1 // SPDX-License-Identifier: GPL-2.0
2 
3 /*
4  * Copyright (C) 2022 Huawei Technologies Duesseldorf GmbH
5  *
6  * Author: Roberto Sassu <roberto.sassu@huawei.com>
7  */
8 
9 #include "vmlinux.h"
10 #include <errno.h>
11 #include <bpf/bpf_helpers.h>
12 #include <bpf/bpf_tracing.h>
13 #include "bpf_misc.h"
14 
15 extern struct bpf_key *bpf_lookup_system_key(__u64 id) __ksym;
16 extern void bpf_key_put(struct bpf_key *key) __ksym;
17 extern int bpf_verify_pkcs7_signature(struct bpf_dynptr *data_ptr,
18 				      struct bpf_dynptr *sig_ptr,
19 				      struct bpf_key *trusted_keyring) __ksym;
20 
21 struct {
22 	__uint(type, BPF_MAP_TYPE_RINGBUF);
23 	__uint(max_entries, 4096);
24 } ringbuf SEC(".maps");
25 
26 struct {
27 	__uint(type, BPF_MAP_TYPE_ARRAY);
28 	__uint(max_entries, 1);
29 	__type(key, __u32);
30 	__type(value, __u32);
31 } array_map SEC(".maps");
32 
33 int err, pid;
34 
35 char _license[] SEC("license") = "GPL";
36 
37 SEC("?lsm.s/bpf")
38 __failure __msg("cannot pass in dynptr at an offset=-8")
39 int BPF_PROG(not_valid_dynptr, int cmd, union bpf_attr *attr, unsigned int size)
40 {
41 	unsigned long val;
42 
43 	return bpf_verify_pkcs7_signature((struct bpf_dynptr *)&val,
44 					  (struct bpf_dynptr *)&val, NULL);
45 }
46 
47 SEC("?lsm.s/bpf")
48 __failure __msg("arg#0 expected pointer to stack or dynptr_ptr")
49 int BPF_PROG(not_ptr_to_stack, int cmd, union bpf_attr *attr, unsigned int size)
50 {
51 	unsigned long val;
52 
53 	return bpf_verify_pkcs7_signature((struct bpf_dynptr *)val,
54 					  (struct bpf_dynptr *)val, NULL);
55 }
56 
57 SEC("lsm.s/bpf")
58 int BPF_PROG(dynptr_data_null, int cmd, union bpf_attr *attr, unsigned int size)
59 {
60 	struct bpf_key *trusted_keyring;
61 	struct bpf_dynptr ptr;
62 	__u32 *value;
63 	int ret, zero = 0;
64 
65 	if (bpf_get_current_pid_tgid() >> 32 != pid)
66 		return 0;
67 
68 	value = bpf_map_lookup_elem(&array_map, &zero);
69 	if (!value)
70 		return 0;
71 
72 	/* Pass invalid flags. */
73 	ret = bpf_dynptr_from_mem(value, sizeof(*value), ((__u64)~0ULL), &ptr);
74 	if (ret != -EINVAL)
75 		return 0;
76 
77 	trusted_keyring = bpf_lookup_system_key(0);
78 	if (!trusted_keyring)
79 		return 0;
80 
81 	err = bpf_verify_pkcs7_signature(&ptr, &ptr, trusted_keyring);
82 
83 	bpf_key_put(trusted_keyring);
84 
85 	return 0;
86 }
87