[v10,bpf-next,4/9] bpf: Add kfunc bpf_get_file_xattr

Message ID	20231103214535.2674059-5-song@kernel.org (mailing list archive)
State	Superseded
Headers	show Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 48B4923776; Fri, 3 Nov 2023 21:46:19 +0000 (UTC) From: Song Liu <song@kernel.org> To: bpf@vger.kernel.org, fsverity@lists.linux.dev Cc: ast@kernel.org, daniel@iogearbox.net, andrii@kernel.org, martin.lau@kernel.org, kernel-team@meta.com, ebiggers@kernel.org, tytso@mit.edu, roberto.sassu@huaweicloud.com, kpsingh@kernel.org, vadfed@meta.com, Song Liu <song@kernel.org> Subject: [PATCH v10 bpf-next 4/9] bpf: Add kfunc bpf_get_file_xattr Date: Fri, 3 Nov 2023 14:45:30 -0700 Message-Id: <20231103214535.2674059-5-song@kernel.org> In-Reply-To: <20231103214535.2674059-1-song@kernel.org> References: <20231103214535.2674059-1-song@kernel.org> Precedence: bulk MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	bpf: File verification with LSM and fsverity \| expand [v10,bpf-next,0/9] bpf: File verification with LSM and fsverity [v10,bpf-next,1/9] bpf: Add __bpf_dynptr_data* for in kernel use [v10,bpf-next,2/9] bpf: Factor out helper check_reg_const_str() [v10,bpf-next,3/9] bpf: Introduce KF_ARG_PTR_TO_CONST_STR [v10,bpf-next,4/9] bpf: Add kfunc bpf_get_file_xattr [v10,bpf-next,5/9] bpf, fsverity: Add kfunc bpf_get_fsverity_digest [v10,bpf-next,6/9] Documentation/bpf: Add documentation for filesystem kfuncs [v10,bpf-next,7/9] selftests/bpf: Sort config in alphabetic order [v10,bpf-next,8/9] selftests/bpf: Add tests for filesystem kfuncs [v10,bpf-next,9/9] selftests/bpf: Add test that uses fsverity and xattr to sign a file

Message ID

20231103214535.2674059-5-song@kernel.org (mailing list archive)

State

Superseded

Headers

From: Song Liu <song@kernel.org>
To: bpf@vger.kernel.org,
	fsverity@lists.linux.dev
Cc: ast@kernel.org,
	daniel@iogearbox.net,
	andrii@kernel.org,
	martin.lau@kernel.org,
	kernel-team@meta.com,
	ebiggers@kernel.org,
	tytso@mit.edu,
	roberto.sassu@huaweicloud.com,
	kpsingh@kernel.org,
	vadfed@meta.com,
	Song Liu <song@kernel.org>
Subject: [PATCH v10 bpf-next 4/9] bpf: Add kfunc bpf_get_file_xattr
Date: Fri,  3 Nov 2023 14:45:30 -0700
Message-Id: <20231103214535.2674059-5-song@kernel.org>
In-Reply-To: <20231103214535.2674059-1-song@kernel.org>
References: <20231103214535.2674059-1-song@kernel.org>
Precedence: bulk
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

bpf: File verification with LSM and fsverity | expand

Commit Message

Song Liu Nov. 3, 2023, 9:45 p.m. UTC

It is common practice for security solutions to store tags/labels in
xattrs. To implement similar functionalities in BPF LSM, add new kfunc
bpf_get_file_xattr().

The first use case of bpf_get_file_xattr() is to implement file
verifications with asymmetric keys. Specificially, security applications
could use fsverity for file hashes and use xattr to store file signatures.
(kfunc for fsverity hash will be added in a separate commit.)

Currently, only xattrs with "user." prefix can be read with kfunc
bpf_get_file_xattr(). As use cases evolve, we may add a dedicated prefix
for bpf_get_file_xattr().

To avoid recursion, bpf_get_file_xattr can be only called from LSM hooks.

Signed-off-by: Song Liu <song@kernel.org>
---
 kernel/trace/bpf_trace.c | 64 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 64 insertions(+)

Comments

Andrii Nakryiko Nov. 3, 2023, 10:10 p.m. UTC | #1

On Fri, Nov 3, 2023 at 2:46 PM Song Liu <song@kernel.org> wrote:
>
> It is common practice for security solutions to store tags/labels in
> xattrs. To implement similar functionalities in BPF LSM, add new kfunc
> bpf_get_file_xattr().
>
> The first use case of bpf_get_file_xattr() is to implement file
> verifications with asymmetric keys. Specificially, security applications
> could use fsverity for file hashes and use xattr to store file signatures.
> (kfunc for fsverity hash will be added in a separate commit.)
>
> Currently, only xattrs with "user." prefix can be read with kfunc
> bpf_get_file_xattr(). As use cases evolve, we may add a dedicated prefix
> for bpf_get_file_xattr().
>
> To avoid recursion, bpf_get_file_xattr can be only called from LSM hooks.
>
> Signed-off-by: Song Liu <song@kernel.org>
> ---
>  kernel/trace/bpf_trace.c | 64 ++++++++++++++++++++++++++++++++++++++++
>  1 file changed, 64 insertions(+)
>
> diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c
> index bfe6fb83e8d0..82eaa099053b 100644
> --- a/kernel/trace/bpf_trace.c
> +++ b/kernel/trace/bpf_trace.c
> @@ -24,6 +24,7 @@
>  #include <linux/key.h>
>  #include <linux/verification.h>
>  #include <linux/namei.h>
> +#include <linux/fileattr.h>
>
>  #include <net/bpf_sk_storage.h>
>
> @@ -1431,6 +1432,69 @@ static int __init bpf_key_sig_kfuncs_init(void)
>  late_initcall(bpf_key_sig_kfuncs_init);
>  #endif /* CONFIG_KEYS */
>
> +/* filesystem kfuncs */
> +__diag_push();
> +__diag_ignore_all("-Wmissing-prototypes",
> +                 "kfuncs which will be used in BPF programs");
> +

please use __bpf_kfunc_{start,end}_defs macros, from [0]

  [0] https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/commit/?id=391145ba2acc

> +/**
> + * bpf_get_file_xattr - get xattr of a file
> + * @file: file to get xattr from
> + * @name__str: name of the xattr
> + * @value_ptr: output buffer of the xattr value
> + *
> + * Get xattr *name__str* of *file* and store the output in *value_ptr*.
> + *
> + * For security reasons, only *name__str* with prefix "user." is allowed.
> + *
> + * Return: 0 on success, a negative value on error.
> + */
> +__bpf_kfunc int bpf_get_file_xattr(struct file *file, const char *name__str,
> +                                  struct bpf_dynptr_kern *value_ptr)
> +{
> +       struct dentry *dentry;
> +       void *value;
> +
> +       if (strncmp(name__str, XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN))
> +               return -EPERM;
> +
> +       value = __bpf_dynptr_data_rw(value_ptr, __bpf_dynptr_size(value_ptr));
> +       if (!value)
> +               return -EINVAL;
> +
> +       dentry = file_dentry(file);
> +       return __vfs_getxattr(dentry, dentry->d_inode, name__str,
> +                             value, __bpf_dynptr_size(value_ptr));

nit: probably cleaner to get size once into local variable and use
that throughout

> +}
> +
> +__diag_pop();
> +
> +BTF_SET8_START(fs_kfunc_set_ids)
> +BTF_ID_FLAGS(func, bpf_get_file_xattr, KF_SLEEPABLE | KF_TRUSTED_ARGS)
> +BTF_SET8_END(fs_kfunc_set_ids)
> +
> +static int bpf_get_file_xattr_filter(const struct bpf_prog *prog, u32 kfunc_id)
> +{
> +       if (!btf_id_set8_contains(&fs_kfunc_set_ids, kfunc_id))
> +               return 0;
> +
> +       /* Only allow to attach from LSM hooks, to avoid recursion */
> +       return prog->type != BPF_PROG_TYPE_LSM ? -EACCES : 0;
> +}
> +
> +const struct btf_kfunc_id_set bpf_fs_kfunc_set = {
> +       .owner = THIS_MODULE,
> +       .set = &fs_kfunc_set_ids,
> +       .filter = bpf_get_file_xattr_filter,
> +};
> +
> +static int __init bpf_fs_kfuncs_init(void)
> +{
> +       return register_btf_kfunc_id_set(BPF_PROG_TYPE_LSM, &bpf_fs_kfunc_set);
> +}
> +
> +late_initcall(bpf_fs_kfuncs_init);
> +
>  static const struct bpf_func_proto *
>  bpf_tracing_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
>  {
> --
> 2.34.1
>

Song Liu Nov. 3, 2023, 10:30 p.m. UTC | #2

On Fri, Nov 3, 2023 at 3:10 PM Andrii Nakryiko
<andrii.nakryiko@gmail.com> wrote:
>
> On Fri, Nov 3, 2023 at 2:46 PM Song Liu <song@kernel.org> wrote:
> >
> > It is common practice for security solutions to store tags/labels in
> > xattrs. To implement similar functionalities in BPF LSM, add new kfunc
> > bpf_get_file_xattr().
> >
> > The first use case of bpf_get_file_xattr() is to implement file
> > verifications with asymmetric keys. Specificially, security applications
> > could use fsverity for file hashes and use xattr to store file signatures.
> > (kfunc for fsverity hash will be added in a separate commit.)
> >
> > Currently, only xattrs with "user." prefix can be read with kfunc
> > bpf_get_file_xattr(). As use cases evolve, we may add a dedicated prefix
> > for bpf_get_file_xattr().
> >
> > To avoid recursion, bpf_get_file_xattr can be only called from LSM hooks.
> >
> > Signed-off-by: Song Liu <song@kernel.org>
> > ---
> >  kernel/trace/bpf_trace.c | 64 ++++++++++++++++++++++++++++++++++++++++
> >  1 file changed, 64 insertions(+)
> >
> > diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c
> > index bfe6fb83e8d0..82eaa099053b 100644
> > --- a/kernel/trace/bpf_trace.c
> > +++ b/kernel/trace/bpf_trace.c
> > @@ -24,6 +24,7 @@
> >  #include <linux/key.h>
> >  #include <linux/verification.h>
> >  #include <linux/namei.h>
> > +#include <linux/fileattr.h>
> >
> >  #include <net/bpf_sk_storage.h>
> >
> > @@ -1431,6 +1432,69 @@ static int __init bpf_key_sig_kfuncs_init(void)
> >  late_initcall(bpf_key_sig_kfuncs_init);
> >  #endif /* CONFIG_KEYS */
> >
> > +/* filesystem kfuncs */
> > +__diag_push();
> > +__diag_ignore_all("-Wmissing-prototypes",
> > +                 "kfuncs which will be used in BPF programs");
> > +
>
> please use __bpf_kfunc_{start,end}_defs macros, from [0]
>
>   [0] https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/commit/?id=391145ba2acc

Nice! I was thinking about the same issue (-Wmissing-declarations).

But this patch is not pulled into bpf-next yet (only in bpf). How about we keep
__diag_ignore_all() etc for now?

Thanks,
Song

Song Liu Nov. 3, 2023, 10:38 p.m. UTC | #3

On Fri, Nov 3, 2023 at 3:30 PM Song Liu <song@kernel.org> wrote:
>
> On Fri, Nov 3, 2023 at 3:10 PM Andrii Nakryiko
> <andrii.nakryiko@gmail.com> wrote:
> >
> > On Fri, Nov 3, 2023 at 2:46 PM Song Liu <song@kernel.org> wrote:
> > >
> > > It is common practice for security solutions to store tags/labels in
> > > xattrs. To implement similar functionalities in BPF LSM, add new kfunc
> > > bpf_get_file_xattr().
> > >
> > > The first use case of bpf_get_file_xattr() is to implement file
> > > verifications with asymmetric keys. Specificially, security applications
> > > could use fsverity for file hashes and use xattr to store file signatures.
> > > (kfunc for fsverity hash will be added in a separate commit.)
> > >
> > > Currently, only xattrs with "user." prefix can be read with kfunc
> > > bpf_get_file_xattr(). As use cases evolve, we may add a dedicated prefix
> > > for bpf_get_file_xattr().
> > >
> > > To avoid recursion, bpf_get_file_xattr can be only called from LSM hooks.
> > >
> > > Signed-off-by: Song Liu <song@kernel.org>
> > > ---
> > >  kernel/trace/bpf_trace.c | 64 ++++++++++++++++++++++++++++++++++++++++
> > >  1 file changed, 64 insertions(+)
> > >
> > > diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c
> > > index bfe6fb83e8d0..82eaa099053b 100644
> > > --- a/kernel/trace/bpf_trace.c
> > > +++ b/kernel/trace/bpf_trace.c
> > > @@ -24,6 +24,7 @@
> > >  #include <linux/key.h>
> > >  #include <linux/verification.h>
> > >  #include <linux/namei.h>
> > > +#include <linux/fileattr.h>
> > >
> > >  #include <net/bpf_sk_storage.h>
> > >
> > > @@ -1431,6 +1432,69 @@ static int __init bpf_key_sig_kfuncs_init(void)
> > >  late_initcall(bpf_key_sig_kfuncs_init);
> > >  #endif /* CONFIG_KEYS */
> > >
> > > +/* filesystem kfuncs */
> > > +__diag_push();
> > > +__diag_ignore_all("-Wmissing-prototypes",
> > > +                 "kfuncs which will be used in BPF programs");
> > > +
> >
> > please use __bpf_kfunc_{start,end}_defs macros, from [0]
> >
> >   [0] https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/commit/?id=391145ba2acc
>
> Nice! I was thinking about the same issue (-Wmissing-declarations).
>
> But this patch is not pulled into bpf-next yet (only in bpf). How about we keep
> __diag_ignore_all() etc for now?

I will add __diag_ignore_all("-Wmissing-declarations",) so it is
equivalent to the marcos.

Thanks,
Song

Andrii Nakryiko Nov. 3, 2023, 10:53 p.m. UTC | #4

On Fri, Nov 3, 2023 at 3:38 PM Song Liu <song@kernel.org> wrote:
>
> On Fri, Nov 3, 2023 at 3:30 PM Song Liu <song@kernel.org> wrote:
> >
> > On Fri, Nov 3, 2023 at 3:10 PM Andrii Nakryiko
> > <andrii.nakryiko@gmail.com> wrote:
> > >
> > > On Fri, Nov 3, 2023 at 2:46 PM Song Liu <song@kernel.org> wrote:
> > > >
> > > > It is common practice for security solutions to store tags/labels in
> > > > xattrs. To implement similar functionalities in BPF LSM, add new kfunc
> > > > bpf_get_file_xattr().
> > > >
> > > > The first use case of bpf_get_file_xattr() is to implement file
> > > > verifications with asymmetric keys. Specificially, security applications
> > > > could use fsverity for file hashes and use xattr to store file signatures.
> > > > (kfunc for fsverity hash will be added in a separate commit.)
> > > >
> > > > Currently, only xattrs with "user." prefix can be read with kfunc
> > > > bpf_get_file_xattr(). As use cases evolve, we may add a dedicated prefix
> > > > for bpf_get_file_xattr().
> > > >
> > > > To avoid recursion, bpf_get_file_xattr can be only called from LSM hooks.
> > > >
> > > > Signed-off-by: Song Liu <song@kernel.org>
> > > > ---
> > > >  kernel/trace/bpf_trace.c | 64 ++++++++++++++++++++++++++++++++++++++++
> > > >  1 file changed, 64 insertions(+)
> > > >
> > > > diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c
> > > > index bfe6fb83e8d0..82eaa099053b 100644
> > > > --- a/kernel/trace/bpf_trace.c
> > > > +++ b/kernel/trace/bpf_trace.c
> > > > @@ -24,6 +24,7 @@
> > > >  #include <linux/key.h>
> > > >  #include <linux/verification.h>
> > > >  #include <linux/namei.h>
> > > > +#include <linux/fileattr.h>
> > > >
> > > >  #include <net/bpf_sk_storage.h>
> > > >
> > > > @@ -1431,6 +1432,69 @@ static int __init bpf_key_sig_kfuncs_init(void)
> > > >  late_initcall(bpf_key_sig_kfuncs_init);
> > > >  #endif /* CONFIG_KEYS */
> > > >
> > > > +/* filesystem kfuncs */
> > > > +__diag_push();
> > > > +__diag_ignore_all("-Wmissing-prototypes",
> > > > +                 "kfuncs which will be used in BPF programs");
> > > > +
> > >
> > > please use __bpf_kfunc_{start,end}_defs macros, from [0]
> > >
> > >   [0] https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/commit/?id=391145ba2acc
> >
> > Nice! I was thinking about the same issue (-Wmissing-declarations).
> >
> > But this patch is not pulled into bpf-next yet (only in bpf). How about we keep
> > __diag_ignore_all() etc for now?
>
> I will add __diag_ignore_all("-Wmissing-declarations",) so it is
> equivalent to the marcos.

Ah, it's bpf tree, not bpf-next, I see. Ok, we'll have to leave it as
is for now and then clean up later.

>
> Thanks,
> Song

diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c
index bfe6fb83e8d0..82eaa099053b 100644
--- a/kernel/trace/bpf_trace.c
+++ b/kernel/trace/bpf_trace.c
@@ -24,6 +24,7 @@ 
 #include <linux/key.h>
 #include <linux/verification.h>
 #include <linux/namei.h>
+#include <linux/fileattr.h>
 
 #include <net/bpf_sk_storage.h>
 
@@ -1431,6 +1432,69 @@  static int __init bpf_key_sig_kfuncs_init(void)
 late_initcall(bpf_key_sig_kfuncs_init);
 #endif /* CONFIG_KEYS */
 
+/* filesystem kfuncs */
+__diag_push();
+__diag_ignore_all("-Wmissing-prototypes",
+		  "kfuncs which will be used in BPF programs");
+
+/**
+ * bpf_get_file_xattr - get xattr of a file
+ * @file: file to get xattr from
+ * @name__str: name of the xattr
+ * @value_ptr: output buffer of the xattr value
+ *
+ * Get xattr *name__str* of *file* and store the output in *value_ptr*.
+ *
+ * For security reasons, only *name__str* with prefix "user." is allowed.
+ *
+ * Return: 0 on success, a negative value on error.
+ */
+__bpf_kfunc int bpf_get_file_xattr(struct file *file, const char *name__str,
+				   struct bpf_dynptr_kern *value_ptr)
+{
+	struct dentry *dentry;
+	void *value;
+
+	if (strncmp(name__str, XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN))
+		return -EPERM;
+
+	value = __bpf_dynptr_data_rw(value_ptr, __bpf_dynptr_size(value_ptr));
+	if (!value)
+		return -EINVAL;
+
+	dentry = file_dentry(file);
+	return __vfs_getxattr(dentry, dentry->d_inode, name__str,
+			      value, __bpf_dynptr_size(value_ptr));
+}
+
+__diag_pop();
+
+BTF_SET8_START(fs_kfunc_set_ids)
+BTF_ID_FLAGS(func, bpf_get_file_xattr, KF_SLEEPABLE | KF_TRUSTED_ARGS)
+BTF_SET8_END(fs_kfunc_set_ids)
+
+static int bpf_get_file_xattr_filter(const struct bpf_prog *prog, u32 kfunc_id)
+{
+	if (!btf_id_set8_contains(&fs_kfunc_set_ids, kfunc_id))
+		return 0;
+
+	/* Only allow to attach from LSM hooks, to avoid recursion */
+	return prog->type != BPF_PROG_TYPE_LSM ? -EACCES : 0;
+}
+
+const struct btf_kfunc_id_set bpf_fs_kfunc_set = {
+	.owner = THIS_MODULE,
+	.set = &fs_kfunc_set_ids,
+	.filter = bpf_get_file_xattr_filter,
+};
+
+static int __init bpf_fs_kfuncs_init(void)
+{
+	return register_btf_kfunc_id_set(BPF_PROG_TYPE_LSM, &bpf_fs_kfunc_set);
+}
+
+late_initcall(bpf_fs_kfuncs_init);
+
 static const struct bpf_func_proto *
 bpf_tracing_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
 {

[v10,bpf-next,4/9] bpf: Add kfunc bpf_get_file_xattr

Commit Message

Comments

Patch