162306a36Sopenharmony_ci// SPDX-License-Identifier: GPL-2.0 262306a36Sopenharmony_ci 362306a36Sopenharmony_ci/* 462306a36Sopenharmony_ci * Copyright 2020 Google LLC. 562306a36Sopenharmony_ci */ 662306a36Sopenharmony_ci 762306a36Sopenharmony_ci#include "vmlinux.h" 862306a36Sopenharmony_ci#include <errno.h> 962306a36Sopenharmony_ci#include <bpf/bpf_core_read.h> 1062306a36Sopenharmony_ci#include <bpf/bpf_helpers.h> 1162306a36Sopenharmony_ci#include <bpf/bpf_tracing.h> 1262306a36Sopenharmony_ci#include "bpf_misc.h" 1362306a36Sopenharmony_ci 1462306a36Sopenharmony_cistruct { 1562306a36Sopenharmony_ci __uint(type, BPF_MAP_TYPE_ARRAY); 1662306a36Sopenharmony_ci __uint(max_entries, 1); 1762306a36Sopenharmony_ci __type(key, __u32); 1862306a36Sopenharmony_ci __type(value, __u64); 1962306a36Sopenharmony_ci} array SEC(".maps"); 2062306a36Sopenharmony_ci 2162306a36Sopenharmony_cistruct { 2262306a36Sopenharmony_ci __uint(type, BPF_MAP_TYPE_HASH); 2362306a36Sopenharmony_ci __uint(max_entries, 1); 2462306a36Sopenharmony_ci __type(key, __u32); 2562306a36Sopenharmony_ci __type(value, __u64); 2662306a36Sopenharmony_ci} hash SEC(".maps"); 2762306a36Sopenharmony_ci 2862306a36Sopenharmony_cistruct { 2962306a36Sopenharmony_ci __uint(type, BPF_MAP_TYPE_LRU_HASH); 3062306a36Sopenharmony_ci __uint(max_entries, 1); 3162306a36Sopenharmony_ci __type(key, __u32); 3262306a36Sopenharmony_ci __type(value, __u64); 3362306a36Sopenharmony_ci} lru_hash SEC(".maps"); 3462306a36Sopenharmony_ci 3562306a36Sopenharmony_cistruct { 3662306a36Sopenharmony_ci __uint(type, BPF_MAP_TYPE_PERCPU_ARRAY); 3762306a36Sopenharmony_ci __uint(max_entries, 1); 3862306a36Sopenharmony_ci __type(key, __u32); 3962306a36Sopenharmony_ci __type(value, __u64); 4062306a36Sopenharmony_ci} percpu_array SEC(".maps"); 4162306a36Sopenharmony_ci 4262306a36Sopenharmony_cistruct { 4362306a36Sopenharmony_ci __uint(type, BPF_MAP_TYPE_PERCPU_HASH); 4462306a36Sopenharmony_ci __uint(max_entries, 1); 4562306a36Sopenharmony_ci __type(key, __u32); 4662306a36Sopenharmony_ci __type(value, __u64); 4762306a36Sopenharmony_ci} percpu_hash SEC(".maps"); 4862306a36Sopenharmony_ci 4962306a36Sopenharmony_cistruct { 5062306a36Sopenharmony_ci __uint(type, BPF_MAP_TYPE_LRU_PERCPU_HASH); 5162306a36Sopenharmony_ci __uint(max_entries, 1); 5262306a36Sopenharmony_ci __type(key, __u32); 5362306a36Sopenharmony_ci __type(value, __u64); 5462306a36Sopenharmony_ci} lru_percpu_hash SEC(".maps"); 5562306a36Sopenharmony_ci 5662306a36Sopenharmony_cistruct inner_map { 5762306a36Sopenharmony_ci __uint(type, BPF_MAP_TYPE_ARRAY); 5862306a36Sopenharmony_ci __uint(max_entries, 1); 5962306a36Sopenharmony_ci __type(key, int); 6062306a36Sopenharmony_ci __type(value, __u64); 6162306a36Sopenharmony_ci} inner_map SEC(".maps"); 6262306a36Sopenharmony_ci 6362306a36Sopenharmony_cistruct outer_arr { 6462306a36Sopenharmony_ci __uint(type, BPF_MAP_TYPE_ARRAY_OF_MAPS); 6562306a36Sopenharmony_ci __uint(max_entries, 1); 6662306a36Sopenharmony_ci __uint(key_size, sizeof(int)); 6762306a36Sopenharmony_ci __uint(value_size, sizeof(int)); 6862306a36Sopenharmony_ci __array(values, struct inner_map); 6962306a36Sopenharmony_ci} outer_arr SEC(".maps") = { 7062306a36Sopenharmony_ci .values = { [0] = &inner_map }, 7162306a36Sopenharmony_ci}; 7262306a36Sopenharmony_ci 7362306a36Sopenharmony_cistruct outer_hash { 7462306a36Sopenharmony_ci __uint(type, BPF_MAP_TYPE_HASH_OF_MAPS); 7562306a36Sopenharmony_ci __uint(max_entries, 1); 7662306a36Sopenharmony_ci __uint(key_size, sizeof(int)); 7762306a36Sopenharmony_ci __array(values, struct inner_map); 7862306a36Sopenharmony_ci} outer_hash SEC(".maps") = { 7962306a36Sopenharmony_ci .values = { [0] = &inner_map }, 8062306a36Sopenharmony_ci}; 8162306a36Sopenharmony_ci 8262306a36Sopenharmony_cichar _license[] SEC("license") = "GPL"; 8362306a36Sopenharmony_ci 8462306a36Sopenharmony_ciint monitored_pid = 0; 8562306a36Sopenharmony_ciint mprotect_count = 0; 8662306a36Sopenharmony_ciint bprm_count = 0; 8762306a36Sopenharmony_ci 8862306a36Sopenharmony_ciSEC("lsm/file_mprotect") 8962306a36Sopenharmony_ciint BPF_PROG(test_int_hook, struct vm_area_struct *vma, 9062306a36Sopenharmony_ci unsigned long reqprot, unsigned long prot, int ret) 9162306a36Sopenharmony_ci{ 9262306a36Sopenharmony_ci if (ret != 0) 9362306a36Sopenharmony_ci return ret; 9462306a36Sopenharmony_ci 9562306a36Sopenharmony_ci __u32 pid = bpf_get_current_pid_tgid() >> 32; 9662306a36Sopenharmony_ci int is_stack = 0; 9762306a36Sopenharmony_ci 9862306a36Sopenharmony_ci is_stack = (vma->vm_start <= vma->vm_mm->start_stack && 9962306a36Sopenharmony_ci vma->vm_end >= vma->vm_mm->start_stack); 10062306a36Sopenharmony_ci 10162306a36Sopenharmony_ci if (is_stack && monitored_pid == pid) { 10262306a36Sopenharmony_ci mprotect_count++; 10362306a36Sopenharmony_ci ret = -EPERM; 10462306a36Sopenharmony_ci } 10562306a36Sopenharmony_ci 10662306a36Sopenharmony_ci return ret; 10762306a36Sopenharmony_ci} 10862306a36Sopenharmony_ci 10962306a36Sopenharmony_ciSEC("lsm.s/bprm_committed_creds") 11062306a36Sopenharmony_ciint BPF_PROG(test_void_hook, struct linux_binprm *bprm) 11162306a36Sopenharmony_ci{ 11262306a36Sopenharmony_ci __u32 pid = bpf_get_current_pid_tgid() >> 32; 11362306a36Sopenharmony_ci struct inner_map *inner_map; 11462306a36Sopenharmony_ci char args[64]; 11562306a36Sopenharmony_ci __u32 key = 0; 11662306a36Sopenharmony_ci __u64 *value; 11762306a36Sopenharmony_ci 11862306a36Sopenharmony_ci if (monitored_pid == pid) 11962306a36Sopenharmony_ci bprm_count++; 12062306a36Sopenharmony_ci 12162306a36Sopenharmony_ci bpf_copy_from_user(args, sizeof(args), (void *)bprm->vma->vm_mm->arg_start); 12262306a36Sopenharmony_ci bpf_copy_from_user(args, sizeof(args), (void *)bprm->mm->arg_start); 12362306a36Sopenharmony_ci 12462306a36Sopenharmony_ci value = bpf_map_lookup_elem(&array, &key); 12562306a36Sopenharmony_ci if (value) 12662306a36Sopenharmony_ci *value = 0; 12762306a36Sopenharmony_ci value = bpf_map_lookup_elem(&hash, &key); 12862306a36Sopenharmony_ci if (value) 12962306a36Sopenharmony_ci *value = 0; 13062306a36Sopenharmony_ci value = bpf_map_lookup_elem(&lru_hash, &key); 13162306a36Sopenharmony_ci if (value) 13262306a36Sopenharmony_ci *value = 0; 13362306a36Sopenharmony_ci value = bpf_map_lookup_elem(&percpu_array, &key); 13462306a36Sopenharmony_ci if (value) 13562306a36Sopenharmony_ci *value = 0; 13662306a36Sopenharmony_ci value = bpf_map_lookup_elem(&percpu_hash, &key); 13762306a36Sopenharmony_ci if (value) 13862306a36Sopenharmony_ci *value = 0; 13962306a36Sopenharmony_ci value = bpf_map_lookup_elem(&lru_percpu_hash, &key); 14062306a36Sopenharmony_ci if (value) 14162306a36Sopenharmony_ci *value = 0; 14262306a36Sopenharmony_ci inner_map = bpf_map_lookup_elem(&outer_arr, &key); 14362306a36Sopenharmony_ci if (inner_map) { 14462306a36Sopenharmony_ci value = bpf_map_lookup_elem(inner_map, &key); 14562306a36Sopenharmony_ci if (value) 14662306a36Sopenharmony_ci *value = 0; 14762306a36Sopenharmony_ci } 14862306a36Sopenharmony_ci inner_map = bpf_map_lookup_elem(&outer_hash, &key); 14962306a36Sopenharmony_ci if (inner_map) { 15062306a36Sopenharmony_ci value = bpf_map_lookup_elem(inner_map, &key); 15162306a36Sopenharmony_ci if (value) 15262306a36Sopenharmony_ci *value = 0; 15362306a36Sopenharmony_ci } 15462306a36Sopenharmony_ci 15562306a36Sopenharmony_ci return 0; 15662306a36Sopenharmony_ci} 15762306a36Sopenharmony_ciSEC("lsm/task_free") /* lsm/ is ok, lsm.s/ fails */ 15862306a36Sopenharmony_ciint BPF_PROG(test_task_free, struct task_struct *task) 15962306a36Sopenharmony_ci{ 16062306a36Sopenharmony_ci return 0; 16162306a36Sopenharmony_ci} 16262306a36Sopenharmony_ci 16362306a36Sopenharmony_ciint copy_test = 0; 16462306a36Sopenharmony_ci 16562306a36Sopenharmony_ciSEC("fentry.s/" SYS_PREFIX "sys_setdomainname") 16662306a36Sopenharmony_ciint BPF_PROG(test_sys_setdomainname, struct pt_regs *regs) 16762306a36Sopenharmony_ci{ 16862306a36Sopenharmony_ci void *ptr = (void *)PT_REGS_PARM1_SYSCALL(regs); 16962306a36Sopenharmony_ci int len = PT_REGS_PARM2_SYSCALL(regs); 17062306a36Sopenharmony_ci int buf = 0; 17162306a36Sopenharmony_ci long ret; 17262306a36Sopenharmony_ci 17362306a36Sopenharmony_ci ret = bpf_copy_from_user(&buf, sizeof(buf), ptr); 17462306a36Sopenharmony_ci if (len == -2 && ret == 0 && buf == 1234) 17562306a36Sopenharmony_ci copy_test++; 17662306a36Sopenharmony_ci if (len == -3 && ret == -EFAULT) 17762306a36Sopenharmony_ci copy_test++; 17862306a36Sopenharmony_ci if (len == -4 && ret == -EFAULT) 17962306a36Sopenharmony_ci copy_test++; 18062306a36Sopenharmony_ci return 0; 18162306a36Sopenharmony_ci} 182