
// SPDX-License-Identifier: GPL-2.0

/*
 * Copyright (C) 2020 Google LLC.
 */

#include <linux/filter.h>
#include <linux/bpf.h>
#include <linux/btf.h>
#include <linux/binfmts.h>
#include <linux/lsm_hooks.h>
#include <linux/bpf_lsm.h>
#include <linux/kallsyms.h>
#include <net/bpf_sk_storage.h>
#include <linux/bpf_local_storage.h>
#include <linux/btf_ids.h>
#include <linux/ima.h>
#include <linux/bpf-cgroup.h>

/* For every LSM hook that allows attachment of BPF programs, declare a nop
 * function where a BPF program can be attached.
 *
 * NOTE(review): the parameter list and expansion of LSM_HOOK are elided in
 * this rendering, so the stub shape (name, return type, default return
 * value) cannot be checked here — confirm against the full source before
 * relying on it.
 */
#define LSM_HOOK

#include <linux/lsm_hook_defs.h>
#undef LSM_HOOK

/* Second expansion of the same hook list, this time collecting a BTF id
 * per hook into the bpf_lsm_hooks set. The LSM_HOOK body is elided in this
 * rendering; presumably this variant emits one BTF_ID per attachable stub
 * declared above — confirm against the full source.
 */
#define LSM_HOOK
BTF_SET_START(bpf_lsm_hooks)
#include <linux/lsm_hook_defs.h>
#undef LSM_HOOK
BTF_SET_END()

/* Hook ids that are "disabled" for BPF LSM. The identifiers are elided in
 * this rendering; what is visible is that two entries are gated on
 * CONFIG_KEYS and CONFIG_AUDIT, presumably because those hooks only exist
 * with the respective option enabled.
 *
 * NOTE(review): membership here is a security boundary. The set's name
 * suggests programs targeting these hooks are refused (presumably in
 * bpf_lsm_verify_prog()), but that cannot be confirmed from this listing —
 * check the full source before adding or removing an entry.
 */
BTF_SET_START(bpf_lsm_disabled_hooks)
BTF_ID()
BTF_ID()
BTF_ID()
BTF_ID()
BTF_ID()
BTF_ID()
BTF_ID()
BTF_ID()
#ifdef CONFIG_KEYS
BTF_ID()
#endif
#ifdef CONFIG_AUDIT
BTF_ID()
#endif
BTF_ID()
BTF_SET_END()

/* List of LSM hooks that should operate on 'current' cgroup regardless
 * of function signature.
 *
 * Hook identifiers are elided in this rendering; both entries are only
 * present with CONFIG_SECURITY_NETWORK, consistent with the note below
 * that they deal with a freshly allocated socket.
 */
BTF_SET_START(bpf_lsm_current_hooks)
/* operate on freshly allocated sk without any cgroup association */
#ifdef CONFIG_SECURITY_NETWORK
BTF_ID()
BTF_ID()
#endif
BTF_SET_END()

/* List of LSM hooks that trigger while the socket is properly locked.
 *
 * Hook identifiers are elided in this rendering. NOTE(review): an entry
 * here is a claim that the hook always runs with the socket lock held; a
 * hook wrongly listed would let bpf_{g,s}etsockopt touch socket state
 * unlocked — verify each call site when the set changes.
 */
BTF_SET_START(bpf_lsm_locked_sockopt_hooks)
#ifdef CONFIG_SECURITY_NETWORK
BTF_ID()
BTF_ID()
BTF_ID()
#endif
BTF_SET_END()

/* List of LSM hooks that trigger while the socket is _not_ locked,
 * but it's ok to call bpf_{g,s}etsockopt because the socket is still
 * in the early init phase.
 *
 * Hook identifiers are elided in this rendering. NOTE(review): the
 * "early init, not yet visible" argument is what makes the unlocked
 * access safe; any hook added here must satisfy it — confirm at the
 * call site.
 */
BTF_SET_START(bpf_lsm_unlocked_sockopt_hooks)
#ifdef CONFIG_SECURITY_NETWORK
BTF_ID()
BTF_ID()
#endif
BTF_SET_END()

#ifdef CONFIG_CGROUP_BPF
/* Look up the cgroup shim for an LSM program (only built with
 * CONFIG_CGROUP_BPF).
 *
 * @prog:     the program being attached
 * @bpf_func: out-parameter; from the signature it presumably receives the
 *            shim entry point for @prog — confirm, the body is elided in
 *            this rendering.
 */
void bpf_lsm_find_cgroup_shim(const struct bpf_prog *prog,
			     bpf_func_t *bpf_func)
{}
#endif

/* Verifier-time check of a BPF LSM program.
 *
 * @vlog: verifier log for diagnostics
 * @prog: the program under verification
 *
 * Body elided in this rendering; presumably returns 0 on success or a
 * negative errno. NOTE(review): this is the natural place where attachment
 * to an id in bpf_lsm_disabled_hooks, or to one not in bpf_lsm_hooks, would
 * be refused — confirm against the full source.
 */
int bpf_lsm_verify_prog(struct bpf_verifier_log *vlog,
			const struct bpf_prog *prog)
{}

/* Mask for all the currently supported BPRM option flags */
#define BPF_F_BRPM_OPTS_MASK

/* BPF helper: apply @flags to @bprm. Body elided in this rendering.
 *
 * NOTE(review): @flags is program-controlled. The helper is expected to
 * reject any bit outside BPF_F_BRPM_OPTS_MASK (defined above) with an
 * error rather than silently masking it — confirm against the full source.
 */
BPF_CALL_2(bpf_bprm_opts_set, struct linux_binprm *, bprm, u64, flags)
{}

/* BTF id of struct linux_binprm, presumably referenced by the prototype
 * below so the verifier can type-check the helper's first argument. */
BTF_ID_LIST_SINGLE(bpf_bprm_opts_set_btf_ids, struct, linux_binprm)

/* Prototype for bpf_bprm_opts_set; initialiser elided in this rendering. */
static const struct bpf_func_proto bpf_bprm_opts_set_proto =;

/* BPF helper taking an @inode and a destination buffer @dst of @size bytes.
 * Body elided in this rendering; from the name and signature it presumably
 * copies the IMA hash of @inode into @dst — confirm.
 *
 * NOTE(review): the copy must be bounded by @size, and a missing
 * measurement or a too-small buffer should surface in the return value
 * rather than leave @dst partially written — verify against the full body.
 */
BPF_CALL_3(bpf_ima_inode_hash, struct inode *, inode, void *, dst, u32, size)
{}

/* Gate deciding whether @prog may use the IMA inode-hash helper. Body
 * elided in this rendering; presumably wired into the helper's prototype
 * below — confirm.
 */
static bool bpf_ima_inode_hash_allowed(const struct bpf_prog *prog)
{}

/* BTF id of struct inode for type-checking the helper's first argument. */
BTF_ID_LIST_SINGLE(bpf_ima_inode_hash_btf_ids, struct, inode)

/* Prototype for bpf_ima_inode_hash; initialiser elided in this rendering. */
static const struct bpf_func_proto bpf_ima_inode_hash_proto =;

/* File-based counterpart of bpf_ima_inode_hash: takes a @file instead of an
 * inode, same @dst/@size buffer contract. Body elided in this rendering;
 * the same bounding/return-value expectations apply — confirm.
 */
BPF_CALL_3(bpf_ima_file_hash, struct file *, file, void *, dst, u32, size)
{}

/* BTF id of struct file for type-checking the helper's first argument. */
BTF_ID_LIST_SINGLE(bpf_ima_file_hash_btf_ids, struct, file)

/* Prototype for bpf_ima_file_hash; initialiser elided in this rendering. */
static const struct bpf_func_proto bpf_ima_file_hash_proto =;

/* BPF helper returning the attach cookie for the running program, given its
 * context @ctx. Body elided in this rendering.
 */
BPF_CALL_1(bpf_get_attach_cookie, void *, ctx)
{}

/* Prototype for bpf_get_attach_cookie; initialiser elided in this rendering. */
static const struct bpf_func_proto bpf_get_attach_cookie_proto =;

/* Resolve the helper prototype for @func_id as seen by LSM program @prog.
 * Body elided in this rendering; presumably returns one of the *_proto
 * objects above for the LSM-specific helpers and defers the rest, with
 * NULL meaning "not available to this program" — confirm.
 *
 * NOTE(review): per-program gating (e.g. bpf_ima_inode_hash_allowed()) is
 * what keeps privileged helpers away from programs that should not have
 * them; check that every LSM-specific helper returned here is gated.
 */
static const struct bpf_func_proto *
bpf_lsm_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
{}

/* The set of hooks which are called without pagefaults disabled and are allowed
 * to "sleep" and thus can be used for sleepable BPF programs.
 *
 * Hook identifiers are elided in this rendering; the groups are separated
 * by blank lines and by CONFIG_SECURITY_PATH / CONFIG_SECURITY_NETWORK
 * guards for hooks that only exist with those options.
 *
 * NOTE(review): an entry here is a claim that the hook is never invoked in
 * atomic context. Listing a hook that can run under a spinlock or with
 * pagefaults disabled would let a sleepable program sleep where it must
 * not — verify the call sites whenever this set changes.
 */
BTF_SET_START(sleepable_lsm_hooks)
BTF_ID()
BTF_ID()
BTF_ID()
BTF_ID()
BTF_ID()
BTF_ID()
BTF_ID()
BTF_ID()
BTF_ID()
BTF_ID()
BTF_ID()
BTF_ID()
BTF_ID()
BTF_ID()
BTF_ID()
BTF_ID()
BTF_ID()
BTF_ID()
BTF_ID()
BTF_ID()
BTF_ID()
BTF_ID()
BTF_ID()
BTF_ID()

BTF_ID()
BTF_ID()
BTF_ID()
BTF_ID()
BTF_ID()
BTF_ID()
BTF_ID()
BTF_ID()
BTF_ID()
BTF_ID()
BTF_ID()
BTF_ID()
BTF_ID()
BTF_ID()
BTF_ID()
BTF_ID()
BTF_ID()

#ifdef CONFIG_SECURITY_PATH
BTF_ID()
BTF_ID()
BTF_ID()
BTF_ID()
BTF_ID()
BTF_ID()
BTF_ID()
BTF_ID()
BTF_ID()
#endif /* CONFIG_SECURITY_PATH */

BTF_ID()
BTF_ID()
BTF_ID()
BTF_ID()
BTF_ID()
BTF_ID()
BTF_ID()
BTF_ID()
BTF_ID()
BTF_ID()
BTF_ID()
BTF_ID()
BTF_ID()
BTF_ID()

#ifdef CONFIG_SECURITY_NETWORK
BTF_ID()

BTF_ID()
BTF_ID()
BTF_ID()
BTF_ID()
BTF_ID()
BTF_ID()
BTF_ID()
BTF_ID()
BTF_ID()
BTF_ID()
BTF_ID()
BTF_ID()
BTF_ID()
BTF_ID()
#endif /* CONFIG_SECURITY_NETWORK */

BTF_ID()
BTF_ID()
BTF_ID()
BTF_ID()
BTF_ID()
BTF_ID()
BTF_ID()
BTF_ID()
BTF_SET_END()

/* Hooks whose programs are treated as "untrusted". Hook identifiers are
 * elided in this rendering; two entries depend on CONFIG_SECURITY_NETWORK.
 *
 * NOTE(review): the set's name and its use from bpf_lsm_is_trusted() below
 * suggest that pointer arguments at these hooks must not be assumed valid
 * by the verifier, but the exact consequence cannot be confirmed from this
 * listing — check the full source before changing membership.
 */
BTF_SET_START(untrusted_lsm_hooks)
BTF_ID()
BTF_ID()
BTF_ID()
BTF_ID()
#ifdef CONFIG_SECURITY_NETWORK
BTF_ID()
BTF_ID()
#endif /* CONFIG_SECURITY_NETWORK */
BTF_ID()
BTF_SET_END()

/* Whether the hook with BTF id @btf_id may host a sleepable program.
 * Body elided in this rendering; presumably a membership test against
 * sleepable_lsm_hooks above — confirm.
 */
bool bpf_lsm_is_sleepable_hook(u32 btf_id)
{}

/* Whether @prog's attach point is considered trusted. Body elided in this
 * rendering; presumably the negation of a membership test against
 * untrusted_lsm_hooks for the program's attach BTF id — confirm.
 */
bool bpf_lsm_is_trusted(const struct bpf_prog *prog)
{}

/* Program and verifier ops for BPF_PROG_TYPE_LSM; initialisers elided in
 * this rendering. bpf_lsm_func_proto() above is presumably wired in via
 * lsm_verifier_ops — confirm.
 */
const struct bpf_prog_ops lsm_prog_ops =;

const struct bpf_verifier_ops lsm_verifier_ops =;

/* hooks return 0 or 1 */
/* Hook identifiers are elided in this rendering; entries are gated on
 * CONFIG_SECURITY_NETWORK_XFRM and CONFIG_AUDIT where the hook only exists
 * with that option. Presumably consumed by bpf_lsm_get_retval_range() below
 * to narrow the allowed program return value to {0, 1} — confirm.
 */
BTF_SET_START(bool_lsm_hooks)
#ifdef CONFIG_SECURITY_NETWORK_XFRM
BTF_ID()
#endif
#ifdef CONFIG_AUDIT
BTF_ID()
#endif
BTF_ID()
BTF_SET_END()

/* Report the range of return values the verifier should accept from @prog.
 *
 * @prog:         the LSM program
 * @retval_range: out-parameter receiving the permitted range
 *
 * Body elided in this rendering; presumably returns 0 and fills
 * *@retval_range, using bool_lsm_hooks to distinguish {0,1} hooks from
 * errno-returning ones — confirm. NOTE(review): a too-wide range here lets
 * a program return values the LSM hook does not expect, so keep this in
 * sync with the hook definitions.
 */
int bpf_lsm_get_retval_range(const struct bpf_prog *prog,
			     struct bpf_retval_range *retval_range)
{}