[PATCH bpf-next 2/3] bpf: Add bpf_kern_path and bpf_path_put kfuncs
Al Viro
viro at zeniv.linux.org.uk
Sun Nov 30 04:23:57 UTC 2025
On Wed, Nov 26, 2025 at 04:50:06PM -0800, Song Liu wrote:
> Add two new kfuncs to fs/bpf_fs_kfuncs.c that wrap kern_path() for use
> by BPF LSM programs:
>
> bpf_kern_path():
> - Resolves a pathname string to a struct path
> These kfuncs enable BPF LSM programs to resolve pathnames provided by
> hook arguments (e.g., dev_name from sb_mount) and validate or inspect
> the resolved paths. The verifier enforces proper resource management
> through acquire/release tracking.
Oh, *brilliant*. Thank you for giving a wonderful example of the reasons
why this is fundamentally worthless.
OK, your "BPF LSM" has been called and it got that dev_name. You decide
that you want to know what it resolves to (which, BTW, requries a really
non-trivial amount of parsing other arguments - just to figure out whether
it *is* a pathname of some sort). Thanks to your shiny new kfuncs you
can do that! You are a proud holder of mount/dentry pair. You stare at
those and decide whether it's OK to go on. Then you... drop that pair
and let mount(2) proceed towards the point where it will (if you parsed
the arguments correctly) repeat that pathname resolution and get a mount/dentry
pair of its own, that may very well be different from what you've got the
first time around.
Your primitive is a walking TOCTOU bug - it's impossible to use safely.
NAKed-by: Al Viro <viro at zeniv.linux.org.uk>
More information about the Linux-security-module-archive
mailing list