Commit 6e083ab0 authored by Alexei Starovoitov's avatar Alexei Starovoitov

Merge branch 'bpf-introduce-new-vfs-based-bpf-kfuncs'

Matt Bobrowski says:

====================
bpf: introduce new VFS based BPF kfuncs

G'day!

A respin based off v3, which can be found here [0]. Original
motivations for introducing this suite of BPF kfuncs can be found here
[1].

The primary difference in this version of the patch series is that the
suite of VFS related BPF kfuncs added can be used from both sleepable
and non-sleepable BPF LSM program types. IOW, the KF_SLEEPABLE
annotation has been removed from all of them.

Changes sinve v3:

* KF_SLEEPABLE annotation has been dropped from all newly introduced
  VFS related BPF kfuncs. This includes bpf_get_task_exe_file(),
  bpf_put_file(), and bpf_path_d_path(). Both negative and positive
  selftests backing these new BPF kfuncs have also been updated
  accordingly.

* buf__sz conditional in bpf_path_d_path() has been updated from
  buf__sz <= 0, to !buf__sz.

* Syntax issues as reported so here [2] have been corrected.

[0] https://lore.kernel.org/bpf/20240726085604.2369469-1-mattbobrowski@google.com/
[1] https://lore.kernel.org/bpf/cover.1708377880.git.mattbobrowski@google.com/#t
[2] https://netdev.bots.linux.dev/static/nipa/874023/13742510/checkpatch/stdout
====================

Link: https://lore.kernel.org/r/20240731110833.1834742-1-mattbobrowski@google.comSigned-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
parents 3d650ab5 2b399b9b
...@@ -129,3 +129,4 @@ obj-$(CONFIG_EFIVAR_FS) += efivarfs/ ...@@ -129,3 +129,4 @@ obj-$(CONFIG_EFIVAR_FS) += efivarfs/
obj-$(CONFIG_EROFS_FS) += erofs/ obj-$(CONFIG_EROFS_FS) += erofs/
obj-$(CONFIG_VBOXSF_FS) += vboxsf/ obj-$(CONFIG_VBOXSF_FS) += vboxsf/
obj-$(CONFIG_ZONEFS_FS) += zonefs/ obj-$(CONFIG_ZONEFS_FS) += zonefs/
obj-$(CONFIG_BPF_LSM) += bpf_fs_kfuncs.o
// SPDX-License-Identifier: GPL-2.0
/* Copyright (c) 2024 Google LLC. */
#include <linux/bpf.h>
#include <linux/btf.h>
#include <linux/btf_ids.h>
#include <linux/dcache.h>
#include <linux/fs.h>
#include <linux/file.h>
#include <linux/mm.h>
__bpf_kfunc_start_defs();
/**
* bpf_get_task_exe_file - get a reference on the exe_file struct file member of
* the mm_struct that is nested within the supplied
* task_struct
* @task: task_struct of which the nested mm_struct exe_file member to get a
* reference on
*
* Get a reference on the exe_file struct file member field of the mm_struct
* nested within the supplied *task*. The referenced file pointer acquired by
* this BPF kfunc must be released using bpf_put_file(). Failing to call
* bpf_put_file() on the returned referenced struct file pointer that has been
* acquired by this BPF kfunc will result in the BPF program being rejected by
* the BPF verifier.
*
* This BPF kfunc may only be called from BPF LSM programs.
*
* Internally, this BPF kfunc leans on get_task_exe_file(), such that calling
* bpf_get_task_exe_file() would be analogous to calling get_task_exe_file()
* directly in kernel context.
*
* Return: A referenced struct file pointer to the exe_file member of the
* mm_struct that is nested within the supplied *task*. On error, NULL is
* returned.
*/
__bpf_kfunc struct file *bpf_get_task_exe_file(struct task_struct *task)
{
return get_task_exe_file(task);
}
/**
* bpf_put_file - put a reference on the supplied file
* @file: file to put a reference on
*
* Put a reference on the supplied *file*. Only referenced file pointers may be
* passed to this BPF kfunc. Attempting to pass an unreferenced file pointer, or
* any other arbitrary pointer for that matter, will result in the BPF program
* being rejected by the BPF verifier.
*
* This BPF kfunc may only be called from BPF LSM programs.
*/
__bpf_kfunc void bpf_put_file(struct file *file)
{
fput(file);
}
/**
* bpf_path_d_path - resolve the pathname for the supplied path
* @path: path to resolve the pathname for
* @buf: buffer to return the resolved pathname in
* @buf__sz: length of the supplied buffer
*
* Resolve the pathname for the supplied *path* and store it in *buf*. This BPF
* kfunc is the safer variant of the legacy bpf_d_path() helper and should be
* used in place of bpf_d_path() whenever possible. It enforces KF_TRUSTED_ARGS
* semantics, meaning that the supplied *path* must itself hold a valid
* reference, or else the BPF program will be outright rejected by the BPF
* verifier.
*
* This BPF kfunc may only be called from BPF LSM programs.
*
* Return: A positive integer corresponding to the length of the resolved
* pathname in *buf*, including the NUL termination character. On error, a
* negative integer is returned.
*/
__bpf_kfunc int bpf_path_d_path(struct path *path, char *buf, size_t buf__sz)
{
int len;
char *ret;
if (!buf__sz)
return -EINVAL;
ret = d_path(path, buf, buf__sz);
if (IS_ERR(ret))
return PTR_ERR(ret);
len = buf + buf__sz - ret;
memmove(buf, ret, len);
return len;
}
__bpf_kfunc_end_defs();
BTF_KFUNCS_START(bpf_fs_kfunc_set_ids)
BTF_ID_FLAGS(func, bpf_get_task_exe_file,
KF_ACQUIRE | KF_TRUSTED_ARGS | KF_RET_NULL)
BTF_ID_FLAGS(func, bpf_put_file, KF_RELEASE)
BTF_ID_FLAGS(func, bpf_path_d_path, KF_TRUSTED_ARGS)
BTF_KFUNCS_END(bpf_fs_kfunc_set_ids)
static int bpf_fs_kfuncs_filter(const struct bpf_prog *prog, u32 kfunc_id)
{
if (!btf_id_set8_contains(&bpf_fs_kfunc_set_ids, kfunc_id) ||
prog->type == BPF_PROG_TYPE_LSM)
return 0;
return -EACCES;
}
static const struct btf_kfunc_id_set bpf_fs_kfunc_set = {
.owner = THIS_MODULE,
.set = &bpf_fs_kfunc_set_ids,
.filter = bpf_fs_kfuncs_filter,
};
static int __init bpf_fs_kfuncs_init(void)
{
return register_btf_kfunc_id_set(BPF_PROG_TYPE_LSM, &bpf_fs_kfunc_set);
}
late_initcall(bpf_fs_kfuncs_init);
...@@ -195,6 +195,32 @@ extern void bpf_iter_task_vma_destroy(struct bpf_iter_task_vma *it) __ksym; ...@@ -195,6 +195,32 @@ extern void bpf_iter_task_vma_destroy(struct bpf_iter_task_vma *it) __ksym;
*/ */
extern void bpf_throw(u64 cookie) __ksym; extern void bpf_throw(u64 cookie) __ksym;
/* Description
* Acquire a reference on the exe_file member field belonging to the
* mm_struct that is nested within the supplied task_struct. The supplied
* task_struct must be trusted/referenced.
* Returns
* A referenced file pointer pointing to the exe_file member field of the
* mm_struct nested in the supplied task_struct, or NULL.
*/
extern struct file *bpf_get_task_exe_file(struct task_struct *task) __ksym;
/* Description
* Release a reference on the supplied file. The supplied file must be
* acquired.
*/
extern void bpf_put_file(struct file *file) __ksym;
/* Description
* Resolve a pathname for the supplied path and store it in the supplied
* buffer. The supplied path must be trusted/referenced.
* Returns
* A positive integer corresponding to the length of the resolved pathname,
* including the NULL termination character, stored in the supplied
* buffer. On error, a negative integer is returned.
*/
extern int bpf_path_d_path(struct path *path, char *buf, size_t buf__sz) __ksym;
/* This macro must be used to mark the exception callback corresponding to the /* This macro must be used to mark the exception callback corresponding to the
* main program. For example: * main program. For example:
* *
......
...@@ -85,6 +85,8 @@ ...@@ -85,6 +85,8 @@
#include "verifier_value_or_null.skel.h" #include "verifier_value_or_null.skel.h"
#include "verifier_value_ptr_arith.skel.h" #include "verifier_value_ptr_arith.skel.h"
#include "verifier_var_off.skel.h" #include "verifier_var_off.skel.h"
#include "verifier_vfs_accept.skel.h"
#include "verifier_vfs_reject.skel.h"
#include "verifier_xadd.skel.h" #include "verifier_xadd.skel.h"
#include "verifier_xdp.skel.h" #include "verifier_xdp.skel.h"
#include "verifier_xdp_direct_packet_access.skel.h" #include "verifier_xdp_direct_packet_access.skel.h"
...@@ -205,6 +207,8 @@ void test_verifier_value(void) { RUN(verifier_value); } ...@@ -205,6 +207,8 @@ void test_verifier_value(void) { RUN(verifier_value); }
void test_verifier_value_illegal_alu(void) { RUN(verifier_value_illegal_alu); } void test_verifier_value_illegal_alu(void) { RUN(verifier_value_illegal_alu); }
void test_verifier_value_or_null(void) { RUN(verifier_value_or_null); } void test_verifier_value_or_null(void) { RUN(verifier_value_or_null); }
void test_verifier_var_off(void) { RUN(verifier_var_off); } void test_verifier_var_off(void) { RUN(verifier_var_off); }
void test_verifier_vfs_accept(void) { RUN(verifier_vfs_accept); }
void test_verifier_vfs_reject(void) { RUN(verifier_vfs_reject); }
void test_verifier_xadd(void) { RUN(verifier_xadd); } void test_verifier_xadd(void) { RUN(verifier_xadd); }
void test_verifier_xdp(void) { RUN(verifier_xdp); } void test_verifier_xdp(void) { RUN(verifier_xdp); }
void test_verifier_xdp_direct_packet_access(void) { RUN(verifier_xdp_direct_packet_access); } void test_verifier_xdp_direct_packet_access(void) { RUN(verifier_xdp_direct_packet_access); }
......
// SPDX-License-Identifier: GPL-2.0
/* Copyright (c) 2024 Google LLC. */
#include <vmlinux.h>
#include <bpf/bpf_helpers.h>
#include <bpf/bpf_tracing.h>
#include "bpf_misc.h"
#include "bpf_experimental.h"
static char buf[64];
SEC("lsm.s/file_open")
__success
int BPF_PROG(get_task_exe_file_and_put_kfunc_from_current_sleepable)
{
struct file *acquired;
acquired = bpf_get_task_exe_file(bpf_get_current_task_btf());
if (!acquired)
return 0;
bpf_put_file(acquired);
return 0;
}
SEC("lsm/file_open")
__success
int BPF_PROG(get_task_exe_file_and_put_kfunc_from_current_non_sleepable, struct file *file)
{
struct file *acquired;
acquired = bpf_get_task_exe_file(bpf_get_current_task_btf());
if (!acquired)
return 0;
bpf_put_file(acquired);
return 0;
}
SEC("lsm.s/task_alloc")
__success
int BPF_PROG(get_task_exe_file_and_put_kfunc_from_argument,
struct task_struct *task)
{
struct file *acquired;
acquired = bpf_get_task_exe_file(task);
if (!acquired)
return 0;
bpf_put_file(acquired);
return 0;
}
SEC("lsm.s/inode_getattr")
__success
int BPF_PROG(path_d_path_from_path_argument, struct path *path)
{
int ret;
ret = bpf_path_d_path(path, buf, sizeof(buf));
__sink(ret);
return 0;
}
SEC("lsm.s/file_open")
__success
int BPF_PROG(path_d_path_from_file_argument, struct file *file)
{
int ret;
struct path *path;
/* The f_path member is a path which is embedded directly within a
* file. Therefore, a pointer to such embedded members are still
* recognized by the BPF verifier as being PTR_TRUSTED as it's
* essentially PTR_TRUSTED w/ a non-zero fixed offset.
*/
path = &file->f_path;
ret = bpf_path_d_path(path, buf, sizeof(buf));
__sink(ret);
return 0;
}
char _license[] SEC("license") = "GPL";
// SPDX-License-Identifier: GPL-2.0
/* Copyright (c) 2024 Google LLC. */
#include <vmlinux.h>
#include <bpf/bpf_helpers.h>
#include <bpf/bpf_tracing.h>
#include <linux/limits.h>
#include "bpf_misc.h"
#include "bpf_experimental.h"
static char buf[PATH_MAX];
SEC("lsm.s/file_open")
__failure __msg("Possibly NULL pointer passed to trusted arg0")
int BPF_PROG(get_task_exe_file_kfunc_null)
{
struct file *acquired;
/* Can't pass a NULL pointer to bpf_get_task_exe_file(). */
acquired = bpf_get_task_exe_file(NULL);
if (!acquired)
return 0;
bpf_put_file(acquired);
return 0;
}
SEC("lsm.s/inode_getxattr")
__failure __msg("arg#0 pointer type STRUCT task_struct must point to scalar, or struct with scalar")
int BPF_PROG(get_task_exe_file_kfunc_fp)
{
u64 x;
struct file *acquired;
struct task_struct *task;
task = (struct task_struct *)&x;
/* Can't pass random frame pointer to bpf_get_task_exe_file(). */
acquired = bpf_get_task_exe_file(task);
if (!acquired)
return 0;
bpf_put_file(acquired);
return 0;
}
SEC("lsm.s/file_open")
__failure __msg("R1 must be referenced or trusted")
int BPF_PROG(get_task_exe_file_kfunc_untrusted)
{
struct file *acquired;
struct task_struct *parent;
/* Walking a trusted struct task_struct returned from
* bpf_get_current_task_btf() yields an untrusted pointer.
*/
parent = bpf_get_current_task_btf()->parent;
/* Can't pass untrusted pointer to bpf_get_task_exe_file(). */
acquired = bpf_get_task_exe_file(parent);
if (!acquired)
return 0;
bpf_put_file(acquired);
return 0;
}
SEC("lsm.s/file_open")
__failure __msg("Unreleased reference")
int BPF_PROG(get_task_exe_file_kfunc_unreleased)
{
struct file *acquired;
acquired = bpf_get_task_exe_file(bpf_get_current_task_btf());
if (!acquired)
return 0;
/* Acquired but never released. */
return 0;
}
SEC("lsm.s/file_open")
__failure __msg("release kernel function bpf_put_file expects")
int BPF_PROG(put_file_kfunc_unacquired, struct file *file)
{
/* Can't release an unacquired pointer. */
bpf_put_file(file);
return 0;
}
SEC("lsm.s/file_open")
__failure __msg("Possibly NULL pointer passed to trusted arg0")
int BPF_PROG(path_d_path_kfunc_null)
{
/* Can't pass NULL value to bpf_path_d_path() kfunc. */
bpf_path_d_path(NULL, buf, sizeof(buf));
return 0;
}
SEC("lsm.s/task_alloc")
__failure __msg("R1 must be referenced or trusted")
int BPF_PROG(path_d_path_kfunc_untrusted_from_argument, struct task_struct *task)
{
struct path *root;
/* Walking a trusted argument typically yields an untrusted
* pointer. This is one example of that.
*/
root = &task->fs->root;
bpf_path_d_path(root, buf, sizeof(buf));
return 0;
}
SEC("lsm.s/file_open")
__failure __msg("R1 must be referenced or trusted")
int BPF_PROG(path_d_path_kfunc_untrusted_from_current)
{
struct path *pwd;
struct task_struct *current;
current = bpf_get_current_task_btf();
/* Walking a trusted pointer returned from bpf_get_current_task_btf()
* yields an untrusted pointer.
*/
pwd = &current->fs->pwd;
bpf_path_d_path(pwd, buf, sizeof(buf));
return 0;
}
SEC("lsm.s/file_open")
__failure __msg("kernel function bpf_path_d_path args#0 expected pointer to STRUCT path but R1 has a pointer to STRUCT file")
int BPF_PROG(path_d_path_kfunc_type_mismatch, struct file *file)
{
bpf_path_d_path((struct path *)&file->f_task_work, buf, sizeof(buf));
return 0;
}
SEC("lsm.s/file_open")
__failure __msg("invalid access to map value, value_size=4096 off=0 size=8192")
int BPF_PROG(path_d_path_kfunc_invalid_buf_sz, struct file *file)
{
/* bpf_path_d_path() enforces a constraint on the buffer size supplied
* by the BPF LSM program via the __sz annotation. buf here is set to
* PATH_MAX, so let's ensure that the BPF verifier rejects BPF_PROG_LOAD
* attempts if the supplied size and the actual size of the buffer
* mismatches.
*/
bpf_path_d_path(&file->f_path, buf, PATH_MAX * 2);
return 0;
}
SEC("fentry/vfs_open")
__failure __msg("calling kernel function bpf_path_d_path is not allowed")
int BPF_PROG(path_d_path_kfunc_non_lsm, struct path *path, struct file *f)
{
/* Calling bpf_path_d_path() from a non-LSM BPF program isn't permitted.
*/
bpf_path_d_path(path, buf, sizeof(buf));
return 0;
}
char _license[] SEC("license") = "GPL";
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment