// SPDX-License-Identifier: GPL-2.0 /* * Copyright (C) 2020 Google LLC. */ #include <linux/filter.h> #include <linux/bpf.h> #include <linux/btf.h> #include <linux/binfmts.h> #include <linux/lsm_hooks.h> #include <linux/bpf_lsm.h> #include <linux/kallsyms.h> #include <linux/bpf_verifier.h> #include <net/bpf_sk_storage.h> #include <linux/bpf_local_storage.h> #include <linux/btf_ids.h> #include <linux/ima.h> #include <linux/bpf-cgroup.h> /* For every LSM hook that allows attachment of BPF programs, declare a nop * function where a BPF program can be attached. */ #define LSM_HOOK … #include <linux/lsm_hook_defs.h> #undef LSM_HOOK #define LSM_HOOK … BTF_SET_START(bpf_lsm_hooks) #include <linux/lsm_hook_defs.h> #undef LSM_HOOK BTF_SET_END(…) /* List of LSM hooks that should operate on 'current' cgroup regardless * of function signature. */ BTF_SET_START(bpf_lsm_current_hooks) /* operate on freshly allocated sk without any cgroup association */ #ifdef CONFIG_SECURITY_NETWORK BTF_ID(…) BTF_ID(…) #endif BTF_SET_END(…) /* List of LSM hooks that trigger while the socket is properly locked. */ BTF_SET_START(bpf_lsm_locked_sockopt_hooks) #ifdef CONFIG_SECURITY_NETWORK BTF_ID(…) BTF_ID(…) BTF_ID(…) #endif BTF_SET_END(…) /* List of LSM hooks that trigger while the socket is _not_ locked, * but it's ok to call bpf_{g,s}etsockopt because the socket is still * in the early init phase. */ BTF_SET_START(bpf_lsm_unlocked_sockopt_hooks) #ifdef CONFIG_SECURITY_NETWORK BTF_ID(…) BTF_ID(…) #endif BTF_SET_END(…) #ifdef CONFIG_CGROUP_BPF void bpf_lsm_find_cgroup_shim(const struct bpf_prog *prog, bpf_func_t *bpf_func) { … } #endif int bpf_lsm_verify_prog(struct bpf_verifier_log *vlog, const struct bpf_prog *prog) { … } /* Mask for all the currently supported BPRM option flags */ #define BPF_F_BRPM_OPTS_MASK … BPF_CALL_2(bpf_bprm_opts_set, struct linux_binprm *, bprm, u64, flags) { … } BTF_ID_LIST_SINGLE(bpf_bprm_opts_set_btf_ids, struct, linux_binprm) static const struct bpf_func_proto bpf_bprm_opts_set_proto = …; BPF_CALL_3(bpf_ima_inode_hash, struct inode *, inode, void *, dst, u32, size) { … } static bool bpf_ima_inode_hash_allowed(const struct bpf_prog *prog) { … } BTF_ID_LIST_SINGLE(bpf_ima_inode_hash_btf_ids, struct, inode) static const struct bpf_func_proto bpf_ima_inode_hash_proto = …; BPF_CALL_3(bpf_ima_file_hash, struct file *, file, void *, dst, u32, size) { … } BTF_ID_LIST_SINGLE(bpf_ima_file_hash_btf_ids, struct, file) static const struct bpf_func_proto bpf_ima_file_hash_proto = …; BPF_CALL_1(bpf_get_attach_cookie, void *, ctx) { … } static const struct bpf_func_proto bpf_get_attach_cookie_proto = …; static const struct bpf_func_proto * bpf_lsm_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog) { … } /* The set of hooks which are called without pagefaults disabled and are allowed * to "sleep" and thus can be used for sleepable BPF programs. */ BTF_SET_START(sleepable_lsm_hooks) BTF_ID(…) BTF_ID(…) BTF_ID(…) BTF_ID(…) BTF_ID(…) BTF_ID(…) BTF_ID(…) BTF_ID(…) BTF_ID(…) BTF_ID(…) BTF_ID(…) BTF_ID(…) BTF_ID(…) BTF_ID(…) BTF_ID(…) BTF_ID(…) BTF_ID(…) BTF_ID(…) BTF_ID(…) BTF_ID(…) BTF_ID(…) BTF_ID(…) BTF_ID(…) BTF_ID(…) BTF_ID(…) BTF_ID(…) BTF_ID(…) BTF_ID(…) BTF_ID(…) BTF_ID(…) BTF_ID(…) BTF_ID(…) BTF_ID(…) BTF_ID(…) BTF_ID(…) BTF_ID(…) BTF_ID(…) BTF_ID(…) BTF_ID(…) BTF_ID(…) BTF_ID(…) #ifdef CONFIG_SECURITY_PATH BTF_ID(…) BTF_ID(…) BTF_ID(…) BTF_ID(…) BTF_ID(…) BTF_ID(…) BTF_ID(…) BTF_ID(…) BTF_ID(…) #endif /* CONFIG_SECURITY_PATH */ #ifdef CONFIG_KEYS BTF_ID(…) #endif /* CONFIG_KEYS */ BTF_ID(…) BTF_ID(…) BTF_ID(…) BTF_ID(…) BTF_ID(…) BTF_ID(…) BTF_ID(…) BTF_ID(…) BTF_ID(…) BTF_ID(…) BTF_ID(…) BTF_ID(…) BTF_ID(…) BTF_ID(…) #ifdef CONFIG_SECURITY_NETWORK BTF_ID(…) BTF_ID(…) BTF_ID(…) BTF_ID(…) BTF_ID(…) BTF_ID(…) BTF_ID(…) BTF_ID(…) BTF_ID(…) BTF_ID(…) BTF_ID(…) BTF_ID(…) BTF_ID(…) BTF_ID(…) BTF_ID(…) #endif /* CONFIG_SECURITY_NETWORK */ BTF_ID(…) BTF_ID(…) BTF_ID(…) BTF_ID(…) BTF_ID(…) BTF_ID(…) BTF_ID(…) BTF_ID(…) BTF_SET_END(…) BTF_SET_START(untrusted_lsm_hooks) BTF_ID(…) BTF_ID(…) BTF_ID(…) BTF_ID(…) #ifdef CONFIG_SECURITY_NETWORK BTF_ID(…) BTF_ID(…) #endif /* CONFIG_SECURITY_NETWORK */ BTF_ID(…) BTF_SET_END(…) bool bpf_lsm_is_sleepable_hook(u32 btf_id) { … } bool bpf_lsm_is_trusted(const struct bpf_prog *prog) { … } const struct bpf_prog_ops lsm_prog_ops = …; const struct bpf_verifier_ops lsm_verifier_ops = …;
Codebase Browser
linux