[PATCH bpf-next 3/5] bpf, lsm: Add function to read lsm hook return value range
Xu Kuohai
xukuohai at huaweicloud.com
Sat Mar 16 12:23:57 UTC 2024
From: Xu Kuohai <xukuohai at huawei.com>
Add function to read lsm hook return value range. The following patch
will use this information to check lsm hook return values in bpf
verifier.
Signed-off-by: Xu Kuohai <xukuohai at huawei.com>
---
include/linux/bpf_lsm.h | 8 ++++++
kernel/bpf/bpf_lsm.c | 56 ++++++++++++++++++++++++++++++++++++++++-
2 files changed, 63 insertions(+), 1 deletion(-)
diff --git a/include/linux/bpf_lsm.h b/include/linux/bpf_lsm.h
index 1de7ece5d36d..e51c042abf43 100644
--- a/include/linux/bpf_lsm.h
+++ b/include/linux/bpf_lsm.h
@@ -9,6 +9,7 @@
#include <linux/sched.h>
#include <linux/bpf.h>
+#include <linux/bpf_verifier.h>
#include <linux/lsm_hooks.h>
#ifdef CONFIG_BPF_LSM
@@ -45,6 +46,8 @@ void bpf_inode_storage_free(struct inode *inode);
void bpf_lsm_find_cgroup_shim(const struct bpf_prog *prog, bpf_func_t *bpf_func);
+int bpf_lsm_get_retval_range(const struct bpf_prog *prog,
+ struct bpf_retval_range *range);
#else /* !CONFIG_BPF_LSM */
static inline bool bpf_lsm_is_sleepable_hook(u32 btf_id)
@@ -78,6 +81,11 @@ static inline void bpf_lsm_find_cgroup_shim(const struct bpf_prog *prog,
{
}
+static inline int bpf_lsm_get_retval_range(const struct bpf_prog *prog,
+ struct bpf_retval_range *range)
+{
+ return -EOPNOTSUPP;
+}
#endif /* CONFIG_BPF_LSM */
#endif /* _LINUX_BPF_LSM_H */
diff --git a/kernel/bpf/bpf_lsm.c b/kernel/bpf/bpf_lsm.c
index ee9d1a795334..7b4611fd3a37 100644
--- a/kernel/bpf/bpf_lsm.c
+++ b/kernel/bpf/bpf_lsm.c
@@ -11,7 +11,6 @@
#include <linux/lsm_hooks.h>
#include <linux/bpf_lsm.h>
#include <linux/kallsyms.h>
-#include <linux/bpf_verifier.h>
#include <net/bpf_sk_storage.h>
#include <linux/bpf_local_storage.h>
#include <linux/btf_ids.h>
@@ -40,6 +39,31 @@ noinline RET bpf_lsm_##NAME(__VA_ARGS__) \
#undef LSM_RET_INT
#undef LSM_RET_VOID
+struct lsm_retval_desc {
+ unsigned long func_addr;
+ int minval;
+ int maxval;
+};
+
+#define LSM_RET_INT_ERRNO -MAX_ERRNO, 0
+#define LSM_RET_INT_ANY INT_MIN, INT_MAX
+#define LSM_RET_INT(defval, range_desc) LSM_RET_INT_##range_desc
+
+#define LSM_HOOK_RETVAL_int(NAME, ...) \
+{ (unsigned long)&bpf_lsm_##NAME, __VA_ARGS__ },
+
+#define LSM_HOOK_RETVAL_void(NAME, ...)
+
+#define LSM_HOOK(RET, DEFAULT, NAME, ...) \
+LSM_HOOK_RETVAL_##RET(NAME, DEFAULT)
+
+static struct lsm_retval_desc lsm_retvalues[] = {
+#include <linux/lsm_hook_defs.h>
+};
+#undef LSM_HOOK
+#undef LSM_RET_INT
+#undef LSM_RET_VOID
+
#define LSM_HOOK(RET, DEFAULT, NAME, ...) BTF_ID(func, bpf_lsm_##NAME)
BTF_SET_START(bpf_lsm_hooks)
#include <linux/lsm_hook_defs.h>
@@ -399,3 +423,33 @@ const struct bpf_verifier_ops lsm_verifier_ops = {
.get_func_proto = bpf_lsm_func_proto,
.is_valid_access = btf_ctx_access,
};
+
+static struct lsm_retval_desc *find_retval_desc(const char *func_name)
+{
+ unsigned long addr;
+ struct lsm_retval_desc *desc;
+
+ addr = kallsyms_lookup_name(func_name);
+ for (unsigned int i = 0U; i < ARRAY_SIZE(lsm_retvalues); i++) {
+ desc = &lsm_retvalues[i];
+ if (addr == desc->func_addr)
+ return desc;
+ }
+
+ return NULL;
+}
+
+int bpf_lsm_get_retval_range(const struct bpf_prog *prog,
+ struct bpf_retval_range *retval_range)
+{
+ struct lsm_retval_desc *desc;
+
+ desc = find_retval_desc(prog->aux->attach_func_name);
+ if (desc == NULL)
+ return -ENODEV;
+
+ retval_range->minval = desc->minval;
+ retval_range->maxval = desc->maxval;
+
+ return 0;
+}
--
2.30.2
More information about the Linux-security-module-archive
mailing list