[PATCH v10 bpf-next 03/17] bpf: introduce BPF token object

Christian Brauner brauner at kernel.org
Mon Nov 27 16:05:31 UTC 2023


> +	if (path.mnt->mnt_root != path.dentry) {

You want to verify that you can only create tokens from the root of the
bpffs mount. So for

  sudo mount -t bpf bpf /mnt

you want bpf tokens to be creatable from:

  fd = open("/mnt")

or from bind-mounts of the fs root:

  sudo mount --bind /mnt /srv
  fd = open("/srv")

but not from

  sudo mount --bind /mnt/foo /opt
  fd = open("/opt")

But I think your current check allows for that because if you bind-mount
/mnt/foo to /opt then fd = open("/opt")

  path.mnt->mnt_root == foo and path.dentry == foo

I think

path.dentry != path.mnt->mnt_sb->s_root

should give you what you want.



More information about the Linux-security-module-archive mailing list