88 lines
2.7 KiB
C
88 lines
2.7 KiB
C
// SPDX-License-Identifier: GPL-2.0
|
|
/* Copyright (c) 2023 Meta Platforms, Inc. and affiliates. */
|
|
|
|
#include "vmlinux.h"
|
|
#include <errno.h>
|
|
#include <bpf/bpf_helpers.h>
|
|
#include <bpf/bpf_tracing.h>
|
|
#include "bpf_kfuncs.h"
|
|
#include "err.h"
|
|
|
|
char _license[] SEC("license") = "GPL";
|
|
|
|
#ifndef SHA256_DIGEST_SIZE
|
|
#define SHA256_DIGEST_SIZE 32
|
|
#endif
|
|
|
|
#define MAX_SIG_SIZE 1024
|
|
|
|
/* By default, "fsverity sign" signs a file with fsverity_formatted_digest
|
|
* of the file. fsverity_formatted_digest on the kernel side is only used
|
|
* with CONFIG_FS_VERITY_BUILTIN_SIGNATURES. However, BPF LSM doesn't not
|
|
* require CONFIG_FS_VERITY_BUILTIN_SIGNATURES, so vmlinux.h may not have
|
|
* fsverity_formatted_digest. In this test, we intentionally avoid using
|
|
* fsverity_formatted_digest.
|
|
*
|
|
* Luckily, fsverity_formatted_digest is simply 8-byte magic followed by
|
|
* fsverity_digest. We use a char array of size fsverity_formatted_digest
|
|
* plus SHA256_DIGEST_SIZE. The magic part of it is filled by user space,
|
|
* and the rest of it is filled by bpf_get_fsverity_digest.
|
|
*
|
|
* Note that, generating signatures based on fsverity_formatted_digest is
|
|
* the design choice of this selftest (and "fsverity sign"). With BPF
|
|
* LSM, we have the flexibility to generate signature based on other data
|
|
* sets, for example, fsverity_digest or only the digest[] part of it.
|
|
*/
|
|
#define MAGIC_SIZE 8
|
|
#define SIZEOF_STRUCT_FSVERITY_DIGEST 4 /* sizeof(struct fsverity_digest) */
|
|
char digest[MAGIC_SIZE + SIZEOF_STRUCT_FSVERITY_DIGEST + SHA256_DIGEST_SIZE];
|
|
|
|
__u32 monitored_pid;
|
|
char sig[MAX_SIG_SIZE];
|
|
__u32 sig_size;
|
|
__u32 user_keyring_serial;
|
|
|
|
SEC("lsm.s/file_open")
|
|
int BPF_PROG(test_file_open, struct file *f)
|
|
{
|
|
struct bpf_dynptr digest_ptr, sig_ptr;
|
|
struct bpf_key *trusted_keyring;
|
|
__u32 pid;
|
|
int ret;
|
|
|
|
pid = bpf_get_current_pid_tgid() >> 32;
|
|
if (pid != monitored_pid)
|
|
return 0;
|
|
|
|
/* digest_ptr points to fsverity_digest */
|
|
bpf_dynptr_from_mem(digest + MAGIC_SIZE, sizeof(digest) - MAGIC_SIZE, 0, &digest_ptr);
|
|
|
|
ret = bpf_get_fsverity_digest(f, &digest_ptr);
|
|
/* No verity, allow access */
|
|
if (ret < 0)
|
|
return 0;
|
|
|
|
/* Move digest_ptr to fsverity_formatted_digest */
|
|
bpf_dynptr_from_mem(digest, sizeof(digest), 0, &digest_ptr);
|
|
|
|
/* Read signature from xattr */
|
|
bpf_dynptr_from_mem(sig, sizeof(sig), 0, &sig_ptr);
|
|
ret = bpf_get_file_xattr(f, "user.sig", &sig_ptr);
|
|
/* No signature, reject access */
|
|
if (ret < 0)
|
|
return -EPERM;
|
|
|
|
trusted_keyring = bpf_lookup_user_key(user_keyring_serial, 0);
|
|
if (!trusted_keyring)
|
|
return -ENOENT;
|
|
|
|
/* Verify signature */
|
|
ret = bpf_verify_pkcs7_signature(&digest_ptr, &sig_ptr, trusted_keyring);
|
|
|
|
bpf_key_put(trusted_keyring);
|
|
|
|
set_if_not_errno_or_zero(ret, -EFAULT);
|
|
|
|
return ret;
|
|
}
|