[linux.git] / kernel / bpf / token.c

#include <linux/bpf.h>
#include <linux/vmalloc.h>
#include <linux/fdtable.h>
#include <linux/file.h>
#include <linux/fs.h>
#include <linux/kernel.h>
#include <linux/idr.h>
#include <linux/namei.h>
#include <linux/user_namespace.h>
#include <linux/security.h>

static bool bpf_ns_capable(struct user_namespace *ns, int cap)
{
	return ns_capable(ns, cap) || (cap != CAP_SYS_ADMIN && ns_capable(ns, CAP_SYS_ADMIN));
}

bool bpf_token_capable(const struct bpf_token *token, int cap)
{
	struct user_namespace *userns;

	/* BPF token allows ns_capable() level of capabilities */
	userns = token ? token->userns : &init_user_ns;
	if (!bpf_ns_capable(userns, cap))
		return false;
	if (token && security_bpf_token_capable(token, cap) < 0)
		return false;
	return true;
}

void bpf_token_inc(struct bpf_token *token)
{
	atomic64_inc(&token->refcnt);
}

static void bpf_token_free(struct bpf_token *token)
{
	security_bpf_token_free(token);
	put_user_ns(token->userns);
	kfree(token);
}

static void bpf_token_put_deferred(struct work_struct *work)
{
	struct bpf_token *token = container_of(work, struct bpf_token, work);

	bpf_token_free(token);
}

void bpf_token_put(struct bpf_token *token)
{
	if (!token)
		return;

	if (!atomic64_dec_and_test(&token->refcnt))
		return;

	INIT_WORK(&token->work, bpf_token_put_deferred);
	schedule_work(&token->work);
}

static int bpf_token_release(struct inode *inode, struct file *filp)
{
	struct bpf_token *token = filp->private_data;

	bpf_token_put(token);
	return 0;
}

static void bpf_token_show_fdinfo(struct seq_file *m, struct file *filp)
{
	struct bpf_token *token = filp->private_data;
	u64 mask;

	BUILD_BUG_ON(__MAX_BPF_CMD >= 64);
	mask = BIT_ULL(__MAX_BPF_CMD) - 1;
	if ((token->allowed_cmds & mask) == mask)
		seq_printf(m, "allowed_cmds:\tany\n");
	else
		seq_printf(m, "allowed_cmds:\t0x%llx\n", token->allowed_cmds);

	BUILD_BUG_ON(__MAX_BPF_MAP_TYPE >= 64);
	mask = BIT_ULL(__MAX_BPF_MAP_TYPE) - 1;
	if ((token->allowed_maps & mask) == mask)
		seq_printf(m, "allowed_maps:\tany\n");
	else
		seq_printf(m, "allowed_maps:\t0x%llx\n", token->allowed_maps);

	BUILD_BUG_ON(__MAX_BPF_PROG_TYPE >= 64);
	mask = BIT_ULL(__MAX_BPF_PROG_TYPE) - 1;
	if ((token->allowed_progs & mask) == mask)
		seq_printf(m, "allowed_progs:\tany\n");
	else
		seq_printf(m, "allowed_progs:\t0x%llx\n", token->allowed_progs);

	BUILD_BUG_ON(__MAX_BPF_ATTACH_TYPE >= 64);
	mask = BIT_ULL(__MAX_BPF_ATTACH_TYPE) - 1;
	if ((token->allowed_attachs & mask) == mask)
		seq_printf(m, "allowed_attachs:\tany\n");
	else
		seq_printf(m, "allowed_attachs:\t0x%llx\n", token->allowed_attachs);
}

#define BPF_TOKEN_INODE_NAME "bpf-token"

static const struct inode_operations bpf_token_iops = { };

static const struct file_operations bpf_token_fops = {
	.release	= bpf_token_release,
	.show_fdinfo	= bpf_token_show_fdinfo,
};

int bpf_token_create(union bpf_attr *attr)
{
	struct bpf_mount_opts *mnt_opts;
	struct bpf_token *token = NULL;
	struct user_namespace *userns;
	struct inode *inode;
	struct file *file;
	struct path path;
	struct fd f;
	umode_t mode;
	int err, fd;

	f = fdget(attr->token_create.bpffs_fd);
	if (!f.file)
		return -EBADF;

	path = f.file->f_path;
	path_get(&path);
	fdput(f);

	if (path.dentry != path.mnt->mnt_sb->s_root) {
		err = -EINVAL;
		goto out_path;
	}
	if (path.mnt->mnt_sb->s_op != &bpf_super_ops) {
		err = -EINVAL;
		goto out_path;
	}
	err = path_permission(&path, MAY_ACCESS);
	if (err)
		goto out_path;

	userns = path.dentry->d_sb->s_user_ns;
	/*
	 * Enforce that creators of BPF tokens are in the same user
	 * namespace as the BPF FS instance. This makes reasoning about
	 * permissions a lot easier and we can always relax this later.
	 */
	if (current_user_ns() != userns) {
		err = -EPERM;
		goto out_path;
	}
	if (!ns_capable(userns, CAP_BPF)) {
		err = -EPERM;
		goto out_path;
	}

	/* Creating BPF token in init_user_ns doesn't make much sense. */
	if (current_user_ns() == &init_user_ns) {
		err = -EOPNOTSUPP;
		goto out_path;
	}

	mnt_opts = path.dentry->d_sb->s_fs_info;
	if (mnt_opts->delegate_cmds == 0 &&
	    mnt_opts->delegate_maps == 0 &&
	    mnt_opts->delegate_progs == 0 &&
	    mnt_opts->delegate_attachs == 0) {
		err = -ENOENT; /* no BPF token delegation is set up */
		goto out_path;
	}

	mode = S_IFREG | ((S_IRUSR | S_IWUSR) & ~current_umask());
	inode = bpf_get_inode(path.mnt->mnt_sb, NULL, mode);
	if (IS_ERR(inode)) {
		err = PTR_ERR(inode);
		goto out_path;
	}

	inode->i_op = &bpf_token_iops;
	inode->i_fop = &bpf_token_fops;
	clear_nlink(inode); /* make sure it is unlinked */

	file = alloc_file_pseudo(inode, path.mnt, BPF_TOKEN_INODE_NAME, O_RDWR, &bpf_token_fops);
	if (IS_ERR(file)) {
		iput(inode);
		err = PTR_ERR(file);
		goto out_path;
	}

	token = kzalloc(sizeof(*token), GFP_USER);
	if (!token) {
		err = -ENOMEM;
		goto out_file;
	}

	atomic64_set(&token->refcnt, 1);

	/* remember bpffs owning userns for future ns_capable() checks */
	token->userns = get_user_ns(userns);

	token->allowed_cmds = mnt_opts->delegate_cmds;
	token->allowed_maps = mnt_opts->delegate_maps;
	token->allowed_progs = mnt_opts->delegate_progs;
	token->allowed_attachs = mnt_opts->delegate_attachs;

	err = security_bpf_token_create(token, attr, &path);
	if (err)
		goto out_token;

	fd = get_unused_fd_flags(O_CLOEXEC);
	if (fd < 0) {
		err = fd;
		goto out_token;
	}

	file->private_data = token;
	fd_install(fd, file);

	path_put(&path);
	return fd;

out_token:
	bpf_token_free(token);
out_file:
	fput(file);
out_path:
	path_put(&path);
	return err;
}

struct bpf_token *bpf_token_get_from_fd(u32 ufd)
{
	struct fd f = fdget(ufd);
	struct bpf_token *token;

	if (!f.file)
		return ERR_PTR(-EBADF);
	if (f.file->f_op != &bpf_token_fops) {
		fdput(f);
		return ERR_PTR(-EINVAL);
	}

	token = f.file->private_data;
	bpf_token_inc(token);
	fdput(f);

	return token;
}

bool bpf_token_allow_cmd(const struct bpf_token *token, enum bpf_cmd cmd)
{
	if (!token)
		return false;
	if (!(token->allowed_cmds & BIT_ULL(cmd)))
		return false;
	return security_bpf_token_cmd(token, cmd) == 0;
}

bool bpf_token_allow_map_type(const struct bpf_token *token, enum bpf_map_type type)
{
	if (!token || type >= __MAX_BPF_MAP_TYPE)
		return false;

	return token->allowed_maps & BIT_ULL(type);
}

bool bpf_token_allow_prog_type(const struct bpf_token *token,
			       enum bpf_prog_type prog_type,
			       enum bpf_attach_type attach_type)
{
	if (!token || prog_type >= __MAX_BPF_PROG_TYPE || attach_type >= __MAX_BPF_ATTACH_TYPE)
		return false;

	return (token->allowed_progs & BIT_ULL(prog_type)) &&
	       (token->allowed_attachs & BIT_ULL(attach_type));
}
Commit	Line	Data
35f96de0 AN	1	#include <linux/bpf.h>
	2	#include <linux/vmalloc.h>
	3	#include <linux/fdtable.h>
	4	#include <linux/file.h>
	5	#include <linux/fs.h>
	6	#include <linux/kernel.h>
	7	#include <linux/idr.h>
	8	#include <linux/namei.h>
	9	#include <linux/user_namespace.h>
f568a3d4	10	#include <linux/security.h>
35f96de0 AN	11
	12	static bool bpf_ns_capable(struct user_namespace *ns, int cap)
	13	{
	14	return ns_capable(ns, cap) \|\| (cap != CAP_SYS_ADMIN && ns_capable(ns, CAP_SYS_ADMIN));
	15	}
	16
	17	bool bpf_token_capable(const struct bpf_token *token, int cap)
	18	{
	19	struct user_namespace *userns;
	20
	21	/* BPF token allows ns_capable() level of capabilities */
	22	userns = token ? token->userns : &init_user_ns;
	23	if (!bpf_ns_capable(userns, cap))
	24	return false;
f568a3d4 AN	25	if (token && security_bpf_token_capable(token, cap) < 0)
f568a3d4 AN	26	return false;
35f96de0 AN	27	return true;
	28	}
	29
	30	void bpf_token_inc(struct bpf_token *token)
	31	{
	32	atomic64_inc(&token->refcnt);
	33	}
	34
	35	static void bpf_token_free(struct bpf_token *token)
	36	{
f568a3d4	37	security_bpf_token_free(token);
35f96de0 AN	38	put_user_ns(token->userns);
	39	kfree(token);
	40	}
	41
	42	static void bpf_token_put_deferred(struct work_struct *work)
	43	{
	44	struct bpf_token *token = container_of(work, struct bpf_token, work);
	45
	46	bpf_token_free(token);
	47	}
	48
	49	void bpf_token_put(struct bpf_token *token)
	50	{
	51	if (!token)
	52	return;
	53
	54	if (!atomic64_dec_and_test(&token->refcnt))
	55	return;
	56
	57	INIT_WORK(&token->work, bpf_token_put_deferred);
	58	schedule_work(&token->work);
	59	}
	60
	61	static int bpf_token_release(struct inode inode, struct file filp)
	62	{
	63	struct bpf_token *token = filp->private_data;
	64
	65	bpf_token_put(token);
	66	return 0;
	67	}
	68
	69	static void bpf_token_show_fdinfo(struct seq_file m, struct file filp)
	70	{
	71	struct bpf_token *token = filp->private_data;
	72	u64 mask;
	73
	74	BUILD_BUG_ON(__MAX_BPF_CMD >= 64);
6668e818	75	mask = BIT_ULL(__MAX_BPF_CMD) - 1;
35f96de0 AN	76	if ((token->allowed_cmds & mask) == mask)
	77	seq_printf(m, "allowed_cmds:\tany\n");
	78	else
	79	seq_printf(m, "allowed_cmds:\t0x%llx\n", token->allowed_cmds);
a177fc2b AN	80
a177fc2b AN	81	BUILD_BUG_ON(__MAX_BPF_MAP_TYPE >= 64);
6668e818	82	mask = BIT_ULL(__MAX_BPF_MAP_TYPE) - 1;
a177fc2b AN	83	if ((token->allowed_maps & mask) == mask)
	84	seq_printf(m, "allowed_maps:\tany\n");
	85	else
	86	seq_printf(m, "allowed_maps:\t0x%llx\n", token->allowed_maps);
caf8f28e AN	87
caf8f28e AN	88	BUILD_BUG_ON(__MAX_BPF_PROG_TYPE >= 64);
6668e818	89	mask = BIT_ULL(__MAX_BPF_PROG_TYPE) - 1;
caf8f28e AN	90	if ((token->allowed_progs & mask) == mask)
	91	seq_printf(m, "allowed_progs:\tany\n");
	92	else
	93	seq_printf(m, "allowed_progs:\t0x%llx\n", token->allowed_progs);
	94
	95	BUILD_BUG_ON(__MAX_BPF_ATTACH_TYPE >= 64);
6668e818	96	mask = BIT_ULL(__MAX_BPF_ATTACH_TYPE) - 1;
caf8f28e AN	97	if ((token->allowed_attachs & mask) == mask)
	98	seq_printf(m, "allowed_attachs:\tany\n");
	99	else
	100	seq_printf(m, "allowed_attachs:\t0x%llx\n", token->allowed_attachs);
35f96de0 AN	101	}
	102
	103	#define BPF_TOKEN_INODE_NAME "bpf-token"
	104
	105	static const struct inode_operations bpf_token_iops = { };
	106
	107	static const struct file_operations bpf_token_fops = {
	108	.release = bpf_token_release,
	109	.show_fdinfo = bpf_token_show_fdinfo,
	110	};
	111
	112	int bpf_token_create(union bpf_attr *attr)
	113	{
	114	struct bpf_mount_opts *mnt_opts;
	115	struct bpf_token *token = NULL;
	116	struct user_namespace *userns;
	117	struct inode *inode;
	118	struct file *file;
	119	struct path path;
	120	struct fd f;
	121	umode_t mode;
	122	int err, fd;
	123
	124	f = fdget(attr->token_create.bpffs_fd);
	125	if (!f.file)
	126	return -EBADF;
	127
	128	path = f.file->f_path;
	129	path_get(&path);
	130	fdput(f);
	131
	132	if (path.dentry != path.mnt->mnt_sb->s_root) {
	133	err = -EINVAL;
	134	goto out_path;
	135	}
	136	if (path.mnt->mnt_sb->s_op != &bpf_super_ops) {
	137	err = -EINVAL;
	138	goto out_path;
	139	}
	140	err = path_permission(&path, MAY_ACCESS);
	141	if (err)
	142	goto out_path;
	143
	144	userns = path.dentry->d_sb->s_user_ns;
	145	/*
	146	* Enforce that creators of BPF tokens are in the same user
	147	* namespace as the BPF FS instance. This makes reasoning about
	148	* permissions a lot easier and we can always relax this later.
	149	*/
	150	if (current_user_ns() != userns) {
	151	err = -EPERM;
	152	goto out_path;
	153	}
	154	if (!ns_capable(userns, CAP_BPF)) {
	155	err = -EPERM;
	156	goto out_path;
	157	}
	158
	159	/* Creating BPF token in init_user_ns doesn't make much sense. */
	160	if (current_user_ns() == &init_user_ns) {
	161	err = -EOPNOTSUPP;
	162	goto out_path;
	163	}
	164
aeaa97b0 AN	165	mnt_opts = path.dentry->d_sb->s_fs_info;
	166	if (mnt_opts->delegate_cmds == 0 &&
	167	mnt_opts->delegate_maps == 0 &&
	168	mnt_opts->delegate_progs == 0 &&
	169	mnt_opts->delegate_attachs == 0) {
	170	err = -ENOENT; /* no BPF token delegation is set up */
	171	goto out_path;
	172	}
	173
35f96de0 AN	174	mode = S_IFREG \| ((S_IRUSR \| S_IWUSR) & ~current_umask());
	175	inode = bpf_get_inode(path.mnt->mnt_sb, NULL, mode);
	176	if (IS_ERR(inode)) {
	177	err = PTR_ERR(inode);
	178	goto out_path;
	179	}
	180
	181	inode->i_op = &bpf_token_iops;
	182	inode->i_fop = &bpf_token_fops;
	183	clear_nlink(inode); /* make sure it is unlinked */
	184
	185	file = alloc_file_pseudo(inode, path.mnt, BPF_TOKEN_INODE_NAME, O_RDWR, &bpf_token_fops);
	186	if (IS_ERR(file)) {
	187	iput(inode);
	188	err = PTR_ERR(file);
	189	goto out_path;
	190	}
	191
	192	token = kzalloc(sizeof(*token), GFP_USER);
	193	if (!token) {
	194	err = -ENOMEM;
	195	goto out_file;
	196	}
	197
	198	atomic64_set(&token->refcnt, 1);
	199
	200	/* remember bpffs owning userns for future ns_capable() checks */
	201	token->userns = get_user_ns(userns);
	202
35f96de0	203	token->allowed_cmds = mnt_opts->delegate_cmds;
a177fc2b	204	token->allowed_maps = mnt_opts->delegate_maps;
caf8f28e AN	205	token->allowed_progs = mnt_opts->delegate_progs;
caf8f28e AN	206	token->allowed_attachs = mnt_opts->delegate_attachs;
35f96de0	207
f568a3d4 AN	208	err = security_bpf_token_create(token, attr, &path);
	209	if (err)
	210	goto out_token;
	211
35f96de0 AN	212	fd = get_unused_fd_flags(O_CLOEXEC);
	213	if (fd < 0) {
	214	err = fd;
	215	goto out_token;
	216	}
	217
	218	file->private_data = token;
	219	fd_install(fd, file);
	220
	221	path_put(&path);
	222	return fd;
	223
	224	out_token:
	225	bpf_token_free(token);
	226	out_file:
	227	fput(file);
	228	out_path:
	229	path_put(&path);
	230	return err;
	231	}
	232
	233	struct bpf_token *bpf_token_get_from_fd(u32 ufd)
	234	{
	235	struct fd f = fdget(ufd);
	236	struct bpf_token *token;
	237
	238	if (!f.file)
	239	return ERR_PTR(-EBADF);
	240	if (f.file->f_op != &bpf_token_fops) {
	241	fdput(f);
	242	return ERR_PTR(-EINVAL);
	243	}
	244
	245	token = f.file->private_data;
	246	bpf_token_inc(token);
	247	fdput(f);
	248
	249	return token;
	250	}
	251
	252	bool bpf_token_allow_cmd(const struct bpf_token *token, enum bpf_cmd cmd)
	253	{
	254	if (!token)
	255	return false;
6668e818	256	if (!(token->allowed_cmds & BIT_ULL(cmd)))
f568a3d4 AN	257	return false;
f568a3d4 AN	258	return security_bpf_token_cmd(token, cmd) == 0;
35f96de0	259	}
a177fc2b AN	260
	261	bool bpf_token_allow_map_type(const struct bpf_token *token, enum bpf_map_type type)
	262	{
	263	if (!token \|\| type >= __MAX_BPF_MAP_TYPE)
	264	return false;
	265
6668e818	266	return token->allowed_maps & BIT_ULL(type);
a177fc2b	267	}
caf8f28e AN	268
	269	bool bpf_token_allow_prog_type(const struct bpf_token *token,
	270	enum bpf_prog_type prog_type,
	271	enum bpf_attach_type attach_type)
	272	{
	273	if (!token \|\| prog_type >= __MAX_BPF_PROG_TYPE \|\| attach_type >= __MAX_BPF_ATTACH_TYPE)
	274	return false;
	275
6668e818 HW	276	return (token->allowed_progs & BIT_ULL(prog_type)) &&
6668e818 HW	277	(token->allowed_attachs & BIT_ULL(attach_type));
caf8f28e	278	}