Linux Audio

Check our new training course

Open Menu / tools / testing / selftests / bpf / progs / test_sig_in_xattr.c
Loading...
v6.13.7
 1// SPDX-License-Identifier: GPL-2.0
 2/* Copyright (c) 2023 Meta Platforms, Inc. and affiliates. */
 3
 4#include "vmlinux.h"
 5#include <errno.h>
 6#include <bpf/bpf_helpers.h>
 7#include <bpf/bpf_tracing.h>
 8#include "bpf_kfuncs.h"
 9#include "err.h"
10
11char _license[] SEC("license") = "GPL";
12
13#ifndef SHA256_DIGEST_SIZE
14#define SHA256_DIGEST_SIZE      32
15#endif
16
17#define MAX_SIG_SIZE 1024
18
19/* By default, "fsverity sign" signs a file with fsverity_formatted_digest
20 * of the file. fsverity_formatted_digest on the kernel side is only used
21 * with CONFIG_FS_VERITY_BUILTIN_SIGNATURES. However, BPF LSM doesn't not
22 * require CONFIG_FS_VERITY_BUILTIN_SIGNATURES, so vmlinux.h may not have
23 * fsverity_formatted_digest. In this test, we intentionally avoid using
24 * fsverity_formatted_digest.
25 *
26 * Luckily, fsverity_formatted_digest is simply 8-byte magic followed by
27 * fsverity_digest. We use a char array of size fsverity_formatted_digest
28 * plus SHA256_DIGEST_SIZE. The magic part of it is filled by user space,
29 * and the rest of it is filled by bpf_get_fsverity_digest.
30 *
31 * Note that, generating signatures based on fsverity_formatted_digest is
32 * the design choice of this selftest (and "fsverity sign"). With BPF
33 * LSM, we have the flexibility to generate signature based on other data
34 * sets, for example, fsverity_digest or only the digest[] part of it.
35 */
36#define MAGIC_SIZE 8
37#define SIZEOF_STRUCT_FSVERITY_DIGEST 4  /* sizeof(struct fsverity_digest) */
38char digest[MAGIC_SIZE + SIZEOF_STRUCT_FSVERITY_DIGEST + SHA256_DIGEST_SIZE];
39
40__u32 monitored_pid;
41char sig[MAX_SIG_SIZE];
42__u32 sig_size;
43__u32 user_keyring_serial;
44
45SEC("lsm.s/file_open")
46int BPF_PROG(test_file_open, struct file *f)
47{
48	struct bpf_dynptr digest_ptr, sig_ptr;
49	struct bpf_key *trusted_keyring;
50	__u32 pid;
51	int ret;
52
53	pid = bpf_get_current_pid_tgid() >> 32;
54	if (pid != monitored_pid)
55		return 0;
56
57	/* digest_ptr points to fsverity_digest */
58	bpf_dynptr_from_mem(digest + MAGIC_SIZE, sizeof(digest) - MAGIC_SIZE, 0, &digest_ptr);
59
60	ret = bpf_get_fsverity_digest(f, &digest_ptr);
61	/* No verity, allow access */
62	if (ret < 0)
63		return 0;
64
65	/* Move digest_ptr to fsverity_formatted_digest */
66	bpf_dynptr_from_mem(digest, sizeof(digest), 0, &digest_ptr);
67
68	/* Read signature from xattr */
69	bpf_dynptr_from_mem(sig, sizeof(sig), 0, &sig_ptr);
70	ret = bpf_get_file_xattr(f, "user.sig", &sig_ptr);
71	/* No signature, reject access */
72	if (ret < 0)
73		return -EPERM;
74
75	trusted_keyring = bpf_lookup_user_key(user_keyring_serial, 0);
76	if (!trusted_keyring)
77		return -ENOENT;
78
79	/* Verify signature */
80	ret = bpf_verify_pkcs7_signature(&digest_ptr, &sig_ptr, trusted_keyring);
81
82	bpf_key_put(trusted_keyring);
83
84	set_if_not_errno_or_zero(ret, -EFAULT);
85
86	return ret;
87}
v6.8
 1// SPDX-License-Identifier: GPL-2.0
 2/* Copyright (c) 2023 Meta Platforms, Inc. and affiliates. */
 3
 4#include "vmlinux.h"
 5#include <errno.h>
 6#include <bpf/bpf_helpers.h>
 7#include <bpf/bpf_tracing.h>
 8#include "bpf_kfuncs.h"
 
 9
10char _license[] SEC("license") = "GPL";
11
12#ifndef SHA256_DIGEST_SIZE
13#define SHA256_DIGEST_SIZE      32
14#endif
15
16#define MAX_SIG_SIZE 1024
17
18/* By default, "fsverity sign" signs a file with fsverity_formatted_digest
19 * of the file. fsverity_formatted_digest on the kernel side is only used
20 * with CONFIG_FS_VERITY_BUILTIN_SIGNATURES. However, BPF LSM doesn't not
21 * require CONFIG_FS_VERITY_BUILTIN_SIGNATURES, so vmlinux.h may not have
22 * fsverity_formatted_digest. In this test, we intentionally avoid using
23 * fsverity_formatted_digest.
24 *
25 * Luckily, fsverity_formatted_digest is simply 8-byte magic followed by
26 * fsverity_digest. We use a char array of size fsverity_formatted_digest
27 * plus SHA256_DIGEST_SIZE. The magic part of it is filled by user space,
28 * and the rest of it is filled by bpf_get_fsverity_digest.
29 *
30 * Note that, generating signatures based on fsverity_formatted_digest is
31 * the design choice of this selftest (and "fsverity sign"). With BPF
32 * LSM, we have the flexibility to generate signature based on other data
33 * sets, for example, fsverity_digest or only the digest[] part of it.
34 */
35#define MAGIC_SIZE 8
36#define SIZEOF_STRUCT_FSVERITY_DIGEST 4  /* sizeof(struct fsverity_digest) */
37char digest[MAGIC_SIZE + SIZEOF_STRUCT_FSVERITY_DIGEST + SHA256_DIGEST_SIZE];
38
39__u32 monitored_pid;
40char sig[MAX_SIG_SIZE];
41__u32 sig_size;
42__u32 user_keyring_serial;
43
44SEC("lsm.s/file_open")
45int BPF_PROG(test_file_open, struct file *f)
46{
47	struct bpf_dynptr digest_ptr, sig_ptr;
48	struct bpf_key *trusted_keyring;
49	__u32 pid;
50	int ret;
51
52	pid = bpf_get_current_pid_tgid() >> 32;
53	if (pid != monitored_pid)
54		return 0;
55
56	/* digest_ptr points to fsverity_digest */
57	bpf_dynptr_from_mem(digest + MAGIC_SIZE, sizeof(digest) - MAGIC_SIZE, 0, &digest_ptr);
58
59	ret = bpf_get_fsverity_digest(f, &digest_ptr);
60	/* No verity, allow access */
61	if (ret < 0)
62		return 0;
63
64	/* Move digest_ptr to fsverity_formatted_digest */
65	bpf_dynptr_from_mem(digest, sizeof(digest), 0, &digest_ptr);
66
67	/* Read signature from xattr */
68	bpf_dynptr_from_mem(sig, sizeof(sig), 0, &sig_ptr);
69	ret = bpf_get_file_xattr(f, "user.sig", &sig_ptr);
70	/* No signature, reject access */
71	if (ret < 0)
72		return -EPERM;
73
74	trusted_keyring = bpf_lookup_user_key(user_keyring_serial, 0);
75	if (!trusted_keyring)
76		return -ENOENT;
77
78	/* Verify signature */
79	ret = bpf_verify_pkcs7_signature(&digest_ptr, &sig_ptr, trusted_keyring);
80
81	bpf_key_put(trusted_keyring);
 
 
 
82	return ret;
83}