1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
|
// SPDX-License-Identifier: GPL-2.0
/* Copyright (c) 2024 Meta Platforms, Inc. and affiliates. */
#include "vmlinux.h"
#include <errno.h>
#include <bpf/bpf_tracing.h>
#include "bpf_kfuncs.h"
#include "bpf_misc.h"
char _license[] SEC("license") = "GPL";
__u32 monitored_pid;
const char xattr_foo[] = "security.bpf.foo";
const char xattr_bar[] = "security.bpf.bar";
static const char xattr_selinux[] = "security.selinux";
char value_bar[] = "world";
char read_value[32];
bool set_security_bpf_bar_success;
bool remove_security_bpf_bar_success;
bool set_security_selinux_fail;
bool remove_security_selinux_fail;
char name_buf[32];
static inline bool name_match_foo(const char *name)
{
bpf_probe_read_kernel(name_buf, sizeof(name_buf), name);
return !bpf_strncmp(name_buf, sizeof(xattr_foo), xattr_foo);
}
/* Test bpf_set_dentry_xattr and bpf_remove_dentry_xattr */
SEC("lsm.s/inode_getxattr")
int BPF_PROG(test_inode_getxattr, struct dentry *dentry, char *name)
{
struct bpf_dynptr value_ptr;
__u32 pid;
int ret;
pid = bpf_get_current_pid_tgid() >> 32;
if (pid != monitored_pid)
return 0;
/* Only do the following for security.bpf.foo */
if (!name_match_foo(name))
return 0;
bpf_dynptr_from_mem(read_value, sizeof(read_value), 0, &value_ptr);
/* read security.bpf.bar */
ret = bpf_get_dentry_xattr(dentry, xattr_bar, &value_ptr);
if (ret < 0) {
/* If security.bpf.bar doesn't exist, set it */
bpf_dynptr_from_mem(value_bar, sizeof(value_bar), 0, &value_ptr);
ret = bpf_set_dentry_xattr(dentry, xattr_bar, &value_ptr, 0);
if (!ret)
set_security_bpf_bar_success = true;
ret = bpf_set_dentry_xattr(dentry, xattr_selinux, &value_ptr, 0);
if (ret)
set_security_selinux_fail = true;
} else {
/* If security.bpf.bar exists, remove it */
ret = bpf_remove_dentry_xattr(dentry, xattr_bar);
if (!ret)
remove_security_bpf_bar_success = true;
ret = bpf_remove_dentry_xattr(dentry, xattr_selinux);
if (ret)
remove_security_selinux_fail = true;
}
return 0;
}
bool locked_set_security_bpf_bar_success;
bool locked_remove_security_bpf_bar_success;
bool locked_set_security_selinux_fail;
bool locked_remove_security_selinux_fail;
/* Test bpf_set_dentry_xattr_locked and bpf_remove_dentry_xattr_locked.
* It not necessary to differentiate the _locked version and the
* not-_locked version in the BPF program. The verifier will fix them up
* properly.
*/
SEC("lsm.s/inode_setxattr")
int BPF_PROG(test_inode_setxattr, struct mnt_idmap *idmap,
struct dentry *dentry, const char *name,
const void *value, size_t size, int flags)
{
struct bpf_dynptr value_ptr;
__u32 pid;
int ret;
pid = bpf_get_current_pid_tgid() >> 32;
if (pid != monitored_pid)
return 0;
/* Only do the following for security.bpf.foo */
if (!name_match_foo(name))
return 0;
bpf_dynptr_from_mem(read_value, sizeof(read_value), 0, &value_ptr);
/* read security.bpf.bar */
ret = bpf_get_dentry_xattr(dentry, xattr_bar, &value_ptr);
if (ret < 0) {
/* If security.bpf.bar doesn't exist, set it */
bpf_dynptr_from_mem(value_bar, sizeof(value_bar), 0, &value_ptr);
ret = bpf_set_dentry_xattr(dentry, xattr_bar, &value_ptr, 0);
if (!ret)
locked_set_security_bpf_bar_success = true;
ret = bpf_set_dentry_xattr(dentry, xattr_selinux, &value_ptr, 0);
if (ret)
locked_set_security_selinux_fail = true;
} else {
/* If security.bpf.bar exists, remove it */
ret = bpf_remove_dentry_xattr(dentry, xattr_bar);
if (!ret)
locked_remove_security_bpf_bar_success = true;
ret = bpf_remove_dentry_xattr(dentry, xattr_selinux);
if (ret)
locked_remove_security_selinux_fail = true;
}
return 0;
}
|
