value277* @flags: flags to pass into filesystem operations278*279* Set xattr *name__str* of *dentry* to the value in *value_ptr*.280*281* For security reasons, only *name__str* with prefix "security.bpf."282* is allowed.283*284* The caller has not locked dentry->d_inode.285*286* Return: 0 on success, a negative value on error.287*/288__bpf_kfunc int bpf_set_dentry_xattr(struct dentry *dentry, const char *name__str,289const struct bpf_dynptr *value_p, int flags)290{291struct inode *inode = d_inode(dentry);292int ret;293294inode_lock(inode);295ret = bpf_set_dentry_xattr_locked(dentry, name__str, value_p, flags);296inode_unlock(inode);297return ret;298}299300/**301* bpf_remove_dentry_xattr - remove a xattr of a dentry302* @dentry: dentry to get xattr from303* @name__str: name of the xattr304*305* Rmove xattr *name__str* of *dentry*.306*307* For security reasons, only *name__str* with prefix "security.bpf."308* is allowed.309*310* The caller has not locked dentry->d_inode.311*312* Return: 0 on success, a negative value on error.313*/314__bpf_kfunc int bpf_remove_dentry_xattr(struct dentry *dentry, const char *name__str)315{316struct inode *inode = d_inode(dentry);317int ret;318319inode_lock(inode);320ret = bpf_remove_dentry_xattr_locked(dentry, name__str);321inode_unlock(inode);322return ret;323}324325#ifdef CONFIG_CGROUPS326/**327* bpf_cgroup_read_xattr - read xattr of a cgroup's node in cgroupfs328* @cgroup: cgroup to get xattr from329* @name__str: name of the xattr330* @value_p: output buffer of the xattr value331*332* Get xattr *name__str* of *cgroup* and store the output in *value_ptr*.333*334* For security reasons, only *name__str* with prefix "user." is allowed.335*336* Return: length of the xattr value on success, a negative value on error.337*/338__bpf_kfunc int bpf_cgroup_read_xattr(struct cgroup *cgroup, const char *name__str,339struct bpf_dynptr *value_p)340{341struct bpf_dynptr_kern *value_ptr = (struct bpf_dynptr_kern *)value_p;342u32 value_len;343void *value;344345/* Only allow reading "user.*" xattrs */346if (strncmp(name__str, XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN))347return -EPERM;348349value_len = __bpf_dynptr_size(value_ptr);350value = __bpf_dynptr_data_rw(value_ptr, value_len);351if (!value)352return -EINVAL;353354return kernfs_xattr_get(cgroup->kn, name__str, value, value_len);355}356#endif /* CONFIG_CGROUPS */357358__bpf_kfunc_end_defs();359360BTF_KFUNCS_START(bpf_fs_kfunc_set_ids)361BTF_ID_FLAGS(func, bpf_get_task_exe_file,362KF_ACQUIRE | KF_TRUSTED_ARGS | KF_RET_NULL)363BTF_ID_FLAGS(func, bpf_put_file, KF_RELEASE)364BTF_ID_FLAGS(func, bpf_path_d_path, KF_TRUSTED_ARGS)365BTF_ID_FLAGS(func, bpf_get_dentry_xattr, KF_SLEEPABLE | KF_TRUSTED_ARGS)366BTF_ID_FLAGS(func, bpf_get_file_xattr, KF_SLEEPABLE | KF_TRUSTED_ARGS)367BTF_ID_FLAGS(func, bpf_set_dentry_xattr, KF_SLEEPABLE | KF_TRUSTED_ARGS)368BTF_ID_FLAGS(func, bpf_remove_dentry_xattr, KF_SLEEPABLE | KF_TRUSTED_ARGS)369BTF_KFUNCS_END(bpf_fs_kfunc_set_ids)370371static int bpf_fs_kfuncs_filter(const struct bpf_prog *prog, u32 kfunc_id)372{373if (!btf_id_set8_contains(&bpf_fs_kfunc_set_ids, kfunc_id) ||374prog->type == BPF_PROG_TYPE_LSM)375return 0;376return -EACCES;377}378379/* bpf_[set|remove]_dentry_xattr.* hooks have KF_TRUSTED_ARGS and380* KF_SLEEPABLE, so they are only available to sleepable hooks with381* dentry arguments.382*383* Setting and removing xattr requires exclusive lock on dentry->d_inode.384* Some hooks already locked d_inode, while some hooks have not locked385* d_inode. Therefore, we need different kfuncs for different hooks.386* Specifically, hooks in the following list (d_inode_locked_hooks)387* should call bpf_[set|remove]_dentry_xattr_locked; while other hooks388* should call bpf_[set|remove]_dentry_xattr.389*/390BTF_SET_START(d_inode_locked_hooks)391BTF_ID(func, bpf_lsm_inode_post_removexattr)392BTF_ID(func, bpf_lsm_inode_post_setattr)393BTF_ID(func, bpf_lsm_inode_post_setxattr)394BTF_ID(func, bpf_lsm_inode_removexattr)395BTF_ID(func, bpf_lsm_inode_rmdir)396BTF_ID(func, bpf_lsm_inode_setattr)397BTF_ID(func, bpf_lsm_inode_setxattr)398BTF_ID(func, bpf_lsm_inode_unlink)399#ifdef CONFIG_SECURITY_PATH400BTF_ID(func, bpf_lsm_path_unlink)401BTF_ID(func, bpf_lsm_path_rmdir)402#endif /* CONFIG_SECURITY_PATH */403BTF_SET_END(d_inode_locked_hooks)404405bool bpf_lsm_has_d_inode_locked(const struct bpf_prog *prog)406{407return btf_id_set_contains(&d_inode_locked_hooks, prog->aux->attach_btf_id);408}409410static const struct btf_kfunc_id_set bpf_fs_kfunc_set = {411.owner = THIS_MODULE,412.set = &bpf_fs_kfunc_set_ids,413.filter = bpf_fs_kfuncs_filter,414};415416static int __init bpf_fs_kfuncs_init(void)417{418return register_btf_kfunc_id_set(BPF_PROG_TYPE_LSM, &bpf_fs_kfunc_set);419}420421late_initcall(bpf_fs_kfuncs_init);422423424