1 // SPDX-License-Identifier: GPL-2.0
4 * Copyright (C) 2020 Google LLC.
7 #include <linux/filter.h>
10 #include <linux/lsm_hooks.h>
11 #include <linux/bpf_lsm.h>
12 #include <linux/kallsyms.h>
13 #include <linux/bpf_verifier.h>
14 #include <net/bpf_sk_storage.h>
15 #include <linux/bpf_local_storage.h>
16 #include <linux/btf_ids.h>
18 /* For every LSM hook that allows attachment of BPF programs, declare a nop
19 * function where a BPF program can be attached.
21 #define LSM_HOOK(RET, DEFAULT, NAME, ...) \
22 noinline RET bpf_lsm_##NAME(__VA_ARGS__) \
27 #include <linux/lsm_hook_defs.h>
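/*
 * Build the BTF ID set of every bpf_lsm_* hook stub declared above. This set
 * is the allow-list that bpf_lsm_verify_prog() checks a program's
 * attach_btf_id against, so it is what restricts LSM BPF programs to the
 * declared hook stubs.
 *
 * LSM_HOOK is being given a second, different expansion here, so the earlier
 * (stub-declaring) definition must be undefined first; it is undefined again
 * after use so the BTF_ID expansion does not leak into the rest of the file.
 */
#undef LSM_HOOK
#define LSM_HOOK(RET, DEFAULT, NAME, ...) BTF_ID(func, bpf_lsm_##NAME)
BTF_SET_START(bpf_lsm_hooks)
#include <linux/lsm_hook_defs.h>
#undef LSM_HOOK
BTF_SET_END(bpf_lsm_hooks)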
/*
 * Verifier-time admission check for an LSM BPF program.
 *
 * @vlog: verifier log that receives the reason for a rejection
 * @prog: the program being loaded; prog->gpl_compatible and
 *        prog->aux->attach_btf_id / attach_func_name are inspected
 *
 * A program is refused when it does not carry a GPL-compatible license, or
 * when the attach_btf_id it was loaded with is not a member of
 * bpf_lsm_hooks. The second check is the one that matters for containment:
 * only the declared bpf_lsm_* hook stubs are valid attach targets, whatever
 * function name the loader asked for.
 *
 * NOTE(review): the function body is truncated in this listing -- the opening
 * brace, the bpf_log() call of the first branch and the return statements
 * are missing, so the exact error value returned on rejection is not visible
 * here.
 */
int bpf_lsm_verify_prog(struct bpf_verifier_log *vlog,
			const struct bpf_prog *prog)
	/* LSM programs must be GPL-compatible; anything else is rejected. */
	if (!prog->gpl_compatible) {
			"LSM programs must have a GPL compatible license\n");
	/*
	 * attach_btf_id must resolve to one of the bpf_lsm_* stubs; the log
	 * line reports the name the loader supplied to aid debugging.
	 */
	if (!btf_id_set_contains(&bpf_lsm_hooks, prog->aux->attach_btf_id)) {
		bpf_log(vlog, "attach_btf_id %u points to wrong type name %s\n",
			prog->aux->attach_btf_id, prog->aux->attach_func_name);
/*
 * Resolve the helper prototype an LSM program may use for @func_id.
 *
 * @func_id: BPF helper ID requested by the program
 * @prog:    the program being verified (passed through to the tracing
 *           fallback)
 *
 * LSM programs get the inode, socket and task local-storage helpers and the
 * BPF spin lock helpers listed here; every other helper ID is delegated to
 * tracing_prog_func_proto(), which decides whether it is allowed.
 *
 * NOTE(review): a helper added here becomes callable from every hook this
 * file allows attachment to, so check that it is safe in each hook's calling
 * context before extending the list. The opening brace, the switch on
 * func_id and the default label are truncated in this listing; the case
 * labels below belong to that switch.
 */
static const struct bpf_func_proto *
bpf_lsm_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
	/* Per-inode local storage. */
	case BPF_FUNC_inode_storage_get:
		return &bpf_inode_storage_get_proto;
	case BPF_FUNC_inode_storage_delete:
		return &bpf_inode_storage_delete_proto;
	/* Per-socket local storage. */
	case BPF_FUNC_sk_storage_get:
		return &bpf_sk_storage_get_proto;
	case BPF_FUNC_sk_storage_delete:
		return &bpf_sk_storage_delete_proto;
	/* BPF spin locks (e.g. for protecting fields in local storage). */
	case BPF_FUNC_spin_lock:
		return &bpf_spin_lock_proto;
	case BPF_FUNC_spin_unlock:
		return &bpf_spin_unlock_proto;
	/* Per-task local storage. */
	case BPF_FUNC_task_storage_get:
		return &bpf_task_storage_get_proto;
	case BPF_FUNC_task_storage_delete:
		return &bpf_task_storage_delete_proto;
	/* Everything else: same decision as for tracing programs. */
	return tracing_prog_func_proto(func_id, prog);
/* The set of hooks that are called with page faults enabled, i.e. from a
 * context that may sleep, and can therefore host sleepable BPF programs.
 */
BTF_SET_START(sleepable_lsm_hooks)
	/*
	 * NOTE(review): membership in this set is all that
	 * bpf_lsm_is_sleepable_hook() consults, so a hook must only be added
	 * once it is confirmed to be invoked from a context that may sleep
	 * (no spinlock, RCU read side or disabled preemption at the call
	 * site); a wrong entry would allow a sleepable program to sleep in
	 * atomic context. Entries are kept in alphabetical order.
	 */
	/* bpf(2) syscall, map and program lifecycle hooks. */
BTF_ID(func, bpf_lsm_bpf)
BTF_ID(func, bpf_lsm_bpf_map)
BTF_ID(func, bpf_lsm_bpf_map_alloc_security)
BTF_ID(func, bpf_lsm_bpf_map_free_security)
BTF_ID(func, bpf_lsm_bpf_prog)
	/* exec (binprm) hooks. */
BTF_ID(func, bpf_lsm_bprm_check_security)
BTF_ID(func, bpf_lsm_bprm_committed_creds)
BTF_ID(func, bpf_lsm_bprm_committing_creds)
BTF_ID(func, bpf_lsm_bprm_creds_for_exec)
BTF_ID(func, bpf_lsm_bprm_creds_from_file)
	/* Capability and credential hooks. */
BTF_ID(func, bpf_lsm_capget)
BTF_ID(func, bpf_lsm_capset)
BTF_ID(func, bpf_lsm_cred_prepare)
	/* File hooks. */
BTF_ID(func, bpf_lsm_file_ioctl)
BTF_ID(func, bpf_lsm_file_lock)
BTF_ID(func, bpf_lsm_file_open)
BTF_ID(func, bpf_lsm_file_receive)
	/* Inet connection hook. */
BTF_ID(func, bpf_lsm_inet_conn_established)
	/* Inode hooks. */
BTF_ID(func, bpf_lsm_inode_create)
BTF_ID(func, bpf_lsm_inode_free_security)
BTF_ID(func, bpf_lsm_inode_getattr)
BTF_ID(func, bpf_lsm_inode_getxattr)
BTF_ID(func, bpf_lsm_inode_mknod)
BTF_ID(func, bpf_lsm_inode_need_killpriv)
BTF_ID(func, bpf_lsm_inode_post_setxattr)
BTF_ID(func, bpf_lsm_inode_readlink)
BTF_ID(func, bpf_lsm_inode_rename)
BTF_ID(func, bpf_lsm_inode_rmdir)
BTF_ID(func, bpf_lsm_inode_setattr)
BTF_ID(func, bpf_lsm_inode_setxattr)
BTF_ID(func, bpf_lsm_inode_symlink)
BTF_ID(func, bpf_lsm_inode_unlink)
	/* Module request, kernfs, keys, mmap, netlink, path notification,
	 * secctx release. */
BTF_ID(func, bpf_lsm_kernel_module_request)
BTF_ID(func, bpf_lsm_kernfs_init_security)
BTF_ID(func, bpf_lsm_key_free)
BTF_ID(func, bpf_lsm_mmap_file)
BTF_ID(func, bpf_lsm_netlink_send)
BTF_ID(func, bpf_lsm_path_notify)
BTF_ID(func, bpf_lsm_release_secctx)
	/* Superblock / mount hooks. */
BTF_ID(func, bpf_lsm_sb_alloc_security)
BTF_ID(func, bpf_lsm_sb_eat_lsm_opts)
BTF_ID(func, bpf_lsm_sb_kern_mount)
BTF_ID(func, bpf_lsm_sb_mount)
BTF_ID(func, bpf_lsm_sb_remount)
BTF_ID(func, bpf_lsm_sb_set_mnt_opts)
BTF_ID(func, bpf_lsm_sb_show_options)
BTF_ID(func, bpf_lsm_sb_statfs)
BTF_ID(func, bpf_lsm_sb_umount)
	/* System time hook. */
BTF_ID(func, bpf_lsm_settime)
	/* Socket hooks. */
BTF_ID(func, bpf_lsm_socket_accept)
BTF_ID(func, bpf_lsm_socket_bind)
BTF_ID(func, bpf_lsm_socket_connect)
BTF_ID(func, bpf_lsm_socket_create)
BTF_ID(func, bpf_lsm_socket_getpeername)
BTF_ID(func, bpf_lsm_socket_getpeersec_dgram)
BTF_ID(func, bpf_lsm_socket_getsockname)
BTF_ID(func, bpf_lsm_socket_getsockopt)
BTF_ID(func, bpf_lsm_socket_listen)
BTF_ID(func, bpf_lsm_socket_post_create)
BTF_ID(func, bpf_lsm_socket_recvmsg)
BTF_ID(func, bpf_lsm_socket_sendmsg)
BTF_ID(func, bpf_lsm_socket_shutdown)
BTF_ID(func, bpf_lsm_socket_socketpair)
	/* syslog hook. */
BTF_ID(func, bpf_lsm_syslog)
	/* Task hooks. */
BTF_ID(func, bpf_lsm_task_alloc)
BTF_ID(func, bpf_lsm_task_getsecid)
BTF_ID(func, bpf_lsm_task_prctl)
BTF_ID(func, bpf_lsm_task_setscheduler)
BTF_ID(func, bpf_lsm_task_to_inode)
BTF_SET_END(sleepable_lsm_hooks)
/*
 * Report whether @btf_id names a hook in sleepable_lsm_hooks, i.e. one of the
 * bpf_lsm_* stubs that may host a sleepable BPF program. This is a plain set
 * lookup: the set above is the only policy, so reviewing an addition to that
 * set is reviewing this function's answer.
 *
 * NOTE(review): the braces of this one-line body are truncated in this
 * listing.
 */
bool bpf_lsm_is_sleepable_hook(u32 btf_id)
	return btf_id_set_contains(&sleepable_lsm_hooks, btf_id);
159 const struct bpf_prog_ops lsm_prog_ops = {
162 const struct bpf_verifier_ops lsm_verifier_ops = {
163 .get_func_proto = bpf_lsm_func_proto,
164 .is_valid_access = btf_ctx_access,