Received: by 2002:a25:4158:0:0:0:0:0 with SMTP id o85csp585599yba; Fri, 5 Apr 2019 12:40:13 -0700 (PDT) X-Google-Smtp-Source: APXvYqxGxzg+i+urPYc9jCwFs3yePa0jiaO7OvhyFAlFOsLhM1IEuhZWOrzIcJFy6Duwatvwrmjo X-Received: by 2002:a63:c145:: with SMTP id p5mr13467923pgi.339.1554493213136; Fri, 05 Apr 2019 12:40:13 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1554493213; cv=none; d=google.com; s=arc-20160816; b=hEpmbSiIu6EzLAEzJ/e41LERIgTYlIl+6zdT6eDHFICzgAHwHhMiJdpMBVAECoRnJc fEuqi1R6AzdhCkBciDkI/9BcBWx5pT4dFJZnqKAxQKEBPwaq0lxWswsZ/DIEGVy/hn80 fZ9hLv/Sodcrpng8zs5ZEkcCKB6ytZiT6OxGbhytVGwMcyP7MUTLPGY3IRTX+mFMXJr/ j9nKlnoApqhlTBFPM4sKmg8n6dnqHO3h4EKkxhukK8s3D/OJ4eA1ove5jUahiD3eoO5E Aq/fno3Gq9TwIgwMImn093s9ArOnAINuC5mgPJIAfRLUWvIMK9WRDh1ix6bg+VsryD6c 0Nqw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:references:in-reply-to :message-id:date:subject:smtp-origin-cluster:cc:to :smtp-origin-hostname:from:smtp-origin-hostprefix:dkim-signature; bh=mO5DVqwI0JJLsbB2La9m8oK/98/gdlRYfe+GgHEYOiw=; b=Yc7KYIGZsNAV0tkmUzlpd2cCZ2m+GG6qlh5AZH+k3kvFkutYGEH1eZa7GI+gfutZ8O bohXoP3gEYdqO+16HS5SaUG0zplMzlt6H38K5I1E4esEm/5OJHH4VU0cutsRknO9x/GJ K3pMkJnhe3XwTr+ybANz/Nb1gLm+IUh0BMK4vx/97EHtp4NLBkjEjHGGdI31/a/NDnfz WCd4IFwd+x5B7v+8TVg8hKDYzT7vf+K0dZVu8YtPkIWfG35kZeK6ZY0mdJDvhWXV1Ox9 1V53cBzdUTWlzPqG285RDm8iCTdp0dwfSjosiW0PixmkrI7S0XjvTmf3niUbDnZ35eF0 Acng== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@fb.com header.s=facebook header.b=PyHSlZiy; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=fb.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id v77si19993312pfa.219.2019.04.05.12.39.57; Fri, 05 Apr 2019 12:40:13 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@fb.com header.s=facebook header.b=PyHSlZiy; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=fb.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732220AbfDETip (ORCPT + 99 others); Fri, 5 Apr 2019 15:38:45 -0400 Received: from mx0b-00082601.pphosted.com ([67.231.153.30]:34108 "EHLO mx0a-00082601.pphosted.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1731928AbfDETgt (ORCPT ); Fri, 5 Apr 2019 15:36:49 -0400 Received: from pps.filterd (m0089730.ppops.net [127.0.0.1]) by m0089730.ppops.net (8.16.0.27/8.16.0.27) with SMTP id x35Jahfq015755 for ; Fri, 5 Apr 2019 12:36:47 -0700 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fb.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : mime-version : content-type; s=facebook; bh=mO5DVqwI0JJLsbB2La9m8oK/98/gdlRYfe+GgHEYOiw=; b=PyHSlZiyg2gdkzi0YhV1ju33ckX7VWrqI8w4TY0863WSmtVUcLVctPlNqMoG85TFvdiB aER2XDSH2dlGQZvFUaPkWuQOmp8KPefu3BPNSn1Y0vOo1cJqt3sOryhguM/fenjCoc68 v+V4FqgY+nnx7/V0Y6ZZC5T6ZwyBu2fU0Vs= Received: from maileast.thefacebook.com ([199.201.65.23]) by m0089730.ppops.net with ESMTP id 2rpchfr612-10 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT) for ; Fri, 05 Apr 2019 12:36:47 -0700 Received: from mx-out.facebook.com (2620:10d:c0a1:3::13) by mail.thefacebook.com (2620:10d:c021:18::175) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA) id 15.1.1713.5; Fri, 5 Apr 2019 12:36:31 -0700 Received: by dev082.prn2.facebook.com (Postfix, from userid 572249) id 9168C3701752; Fri, 5 Apr 2019 12:36:29 -0700 (PDT) Smtp-Origin-Hostprefix: dev From: Andrey Ignatov Smtp-Origin-Hostname: dev082.prn2.facebook.com To: CC: Andrey Ignatov , , , , , Luis Chamberlain , Kees Cook , Alexey Dobriyan , , Smtp-Origin-Cluster: prn2c23 Subject: [PATCH v3 bpf-next 04/21] bpf: Introduce bpf_sysctl_get_current_value helper Date: Fri, 5 Apr 2019 12:35:26 -0700 Message-ID: <58f9bd2581d39ba20258cd0968680ae8235323b7.1554485409.git.rdna@fb.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: References: X-FB-Internal: Safe MIME-Version: 1.0 Content-Type: text/plain X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:,, definitions=2019-04-05_15:,, signatures=0 X-Proofpoint-Spam-Reason: safe X-FB-Internal: Safe Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Add bpf_sysctl_get_current_value() helper to copy current sysctl value into provided by BPF_PROG_TYPE_CGROUP_SYSCTL program buffer. It provides same string as user space can see by reading corresponding file in /proc/sys/, including new line, etc. Documentation for the new helper is provided in bpf.h UAPI. Since current value is kept in ctl_table->data in a parsed form, ctl_table->proc_handler() with write=0 is called to read that data and convert it to a string. Such a string can later be parsed by a program using helpers that will be introduced separately. Unfortunately it's not trivial to provide API to access parsed data due to variety of data representations (string, intvec, uintvec, ulongvec, custom structures, even NULL, etc). Instead it's assumed that user know how to handle specific sysctl they're interested in and appropriate helpers can be used. Since ctl_table->proc_handler() expects __user buffer, conversion to __user happens for kernel allocated one where the value is stored. Signed-off-by: Andrey Ignatov --- include/linux/filter.h | 2 ++ include/uapi/linux/bpf.h | 22 +++++++++++++- kernel/bpf/cgroup.c | 65 ++++++++++++++++++++++++++++++++++++++++ 3 files changed, 88 insertions(+), 1 deletion(-) diff --git a/include/linux/filter.h b/include/linux/filter.h index a17732057880..f254ff92819f 100644 --- a/include/linux/filter.h +++ b/include/linux/filter.h @@ -1182,6 +1182,8 @@ struct bpf_sock_ops_kern { struct bpf_sysctl_kern { struct ctl_table_header *head; struct ctl_table *table; + void *cur_val; + size_t cur_len; int write; }; diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h index c9e8a1f22c14..481e66cce8dc 100644 --- a/include/uapi/linux/bpf.h +++ b/include/uapi/linux/bpf.h @@ -2495,6 +2495,25 @@ union bpf_attr { * * **-E2BIG** if the buffer wasn't big enough (*buf* will contain * truncated name in this case). + * + * int bpf_sysctl_get_current_value(struct bpf_sysctl *ctx, char *buf, size_t buf_len) + * Description + * Get current value of sysctl as it is presented in /proc/sys + * (incl. newline, etc), and copy it as a string into provided + * by program buffer *buf* of size *buf_len*. + * + * The whole value is copied, no matter what file position user + * space issued e.g. sys_read at. + * + * The buffer is always NUL terminated, unless it's zero-sized. + * Return + * Number of character copied (not including the trailing NUL). + * + * **-E2BIG** if the buffer wasn't big enough (*buf* will contain + * truncated name in this case). + * + * **-EINVAL** if current value was unavailable, e.g. because + * sysctl is uninitialized and read returns -EIO for it. */ #define __BPF_FUNC_MAPPER(FN) \ FN(unspec), \ @@ -2598,7 +2617,8 @@ union bpf_attr { FN(get_listener_sock), \ FN(skc_lookup_tcp), \ FN(tcp_check_syncookie), \ - FN(sysctl_get_name), + FN(sysctl_get_name), \ + FN(sysctl_get_current_value), /* integer value in 'imm' field of BPF_CALL instruction selects which helper * function eBPF program intends to call diff --git a/kernel/bpf/cgroup.c b/kernel/bpf/cgroup.c index a68387043244..c6b2cf29a54b 100644 --- a/kernel/bpf/cgroup.c +++ b/kernel/bpf/cgroup.c @@ -794,15 +794,37 @@ int __cgroup_bpf_run_filter_sysctl(struct ctl_table_header *head, .head = head, .table = table, .write = write, + .cur_val = NULL, + .cur_len = PAGE_SIZE, }; struct cgroup *cgrp; int ret; + ctx.cur_val = kmalloc_track_caller(ctx.cur_len, GFP_KERNEL); + if (ctx.cur_val) { + mm_segment_t old_fs; + loff_t pos = 0; + + old_fs = get_fs(); + set_fs(KERNEL_DS); + if (table->proc_handler(table, 0, (void __user *)ctx.cur_val, + &ctx.cur_len, &pos)) { + /* Let BPF program decide how to proceed. */ + ctx.cur_len = 0; + } + set_fs(old_fs); + } else { + /* Let BPF program decide how to proceed. */ + ctx.cur_len = 0; + } + rcu_read_lock(); cgrp = task_dfl_cgroup(current); ret = BPF_PROG_RUN_ARRAY(cgrp->bpf.effective[type], &ctx, BPF_PROG_RUN); rcu_read_unlock(); + kfree(ctx.cur_val); + return ret == 1 ? 0 : -EPERM; } EXPORT_SYMBOL(__cgroup_bpf_run_filter_sysctl); @@ -869,12 +891,55 @@ static const struct bpf_func_proto bpf_sysctl_get_name_proto = { .arg4_type = ARG_ANYTHING, }; +static int copy_sysctl_value(char *dst, size_t dst_len, char *src, + size_t src_len) +{ + if (!dst) + return -EINVAL; + + if (!dst_len) + return -E2BIG; + + if (!src || !src_len) { + memset(dst, 0, dst_len); + return -EINVAL; + } + + memcpy(dst, src, min(dst_len, src_len)); + + if (dst_len > src_len) { + memset(dst + src_len, '\0', dst_len - src_len); + return src_len; + } + + dst[dst_len - 1] = '\0'; + + return -E2BIG; +} + +BPF_CALL_3(bpf_sysctl_get_current_value, struct bpf_sysctl_kern *, ctx, + char *, buf, size_t, buf_len) +{ + return copy_sysctl_value(buf, buf_len, ctx->cur_val, ctx->cur_len); +} + +static const struct bpf_func_proto bpf_sysctl_get_current_value_proto = { + .func = bpf_sysctl_get_current_value, + .gpl_only = false, + .ret_type = RET_INTEGER, + .arg1_type = ARG_PTR_TO_CTX, + .arg2_type = ARG_PTR_TO_UNINIT_MEM, + .arg3_type = ARG_CONST_SIZE, +}; + static const struct bpf_func_proto * sysctl_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog) { switch (func_id) { case BPF_FUNC_sysctl_get_name: return &bpf_sysctl_get_name_proto; + case BPF_FUNC_sysctl_get_current_value: + return &bpf_sysctl_get_current_value_proto; default: return cgroup_base_func_proto(func_id, prog); } -- 2.17.1