1 // SPDX-License-Identifier: GPL-2.0
4 * Copyright (C) 2020 Google LLC.
7 #include <linux/filter.h>
10 #include <linux/binfmts.h>
11 #include <linux/lsm_hooks.h>
12 #include <linux/bpf_lsm.h>
13 #include <linux/kallsyms.h>
14 #include <net/bpf_sk_storage.h>
15 #include <linux/bpf_local_storage.h>
16 #include <linux/btf_ids.h>
17 #include <linux/ima.h>
18 #include <linux/bpf-cgroup.h>
/* For every LSM hook that allows attachment of BPF programs, declare a nop
 * function where a BPF program can be attached.
 *
 * Each bpf_lsm_<hook>() is a real, non-inlined symbol so that a program can
 * be attached in front of it; the function itself only returns the hook's
 * DEFAULT value. The set of these symbols (bpf_lsm_hooks, declared below) is
 * the allow-list bpf_lsm_verify_prog() checks an attach request against.
 */
#define LSM_HOOK(RET, DEFAULT, NAME, ...)	\
noinline RET bpf_lsm_##NAME(__VA_ARGS__)	\
{						\
	return DEFAULT;				\
}

#include <linux/lsm_hook_defs.h>
#undef LSM_HOOK
/* BTF ID set of every bpf_lsm_<hook>() attach point declared above.
 * bpf_lsm_verify_prog() rejects any attach_btf_id that is not a member, so
 * this set is the complete allow-list of where an LSM program may attach.
 * LSM_HOOK is redefined here to emit one BTF_ID per hook instead of a function.
 */
#define LSM_HOOK(RET, DEFAULT, NAME, ...) BTF_ID(func, bpf_lsm_##NAME)
BTF_SET_START(bpf_lsm_hooks)
#include <linux/lsm_hook_defs.h>
#undef LSM_HOOK
BTF_SET_END(bpf_lsm_hooks)
/* Hooks an LSM program may never attach to, even though a bpf_lsm_<hook>()
 * stub exists for them. bpf_lsm_verify_prog() checks this deny-list before the
 * bpf_lsm_hooks allow-list. The reason for each entry is not stated here;
 * presumably their return value or out-parameters cannot be produced safely by
 * a BPF program — confirm against the hook definitions before changing this.
 *
 * NOTE(review): the listing this was taken from skips lines around the
 * key_getsecurity and audit_rule_match entries; those hooks only exist under
 * their respective Kconfig options, so the skipped lines presumably hold the
 * matching #ifdef/#endif guards. Verify against the tree before copying.
 */
BTF_SET_START(bpf_lsm_disabled_hooks)
BTF_ID(func, bpf_lsm_vm_enough_memory)
BTF_ID(func, bpf_lsm_inode_need_killpriv)
BTF_ID(func, bpf_lsm_inode_getsecurity)
BTF_ID(func, bpf_lsm_inode_listsecurity)
BTF_ID(func, bpf_lsm_inode_copy_up_xattr)
BTF_ID(func, bpf_lsm_getselfattr)
BTF_ID(func, bpf_lsm_getprocattr)
BTF_ID(func, bpf_lsm_setprocattr)
BTF_ID(func, bpf_lsm_key_getsecurity)
BTF_ID(func, bpf_lsm_audit_rule_match)
BTF_ID(func, bpf_lsm_ismaclabel)
BTF_SET_END(bpf_lsm_disabled_hooks)
/* List of LSM hooks that should operate on 'current' cgroup regardless
 * of function signature.
 *
 * bpf_lsm_find_cgroup_shim() consults this set before looking at the hook's
 * first argument: a hook listed here always gets the 'current' shim even if
 * its first argument is a sock.
 */
BTF_SET_START(bpf_lsm_current_hooks)
/* operate on freshly allocated sk without any cgroup association */
#ifdef CONFIG_SECURITY_NETWORK
BTF_ID(func, bpf_lsm_sk_alloc_security)
BTF_ID(func, bpf_lsm_sk_free_security)
#endif /* CONFIG_SECURITY_NETWORK */
BTF_SET_END(bpf_lsm_current_hooks)
/* List of LSM hooks that trigger while the socket is properly locked.
 *
 * Only BPF_LSM_CGROUP programs attached to one of these hooks are offered the
 * plain bpf_sk_{g,s}etsockopt helpers (see bpf_lsm_func_proto()); adding a
 * hook here asserts that the socket lock is held whenever it runs.
 */
BTF_SET_START(bpf_lsm_locked_sockopt_hooks)
#ifdef CONFIG_SECURITY_NETWORK
BTF_ID(func, bpf_lsm_sock_graft)
BTF_ID(func, bpf_lsm_inet_csk_clone)
BTF_ID(func, bpf_lsm_inet_conn_established)
#endif /* CONFIG_SECURITY_NETWORK */
BTF_SET_END(bpf_lsm_locked_sockopt_hooks)
/* List of LSM hooks that trigger while the socket is _not_ locked,
 * but it's ok to call bpf_{g,s}etsockopt because the socket is still
 * in the early init phase.
 *
 * Programs on these hooks get the bpf_unlocked_sk_{g,s}etsockopt variants
 * from bpf_lsm_func_proto(). Hooks in neither this set nor the locked set
 * get no sockopt helper at all.
 */
BTF_SET_START(bpf_lsm_unlocked_sockopt_hooks)
#ifdef CONFIG_SECURITY_NETWORK
BTF_ID(func, bpf_lsm_socket_post_create)
BTF_ID(func, bpf_lsm_socket_socketpair)
#endif /* CONFIG_SECURITY_NETWORK */
BTF_SET_END(bpf_lsm_unlocked_sockopt_hooks)
#ifdef CONFIG_CGROUP_BPF
/**
 * bpf_lsm_find_cgroup_shim - choose the shim that runs a BPF_LSM_CGROUP
 *                            program attached to the given hook
 * @prog: the LSM program; attach_func_proto/attach_btf_id identify its hook
 * @bpf_func: out parameter, receives the shim entry point
 *
 * The shim determines which cgroup the program is evaluated against. A hook
 * whose first argument is a struct socket or struct sock is routed through
 * __cgroup_bpf_run_lsm_socket()/__cgroup_bpf_run_lsm_sock(); hooks without
 * arguments, hooks in bpf_lsm_current_hooks (a freshly allocated sk has no
 * cgroup yet) and any other signature use the cgroup of 'current'.
 */
void bpf_lsm_find_cgroup_shim(const struct bpf_prog *prog,
			      bpf_func_t *bpf_func)
{
	const struct btf_param *args __maybe_unused;
	const struct btf_type *proto = prog->aux->attach_func_proto;
	bool use_current = btf_type_vlen(proto) < 1 ||
			   btf_id_set_contains(&bpf_lsm_current_hooks,
					       prog->aux->attach_btf_id);

	if (!use_current) {
#ifdef CONFIG_NET
		/* Dispatch on the BTF type of the hook's first argument. */
		args = btf_params(proto);
		if (args[0].type == btf_sock_ids[BTF_SOCK_TYPE_SOCKET]) {
			*bpf_func = __cgroup_bpf_run_lsm_socket;
			return;
		}
		if (args[0].type == btf_sock_ids[BTF_SOCK_TYPE_SOCK]) {
			*bpf_func = __cgroup_bpf_run_lsm_sock;
			return;
		}
#endif
	}

	/* Everything else is evaluated against the cgroup of 'current'. */
	*bpf_func = __cgroup_bpf_run_lsm_current;
}
#endif /* CONFIG_CGROUP_BPF */
/**
 * bpf_lsm_verify_prog - validate the attach point an LSM program asked for
 * @vlog: verifier log, receives a human-readable reason on rejection
 * @prog: program under verification; attach_btf_id/attach_func_name come
 *        from the load request and are therefore user-controlled
 *
 * Three checks gate the attach: the program must carry a GPL-compatible
 * license, the requested hook must not be in bpf_lsm_disabled_hooks, and it
 * must be one of the bpf_lsm_<hook>() attach points in bpf_lsm_hooks. The
 * deny-list is checked before the allow-list so the log names the more
 * specific reason.
 *
 * Return: 0 if the program may attach, -EINVAL otherwise.
 * NOTE(review): the return statements are not visible in the listing this
 * was reconstructed from; -EINVAL is assumed — confirm against the tree.
 */
int bpf_lsm_verify_prog(struct bpf_verifier_log *vlog,
			const struct bpf_prog *prog)
{
	const u32 hook_id = prog->aux->attach_btf_id;
	const char *hook_name = prog->aux->attach_func_name;
	const bool disabled = btf_id_set_contains(&bpf_lsm_disabled_hooks,
						  hook_id);
	const bool known = btf_id_set_contains(&bpf_lsm_hooks, hook_id);

	if (!prog->gpl_compatible) {
		bpf_log(vlog,
			"LSM programs must have a GPL compatible license\n");
		return -EINVAL;
	}

	if (disabled) {
		bpf_log(vlog, "attach_btf_id %u points to disabled hook %s\n",
			hook_id, hook_name);
		return -EINVAL;
	}

	if (!known) {
		bpf_log(vlog, "attach_btf_id %u points to wrong type name %s\n",
			hook_id, hook_name);
		return -EINVAL;
	}

	return 0;
}
/* Mask for all the currently supported BPRM option flags */
#define BPF_F_BRPM_OPTS_MASK BPF_F_BPRM_SECUREEXEC

/**
 * bpf_bprm_opts_set - helper: set exec options on a linux_binprm
 * @bprm: the binprm of the exec in progress (BTF-typed pointer argument)
 * @flags: BPF_F_BPRM_* bits requested by the program
 *
 * Any bit outside BPF_F_BRPM_OPTS_MASK is rejected up front, so a program
 * built against a newer UAPI cannot silently request an option this kernel
 * does not implement. The only option today is BPF_F_BPRM_SECUREEXEC, which
 * is stored in bprm->secureexec.
 *
 * Return: 0 on success, -EINVAL if @flags carries unsupported bits.
 * NOTE(review): return statements are not visible in the listing this was
 * reconstructed from; -EINVAL/0 are assumed — confirm against the tree.
 */
BPF_CALL_2(bpf_bprm_opts_set, struct linux_binprm *, bprm, u64, flags)
{
	const u64 unsupported = flags & ~BPF_F_BRPM_OPTS_MASK;

	if (unsupported)
		return -EINVAL;

	bprm->secureexec = (flags & BPF_F_BPRM_SECUREEXEC);
	return 0;
}
BTF_ID_LIST_SINGLE(bpf_bprm_opts_set_btf_ids, struct, linux_binprm)

/* Verifier prototype for bpf_bprm_opts_set(): arg1 must be a BTF-typed
 * pointer to struct linux_binprm (an arbitrary pointer is rejected at load
 * time), arg2 is an unconstrained scalar that the helper validates itself.
 * NOTE(review): the listing this was taken from skips one initializer line
 * between .func and .ret_type; check the tree (e.g. for .gpl_only) before
 * relying on this table.
 */
static const struct bpf_func_proto bpf_bprm_opts_set_proto = {
	.func		= bpf_bprm_opts_set,
	.ret_type	= RET_INTEGER,
	.arg1_type	= ARG_PTR_TO_BTF_ID,
	.arg1_btf_id	= &bpf_bprm_opts_set_btf_ids[0],
	.arg2_type	= ARG_ANYTHING,
};
/**
 * bpf_ima_inode_hash - helper: copy the IMA hash of an inode into a buffer
 * @inode: BTF-typed inode pointer
 * @dst: destination buffer; declared ARG_PTR_TO_UNINIT_MEM, written by IMA
 * @size: size of @dst, a verifier-known constant (ARG_CONST_SIZE)
 *
 * Thin wrapper around ima_inode_hash(). Only offered to programs attached to
 * a sleepable hook (see bpf_ima_inode_hash_allowed()).
 *
 * Return: the value returned by ima_inode_hash().
 */
BPF_CALL_3(bpf_ima_inode_hash, struct inode *, inode, void *, dst, u32, size)
{
	int rc = ima_inode_hash(inode, dst, size);

	return rc;
}
/* Load-time gate shared by the ima_*_hash helper protos: the helper is only
 * available to a program attached to a hook in sleepable_lsm_hooks. The
 * reason is not stated here; presumably the IMA hash lookup may sleep —
 * confirm before widening this gate.
 */
static bool bpf_ima_inode_hash_allowed(const struct bpf_prog *prog)
{
	const u32 hook_id = prog->aux->attach_btf_id;

	return bpf_lsm_is_sleepable_hook(hook_id) ? true : false;
}
BTF_ID_LIST_SINGLE(bpf_ima_inode_hash_btf_ids, struct, inode)

/* Verifier prototype for bpf_ima_inode_hash(): arg1 is a BTF-typed inode
 * pointer, arg2/arg3 are a buffer plus its constant size (the verifier checks
 * the buffer is at least that large). .allowed restricts the helper to
 * programs on sleepable hooks.
 * NOTE(review): the listing this was taken from skips two initializer lines
 * between .func and .ret_type; check the tree (e.g. for .gpl_only /
 * .might_sleep) before relying on this table.
 */
static const struct bpf_func_proto bpf_ima_inode_hash_proto = {
	.func		= bpf_ima_inode_hash,
	.ret_type	= RET_INTEGER,
	.arg1_type	= ARG_PTR_TO_BTF_ID,
	.arg1_btf_id	= &bpf_ima_inode_hash_btf_ids[0],
	.arg2_type	= ARG_PTR_TO_UNINIT_MEM,
	.arg3_type	= ARG_CONST_SIZE,
	.allowed	= bpf_ima_inode_hash_allowed,
};
/**
 * bpf_ima_file_hash - helper: copy the IMA hash of an open file into a buffer
 * @file: BTF-typed file pointer
 * @dst: destination buffer; declared ARG_PTR_TO_UNINIT_MEM, written by IMA
 * @size: size of @dst, a verifier-known constant (ARG_CONST_SIZE)
 *
 * Thin wrapper around ima_file_hash(). Gated by the same sleepable-hook
 * check as bpf_ima_inode_hash() (see bpf_ima_file_hash_proto).
 *
 * Return: the value returned by ima_file_hash().
 */
BPF_CALL_3(bpf_ima_file_hash, struct file *, file, void *, dst, u32, size)
{
	int rc = ima_file_hash(file, dst, size);

	return rc;
}
BTF_ID_LIST_SINGLE(bpf_ima_file_hash_btf_ids, struct, file)

/* Verifier prototype for bpf_ima_file_hash(); mirrors the inode variant and
 * reuses bpf_ima_inode_hash_allowed() as the sleepable-hook gate.
 * NOTE(review): the listing this was taken from skips two initializer lines
 * between .func and .ret_type; check the tree (e.g. for .gpl_only /
 * .might_sleep) before relying on this table.
 */
static const struct bpf_func_proto bpf_ima_file_hash_proto = {
	.func		= bpf_ima_file_hash,
	.ret_type	= RET_INTEGER,
	.arg1_type	= ARG_PTR_TO_BTF_ID,
	.arg1_btf_id	= &bpf_ima_file_hash_btf_ids[0],
	.arg2_type	= ARG_PTR_TO_UNINIT_MEM,
	.arg3_type	= ARG_CONST_SIZE,
	.allowed	= bpf_ima_inode_hash_allowed,
};
/**
 * bpf_get_attach_cookie - helper: return the cookie supplied at attach time
 * @ctx: program context; unused, present so the helper takes a ctx argument
 *
 * The cookie is read from the bpf_trace_run_ctx that current->bpf_ctx points
 * at while the program runs. bpf_lsm_func_proto() only offers this helper
 * when the program has a trampoline, presumably because only then is
 * current->bpf_ctx embedded in a bpf_trace_run_ctx — confirm before relaxing
 * that condition.
 */
BPF_CALL_1(bpf_get_attach_cookie, void *, ctx)
{
	const struct bpf_trace_run_ctx *trace_ctx =
		container_of(current->bpf_ctx, struct bpf_trace_run_ctx,
			     run_ctx);

	return trace_ctx->bpf_cookie;
}
/* Verifier prototype for bpf_get_attach_cookie(): takes the program context
 * and returns an integer.
 * NOTE(review): the listing this was taken from skips one initializer line
 * between .func and .ret_type; check the tree (e.g. for .gpl_only) before
 * relying on this table.
 */
static const struct bpf_func_proto bpf_get_attach_cookie_proto = {
	.func		= bpf_get_attach_cookie,
	.ret_type	= RET_INTEGER,
	.arg1_type	= ARG_PTR_TO_CTX,
};
#ifdef CONFIG_NET
/* Pick the {g,s}etsockopt proto for a BPF_LSM_CGROUP program from the lock
 * state of the hook it attaches to: hooks in bpf_lsm_locked_sockopt_hooks run
 * with the socket locked and get @locked, hooks in
 * bpf_lsm_unlocked_sockopt_hooks run unlocked during early socket init and get
 * @unlocked. Any other hook, and any non-cgroup LSM program, gets NULL, so a
 * program cannot call {g,s}etsockopt from a hook whose lock state is unknown.
 */
static const struct bpf_func_proto *
bpf_lsm_sockopt_proto(const struct bpf_prog *prog,
		      const struct bpf_func_proto *locked,
		      const struct bpf_func_proto *unlocked)
{
	const u32 hook_id = prog->aux->attach_btf_id;

	if (prog->expected_attach_type != BPF_LSM_CGROUP)
		return NULL;
	if (btf_id_set_contains(&bpf_lsm_locked_sockopt_hooks, hook_id))
		return locked;
	if (btf_id_set_contains(&bpf_lsm_unlocked_sockopt_hooks, hook_id))
		return unlocked;
	return NULL;
}
#endif /* CONFIG_NET */

/* get_func_proto callback for LSM programs: decide which helper a program may
 * call. BPF_LSM_CGROUP programs first get the cgroup-common helpers; then the
 * LSM-specific helpers are resolved here, and anything else falls through to
 * the tracing helper set. Returning NULL makes the verifier reject the call.
 */
static const struct bpf_func_proto *
bpf_lsm_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
{
	if (prog->expected_attach_type == BPF_LSM_CGROUP) {
		const struct bpf_func_proto *cg_proto =
			cgroup_common_func_proto(func_id, prog);

		if (cg_proto)
			return cg_proto;
	}

	switch (func_id) {
	case BPF_FUNC_inode_storage_get:
		return &bpf_inode_storage_get_proto;
	case BPF_FUNC_inode_storage_delete:
		return &bpf_inode_storage_delete_proto;
#ifdef CONFIG_NET
	case BPF_FUNC_sk_storage_get:
		return &bpf_sk_storage_get_proto;
	case BPF_FUNC_sk_storage_delete:
		return &bpf_sk_storage_delete_proto;
#endif /* CONFIG_NET */
	case BPF_FUNC_spin_lock:
		return &bpf_spin_lock_proto;
	case BPF_FUNC_spin_unlock:
		return &bpf_spin_unlock_proto;
	case BPF_FUNC_bprm_opts_set:
		return &bpf_bprm_opts_set_proto;
	case BPF_FUNC_ima_inode_hash:
		return &bpf_ima_inode_hash_proto;
	case BPF_FUNC_ima_file_hash:
		return &bpf_ima_file_hash_proto;
	case BPF_FUNC_get_attach_cookie:
		/* The cookie lives in the trampoline's run ctx; without a
		 * trampoline there is nothing to read.
		 */
		if (!bpf_prog_has_trampoline(prog))
			return NULL;
		return &bpf_get_attach_cookie_proto;
#ifdef CONFIG_NET
	case BPF_FUNC_setsockopt:
		return bpf_lsm_sockopt_proto(prog, &bpf_sk_setsockopt_proto,
					     &bpf_unlocked_sk_setsockopt_proto);
	case BPF_FUNC_getsockopt:
		return bpf_lsm_sockopt_proto(prog, &bpf_sk_getsockopt_proto,
					     &bpf_unlocked_sk_getsockopt_proto);
#endif /* CONFIG_NET */
	default:
		return tracing_prog_func_proto(func_id, prog);
	}
}
/* The set of hooks which are called without pagefaults disabled and are allowed
 * to "sleep" and thus can be used for sleepable BPF programs.
 *
 * Membership here is what bpf_lsm_is_sleepable_hook() reports, and through
 * bpf_ima_inode_hash_allowed() it also unlocks the ima_*_hash helpers. Adding
 * a hook is therefore a correctness/security change: the hook must really run
 * in a context where sleeping is permitted.
 */
BTF_SET_START(sleepable_lsm_hooks)
BTF_ID(func, bpf_lsm_bpf)
BTF_ID(func, bpf_lsm_bpf_map)
BTF_ID(func, bpf_lsm_bpf_map_create)
BTF_ID(func, bpf_lsm_bpf_map_free)
BTF_ID(func, bpf_lsm_bpf_prog)
BTF_ID(func, bpf_lsm_bpf_prog_load)
BTF_ID(func, bpf_lsm_bpf_prog_free)
BTF_ID(func, bpf_lsm_bpf_token_create)
BTF_ID(func, bpf_lsm_bpf_token_free)
BTF_ID(func, bpf_lsm_bpf_token_cmd)
BTF_ID(func, bpf_lsm_bpf_token_capable)
BTF_ID(func, bpf_lsm_bprm_check_security)
BTF_ID(func, bpf_lsm_bprm_committed_creds)
BTF_ID(func, bpf_lsm_bprm_committing_creds)
BTF_ID(func, bpf_lsm_bprm_creds_for_exec)
BTF_ID(func, bpf_lsm_bprm_creds_from_file)
BTF_ID(func, bpf_lsm_capget)
BTF_ID(func, bpf_lsm_capset)
BTF_ID(func, bpf_lsm_cred_prepare)
BTF_ID(func, bpf_lsm_file_ioctl)
BTF_ID(func, bpf_lsm_file_lock)
BTF_ID(func, bpf_lsm_file_open)
BTF_ID(func, bpf_lsm_file_post_open)
BTF_ID(func, bpf_lsm_file_receive)

BTF_ID(func, bpf_lsm_inode_create)
BTF_ID(func, bpf_lsm_inode_free_security)
BTF_ID(func, bpf_lsm_inode_getattr)
BTF_ID(func, bpf_lsm_inode_getxattr)
BTF_ID(func, bpf_lsm_inode_mknod)
/* Also listed in bpf_lsm_disabled_hooks, so this entry has no effect:
 * bpf_lsm_verify_prog() rejects attachment before sleepability is consulted.
 */
BTF_ID(func, bpf_lsm_inode_need_killpriv)
BTF_ID(func, bpf_lsm_inode_post_setxattr)
BTF_ID(func, bpf_lsm_inode_readlink)
BTF_ID(func, bpf_lsm_inode_rename)
BTF_ID(func, bpf_lsm_inode_rmdir)
BTF_ID(func, bpf_lsm_inode_setattr)
BTF_ID(func, bpf_lsm_inode_setxattr)
BTF_ID(func, bpf_lsm_inode_symlink)
BTF_ID(func, bpf_lsm_inode_unlink)
BTF_ID(func, bpf_lsm_kernel_module_request)
BTF_ID(func, bpf_lsm_kernel_read_file)
BTF_ID(func, bpf_lsm_kernfs_init_security)

#ifdef CONFIG_SECURITY_PATH
BTF_ID(func, bpf_lsm_path_unlink)
BTF_ID(func, bpf_lsm_path_mkdir)
BTF_ID(func, bpf_lsm_path_rmdir)
BTF_ID(func, bpf_lsm_path_truncate)
BTF_ID(func, bpf_lsm_path_symlink)
BTF_ID(func, bpf_lsm_path_link)
BTF_ID(func, bpf_lsm_path_rename)
BTF_ID(func, bpf_lsm_path_chmod)
BTF_ID(func, bpf_lsm_path_chown)
#endif /* CONFIG_SECURITY_PATH */

BTF_ID(func, bpf_lsm_mmap_file)
BTF_ID(func, bpf_lsm_netlink_send)
BTF_ID(func, bpf_lsm_path_notify)
BTF_ID(func, bpf_lsm_release_secctx)
BTF_ID(func, bpf_lsm_sb_alloc_security)
BTF_ID(func, bpf_lsm_sb_eat_lsm_opts)
BTF_ID(func, bpf_lsm_sb_kern_mount)
BTF_ID(func, bpf_lsm_sb_mount)
BTF_ID(func, bpf_lsm_sb_remount)
BTF_ID(func, bpf_lsm_sb_set_mnt_opts)
BTF_ID(func, bpf_lsm_sb_show_options)
BTF_ID(func, bpf_lsm_sb_statfs)
BTF_ID(func, bpf_lsm_sb_umount)
BTF_ID(func, bpf_lsm_settime)

#ifdef CONFIG_SECURITY_NETWORK
BTF_ID(func, bpf_lsm_inet_conn_established)

BTF_ID(func, bpf_lsm_socket_accept)
BTF_ID(func, bpf_lsm_socket_bind)
BTF_ID(func, bpf_lsm_socket_connect)
BTF_ID(func, bpf_lsm_socket_create)
BTF_ID(func, bpf_lsm_socket_getpeername)
BTF_ID(func, bpf_lsm_socket_getpeersec_dgram)
BTF_ID(func, bpf_lsm_socket_getsockname)
BTF_ID(func, bpf_lsm_socket_getsockopt)
BTF_ID(func, bpf_lsm_socket_listen)
BTF_ID(func, bpf_lsm_socket_post_create)
BTF_ID(func, bpf_lsm_socket_recvmsg)
BTF_ID(func, bpf_lsm_socket_sendmsg)
BTF_ID(func, bpf_lsm_socket_shutdown)
BTF_ID(func, bpf_lsm_socket_socketpair)
#endif /* CONFIG_SECURITY_NETWORK */

BTF_ID(func, bpf_lsm_syslog)
BTF_ID(func, bpf_lsm_task_alloc)
BTF_ID(func, bpf_lsm_task_prctl)
BTF_ID(func, bpf_lsm_task_setscheduler)
BTF_ID(func, bpf_lsm_task_to_inode)
BTF_ID(func, bpf_lsm_userns_create)
BTF_SET_END(sleepable_lsm_hooks)
/* Hooks for which bpf_lsm_is_trusted() answers false. All entries are
 * alloc/free hooks; presumably the object they receive is not yet fully
 * initialised or is being torn down, so the verifier must not treat the
 * hook's pointer arguments as trusted — confirm against the verifier's use
 * of bpf_lsm_is_trusted() before adding or removing entries.
 */
BTF_SET_START(untrusted_lsm_hooks)
BTF_ID(func, bpf_lsm_bpf_map_free)
BTF_ID(func, bpf_lsm_bpf_prog_free)
BTF_ID(func, bpf_lsm_file_alloc_security)
BTF_ID(func, bpf_lsm_file_free_security)
#ifdef CONFIG_SECURITY_NETWORK
BTF_ID(func, bpf_lsm_sk_alloc_security)
BTF_ID(func, bpf_lsm_sk_free_security)
#endif /* CONFIG_SECURITY_NETWORK */
BTF_ID(func, bpf_lsm_task_free)
BTF_SET_END(untrusted_lsm_hooks)
/**
 * bpf_lsm_is_sleepable_hook - may a program attached to this hook sleep?
 * @btf_id: BTF ID of a bpf_lsm_<hook>() attach point
 *
 * Return: true if @btf_id is a member of sleepable_lsm_hooks.
 */
bool bpf_lsm_is_sleepable_hook(u32 btf_id)
{
	const struct btf_id_set *sleepable = &sleepable_lsm_hooks;

	return btf_id_set_contains(sleepable, btf_id);
}
/**
 * bpf_lsm_is_trusted - is the program attached to a hook whose arguments may
 *                      be treated as trusted?
 * @prog: the LSM program; its attach_btf_id identifies the hook
 *
 * Return: false for hooks in untrusted_lsm_hooks, true for every other hook.
 */
bool bpf_lsm_is_trusted(const struct bpf_prog *prog)
{
	const u32 hook_id = prog->aux->attach_btf_id;
	const bool untrusted = btf_id_set_contains(&untrusted_lsm_hooks,
						   hook_id);

	return !untrusted;
}
/* No test_run or other prog ops for LSM programs: the table is intentionally
 * empty (it is referenced by the prog-type registration elsewhere).
 */
const struct bpf_prog_ops lsm_prog_ops = {
};
/* Verifier callbacks for LSM programs: helper availability comes from
 * bpf_lsm_func_proto() above, context access is validated against the hook's
 * BTF signature by the generic btf_ctx_access().
 */
const struct bpf_verifier_ops lsm_verifier_ops = {
	.get_func_proto = bpf_lsm_func_proto,
	.is_valid_access = btf_ctx_access,
};
/* hooks return 0 or 1 */
/* bpf_lsm_get_retval_range() restricts programs on these hooks to returning
 * 0 or 1 instead of the usual 0 / negative-errno range.
 * NOTE(review): the listing this was taken from skips the lines around the
 * audit_rule_known entry; that hook only exists with audit support, so the
 * skipped lines presumably hold its config guard. Verify against the tree.
 */
BTF_SET_START(bool_lsm_hooks)
#ifdef CONFIG_SECURITY_NETWORK_XFRM
BTF_ID(func, bpf_lsm_xfrm_state_pol_flow_match)
#endif /* CONFIG_SECURITY_NETWORK_XFRM */
BTF_ID(func, bpf_lsm_audit_rule_known)
BTF_ID(func, bpf_lsm_inode_xattr_skipcap)
BTF_SET_END(bool_lsm_hooks)
/**
 * bpf_lsm_get_retval_range - return-value range the verifier enforces for an
 *                            LSM program
 * @prog: the program; attach_func_proto/attach_btf_id identify its hook
 * @retval_range: out parameter, filled with the allowed [minval, maxval]
 *
 * Hooks in bool_lsm_hooks may only return 0 or 1; every other hook may return
 * 0 or a negative errno. The verifier uses this range to reject programs that
 * could hand the LSM core a value the hook contract does not allow.
 *
 * Return: 0 with @retval_range filled in, -ENOENT for a hook whose return
 * type is void (there is no range to enforce).
 * NOTE(review): the void-hook return statement is not visible in the listing
 * this was reconstructed from; -ENOENT is assumed — confirm against the tree.
 */
int bpf_lsm_get_retval_range(const struct bpf_prog *prog,
			     struct bpf_retval_range *retval_range)
{
	const struct btf_type *proto = prog->aux->attach_func_proto;
	bool is_bool_hook;

	/* no return value range for void hooks */
	if (!proto->type)
		return -ENOENT;

	is_bool_hook = btf_id_set_contains(&bool_lsm_hooks,
					   prog->aux->attach_btf_id);

	/* All other available LSM hooks, except task_prctl, return 0
	 * on success and negative error code on failure.
	 * To keep things simple, we only allow bpf progs to return 0
	 * or negative errno for task_prctl too.
	 */
	retval_range->minval = is_bool_hook ? 0 : -MAX_ERRNO;
	retval_range->maxval = is_bool_hook ? 1 : 0;

	return 0;
}