bpf: take into account BPF token when fetching helper protos

author Andrii Nakryiko <andrii@kernel.org>

Thu, 30 Nov 2023 18:52:19 +0000 (10:52 -0800)

committer Alexei Starovoitov <ast@kernel.org>

Wed, 6 Dec 2023 18:02:59 +0000 (10:02 -0800)
author Andrii Nakryiko <andrii@kernel.org>
Thu, 30 Nov 2023 18:52:19 +0000 (10:52 -0800)
committer Alexei Starovoitov <ast@kernel.org>
Wed, 6 Dec 2023 18:02:59 +0000 (10:02 -0800)
diff --git a/drivers/media/rc/bpf-lirc.c b/drivers/media/rc/bpf-lirc.c

index fe17c7f98e8101afdae3d608ab12a2ef7f971d0e..6d07693c6b9f5d640f98cec1ed2b798350791ca5 100644 (file)
--- a/drivers/media/rc/bpf-lirc.c
+++ b/drivers/media/rc/bpf-lirc.c
@@ -110,7 +110,7 @@ lirc_mode2_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
         case BPF_FUNC_get_prandom_u32:
                 return &bpf_get_prandom_u32_proto;
         case BPF_FUNC_trace_printk:
-               if (perfmon_capable())
+               if (bpf_token_capable(prog->aux->token, CAP_PERFMON))
                         return bpf_get_trace_printk_proto();
                 fallthrough;
         default:
diff --git a/include/linux/bpf.h b/include/linux/bpf.h

index 20af87b59d709ea536b878741a3ba97a0d86554a..2a3ab4f3dd8cb573d37b566f72bd7160360b6ade 100644 (file)
--- a/include/linux/bpf.h
+++ b/include/linux/bpf.h
@@ -2492,7 +2492,8 @@ const char *btf_find_decl_tag_value(const struct btf *btf, const struct btf_type
  struct bpf_prog *bpf_prog_by_id(u32 id);
  struct bpf_link *bpf_link_by_id(u32 id);
  
-const struct bpf_func_proto *bpf_base_func_proto(enum bpf_func_id func_id);
+const struct bpf_func_proto *bpf_base_func_proto(enum bpf_func_id func_id,
+                                                const struct bpf_prog *prog);
  void bpf_task_storage_free(struct task_struct *task);
  void bpf_cgrp_storage_free(struct cgroup *cgroup);
  bool bpf_prog_has_kfunc_call(const struct bpf_prog *prog);
@@ -2752,7 +2753,7 @@ static inline int btf_struct_access(struct bpf_verifier_log *log,
  }
  
  static inline const struct bpf_func_proto *
-bpf_base_func_proto(enum bpf_func_id func_id)
+bpf_base_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
  {
         return NULL;
  }
diff --git a/kernel/bpf/cgroup.c b/kernel/bpf/cgroup.c

index 491d20038cbe0cc133ce906ed035bca10b012727..98e0e3835b28b615d447d4b5ff08b10831d858e9 100644 (file)
--- a/kernel/bpf/cgroup.c
+++ b/kernel/bpf/cgroup.c
@@ -1630,7 +1630,7 @@ cgroup_dev_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
         case BPF_FUNC_perf_event_output:
                 return &bpf_event_output_data_proto;
         default:
-               return bpf_base_func_proto(func_id);
+               return bpf_base_func_proto(func_id, prog);
         }
  }
  
@@ -2191,7 +2191,7 @@ sysctl_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
         case BPF_FUNC_perf_event_output:
                 return &bpf_event_output_data_proto;
         default:
-               return bpf_base_func_proto(func_id);
+               return bpf_base_func_proto(func_id, prog);
         }
  }
  
@@ -2348,7 +2348,7 @@ cg_sockopt_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
         case BPF_FUNC_perf_event_output:
                 return &bpf_event_output_data_proto;
         default:
-               return bpf_base_func_proto(func_id);
+               return bpf_base_func_proto(func_id, prog);
         }
  }
  
diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c

index ee9bdf29246a391c4fc072d9c3e7d69000920ca2..b3be5742d6f1ab709f9bcacd13f3eb041b1e589a 100644 (file)
--- a/kernel/bpf/helpers.c
+++ b/kernel/bpf/helpers.c
@@ -1679,7 +1679,7 @@ const struct bpf_func_proto bpf_probe_read_kernel_str_proto __weak;
  const struct bpf_func_proto bpf_task_pt_regs_proto __weak;
  
  const struct bpf_func_proto *
-bpf_base_func_proto(enum bpf_func_id func_id)
+bpf_base_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
  {
         switch (func_id) {
         case BPF_FUNC_map_lookup_elem:
@@ -1730,7 +1730,7 @@ bpf_base_func_proto(enum bpf_func_id func_id)
                 break;
         }
  
-       if (!bpf_capable())
+       if (!bpf_token_capable(prog->aux->token, CAP_BPF))
                 return NULL;
  
         switch (func_id) {
@@ -1788,7 +1788,7 @@ bpf_base_func_proto(enum bpf_func_id func_id)
                 break;
         }
  
-       if (!perfmon_capable())
+       if (!bpf_token_capable(prog->aux->token, CAP_PERFMON))
                 return NULL;
  
         switch (func_id) {
diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c

index 2c8393c21b8c66151e1a87567a0d3ade96f3c45e..1cc03f08c9cd22b7474217383024b35c82896263 100644 (file)
--- a/kernel/bpf/syscall.c
+++ b/kernel/bpf/syscall.c
@@ -5712,7 +5712,7 @@ static const struct bpf_func_proto bpf_sys_bpf_proto = {
  const struct bpf_func_proto * __weak
  tracing_prog_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
  {
-       return bpf_base_func_proto(func_id);
+       return bpf_base_func_proto(func_id, prog);
  }
  
  BPF_CALL_1(bpf_sys_close, u32, fd)
@@ -5762,7 +5762,8 @@ syscall_prog_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
  {
         switch (func_id) {
         case BPF_FUNC_sys_bpf:
-               return !perfmon_capable() ? NULL : &bpf_sys_bpf_proto;
+               return !bpf_token_capable(prog->aux->token, CAP_PERFMON)
+                      ? NULL : &bpf_sys_bpf_proto;
         case BPF_FUNC_btf_find_by_name_kind:
                 return &bpf_btf_find_by_name_kind_proto;
         case BPF_FUNC_sys_close:
diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c

index 1648bde28f01aa8213ab8112f97351b3e02482fc..774cf476a892c170ff4b53c170e56b3a4b7be689 100644 (file)
--- a/kernel/trace/bpf_trace.c
+++ b/kernel/trace/bpf_trace.c
@@ -1626,7 +1626,7 @@ bpf_tracing_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
         case BPF_FUNC_trace_vprintk:
                 return bpf_get_trace_vprintk_proto();
         default:
-               return bpf_base_func_proto(func_id);
+               return bpf_base_func_proto(func_id, prog);
         }
  }
  
diff --git a/net/core/filter.c b/net/core/filter.c

index 0adaa4afa35f21f4ac6d5d3e4dde9ed7c76a2a04..0bf2a03d8203e522714d12d4be033028abc95327 100644 (file)
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -87,7 +87,7 @@
  #include "dev.h"
  
  static const struct bpf_func_proto *
-bpf_sk_base_func_proto(enum bpf_func_id func_id);
+bpf_sk_base_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog);
  
  int copy_bpf_fprog_from_user(struct sock_fprog *dst, sockptr_t src, int len)
  {
@@ -7841,7 +7841,7 @@ sock_filter_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
         case BPF_FUNC_ktime_get_coarse_ns:
                 return &bpf_ktime_get_coarse_ns_proto;
         default:
-               return bpf_base_func_proto(func_id);
+               return bpf_base_func_proto(func_id, prog);
         }
  }
  
@@ -7934,7 +7934,7 @@ sock_addr_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
                         return NULL;
                 }
         default:
-               return bpf_sk_base_func_proto(func_id);
+               return bpf_sk_base_func_proto(func_id, prog);
         }
  }
  
@@ -7953,7 +7953,7 @@ sk_filter_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
         case BPF_FUNC_perf_event_output:
                 return &bpf_skb_event_output_proto;
         default:
-               return bpf_sk_base_func_proto(func_id);
+               return bpf_sk_base_func_proto(func_id, prog);
         }
  }
  
@@ -8140,7 +8140,7 @@ tc_cls_act_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
  #endif
  #endif
         default:
-               return bpf_sk_base_func_proto(func_id);
+               return bpf_sk_base_func_proto(func_id, prog);
         }
  }
  
@@ -8199,7 +8199,7 @@ xdp_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
  #endif
  #endif
         default:
-               return bpf_sk_base_func_proto(func_id);
+               return bpf_sk_base_func_proto(func_id, prog);
         }
  
  #if IS_MODULE(CONFIG_NF_CONNTRACK) && IS_ENABLED(CONFIG_DEBUG_INFO_BTF_MODULES)
@@ -8260,7 +8260,7 @@ sock_ops_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
                 return &bpf_tcp_sock_proto;
  #endif /* CONFIG_INET */
         default:
-               return bpf_sk_base_func_proto(func_id);
+               return bpf_sk_base_func_proto(func_id, prog);
         }
  }
  
@@ -8302,7 +8302,7 @@ sk_msg_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
                 return &bpf_get_cgroup_classid_curr_proto;
  #endif
         default:
-               return bpf_sk_base_func_proto(func_id);
+               return bpf_sk_base_func_proto(func_id, prog);
         }
  }
  
@@ -8346,7 +8346,7 @@ sk_skb_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
                 return &bpf_skc_lookup_tcp_proto;
  #endif
         default:
-               return bpf_sk_base_func_proto(func_id);
+               return bpf_sk_base_func_proto(func_id, prog);
         }
  }
  
@@ -8357,7 +8357,7 @@ flow_dissector_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
         case BPF_FUNC_skb_load_bytes:
                 return &bpf_flow_dissector_load_bytes_proto;
         default:
-               return bpf_sk_base_func_proto(func_id);
+               return bpf_sk_base_func_proto(func_id, prog);
         }
  }
  
@@ -8384,7 +8384,7 @@ lwt_out_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
         case BPF_FUNC_skb_under_cgroup:
                 return &bpf_skb_under_cgroup_proto;
         default:
-               return bpf_sk_base_func_proto(func_id);
+               return bpf_sk_base_func_proto(func_id, prog);
         }
  }
  
@@ -11215,7 +11215,7 @@ sk_reuseport_func_proto(enum bpf_func_id func_id,
         case BPF_FUNC_ktime_get_coarse_ns:
                 return &bpf_ktime_get_coarse_ns_proto;
         default:
-               return bpf_base_func_proto(func_id);
+               return bpf_base_func_proto(func_id, prog);
         }
  }
  
@@ -11397,7 +11397,7 @@ sk_lookup_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
         case BPF_FUNC_sk_release:
                 return &bpf_sk_release_proto;
         default:
-               return bpf_sk_base_func_proto(func_id);
+               return bpf_sk_base_func_proto(func_id, prog);
         }
  }
  
@@ -11731,7 +11731,7 @@ const struct bpf_func_proto bpf_sock_from_file_proto = {
  };
  
  static const struct bpf_func_proto *
-bpf_sk_base_func_proto(enum bpf_func_id func_id)
+bpf_sk_base_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
  {
         const struct bpf_func_proto *func;
  
@@ -11760,10 +11760,10 @@ bpf_sk_base_func_proto(enum bpf_func_id func_id)
         case BPF_FUNC_ktime_get_coarse_ns:
                 return &bpf_ktime_get_coarse_ns_proto;
         default:
-               return bpf_base_func_proto(func_id);
+               return bpf_base_func_proto(func_id, prog);
         }
  
-       if (!perfmon_capable())
+       if (!bpf_token_capable(prog->aux->token, CAP_PERFMON))
                 return NULL;
  
         return func;
diff --git a/net/ipv4/bpf_tcp_ca.c b/net/ipv4/bpf_tcp_ca.c

index 39dcccf0f174b95f2ec4cd7bed3cc86a73dede3b..c7bbd8f3c708ba258446a9f204bd7d15176370c9 100644 (file)
--- a/net/ipv4/bpf_tcp_ca.c
+++ b/net/ipv4/bpf_tcp_ca.c
@@ -191,7 +191,7 @@ bpf_tcp_ca_get_func_proto(enum bpf_func_id func_id,
         case BPF_FUNC_ktime_get_coarse_ns:
                 return &bpf_ktime_get_coarse_ns_proto;
         default:
-               return bpf_base_func_proto(func_id);
+               return bpf_base_func_proto(func_id, prog);
         }
  }
  
diff --git a/net/netfilter/nf_bpf_link.c b/net/netfilter/nf_bpf_link.c

index e502ec00b2fe1e4a806568fe078ef328e4f15ac7..1969facac91c2d8a010ff9a1a928ce9980a57539 100644 (file)
--- a/net/netfilter/nf_bpf_link.c
+++ b/net/netfilter/nf_bpf_link.c
@@ -314,7 +314,7 @@ static bool nf_is_valid_access(int off, int size, enum bpf_access_type type,
  static const struct bpf_func_proto *
  bpf_nf_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
  {
-       return bpf_base_func_proto(func_id);
+       return bpf_base_func_proto(func_id, prog);
  }
  
  const struct bpf_verifier_ops netfilter_verifier_ops = {
author	Andrii Nakryiko <andrii@kernel.org>
	Thu, 30 Nov 2023 18:52:19 +0000 (10:52 -0800)
committer	Alexei Starovoitov <ast@kernel.org>
	Wed, 6 Dec 2023 18:02:59 +0000 (10:02 -0800)
drivers/media/rc/bpf-lirc.c		patch \| blob \| history
include/linux/bpf.h		patch \| blob \| history
kernel/bpf/cgroup.c		patch \| blob \| history
kernel/bpf/helpers.c		patch \| blob \| history
kernel/bpf/syscall.c		patch \| blob \| history
kernel/trace/bpf_trace.c		patch \| blob \| history
net/core/filter.c		patch \| blob \| history
net/ipv4/bpf_tcp_ca.c		patch \| blob \| history
net/netfilter/nf_bpf_link.c		patch \| blob \| history