From 9fe93c136fac812c64e659cfe6a98b9bcf80828f Mon Sep 17 00:00:00 2001 From: Jiri Olsa Date: Mon, 21 Oct 2024 22:19:08 +0000 Subject: [PATCH] tetragon: Make sure lsm programs return bounded value There's recent kernel change forcing LSM bpf programs return value range [-4095, 0]. Making sure we follow that in generic lsm sensor. [1] 5d99e198be27 bpf, lsm: Add check for BPF LSM return value Fixes: 41b88890141e ("bpf: Add lsm.s/* bpf programs for IMA hash collection") Signed-off-by: Jiri Olsa --- bpf/process/bpf_generic_lsm_core.c | 15 +-------------- bpf/process/bpf_generic_lsm_output.c | 15 +-------------- bpf/process/types/basic.h | 26 ++++++++++++++++++++++++++ 3 files changed, 28 insertions(+), 28 deletions(-) diff --git a/bpf/process/bpf_generic_lsm_core.c b/bpf/process/bpf_generic_lsm_core.c index 4c71e87cb10..8849dc5024b 100644 --- a/bpf/process/bpf_generic_lsm_core.c +++ b/bpf/process/bpf_generic_lsm_core.c @@ -79,19 +79,6 @@ static struct generic_maps maps = { .override = (struct bpf_map_def *)&override_tasks, }; -FUNC_INLINE int try_override(void *ctx) -{ - __u64 id = get_current_pid_tgid(); - __s32 *error; - - error = map_lookup_elem(&override_tasks, &id); - if (!error) - return 0; - - map_delete_elem(&override_tasks, &id); - return (long)*error; -} - #define MAIN "lsm/generic_lsm_core" __attribute__((section((MAIN)), used)) int @@ -172,7 +159,7 @@ generic_lsm_actions(void *ctx) // If NoPost action is set, check for Override action here if (!e->lsm.post) - return try_override(ctx); + return try_override(ctx, (struct bpf_map_def *)&override_tasks); return 0; } diff --git a/bpf/process/bpf_generic_lsm_output.c b/bpf/process/bpf_generic_lsm_output.c index b8d079264d0..886ae61b7d3 100644 --- a/bpf/process/bpf_generic_lsm_output.c +++ b/bpf/process/bpf_generic_lsm_output.c @@ -50,19 +50,6 @@ struct { __type(value, struct event_config); } config_map SEC(".maps"); -FUNC_INLINE int try_override(void *ctx) -{ - __u64 id = get_current_pid_tgid(); - __s32 *error; - - error = map_lookup_elem(&override_tasks, &id); - if (!error) - return 0; - - map_delete_elem(&override_tasks, &id); - return (long)*error; -} - __attribute__((section("lsm/generic_lsm_output"), used)) int generic_lsm_output(void *ctx) { @@ -89,5 +76,5 @@ generic_lsm_output(void *ctx) #endif if (e->lsm.post) generic_output(ctx, (struct bpf_map_def *)&process_call_heap, MSG_OP_GENERIC_LSM); - return try_override(ctx); + return try_override(ctx, (struct bpf_map_def *)&override_tasks); } diff --git a/bpf/process/types/basic.h b/bpf/process/types/basic.h index dea49981378..bfa7547c64a 100644 --- a/bpf/process/types/basic.h +++ b/bpf/process/types/basic.h @@ -2656,4 +2656,30 @@ read_call_arg(void *ctx, struct msg_generic_kprobe *e, int index, int type, return copy_path(args, path_arg); } +#define __STR(x) #x + +#define set_if_not_errno_or_zero(x, y) \ + ({ \ + asm volatile("if %0 s< -4095 goto +1\n" \ + "if %0 s<= 0 goto +1\n" \ + "%0 = " __STR(y) "\n" \ + : "+r"(x)); \ + }) + +FUNC_INLINE int try_override(void *ctx, struct bpf_map_def *override_tasks) +{ + __u64 id = get_current_pid_tgid(); + __s32 *error; + int err; + + error = map_lookup_elem(override_tasks, &id); + if (!error) + return 0; + + map_delete_elem(override_tasks, &id); + err = (int)*error; + set_if_not_errno_or_zero(err, -1); + return err; +} + #endif /* __BASIC_H__ */