
Commit 9b629132 authored by Chenbo Feng's avatar Chenbo Feng

UPSTREAM: selinux: bpf: Add selinux check for eBPF syscall operations



Implement the actual checks introduced to eBPF-related syscalls. This
implementation uses the security field inside the bpf object to store a sid that
identifies the bpf object. When processes try to access the object,
selinux checks whether the processes have the right privileges. The creation
of eBPF objects is also checked at the general bpf check hook, and new
cmds introduced to the eBPF domain can also be checked there.

Signed-off-by: default avatarChenbo Feng <fengc@google.com>
Acked-by: default avatarAlexei Starovoitov <ast@kernel.org>
Reviewed-by: default avatarJames Morris <james.l.morris@oracle.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>

(cherry-pick from net-next: ec27c3568a34c7fe5fcf4ac0a354eda77687f7eb)
Bug: 30950746
Change-Id: Ifb0cdd4b7d470223b143646b339ba511ac77c156
parent f3ad3766
+111 −0
@@ -83,6 +83,7 @@
#include <linux/export.h>
#include <linux/msg.h>
#include <linux/shm.h>
#include <linux/bpf.h>

#include "avc.h"
#include "objsec.h"
@@ -6079,6 +6080,106 @@ static int selinux_key_getsecurity(struct key *key, char **_buffer)

#endif

#ifdef CONFIG_BPF_SYSCALL
static int selinux_bpf(int cmd, union bpf_attr *attr,
				     unsigned int size)
{
	u32 sid = current_sid();
	int ret;

	switch (cmd) {
	case BPF_MAP_CREATE:
		ret = avc_has_perm(sid, sid, SECCLASS_BPF, BPF__MAP_CREATE,
				   NULL);
		break;
	case BPF_PROG_LOAD:
		ret = avc_has_perm(sid, sid, SECCLASS_BPF, BPF__PROG_LOAD,
				   NULL);
		break;
	default:
		ret = 0;
		break;
	}

	return ret;
}

static u32 bpf_map_fmode_to_av(fmode_t fmode)
{
	u32 av = 0;

	if (fmode & FMODE_READ)
		av |= BPF__MAP_READ;
	if (fmode & FMODE_WRITE)
		av |= BPF__MAP_WRITE;
	return av;
}

static int selinux_bpf_map(struct bpf_map *map, fmode_t fmode)
{
	u32 sid = current_sid();
	struct bpf_security_struct *bpfsec;

	bpfsec = map->security;
	return avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF,
			    bpf_map_fmode_to_av(fmode), NULL);
}

static int selinux_bpf_prog(struct bpf_prog *prog)
{
	u32 sid = current_sid();
	struct bpf_security_struct *bpfsec;

	bpfsec = prog->aux->security;
	return avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF,
			    BPF__PROG_RUN, NULL);
}

static int selinux_bpf_map_alloc(struct bpf_map *map)
{
	struct bpf_security_struct *bpfsec;

	bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
	if (!bpfsec)
		return -ENOMEM;

	bpfsec->sid = current_sid();
	map->security = bpfsec;

	return 0;
}

static void selinux_bpf_map_free(struct bpf_map *map)
{
	struct bpf_security_struct *bpfsec = map->security;

	map->security = NULL;
	kfree(bpfsec);
}

static int selinux_bpf_prog_alloc(struct bpf_prog_aux *aux)
{
	struct bpf_security_struct *bpfsec;

	bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
	if (!bpfsec)
		return -ENOMEM;

	bpfsec->sid = current_sid();
	aux->security = bpfsec;

	return 0;
}

static void selinux_bpf_prog_free(struct bpf_prog_aux *aux)
{
	struct bpf_security_struct *bpfsec = aux->security;

	aux->security = NULL;
	kfree(bpfsec);
}
#endif

static struct security_hook_list selinux_hooks[] = {
	LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr),
	LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction),
@@ -6293,6 +6394,16 @@ static struct security_hook_list selinux_hooks[] = {
	LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match),
	LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free),
#endif

#ifdef CONFIG_BPF_SYSCALL
	LSM_HOOK_INIT(bpf, selinux_bpf),
	LSM_HOOK_INIT(bpf_map, selinux_bpf_map),
	LSM_HOOK_INIT(bpf_prog, selinux_bpf_prog),
	LSM_HOOK_INIT(bpf_map_alloc_security, selinux_bpf_map_alloc),
	LSM_HOOK_INIT(bpf_prog_alloc_security, selinux_bpf_prog_alloc),
	LSM_HOOK_INIT(bpf_map_free_security, selinux_bpf_map_free),
	LSM_HOOK_INIT(bpf_prog_free_security, selinux_bpf_prog_free),
#endif
};

static __init int selinux_init(void)
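Review bot: selinux_bpf_map hands the result of bpf_map_fmode_to_av() directly to avc_has_perm, so an fmode that carries neither FMODE_READ nor FMODE_WRITE produces an empty requested mask; presumably every caller of the bpf_map hook sets at least one of the two bits, but nothing in the hunk states that, and avc_has_perm is not meant to be asked for a zero permission set. A comment above selinux_bpf_map, `/* Callers always pass FMODE_READ and/or FMODE_WRITE, so the requested av is never 0 */`, records the precondition; if that cannot be guaranteed, an explicit `if (!av) return 0;` after computing the mask makes the no-access case deliberate rather than accidental. The default branch of selinux_bpf permits every command other than BPF_MAP_CREATE and BPF_PROG_LOAD without a word; `/* Other commands are mediated per object by the bpf_map/bpf_prog hooks */` above `ret = 0;` would make that intent visible. The include hunk and the selinux_hooks table hunk both start and end outside the page.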
+2 −0
@@ -165,5 +165,7 @@ struct security_class_mapping secclass_map[] = {
	  { COMMON_CAP_PERMS, NULL } },
	{ "cap2_userns",
	  { COMMON_CAP2_PERMS, NULL } },
	{ "bpf",
	  {"map_create", "map_read", "map_write", "prog_load", "prog_run"} },
	{ NULL }
  };
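Review bot: The new `bpf` entry is the only one in the hunk whose permission list omits the trailing NULL sentinel and the spaces inside the braces that the neighbouring `cap2_userns` entry uses; with secclass_map in static storage the unwritten slots are zero-filled, so this reads as a style inconsistency rather than a defect, but `{ "map_create", "map_read", "map_write", "prog_load", "prog_run", NULL } },` matches the entries above. The secclass_map initializer begins outside the hunk.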
+4 −0
@@ -128,6 +128,10 @@ struct key_security_struct {
	u32 sid;	/* SID of key */
};

struct bpf_security_struct {
	u32 sid;  /*SID of bpf obj creater*/
};

extern unsigned int selinux_checkreqprot;

#endif /* _SELINUX_OBJSEC_H_ */
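Review bot: The field comment on the new bpf_security_struct, `/*SID of bpf obj creater*/`, has a typo and does not follow the `/* SID of key */` spacing of the adjacent key_security_struct; since the alloc hooks fill it from current_sid(), `u32 sid;	/* SID of the task that created the bpf object */` states the same thing in the file's own style. The struct is complete within the hunk.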