[mirror_ubuntu-hirsute-kernel.git] / kernel / bpf / bpf_lsm.c

// SPDX-License-Identifier: GPL-2.0

/*
 * Copyright (C) 2020 Google LLC.
 */

#include <linux/filter.h>
#include <linux/bpf.h>
#include <linux/btf.h>
#include <linux/lsm_hooks.h>
#include <linux/bpf_lsm.h>
#include <linux/kallsyms.h>
#include <linux/bpf_verifier.h>
#include <net/bpf_sk_storage.h>
#include <linux/bpf_local_storage.h>

/* For every LSM hook that allows attachment of BPF programs, declare a nop
 * function where a BPF program can be attached.
 */
#define LSM_HOOK(RET, DEFAULT, NAME, ...)	\
noinline RET bpf_lsm_##NAME(__VA_ARGS__)	\
{						\
	return DEFAULT;				\
}

#include <linux/lsm_hook_defs.h>
#undef LSM_HOOK

#define BPF_LSM_SYM_PREFX  "bpf_lsm_"

int bpf_lsm_verify_prog(struct bpf_verifier_log *vlog,
			const struct bpf_prog *prog)
{
	if (!prog->gpl_compatible) {
		bpf_log(vlog,
			"LSM programs must have a GPL compatible license\n");
		return -EINVAL;
	}

	if (strncmp(BPF_LSM_SYM_PREFX, prog->aux->attach_func_name,
		    sizeof(BPF_LSM_SYM_PREFX) - 1)) {
		bpf_log(vlog, "attach_btf_id %u points to wrong type name %s\n",
			prog->aux->attach_btf_id, prog->aux->attach_func_name);
		return -EINVAL;
	}

	return 0;
}

static const struct bpf_func_proto *
bpf_lsm_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
{
	switch (func_id) {
	case BPF_FUNC_inode_storage_get:
		return &bpf_inode_storage_get_proto;
	case BPF_FUNC_inode_storage_delete:
		return &bpf_inode_storage_delete_proto;
	case BPF_FUNC_sk_storage_get:
		return &sk_storage_get_btf_proto;
	case BPF_FUNC_sk_storage_delete:
		return &sk_storage_delete_btf_proto;
	default:
		return tracing_prog_func_proto(func_id, prog);
	}
}

const struct bpf_prog_ops lsm_prog_ops = {
};

const struct bpf_verifier_ops lsm_verifier_ops = {
	.get_func_proto = bpf_lsm_func_proto,
	.is_valid_access = btf_ctx_access,
};
Commit	Line	Data
fc611f47 KS	1	// SPDX-License-Identifier: GPL-2.0
	2
	3	/*
	4	* Copyright (C) 2020 Google LLC.
	5	*/
	6
	7	#include <linux/filter.h>
	8	#include <linux/bpf.h>
	9	#include <linux/btf.h>
9d3fdea7 KS	10	#include <linux/lsm_hooks.h>
9d3fdea7 KS	11	#include <linux/bpf_lsm.h>
9e4e01df KS	12	#include <linux/kallsyms.h>
9e4e01df KS	13	#include <linux/bpf_verifier.h>
30897832 KS	14	#include <net/bpf_sk_storage.h>
30897832 KS	15	#include <linux/bpf_local_storage.h>
9d3fdea7 KS	16
	17	/* For every LSM hook that allows attachment of BPF programs, declare a nop
	18	* function where a BPF program can be attached.
	19	*/
	20	#define LSM_HOOK(RET, DEFAULT, NAME, ...) \
	21	noinline RET bpf_lsm_##NAME(__VA_ARGS__) \
	22	{ \
	23	return DEFAULT; \
	24	}
	25
	26	#include <linux/lsm_hook_defs.h>
	27	#undef LSM_HOOK
fc611f47	28
9e4e01df KS	29	#define BPF_LSM_SYM_PREFX "bpf_lsm_"
	30
	31	int bpf_lsm_verify_prog(struct bpf_verifier_log *vlog,
	32	const struct bpf_prog *prog)
	33	{
	34	if (!prog->gpl_compatible) {
	35	bpf_log(vlog,
	36	"LSM programs must have a GPL compatible license\n");
	37	return -EINVAL;
	38	}
	39
	40	if (strncmp(BPF_LSM_SYM_PREFX, prog->aux->attach_func_name,
	41	sizeof(BPF_LSM_SYM_PREFX) - 1)) {
	42	bpf_log(vlog, "attach_btf_id %u points to wrong type name %s\n",
	43	prog->aux->attach_btf_id, prog->aux->attach_func_name);
	44	return -EINVAL;
	45	}
	46
	47	return 0;
	48	}
	49
30897832 KS	50	static const struct bpf_func_proto *
	51	bpf_lsm_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
	52	{
	53	switch (func_id) {
	54	case BPF_FUNC_inode_storage_get:
	55	return &bpf_inode_storage_get_proto;
	56	case BPF_FUNC_inode_storage_delete:
	57	return &bpf_inode_storage_delete_proto;
	58	case BPF_FUNC_sk_storage_get:
	59	return &sk_storage_get_btf_proto;
	60	case BPF_FUNC_sk_storage_delete:
	61	return &sk_storage_delete_btf_proto;
	62	default:
	63	return tracing_prog_func_proto(func_id, prog);
	64	}
	65	}
	66
fc611f47 KS	67	const struct bpf_prog_ops lsm_prog_ops = {
	68	};
	69
	70	const struct bpf_verifier_ops lsm_verifier_ops = {
30897832	71	.get_func_proto = bpf_lsm_func_proto,
fc611f47 KS	72	.is_valid_access = btf_ctx_access,
fc611f47 KS	73	};