Re: [PATCH bpf-next v5 4/7] bpf: lsm: Implement attach, detach and execution

KP Singh <kpsingh@xxxxxxxxxxxx> · Tue, 24 Mar 2020 20:00:45 +0100

On 23-Mär 13:18, Andrii Nakryiko wrote:
> On Mon, Mar 23, 2020 at 9:45 AM KP Singh <kpsingh@xxxxxxxxxxxx> wrote:
> >
> > From: KP Singh <kpsingh@xxxxxxxxxx>
> >
> > JITed BPF programs are dynamically attached to the LSM hooks
> > using BPF trampolines. The trampoline prologue generates code to handle
> > conversion of the signature of the hook to the appropriate BPF context.
> >
> > The allocated trampoline programs are attached to the nop functions
> > initialized as LSM hooks.
> >
> > BPF_PROG_TYPE_LSM programs must have a GPL compatible license and
> > and need CAP_SYS_ADMIN (required for loading eBPF programs).
> >
> > Upon attachment:
> >
> > * A BPF fexit trampoline is used for LSM hooks with a void return type.
> > * A BPF fmod_ret trampoline is used for LSM hooks which return an
> >   int. The attached programs can override the return value of the
> >   bpf LSM hook to indicate a MAC Policy decision.
> >
> > Signed-off-by: KP Singh <kpsingh@xxxxxxxxxx>
> > Reviewed-by: Brendan Jackman <jackmanb@xxxxxxxxxx>
> > Reviewed-by: Florent Revest <revest@xxxxxxxxxx>
> > ---
> >  include/linux/bpf.h     |  4 ++++
> >  include/linux/bpf_lsm.h | 11 +++++++++++
> >  kernel/bpf/bpf_lsm.c    | 29 +++++++++++++++++++++++++++++
> >  kernel/bpf/btf.c        |  9 ++++++++-
> >  kernel/bpf/syscall.c    | 26 ++++++++++++++++++++++----
> >  kernel/bpf/trampoline.c | 17 +++++++++++++----
> >  kernel/bpf/verifier.c   | 19 +++++++++++++++----
> >  7 files changed, 102 insertions(+), 13 deletions(-)
> >
> 
> [...]
> 
> >
> > +#define BPF_LSM_SYM_PREFX  "bpf_lsm_"
> > +
> > +int bpf_lsm_verify_prog(struct bpf_verifier_log *vlog,
> > +                       const struct bpf_prog *prog)
> > +{
> > +       /* Only CAP_MAC_ADMIN users are allowed to make changes to LSM hooks
> > +        */
> > +       if (!capable(CAP_MAC_ADMIN))
> > +               return -EPERM;
> > +
> > +       if (!prog->gpl_compatible) {
> > +               bpf_log(vlog,
> > +                       "LSM programs must have a GPL compatible license\n");
> > +               return -EINVAL;
> > +       }
> > +
> > +       if (strncmp(BPF_LSM_SYM_PREFX, prog->aux->attach_func_name,
> > +                   strlen(BPF_LSM_SYM_PREFX))) {
> 
> sizeof(BPF_LSM_SYM_PREFIX) - 1?

Thanks, done.

> 
> > +               bpf_log(vlog, "attach_btf_id %u points to wrong type name %s\n",
> > +                       prog->aux->attach_btf_id, prog->aux->attach_func_name);
> > +               return -EINVAL;
> > +       }
> > +
> > +       return 0;
> > +}
> > +
> 
> [...]
> 
> > @@ -2367,10 +2369,24 @@ static int bpf_tracing_prog_attach(struct bpf_prog *prog)
> >         struct file *link_file;
> >         int link_fd, err;
> >
> > -       if (prog->expected_attach_type != BPF_TRACE_FENTRY &&
> > -           prog->expected_attach_type != BPF_TRACE_FEXIT &&
> > -           prog->expected_attach_type != BPF_MODIFY_RETURN &&
> > -           prog->type != BPF_PROG_TYPE_EXT) {
> > +       switch (prog->type) {
> > +       case BPF_PROG_TYPE_TRACING:
> > +               if (prog->expected_attach_type != BPF_TRACE_FENTRY &&
> > +                   prog->expected_attach_type != BPF_TRACE_FEXIT &&
> > +                   prog->expected_attach_type != BPF_MODIFY_RETURN) {
> > +                       err = -EINVAL;
> > +                       goto out_put_prog;
> > +               }
> > +               break;
> > +       case BPF_PROG_TYPE_EXT:
> 
> It looks like an omission that we don't enforce expected_attach_type
> to be 0 here. Should we fix it until it's too late?

Done.

> 
> > +               break;
> > +       case BPF_PROG_TYPE_LSM:
> > +               if (prog->expected_attach_type != BPF_LSM_MAC) {
> > +                       err = -EINVAL;
> > +                       goto out_put_prog;
> > +               }
> > +               break;
> > +       default:
> >                 err = -EINVAL;
> >                 goto out_put_prog;
> >         }
> > @@ -2452,12 +2468,14 @@ static int bpf_raw_tracepoint_open(const union bpf_attr *attr)
> >         if (prog->type != BPF_PROG_TYPE_RAW_TRACEPOINT &&
> >             prog->type != BPF_PROG_TYPE_TRACING &&
> >             prog->type != BPF_PROG_TYPE_EXT &&
> > +           prog->type != BPF_PROG_TYPE_LSM &&
> >             prog->type != BPF_PROG_TYPE_RAW_TRACEPOINT_WRITABLE) {
> >                 err = -EINVAL;
> >                 goto out_put_prog;
> >         }
> >
> >         if (prog->type == BPF_PROG_TYPE_TRACING ||
> > +           prog->type == BPF_PROG_TYPE_LSM ||
> >             prog->type == BPF_PROG_TYPE_EXT) {
> 
> 
> can you please refactor this into a nicer explicit switch instead of
> combination of if/elses?

Done.

- KP

> 
> >                 if (attr->raw_tracepoint.name) {
> >                         /* The attach point for this category of programs
> > diff --git a/kernel/bpf/trampoline.c b/kernel/bpf/trampoline.c
> > index f30bca2a4d01..9be85aa4ec5f 100644
> > --- a/kernel/bpf/trampoline.c
> > +++ b/kernel/bpf/trampoline.c
> > @@ -6,6 +6,7 @@
> >  #include <linux/ftrace.h>
> >  #include <linux/rbtree_latch.h>
> >  #include <linux/perf_event.h>
> > +#include <linux/btf.h>
> >
> 
> [...]