From: Jiri Olsa <jolsa@kernel.org>
To: Alexei Starovoitov <ast@kernel.org>,
	Daniel Borkmann <daniel@iogearbox.net>
Cc: netdev@vger.kernel.org, bpf@vger.kernel.org,
	Song Liu <songliubraving@fb.com>, Yonghong Song <yhs@fb.com>,
	Martin KaFai Lau <kafai@fb.com>, David Miller <davem@redhat.com>,
	John Fastabend <john.fastabend@gmail.com>,
	Wenbo Zhang <ethercflow@gmail.com>,
	KP Singh <kpsingh@chromium.org>, Andrii Nakryiko <andriin@fb.com>,
	Brendan Gregg <bgregg@netflix.com>,
	Florent Revest <revest@chromium.org>,
	Al Viro <viro@zeniv.linux.org.uk>
Subject: [PATCH 08/11] bpf: Add BTF whitelist support
Date: Tue, 16 Jun 2020 12:05:09 +0200	[thread overview]
Message-ID: <20200616100512.2168860-9-jolsa@kernel.org> (raw)
In-Reply-To: <20200616100512.2168860-1-jolsa@kernel.org>

Add support for defining a 'whitelist' of BTF IDs, which is
also sorted.

The following defines a sorted list of BTF IDs that is accessible
within kernel code as btf_whitelist_d_path, with its count
in the btf_whitelist_d_path_cnt variable.

  extern int btf_whitelist_d_path[];
  extern int btf_whitelist_d_path_cnt;

  BTF_WHITELIST_ENTRY(btf_whitelist_d_path)
  BTF_ID(func, vfs_truncate)
  BTF_ID(func, vfs_fallocate)
  BTF_ID(func, dentry_open)
  BTF_ID(func, vfs_getattr)
  BTF_ID(func, filp_close)
  BTF_WHITELIST_END(btf_whitelist_d_path)

Signed-off-by: Jiri Olsa <jolsa@kernel.org>
---
 include/linux/bpf.h   |  3 +++
 kernel/bpf/btf.c      | 13 +++++++++++++
 kernel/bpf/btf_ids.h  | 38 ++++++++++++++++++++++++++++++++++++++
 kernel/bpf/verifier.c |  5 +++++
 4 files changed, 59 insertions(+)

diff --git a/include/linux/bpf.h b/include/linux/bpf.h
index e98c113a5d27..a94e85c2ec50 100644
--- a/include/linux/bpf.h
+++ b/include/linux/bpf.h
@@ -283,6 +283,7 @@ struct bpf_func_proto {
 		enum bpf_arg_type arg_type[5];
 	};
 	int *btf_id; /* BTF ids of arguments */
+	bool (*allowed)(const struct bpf_prog *prog);
 };
 
 /* bpf_context is intentionally undefined structure. Pointer to bpf_context is
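Review bot: The new `allowed` member of struct bpf_func_proto has no comment saying when it is called or what a NULL pointer means. Going by the verifier.c hunk in this patch, NULL means no extra restriction and a false return rejects the program during verification. I would document that on the member itself, e.g. `/* optional: return false to reject this helper for @prog at verification time; NULL means no restriction */`. The struct definition starts outside this hunk.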
@@ -1745,6 +1746,8 @@ enum bpf_text_poke_type {
 int bpf_arch_text_poke(void *ip, enum bpf_text_poke_type t,
 		       void *addr1, void *addr2);
 
+bool btf_whitelist_search(int id, int list[], int cnt);
+
 extern int bpf_skb_output_btf_ids[];
 extern int bpf_seq_printf_btf_ids[];
 extern int bpf_seq_write_btf_ids[];
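Review bot: The `btf_whitelist_search()` prototype takes a mutable `int list[]` although the lookup only reads it, and it does not state that the list must be sorted in ascending order for the result to be meaningful. I would declare it as `bool btf_whitelist_search(int id, const int *list, int cnt);` with a one-line comment such as `/* @list must be sorted ascending; returns true if @id is present */`. The definition in the kernel/bpf/btf.c hunk would need the same signature change.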
diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c
index 6924180a19c4..feda74d232c5 100644
--- a/kernel/bpf/btf.c
+++ b/kernel/bpf/btf.c
@@ -20,6 +20,7 @@
 #include <linux/btf.h>
 #include <linux/skmsg.h>
 #include <linux/perf_event.h>
+#include <linux/bsearch.h>
 #include <net/sock.h>
 
 /* BTF (BPF Type Format) is the meta data format which describes
@@ -4669,3 +4670,15 @@ u32 btf_id(const struct btf *btf)
 {
 	return btf->id;
 }
+
+static int btf_id_cmp_func(const void *a, const void *b)
+{
+	const int *pa = a, *pb = b;
+
+	return *pa - *pb;
+}
+
+bool btf_whitelist_search(int id, int list[], int cnt)
+{
+	return bsearch(&id, list, cnt, sizeof(int), btf_id_cmp_func) != NULL;
+}
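Review bot: `btf_id_cmp_func` returns `*pa - *pb`, a signed subtraction that overflows (undefined behaviour) if the two values ever have opposite signs and large magnitude. BTF IDs are presumably small non-negative numbers, so this may never trigger, but `return (*pa > *pb) - (*pa < *pb);` removes the assumption at no cost. In `btf_whitelist_search`, the `int cnt` is converted to `size_t` when passed to `bsearch()`, so a negative count would become a very large element count. Since this lookup gates helper access, an early `if (cnt <= 0) return false;` would make it fail closed on a bad count.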
diff --git a/kernel/bpf/btf_ids.h b/kernel/bpf/btf_ids.h
index 68aa5c38a37f..a90c09faa515 100644
--- a/kernel/bpf/btf_ids.h
+++ b/kernel/bpf/btf_ids.h
@@ -67,4 +67,42 @@ asm(							\
 #name ":;                                      \n"	\
 ".popsection;                                  \n");
 
+
+/*
+ * The BTF_WHITELIST_ENTRY/END macros pair defines sorted
+ * list of BTF IDs plus its members count, with following
+ * layout:
+ *
+ * BTF_WHITELIST_ENTRY(list2)
+ * BTF_ID(type1, name1)
+ * BTF_ID(type2, name2)
+ * BTF_WHITELIST_END(list)
+ *
+ * __BTF_ID__sort__list:
+ * list2_cnt:
+ * .zero 4
+ * list2:
+ * __BTF_ID__type1__name1__3:
+ * .zero 4
+ * __BTF_ID__type2__name2__4:
+ * .zero 4
+ *
+ */
+#define BTF_WHITELIST_ENTRY(name)			\
+asm(							\
+".pushsection " SECTION ",\"a\";               \n"	\
+".global __BTF_ID__sort__" #name ";            \n"	\
+"__BTF_ID__sort__" #name ":;                   \n"	\
+".global " #name "_cnt;                        \n"	\
+#name "_cnt:;                                  \n"	\
+".zero 4                                       \n"	\
+".popsection;                                  \n");	\
+BTF_ID_LIST(name)
+
+#define BTF_WHITELIST_END(name)				\
+asm(							\
+".pushsection " SECTION ",\"a\";              \n"	\
+".size __BTF_ID__sort__" #name ", .-" #name " \n"	\
+".popsection;                                 \n");
+
 #endif
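Review bot: The layout comment above `BTF_WHITELIST_ENTRY` is internally inconsistent: it opens with `BTF_WHITELIST_ENTRY(list2)` but closes with `BTF_WHITELIST_END(list)` and labels the section `__BTF_ID__sort__list:`, while the macro would emit `__BTF_ID__sort__list2` for that name. I would use one name throughout, i.e. `BTF_WHITELIST_END(list2)` and `__BTF_ID__sort__list2:`. The comment also does not say who fills in the `.zero 4` count word or performs the sort; a sentence naming the build-time step responsible (apparently the BTF ID resolving tool from earlier in this series) would tell readers that the lookup depends on it. It is worth adding that the entry and end macros must be given the same name, because the `.size` expression in `BTF_WHITELIST_END` references both `__BTF_ID__sort__<name>` and `<name>`.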
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index bee3da2cd945..5a9a6fd72907 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -4633,6 +4633,11 @@ static int check_helper_call(struct bpf_verifier_env *env, int func_id, int insn
 		return -EINVAL;
 	}
 
+	if (fn->allowed && !fn->allowed(env->prog)) {
+		verbose(env, "helper call is not allowed in probe\n");
+		return -EINVAL;
+	}
+
 	/* With LD_ABS/IND some JITs save/restore skb from r1. */
 	changes_data = bpf_helper_changes_pkt_data(fn->func);
 	if (changes_data && fn->arg1_type != ARG_PTR_TO_CTX) {
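Review bot: The rejection message added in `check_helper_call`, `"helper call is not allowed in probe\n"`, does not say which helper was refused, which makes a denied load harder to diagnose from the verifier log. `func_id` is a parameter of this function, so the message could include it, e.g. `verbose(env, "helper call %s#%d is not allowed in probe\n", func_id_name(func_id), func_id);`, assuming the file's `func_id_name()` is usable at this point. The wording "in probe" also assumes a particular program type, whereas the `allowed` callback is generic; "for this program" would stay accurate for any future user. The function body starts and ends outside this hunk.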
-- 
2.25.4

