From patchwork Mon Aug 29 11:47:25 2016
X-Patchwork-Submitter: Sargun Dhillon
X-Patchwork-Id: 9303693
Date: Mon, 29 Aug 2016 04:47:25 -0700
From: Sargun Dhillon
To: netdev@vger.kernel.org
Cc: cgroups@vger.kernel.org, linux-security-module@vger.kernel.org, daniel@iogearbox.net, ast@fb.com
Subject: [net-next RFC v2 6/9] bpf: Share current_task_under_cgroup helper and expose to Checmate programs
Message-ID: <20160829114723.GA20889@ircssh.c.rugged-nimbus-611.internal>

This patch exposes the current_task_under_cgroup helper to Checmate programs. It can be used to implement exemptions for certain policies when using Checmate programs by wrapping a pre-compiled policy in a tail call along with this helper.
Signed-off-by: Sargun Dhillon --- include/linux/bpf.h | 1 + kernel/bpf/helpers.c | 29 +++++++++++++++++++++++++++++ kernel/trace/bpf_trace.c | 28 ---------------------------- security/checmate/checmate_bpf.c | 2 ++ 4 files changed, 32 insertions(+), 28 deletions(-) diff --git a/include/linux/bpf.h b/include/linux/bpf.h index 4e1fa57..5c5ed16 100644 --- a/include/linux/bpf.h +++ b/include/linux/bpf.h @@ -316,6 +316,7 @@ extern const struct bpf_func_proto bpf_skb_vlan_pop_proto; extern const struct bpf_func_proto bpf_get_stackid_proto; extern const struct bpf_func_proto bpf_get_current_task_proto; extern const struct bpf_func_proto bpf_probe_read_proto; +extern const struct bpf_func_proto bpf_current_task_under_cgroup_proto; /* Shared helpers among cBPF and eBPF. */ void bpf_user_rnd_init_once(void); diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c index c439afc..ffaaa4b 100644 --- a/kernel/bpf/helpers.c +++ b/kernel/bpf/helpers.c @@ -17,6 +17,7 @@ #include #include #include +#include /* If kernel subsystem is allowing eBPF programs to call this function, * inside its own verifier_ops->get_func_proto() callback it should return 
@@ -212,6 +213,34 @@ static u64 bpf_probe_read(u64 r1, u64 r2, u64 r3, u64 r4, u64 r5) return ret; } +static u64 bpf_current_task_under_cgroup(u64 r1, u64 r2, u64 r3, u64 r4, u64 r5) +{ + struct bpf_map *map = (struct bpf_map *)(long)r1; + struct bpf_array *array = container_of(map, struct bpf_array, map); + struct cgroup *cgrp; + u32 idx = (u32)r2; + + if (unlikely(in_interrupt())) + return -EINVAL; + + if (unlikely(idx >= array->map.max_entries)) + return -E2BIG; + + cgrp = READ_ONCE(array->ptrs[idx]); + if (unlikely(!cgrp)) + return -EAGAIN; + + return task_under_cgroup_hierarchy(current, cgrp); +} + +const struct bpf_func_proto bpf_current_task_under_cgroup_proto = { + .func = bpf_current_task_under_cgroup, + .gpl_only = false, + .ret_type = RET_INTEGER, + .arg1_type = ARG_CONST_MAP_PTR, + .arg2_type = ARG_ANYTHING, +}; + const struct bpf_func_proto bpf_probe_read_proto = { .func = bpf_probe_read, .gpl_only = true, diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c index cb96eda..3725df2 100644 --- a/kernel/trace/bpf_trace.c +++ b/kernel/trace/bpf_trace.c 
@@ -343,34 +343,6 @@ u64 bpf_event_output(struct bpf_map *map, u64 flags, void *meta, u64 meta_size, return __bpf_perf_event_output(regs, map, flags, &raw); } -static u64 bpf_current_task_under_cgroup(u64 r1, u64 r2, u64 r3, u64 r4, u64 r5) -{ - struct bpf_map *map = (struct bpf_map *)(long)r1; - struct bpf_array *array = container_of(map, struct bpf_array, map); - struct cgroup *cgrp; - u32 idx = (u32)r2; - - if (unlikely(in_interrupt())) - return -EINVAL; - - if (unlikely(idx >= array->map.max_entries)) - return -E2BIG; - - cgrp = READ_ONCE(array->ptrs[idx]); - if (unlikely(!cgrp)) - return -EAGAIN; - - return task_under_cgroup_hierarchy(current, cgrp); -} - -static const struct bpf_func_proto bpf_current_task_under_cgroup_proto = { - .func = bpf_current_task_under_cgroup, - .gpl_only = false, - .ret_type = RET_INTEGER, - .arg1_type = ARG_CONST_MAP_PTR, - .arg2_type = ARG_ANYTHING, -}; - static const struct bpf_func_proto *tracing_func_proto(enum bpf_func_id func_id) { switch (func_id) { diff --git a/security/checmate/checmate_bpf.c b/security/checmate/checmate_bpf.c index 24d6935..37ea609 100644 --- a/security/checmate/checmate_bpf.c +++ b/security/checmate/checmate_bpf.c @@ -91,6 +91,8 @@ checmate_prog_func_proto(enum bpf_func_id func_id) return &bpf_probe_write_user_proto; case BPF_FUNC_trace_printk: return bpf_get_trace_printk_proto(); + case BPF_FUNC_current_task_under_cgroup: + return &bpf_current_task_under_cgroup_proto; default: return NULL; }
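Review bot: the new `#include` hunk in kernel/bpf/helpers.c renders here with its target stripped (`+#include` and nothing after it), so the header being pulled in cannot be checked from this posting; the moved function calls task_under_cgroup_hierarchy(), so make sure the include is the header that declares that function rather than something that only reaches it indirectly, and consider resending so the line survives list archiving.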
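Review bot: in the bpf_current_task_under_cgroup() hunk in kernel/bpf/helpers.c, nothing in the helper checks that the map passed as r1 is a cgroup array before `container_of(map, struct bpf_array, map)` and `READ_ONCE(array->ptrs[idx])` treat its entries as `struct cgroup *`; that is only safe if the verifier's map/helper compatibility check restricts BPF_FUNC_current_task_under_cgroup to BPF_MAP_TYPE_CGROUP_ARRAY for the Checmate program type the same way it does for tracing programs, and this patch does not touch the verifier, so please say in the commit message where that restriction comes from. The lockless `READ_ONCE(array->ptrs[idx])` likewise assumes the program runs under rcu_read_lock(), which the Checmate hook that invokes the program must provide. Minor: now that the function is shared, a one-line comment on the `in_interrupt()` check would help; for LSM hooks, which run in process context, that -EINVAL path should never fire.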
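Review bot: the kernel/trace/bpf_trace.c hunk is a pure relocation of the helper and its proto into kernel/bpf/helpers.c (the diffstat's -28 here against +29 there, the extra line being the include), with the proto going from `static const` to `const` so the extern in include/linux/bpf.h can reach it; the commit message says "Share", so state plainly that the function is moved, not duplicated, and that tracing_func_proto() keeps returning the same proto through the new extern.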
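Review bot: in the security/checmate/checmate_bpf.c hunk, the exemption pattern the commit message describes (consult this helper, then tail-call a pre-compiled policy) also needs BPF_FUNC_tail_call returned from checmate_prog_func_proto(); the visible context only shows the probe_write_user and trace_printk cases, so either that case already exists above the hunk or it needs adding in this series, and the commit message should say which. Also worth documenting for Checmate authors: the helper returns 1 when current is under the cgroup, 0 when not, and the negative values -EINVAL, -E2BIG and -EAGAIN on error, all of which are non-zero; a program that tests `if (bpf_current_task_under_cgroup(...))` would exempt the task on error, so callers should compare the result against 1.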