kernel/bpf/bpf_lsm.c

   1 // SPDX-License-Identifier: GPL-2.0
   2
   3 /*
   4  * Copyright (C) 2020 Google LLC.
   5  */
   6
   7 #include <linux/filter.h>
   8 #include <linux/bpf.h>
   9 #include <linux/btf.h>
  10 #include <linux/lsm_hooks.h>
  11 #include <linux/bpf_lsm.h>
  12 #include <linux/kallsyms.h>
  13 #include <linux/bpf_verifier.h>
  14 #include <net/bpf_sk_storage.h>
  15 #include <linux/bpf_local_storage.h>
  16
  17 /* For every LSM hook that allows attachment of BPF programs, declare a nop
  18  * function where a BPF program can be attached.
  19  */
  20 #define LSM_HOOK(RET, DEFAULT, NAME, ...)       \
  21 noinline RET bpf_lsm_##NAME(__VA_ARGS__)        \
  22 {                                               \
  23         return DEFAULT;                         \
  24 }
  25
  26 #include <linux/lsm_hook_defs.h>
  27 #undef LSM_HOOK
  28
  29 #define BPF_LSM_SYM_PREFX  "bpf_lsm_"
  30
  31 int bpf_lsm_verify_prog(struct bpf_verifier_log *vlog,
  32                         const struct bpf_prog *prog)
  33 {
  34         if (!prog->gpl_compatible) {
  35                 bpf_log(vlog,
  36                         "LSM programs must have a GPL compatible license\n");
  37                 return -EINVAL;
  38         }
  39
  40         if (strncmp(BPF_LSM_SYM_PREFX, prog->aux->attach_func_name,
  41                     sizeof(BPF_LSM_SYM_PREFX) - 1)) {
  42                 bpf_log(vlog, "attach_btf_id %u points to wrong type name %s\n",
  43                         prog->aux->attach_btf_id, prog->aux->attach_func_name);
  44                 return -EINVAL;
  45         }
  46
  47         return 0;
  48 }
  49
  50 static const struct bpf_func_proto *
  51 bpf_lsm_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
  52 {
  53         switch (func_id) {
  54         case BPF_FUNC_inode_storage_get:
  55                 return &bpf_inode_storage_get_proto;
  56         case BPF_FUNC_inode_storage_delete:
  57                 return &bpf_inode_storage_delete_proto;
  58         case BPF_FUNC_sk_storage_get:
  59                 return &bpf_sk_storage_get_proto;
  60         case BPF_FUNC_sk_storage_delete:
  61                 return &bpf_sk_storage_delete_proto;
  62         default:
  63                 return tracing_prog_func_proto(func_id, prog);
  64         }
  65 }
  66
  67 const struct bpf_prog_ops lsm_prog_ops = {
  68 };
  69
  70 const struct bpf_verifier_ops lsm_verifier_ops = {
  71         .get_func_proto = bpf_lsm_func_proto,
  72         .is_valid_access = btf_ctx_access,
  73 };