From: Yonghong Song <yhs@fb.com>
To: KP Singh <kpsingh@chromium.org>, James Morris <jmorris@namei.org>,
	<linux-kernel@vger.kernel.org>, <bpf@vger.kernel.org>,
	<linux-security-module@vger.kernel.org>
Cc: Alexei Starovoitov <ast@kernel.org>,
	Daniel Borkmann <daniel@iogearbox.net>,
	Florent Revest <revest@chromium.org>,
	Brendan Jackman <jackmanb@chromium.org>,
	Mimi Zohar <zohar@linux.ibm.com>
Subject: Re: [PATCH bpf-next 2/3] bpf: Add a BPF helper for getting the IMA hash of an inode
Date: Fri, 20 Nov 2020 09:47:26 -0800	[thread overview]
Message-ID: <a9336dd5-df17-85d9-7c63-d8ab4b74b459@fb.com> (raw)
In-Reply-To: <20201120131708.3237864-2-kpsingh@chromium.org>



On 11/20/20 5:17 AM, KP Singh wrote:
> From: KP Singh <kpsingh@google.com>
> 
> Provide a wrapper function to get the IMA hash of an inode. This helper
> is useful in fingerprinting files (e.g executables on execution) and
> using these fingerprints in detections like an executable unlinking
> itself.
> 
> Since the ima_inode_hash can sleep, it's only allowed for sleepable
> LSM hooks.
> 
> Signed-off-by: KP Singh <kpsingh@google.com>
> ---
>   include/uapi/linux/bpf.h       | 11 +++++++++++
>   kernel/bpf/bpf_lsm.c           | 26 ++++++++++++++++++++++++++
>   scripts/bpf_helpers_doc.py     |  1 +
>   tools/include/uapi/linux/bpf.h | 11 +++++++++++
>   4 files changed, 49 insertions(+)
> 
> diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h
> index 3ca6146f001a..dd5b8622bb89 100644
> --- a/include/uapi/linux/bpf.h
> +++ b/include/uapi/linux/bpf.h
> @@ -3807,6 +3807,16 @@ union bpf_attr {
>    * 		See: **clock_gettime**\ (**CLOCK_MONOTONIC_COARSE**)
>    * 	Return
>    * 		Current *ktime*.
> + *
> + * long bpf_ima_inode_hash(struct inode *inode, void *dst, u32 size)
> + *	Description
> + *		Returns the stored IMA hash of the *inode* (if it's avaialable).
> + *		If the hash is larger than *size*, then only *size*
> + *		bytes will be copied to *dst*
> + *	Return
> + *		The **hash_algo** of is returned on success,

of => if?

> + *		**-EOPNOTSUP** if IMA is disabled and **-EINVAL** if

and => or

> + *		invalid arguments are passed.
>    */
>   #define __BPF_FUNC_MAPPER(FN)		\
>   	FN(unspec),			\
> @@ -3970,6 +3980,7 @@ union bpf_attr {
>   	FN(get_current_task_btf),	\
>   	FN(bprm_opts_set),		\
>   	FN(ktime_get_coarse_ns),	\
> +	FN(ima_inode_hash),		\
>   	/* */
>   
>   /* integer value in 'imm' field of BPF_CALL instruction selects which helper
> diff --git a/kernel/bpf/bpf_lsm.c b/kernel/bpf/bpf_lsm.c
> index b4f27a874092..51c36f61339e 100644
> --- a/kernel/bpf/bpf_lsm.c
> +++ b/kernel/bpf/bpf_lsm.c
> @@ -15,6 +15,7 @@
>   #include <net/bpf_sk_storage.h>
>   #include <linux/bpf_local_storage.h>
>   #include <linux/btf_ids.h>
> +#include <linux/ima.h>
>   
>   /* For every LSM hook that allows attachment of BPF programs, declare a nop
>    * function where a BPF program can be attached.
> @@ -75,6 +76,29 @@ const static struct bpf_func_proto bpf_bprm_opts_set_proto = {
>   	.arg2_type	= ARG_ANYTHING,
>   };
>   
> +BPF_CALL_3(bpf_ima_inode_hash, struct inode *, inode, void *, dst, u32, size)
> +{
> +	return ima_inode_hash(inode, dst, size);
> +}
> +
> +static bool bpf_ima_inode_hash_allowed(const struct bpf_prog *prog)
> +{
> +	return bpf_lsm_is_sleepable_hook(prog->aux->attach_btf_id);
> +}
> +
> +BTF_ID_LIST_SINGLE(bpf_ima_inode_hash_btf_ids, struct, inode)
> +
> +const static struct bpf_func_proto bpf_ima_inode_hash_proto = {
> +	.func		= bpf_ima_inode_hash,
> +	.gpl_only	= false,
> +	.ret_type	= RET_INTEGER,
> +	.arg1_type	= ARG_PTR_TO_BTF_ID,
> +	.arg1_btf_id	= &bpf_ima_inode_hash_btf_ids[0],
> +	.arg2_type	= ARG_PTR_TO_UNINIT_MEM,
> +	.arg3_type	= ARG_CONST_SIZE_OR_ZERO,

I know ARG_CONST_SIZE_OR_ZERO provides some flexibility and may
make it easier for the verifier to verify programs. But beyond that, did
you see any real use case where a user would pass a zero-size buf to
get the hash value?

> +	.allowed	= bpf_ima_inode_hash_allowed,
> +};
> +
>   static const struct bpf_func_proto *
>   bpf_lsm_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
>   {
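Review bot: bpf_ima_inode_hash() declares *dst* as ARG_PTR_TO_UNINIT_MEM, so after the call the verifier lets the program read all *size* bytes of it, yet the wrapper passes ima_inode_hash()'s result straight through without checking it; if that function can fail without writing to *dst* — its body is in patch 1/3, not in this hunk, and the uapi comment above lists two error returns — the program can then read stale kernel stack contents. Helpers with the same argument convention, e.g. bpf_probe_read_kernel(), zero the buffer on failure, and the same pattern fits here: `long ret = ima_inode_hash(inode, dst, size);` / `if (ret < 0) memset(dst, 0, size);` / `return ret;`. Separately, `const static struct bpf_func_proto` follows the ordering already used by bpf_bprm_opts_set_proto in this file, but `static const` is the conventional spelling; not worth a respin on its own.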
> @@ -97,6 +121,8 @@ bpf_lsm_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
>   		return &bpf_task_storage_delete_proto;
>   	case BPF_FUNC_bprm_opts_set:
>   		return &bpf_bprm_opts_set_proto;
> +	case BPF_FUNC_ima_inode_hash:
> +		return &bpf_ima_inode_hash_proto;
>   	default:
>   		return tracing_prog_func_proto(func_id, prog);
>   	}
> diff --git a/scripts/bpf_helpers_doc.py b/scripts/bpf_helpers_doc.py
> index add7fcb32dcd..cb16687acb66 100755
> --- a/scripts/bpf_helpers_doc.py
> +++ b/scripts/bpf_helpers_doc.py
> @@ -430,6 +430,7 @@ class PrinterHelpers(Printer):
>               'struct tcp_request_sock',
>               'struct udp6_sock',
>               'struct task_struct',
> +            'struct inode',
>   
>               'struct __sk_buff',
>               'struct sk_msg_md',
> diff --git a/tools/include/uapi/linux/bpf.h b/tools/include/uapi/linux/bpf.h
> index 3ca6146f001a..dd5b8622bb89 100644
> --- a/tools/include/uapi/linux/bpf.h
> +++ b/tools/include/uapi/linux/bpf.h
> @@ -3807,6 +3807,16 @@ union bpf_attr {
>    * 		See: **clock_gettime**\ (**CLOCK_MONOTONIC_COARSE**)
>    * 	Return
>    * 		Current *ktime*.
> + *
> + * long bpf_ima_inode_hash(struct inode *inode, void *dst, u32 size)
> + *	Description
> + *		Returns the stored IMA hash of the *inode* (if it's avaialable).
> + *		If the hash is larger than *size*, then only *size*
> + *		bytes will be copied to *dst*
> + *	Return
> + *		The **hash_algo** of is returned on success,

of => if?

> + *		**-EOPNOTSUP** if IMA is disabled and **-EINVAL** if

and => or.

> + *		invalid arguments are passed.
>    */
>   #define __BPF_FUNC_MAPPER(FN)		\
>   	FN(unspec),			\
> @@ -3970,6 +3980,7 @@ union bpf_attr {
>   	FN(get_current_task_btf),	\
>   	FN(bprm_opts_set),		\
>   	FN(ktime_get_coarse_ns),	\
> +	FN(ima_inode_hash),		\
>   	/* */
>   
>   /* integer value in 'imm' field of BPF_CALL instruction selects which helper
> 
