// SPDX-License-Identifier: GPL-2.0

/*
 * Copyright (C) 2020 Google LLC.
 */

#include <linux/filter.h>
#include <linux/bpf.h>
#include <linux/btf.h>
#include <linux/lsm_hooks.h>
#include <linux/bpf_lsm.h>
#include <linux/kallsyms.h>
#include <linux/bpf_verifier.h>
#include <net/bpf_sk_storage.h>
#include <linux/bpf_local_storage.h>

/* For every LSM hook that allows attachment of BPF programs, declare a nop
 * function where a BPF program can be attached.
 *
 * LSM_HOOK() is defined only for the duration of the include below, so each
 * use of it in lsm_hook_defs.h expands to a noinline bpf_lsm_<NAME>() stub
 * whose body does nothing but return the hook's DEFAULT value.  The
 * define / include / undef order must be kept as is.
 */
#define LSM_HOOK(RET, DEFAULT, NAME, ...)	\
noinline RET bpf_lsm_##NAME(__VA_ARGS__)	\
{						\
	return DEFAULT;				\
}

#include <linux/lsm_hook_defs.h>
#undef LSM_HOOK

/* Symbol-name prefix carried by every stub generated above. */
#define BPF_LSM_SYM_PREFX  "bpf_lsm_"

/**
 * bpf_lsm_verify_prog - load-time policy checks for a BPF LSM program
 * @vlog: verifier log that receives the reason for a rejection
 * @prog: program being checked
 *
 * A program is accepted only when it is flagged GPL compatible and the name
 * of its attach target begins with BPF_LSM_SYM_PREFX.
 *
 * NOTE(review): the target test compares the name prefix only; on its own
 * it does not establish that the target is one of the stubs generated from
 * lsm_hook_defs.h.  Matching attach_btf_id against an explicit set of hook
 * ids would be a stricter gate -- confirm what the caller guarantees.
 *
 * NOTE(review): prog->aux->attach_func_name is used without a NULL check;
 * presumably the caller has resolved it before this runs -- verify.
 *
 * Return: 0 when both checks pass, -EINVAL otherwise.
 */
int bpf_lsm_verify_prog(struct bpf_verifier_log *vlog,
			const struct bpf_prog *prog)
{
	const size_t prefix_len = sizeof(BPF_LSM_SYM_PREFX) - 1;
	const char *target;

	/* License gate comes first; the attach target is not looked at yet. */
	if (!prog->gpl_compatible) {
		bpf_log(vlog,
			"LSM programs must have a GPL compatible license\n");
		return -EINVAL;
	}

	target = prog->aux->attach_func_name;
	if (strncmp(BPF_LSM_SYM_PREFX, target, prefix_len) == 0)
		return 0;

	bpf_log(vlog, "attach_btf_id %u points to wrong type name %s\n",
		prog->aux->attach_btf_id, target);
	return -EINVAL;
}

/*
 * Helper lookup for LSM programs.  The inode and socket local-storage
 * helpers are resolved here; every other helper id is handed to
 * tracing_prog_func_proto(), so the remaining helper surface is whatever
 * that function grants.
 */
static const struct bpf_func_proto *
bpf_lsm_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
{
	const struct bpf_func_proto *proto;

	switch (func_id) {
	case BPF_FUNC_inode_storage_get:
		proto = &bpf_inode_storage_get_proto;
		break;
	case BPF_FUNC_inode_storage_delete:
		proto = &bpf_inode_storage_delete_proto;
		break;
	case BPF_FUNC_sk_storage_get:
		proto = &bpf_sk_storage_get_proto;
		break;
	case BPF_FUNC_sk_storage_delete:
		proto = &bpf_sk_storage_delete_proto;
		break;
	default:
		proto = tracing_prog_func_proto(func_id, prog);
		break;
	}

	return proto;
}

/* No program-type specific callbacks are set for LSM programs. */
const struct bpf_prog_ops lsm_prog_ops = {
};

/*
 * Verifier callbacks for LSM programs: helper resolution goes through
 * bpf_lsm_func_proto() and context accesses are checked by btf_ctx_access().
 */
const struct bpf_verifier_ops lsm_verifier_ops = {
	.get_func_proto = bpf_lsm_func_proto,
	.is_valid_access = btf_ctx_access,
};