kernel/bpf/bpf_lsm.c

   1 // SPDX-License-Identifier: GPL-2.0
   2
   3 /*
   4  * Copyright (C) 2020 Google LLC.
   5  */
   6
   7 #include <linux/filter.h>
   8 #include <linux/bpf.h>
   9 #include <linux/btf.h>
  10 #include <linux/lsm_hooks.h>
  11 #include <linux/bpf_lsm.h>
  12 #include <linux/kallsyms.h>
  13 #include <linux/bpf_verifier.h>
  14
  15 /* For every LSM hook that allows attachment of BPF programs, declare a nop
  16  * function where a BPF program can be attached.
  17  */
  18 #define LSM_HOOK(RET, DEFAULT, NAME, ...)       \
  19 noinline RET bpf_lsm_##NAME(__VA_ARGS__)        \
  20 {                                               \
  21         return DEFAULT;                         \
  22 }
  23
  24 #include <linux/lsm_hook_defs.h>
  25 #undef LSM_HOOK
  26
  27 #define BPF_LSM_SYM_PREFX  "bpf_lsm_"
  28
  29 int bpf_lsm_verify_prog(struct bpf_verifier_log *vlog,
  30                         const struct bpf_prog *prog)
  31 {
  32         if (!prog->gpl_compatible) {
  33                 bpf_log(vlog,
  34                         "LSM programs must have a GPL compatible license\n");
  35                 return -EINVAL;
  36         }
  37
  38         if (strncmp(BPF_LSM_SYM_PREFX, prog->aux->attach_func_name,
  39                     sizeof(BPF_LSM_SYM_PREFX) - 1)) {
  40                 bpf_log(vlog, "attach_btf_id %u points to wrong type name %s\n",
  41                         prog->aux->attach_btf_id, prog->aux->attach_func_name);
  42                 return -EINVAL;
  43         }
  44
  45         return 0;
  46 }
  47
  48 const struct bpf_prog_ops lsm_prog_ops = {
  49 };
  50
  51 const struct bpf_verifier_ops lsm_verifier_ops = {
  52         .get_func_proto = bpf_tracing_func_proto,
  53         .is_valid_access = btf_ctx_access,
  54 };