[PATCH v5 2/5] bpf: Add bpf_lookup_user_key() and bpf_key_put() helpers
From: Roberto Sassu
Date: Tue Jun 21 2022 - 12:39:08 EST
Add the bpf_lookup_user_key() and bpf_key_put() helpers, to respectively
search a key with a given serial, and release the reference count of the
found key.
Signed-off-by: Roberto Sassu <roberto.sassu@xxxxxxxxxx>
---
include/uapi/linux/bpf.h | 16 ++++++++++++
kernel/bpf/bpf_lsm.c | 46 ++++++++++++++++++++++++++++++++++
kernel/bpf/verifier.c | 6 +++--
scripts/bpf_doc.py | 2 ++
tools/include/uapi/linux/bpf.h | 16 ++++++++++++
5 files changed, 84 insertions(+), 2 deletions(-)
diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h
index e81362891596..7bbcf2cd105d 100644
--- a/include/uapi/linux/bpf.h
+++ b/include/uapi/linux/bpf.h
@@ -5325,6 +5325,20 @@ union bpf_attr {
* **-EACCES** if the SYN cookie is not valid.
*
* **-EPROTONOSUPPORT** if CONFIG_IPV6 is not builtin.
+ *
+ * struct key *bpf_lookup_user_key(u32 serial, unsigned long flags)
+ * Description
+ * Search a key with a given *serial* and the provided *flags*, and
+ * increment the reference count of the key.
+ * Return
+ * A key pointer if the key is found, a NULL pointer otherwise.
+ *
+ * void bpf_key_put(struct key *key)
+ * Description
+ * Decrement the reference count of the key obtained with the
+ * bpf_lookup_user_key() helper.
+ * Return
+ * 0
*/
#define __BPF_FUNC_MAPPER(FN) \
FN(unspec), \
@@ -5535,6 +5549,8 @@ union bpf_attr {
FN(tcp_raw_gen_syncookie_ipv6), \
FN(tcp_raw_check_syncookie_ipv4), \
FN(tcp_raw_check_syncookie_ipv6), \
+ FN(lookup_user_key), \
+ FN(key_put), \
/* */
/* integer value in 'imm' field of BPF_CALL instruction selects which helper
diff --git a/kernel/bpf/bpf_lsm.c b/kernel/bpf/bpf_lsm.c
index c1351df9f7ee..bbbf9640f391 100644
--- a/kernel/bpf/bpf_lsm.c
+++ b/kernel/bpf/bpf_lsm.c
@@ -132,6 +132,46 @@ static const struct bpf_func_proto bpf_get_attach_cookie_proto = {
.arg1_type = ARG_PTR_TO_CTX,
};
+#ifdef CONFIG_KEYS
+BTF_ID_LIST_SINGLE(btf_key_ids, struct, key)
+
+BPF_CALL_2(bpf_lookup_user_key, u32, serial, unsigned long, flags)
+{
+ key_ref_t key_ref;
+
+ key_ref = lookup_user_key(serial, flags, KEY_NEED_SEARCH);
+ if (IS_ERR(key_ref))
+ return (unsigned long)NULL;
+
+ return (unsigned long)key_ref_to_ptr(key_ref);
+}
+
+static const struct bpf_func_proto bpf_lookup_user_key_proto = {
+ .func = bpf_lookup_user_key,
+ .gpl_only = false,
+ .ret_type = RET_PTR_TO_BTF_ID_OR_NULL,
+ .ret_btf_id = &btf_key_ids[0],
+ .arg1_type = ARG_ANYTHING,
+ .arg2_type = ARG_ANYTHING,
+ .allowed = bpf_ima_inode_hash_allowed,
+};
+
+BPF_CALL_1(bpf_key_put, struct key *, key)
+{
+ key_put(key);
+ return 0;
+}
+
+static const struct bpf_func_proto bpf_key_put_proto = {
+ .func = bpf_key_put,
+ .gpl_only = false,
+ .ret_type = RET_VOID,
+ .arg1_type = ARG_PTR_TO_BTF_ID | OBJ_RELEASE,
+ .arg1_btf_id = &btf_key_ids[0],
+ .allowed = bpf_ima_inode_hash_allowed,
+};
+#endif /* CONFIG_KEYS */
+
static const struct bpf_func_proto *
bpf_lsm_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
{
@@ -158,6 +198,12 @@ bpf_lsm_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
return prog->aux->sleepable ? &bpf_ima_file_hash_proto : NULL;
case BPF_FUNC_get_attach_cookie:
return bpf_prog_has_trampoline(prog) ? &bpf_get_attach_cookie_proto : NULL;
+#ifdef CONFIG_KEYS
+ case BPF_FUNC_lookup_user_key:
+ return &bpf_lookup_user_key_proto;
+ case BPF_FUNC_key_put:
+ return &bpf_key_put_proto;
+#endif /* CONFIG_KEYS */
default:
return tracing_prog_func_proto(func_id, prog);
}
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index bf72dc511df6..12f06ca649a4 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -483,7 +483,8 @@ static bool may_be_acquire_function(enum bpf_func_id func_id)
func_id == BPF_FUNC_sk_lookup_udp ||
func_id == BPF_FUNC_skc_lookup_tcp ||
func_id == BPF_FUNC_map_lookup_elem ||
- func_id == BPF_FUNC_ringbuf_reserve;
+ func_id == BPF_FUNC_ringbuf_reserve ||
+ func_id == BPF_FUNC_lookup_user_key;
}
static bool is_acquire_function(enum bpf_func_id func_id,
@@ -495,7 +496,8 @@ static bool is_acquire_function(enum bpf_func_id func_id,
func_id == BPF_FUNC_sk_lookup_udp ||
func_id == BPF_FUNC_skc_lookup_tcp ||
func_id == BPF_FUNC_ringbuf_reserve ||
- func_id == BPF_FUNC_kptr_xchg)
+ func_id == BPF_FUNC_kptr_xchg ||
+ func_id == BPF_FUNC_lookup_user_key)
return true;
if (func_id == BPF_FUNC_map_lookup_elem &&
diff --git a/scripts/bpf_doc.py b/scripts/bpf_doc.py
index a0ec321469bd..3d5a7ad6f493 100755
--- a/scripts/bpf_doc.py
+++ b/scripts/bpf_doc.py
@@ -637,6 +637,7 @@ class PrinterHelpers(Printer):
'struct bpf_dynptr',
'struct iphdr',
'struct ipv6hdr',
+ 'struct key',
]
known_types = {
'...',
@@ -690,6 +691,7 @@ class PrinterHelpers(Printer):
'struct bpf_dynptr',
'struct iphdr',
'struct ipv6hdr',
+ 'struct key',
}
mapped_types = {
'u8': '__u8',
diff --git a/tools/include/uapi/linux/bpf.h b/tools/include/uapi/linux/bpf.h
index e81362891596..7bbcf2cd105d 100644
--- a/tools/include/uapi/linux/bpf.h
+++ b/tools/include/uapi/linux/bpf.h
@@ -5325,6 +5325,20 @@ union bpf_attr {
* **-EACCES** if the SYN cookie is not valid.
*
* **-EPROTONOSUPPORT** if CONFIG_IPV6 is not builtin.
+ *
+ * struct key *bpf_lookup_user_key(u32 serial, unsigned long flags)
+ * Description
+ * Search a key with a given *serial* and the provided *flags*, and
+ * increment the reference count of the key.
+ * Return
+ * A key pointer if the key is found, a NULL pointer otherwise.
+ *
+ * void bpf_key_put(struct key *key)
+ * Description
+ * Decrement the reference count of the key obtained with the
+ * bpf_lookup_user_key() helper.
+ * Return
+ * 0
*/
#define __BPF_FUNC_MAPPER(FN) \
FN(unspec), \
@@ -5535,6 +5549,8 @@ union bpf_attr {
FN(tcp_raw_gen_syncookie_ipv6), \
FN(tcp_raw_check_syncookie_ipv4), \
FN(tcp_raw_check_syncookie_ipv6), \
+ FN(lookup_user_key), \
+ FN(key_put), \
/* */
/* integer value in 'imm' field of BPF_CALL instruction selects which helper
--
2.25.1