[RFC PATCH 08/20] bpf: Add Landlock ruleset map type
Song Liu
song at kernel.org
Fri Apr 17 20:42:02 UTC 2026
On Fri, Apr 17, 2026 at 1:33 PM Justin Suess <utilityemal77 at gmail.com> wrote:
[...]
> > > > to the caller) and pass them as file descriptor?
> > > This "pass them as a file descriptor" is the tricky part. It would be
> > > very convenient if we could send the fd to bpf from userspace and have
> > > it be implicitly converted (like in the BPF_MAP_TYPE_LANDLOCK_RULESET
> > > implementation) in one step, but I just don't see a way to do that with
> > > the bpf_landlock_get_ruleset_from_fd kfunc approach.
> >
> > Song's idea to have a generic FD map looks promising.
> >
>
> I agree the generic FD map sounds like a good fit.
Well, I am not 100% sure a generic FD map adds enough value
on top of current __kptr solutions. This will be more tricky if we
have to touch file_operations.
> So this would be three parts like:
>
> 1. The new point-of-no-return flags for NNP and staging domain to
> execution time in Landlock. Selftests and doc updates.
> 2. The generic FD map implementation for bpf. Selftests and doc updates.
> 3. The BPF kfunc implementations for Landlock using the same point-of-no
> return staging. Selftests and doc updates.
>
> The scope of which is probably too big for one series.
>
> Luckily part 1 is pretty close to being done as part of my work for v2
> of this series, and can standalone as a preparatory series for Landlock,
> since it adds flags and features that have utility outside of BPF.
>
> Open for ideas on how to split this up (or even better, for some help in
> implementation or prior works).
>
> I'd like to get some feedback and figure out what this generic fd map
> should look like and get some more eyes on that idea to avoid wasting
> reviewer time on an unsuitable implementation.
I will think more about 2. If it indeed adds good value, the upcoming
LSF/MM/BPF is a good opportunity to move this forward.
In the meanwhile, we still need kfuncs to access landlock ruleset.
Therefore, any work on that front should be useful.
Thanks,
Song