On 9/10/19 12:55 PM, KP Singh wrote: > From: KP Singh <kpsingh@xxxxxxxxxx> > > A user space program can attach an eBPF program by: > > hook_fd = open("/sys/kernel/security/krsi/process_execution", O_RDWR) > prog_fd = bpf(BPF_PROG_LOAD, ...) > bpf(BPF_PROG_ATTACH, hook_fd, prog_fd) > > When such an attach call is received, the attachment logic looks up the > dentry and appends the program to the bpf_prog_array. > > The BPF programs are stored in a bpf_prog_array and writes to the array > are guarded by a mutex. The eBPF programs are executed as a part of the > LSM hook they are attached to. If any of the eBPF programs return > an error (-ENOPERM) the action represented by the hook is denied. > > Signed-off-by: KP Singh <kpsingh@xxxxxxxxxx> > --- > include/linux/krsi.h | 18 ++++++ > kernel/bpf/syscall.c | 3 +- > security/krsi/include/krsi_init.h | 51 +++++++++++++++ > security/krsi/krsi.c | 13 +++- > security/krsi/krsi_fs.c | 28 ++++++++ > security/krsi/ops.c | 102 ++++++++++++++++++++++++++++++ > 6 files changed, 213 insertions(+), 2 deletions(-) > create mode 100644 include/linux/krsi.h > > diff --git a/include/linux/krsi.h b/include/linux/krsi.h > new file mode 100644 > index 000000000000..c7d1790d0c1f > --- /dev/null > +++ b/include/linux/krsi.h > @@ -0,0 +1,18 @@ > +/* SPDX-License-Identifier: GPL-2.0 */ > + > +#ifndef _KRSI_H > +#define _KRSI_H > + > +#include <linux/bpf.h> > + > +#ifdef CONFIG_SECURITY_KRSI > +int krsi_prog_attach(const union bpf_attr *attr, struct bpf_prog *prog); > +#else > +static inline int krsi_prog_attach(const union bpf_attr *attr, > + struct bpf_prog *prog) > +{ > + return -EINVAL; > +} > +#endif /* CONFIG_SECURITY_KRSI */ > + > +#endif /* _KRSI_H */ > diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c > index f38a539f7e67..ab063ed84258 100644 > --- a/kernel/bpf/syscall.c > +++ b/kernel/bpf/syscall.c > @@ -4,6 +4,7 @@ > #include <linux/bpf.h> > #include <linux/bpf_trace.h> > #include <linux/bpf_lirc.h> > +#include <linux/krsi.h> > #include <linux/btf.h> > #include <linux/syscalls.h> > #include <linux/slab.h> > @@ -1950,7 +1951,7 @@ static int bpf_prog_attach(const union bpf_attr *attr) > ret = lirc_prog_attach(attr, prog); > break; > case BPF_PROG_TYPE_KRSI: > - ret = -EINVAL; > + ret = krsi_prog_attach(attr, prog); > break; > case BPF_PROG_TYPE_FLOW_DISSECTOR: > ret = skb_flow_dissector_bpf_prog_attach(attr, prog); > diff --git a/security/krsi/include/krsi_init.h b/security/krsi/include/krsi_init.h > index 68755182a031..4e17ecacd4ed 100644 > --- a/security/krsi/include/krsi_init.h > +++ b/security/krsi/include/krsi_init.h > @@ -5,12 +5,29 @@ > > #include "krsi_fs.h" > > +#include <linux/binfmts.h> > + > enum krsi_hook_type { > PROCESS_EXECUTION, > __MAX_KRSI_HOOK_TYPE, /* delimiter */ > }; > > extern int krsi_fs_initialized; > + > +struct krsi_bprm_ctx { > + struct linux_binprm *bprm; > +}; > + > +/* > + * krsi_ctx is the context that is passed to all KRSI eBPF > + * programs. > + */ > +struct krsi_ctx { > + union { > + struct krsi_bprm_ctx bprm_ctx; > + }; > +}; > + > /* > * The LSM creates one file per hook. > * > @@ -33,10 +50,44 @@ struct krsi_hook { > * The dentry of the file created in securityfs. > */ > struct dentry *h_dentry; > + /* > + * The mutex must be held when updating the progs attached to the hook. > + */ > + struct mutex mutex; > + /* > + * The eBPF programs that are attached to this hook. > + */ > + struct bpf_prog_array __rcu *progs; > }; > > extern struct krsi_hook krsi_hooks_list[]; > > +static inline int krsi_run_progs(enum krsi_hook_type t, struct krsi_ctx *ctx) > +{ > + struct bpf_prog_array_item *item; > + struct bpf_prog *prog; > + struct krsi_hook *h = &krsi_hooks_list[t]; > + int ret, retval = 0; Reverse christmas tree style? > + > + preempt_disable(); Do we need preempt_disable() here? > + rcu_read_lock(); > + > + item = rcu_dereference(h->progs)->items; > + while ((prog = READ_ONCE(item->prog))) { > + ret = BPF_PROG_RUN(prog, ctx); > + if (ret < 0) { > + retval = ret; > + goto out; > + } > + item++; > + } > + > +out: > + rcu_read_unlock(); > + preempt_enable(); > + return IS_ENABLED(CONFIG_SECURITY_KRSI_ENFORCE) ? retval : 0; > +} > + > #define krsi_for_each_hook(hook) \ > for ((hook) = &krsi_hooks_list[0]; \ > (hook) < &krsi_hooks_list[__MAX_KRSI_HOOK_TYPE]; \ > diff --git a/security/krsi/krsi.c b/security/krsi/krsi.c > index 77d7e2f91172..d3a4a361c192 100644 > --- a/security/krsi/krsi.c > +++ b/security/krsi/krsi.c > @@ -1,6 +1,9 @@ > // SPDX-License-Identifier: GPL-2.0 > > #include <linux/lsm_hooks.h> > +#include <linux/filter.h> > +#include <linux/bpf.h> > +#include <linux/binfmts.h> > > #include "krsi_init.h" > > @@ -16,7 +19,15 @@ struct krsi_hook krsi_hooks_list[] = { > > static int krsi_process_execution(struct linux_binprm *bprm) > { > - return 0; > + int ret; > + struct krsi_ctx ctx; > + > + ctx.bprm_ctx = (struct krsi_bprm_ctx) { > + .bprm = bprm, > + }; > + > + ret = krsi_run_progs(PROCESS_EXECUTION, &ctx); > + return ret; > } > > static struct security_hook_list krsi_hooks[] __lsm_ro_after_init = { > diff --git a/security/krsi/krsi_fs.c b/security/krsi/krsi_fs.c > index 604f826cee5c..3ba18b52ce85 100644 > --- a/security/krsi/krsi_fs.c > +++ b/security/krsi/krsi_fs.c > @@ -5,6 +5,8 @@ > #include <linux/file.h> > #include <linux/fs.h> > #include <linux/types.h> > +#include <linux/filter.h> > +#include <linux/bpf.h> > #include <linux/security.h> > > #include "krsi_fs.h" > @@ -27,12 +29,29 @@ bool is_krsi_hook_file(struct file *f) > > static void __init krsi_free_hook(struct krsi_hook *h) > { > + struct bpf_prog_array_item *item; > + /* > + * This function is __init so we are guarranteed that there will be > + * no concurrent access. > + */ > + struct bpf_prog_array *progs = rcu_dereference_raw(h->progs); > + > + if (progs) { bpf_prog_array itself should never be null? > + item = progs->items; > + while (item->prog) { > + bpf_prog_put(item->prog); > + item++; > + } > + bpf_prog_array_free(progs); > + } > + > securityfs_remove(h->h_dentry); > h->h_dentry = NULL; > } > > static int __init krsi_init_hook(struct krsi_hook *h, struct dentry *parent) > { > + struct bpf_prog_array __rcu *progs; > struct dentry *h_dentry; > int ret; > > @@ -41,6 +60,15 @@ static int __init krsi_init_hook(struct krsi_hook *h, struct dentry *parent) > > if (IS_ERR(h_dentry)) > return PTR_ERR(h_dentry); > + > + mutex_init(&h->mutex); > + progs = bpf_prog_array_alloc(0, GFP_KERNEL); > + if (!progs) { > + ret = -ENOMEM; > + goto error; > + } > + > + RCU_INIT_POINTER(h->progs, progs); > h_dentry->d_fsdata = h; > h->h_dentry = h_dentry; > return 0; > diff --git a/security/krsi/ops.c b/security/krsi/ops.c > index f2de3bd9621e..cf4d06189aa1 100644 > --- a/security/krsi/ops.c > +++ b/security/krsi/ops.c > @@ -1,10 +1,112 @@ > // SPDX-License-Identifier: GPL-2.0 > > +#include <linux/err.h> > +#include <linux/types.h> > #include <linux/filter.h> > #include <linux/bpf.h> > +#include <linux/security.h> > +#include <linux/krsi.h> > + > +#include "krsi_init.h" > +#include "krsi_fs.h" > + > +extern struct krsi_hook krsi_hooks_list[]; > + > +static struct krsi_hook *get_hook_from_fd(int fd) > +{ > + struct fd f = fdget(fd); > + struct krsi_hook *h; > + int ret; > + > + if (!f.file) { > + ret = -EBADF; > + goto error; > + } > + > + if (!is_krsi_hook_file(f.file)) { > + ret = -EINVAL; > + goto error; > + } > + > + /* > + * The securityfs dentry never disappears, so we don't need to take a > + * reference to it. > + */ > + h = file_dentry(f.file)->d_fsdata; > + if (WARN_ON(!h)) { > + ret = -EINVAL; > + goto error; > + } > + fdput(f); > + return h; > + > +error: > + fdput(f); > + return ERR_PTR(ret); > +} > + > +int krsi_prog_attach(const union bpf_attr *attr, struct bpf_prog *prog) > +{ > + struct bpf_prog_array *old_array; > + struct bpf_prog_array *new_array; > + struct krsi_hook *h; > + int ret = 0; > + > + h = get_hook_from_fd(attr->target_fd); > + if (IS_ERR(h)) > + return PTR_ERR(h); > + > + mutex_lock(&h->mutex); > + old_array = rcu_dereference_protected(h->progs, > + lockdep_is_held(&h->mutex)); > + > + ret = bpf_prog_array_copy(old_array, NULL, prog, &new_array); > + if (ret < 0) { > + ret = -ENOMEM; > + goto unlock; > + } > + > + rcu_assign_pointer(h->progs, new_array); > + bpf_prog_array_free(old_array); > + > +unlock: > + mutex_unlock(&h->mutex); > + return ret; > +} > > const struct bpf_prog_ops krsi_prog_ops = { > }; > > +static bool krsi_prog_is_valid_access(int off, int size, > + enum bpf_access_type type, > + const struct bpf_prog *prog, > + struct bpf_insn_access_aux *info) > +{ > + /* > + * KRSI is conservative about any direct access in eBPF to > + * prevent the users from depending on the internals of the kernel and > + * aims at providing a rich eco-system of safe eBPF helpers as an API > + * for accessing relevant information from the context. > + */ > + return false; > +} > + > +static const struct bpf_func_proto *krsi_prog_func_proto(enum bpf_func_id > + func_id, > + const struct bpf_prog > + *prog) > +{ > + switch (func_id) { > + case BPF_FUNC_map_lookup_elem: > + return &bpf_map_lookup_elem_proto; > + case BPF_FUNC_get_current_pid_tgid: > + return &bpf_get_current_pid_tgid_proto; > + default: > + return NULL; > + } > +} > + > const struct bpf_verifier_ops krsi_verifier_ops = { > + .get_func_proto = krsi_prog_func_proto, > + .is_valid_access = krsi_prog_is_valid_access, > }; >