bpf: Add a BPF helper for getting the IMA hash of an inode
Provide a wrapper function to get the IMA hash of an inode. This helper is useful in fingerprinting files (e.g executables on execution) and using these fingerprints in detections like an executable unlinking itself. Since the ima_inode_hash can sleep, it's only allowed for sleepable LSM hooks. Signed-off-by: KP Singh <kpsingh@google.com> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Acked-by: Yonghong Song <yhs@fb.com> Link: https://lore.kernel.org/bpf/20201124151210.1081188-3-kpsingh@chromium.org
This commit is contained in:
parent
403319be5d
commit
27672f0d28
@ -3807,6 +3807,16 @@ union bpf_attr {
|
|||||||
* See: **clock_gettime**\ (**CLOCK_MONOTONIC_COARSE**)
|
* See: **clock_gettime**\ (**CLOCK_MONOTONIC_COARSE**)
|
||||||
* Return
|
* Return
|
||||||
* Current *ktime*.
|
* Current *ktime*.
|
||||||
|
*
|
||||||
|
* long bpf_ima_inode_hash(struct inode *inode, void *dst, u32 size)
|
||||||
|
* Description
|
||||||
|
* Returns the stored IMA hash of the *inode* (if it's avaialable).
|
||||||
|
* If the hash is larger than *size*, then only *size*
|
||||||
|
* bytes will be copied to *dst*
|
||||||
|
* Return
|
||||||
|
* The **hash_algo** is returned on success,
|
||||||
|
* **-EOPNOTSUP** if IMA is disabled or **-EINVAL** if
|
||||||
|
* invalid arguments are passed.
|
||||||
*/
|
*/
|
||||||
#define __BPF_FUNC_MAPPER(FN) \
|
#define __BPF_FUNC_MAPPER(FN) \
|
||||||
FN(unspec), \
|
FN(unspec), \
|
||||||
@ -3970,6 +3980,7 @@ union bpf_attr {
|
|||||||
FN(get_current_task_btf), \
|
FN(get_current_task_btf), \
|
||||||
FN(bprm_opts_set), \
|
FN(bprm_opts_set), \
|
||||||
FN(ktime_get_coarse_ns), \
|
FN(ktime_get_coarse_ns), \
|
||||||
|
FN(ima_inode_hash), \
|
||||||
/* */
|
/* */
|
||||||
|
|
||||||
/* integer value in 'imm' field of BPF_CALL instruction selects which helper
|
/* integer value in 'imm' field of BPF_CALL instruction selects which helper
|
||||||
|
@ -15,6 +15,7 @@
|
|||||||
#include <net/bpf_sk_storage.h>
|
#include <net/bpf_sk_storage.h>
|
||||||
#include <linux/bpf_local_storage.h>
|
#include <linux/bpf_local_storage.h>
|
||||||
#include <linux/btf_ids.h>
|
#include <linux/btf_ids.h>
|
||||||
|
#include <linux/ima.h>
|
||||||
|
|
||||||
/* For every LSM hook that allows attachment of BPF programs, declare a nop
|
/* For every LSM hook that allows attachment of BPF programs, declare a nop
|
||||||
* function where a BPF program can be attached.
|
* function where a BPF program can be attached.
|
||||||
@ -75,6 +76,29 @@ const static struct bpf_func_proto bpf_bprm_opts_set_proto = {
|
|||||||
.arg2_type = ARG_ANYTHING,
|
.arg2_type = ARG_ANYTHING,
|
||||||
};
|
};
|
||||||
|
|
||||||
|
BPF_CALL_3(bpf_ima_inode_hash, struct inode *, inode, void *, dst, u32, size)
|
||||||
|
{
|
||||||
|
return ima_inode_hash(inode, dst, size);
|
||||||
|
}
|
||||||
|
|
||||||
|
static bool bpf_ima_inode_hash_allowed(const struct bpf_prog *prog)
|
||||||
|
{
|
||||||
|
return bpf_lsm_is_sleepable_hook(prog->aux->attach_btf_id);
|
||||||
|
}
|
||||||
|
|
||||||
|
BTF_ID_LIST_SINGLE(bpf_ima_inode_hash_btf_ids, struct, inode)
|
||||||
|
|
||||||
|
const static struct bpf_func_proto bpf_ima_inode_hash_proto = {
|
||||||
|
.func = bpf_ima_inode_hash,
|
||||||
|
.gpl_only = false,
|
||||||
|
.ret_type = RET_INTEGER,
|
||||||
|
.arg1_type = ARG_PTR_TO_BTF_ID,
|
||||||
|
.arg1_btf_id = &bpf_ima_inode_hash_btf_ids[0],
|
||||||
|
.arg2_type = ARG_PTR_TO_UNINIT_MEM,
|
||||||
|
.arg3_type = ARG_CONST_SIZE,
|
||||||
|
.allowed = bpf_ima_inode_hash_allowed,
|
||||||
|
};
|
||||||
|
|
||||||
static const struct bpf_func_proto *
|
static const struct bpf_func_proto *
|
||||||
bpf_lsm_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
|
bpf_lsm_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
|
||||||
{
|
{
|
||||||
@ -97,6 +121,8 @@ bpf_lsm_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
|
|||||||
return &bpf_task_storage_delete_proto;
|
return &bpf_task_storage_delete_proto;
|
||||||
case BPF_FUNC_bprm_opts_set:
|
case BPF_FUNC_bprm_opts_set:
|
||||||
return &bpf_bprm_opts_set_proto;
|
return &bpf_bprm_opts_set_proto;
|
||||||
|
case BPF_FUNC_ima_inode_hash:
|
||||||
|
return prog->aux->sleepable ? &bpf_ima_inode_hash_proto : NULL;
|
||||||
default:
|
default:
|
||||||
return tracing_prog_func_proto(func_id, prog);
|
return tracing_prog_func_proto(func_id, prog);
|
||||||
}
|
}
|
||||||
|
@ -436,6 +436,7 @@ class PrinterHelpers(Printer):
|
|||||||
'struct xdp_md',
|
'struct xdp_md',
|
||||||
'struct path',
|
'struct path',
|
||||||
'struct btf_ptr',
|
'struct btf_ptr',
|
||||||
|
'struct inode',
|
||||||
]
|
]
|
||||||
known_types = {
|
known_types = {
|
||||||
'...',
|
'...',
|
||||||
@ -480,6 +481,7 @@ class PrinterHelpers(Printer):
|
|||||||
'struct task_struct',
|
'struct task_struct',
|
||||||
'struct path',
|
'struct path',
|
||||||
'struct btf_ptr',
|
'struct btf_ptr',
|
||||||
|
'struct inode',
|
||||||
}
|
}
|
||||||
mapped_types = {
|
mapped_types = {
|
||||||
'u8': '__u8',
|
'u8': '__u8',
|
||||||
|
@ -3807,6 +3807,16 @@ union bpf_attr {
|
|||||||
* See: **clock_gettime**\ (**CLOCK_MONOTONIC_COARSE**)
|
* See: **clock_gettime**\ (**CLOCK_MONOTONIC_COARSE**)
|
||||||
* Return
|
* Return
|
||||||
* Current *ktime*.
|
* Current *ktime*.
|
||||||
|
*
|
||||||
|
* long bpf_ima_inode_hash(struct inode *inode, void *dst, u32 size)
|
||||||
|
* Description
|
||||||
|
* Returns the stored IMA hash of the *inode* (if it's avaialable).
|
||||||
|
* If the hash is larger than *size*, then only *size*
|
||||||
|
* bytes will be copied to *dst*
|
||||||
|
* Return
|
||||||
|
* The **hash_algo** is returned on success,
|
||||||
|
* **-EOPNOTSUP** if IMA is disabled or **-EINVAL** if
|
||||||
|
* invalid arguments are passed.
|
||||||
*/
|
*/
|
||||||
#define __BPF_FUNC_MAPPER(FN) \
|
#define __BPF_FUNC_MAPPER(FN) \
|
||||||
FN(unspec), \
|
FN(unspec), \
|
||||||
@ -3970,6 +3980,7 @@ union bpf_attr {
|
|||||||
FN(get_current_task_btf), \
|
FN(get_current_task_btf), \
|
||||||
FN(bprm_opts_set), \
|
FN(bprm_opts_set), \
|
||||||
FN(ktime_get_coarse_ns), \
|
FN(ktime_get_coarse_ns), \
|
||||||
|
FN(ima_inode_hash), \
|
||||||
/* */
|
/* */
|
||||||
|
|
||||||
/* integer value in 'imm' field of BPF_CALL instruction selects which helper
|
/* integer value in 'imm' field of BPF_CALL instruction selects which helper
|
||||||
|
Loading…
Reference in New Issue
Block a user