On Mon, Oct 23, 2023 at 8:14 AM Song Liu <song@xxxxxxxxxx> wrote:
>
> This kfunc can be used to read xattr of a file. To avoid recursion, only
> allow calling this kfunc from LSM hooks.
I think this needs a bit more explanation in the commit message (some
details on what it could be used for, we can explain the use case
about persistent LSM policy and LSM signatures with FSVerity). I know
you add a selftest but some more details in the commit message would
help.
What about adding the KF_TRUSTED_ARGS for the kfunc?
>
> Signed-off-by: Song Liu <song@xxxxxxxxxx>
> ---
> kernel/trace/bpf_trace.c | 56 ++++++++++++++++++++++++++++++++++++++++
> 1 file changed, 56 insertions(+)
>
> diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c
> index 43ed45a83ee2..4178d0e339d3 100644
> --- a/kernel/trace/bpf_trace.c
> +++ b/kernel/trace/bpf_trace.c
> @@ -24,6 +24,7 @@
> #include <linux/key.h>
> #include <linux/verification.h>
> #include <linux/namei.h>
> +#include <linux/fileattr.h>
>
> #include <net/bpf_sk_storage.h>
>
> @@ -1436,6 +1437,61 @@ static int __init bpf_key_sig_kfuncs_init(void)
> late_initcall(bpf_key_sig_kfuncs_init);
> #endif /* CONFIG_KEYS */
>
> +/* filesystem kfuncs */
> +__diag_push();
> +__diag_ignore_all("-Wmissing-prototypes",
> + "kfuncs which will be used in BPF programs");
> +
> +/**
> + * bpf_get_file_xattr - get xattr of a file
> + * @file: file to get xattr from
> + * @name__const_str: name of the xattr
> + * @value_ptr: output buffer of the xattr value
> + *
> + * Get xattr *name__const_str* of *file* and store the output in *value_ptr*.
> + *
> + * Return: 0 on success, a negative value on error.
> + */
> +__bpf_kfunc int bpf_get_file_xattr(struct file *file, const char *name__const_str,
> + struct bpf_dynptr_kern *value_ptr)
> +{
> + struct dentry *dentry;
> + void *value;
> +
> + value = bpf_dynptr_slice_rdwr(value_ptr, 0, NULL, 0);
> + if (IS_ERR_OR_NULL(value))
> + return PTR_ERR(value);
> +
> + dentry = file_dentry(file);
> + return __vfs_getxattr(dentry, dentry->d_inode, name__const_str,
> + value, __bpf_dynptr_size(value_ptr));
> +}
> +
> +__diag_pop();
> +
> +static int bpf_get_file_xattr_filter(const struct bpf_prog *prog, u32 kfunc_id)
> +{
> + /* Only allow to attach from LSM hooks, to avoid recursion */
> + return prog->type != BPF_PROG_TYPE_LSM ? -EACCES : 0;
> +}
> +
> +BTF_SET8_START(fs_kfunc_set)
> +BTF_ID_FLAGS(func, bpf_get_file_xattr, KF_SLEEPABLE)
> +BTF_SET8_END(fs_kfunc_set)
> +
> +const struct btf_kfunc_id_set bpf_fs_kfunc_set = {
> + .owner = THIS_MODULE,
> + .set = &fs_kfunc_set,
> + .filter = bpf_get_file_xattr_filter,
> +};
> +
> +static int __init bpf_fs_kfuncs_init(void)
> +{
> + return register_btf_kfunc_id_set(BPF_PROG_TYPE_LSM, &bpf_fs_kfunc_set);
> +}
> +
> +late_initcall(bpf_fs_kfuncs_init);
> +
> static const struct bpf_func_proto *
> bpf_tracing_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
> {
> --
> 2.34.1
>
>
