From patchwork Fri Jul 26 08:56:02 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matt Bobrowski X-Patchwork-Id: 13742514 Received: from mail-yw1-f202.google.com (mail-yw1-f202.google.com [209.85.128.202]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 3E0BD176FA7 for ; Fri, 26 Jul 2024 08:56:12 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.202 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1721984174; cv=none; b=RdPlFq1BQUm0rjGAPDlBThw0sBfXuC1Ao39poNBJ68rtEHN8v75W3oPsEI34J6F24olH5AqmIkTZHybHkG+bdZp0Babj1o7nIg0dFj2eyxpP1SeXtVx/9xIZt+K3/rD4Zq1GY3vjU5nBp83d0y3daTdQy74EW4GqLe0zSxioNwE= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1721984174; c=relaxed/simple; bh=SYeM9jCzVVTE5g2DV4B2udUtCEGGnEOgB8F5kKycibA=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=VJzY+b4R8wphJbh478+kOd5pgUkHFj8ILlYgTv7FUzRuILrVJv7poriMtJWlPG4Jwqcqn17Tf0QAHNsyZKsZRSdbfwYFkR5QyDUXrB4YTFmcd5N+ajLqD7WYXbJi2J578O6mmY3rjdA0BUFKQ7dssg9UVTqHuEn4v6yKM6Kpk1A= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--mattbobrowski.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=Gt+XWdrr; arc=none smtp.client-ip=209.85.128.202 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=flex--mattbobrowski.bounces.google.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="Gt+XWdrr" Received: by mail-yw1-f202.google.com with SMTP id 00721157ae682-66af35f84a3so51984587b3.1 for ; Fri, 26 Jul 2024 01:56:12 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1721984172; x=1722588972; darn=vger.kernel.org; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:from:to:cc:subject:date:message-id:reply-to; bh=DY88XCeUY3/6r+6OUV4QM/dNqQSBTZ9XU/Qu6D0C8Ys=; b=Gt+XWdrr56MZcMiq6hJbOOWd9efpTKmUZQbZVvEYLQEeT/D8Qy9TkKl0yZNZ7rViv+ nFsgLBh5FOmjZLdIyRSrKmTCL7TS9cm18Cbcm0tKBhhaDgQ2u0GOpLMDoJDIUgD3GZ+a iLlwGcIotwwHysL9Uyx5a6xEhGlcn9VwlsBLW8sh0xbGKwyujMbOXslY8O98j/zZOlJi YFO1vRNJkeH7pWlA6ym5c9O4Xba6XiYGxn6HOa5vbpHFos+9psWjPjMqFl6wifXaMLCW GcMoKTFBRh+ZAa/EGAMlrzNIAPZ14xW/Y0Z1WjlWhYXk5Zyst7TzC3ufdJT0cety9xqi Sj/g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1721984172; x=1722588972; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=DY88XCeUY3/6r+6OUV4QM/dNqQSBTZ9XU/Qu6D0C8Ys=; b=b3+Co/TcOHcUVt+9PIaztkYp6wFIjHuMOYW2FLHHgxjRNwjdrfvy21wt1K3lPG+LVd 6fzhoF5kUbqoYWU8i3aY3++lLuwVJGAf+osyhqdVZoV1E3AmKKSu2t3KO0YPCDhdskmr Y/WHP4fO+9IkA/U3nw+75tXuqvT4IHlxrnjXz7K8C1RUbiyIcf4hQ6EhCHm1kIY+AGrl csR5dJ86IsDU5VCg+I2JjI0sSkPG5S1sd1ojJ5hwkWf+++08g0nmQnB34nLuJWmGVTK2 2M9fMxvk+XZK79hmUgm0zBIHYK75R7Ek1LwuT4L2GXzT1LvnXY/RfWCqlbQJMDc6LOi2 zbkQ== X-Forwarded-Encrypted: i=1; AJvYcCWq3SqEojUegR56HdaAeGaAs7A5gMPpaYblyc7M85Ln5M9de0Orm7B1NDKqxG+HvISIbX4b6OapKyZI92eYSx+RaIEKRO3UImKorEfPOA== X-Gm-Message-State: AOJu0YySwwDTYGoigzGcLYSnJ5wLnGqvPSMdBFs14WbmLbpk44h0/JpD Cg/uI4Rv/TBdxsGbxy2AQbize+ZSC9ARuGxRIbe39z28gpm7iJaK7krZoNP2Xl8PlAMFTotLPI1 mT+O22cHclrhAba3aIe8snuIQusYpuA== X-Google-Smtp-Source: AGHT+IGPCQfz5GgesjOv02pQevyMK1biadk5YbpA88Jjx/jL8lt/jfRwOt3uI+52VN+2UJhYlL0D5yWOf8MUn9AVjwbV X-Received: from mattbobrowski.c.googlers.com ([fda3:e722:ac3:cc00:31:98fb:c0a8:c5c]) (user=mattbobrowski job=sendgmr) by 2002:a05:690c:660f:b0:66b:fb2f:1b7 with SMTP id 00721157ae682-675b8ce267fmr1406287b3.6.1721984172031; Fri, 26 Jul 2024 01:56:12 -0700 (PDT) Date: Fri, 26 Jul 2024 08:56:02 +0000 In-Reply-To: <20240726085604.2369469-1-mattbobrowski@google.com> Precedence: bulk X-Mailing-List: linux-fsdevel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 References: <20240726085604.2369469-1-mattbobrowski@google.com> X-Mailer: git-send-email 2.46.0.rc1.232.g9752f9e123-goog Message-ID: <20240726085604.2369469-2-mattbobrowski@google.com> Subject: [PATCH v3 bpf-next 1/3] bpf: introduce new VFS based BPF kfuncs From: Matt Bobrowski To: bpf@vger.kernel.org Cc: ast@kernel.org, kpsingh@kernel.org, andrii@kernel.org, jannh@google.com, brauner@kernel.org, linux-fsdevel@vger.kernel.org, jolsa@kernel.org, daniel@iogearbox.net, memxor@gmail.com, Matt Bobrowski Add a new variant of bpf_d_path() named bpf_path_d_path() which takes the form of a BPF kfunc and enforces KF_TRUSTED_ARGS semantics onto its arguments. This new d_path() based BPF kfunc variant is intended to address the legacy bpf_d_path() BPF helper's susceptibility to memory corruption issues [0, 1, 2] by ensuring to only operate on supplied arguments which are deemed trusted by the BPF verifier. Typically, this means that only pointers to a struct path which have been referenced counted may be supplied. In addition to the new bpf_path_d_path() BPF kfunc, we also add a KF_ACQUIRE based BPF kfunc bpf_get_task_exe_file() and KF_RELEASE counterpart BPF kfunc bpf_put_file(). This is so that the new bpf_path_d_path() BPF kfunc can be used more flexibility from within the context of a BPF LSM program. It's rather common to ascertain the backing executable file for the calling process by performing the following walk current->mm->exe_file while instrumenting a given operation from the context of the BPF LSM program. However, walking current->mm->exe_file directly is never deemed to be OK, and doing so from both inside and outside of BPF LSM program context should be considered as a bug. Using bpf_get_task_exe_file() and in turn bpf_put_file() will allow BPF LSM programs to reliably get and put references to current->mm->exe_file. As of now, all the newly introduced BPF kfuncs within this patch are limited to sleepable BPF LSM program types. Therefore, they may only be called when a BPF LSM program is attached to one of the listed attachment points defined within the sleepable_lsm_hooks BTF ID set. [0] https://lore.kernel.org/bpf/CAG48ez0ppjcT=QxU-jtCUfb5xQb3mLr=5FcwddF_VKfEBPs_Dg@mail.gmail.com/ [1] https://lore.kernel.org/bpf/20230606181714.532998-1-jolsa@kernel.org/ [2] https://lore.kernel.org/bpf/20220219113744.1852259-1-memxor@gmail.com/ Signed-off-by: Matt Bobrowski --- fs/Makefile | 1 + fs/bpf_fs_kfuncs.c | 133 +++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 134 insertions(+) create mode 100644 fs/bpf_fs_kfuncs.c diff --git a/fs/Makefile b/fs/Makefile index 6ecc9b0a53f2..61679fd587b7 100644 --- a/fs/Makefile +++ b/fs/Makefile @@ -129,3 +129,4 @@ obj-$(CONFIG_EFIVAR_FS) += efivarfs/ obj-$(CONFIG_EROFS_FS) += erofs/ obj-$(CONFIG_VBOXSF_FS) += vboxsf/ obj-$(CONFIG_ZONEFS_FS) += zonefs/ +obj-$(CONFIG_BPF_LSM) += bpf_fs_kfuncs.o diff --git a/fs/bpf_fs_kfuncs.c b/fs/bpf_fs_kfuncs.c new file mode 100644 index 000000000000..3813e2a83313 --- /dev/null +++ b/fs/bpf_fs_kfuncs.c @@ -0,0 +1,133 @@ +// SPDX-License-Identifier: GPL-2.0 +/* Copyright (c) 2024 Google LLC. */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +__bpf_kfunc_start_defs(); +/** + * bpf_get_task_exe_file - get a reference on the exe_file struct file member of + * the mm_struct that is nested within the supplied + * task_struct + * @task: task_struct of which the nested mm_struct exe_file member to get a + * reference on + * + * Get a reference on the exe_file struct file member field of the mm_struct + * nested within the supplied *task*. The referenced file pointer acquired by + * this BPF kfunc must be released using bpf_put_file(). Failing to call + * bpf_put_file() on the returned referenced struct file pointer that has been + * acquired by this BPF kfunc will result in the BPF program being rejected by + * the BPF verifier. + * + * This BPF kfunc may only be called from sleepable BPF LSM programs. + * + * Internally, this BPF kfunc leans on get_task_exe_file(), such that calling + * bpf_get_task_exe_file() would be analogous to calling get_task_exe_file() + * directly in kernel context. + * + * Return: A referenced struct file pointer to the exe_file member of the + * mm_struct that is nested within the supplied *task*. On error, NULL is + * returned. + */ +__bpf_kfunc struct file *bpf_get_task_exe_file(struct task_struct *task) +{ + return get_task_exe_file(task); +} + +/** + * bpf_put_file - put a reference on the supplied file + * @file: file to put a reference on + * + * Put a reference on the supplied *file*. Only referenced file pointers may be + * passed to this BPF kfunc. Attempting to pass an unreferenced file pointer, or + * any other arbitrary pointer for that matter, will result in the BPF program + * being rejected by the BPF verifier. + * + * This BPF kfunc may only be called from sleepable BPF LSM programs. Though + * fput() can be called from IRQ context, we're enforcing sleepability here. + */ +__bpf_kfunc void bpf_put_file(struct file *file) +{ + fput(file); +} + +/** + * bpf_path_d_path - resolve the pathname for the supplied path + * @path: path to resolve the pathname for + * @buf: buffer to return the resolved pathname in + * @buf__sz: length of the supplied buffer + * + * Resolve the pathname for the supplied *path* and store it in *buf*. This BPF + * kfunc is the safer variant of the legacy bpf_d_path() helper and should be + * used in place of bpf_d_path() whenever possible. It enforces KF_TRUSTED_ARGS + * semantics, meaning that the supplied *path* must itself hold a valid + * reference, or else the BPF program will be outright rejected by the BPF + * verifier. + * + * This BPF kfunc may only be called from sleepable BPF LSM programs. + * + * Return: A positive integer corresponding to the length of the resolved + * pathname in *buf*, including the NUL termination character. On error, a + * negative integer is returned. + */ +__bpf_kfunc int bpf_path_d_path(struct path *path, char *buf, size_t buf__sz) +{ + int len; + char *ret; + + if (buf__sz <= 0) + return -EINVAL; + + /* Usually, d_path() will never involuntarily put the calling thread to + * sleep. However, there could be exceptions to this as d_op->d_dname() + * has free rein over what it wants to do. Additionally, given that this + * new d_path() based BPF kfunc enforces KF_TRUSTED_ARGS, it'll likely + * only ever be called alongside or in similar contexts, to other + * supporting BPF kfuncs that may end up being put to sleep. + */ + ret = d_path(path, buf, buf__sz); + if (IS_ERR(ret)) + return PTR_ERR(ret); + + len = buf + buf__sz - ret; + memmove(buf, ret, len); + return len; +} +__bpf_kfunc_end_defs(); + +BTF_KFUNCS_START(bpf_fs_kfunc_set_ids) +BTF_ID_FLAGS(func, bpf_get_task_exe_file, + KF_ACQUIRE | KF_TRUSTED_ARGS | KF_SLEEPABLE | KF_RET_NULL) +BTF_ID_FLAGS(func, bpf_put_file, KF_RELEASE | KF_SLEEPABLE) +BTF_ID_FLAGS(func, bpf_path_d_path, KF_TRUSTED_ARGS | KF_SLEEPABLE) +BTF_KFUNCS_END(bpf_fs_kfunc_set_ids) + +static int bpf_fs_kfuncs_filter(const struct bpf_prog *prog, u32 kfunc_id) +{ + if (!btf_id_set8_contains(&bpf_fs_kfunc_set_ids, kfunc_id) || + prog->type == BPF_PROG_TYPE_LSM) + return 0; + return -EACCES; +} + +static const struct btf_kfunc_id_set bpf_fs_kfunc_set = { + .owner = THIS_MODULE, + .set = &bpf_fs_kfunc_set_ids, + .filter = bpf_fs_kfuncs_filter, +}; + +static int __init bpf_fs_kfuncs_init(void) +{ + return register_btf_kfunc_id_set(BPF_PROG_TYPE_LSM, &bpf_fs_kfunc_set); +} + +late_initcall(bpf_fs_kfuncs_init); From patchwork Fri Jul 26 08:56:03 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matt Bobrowski X-Patchwork-Id: 13742515 Received: from mail-ed1-f74.google.com (mail-ed1-f74.google.com [209.85.208.74]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 8D59D176FA7 for ; Fri, 26 Jul 2024 08:56:16 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.208.74 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1721984179; cv=none; b=NCF6guBFHG+PxRoV/G2eyyEMW52FZAs6gMdHdmS2wH5CJPND8RGpLM91Su56LpZa7mch30Ggdjb3HEW29boI7qx49nc6Dme7b247lMouAAUGQfU94GeXa4wgNP2SePknNfwyyc64D/g6lHLCjgLkJRNEIyrVoyEm8PMxhpmkoBw= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1721984179; c=relaxed/simple; bh=KUfooIJ8skAH2DfD1RUDOkI/ajVCinML9YKoUVSKDUs=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=jV+PnPDkusQPtKvPYI95u8ZvkcvyqnNdzKB0Uts3O9G35ewJmCGRaoHi3LlNcMTlVVkJWzkxYfS0fqa8LIQfx1whC2CkhA4aUktUSiR9LOK3QAA53EIt8sUG2DYELa/spykaejgZx1P9pZlB8IfXuvc365yiTE1aNENq+dV9sIo= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--mattbobrowski.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=LswBZDZ7; arc=none smtp.client-ip=209.85.208.74 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=flex--mattbobrowski.bounces.google.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="LswBZDZ7" Received: by mail-ed1-f74.google.com with SMTP id 4fb4d7f45d1cf-5a54b18f730so1556244a12.1 for ; Fri, 26 Jul 2024 01:56:16 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1721984175; x=1722588975; darn=vger.kernel.org; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:from:to:cc:subject:date:message-id:reply-to; bh=lFbFIVHkPK2UqrN7rh36uBgPf7D38onpRqNoKGRGQDE=; b=LswBZDZ7eiT22FZDpfP/bRV6sicNKd0N9Ocp9kmX6GsfW4SFKpmUvUzmRP5JyWtY+B WiEsXdyITO8M6FanGP0LbCPbi5zHtgybxW9lcnAK9z1fUT51KAHMDz4D9XFzWnsfpL5J ik2gH6ccYLamwoaCCpXtQkyh972qaX682CBLOCg5L2YsR+YBNa0lLTj4b/ZTJjvAGFPd DBnvyLScgi8/QhUZJNe1+ZFSzIcXFK6bSGKgZ/SSLBgPVapOjC05Zelylrr3PbvwJ95N pqyUpZ3LeNRVNNhz/TABn+74OwjBRgwK1Q2X/8dkKL+0dYpL0+yGXu1u5PxQ6uj3A6Mh j6Sg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1721984175; x=1722588975; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=lFbFIVHkPK2UqrN7rh36uBgPf7D38onpRqNoKGRGQDE=; b=WzW1469Ji5XvzKZiU+4rbK23Uq9VpanzTh7MbXxzAwxqFHFWML3sd9hpbQMBJGyow2 eDzpeVC931b1itleJ/z/uF133j/IuoIl3weFv6rVeQWIEHobu1bocCCLDVY/uRgndeYo AA5YwXCF/tHFQV1WVDi/zTADg3ugeHOhPY22OtXGbTFakiu4MiNULIGDwIE8c7MI2d3+ N+S1Xu2EnLnLZPtwpxRvFMmndvkLl/IgDoKGAovD3050W8JbREawFskJ5EgC7B57EbNE sRKue2+K9/DFBrakCWwbM6DY6jhIkyz2eVFV9WxMNdzgXMrzq6rBamKSwQZxXcY6A5ZP uE8A== X-Forwarded-Encrypted: i=1; AJvYcCWQtm05v+nUSTi2HojJ0gxB6haQv5U4tYwYE6/ML3t4BNmhxxONiTsLcZP7/FmhJL+rixImvQdUQY/ZwtcG/yIlGLBNZL6QcaLuEYl4Jw== X-Gm-Message-State: AOJu0Yw026B1Ooo5a40pySKSLVrTz5TZmLNqpKjzFLY4mnAaYFAW+ORC mwygIbBqw6T3Wm5Z989qWcwJWIU4oMdXA6CMAdJ2eimG1THGqxx83l5AcxcsoySp+6pSza9WnSK KrSlfQol5DoCOmgQCWvGQ16T7hyB5bA== X-Google-Smtp-Source: AGHT+IEkJGTzmnbtX/ixGr/hdKtkig38/dfMGXy0WgZqI8VKGsQHO8XjGv/hY9dxS2ifKQWVC4K45hZRzUwZR10NqTHE X-Received: from mattbobrowski.c.googlers.com ([fda3:e722:ac3:cc00:31:98fb:c0a8:c5c]) (user=mattbobrowski job=sendgmr) by 2002:aa7:c499:0:b0:57d:4bd0:388c with SMTP id 4fb4d7f45d1cf-5ac2bfdad17mr3974a12.3.1721984174608; Fri, 26 Jul 2024 01:56:14 -0700 (PDT) Date: Fri, 26 Jul 2024 08:56:03 +0000 In-Reply-To: <20240726085604.2369469-1-mattbobrowski@google.com> Precedence: bulk X-Mailing-List: linux-fsdevel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 References: <20240726085604.2369469-1-mattbobrowski@google.com> X-Mailer: git-send-email 2.46.0.rc1.232.g9752f9e123-goog Message-ID: <20240726085604.2369469-3-mattbobrowski@google.com> Subject: [PATCH v3 bpf-next 2/3] selftests/bpf: add negative tests for new VFS based BPF kfuncs From: Matt Bobrowski To: bpf@vger.kernel.org Cc: ast@kernel.org, kpsingh@kernel.org, andrii@kernel.org, jannh@google.com, brauner@kernel.org, linux-fsdevel@vger.kernel.org, jolsa@kernel.org, daniel@iogearbox.net, memxor@gmail.com, Matt Bobrowski Add a bunch of negative selftests responsible for asserting that the BPF verifier successfully rejects a BPF program load when the underlying BPF program misuses one of the newly introduced VFS based BPF kfuncs. The following VFS based BPF kfuncs are extensively tested within this new selftest: * struct file *bpf_get_task_exe_file(struct task_struct *); * void bpf_put_file(struct file *); * int bpf_path_d_path(struct path *, char *, size_t); Signed-off-by: Matt Bobrowski Acked-by: Song Liu --- .../testing/selftests/bpf/bpf_experimental.h | 26 +++ .../selftests/bpf/prog_tests/verifier.c | 2 + .../selftests/bpf/progs/verifier_vfs_reject.c | 196 ++++++++++++++++++ 3 files changed, 224 insertions(+) create mode 100644 tools/testing/selftests/bpf/progs/verifier_vfs_reject.c diff --git a/tools/testing/selftests/bpf/bpf_experimental.h b/tools/testing/selftests/bpf/bpf_experimental.h index 828556cdc2f0..8a1ed62b4ed1 100644 --- a/tools/testing/selftests/bpf/bpf_experimental.h +++ b/tools/testing/selftests/bpf/bpf_experimental.h @@ -195,6 +195,32 @@ extern void bpf_iter_task_vma_destroy(struct bpf_iter_task_vma *it) __ksym; */ extern void bpf_throw(u64 cookie) __ksym; +/* Description + * Acquire a reference on the exe_file member field belonging to the + * mm_struct that is nested within the supplied task_struct. The supplied + * task_struct must be trusted/referenced. + * Returns + * A referenced file pointer pointing to the exe_file member field of the + * mm_struct nested in the supplied task_struct, or NULL. + */ +extern struct file *bpf_get_task_exe_file(struct task_struct *task) __ksym; + +/* Description + * Release a reference on the supplied file. The supplied file must be + * trusted/referenced. + */ +extern void bpf_put_file(struct file *file) __ksym; + +/* Description + * Resolve a pathname for the supplied path and store it in the supplied + * buffer. The supplied path must be trusted/referenced. + * Returns + * A positive integer corresponding to the length of the resolved pathname, + * including the NULL termination character, stored in the supplied + * buffer. On error, a negative integer is returned. + */ +extern int bpf_path_d_path(struct path *path, char *buf, size_t buf__sz) __ksym; + /* This macro must be used to mark the exception callback corresponding to the * main program. For example: * diff --git a/tools/testing/selftests/bpf/prog_tests/verifier.c b/tools/testing/selftests/bpf/prog_tests/verifier.c index 67a49d12472c..14d74ba2188e 100644 --- a/tools/testing/selftests/bpf/prog_tests/verifier.c +++ b/tools/testing/selftests/bpf/prog_tests/verifier.c @@ -85,6 +85,7 @@ #include "verifier_value_or_null.skel.h" #include "verifier_value_ptr_arith.skel.h" #include "verifier_var_off.skel.h" +#include "verifier_vfs_reject.skel.h" #include "verifier_xadd.skel.h" #include "verifier_xdp.skel.h" #include "verifier_xdp_direct_packet_access.skel.h" @@ -205,6 +206,7 @@ void test_verifier_value(void) { RUN(verifier_value); } void test_verifier_value_illegal_alu(void) { RUN(verifier_value_illegal_alu); } void test_verifier_value_or_null(void) { RUN(verifier_value_or_null); } void test_verifier_var_off(void) { RUN(verifier_var_off); } +void test_verifier_vfs_reject(void) { RUN(verifier_vfs_reject); } void test_verifier_xadd(void) { RUN(verifier_xadd); } void test_verifier_xdp(void) { RUN(verifier_xdp); } void test_verifier_xdp_direct_packet_access(void) { RUN(verifier_xdp_direct_packet_access); } diff --git a/tools/testing/selftests/bpf/progs/verifier_vfs_reject.c b/tools/testing/selftests/bpf/progs/verifier_vfs_reject.c new file mode 100644 index 000000000000..27666a8ef78a --- /dev/null +++ b/tools/testing/selftests/bpf/progs/verifier_vfs_reject.c @@ -0,0 +1,196 @@ +// SPDX-License-Identifier: GPL-2.0 +/* Copyright (c) 2024 Google LLC. */ + +#include +#include +#include +#include + +#include "bpf_misc.h" +#include "bpf_experimental.h" + +static char buf[PATH_MAX]; + +SEC("lsm.s/file_open") +__failure __msg("Possibly NULL pointer passed to trusted arg0") +int BPF_PROG(get_task_exe_file_kfunc_null) +{ + struct file *acquired; + + /* Can't pass a NULL pointer to bpf_get_task_exe_file(). */ + acquired = bpf_get_task_exe_file(NULL); + if (!acquired) + return 0; + + bpf_put_file(acquired); + return 0; +} + +SEC("lsm.s/inode_getxattr") +__failure __msg("arg#0 pointer type STRUCT task_struct must point to scalar, or struct with scalar") +int BPF_PROG(get_task_exe_file_kfunc_fp) +{ + u64 x; + struct file *acquired; + struct task_struct *fp; + + fp = (struct task_struct *)&x; + /* Can't pass random frame pointer to bpf_get_task_exe_file(). */ + acquired = bpf_get_task_exe_file(fp); + if (!acquired) + return 0; + + bpf_put_file(acquired); + return 0; +} + +SEC("lsm.s/file_open") +__failure __msg("R1 must be referenced or trusted") +int BPF_PROG(get_task_exe_file_kfunc_untrusted) +{ + struct file *acquired; + struct task_struct *parent; + + /* Walking a trusted struct task_struct returned from + * bpf_get_current_task_btf() yields an untrusted pointer. + */ + parent = bpf_get_current_task_btf()->parent; + /* Can't pass untrusted pointer to bpf_get_task_exe_file(). */ + acquired = bpf_get_task_exe_file(parent); + if (!acquired) + return 0; + + bpf_put_file(acquired); + return 0; +} + +SEC("lsm.s/file_open") +__failure __msg("Unreleased reference") +int BPF_PROG(get_task_exe_file_kfunc_unreleased) +{ + struct file *acquired; + + acquired = bpf_get_task_exe_file(bpf_get_current_task_btf()); + if (!acquired) + return 0; + + /* Acquired but never released. */ + return 0; +} + +SEC("lsm/file_open") +__failure __msg("program must be sleepable to call sleepable kfunc bpf_get_task_exe_file") +int BPF_PROG(put_file_kfunc_not_sleepable, struct file *file) +{ + struct file *acquired; + + /* Can't call bpf_get_task_file() from non-sleepable BPF LSM program + * types. + */ + acquired = bpf_get_task_exe_file(bpf_get_current_task_btf()); + if (!acquired) + return 0; + + bpf_put_file(acquired); + return 0; +} + +SEC("lsm.s/file_open") +__failure __msg("release kernel function bpf_put_file expects") +int BPF_PROG(put_file_kfunc_unacquired, struct file *file) +{ + /* Can't release an unacquired pointer. */ + bpf_put_file(file); + return 0; +} + +SEC("tp_btf/task_newtask") +__failure __msg("calling kernel function bpf_get_task_exe_file is not allowed") +int BPF_PROG(get_task_exe_file_kfunc_not_lsm_prog, struct task_struct *task) +{ + struct file *acquired; + + /* bpf_get_task_exe_file() can only be called from a sleepable BPF LSM + * program type. + */ + acquired = bpf_get_task_exe_file(bpf_get_current_task_btf()); + if (!acquired) + return 0; + + bpf_put_file(acquired); + return 0; +} + +SEC("lsm.s/file_open") +__failure __msg("Possibly NULL pointer passed to trusted arg0") +int BPF_PROG(path_d_path_kfunc_null) +{ + /* Can't pass NULL value to bpf_path_d_path() kfunc. */ + bpf_path_d_path(NULL, buf, sizeof(buf)); + return 0; +} + +SEC("fentry/vfs_open") +__failure __msg("calling kernel function bpf_path_d_path is not allowed") +int BPF_PROG(path_d_path_kfunc_non_lsm, struct path *path, struct file *f) +{ + /* Calling bpf_path_d_path() from a non-sleepable and non-LSM + * BPF program isn't permitted. + */ + bpf_path_d_path(path, buf, sizeof(buf)); + return 0; +} + +SEC("lsm.s/task_alloc") +__failure __msg("R1 must be referenced or trusted") +int BPF_PROG(path_d_path_kfunc_untrusted_from_argument, struct task_struct *task) +{ + struct path *root; + + /* Walking a trusted argument typically yields an untrusted + * pointer. This is one example of that. + */ + root = &task->fs->root; + bpf_path_d_path(root, buf, sizeof(buf)); + return 0; +} + +SEC("lsm.s/file_open") +__failure __msg("R1 must be referenced or trusted") +int BPF_PROG(path_d_path_kfunc_untrusted_from_current) +{ + struct path *pwd; + struct task_struct *current; + + current = bpf_get_current_task_btf(); + /* Walking a trusted pointer returned from bpf_get_current_task_btf() + * yields an untrusted pointer. + */ + pwd = ¤t->fs->pwd; + bpf_path_d_path(pwd, buf, sizeof(buf)); + return 0; +} + +SEC("lsm.s/file_open") +__failure __msg("kernel function bpf_path_d_path args#0 expected pointer to STRUCT path but R1 has a pointer to STRUCT file") +int BPF_PROG(path_d_path_kfunc_type_mismatch, struct file *file) +{ + bpf_path_d_path((struct path *)&file->f_task_work, buf, sizeof(buf)); + return 0; +} + +SEC("lsm.s/file_open") +__failure __msg("invalid access to map value, value_size=4096 off=0 size=8192") +int BPF_PROG(path_d_path_kfunc_invalid_buf_sz, struct file *file) +{ + /* bpf_path_d_path() enforces a constraint on the buffer size supplied + * by the BPF LSM program via the __sz annotation. buf here is set to + * PATH_MAX, so let's ensure that the BPF verifier rejects BPF_PROG_LOAD + * attempts if the supplied size and the actual size of the buffer + * mismatches. + */ + bpf_path_d_path(&file->f_path, buf, PATH_MAX * 2); + return 0; +} + +char _license[] SEC("license") = "GPL"; From patchwork Fri Jul 26 08:56:04 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matt Bobrowski X-Patchwork-Id: 13742516 Received: from mail-ej1-f73.google.com (mail-ej1-f73.google.com [209.85.218.73]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id F2190178372 for ; Fri, 26 Jul 2024 08:56:18 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.218.73 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1721984180; cv=none; b=G0hfxReNQ2zZwNp2A3yAkr+4d2OzqRNLTKVFJG1cKdprxAhAAHqihsqqFLC6w48Hur2aiDiE2gUpXihVVxtRYveeZJU94tiQo1GCFptJwf7vYWT17Vn+U99oSZIuQ533KoO8TOvm+sbK7bsC/liA7XgYTjhOWurS10VHJddQxO4= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1721984180; c=relaxed/simple; bh=RVNBSjBqgj/6y6lyrajxl/PVAJAWndjeKfyDpCSBkrk=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=HDlHwqpR7ZRj4mmt+toGJ8WMC8XQSJW17Mx1VlhxeZtZlo4PRtrpMtJ2DXKKia9ADJxRqsiUpwFdVrVuvR8PNtW/vepfGK/q7SqRRylEWq/qy4IFYo7/Ngy0Oyrv6jWfhAdwviD0O/dILb7PhxnIx9pWQkm5WraM0lk1EvOSSgU= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--mattbobrowski.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=hnRxFj6M; arc=none smtp.client-ip=209.85.218.73 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=flex--mattbobrowski.bounces.google.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="hnRxFj6M" Received: by mail-ej1-f73.google.com with SMTP id a640c23a62f3a-a7ab4817f34so117810766b.2 for ; Fri, 26 Jul 2024 01:56:18 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1721984177; x=1722588977; darn=vger.kernel.org; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:from:to:cc:subject:date:message-id:reply-to; bh=Jq0OZln+RUILnwIv9j4pYi6OZYhyhT/7v/9YG1LoiO8=; b=hnRxFj6My/DXT+4GsAq3gK+TNKdReXX3ubhjEz1RdoyTv7ByOgblsI2DHXBu3HGnwg mzuiTUY4SoiigrkSX7aFFiGU8iAg6ufP2quITkFtPNz2/FIfPdGzh/AmaOgA2q9P4f4F ptz9PVHvnakRWxtLhkTwFyjj0zXd1ZJmmNQTcj3H67a3lnE8BBA83eQFrb+e4fGMC3ye kbw/mqdeHQx1IBXiI6WRW3MoiocpgZkf+zmwt3MMOJ3XEx8JYbOVrcNLwVd110ANOAQY c6Re/1PtAI4Lt9BlSU0xZWpFnThr2bkhs+Ka39JUZNYGdTV48xgUFUsJHh57q+wKUoLw vLtg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1721984177; x=1722588977; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=Jq0OZln+RUILnwIv9j4pYi6OZYhyhT/7v/9YG1LoiO8=; b=uVWifEKenzRdIFxYDcluizQRTk2OBa+AF1DlPXQmGwEChdvTVtkMOgx7b7shTnwg7S MVv4BGD4AxmWmsAH5jI3tMvH694BG0DB3ty5ULWthb67VpMBVAp5KHlLRx9z/U564Zdb 6YjTHNCI8yKH8m4zLG1X/z/rhUxFtYof4a2p32jYKJsN0JNQFOq6GmKkI2oTQwQc6+4v uJazpDTCjKVNSfiF1eQLooWlUrnlG6LfBtA0l1yx0KlDhHwWI3vsXz9K2awOUbspo8Lx 008x6agJIbxW9fg36hMMYl+2Mn9RUnXmxLWGUWktp5TALPxc099Apmbatd3cdbmyrRp/ rphw== X-Forwarded-Encrypted: i=1; AJvYcCUv0eMmxDZ+Vz8727ox7eNCEkz8UpEgTv6xka3uNpxsAIxshaD2pQQvxrYQJH1N2cxfGkzALNxB791WRMRhGnypx1gB+yBZb1jhrVfKqw== X-Gm-Message-State: AOJu0YwMJsWhYL9h004nkZU+Zg+ZVHiAdOyqzpaDhLNMSaScsQgaz78i pR35Dprw6XSZC9RwUnQUTBwPofr03u/11P5Kzh3dq2WL804ZOcMMM/PNtnFIj3NG6ZsUHD1a2Ea fYXVIyd0S7Ik6NPwYXxcXAIL/0YGC3g== X-Google-Smtp-Source: AGHT+IHAPnfPb4bZn0X4tZTpS1hqhadVq0TkVqX4dUZ4IJNrsF6esqiID4ehBuzvYaUqjmC6OwhuMKTDj7nC6SF2K4pu X-Received: from mattbobrowski.c.googlers.com ([fda3:e722:ac3:cc00:31:98fb:c0a8:c5c]) (user=mattbobrowski job=sendgmr) by 2002:a17:906:3c55:b0:a7a:8d9b:14e6 with SMTP id a640c23a62f3a-a7ac527d38emr328966b.9.1721984177226; Fri, 26 Jul 2024 01:56:17 -0700 (PDT) Date: Fri, 26 Jul 2024 08:56:04 +0000 In-Reply-To: <20240726085604.2369469-1-mattbobrowski@google.com> Precedence: bulk X-Mailing-List: linux-fsdevel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 References: <20240726085604.2369469-1-mattbobrowski@google.com> X-Mailer: git-send-email 2.46.0.rc1.232.g9752f9e123-goog Message-ID: <20240726085604.2369469-4-mattbobrowski@google.com> Subject: [PATCH v3 bpf-next 3/3] selftests/bpf: add positive tests for new VFS based BPF kfuncs From: Matt Bobrowski To: bpf@vger.kernel.org Cc: ast@kernel.org, kpsingh@kernel.org, andrii@kernel.org, jannh@google.com, brauner@kernel.org, linux-fsdevel@vger.kernel.org, jolsa@kernel.org, daniel@iogearbox.net, memxor@gmail.com, Matt Bobrowski Add a bunch of positive selftests which extensively cover the various contexts and parameters in which the new VFS based BPF kfuncs may be used from. Again, the following VFS based BPF kfuncs are thoroughly tested within this new selftest: * struct file *bpf_get_task_exe_file(struct task_struct *); * void bpf_put_file(struct file *); * int bpf_path_d_path(struct path *, char *, size_t); Signed-off-by: Matt Bobrowski Acked-by: Song Liu --- .../selftests/bpf/prog_tests/verifier.c | 2 + .../selftests/bpf/progs/verifier_vfs_accept.c | 71 +++++++++++++++++++ 2 files changed, 73 insertions(+) create mode 100644 tools/testing/selftests/bpf/progs/verifier_vfs_accept.c diff --git a/tools/testing/selftests/bpf/prog_tests/verifier.c b/tools/testing/selftests/bpf/prog_tests/verifier.c index 14d74ba2188e..f8f546eba488 100644 --- a/tools/testing/selftests/bpf/prog_tests/verifier.c +++ b/tools/testing/selftests/bpf/prog_tests/verifier.c @@ -85,6 +85,7 @@ #include "verifier_value_or_null.skel.h" #include "verifier_value_ptr_arith.skel.h" #include "verifier_var_off.skel.h" +#include "verifier_vfs_accept.skel.h" #include "verifier_vfs_reject.skel.h" #include "verifier_xadd.skel.h" #include "verifier_xdp.skel.h" @@ -206,6 +207,7 @@ void test_verifier_value(void) { RUN(verifier_value); } void test_verifier_value_illegal_alu(void) { RUN(verifier_value_illegal_alu); } void test_verifier_value_or_null(void) { RUN(verifier_value_or_null); } void test_verifier_var_off(void) { RUN(verifier_var_off); } +void test_verifier_vfs_accept(void) { RUN(verifier_vfs_accept); } void test_verifier_vfs_reject(void) { RUN(verifier_vfs_reject); } void test_verifier_xadd(void) { RUN(verifier_xadd); } void test_verifier_xdp(void) { RUN(verifier_xdp); } diff --git a/tools/testing/selftests/bpf/progs/verifier_vfs_accept.c b/tools/testing/selftests/bpf/progs/verifier_vfs_accept.c new file mode 100644 index 000000000000..55deb96a4421 --- /dev/null +++ b/tools/testing/selftests/bpf/progs/verifier_vfs_accept.c @@ -0,0 +1,71 @@ +// SPDX-License-Identifier: GPL-2.0 +/* Copyright (c) 2024 Google LLC. */ + +#include +#include +#include + +#include "bpf_misc.h" +#include "bpf_experimental.h" + +static char buf[64]; + +SEC("lsm.s/file_open") +__success +int BPF_PROG(get_task_exe_file_and_put_kfunc_from_current) +{ + struct file *acquired; + + acquired = bpf_get_task_exe_file(bpf_get_current_task_btf()); + if (!acquired) + return 0; + + bpf_put_file(acquired); + return 0; +} + +SEC("lsm.s/task_alloc") +__success +int BPF_PROG(get_task_exe_file_and_put_kfunc_from_argument, + struct task_struct *task) +{ + struct file *acquired; + + acquired = bpf_get_task_exe_file(task); + if (!acquired) + return 0; + + bpf_put_file(acquired); + return 0; +} + +SEC("lsm.s/inode_getattr") +__success +int BPF_PROG(path_d_path_from_path_argument, struct path *path) +{ + int ret; + + ret = bpf_path_d_path(path, buf, sizeof(buf)); + __sink(ret); + return 0; +} + +SEC("lsm.s/file_open") +__success +int BPF_PROG(path_d_path_from_file_argument, struct file *file) +{ + int ret; + struct path *path; + + /* The f_path member is a path which is embedded directly within a + * file. Therefore, a pointer to such embedded members are still + * recognized by the BPF verifier as being PTR_TRUSTED as it's + * essentially PTR_TRUSTED w/ a non-zero fixed offset. + */ + path = &file->f_path; + ret = bpf_path_d_path(path, buf, sizeof(buf)); + __sink(ret); + return 0; +} + +char _license[] SEC("license") = "GPL";