[PATCH v10 bpf-next 03/17] bpf: introduce BPF token object
Christian Brauner
brauner at kernel.org
Mon Nov 27 16:05:31 UTC 2023
> + if (path.mnt->mnt_root != path.dentry) {
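Review bot: comparing `path.dentry` against `path.mnt->mnt_root` only establishes that the fd sits at the root of its own vfsmount, which a bind mount of a bpffs subdirectory (`mount --bind /mnt/foo /opt`, then `open("/opt")`) also satisfies, since the bind mount's `mnt_root` is the `foo` dentry. The intended restriction is the filesystem root, so compare against the superblock root instead: `if (path.dentry != path.mnt->mnt_sb->s_root)`.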
You want to verify that you can only create tokens from the root of the
bpffs mount. So for
sudo mount -t bpf bpf /mnt
you want bpf tokens to be creatable from:
fd = open("/mnt")
or from bind-mounts of the fs root:
sudo mount --bind /mnt /srv
fd = open("/srv")
but not from
sudo mount --bind /mnt/foo /opt
fd = open("/opt")
But I think your current check allows for that because if you bind-mount
/mnt/foo to /opt then fd = open("/opt")
path.mnt->mnt_root == foo and path.dentry == foo
I think
path.dentry != path.mnt->mnt_sb->s_root
should give you what you want.
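To make the difference between the two checks concrete, here is an added user-space model (not code from the patch or from this thread) that evaluates both conditions against /proc/self/mountinfo lines: field 4 of each entry is the mount's root inside its filesystem, field 5 is the mount point. The sample entries, the Mount type and the check_token_path() helper are constructed for this illustration; matching the fd's path to a mount point by exact string is an assumption of the model (the kernel works on dentries, not path strings).

```python
import re
from dataclasses import dataclass

# Constructed mountinfo entries reproducing the three cases from the mail:
#   /mnt  bpffs mounted directly          -> fs-internal root "/"
#   /srv  bind mount of the bpffs root    -> fs-internal root "/"
#   /opt  bind mount of /mnt/foo          -> fs-internal root "/foo"
SAMPLE_MOUNTINFO = """\
36 25 0:31 / /mnt rw,relatime - bpf bpf rw
37 25 0:31 / /srv rw,relatime - bpf bpf rw
38 25 0:31 /foo /opt rw,relatime - bpf bpf rw
"""

@dataclass
class Mount:
    fs_root: str      # field 4: root of this mount within the filesystem
    mount_point: str  # field 5: where it is attached in the namespace
    fstype: str       # first field after the "-" separator

def _unescape(field: str) -> str:
    # mountinfo encodes space, tab, newline and backslash as \040, \011, ...
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)

def parse_mountinfo(text: str) -> list[Mount]:
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        sep = fields.index("-")  # optional fields end at the "-" marker
        mounts.append(Mount(_unescape(fields[3]), _unescape(fields[4]),
                            fields[sep + 1]))
    return mounts

def check_token_path(mounts: list[Mount], path: str) -> dict:
    """Evaluate both candidate conditions for the path a token would be created from.

    mnt_root_check: the patch's test, path.mnt->mnt_root == path.dentry,
        i.e. the path is the root of *some* mount (any bind mount passes).
    sb_root_check: the suggested test, path.dentry == mnt_sb->s_root,
        i.e. that mount's root is the filesystem root itself.
    """
    mnt = next((m for m in mounts if m.mount_point == path), None)
    at_mount_root = mnt is not None
    return {
        "fstype": mnt.fstype if mnt else None,   # shown for context only
        "mnt_root_check": at_mount_root,
        "sb_root_check": at_mount_root and mnt.fs_root == "/",
    }

if __name__ == "__main__":
    mounts = parse_mountinfo(SAMPLE_MOUNTINFO)
    for p in ("/mnt", "/srv", "/opt", "/mnt/foo"):
        print(p, check_token_path(mounts, p))
```

Against a live system, replace SAMPLE_MOUNTINFO with the contents of /proc/self/mountinfo; /opt is the case the original check accepts and the superblock-root check rejects.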