1
// SPDX-License-Identifier: GPL-2.0
2
/* Copyright (c) 2024 Google LLC. */
3

4
#include <linux/bpf.h>
5
#include <linux/bpf_lsm.h>
6
#include <linux/btf.h>
7
#include <linux/btf_ids.h>
8
#include <linux/dcache.h>
9
#include <linux/fs.h>
10
#include <linux/fsnotify.h>
11
#include <linux/file.h>
12
#include <linux/kernfs.h>
13
#include <linux/mm.h>
14
#include <linux/xattr.h>
15

16
__bpf_kfunc_start_defs();
17

18
/**
19
 * bpf_get_task_exe_file - get a reference on the exe_file struct file member of
20
 *                         the mm_struct that is nested within the supplied
21
 *                         task_struct
22
 * @task: task_struct of which the nested mm_struct exe_file member to get a
23
 * reference on
24
 *
25
 * Get a reference on the exe_file struct file member field of the mm_struct
26
 * nested within the supplied *task*. The referenced file pointer acquired by
27
 * this BPF kfunc must be released using bpf_put_file(). Failing to call
28
 * bpf_put_file() on the returned referenced struct file pointer that has been
29
 * acquired by this BPF kfunc will result in the BPF program being rejected by
30
 * the BPF verifier.
31
 *
32
 * This BPF kfunc may only be called from BPF LSM programs.
33
 *
34
 * Internally, this BPF kfunc leans on get_task_exe_file(), such that calling
35
 * bpf_get_task_exe_file() would be analogous to calling get_task_exe_file()
36
 * directly in kernel context.
37
 *
38
 * Return: A referenced struct file pointer to the exe_file member of the
39
 * mm_struct that is nested within the supplied *task*. On error, NULL is
40
 * returned.
41
 */
42
__bpf_kfunc struct file *bpf_get_task_exe_file(struct task_struct *task)
43
{
44
	return get_task_exe_file(task);
45
}
46

47
/**
48
 * bpf_put_file - put a reference on the supplied file
49
 * @file: file to put a reference on
50
 *
51
 * Put a reference on the supplied *file*. Only referenced file pointers may be
52
 * passed to this BPF kfunc. Attempting to pass an unreferenced file pointer, or
53
 * any other arbitrary pointer for that matter, will result in the BPF program
54
 * being rejected by the BPF verifier.
55
 *
56
 * This BPF kfunc may only be called from BPF LSM programs.
57
 */
58
__bpf_kfunc void bpf_put_file(struct file *file)
59
{
60
	fput(file);
61
}
62

63
/**
64
 * bpf_path_d_path - resolve the pathname for the supplied path
65
 * @path: path to resolve the pathname for
66
 * @buf: buffer to return the resolved pathname in
67
 * @buf__sz: length of the supplied buffer
68
 *
69
 * Resolve the pathname for the supplied *path* and store it in *buf*. This BPF
70
 * kfunc is the safer variant of the legacy bpf_d_path() helper and should be
71
 * used in place of bpf_d_path() whenever possible.
72
 *
73
 * This BPF kfunc may only be called from BPF LSM programs.
74
 *
75
 * Return: A positive integer corresponding to the length of the resolved
76
 * pathname in *buf*, including the NUL termination character. On error, a
77
 * negative integer is returned.
78
 */
79
__bpf_kfunc int bpf_path_d_path(const struct path *path, char *buf, size_t buf__sz)
80
{
81
	int len;
82
	char *ret;
83

84
	if (!buf__sz)
85
		return -EINVAL;
86

87
	ret = d_path(path, buf, buf__sz);
88
	if (IS_ERR(ret))
89
		return PTR_ERR(ret);
90

91
	len = buf + buf__sz - ret;
92
	memmove(buf, ret, len);
93
	return len;
94
}
95

96
static bool match_security_bpf_prefix(const char *name__str)
97
{
98
	return !strncmp(name__str, XATTR_NAME_BPF_LSM, XATTR_NAME_BPF_LSM_LEN);
99
}
100

101
static int bpf_xattr_read_permission(const char *name, struct inode *inode)
102
{
103
	if (WARN_ON(!inode))
104
		return -EINVAL;
105

106
	/* Allow reading xattr with user. and security.bpf. prefix */
107
	if (strncmp(name, XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN) &&
108
	    !match_security_bpf_prefix(name))
109
		return -EPERM;
110

111
	return inode_permission(&nop_mnt_idmap, inode, MAY_READ);
112
}
113

114
/**
115
 * bpf_get_dentry_xattr - get xattr of a dentry
116
 * @dentry: dentry to get xattr from
117
 * @name__str: name of the xattr
118
 * @value_p: output buffer of the xattr value
119
 *
120
 * Get xattr *name__str* of *dentry* and store the output in *value_ptr*.
121
 *
122
 * For security reasons, only *name__str* with prefixes "user." or
123
 * "security.bpf." are allowed.
124
 *
125
 * Return: length of the xattr value on success, a negative value on error.
126
 */
127
__bpf_kfunc int bpf_get_dentry_xattr(struct dentry *dentry, const char *name__str,
128
				     struct bpf_dynptr *value_p)
129
{
130
	struct bpf_dynptr_kern *value_ptr = (struct bpf_dynptr_kern *)value_p;
131
	struct inode *inode = d_inode(dentry);
132
	u32 value_len;
133
	void *value;
134
	int ret;
135

136
	value_len = __bpf_dynptr_size(value_ptr);
137
	value = __bpf_dynptr_data_rw(value_ptr, value_len);
138
	if (!value)
139
		return -EINVAL;
140

141
	ret = bpf_xattr_read_permission(name__str, inode);
142
	if (ret)
143
		return ret;
144
	return __vfs_getxattr(dentry, inode, name__str, value, value_len);
145
}
146

147
/**
148
 * bpf_get_file_xattr - get xattr of a file
149
 * @file: file to get xattr from
150
 * @name__str: name of the xattr
151
 * @value_p: output buffer of the xattr value
152
 *
153
 * Get xattr *name__str* of *file* and store the output in *value_ptr*.
154
 *
155
 * For security reasons, only *name__str* with prefixes "user." or
156
 * "security.bpf." are allowed.
157
 *
158
 * Return: length of the xattr value on success, a negative value on error.
159
 */
160
__bpf_kfunc int bpf_get_file_xattr(struct file *file, const char *name__str,
161
				   struct bpf_dynptr *value_p)
162
{
163
	struct dentry *dentry;
164

165
	dentry = file_dentry(file);
166
	return bpf_get_dentry_xattr(dentry, name__str, value_p);
167
}
168

169
__bpf_kfunc_end_defs();
170

171
static int bpf_xattr_write_permission(const char *name, struct inode *inode)
172
{
173
	if (WARN_ON(!inode))
174
		return -EINVAL;
175

176
	/* Only allow setting and removing security.bpf. xattrs */
177
	if (!match_security_bpf_prefix(name))
178
		return -EPERM;
179

180
	return inode_permission(&nop_mnt_idmap, inode, MAY_WRITE);
181
}
182

183
/**
184
 * bpf_set_dentry_xattr_locked - set a xattr of a dentry
185
 * @dentry: dentry to get xattr from
186
 * @name__str: name of the xattr
187
 * @value_p: xattr value
188
 * @flags: flags to pass into filesystem operations
189
 *
190
 * Set xattr *name__str* of *dentry* to the value in *value_ptr*.
191
 *
192
 * For security reasons, only *name__str* with prefix "security.bpf."
193
 * is allowed.
194
 *
195
 * The caller already locked dentry->d_inode.
196
 *
197
 * Return: 0 on success, a negative value on error.
198
 */
199
int bpf_set_dentry_xattr_locked(struct dentry *dentry, const char *name__str,
200
				const struct bpf_dynptr *value_p, int flags)
201
{
202

203
	struct bpf_dynptr_kern *value_ptr = (struct bpf_dynptr_kern *)value_p;
204
	struct inode *inode = d_inode(dentry);
205
	const void *value;
206
	u32 value_len;
207
	int ret;
208

209
	value_len = __bpf_dynptr_size(value_ptr);
210
	value = __bpf_dynptr_data(value_ptr, value_len);
211
	if (!value)
212
		return -EINVAL;
213

214
	ret = bpf_xattr_write_permission(name__str, inode);
215
	if (ret)
216
		return ret;
217

218
	ret = __vfs_setxattr(&nop_mnt_idmap, dentry, inode, name__str,
219
			     value, value_len, flags);
220
	if (!ret) {
221
		fsnotify_xattr(dentry);
222

223
		/* This xattr is set by BPF LSM, so we do not call
224
		 * security_inode_post_setxattr. Otherwise, we would
225
		 * risk deadlocks by calling back to the same kfunc.
226
		 *
227
		 * This is the same as security_inode_setsecurity().
228
		 */
229
	}
230
	return ret;
231
}
232

233
/**
234
 * bpf_remove_dentry_xattr_locked - remove a xattr of a dentry
235
 * @dentry: dentry to get xattr from
236
 * @name__str: name of the xattr
237
 *
238
 * Rmove xattr *name__str* of *dentry*.
239
 *
240
 * For security reasons, only *name__str* with prefix "security.bpf."
241
 * is allowed.
242
 *
243
 * The caller already locked dentry->d_inode.
244
 *
245
 * Return: 0 on success, a negative value on error.
246
 */
247
int bpf_remove_dentry_xattr_locked(struct dentry *dentry, const char *name__str)
248
{
249
	struct inode *inode = d_inode(dentry);
250
	int ret;
251

252
	ret = bpf_xattr_write_permission(name__str, inode);
253
	if (ret)
254
		return ret;
255

256
	ret = __vfs_removexattr(&nop_mnt_idmap, dentry, name__str);
257
	if (!ret) {
258
		fsnotify_xattr(dentry);
259

260
		/* This xattr is removed by BPF LSM, so we do not call
261
		 * security_inode_post_removexattr. Otherwise, we would
262
		 * risk deadlocks by calling back to the same kfunc.
263
		 */
264
	}
265
	return ret;
266
}
267

268
__bpf_kfunc_start_defs();
269

270
/**
271
 * bpf_set_dentry_xattr - set a xattr of a dentry
272
 * @dentry: dentry to get xattr from
273
 * @name__str: name of the xattr
274
 * @value_p: xattr value
275
 * @flags: flags to pass into filesystem operations
276
 *
277
 * Set xattr *name__str* of *dentry* to the value in *value_ptr*.
278
 *
279
 * For security reasons, only *name__str* with prefix "security.bpf."
280
 * is allowed.
281
 *
282
 * The caller has not locked dentry->d_inode.
283
 *
284
 * Return: 0 on success, a negative value on error.
285
 */
286
__bpf_kfunc int bpf_set_dentry_xattr(struct dentry *dentry, const char *name__str,
287
				     const struct bpf_dynptr *value_p, int flags)
288
{
289
	struct inode *inode = d_inode(dentry);
290
	int ret;
291

292
	inode_lock(inode);
293
	ret = bpf_set_dentry_xattr_locked(dentry, name__str, value_p, flags);
294
	inode_unlock(inode);
295
	return ret;
296
}
297

298
/**
299
 * bpf_remove_dentry_xattr - remove a xattr of a dentry
300
 * @dentry: dentry to get xattr from
301
 * @name__str: name of the xattr
302
 *
303
 * Rmove xattr *name__str* of *dentry*.
304
 *
305
 * For security reasons, only *name__str* with prefix "security.bpf."
306
 * is allowed.
307
 *
308
 * The caller has not locked dentry->d_inode.
309
 *
310
 * Return: 0 on success, a negative value on error.
311
 */
312
__bpf_kfunc int bpf_remove_dentry_xattr(struct dentry *dentry, const char *name__str)
313
{
314
	struct inode *inode = d_inode(dentry);
315
	int ret;
316

317
	inode_lock(inode);
318
	ret = bpf_remove_dentry_xattr_locked(dentry, name__str);
319
	inode_unlock(inode);
320
	return ret;
321
}
322

323
#ifdef CONFIG_CGROUPS
324
/**
325
 * bpf_cgroup_read_xattr - read xattr of a cgroup's node in cgroupfs
326
 * @cgroup: cgroup to get xattr from
327
 * @name__str: name of the xattr
328
 * @value_p: output buffer of the xattr value
329
 *
330
 * Get xattr *name__str* of *cgroup* and store the output in *value_ptr*.
331
 *
332
 * For security reasons, only *name__str* with prefix "user." is allowed.
333
 *
334
 * Return: length of the xattr value on success, a negative value on error.
335
 */
336
__bpf_kfunc int bpf_cgroup_read_xattr(struct cgroup *cgroup, const char *name__str,
337
					struct bpf_dynptr *value_p)
338
{
339
	struct bpf_dynptr_kern *value_ptr = (struct bpf_dynptr_kern *)value_p;
340
	u32 value_len;
341
	void *value;
342

343
	/* Only allow reading "user.*" xattrs */
344
	if (strncmp(name__str, XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN))
345
		return -EPERM;
346

347
	value_len = __bpf_dynptr_size(value_ptr);
348
	value = __bpf_dynptr_data_rw(value_ptr, value_len);
349
	if (!value)
350
		return -EINVAL;
351

352
	return kernfs_xattr_get(cgroup->kn, name__str, value, value_len);
353
}
354
#endif /* CONFIG_CGROUPS */
355

356
__bpf_kfunc_end_defs();
357

358
BTF_KFUNCS_START(bpf_fs_kfunc_set_ids)
359
BTF_ID_FLAGS(func, bpf_get_task_exe_file, KF_ACQUIRE | KF_RET_NULL)
360
BTF_ID_FLAGS(func, bpf_put_file, KF_RELEASE)
361
BTF_ID_FLAGS(func, bpf_path_d_path)
362
BTF_ID_FLAGS(func, bpf_get_dentry_xattr, KF_SLEEPABLE)
363
BTF_ID_FLAGS(func, bpf_get_file_xattr, KF_SLEEPABLE)
364
BTF_ID_FLAGS(func, bpf_set_dentry_xattr, KF_SLEEPABLE)
365
BTF_ID_FLAGS(func, bpf_remove_dentry_xattr, KF_SLEEPABLE)
366
BTF_KFUNCS_END(bpf_fs_kfunc_set_ids)
367

368
static int bpf_fs_kfuncs_filter(const struct bpf_prog *prog, u32 kfunc_id)
369
{
370
	if (!btf_id_set8_contains(&bpf_fs_kfunc_set_ids, kfunc_id) ||
371
	    prog->type == BPF_PROG_TYPE_LSM)
372
		return 0;
373
	return -EACCES;
374
}
375

376
/* bpf_[set|remove]_dentry_xattr.* hooks have KF_SLEEPABLE, so they are only
377
 * available to sleepable hooks with dentry arguments.
378
 *
379
 * Setting and removing xattr requires exclusive lock on dentry->d_inode.
380
 * Some hooks already locked d_inode, while some hooks have not locked
381
 * d_inode. Therefore, we need different kfuncs for different hooks.
382
 * Specifically, hooks in the following list (d_inode_locked_hooks)
383
 * should call bpf_[set|remove]_dentry_xattr_locked; while other hooks
384
 * should call bpf_[set|remove]_dentry_xattr.
385
 */
386
BTF_SET_START(d_inode_locked_hooks)
387
BTF_ID(func, bpf_lsm_inode_post_removexattr)
388
BTF_ID(func, bpf_lsm_inode_post_setattr)
389
BTF_ID(func, bpf_lsm_inode_post_setxattr)
390
BTF_ID(func, bpf_lsm_inode_removexattr)
391
BTF_ID(func, bpf_lsm_inode_rmdir)
392
BTF_ID(func, bpf_lsm_inode_setattr)
393
BTF_ID(func, bpf_lsm_inode_setxattr)
394
BTF_ID(func, bpf_lsm_inode_unlink)
395
#ifdef CONFIG_SECURITY_PATH
396
BTF_ID(func, bpf_lsm_path_unlink)
397
BTF_ID(func, bpf_lsm_path_rmdir)
398
#endif /* CONFIG_SECURITY_PATH */
399
BTF_SET_END(d_inode_locked_hooks)
400

401
bool bpf_lsm_has_d_inode_locked(const struct bpf_prog *prog)
402
{
403
	return btf_id_set_contains(&d_inode_locked_hooks, prog->aux->attach_btf_id);
404
}
405

406
static const struct btf_kfunc_id_set bpf_fs_kfunc_set = {
407
	.owner = THIS_MODULE,
408
	.set = &bpf_fs_kfunc_set_ids,
409
	.filter = bpf_fs_kfuncs_filter,
410
};
411

412
static int __init bpf_fs_kfuncs_init(void)
413
{
414
	return register_btf_kfunc_id_set(BPF_PROG_TYPE_LSM, &bpf_fs_kfunc_set);
415
}
416

417
late_initcall(bpf_fs_kfuncs_init);
418

419