From: Andrii Nakryiko <andrii@kernel.org>
To: bpf@vger.kernel.org, netdev@vger.kernel.org, paul@paul-moore.com,
brauner@kernel.org
Cc: torvalds@linux-foundation.org, linux-fsdevel@vger.kernel.org,
linux-security-module@vger.kernel.org, kernel-team@meta.com
Subject: [PATCH v2 bpf-next 11/30] bpf,lsm: add BPF token LSM hooks
Date: Tue, 23 Jan 2024 18:21:08 -0800 [thread overview]
Message-ID: <20240124022127.2379740-12-andrii@kernel.org> (raw)
In-Reply-To: <20240124022127.2379740-1-andrii@kernel.org>
Wire up bpf_token_create and bpf_token_free LSM hooks, which allow to
allocate LSM security blob (we add `void *security` field to struct
bpf_token for that), but also control who can instantiate BPF token.
This follows existing pattern for BPF map and BPF prog.
Also add security_bpf_token_allow_cmd() and security_bpf_token_capable()
LSM hooks that allow LSM implementation to control and negate (if
necessary) BPF token's delegation of a specific bpf_cmd and capability,
respectively.
Acked-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
---
include/linux/bpf.h | 3 ++
include/linux/lsm_hook_defs.h | 5 +++
include/linux/security.h | 25 +++++++++++++++
kernel/bpf/bpf_lsm.c | 4 +++
kernel/bpf/token.c | 12 ++++++-
security/security.c | 60 +++++++++++++++++++++++++++++++++++
6 files changed, 108 insertions(+), 1 deletion(-)
diff --git a/include/linux/bpf.h b/include/linux/bpf.h
index 1b556c74f43f..2a184a847381 100644
--- a/include/linux/bpf.h
+++ b/include/linux/bpf.h
@@ -1634,6 +1634,9 @@ struct bpf_token {
u64 allowed_maps;
u64 allowed_progs;
u64 allowed_attachs;
+#ifdef CONFIG_SECURITY
+ void *security;
+#endif
};
struct bpf_struct_ops_value;
diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h
index 1be4d3ca6efb..cd6fbc7af3f8 100644
--- a/include/linux/lsm_hook_defs.h
+++ b/include/linux/lsm_hook_defs.h
@@ -410,6 +410,11 @@ LSM_HOOK(void, LSM_RET_VOID, bpf_map_free, struct bpf_map *map)
LSM_HOOK(int, 0, bpf_prog_load, struct bpf_prog *prog, union bpf_attr *attr,
struct bpf_token *token)
LSM_HOOK(void, LSM_RET_VOID, bpf_prog_free, struct bpf_prog *prog)
+LSM_HOOK(int, 0, bpf_token_create, struct bpf_token *token, union bpf_attr *attr,
+ struct path *path)
+LSM_HOOK(void, LSM_RET_VOID, bpf_token_free, struct bpf_token *token)
+LSM_HOOK(int, 0, bpf_token_cmd, const struct bpf_token *token, enum bpf_cmd cmd)
+LSM_HOOK(int, 0, bpf_token_capable, const struct bpf_token *token, int cap)
#endif /* CONFIG_BPF_SYSCALL */
LSM_HOOK(int, 0, locked_down, enum lockdown_reason what)
diff --git a/include/linux/security.h b/include/linux/security.h
index 83fcdc974116..15804af54f37 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -32,6 +32,7 @@
#include <linux/string.h>
#include <linux/mm.h>
#include <linux/sockptr.h>
+#include <linux/bpf.h>
#include <uapi/linux/lsm.h>
struct linux_binprm;
@@ -2075,6 +2076,11 @@ extern void security_bpf_map_free(struct bpf_map *map);
extern int security_bpf_prog_load(struct bpf_prog *prog, union bpf_attr *attr,
struct bpf_token *token);
extern void security_bpf_prog_free(struct bpf_prog *prog);
+extern int security_bpf_token_create(struct bpf_token *token, union bpf_attr *attr,
+ struct path *path);
+extern void security_bpf_token_free(struct bpf_token *token);
+extern int security_bpf_token_cmd(const struct bpf_token *token, enum bpf_cmd cmd);
+extern int security_bpf_token_capable(const struct bpf_token *token, int cap);
#else
static inline int security_bpf(int cmd, union bpf_attr *attr,
unsigned int size)
@@ -2109,6 +2115,25 @@ static inline int security_bpf_prog_load(struct bpf_prog *prog, union bpf_attr *
static inline void security_bpf_prog_free(struct bpf_prog *prog)
{ }
+
+static inline int security_bpf_token_create(struct bpf_token *token, union bpf_attr *attr,
+ struct path *path)
+{
+ return 0;
+}
+
+static inline void security_bpf_token_free(struct bpf_token *token)
+{ }
+
+static inline int security_bpf_token_cmd(const struct bpf_token *token, enum bpf_cmd cmd)
+{
+ return 0;
+}
+
+static inline int security_bpf_token_capable(const struct bpf_token *token, int cap)
+{
+ return 0;
+}
#endif /* CONFIG_SECURITY */
#endif /* CONFIG_BPF_SYSCALL */
diff --git a/kernel/bpf/bpf_lsm.c b/kernel/bpf/bpf_lsm.c
index 76976908b302..63b4dc495125 100644
--- a/kernel/bpf/bpf_lsm.c
+++ b/kernel/bpf/bpf_lsm.c
@@ -265,6 +265,10 @@ BTF_ID(func, bpf_lsm_bpf_map_free)
BTF_ID(func, bpf_lsm_bpf_prog)
BTF_ID(func, bpf_lsm_bpf_prog_load)
BTF_ID(func, bpf_lsm_bpf_prog_free)
+BTF_ID(func, bpf_lsm_bpf_token_create)
+BTF_ID(func, bpf_lsm_bpf_token_free)
+BTF_ID(func, bpf_lsm_bpf_token_cmd)
+BTF_ID(func, bpf_lsm_bpf_token_capable)
BTF_ID(func, bpf_lsm_bprm_check_security)
BTF_ID(func, bpf_lsm_bprm_committed_creds)
BTF_ID(func, bpf_lsm_bprm_committing_creds)
diff --git a/kernel/bpf/token.c b/kernel/bpf/token.c
index c13c73788d8c..64c568f47f69 100644
--- a/kernel/bpf/token.c
+++ b/kernel/bpf/token.c
@@ -7,6 +7,7 @@
#include <linux/idr.h>
#include <linux/namei.h>
#include <linux/user_namespace.h>
+#include <linux/security.h>
static bool bpf_ns_capable(struct user_namespace *ns, int cap)
{
@@ -21,6 +22,8 @@ bool bpf_token_capable(const struct bpf_token *token, int cap)
userns = token ? token->userns : &init_user_ns;
if (!bpf_ns_capable(userns, cap))
return false;
+ if (token && security_bpf_token_capable(token, cap) < 0)
+ return false;
return true;
}
@@ -31,6 +34,7 @@ void bpf_token_inc(struct bpf_token *token)
static void bpf_token_free(struct bpf_token *token)
{
+ security_bpf_token_free(token);
put_user_ns(token->userns);
kfree(token);
}
@@ -193,6 +197,10 @@ int bpf_token_create(union bpf_attr *attr)
token->allowed_progs = mnt_opts->delegate_progs;
token->allowed_attachs = mnt_opts->delegate_attachs;
+ err = security_bpf_token_create(token, attr, &path);
+ if (err)
+ goto out_token;
+
fd = get_unused_fd_flags(O_CLOEXEC);
if (fd < 0) {
err = fd;
@@ -237,7 +245,9 @@ bool bpf_token_allow_cmd(const struct bpf_token *token, enum bpf_cmd cmd)
{
if (!token)
return false;
- return token->allowed_cmds & (1ULL << cmd);
+ if (!(token->allowed_cmds & (1ULL << cmd)))
+ return false;
+ return security_bpf_token_cmd(token, cmd) == 0;
}
bool bpf_token_allow_map_type(const struct bpf_token *token, enum bpf_map_type type)
diff --git a/security/security.c b/security/security.c
index 26fcab35b6cd..73e009e3d937 100644
--- a/security/security.c
+++ b/security/security.c
@@ -5444,6 +5444,55 @@ int security_bpf_prog_load(struct bpf_prog *prog, union bpf_attr *attr,
return call_int_hook(bpf_prog_load, 0, prog, attr, token);
}
+/**
+ * security_bpf_token_create() - Check if creating of BPF token is allowed
+ * @token: BPF token object
+ * @attr: BPF syscall attributes used to create BPF token
+ * @path: path pointing to BPF FS mount point from which BPF token is created
+ *
+ * Do a check when the kernel instantiates a new BPF token object from BPF FS
+ * instance. This is also the point where LSM blob can be allocated for LSMs.
+ *
+ * Return: Returns 0 on success, error on failure.
+ */
+int security_bpf_token_create(struct bpf_token *token, union bpf_attr *attr,
+ struct path *path)
+{
+ return call_int_hook(bpf_token_create, 0, token, attr, path);
+}
+
+/**
+ * security_bpf_token_cmd() - Check if BPF token is allowed to delegate
+ * requested BPF syscall command
+ * @token: BPF token object
+ * @cmd: BPF syscall command requested to be delegated by BPF token
+ *
+ * Do a check when the kernel decides whether provided BPF token should allow
+ * delegation of requested BPF syscall command.
+ *
+ * Return: Returns 0 on success, error on failure.
+ */
+int security_bpf_token_cmd(const struct bpf_token *token, enum bpf_cmd cmd)
+{
+ return call_int_hook(bpf_token_cmd, 0, token, cmd);
+}
+
+/**
+ * security_bpf_token_capable() - Check if BPF token is allowed to delegate
+ * requested BPF-related capability
+ * @token: BPF token object
+ * @cap: capabilities requested to be delegated by BPF token
+ *
+ * Do a check when the kernel decides whether provided BPF token should allow
+ * delegation of requested BPF-related capabilities.
+ *
+ * Return: Returns 0 on success, error on failure.
+ */
+int security_bpf_token_capable(const struct bpf_token *token, int cap)
+{
+ return call_int_hook(bpf_token_capable, 0, token, cap);
+}
+
/**
* security_bpf_map_free() - Free a bpf map's LSM blob
* @map: bpf map
@@ -5465,6 +5514,17 @@ void security_bpf_prog_free(struct bpf_prog *prog)
{
call_void_hook(bpf_prog_free, prog);
}
+
+/**
+ * security_bpf_token_free() - Free a BPF token's LSM blob
+ * @token: BPF token struct
+ *
+ * Clean up the security information stored inside BPF token.
+ */
+void security_bpf_token_free(struct bpf_token *token)
+{
+ call_void_hook(bpf_token_free, token);
+}
#endif /* CONFIG_BPF_SYSCALL */
/**
--
2.34.1
next prev parent reply other threads:[~2024-01-24 2:22 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-01-24 2:20 [PATCH v2 bpf-next 00/30] BPF token Andrii Nakryiko
2024-01-24 2:20 ` [PATCH v2 bpf-next 01/30] bpf: align CAP_NET_ADMIN checks with bpf_capable() approach Andrii Nakryiko
2024-01-24 2:20 ` [PATCH v2 bpf-next 02/30] bpf: add BPF token delegation mount options to BPF FS Andrii Nakryiko
2024-01-24 2:21 ` [PATCH v2 bpf-next 03/30] bpf: introduce BPF token object Andrii Nakryiko
2024-01-24 2:21 ` [PATCH v2 bpf-next 04/30] bpf: add BPF token support to BPF_MAP_CREATE command Andrii Nakryiko
2024-01-24 2:21 ` [PATCH v2 bpf-next 05/30] bpf: add BPF token support to BPF_BTF_LOAD command Andrii Nakryiko
2024-01-24 2:21 ` [PATCH v2 bpf-next 06/30] bpf: add BPF token support to BPF_PROG_LOAD command Andrii Nakryiko
2024-01-24 2:21 ` [PATCH v2 bpf-next 07/30] bpf: take into account BPF token when fetching helper protos Andrii Nakryiko
2024-01-24 2:21 ` [PATCH v2 bpf-next 08/30] bpf: consistently use BPF token throughout BPF verifier logic Andrii Nakryiko
2024-01-24 2:21 ` [PATCH v2 bpf-next 09/30] bpf,lsm: refactor bpf_prog_alloc/bpf_prog_free LSM hooks Andrii Nakryiko
2024-01-24 2:21 ` [PATCH v2 bpf-next 10/30] bpf,lsm: refactor bpf_map_alloc/bpf_map_free " Andrii Nakryiko
2024-01-24 2:21 ` Andrii Nakryiko [this message]
2024-01-24 2:21 ` [PATCH v2 bpf-next 12/30] libbpf: add bpf_token_create() API Andrii Nakryiko
2024-01-24 2:21 ` [PATCH v2 bpf-next 13/30] libbpf: add BPF token support to bpf_map_create() API Andrii Nakryiko
2024-01-24 2:21 ` [PATCH v2 bpf-next 14/30] libbpf: add BPF token support to bpf_btf_load() API Andrii Nakryiko
2024-01-24 2:21 ` [PATCH v2 bpf-next 15/30] libbpf: add BPF token support to bpf_prog_load() API Andrii Nakryiko
2024-01-24 2:21 ` [PATCH v2 bpf-next 16/30] selftests/bpf: add BPF token-enabled tests Andrii Nakryiko
2024-01-24 2:21 ` [PATCH v2 bpf-next 17/30] bpf,selinux: allocate bpf_security_struct per BPF token Andrii Nakryiko
2024-01-24 2:21 ` [PATCH v2 bpf-next 18/30] bpf: fail BPF_TOKEN_CREATE if no delegation option was set on BPF FS Andrii Nakryiko
2024-01-24 2:21 ` [PATCH v2 bpf-next 19/30] bpf: support symbolic BPF FS delegation mount options Andrii Nakryiko
2024-01-24 2:21 ` [PATCH v2 bpf-next 20/30] selftests/bpf: utilize string values for delegate_xxx " Andrii Nakryiko
2024-01-24 2:21 ` [PATCH v2 bpf-next 21/30] libbpf: split feature detectors definitions from cached results Andrii Nakryiko
2024-01-24 2:21 ` [PATCH v2 bpf-next 22/30] libbpf: further decouple feature checking logic from bpf_object Andrii Nakryiko
2024-01-24 2:21 ` [PATCH v2 bpf-next 23/30] libbpf: move feature detection code into its own file Andrii Nakryiko
2024-01-24 2:21 ` [PATCH v2 bpf-next 24/30] libbpf: wire up token_fd into feature probing logic Andrii Nakryiko
2024-01-24 2:21 ` [PATCH v2 bpf-next 25/30] libbpf: wire up BPF token support at BPF object level Andrii Nakryiko
2024-01-24 2:21 ` [PATCH v2 bpf-next 26/30] selftests/bpf: add BPF object loading tests with explicit token passing Andrii Nakryiko
2024-01-24 2:21 ` [PATCH v2 bpf-next 27/30] selftests/bpf: add tests for BPF object load with implicit token Andrii Nakryiko
2024-01-24 2:21 ` [PATCH v2 bpf-next 28/30] libbpf: support BPF token path setting through LIBBPF_BPF_TOKEN_PATH envvar Andrii Nakryiko
2024-01-24 2:21 ` [PATCH v2 bpf-next 29/30] selftests/bpf: add tests for " Andrii Nakryiko
2024-01-24 2:21 ` [PATCH v2 bpf-next 30/30] selftests/bpf: incorporate LSM policy to token-based tests Andrii Nakryiko
2024-01-25 0:10 ` [PATCH v2 bpf-next 00/30] BPF token patchwork-bot+netdevbpf
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240124022127.2379740-12-andrii@kernel.org \
--to=andrii@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=brauner@kernel.org \
--cc=kernel-team@meta.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.