// SPDX-License-Identifier: (GPL-2.0-only OR BSD-2-Clause) /* Copyright (c) 2019 Netronome Systems, Inc. */ #include #include #include #include #include #include #include #include #include "main.h" #ifndef PROC_SUPER_MAGIC # define PROC_SUPER_MAGIC 0x9fa0 #endif enum probe_component { COMPONENT_UNSPEC, COMPONENT_KERNEL, }; /* Miscellaneous utility functions */ static bool check_procfs(void) { struct statfs st_fs; if (statfs("/proc", &st_fs) < 0) return false; if ((unsigned long)st_fs.f_type != PROC_SUPER_MAGIC) return false; return true; } /* Printing utility functions */ static void print_bool_feature(const char *feat_name, const char *plain_name, bool res) { if (json_output) jsonw_bool_field(json_wtr, feat_name, res); else printf("%s is %savailable\n", plain_name, res ? "" : "NOT "); } static void print_start_section(const char *json_title, const char *plain_title) { if (json_output) { jsonw_name(json_wtr, json_title); jsonw_start_object(json_wtr); } else { printf("%s\n", plain_title); } } /* Probing functions */ static int read_procfs(const char *path) { char *endptr, *line = NULL; size_t len = 0; FILE *fd; int res; fd = fopen(path, "r"); if (!fd) return -1; res = getline(&line, &len, fd); fclose(fd); if (res < 0) return -1; errno = 0; res = strtol(line, &endptr, 10); if (errno || *line == '\0' || *endptr != '\n') res = -1; free(line); return res; } static void probe_unprivileged_disabled(void) { int res; res = read_procfs("/proc/sys/kernel/unprivileged_bpf_disabled"); if (json_output) { jsonw_int_field(json_wtr, "unprivileged_bpf_disabled", res); } else { switch (res) { case 0: printf("bpf() syscall for unprivileged users is enabled\n"); break; case 1: printf("bpf() syscall restricted to privileged users\n"); break; case -1: printf("Unable to retrieve required privileges for bpf() syscall\n"); break; default: printf("bpf() syscall restriction has unknown value %d\n", res); } } } static void probe_jit_enable(void) { int res; res = read_procfs("/proc/sys/net/core/bpf_jit_enable"); if (json_output) { jsonw_int_field(json_wtr, "bpf_jit_enable", res); } else { switch (res) { case 0: printf("JIT compiler is disabled\n"); break; case 1: printf("JIT compiler is enabled\n"); break; case 2: printf("JIT compiler is enabled with debugging traces in kernel logs\n"); break; case -1: printf("Unable to retrieve JIT-compiler status\n"); break; default: printf("JIT-compiler status has unknown value %d\n", res); } } } static void probe_jit_harden(void) { int res; res = read_procfs("/proc/sys/net/core/bpf_jit_harden"); if (json_output) { jsonw_int_field(json_wtr, "bpf_jit_harden", res); } else { switch (res) { case 0: printf("JIT compiler hardening is disabled\n"); break; case 1: printf("JIT compiler hardening is enabled for unprivileged users\n"); break; case 2: printf("JIT compiler hardening is enabled for all users\n"); break; case -1: printf("Unable to retrieve JIT hardening status\n"); break; default: printf("JIT hardening status has unknown value %d\n", res); } } } static void probe_jit_kallsyms(void) { int res; res = read_procfs("/proc/sys/net/core/bpf_jit_kallsyms"); if (json_output) { jsonw_int_field(json_wtr, "bpf_jit_kallsyms", res); } else { switch (res) { case 0: printf("JIT compiler kallsyms exports are disabled\n"); break; case 1: printf("JIT compiler kallsyms exports are enabled for root\n"); break; case -1: printf("Unable to retrieve JIT kallsyms export status\n"); break; default: printf("JIT kallsyms exports status has unknown value %d\n", res); } } } static void probe_jit_limit(void) { int res; res = read_procfs("/proc/sys/net/core/bpf_jit_limit"); if (json_output) { jsonw_int_field(json_wtr, "bpf_jit_limit", res); } else { switch (res) { case -1: printf("Unable to retrieve global memory limit for JIT compiler for unprivileged users\n"); break; default: printf("Global memory limit for JIT compiler for unprivileged users is %d bytes\n", res); } } } static bool probe_bpf_syscall(void) { bool res; bpf_load_program(BPF_PROG_TYPE_UNSPEC, NULL, 0, NULL, 0, NULL, 0); res = (errno != ENOSYS); print_bool_feature("have_bpf_syscall", "bpf() syscall", res); return res; } static int do_probe(int argc, char **argv) { enum probe_component target = COMPONENT_UNSPEC; /* Detection assumes user has sufficient privileges (CAP_SYS_ADMIN). * Let's approximate, and restrict usage to root user only. */ if (geteuid()) { p_err("please run this command as root user"); return -1; } set_max_rlimit(); while (argc) { if (is_prefix(*argv, "kernel")) { if (target != COMPONENT_UNSPEC) { p_err("component to probe already specified"); return -1; } target = COMPONENT_KERNEL; NEXT_ARG(); } else { p_err("expected no more arguments, 'kernel', got: '%s'?", *argv); return -1; } } if (json_output) jsonw_start_object(json_wtr); switch (target) { case COMPONENT_KERNEL: case COMPONENT_UNSPEC: print_start_section("system_config", "Scanning system configuration..."); if (check_procfs()) { probe_unprivileged_disabled(); probe_jit_enable(); probe_jit_harden(); probe_jit_kallsyms(); probe_jit_limit(); } else { p_info("/* procfs not mounted, skipping related probes */"); } if (json_output) jsonw_end_object(json_wtr); else printf("\n"); break; } print_start_section("syscall_config", "Scanning system call availability..."); probe_bpf_syscall(); if (json_output) { /* End current "section" of probes */ jsonw_end_object(json_wtr); /* End root object */ jsonw_end_object(json_wtr); } return 0; } static int do_help(int argc, char **argv) { if (json_output) { jsonw_null(json_wtr); return 0; } fprintf(stderr, "Usage: %s %s probe [kernel]\n" " %s %s help\n" "", bin_name, argv[-2], bin_name, argv[-2]); return 0; } static const struct cmd cmds[] = { { "help", do_help }, { "probe", do_probe }, { 0 } }; int do_feature(int argc, char **argv) { return cmd_select(cmds, argc, argv, do_help); }