Commit 5e43f899 authored by Andrey Ignatov's avatar Andrey Ignatov Committed by Daniel Borkmann
Browse files

bpf: Check attach type at prog load time 

== The problem ==

There are use-cases when a program of some type can be attached to
multiple attach points and those attach points must have different
permissions to access context or to call helpers.

E.g. context structure may have fields for both IPv4 and IPv6 but it
doesn't make sense to read from / write to IPv6 field when attach point
is somewhere in IPv4 stack.

Same applies to BPF-helpers: it may make sense to call some helper from
some attach point, but not from other for same prog type.

== The solution ==

Introduce `expected_attach_type` field in in `struct bpf_attr` for
`BPF_PROG_LOAD` command. If scenario described in "The problem" section
is the case for some prog type, the field will be checked twice:

1) At load time prog type is checked to see if attach type for it must
   be known to validate program permissions correctly. Prog will be
   rejected with EINVAL if it's the case and `expected_attach_type` is
   not specified or has invalid value.

2) At attach time `attach_type` is compared with `expected_attach_type`,
   if prog type requires to have one, and, if they differ, attach will
   be rejected with EINVAL.

The `expected_attach_type` is now available as part of `struct bpf_prog`
in both `bpf_verifier_ops->is_valid_access()` and
`bpf_verifier_ops->get_func_proto()` () and can be used to check context
accesses and calls to helpers correspondingly.

Initially the idea was discussed by Alexei Starovoitov <ast@fb.com> and
Daniel Borkmann <daniel@iogearbox.net> here:
https://marc.info/?l=linux-netdev&m=152107378717201&w=2



Signed-off-by: default avatarAndrey Ignatov <rdna@fb.com>
Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
parent 807ae7da

include/linux/bpf.h

+4 −1
Original line number Original line Diff line number Diff line
@@ -208,12 +208,15 @@ struct bpf_prog_ops { 




struct bpf_verifier_ops {

struct bpf_verifier_ops {

	/* return eBPF function prototype for verification */

	/* return eBPF function prototype for verification */

	const struct bpf_func_proto *(*get_func_proto)(enum bpf_func_id func_id);

	const struct bpf_func_proto *

	(*get_func_proto)(enum bpf_func_id func_id,

			  const struct bpf_prog *prog);





	/* return true if 'size' wide access at offset 'off' within bpf_context

	/* return true if 'size' wide access at offset 'off' within bpf_context

	 * with 'type' (read or write) is allowed

	 * with 'type' (read or write) is allowed

	 */

	 */

	bool (*is_valid_access)(int off, int size, enum bpf_access_type type,

	bool (*is_valid_access)(int off, int size, enum bpf_access_type type,

				const struct bpf_prog *prog,

				struct bpf_insn_access_aux *info);

				struct bpf_insn_access_aux *info);

	int (*gen_prologue)(struct bpf_insn *insn, bool direct_write,

	int (*gen_prologue)(struct bpf_insn *insn, bool direct_write,

			    const struct bpf_prog *prog);

			    const struct bpf_prog *prog);

include/linux/filter.h

+1 −0
Original line number Original line Diff line number Diff line
@@ -469,6 +469,7 @@ struct bpf_prog { 
				is_func:1,	/* program is a bpf function */

				is_func:1,	/* program is a bpf function */

				kprobe_override:1; /* Do we override a kprobe? */

				kprobe_override:1; /* Do we override a kprobe? */

	enum bpf_prog_type	type;		/* Type of BPF program */

	enum bpf_prog_type	type;		/* Type of BPF program */

	enum bpf_attach_type	expected_attach_type; /* For some prog types */

	u32			len;		/* Number of filter blocks */

	u32			len;		/* Number of filter blocks */

	u32			jited_len;	/* Size of jited insns in bytes */

	u32			jited_len;	/* Size of jited insns in bytes */

	u8			tag[BPF_TAG_SIZE];

	u8			tag[BPF_TAG_SIZE];

include/uapi/linux/bpf.h

+5 −0
Original line number Original line Diff line number Diff line
@@ -296,6 +296,11 @@ union bpf_attr { 
		__u32		prog_flags;

		__u32		prog_flags;

		char		prog_name[BPF_OBJ_NAME_LEN];

		char		prog_name[BPF_OBJ_NAME_LEN];

		__u32		prog_ifindex;	/* ifindex of netdev to prep for */

		__u32		prog_ifindex;	/* ifindex of netdev to prep for */

		/* For some prog types expected attach type must be known at

		 * load time to verify attach type specific parts of prog

		 * (context accesses, allowed helpers, etc).

		 */

		__u32		expected_attach_type;

	};

	};





	struct { /* anonymous struct used by BPF_OBJ_* commands */

	struct { /* anonymous struct used by BPF_OBJ_* commands */

kernel/bpf/cgroup.c

+2 −1
Original line number Original line Diff line number Diff line
@@ -545,7 +545,7 @@ int __cgroup_bpf_check_dev_permission(short dev_type, u32 major, u32 minor, 
EXPORT_SYMBOL(__cgroup_bpf_check_dev_permission);

EXPORT_SYMBOL(__cgroup_bpf_check_dev_permission);





static const struct bpf_func_proto *

static const struct bpf_func_proto *

cgroup_dev_func_proto(enum bpf_func_id func_id)

cgroup_dev_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)

{

{

	switch (func_id) {

	switch (func_id) {

	case BPF_FUNC_map_lookup_elem:

	case BPF_FUNC_map_lookup_elem:
@@ -566,6 +566,7 @@ cgroup_dev_func_proto(enum bpf_func_id func_id) 




static bool cgroup_dev_is_valid_access(int off, int size,

static bool cgroup_dev_is_valid_access(int off, int size,

				       enum bpf_access_type type,

				       enum bpf_access_type type,

				       const struct bpf_prog *prog,

				       struct bpf_insn_access_aux *info)

				       struct bpf_insn_access_aux *info)

{

{

	const int size_default = sizeof(__u32);

	const int size_default = sizeof(__u32);

kernel/bpf/syscall.c

+30 −1
Original line number Original line Diff line number Diff line
@@ -1171,8 +1171,27 @@ struct bpf_prog *bpf_prog_get_type_dev(u32 ufd, enum bpf_prog_type type, 
}

}

EXPORT_SYMBOL_GPL(bpf_prog_get_type_dev);

EXPORT_SYMBOL_GPL(bpf_prog_get_type_dev);





static int

bpf_prog_load_check_attach_type(enum bpf_prog_type prog_type,

				enum bpf_attach_type expected_attach_type)

{

	/* There are currently no prog types that require specifying

	 * attach_type at load time.

	 */

	return 0;

}



static int bpf_prog_attach_check_attach_type(const struct bpf_prog *prog,

					     enum bpf_attach_type attach_type)

{

	/* There are currently no prog types that require specifying

	 * attach_type at load time.

	 */

	return 0;

}



/* last field in 'union bpf_attr' used by this command */

/* last field in 'union bpf_attr' used by this command */

#define	BPF_PROG_LOAD_LAST_FIELD prog_ifindex

#define	BPF_PROG_LOAD_LAST_FIELD expected_attach_type





static int bpf_prog_load(union bpf_attr *attr)

static int bpf_prog_load(union bpf_attr *attr)

{

{
@@ -1209,11 +1228,16 @@ static int bpf_prog_load(union bpf_attr *attr) 
	    !capable(CAP_SYS_ADMIN))

	    !capable(CAP_SYS_ADMIN))

		return -EPERM;

		return -EPERM;





	if (bpf_prog_load_check_attach_type(type, attr->expected_attach_type))

		return -EINVAL;



	/* plain bpf_prog allocation */

	/* plain bpf_prog allocation */

	prog = bpf_prog_alloc(bpf_prog_size(attr->insn_cnt), GFP_USER);

	prog = bpf_prog_alloc(bpf_prog_size(attr->insn_cnt), GFP_USER);

	if (!prog)

	if (!prog)

		return -ENOMEM;

		return -ENOMEM;





	prog->expected_attach_type = attr->expected_attach_type;



	prog->aux->offload_requested = !!attr->prog_ifindex;

	prog->aux->offload_requested = !!attr->prog_ifindex;





	err = security_bpf_prog_alloc(prog->aux);

	err = security_bpf_prog_alloc(prog->aux);
@@ -1474,6 +1498,11 @@ static int bpf_prog_attach(const union bpf_attr *attr) 
	if (IS_ERR(prog))

	if (IS_ERR(prog))

		return PTR_ERR(prog);

		return PTR_ERR(prog);





	if (bpf_prog_attach_check_attach_type(prog, attr->attach_type)) {

		bpf_prog_put(prog);

		return -EINVAL;

	}



	cgrp = cgroup_get_from_fd(attr->target_fd);

	cgrp = cgroup_get_from_fd(attr->target_fd);

	if (IS_ERR(cgrp)) {

	if (IS_ERR(cgrp)) {

		bpf_prog_put(prog);

		bpf_prog_put(prog);

CRA Git | Maintained and supported by SUSTech CRA and CCSE