mirror of
https://mirrors.bfsu.edu.cn/git/linux.git
synced 2024-11-24 12:44:11 +08:00
4cf1bc1f10
Similar to bpf_local_storage for sockets and inodes add local storage for task_struct. The life-cycle of storage is managed with the life-cycle of the task_struct. i.e. the storage is destroyed along with the owning task with a callback to the bpf_task_storage_free from the task_free LSM hook. The BPF LSM allocates an __rcu pointer to the bpf_local_storage in the security blob which are now stackable and can co-exist with other LSMs. The userspace map operations can be done by using a pid fd as a key passed to the lookup, update and delete operations. Signed-off-by: KP Singh <kpsingh@google.com> Signed-off-by: Alexei Starovoitov <ast@kernel.org> Acked-by: Song Liu <songliubraving@fb.com> Acked-by: Martin KaFai Lau <kafai@fb.com> Link: https://lore.kernel.org/bpf/20201106103747.2780972-3-kpsingh@chromium.org
82 lines
2.0 KiB
C
82 lines
2.0 KiB
C
// SPDX-License-Identifier: GPL-2.0
|
|
|
|
/*
|
|
* Copyright (C) 2020 Google LLC.
|
|
*/
|
|
|
|
#include <linux/filter.h>
|
|
#include <linux/bpf.h>
|
|
#include <linux/btf.h>
|
|
#include <linux/lsm_hooks.h>
|
|
#include <linux/bpf_lsm.h>
|
|
#include <linux/kallsyms.h>
|
|
#include <linux/bpf_verifier.h>
|
|
#include <net/bpf_sk_storage.h>
|
|
#include <linux/bpf_local_storage.h>
|
|
|
|
/* For every LSM hook that allows attachment of BPF programs, declare a nop
|
|
* function where a BPF program can be attached.
|
|
*/
|
|
#define LSM_HOOK(RET, DEFAULT, NAME, ...) \
|
|
noinline RET bpf_lsm_##NAME(__VA_ARGS__) \
|
|
{ \
|
|
return DEFAULT; \
|
|
}
|
|
|
|
#include <linux/lsm_hook_defs.h>
|
|
#undef LSM_HOOK
|
|
|
|
#define BPF_LSM_SYM_PREFX "bpf_lsm_"
|
|
|
|
int bpf_lsm_verify_prog(struct bpf_verifier_log *vlog,
|
|
const struct bpf_prog *prog)
|
|
{
|
|
if (!prog->gpl_compatible) {
|
|
bpf_log(vlog,
|
|
"LSM programs must have a GPL compatible license\n");
|
|
return -EINVAL;
|
|
}
|
|
|
|
if (strncmp(BPF_LSM_SYM_PREFX, prog->aux->attach_func_name,
|
|
sizeof(BPF_LSM_SYM_PREFX) - 1)) {
|
|
bpf_log(vlog, "attach_btf_id %u points to wrong type name %s\n",
|
|
prog->aux->attach_btf_id, prog->aux->attach_func_name);
|
|
return -EINVAL;
|
|
}
|
|
|
|
return 0;
|
|
}
|
|
|
|
static const struct bpf_func_proto *
|
|
bpf_lsm_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
|
|
{
|
|
switch (func_id) {
|
|
case BPF_FUNC_inode_storage_get:
|
|
return &bpf_inode_storage_get_proto;
|
|
case BPF_FUNC_inode_storage_delete:
|
|
return &bpf_inode_storage_delete_proto;
|
|
case BPF_FUNC_sk_storage_get:
|
|
return &bpf_sk_storage_get_proto;
|
|
case BPF_FUNC_sk_storage_delete:
|
|
return &bpf_sk_storage_delete_proto;
|
|
case BPF_FUNC_spin_lock:
|
|
return &bpf_spin_lock_proto;
|
|
case BPF_FUNC_spin_unlock:
|
|
return &bpf_spin_unlock_proto;
|
|
case BPF_FUNC_task_storage_get:
|
|
return &bpf_task_storage_get_proto;
|
|
case BPF_FUNC_task_storage_delete:
|
|
return &bpf_task_storage_delete_proto;
|
|
default:
|
|
return tracing_prog_func_proto(func_id, prog);
|
|
}
|
|
}
|
|
|
|
const struct bpf_prog_ops lsm_prog_ops = {
|
|
};
|
|
|
|
const struct bpf_verifier_ops lsm_verifier_ops = {
|
|
.get_func_proto = bpf_lsm_func_proto,
|
|
.is_valid_access = btf_ctx_access,
|
|
};
|