bpf: Add BPF token support to BPF_PROG_LOAD command

#ifdef CONFIG_SECURITY

	void *security;

#endif

	struct bpf_token *token;

	struct bpf_prog_offload *offload;

	struct btf *btf;

	struct bpf_func_info *func_info;

	struct user_namespace *userns;

	u64 allowed_cmds;

	u64 allowed_maps;

	u64 allowed_progs;

	u64 allowed_attachs;

};

struct bpf_struct_ops_value;

bool bpf_token_allow_cmd(const struct bpf_token *token, enum bpf_cmd cmd);

bool bpf_token_allow_map_type(const struct bpf_token *token, enum bpf_map_type type);

bool bpf_token_allow_prog_type(const struct bpf_token *token,

			       enum bpf_prog_type prog_type,

			       enum bpf_attach_type attach_type);

int bpf_obj_pin_user(u32 ufd, int path_fd, const char __user *pathname);

int bpf_obj_get_user(int path_fd, const char __user *pathname, int flags);

	BPF_PROG_TYPE_SK_LOOKUP,

	BPF_PROG_TYPE_SYSCALL, /* a program that can execute syscalls */

	BPF_PROG_TYPE_NETFILTER,

	__MAX_BPF_PROG_TYPE

};

enum bpf_attach_type {

		 * truncated), or smaller (if log buffer wasn't filled completely).

		 */

		__u32		log_true_size;

		/* BPF token FD to use with BPF_PROG_LOAD operation.

		 * If provided, prog_flags should have BPF_F_TOKEN_FD flag set.

		 */

		__s32		prog_token_fd;

	};

	struct { /* anonymous struct used by BPF_OBJ_* commands */

	if (aux->dst_prog)

		bpf_prog_put(aux->dst_prog);

	bpf_token_put(aux->token);

	INIT_WORK(&aux->work, bpf_prog_free_deferred);

	schedule_work(&aux->work);

}

	else if (opts->delegate_maps)

		seq_printf(m, ",delegate_maps=0x%llx", opts->delegate_maps);

	if (opts->delegate_progs == ~0ULL)

	mask = (1ULL << __MAX_BPF_PROG_TYPE) - 1;

	if ((opts->delegate_progs & mask) == mask)

		seq_printf(m, ",delegate_progs=any");

	else if (opts->delegate_progs)

		seq_printf(m, ",delegate_progs=0x%llx", opts->delegate_progs);

	if (opts->delegate_attachs == ~0ULL)

	mask = (1ULL << __MAX_BPF_ATTACH_TYPE) - 1;

	if ((opts->delegate_attachs & mask) == mask)

		seq_printf(m, ",delegate_attachs=any");

	else if (opts->delegate_attachs)

		seq_printf(m, ",delegate_attachs=0x%llx", opts->delegate_attachs);

}

/* last field in 'union bpf_attr' used by this command */

#define	BPF_PROG_LOAD_LAST_FIELD log_true_size

#define BPF_PROG_LOAD_LAST_FIELD prog_token_fd

static int bpf_prog_load(union bpf_attr *attr, bpfptr_t uattr, u32 uattr_size)

{

	enum bpf_prog_type type = attr->prog_type;

	struct bpf_prog *prog, *dst_prog = NULL;

	struct btf *attach_btf = NULL;

	struct bpf_token *token = NULL;

	bool bpf_cap;

	int err;

	char license[128];

				 BPF_F_TEST_RND_HI32 |

				 BPF_F_XDP_HAS_FRAGS |

				 BPF_F_XDP_DEV_BOUND_ONLY |

				 BPF_F_TEST_REG_INVARIANTS))

				 BPF_F_TEST_REG_INVARIANTS |

				 BPF_F_TOKEN_FD))

		return -EINVAL;

	bpf_prog_load_fixup_attach_type(attr);

	if (attr->prog_flags & BPF_F_TOKEN_FD) {

		token = bpf_token_get_from_fd(attr->prog_token_fd);

		if (IS_ERR(token))

			return PTR_ERR(token);

		/* if current token doesn't grant prog loading permissions,

		 * then we can't use this token, so ignore it and rely on

		 * system-wide capabilities checks

		 */

		if (!bpf_token_allow_cmd(token, BPF_PROG_LOAD) ||

		    !bpf_token_allow_prog_type(token, attr->prog_type,

					       attr->expected_attach_type)) {

			bpf_token_put(token);

			token = NULL;

		}

	}

	bpf_cap = bpf_token_capable(token, CAP_BPF);

	err = -EPERM;

	if (!IS_ENABLED(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS) &&

	    (attr->prog_flags & BPF_F_ANY_ALIGNMENT) &&

	    !bpf_capable())

		return -EPERM;

	    !bpf_cap)

		goto put_token;

	/* Intent here is for unprivileged_bpf_disabled to block BPF program

	 * creation for unprivileged users; other actions depend

	 * capability checks are still carried out for these

	 * and other operations.

	 */

	if (sysctl_unprivileged_bpf_disabled && !bpf_capable())

		return -EPERM;

	if (sysctl_unprivileged_bpf_disabled && !bpf_cap)

		goto put_token;

	if (attr->insn_cnt == 0 ||

	    attr->insn_cnt > (bpf_capable() ? BPF_COMPLEXITY_LIMIT_INSNS : BPF_MAXINSNS))

		return -E2BIG;

	    attr->insn_cnt > (bpf_cap ? BPF_COMPLEXITY_LIMIT_INSNS : BPF_MAXINSNS)) {

		err = -E2BIG;

		goto put_token;

	}

	if (type != BPF_PROG_TYPE_SOCKET_FILTER &&

	    type != BPF_PROG_TYPE_CGROUP_SKB &&

	    !bpf_capable())

		return -EPERM;

	    !bpf_cap)

		goto put_token;

	if (is_net_admin_prog_type(type) && !bpf_net_capable())

		return -EPERM;

	if (is_perfmon_prog_type(type) && !perfmon_capable())

		return -EPERM;

	if (is_net_admin_prog_type(type) && !bpf_token_capable(token, CAP_NET_ADMIN))

		goto put_token;

	if (is_perfmon_prog_type(type) && !bpf_token_capable(token, CAP_PERFMON))

		goto put_token;

	/* attach_prog_fd/attach_btf_obj_fd can specify fd of either bpf_prog

	 * or btf, we need to check which one it is

		if (IS_ERR(dst_prog)) {

			dst_prog = NULL;

			attach_btf = btf_get_by_fd(attr->attach_btf_obj_fd);

			if (IS_ERR(attach_btf))

				return -EINVAL;

			if (IS_ERR(attach_btf)) {

				err = -EINVAL;

				goto put_token;

			}

			if (!btf_is_kernel(attach_btf)) {

				/* attaching through specifying bpf_prog's BTF

				 * objects directly might be supported eventually

				 */

				btf_put(attach_btf);

				return -ENOTSUPP;

				err = -ENOTSUPP;

				goto put_token;

			}

		}

	} else if (attr->attach_btf_id) {

		/* fall back to vmlinux BTF, if BTF type ID is specified */

		attach_btf = bpf_get_btf_vmlinux();

		if (IS_ERR(attach_btf))

			return PTR_ERR(attach_btf);

		if (!attach_btf)

			return -EINVAL;

		if (IS_ERR(attach_btf)) {

			err = PTR_ERR(attach_btf);

			goto put_token;

		}

		if (!attach_btf) {

			err = -EINVAL;

			goto put_token;

		}

		btf_get(attach_btf);

	}

	bpf_prog_load_fixup_attach_type(attr);

	if (bpf_prog_load_check_attach(type, attr->expected_attach_type,

				       attach_btf, attr->attach_btf_id,

				       dst_prog)) {

			bpf_prog_put(dst_prog);

		if (attach_btf)

			btf_put(attach_btf);

		return -EINVAL;

		err = -EINVAL;

		goto put_token;

	}

	/* plain bpf_prog allocation */

			bpf_prog_put(dst_prog);

		if (attach_btf)

			btf_put(attach_btf);

		return -ENOMEM;

		err = -EINVAL;

		goto put_token;

	}

	prog->expected_attach_type = attr->expected_attach_type;

	prog->aux->sleepable = attr->prog_flags & BPF_F_SLEEPABLE;

	prog->aux->xdp_has_frags = attr->prog_flags & BPF_F_XDP_HAS_FRAGS;

	/* move token into prog->aux, reuse taken refcnt */

	prog->aux->token = token;

	token = NULL;

	err = security_bpf_prog_alloc(prog->aux);

	if (err)

		goto free_prog;

	if (prog->aux->attach_btf)

		btf_put(prog->aux->attach_btf);

	bpf_prog_free(prog);

put_token:

	bpf_token_put(token);

	return err;

}

	case BPF_PROG_TYPE_SK_LOOKUP:

		return attach_type == prog->expected_attach_type ? 0 : -EINVAL;

	case BPF_PROG_TYPE_CGROUP_SKB:

		if (!bpf_net_capable())

		if (!bpf_token_capable(prog->aux->token, CAP_NET_ADMIN))

			/* cg-skb progs can be loaded by unpriv user.

			 * check permissions at attach time.

			 */