~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

TOMOYO Linux Cross Reference
Linux/tools/testing/selftests/bpf/progs/verifier_vfs_reject.c

Version: ~ [ linux-6.12-rc7 ] ~ [ linux-6.11.7 ] ~ [ linux-6.10.14 ] ~ [ linux-6.9.12 ] ~ [ linux-6.8.12 ] ~ [ linux-6.7.12 ] ~ [ linux-6.6.60 ] ~ [ linux-6.5.13 ] ~ [ linux-6.4.16 ] ~ [ linux-6.3.13 ] ~ [ linux-6.2.16 ] ~ [ linux-6.1.116 ] ~ [ linux-6.0.19 ] ~ [ linux-5.19.17 ] ~ [ linux-5.18.19 ] ~ [ linux-5.17.15 ] ~ [ linux-5.16.20 ] ~ [ linux-5.15.171 ] ~ [ linux-5.14.21 ] ~ [ linux-5.13.19 ] ~ [ linux-5.12.19 ] ~ [ linux-5.11.22 ] ~ [ linux-5.10.229 ] ~ [ linux-5.9.16 ] ~ [ linux-5.8.18 ] ~ [ linux-5.7.19 ] ~ [ linux-5.6.19 ] ~ [ linux-5.5.19 ] ~ [ linux-5.4.285 ] ~ [ linux-5.3.18 ] ~ [ linux-5.2.21 ] ~ [ linux-5.1.21 ] ~ [ linux-5.0.21 ] ~ [ linux-4.20.17 ] ~ [ linux-4.19.323 ] ~ [ linux-4.18.20 ] ~ [ linux-4.17.19 ] ~ [ linux-4.16.18 ] ~ [ linux-4.15.18 ] ~ [ linux-4.14.336 ] ~ [ linux-4.13.16 ] ~ [ linux-4.12.14 ] ~ [ linux-4.11.12 ] ~ [ linux-4.10.17 ] ~ [ linux-4.9.337 ] ~ [ linux-4.4.302 ] ~ [ linux-3.10.108 ] ~ [ linux-2.6.32.71 ] ~ [ linux-2.6.0 ] ~ [ linux-2.4.37.11 ] ~ [ unix-v6-master ] ~ [ ccs-tools-1.8.12 ] ~ [ policy-sample ] ~
Architecture: ~ [ i386 ] ~ [ alpha ] ~ [ m68k ] ~ [ mips ] ~ [ ppc ] ~ [ sparc ] ~ [ sparc64 ] ~ 
  1 // SPDX-License-Identifier: GPL-2.0
  2 /* Copyright (c) 2024 Google LLC. */
  3 
  4 #include <vmlinux.h>
  5 #include <bpf/bpf_helpers.h>
  6 #include <bpf/bpf_tracing.h>
  7 #include <linux/limits.h>
  8 
  9 #include "bpf_misc.h"
 10 #include "bpf_experimental.h"
 11 
 12 static char buf[PATH_MAX];
 13 
 14 SEC("lsm.s/file_open")
 15 __failure __msg("Possibly NULL pointer passed to trusted arg0")
 16 int BPF_PROG(get_task_exe_file_kfunc_null)
 17 {
 18         struct file *acquired;
 19 
 20         /* Can't pass a NULL pointer to bpf_get_task_exe_file(). */
 21         acquired = bpf_get_task_exe_file(NULL);
 22         if (!acquired)
 23                 return 0;
 24 
 25         bpf_put_file(acquired);
 26         return 0;
 27 }
 28 
 29 SEC("lsm.s/inode_getxattr")
 30 __failure __msg("arg#0 pointer type STRUCT task_struct must point to scalar, or struct with scalar")
 31 int BPF_PROG(get_task_exe_file_kfunc_fp)
 32 {
 33         u64 x;
 34         struct file *acquired;
 35         struct task_struct *task;
 36 
 37         task = (struct task_struct *)&x;
 38         /* Can't pass random frame pointer to bpf_get_task_exe_file(). */
 39         acquired = bpf_get_task_exe_file(task);
 40         if (!acquired)
 41                 return 0;
 42 
 43         bpf_put_file(acquired);
 44         return 0;
 45 }
 46 
 47 SEC("lsm.s/file_open")
 48 __failure __msg("R1 must be referenced or trusted")
 49 int BPF_PROG(get_task_exe_file_kfunc_untrusted)
 50 {
 51         struct file *acquired;
 52         struct task_struct *parent;
 53 
 54         /* Walking a trusted struct task_struct returned from
 55          * bpf_get_current_task_btf() yields an untrusted pointer.
 56          */
 57         parent = bpf_get_current_task_btf()->parent;
 58         /* Can't pass untrusted pointer to bpf_get_task_exe_file(). */
 59         acquired = bpf_get_task_exe_file(parent);
 60         if (!acquired)
 61                 return 0;
 62 
 63         bpf_put_file(acquired);
 64         return 0;
 65 }
 66 
 67 SEC("lsm.s/file_open")
 68 __failure __msg("Unreleased reference")
 69 int BPF_PROG(get_task_exe_file_kfunc_unreleased)
 70 {
 71         struct file *acquired;
 72 
 73         acquired = bpf_get_task_exe_file(bpf_get_current_task_btf());
 74         if (!acquired)
 75                 return 0;
 76 
 77         /* Acquired but never released. */
 78         return 0;
 79 }
 80 
 81 SEC("lsm.s/file_open")
 82 __failure __msg("release kernel function bpf_put_file expects")
 83 int BPF_PROG(put_file_kfunc_unacquired, struct file *file)
 84 {
 85         /* Can't release an unacquired pointer. */
 86         bpf_put_file(file);
 87         return 0;
 88 }
 89 
 90 SEC("lsm.s/file_open")
 91 __failure __msg("Possibly NULL pointer passed to trusted arg0")
 92 int BPF_PROG(path_d_path_kfunc_null)
 93 {
 94         /* Can't pass NULL value to bpf_path_d_path() kfunc. */
 95         bpf_path_d_path(NULL, buf, sizeof(buf));
 96         return 0;
 97 }
 98 
 99 SEC("lsm.s/task_alloc")
100 __failure __msg("R1 must be referenced or trusted")
101 int BPF_PROG(path_d_path_kfunc_untrusted_from_argument, struct task_struct *task)
102 {
103         struct path *root;
104 
105         /* Walking a trusted argument typically yields an untrusted
106          * pointer. This is one example of that.
107          */
108         root = &task->fs->root;
109         bpf_path_d_path(root, buf, sizeof(buf));
110         return 0;
111 }
112 
113 SEC("lsm.s/file_open")
114 __failure __msg("R1 must be referenced or trusted")
115 int BPF_PROG(path_d_path_kfunc_untrusted_from_current)
116 {
117         struct path *pwd;
118         struct task_struct *current;
119 
120         current = bpf_get_current_task_btf();
121         /* Walking a trusted pointer returned from bpf_get_current_task_btf()
122          * yields an untrusted pointer.
123          */
124         pwd = &current->fs->pwd;
125         bpf_path_d_path(pwd, buf, sizeof(buf));
126         return 0;
127 }
128 
129 SEC("lsm.s/file_open")
130 __failure __msg("kernel function bpf_path_d_path args#0 expected pointer to STRUCT path but R1 has a pointer to STRUCT file")
131 int BPF_PROG(path_d_path_kfunc_type_mismatch, struct file *file)
132 {
133         bpf_path_d_path((struct path *)&file->f_task_work, buf, sizeof(buf));
134         return 0;
135 }
136 
137 SEC("lsm.s/file_open")
138 __failure __msg("invalid access to map value, value_size=4096 off=0 size=8192")
139 int BPF_PROG(path_d_path_kfunc_invalid_buf_sz, struct file *file)
140 {
141         /* bpf_path_d_path() enforces a constraint on the buffer size supplied
142          * by the BPF LSM program via the __sz annotation. buf here is set to
143          * PATH_MAX, so let's ensure that the BPF verifier rejects BPF_PROG_LOAD
144          * attempts if the supplied size and the actual size of the buffer
145          * mismatches.
146          */
147         bpf_path_d_path(&file->f_path, buf, PATH_MAX * 2);
148         return 0;
149 }
150 
151 SEC("fentry/vfs_open")
152 __failure __msg("calling kernel function bpf_path_d_path is not allowed")
153 int BPF_PROG(path_d_path_kfunc_non_lsm, struct path *path, struct file *f)
154 {
155         /* Calling bpf_path_d_path() from a non-LSM BPF program isn't permitted.
156          */
157         bpf_path_d_path(path, buf, sizeof(buf));
158         return 0;
159 }
160 
161 char _license[] SEC("license") = "GPL";
162
~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~
kernel.org | git.kernel.org | LWN.net | Project Home | SVN repository | Mail admin

Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.

sflogo.php