The BPF helper whitelist checking works as follows:
- helper's whitelist is defined as list of functions in file:
kernel/bpf/helpers-whitelist/helper
- at vmlinux linking time, the bpfwl tool reads the whitelist
and translates functions into BTF IDs, which are compiled as
following data section into vmlinux object:
.BTF_whitelist
BTF_whitelist_<helper1>
BTF_whitelist_<helper2>
BTF_whitelist_<helper3>
Each BTF_whitelist_<helperX> data is a sorted array of BTF ids.
- new 'allowed' function is added to 'struct bpf_func_proto',
which is used by verifier code to check (if defined) on whether
the helper is called from allowed function (from whitelist).
Currently it's needed and implemented only for d_path helper,
but it's easy to add for another helper.
Signed-off-by: Jiri Olsa <jolsa@xxxxxxxxxx>
---
include/asm-generic/vmlinux.lds.h | 5 +++++
include/linux/bpf.h | 1 +
kernel/bpf/verifier.c | 5 +++++
kernel/trace/bpf_trace.c | 23 +++++++++++++++++++++++
4 files changed, 34 insertions(+)
diff --git a/include/asm-generic/vmlinux.lds.h b/include/asm-generic/vmlinux.lds.h
index 71e387a5fe90..6f7ca4f36ed7 100644
--- a/include/asm-generic/vmlinux.lds.h
+++ b/include/asm-generic/vmlinux.lds.h
@@ -631,6 +631,11 @@
__start_BTF = .; \
*(.BTF) \
__stop_BTF = .; \
+ } \
+ .BTF_whitelist : AT(ADDR(.BTF_whitelist) - LOAD_OFFSET) { \
+ __start_BTF_whitelist_d_path = .; \
+ *(.BTF_whitelist_d_path) \
+ __stop_BTF_whitelist_d_path = .; \
}
#else
#define BTF
diff --git a/include/linux/bpf.h b/include/linux/bpf.h
index bc589cdd8c34..ccacf488429f 100644
--- a/include/linux/bpf.h
+++ b/include/linux/bpf.h
@@ -275,6 +275,7 @@ struct bpf_func_proto {
enum bpf_arg_type arg_type[5];
};
int *btf_id; /* BTF ids of arguments */
+ bool (*allowed)(const struct bpf_prog *prog);
};
/* bpf_context is intentionally undefined structure. Pointer to bpf_context is
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index b988df5ada20..55995de954a0 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -4525,6 +4525,11 @@ static int check_helper_call(struct bpf_verifier_env *env, int func_id, int insn
return -EINVAL;
}
+ if (fn->allowed && !fn->allowed(env->prog)) {
+ verbose(env, "helper call is not allowed in probe\n");
+ return -EINVAL;
+ }
+
/* With LD_ABS/IND some JITs save/restore skb from r1. */
changes_data = bpf_helper_changes_pkt_data(fn->func);
if (changes_data && fn->arg1_type != ARG_PTR_TO_CTX) {
diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c
index 3097ab04bdc4..55682d610534 100644
--- a/kernel/trace/bpf_trace.c
+++ b/kernel/trace/bpf_trace.c
@@ -13,6 +13,7 @@
#include <linux/kprobes.h>
#include <linux/syscalls.h>
#include <linux/error-injection.h>
+#include <linux/bsearch.h>
#include <asm/tlb.h>
@@ -797,6 +798,27 @@ BPF_CALL_3(bpf_d_path, struct path *, path, char *, buf, u32, sz)
return len;
}
+extern char __weak __start_BTF_whitelist_d_path[];
+extern char __weak __stop_BTF_whitelist_d_path[];
+
+static int btf_id_cmp_func(const void *a, const void *b)
+{
+ const unsigned long *pa = a;
+ const unsigned long *pb = b;
+
+ return *pa - *pb;
+}
+
+static bool bpf_d_path_allowed(const struct bpf_prog *prog)
+{
+ unsigned long *start = (unsigned long *) __start_BTF_whitelist_d_path;
+ unsigned long *stop = (unsigned long *) __stop_BTF_whitelist_d_path;
+ unsigned long id = prog->aux->attach_btf_id;
+
+ return bsearch(&id, start, stop - start, sizeof(unsigned long),
+ btf_id_cmp_func) != NULL;
+}
+
static u32 bpf_d_path_btf_ids[3];
static const struct bpf_func_proto bpf_d_path_proto = {
.func = bpf_d_path,
@@ -806,6 +828,7 @@ static const struct bpf_func_proto bpf_d_path_proto = {
.arg2_type = ARG_PTR_TO_MEM,
.arg3_type = ARG_CONST_SIZE,
.btf_id = bpf_d_path_btf_ids,
+ .allowed = bpf_d_path_allowed,
};
const struct bpf_func_proto *
--
2.25.4
