From: Florent Revest <revest@chromium.org>
To: bpf@vger.kernel.org
Cc: ast@kernel.org, daniel@iogearbox.net, andrii@kernel.org,
kpsingh@chromium.org, revest@google.com,
linux-kernel@vger.kernel.org
Subject: [PATCH bpf-next 1/2] bpf: Add a bpf_kallsyms_lookup helper
Date: Thu, 26 Nov 2020 17:57:47 +0100 [thread overview]
Message-ID: <20201126165748.1748417-1-revest@google.com> (raw)
This helper exposes the kallsyms_lookup function to eBPF tracing
programs. This can be used to retrieve the name of the symbol at an
address. For example, when hooking into nf_register_net_hook, one can
audit the name of the registered netfilter hook and potentially also
the name of the module in which the symbol is located.
Signed-off-by: Florent Revest <revest@google.com>
---
include/uapi/linux/bpf.h | 16 +++++++++++++
kernel/trace/bpf_trace.c | 41 ++++++++++++++++++++++++++++++++++
tools/include/uapi/linux/bpf.h | 16 +++++++++++++
3 files changed, 73 insertions(+)
diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h
index c3458ec1f30a..670998635eac 100644
--- a/include/uapi/linux/bpf.h
+++ b/include/uapi/linux/bpf.h
@@ -3817,6 +3817,21 @@ union bpf_attr {
* The **hash_algo** is returned on success,
* **-EOPNOTSUP** if IMA is disabled or **-EINVAL** if
* invalid arguments are passed.
+ *
+ * long bpf_kallsyms_lookup(u64 address, char *symbol, u32 symbol_size, char *module, u32 module_size)
+ * Description
+ * Uses kallsyms to write the name of the symbol at *address*
+ * into *symbol* of size *symbol_sz*. This is guaranteed to be
+ * zero terminated.
+ * If the symbol is in a module, up to *module_size* bytes of
+ * the module name is written in *module*. This is also
+ * guaranteed to be zero-terminated. Note: a module name
+ * is always shorter than 64 bytes.
+ * Return
+ * On success, the strictly positive length of the full symbol
+ * name, If this is greater than *symbol_size*, the written
+ * symbol is truncated.
+ * On error, a negative value.
*/
#define __BPF_FUNC_MAPPER(FN) \
FN(unspec), \
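Review bot: The Description refers to *symbol_sz*, but the parameter in the prototype line is `symbol_size`, so the generated helper documentation will name an argument that does not exist; it should read `into *symbol* of size *symbol_size*`. The Return text promises "the strictly positive length of the full symbol name", while the implementation in kernel/trace/bpf_trace.c returns `strlen(name) + 1`, so the comment should say the count includes the terminating NUL, and "name, If" should be "name. If". It would also help to state what happens to *module* when the symbol is not in a module, because a caller comparing the return value with *symbol_size* or reading *module* depends on those details. The identical text in the tools/include/uapi/linux/bpf.h hunk needs the same corrections.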
@@ -3981,6 +3996,7 @@ union bpf_attr {
FN(bprm_opts_set), \
FN(ktime_get_coarse_ns), \
FN(ima_inode_hash), \
+ FN(kallsyms_lookup), \
/* */
/* integer value in 'imm' field of BPF_CALL instruction selects which helper
diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c
index d255bc9b2bfa..9d86e20c2b13 100644
--- a/kernel/trace/bpf_trace.c
+++ b/kernel/trace/bpf_trace.c
@@ -17,6 +17,7 @@
#include <linux/error-injection.h>
#include <linux/btf_ids.h>
#include <linux/bpf_lsm.h>
+#include <linux/kallsyms.h>
#include <net/bpf_sk_storage.h>
@@ -1260,6 +1261,44 @@ const struct bpf_func_proto bpf_snprintf_btf_proto = {
.arg5_type = ARG_ANYTHING,
};
+BPF_CALL_5(bpf_kallsyms_lookup, u64, address, char *, symbol, u32, symbol_size,
+ char *, module, u32, module_size)
+{
+ char buffer[KSYM_SYMBOL_LEN];
+ unsigned long offset, size;
+ const char *name;
+ char *modname;
+ long ret;
+
+ name = kallsyms_lookup(address, &size, &offset, &modname, buffer);
+ if (!name)
+ return -EINVAL;
+
+ ret = strlen(name) + 1;
+ if (symbol_size) {
+ strncpy(symbol, name, symbol_size);
+ symbol[symbol_size - 1] = '\0';
+ }
+
+ if (modname && module_size) {
+ strncpy(module, modname, module_size);
+ module[module_size - 1] = '\0';
+ }
+
+ return ret;
+}
+
+const struct bpf_func_proto bpf_kallsyms_lookup_proto = {
+ .func = bpf_kallsyms_lookup,
+ .gpl_only = false,
+ .ret_type = RET_INTEGER,
+ .arg1_type = ARG_ANYTHING,
+ .arg2_type = ARG_PTR_TO_MEM,
+ .arg3_type = ARG_CONST_SIZE,
+ .arg4_type = ARG_PTR_TO_MEM,
+ .arg5_type = ARG_CONST_SIZE,
+};
+
const struct bpf_func_proto *
bpf_tracing_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
{
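Review bot: When *address* resolves to a built-in symbol, `modname` comes back NULL and the `if (modname && module_size)` branch is skipped, so *module* keeps whatever the program left in it and the documented zero-termination guarantee does not hold for that buffer. Adding `else if (module_size) module[0] = '\0';` gives callers an unambiguous empty string. Both sizes are declared `ARG_CONST_SIZE`, which to my knowledge the verifier rejects when zero, so the `symbol_size` and `module_size` tests look unreachable unless the proto was meant to use `ARG_CONST_SIZE_OR_ZERO`. The proto also sets `.gpl_only = false`; since the helper hands kernel symbol information to any tracing program, it is worth confirming that this is intended rather than `.gpl_only = true,`.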
@@ -1356,6 +1395,8 @@ bpf_tracing_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
return &bpf_per_cpu_ptr_proto;
case BPF_FUNC_bpf_this_cpu_ptr:
return &bpf_this_cpu_ptr_proto;
+ case BPF_FUNC_kallsyms_lookup:
+ return &bpf_kallsyms_lookup_proto;
default:
return NULL;
}
diff --git a/tools/include/uapi/linux/bpf.h b/tools/include/uapi/linux/bpf.h
index c3458ec1f30a..670998635eac 100644
--- a/tools/include/uapi/linux/bpf.h
+++ b/tools/include/uapi/linux/bpf.h
@@ -3817,6 +3817,21 @@ union bpf_attr {
* The **hash_algo** is returned on success,
* **-EOPNOTSUP** if IMA is disabled or **-EINVAL** if
* invalid arguments are passed.
+ *
+ * long bpf_kallsyms_lookup(u64 address, char *symbol, u32 symbol_size, char *module, u32 module_size)
+ * Description
+ * Uses kallsyms to write the name of the symbol at *address*
+ * into *symbol* of size *symbol_sz*. This is guaranteed to be
+ * zero terminated.
+ * If the symbol is in a module, up to *module_size* bytes of
+ * the module name is written in *module*. This is also
+ * guaranteed to be zero-terminated. Note: a module name
+ * is always shorter than 64 bytes.
+ * Return
+ * On success, the strictly positive length of the full symbol
+ * name, If this is greater than *symbol_size*, the written
+ * symbol is truncated.
+ * On error, a negative value.
*/
#define __BPF_FUNC_MAPPER(FN) \
FN(unspec), \
@@ -3981,6 +3996,7 @@ union bpf_attr {
FN(bprm_opts_set), \
FN(ktime_get_coarse_ns), \
FN(ima_inode_hash), \
+ FN(kallsyms_lookup), \
/* */
/* integer value in 'imm' field of BPF_CALL instruction selects which helper
--
2.29.2.454.gaff20da3a2-goog