Commit 170a6558 authored by Xu Kuohai's avatar Xu Kuohai Committed by Tengda Wu
Browse files

bpf, lsm: Add disabled BPF LSM hook list 

mainline inclusion
from mainline-v6.12-rc1
commit 21c7063f6d08ab9afa088584939791bee0c177e5
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYPJF
CVE: CVE-2024-47703

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=21c7063f6d08ab9afa088584939791bee0c177e5



--------------------------------

Add a disabled hooks list for BPF LSM. progs being attached to the
listed hooks will be rejected by the verifier.

Suggested-by: default avatarKP Singh <kpsingh@kernel.org>
Signed-off-by: default avatarXu Kuohai <xukuohai@huawei.com>
Link: https://lore.kernel.org/r/20240719110059.797546-2-xukuohai@huaweicloud.com


Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
Signed-off-by: default avatarAndrii Nakryiko <andrii@kernel.org>

Conflicts:
	kernel/bpf/bpf_lsm.c
[Did not backport 69fd337a ("bpf: per-cgroup lsm flavor")]
Signed-off-by: default avatarTengda Wu <wutengda2@huawei.com>
parent cc5e1415

kernel/bpf/bpf_lsm.c

+28 −2
Original line number Diff line number Diff line
@@ -33,18 +33,44 @@ BTF_SET_START(bpf_lsm_hooks) 
#undef LSM_HOOK

BTF_SET_END(bpf_lsm_hooks)



BTF_SET_START(bpf_lsm_disabled_hooks)

BTF_ID(func, bpf_lsm_vm_enough_memory)

BTF_ID(func, bpf_lsm_inode_need_killpriv)

BTF_ID(func, bpf_lsm_inode_getsecurity)

BTF_ID(func, bpf_lsm_inode_listsecurity)

BTF_ID(func, bpf_lsm_inode_copy_up_xattr)

BTF_ID(func, bpf_lsm_getprocattr)

BTF_ID(func, bpf_lsm_setprocattr)

#ifdef CONFIG_KEYS

BTF_ID(func, bpf_lsm_key_getsecurity)

#endif

#ifdef CONFIG_AUDIT

BTF_ID(func, bpf_lsm_audit_rule_match)

#endif

BTF_ID(func, bpf_lsm_ismaclabel)

BTF_SET_END(bpf_lsm_disabled_hooks)



int bpf_lsm_verify_prog(struct bpf_verifier_log *vlog,

			const struct bpf_prog *prog)

{

	u32 btf_id = prog->aux->attach_btf_id;

	const char *func_name = prog->aux->attach_func_name;



	if (!prog->gpl_compatible) {

		bpf_log(vlog,

			"LSM programs must have a GPL compatible license\n");

		return -EINVAL;

	}



	if (!btf_id_set_contains(&bpf_lsm_hooks, prog->aux->attach_btf_id)) {

	if (btf_id_set_contains(&bpf_lsm_disabled_hooks, btf_id)) {

		bpf_log(vlog, "attach_btf_id %u points to disabled hook %s\n",

			btf_id, func_name);

		return -EINVAL;

	}



	if (!btf_id_set_contains(&bpf_lsm_hooks, btf_id)) {

		bpf_log(vlog, "attach_btf_id %u points to wrong type name %s\n",

			prog->aux->attach_btf_id, prog->aux->attach_func_name);

			btf_id, func_name);

		return -EINVAL;

	}