lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Mon, 28 Mar 2022 11:16:41 -0700 From: Stanislav Fomichev <sdf@...gle.com> To: netdev@...r.kernel.org, bpf@...r.kernel.org Cc: ast@...nel.org, daniel@...earbox.net, andrii@...nel.org, Stanislav Fomichev <sdf@...gle.com> Subject: [PATCH bpf-next 4/7] bpf: allow writing to a subset of sock fields from lsm progtype For now, allow only the obvious ones, like sk_priority and sk_mark. Signed-off-by: Stanislav Fomichev <sdf@...gle.com> --- kernel/bpf/bpf_lsm.c | 58 +++++++++++++++++++++++++++++++++++++++++++ kernel/bpf/verifier.c | 3 ++- 2 files changed, 60 insertions(+), 1 deletion(-) diff --git a/kernel/bpf/bpf_lsm.c b/kernel/bpf/bpf_lsm.c index 9cc2f0bf78f1..86e2ec2ce7fd 100644 --- a/kernel/bpf/bpf_lsm.c +++ b/kernel/bpf/bpf_lsm.c @@ -332,7 +332,65 @@ bool bpf_lsm_is_sleepable_hook(u32 btf_id) const struct bpf_prog_ops lsm_prog_ops = { }; +static int lsm_btf_struct_access(struct bpf_verifier_log *log, + const struct btf *btf, + const struct btf_type *t, int off, + int size, enum bpf_access_type atype, + u32 *next_btf_id, + enum bpf_type_flag *flag) +{ + const struct btf_type *sock_type; + struct btf *btf_vmlinux; + s32 type_id; + size_t end; + + if (atype == BPF_READ) + return btf_struct_access(log, btf, t, off, size, atype, next_btf_id, + flag); + + btf_vmlinux = bpf_get_btf_vmlinux(); + if (!btf_vmlinux) { + bpf_log(log, "no vmlinux btf\n"); + return -EOPNOTSUPP; + } + + type_id = btf_find_by_name_kind(btf_vmlinux, "sock", BTF_KIND_STRUCT); + if (type_id < 0) { + bpf_log(log, "'struct sock' not found in vmlinux btf\n"); + return -EINVAL; + } + + sock_type = btf_type_by_id(btf_vmlinux, type_id); + + if (t != sock_type) { + bpf_log(log, "only 'struct sock' writes are supported\n"); + return -EACCES; + } + + switch (off) { + case bpf_ctx_range(struct sock, sk_priority): + end = offsetofend(struct sock, sk_priority); + break; + case bpf_ctx_range(struct sock, sk_mark): + end = offsetofend(struct sock, sk_mark); + break; + default: + bpf_log(log, "no write support to 'struct sock' at off %d\n", off); + return -EACCES; + } + + if (off + size > end) { + bpf_log(log, + "write access at off %d with size %d beyond the member of 'struct sock' ended at %zu\n", + off, size, end); + return -EACCES; + } + + return NOT_INIT; +} + const struct bpf_verifier_ops lsm_verifier_ops = { .get_func_proto = bpf_lsm_func_proto, .is_valid_access = btf_ctx_access, + .btf_struct_access = lsm_btf_struct_access, }; diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index 1d2f2e7babb2..d42ee0033755 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -12843,7 +12843,8 @@ static int convert_ctx_accesses(struct bpf_verifier_env *env) insn->code = BPF_LDX | BPF_PROBE_MEM | BPF_SIZE((insn)->code); env->prog->aux->num_exentries++; - } else if (resolve_prog_type(env->prog) != BPF_PROG_TYPE_STRUCT_OPS) { + } else if (resolve_prog_type(env->prog) != BPF_PROG_TYPE_STRUCT_OPS && + resolve_prog_type(env->prog) != BPF_PROG_TYPE_LSM) { verbose(env, "Writes through BTF pointers are not allowed\n"); return -EINVAL; } -- 2.35.1.1021.g381101b075-goog
Powered by blists - more mailing lists