From: Song Liu <song@kernel.org>
To: bpf@vger.kernel.org, linux-security-module@vger.kernel.org,
	linux-fsdevel@vger.kernel.org, fsverity@lists.linux.dev
Cc: ebiggers@kernel.org, ast@kernel.org, daniel@iogearbox.net,
	andrii@kernel.org, martin.lau@linux.dev, brauner@kernel.org,
	viro@zeniv.linux.org.uk, casey@schaufler-ca.com,
	amir73il@gmail.com, kpsingh@kernel.org, roberto.sassu@huawei.com,
	kernel-team@meta.com, Song Liu <song@kernel.org>
Subject: [PATCH v15 bpf-next 3/6] Documentation/bpf: Add documentation for filesystem kfuncs
Date: Wed, 29 Nov 2023 15:44:14 -0800
Message-ID: <20231129234417.856536-4-song@kernel.org>
In-Reply-To: <20231129234417.856536-1-song@kernel.org>

Add a brief introduction for file system kfuncs:

  bpf_get_file_xattr()
  bpf_get_fsverity_digest()

The documentation highlights the strategy to avoid recursions of these
kfuncs.

Signed-off-by: Song Liu <song@kernel.org>
---
 Documentation/bpf/fs_kfuncs.rst | 21 +++++++++++++++++++++
 Documentation/bpf/index.rst     |  1 +
 2 files changed, 22 insertions(+)
 create mode 100644 Documentation/bpf/fs_kfuncs.rst

diff --git a/Documentation/bpf/fs_kfuncs.rst b/Documentation/bpf/fs_kfuncs.rst
new file mode 100644
index 000000000000..8762c3233a3d
--- /dev/null
+++ b/Documentation/bpf/fs_kfuncs.rst
@@ -0,0 +1,21 @@
+.. SPDX-License-Identifier: GPL-2.0
+
+.. _fs_kfuncs-header-label:
+
+=====================
+BPF filesystem kfuncs
+=====================
+
+BPF LSM programs need to access filesystem data from LSM hooks. The following
+BPF kfuncs can be used to get these data.
+
+ * ``bpf_get_file_xattr()``
+
+ * ``bpf_get_fsverity_digest()``
+
+To avoid recursions, these kfuncs follow the following rules:
+
+1. These kfuncs are only permitted from BPF LSM function.
+2. These kfuncs should not call into other LSM hooks, i.e. security_*(). For
+   example, ``bpf_get_file_xattr()`` does not use ``vfs_getxattr()``, because
+   the latter calls LSM hook ``security_inode_getxattr``.
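Review bot: Rule 1 in fs_kfuncs.rst ("These kfuncs are only permitted from BPF LSM function.") is ungrammatical and leaves open whether the restriction is on the program type or on a particular hook; suggest "These kfuncs may only be called from BPF LSM programs", matching the "BPF LSM programs" wording in the opening paragraph. Rule 2 ("should not call into other LSM hooks") is a constraint on whoever implements or extends these kfuncs, not on BPF program authors, so it would help to state which reader each rule addresses and to use "must not" if the recursion guarantee depends on it. The file also lists ``bpf_get_file_xattr()`` and ``bpf_get_fsverity_digest()`` without describing their arguments or return values, so a reader cannot learn from this page how to call them; a short description per kfunc would close that gap. Minor: "to get these data" reads better as "to retrieve this data".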
diff --git a/Documentation/bpf/index.rst b/Documentation/bpf/index.rst
index aeaeb35e6d4a..0bb5cb8157f1 100644
--- a/Documentation/bpf/index.rst
+++ b/Documentation/bpf/index.rst
@@ -21,6 +21,7 @@ that goes into great technical depth about the BPF Architecture.
    helpers
    kfuncs
    cpumasks
+   fs_kfuncs
    programs
    maps
    bpf_prog_run
-- 
2.34.1

