Commit 591fe988 authored by Daniel Borkmann's avatar Daniel Borkmann Committed by Alexei Starovoitov
Browse files

bpf: add program side {rd, wr}only support for maps 



This work adds two new map creation flags BPF_F_RDONLY_PROG
and BPF_F_WRONLY_PROG in order to allow for read-only or
write-only BPF maps from a BPF program side.

Today we have BPF_F_RDONLY and BPF_F_WRONLY, but this only
applies to system call side, meaning the BPF program has full
read/write access to the map as usual while bpf(2) calls with
map fd can either only read or write into the map depending
on the flags. BPF_F_RDONLY_PROG and BPF_F_WRONLY_PROG allows
for the exact opposite such that verifier is going to reject
program loads if write into a read-only map or a read into a
write-only map is detected. For read-only map case also some
helpers are forbidden for programs that would alter the map
state such as map deletion, update, etc. As opposed to the two
BPF_F_RDONLY / BPF_F_WRONLY flags, BPF_F_RDONLY_PROG as well
as BPF_F_WRONLY_PROG really do correspond to the map lifetime.

We've enabled this generic map extension to various non-special
maps holding normal user data: array, hash, lru, lpm, local
storage, queue and stack. Further generic map types could be
followed up in future depending on use-case. Main use case
here is to forbid writes into .rodata map values from verifier
side.

Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
Acked-by: default avatarMartin KaFai Lau <kafai@fb.com>
Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
parent be70bcd5

include/linux/bpf.h

+29 −0
Original line number Diff line number Diff line
@@ -430,6 +430,35 @@ struct bpf_array { 
#define BPF_COMPLEXITY_LIMIT_INSNS      1000000 /* yes. 1M insns */

#define MAX_TAIL_CALL_CNT 32



#define BPF_F_ACCESS_MASK	(BPF_F_RDONLY |		\

				 BPF_F_RDONLY_PROG |	\

				 BPF_F_WRONLY |		\

				 BPF_F_WRONLY_PROG)



#define BPF_MAP_CAN_READ	BIT(0)

#define BPF_MAP_CAN_WRITE	BIT(1)



static inline u32 bpf_map_flags_to_cap(struct bpf_map *map)

{

	u32 access_flags = map->map_flags & (BPF_F_RDONLY_PROG | BPF_F_WRONLY_PROG);



	/* Combination of BPF_F_RDONLY_PROG | BPF_F_WRONLY_PROG is

	 * not possible.

	 */

	if (access_flags & BPF_F_RDONLY_PROG)

		return BPF_MAP_CAN_READ;

	else if (access_flags & BPF_F_WRONLY_PROG)

		return BPF_MAP_CAN_WRITE;

	else

		return BPF_MAP_CAN_READ | BPF_MAP_CAN_WRITE;

}



static inline bool bpf_map_flags_access_ok(u32 access_flags)

{

	return (access_flags & (BPF_F_RDONLY_PROG | BPF_F_WRONLY_PROG)) !=

	       (BPF_F_RDONLY_PROG | BPF_F_WRONLY_PROG);

}



struct bpf_event_entry {

	struct perf_event *event;

	struct file *perf_file;

include/uapi/linux/bpf.h

+5 −1
Original line number Diff line number Diff line
@@ -294,7 +294,7 @@ enum bpf_attach_type { 


#define BPF_OBJ_NAME_LEN 16U



/* Flags for accessing BPF object */

/* Flags for accessing BPF object from syscall side. */

#define BPF_F_RDONLY		(1U << 3)

#define BPF_F_WRONLY		(1U << 4)
@@ -304,6 +304,10 @@ enum bpf_attach_type { 
/* Zero-initialize hash function seed. This should only be used for testing. */

#define BPF_F_ZERO_SEED		(1U << 6)



/* Flags for accessing BPF object from program side. */

#define BPF_F_RDONLY_PROG	(1U << 7)

#define BPF_F_WRONLY_PROG	(1U << 8)



/* flags for BPF_PROG_QUERY */

#define BPF_F_QUERY_EFFECTIVE	(1U << 0)

kernel/bpf/arraymap.c

+5 −1
Original line number Diff line number Diff line
@@ -22,7 +22,7 @@ 
#include "map_in_map.h"



#define ARRAY_CREATE_FLAG_MASK \

	(BPF_F_NUMA_NODE | BPF_F_RDONLY | BPF_F_WRONLY)

	(BPF_F_NUMA_NODE | BPF_F_ACCESS_MASK)



static void bpf_array_free_percpu(struct bpf_array *array)

{
@@ -63,6 +63,7 @@ int array_map_alloc_check(union bpf_attr *attr) 
	if (attr->max_entries == 0 || attr->key_size != 4 ||

	    attr->value_size == 0 ||

	    attr->map_flags & ~ARRAY_CREATE_FLAG_MASK ||

	    !bpf_map_flags_access_ok(attr->map_flags) ||

	    (percpu && numa_node != NUMA_NO_NODE))

		return -EINVAL;
@@ -472,6 +473,9 @@ static int fd_array_map_alloc_check(union bpf_attr *attr) 
	/* only file descriptors can be stored in this type of map */

	if (attr->value_size != sizeof(u32))

		return -EINVAL;

	/* Program read-only/write-only not supported for special maps yet. */

	if (attr->map_flags & (BPF_F_RDONLY_PROG | BPF_F_WRONLY_PROG))

		return -EINVAL;

	return array_map_alloc_check(attr);

}

kernel/bpf/hashtab.c

+3 −3
Original line number Diff line number Diff line
@@ -23,7 +23,7 @@ 


#define HTAB_CREATE_FLAG_MASK						\

	(BPF_F_NO_PREALLOC | BPF_F_NO_COMMON_LRU | BPF_F_NUMA_NODE |	\

	 BPF_F_RDONLY | BPF_F_WRONLY | BPF_F_ZERO_SEED)

	 BPF_F_ACCESS_MASK | BPF_F_ZERO_SEED)



struct bucket {

	struct hlist_nulls_head head;
@@ -262,8 +262,8 @@ static int htab_map_alloc_check(union bpf_attr *attr) 
		/* Guard against local DoS, and discourage production use. */

		return -EPERM;



	if (attr->map_flags & ~HTAB_CREATE_FLAG_MASK)

		/* reserved bits should not be used */

	if (attr->map_flags & ~HTAB_CREATE_FLAG_MASK ||

	    !bpf_map_flags_access_ok(attr->map_flags))

		return -EINVAL;



	if (!lru && percpu_lru)

kernel/bpf/local_storage.c

+3 −3
Original line number Diff line number Diff line
@@ -14,7 +14,7 @@ DEFINE_PER_CPU(struct bpf_cgroup_storage*, bpf_cgroup_storage[MAX_BPF_CGROUP_STO 
#ifdef CONFIG_CGROUP_BPF



#define LOCAL_STORAGE_CREATE_FLAG_MASK					\

	(BPF_F_NUMA_NODE | BPF_F_RDONLY | BPF_F_WRONLY)

	(BPF_F_NUMA_NODE | BPF_F_ACCESS_MASK)



struct bpf_cgroup_storage_map {

	struct bpf_map map;
@@ -282,8 +282,8 @@ static struct bpf_map *cgroup_storage_map_alloc(union bpf_attr *attr) 
	if (attr->value_size > PAGE_SIZE)

		return ERR_PTR(-E2BIG);



	if (attr->map_flags & ~LOCAL_STORAGE_CREATE_FLAG_MASK)

		/* reserved bits should not be used */

	if (attr->map_flags & ~LOCAL_STORAGE_CREATE_FLAG_MASK ||

	    !bpf_map_flags_access_ok(attr->map_flags))

		return ERR_PTR(-EINVAL);



	if (attr->max_entries)

CRA Git | Maintained and supported by SUSTech CRA and CCSE