Commit 174b1694 authored by Roberto Sassu's avatar Roberto Sassu Committed by Alexei Starovoitov

bpf-lsm: Introduce new helper bpf_ima_file_hash()



ima_file_hash() has been modified to calculate the measurement of a file on
demand, if it has not been already performed by IMA or the measurement is
not fresh. For compatibility reasons, ima_inode_hash() remains unchanged.

Keep the same approach in eBPF and introduce the new helper
bpf_ima_file_hash() to take advantage of the modified behavior of
ima_file_hash().

Signed-off-by: default avatarRoberto Sassu <roberto.sassu@huawei.com>
Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
Link: https://lore.kernel.org/bpf/20220302111404.193900-4-roberto.sassu@huawei.com
parent 280fe836
+11 −0
@@ -5119,6 +5119,16 @@ union bpf_attr {
 *		0 on success.
 *		**-EINVAL** for invalid input
 *		**-EOPNOTSUPP** for unsupported protocol
 *
 * long bpf_ima_file_hash(struct file *file, void *dst, u32 size)
 *	Description
 *		Returns a calculated IMA hash of the *file*.
 *		If the hash is larger than *size*, then only *size*
 *		bytes will be copied to *dst*
 *	Return
 *		The **hash_algo** is returned on success,
 *		**-EOPNOTSUP** if the hash calculation failed or **-EINVAL** if
 *		invalid arguments are passed.
 */
#define __BPF_FUNC_MAPPER(FN)		\
	FN(unspec),			\
@@ -5314,6 +5324,7 @@ union bpf_attr {
	FN(xdp_store_bytes),		\
	FN(copy_from_user_task),	\
	FN(skb_set_tstamp),		\
	FN(ima_file_hash),		\
	/* */

/* integer value in 'imm' field of BPF_CALL instruction selects which helper
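Review bot: The Return paragraph of the new bpf_ima_file_hash doc block misspells the errno: `**-EOPNOTSUP** if the hash calculation failed or **-EINVAL** if` should read `**-EOPNOTSUPP** if the hash calculation failed or **-EINVAL** if`, matching the spelling used for the previous helper three lines earlier and the kernel constant; helper docs are parsed into the bpf-helpers man page, so the typo will be published as-is. The Description also says a hash larger than *size* is silently cut to *size* bytes while the success value is the algorithm id rather than a byte count, so a program that sizes *dst* for one algorithm and compares the result with a stored digest may be comparing a truncated value without any error. I would add one sentence after the truncation note, e.g. `*dst* should be large enough for the largest digest IMA can be configured to produce; truncation is not reported.` The same comment block appears a second time later in this commit (the tools/ copy of the header) and needs the identical fix.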
+20 −0
@@ -99,6 +99,24 @@ static const struct bpf_func_proto bpf_ima_inode_hash_proto = {
	.allowed	= bpf_ima_inode_hash_allowed,
};

BPF_CALL_3(bpf_ima_file_hash, struct file *, file, void *, dst, u32, size)
{
	return ima_file_hash(file, dst, size);
}

BTF_ID_LIST_SINGLE(bpf_ima_file_hash_btf_ids, struct, file)

static const struct bpf_func_proto bpf_ima_file_hash_proto = {
	.func		= bpf_ima_file_hash,
	.gpl_only	= false,
	.ret_type	= RET_INTEGER,
	.arg1_type	= ARG_PTR_TO_BTF_ID,
	.arg1_btf_id	= &bpf_ima_file_hash_btf_ids[0],
	.arg2_type	= ARG_PTR_TO_UNINIT_MEM,
	.arg3_type	= ARG_CONST_SIZE,
	.allowed	= bpf_ima_inode_hash_allowed,
};

static const struct bpf_func_proto *
bpf_lsm_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
{
@@ -121,6 +139,8 @@ bpf_lsm_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
		return &bpf_bprm_opts_set_proto;
	case BPF_FUNC_ima_inode_hash:
		return prog->aux->sleepable ? &bpf_ima_inode_hash_proto : NULL;
	case BPF_FUNC_ima_file_hash:
		return prog->aux->sleepable ? &bpf_ima_file_hash_proto : NULL;
	default:
		return tracing_prog_func_proto(func_id, prog);
	}
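Review bot: bpf_ima_file_hash hands *dst* straight to ima_file_hash() and returns its result, while bpf_ima_file_hash_proto declares arg2 as ARG_PTR_TO_UNINIT_MEM, so after the call the verifier treats the whole *size* bytes of *dst* as initialized regardless of the return value. If ima_file_hash() leaves the buffer untouched on its -EINVAL/-EOPNOTSUPP paths (its body is not in this diff, and nothing here clears the buffer), a program that does not check the negative return reads whatever was previously on the stack at that location. Zeroing on failure, as the probe-read helpers do, closes that: `int ret = ima_file_hash(file, dst, size);` / `if (ret < 0) memset(dst, 0, size);` / `return ret;`. The pre-existing bpf_ima_inode_hash helper just above has the same shape, but that is outside this change. The last hunk line closes only the switch in bpf_lsm_func_proto; the function continues past the hunk.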
+11 −0
@@ -5119,6 +5119,16 @@ union bpf_attr {
 *		0 on success.
 *		**-EINVAL** for invalid input
 *		**-EOPNOTSUPP** for unsupported protocol
 *
 * long bpf_ima_file_hash(struct file *file, void *dst, u32 size)
 *	Description
 *		Returns a calculated IMA hash of the *file*.
 *		If the hash is larger than *size*, then only *size*
 *		bytes will be copied to *dst*
 *	Return
 *		The **hash_algo** is returned on success,
 *		**-EOPNOTSUP** if the hash calculation failed or **-EINVAL** if
 *		invalid arguments are passed.
 */
#define __BPF_FUNC_MAPPER(FN)		\
	FN(unspec),			\
@@ -5314,6 +5324,7 @@ union bpf_attr {
	FN(xdp_store_bytes),		\
	FN(copy_from_user_task),	\
	FN(skb_set_tstamp),		\
	FN(ima_file_hash),		\
	/* */

/* integer value in 'imm' field of BPF_CALL instruction selects which helper