BPF programs, such as LSM and sched_ext, would benefit from tags on
cgroups. One common practice to apply such tags is to set xattrs on
cgroupfs folders.
Introduce kfunc bpf_cgroup_read_xattr, which allows reading cgroup's
xattr.
Note that, we already have bpf_get_[file|dentry]_xattr. However, these
two APIs are not ideal for reading cgroupfs xattrs, because:
1) These two APIs only works in sleepable contexts;
2) There is no kfunc that matches current cgroup to cgroupfs dentry.
Signed-off-by: Song Liu <song@kernel.org>
---
fs/bpf_fs_kfuncs.c | 33 +++++++++++++++++++++++++++++++++
1 file changed, 33 insertions(+)
diff --git a/fs/bpf_fs_kfuncs.c b/fs/bpf_fs_kfuncs.c
index 08412532db1b..9f3f9bd0f6f7 100644
--- a/fs/bpf_fs_kfuncs.c
+++ b/fs/bpf_fs_kfuncs.c
@@ -9,6 +9,7 @@
#include <linux/fs.h>
#include <linux/fsnotify.h>
#include <linux/file.h>
+#include <linux/kernfs.h>
#include <linux/mm.h>
#include <linux/xattr.h>
@@ -322,6 +323,37 @@ __bpf_kfunc int bpf_remove_dentry_xattr(struct dentry *dentry, const char *name_
return ret;
}
+/**
+ * bpf_cgroup_read_xattr - read xattr of a cgroup's node in cgroupfs
+ * @cgroup: cgroup to get xattr from
+ * @name__str: name of the xattr
+ * @value_p: output buffer of the xattr value
+ *
+ * Get xattr *name__str* of *cgroup* and store the output in *value_ptr*.
+ *
+ * For security reasons, only *name__str* with prefix "user." is allowed.
+ *
+ * Return: length of the xattr value on success, a negative value on error.
+ */
+__bpf_kfunc int bpf_cgroup_read_xattr(struct cgroup *cgroup, const char *name__str,
+ struct bpf_dynptr *value_p)
+{
+ struct bpf_dynptr_kern *value_ptr = (struct bpf_dynptr_kern *)value_p;
+ u32 value_len;
+ void *value;
+
+ /* Only allow reading "user.*" xattrs */
+ if (strncmp(name__str, XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN))
+ return -EPERM;
+
+ value_len = __bpf_dynptr_size(value_ptr);
+ value = __bpf_dynptr_data_rw(value_ptr, value_len);
+ if (!value)
+ return -EINVAL;
+
+ return kernfs_xattr_get(cgroup->kn, name__str, value, value_len);
+}
+
__bpf_kfunc_end_defs();
BTF_KFUNCS_START(bpf_fs_kfunc_set_ids)
@@ -333,6 +365,7 @@ BTF_ID_FLAGS(func, bpf_get_dentry_xattr, KF_SLEEPABLE | KF_TRUSTED_ARGS)
BTF_ID_FLAGS(func, bpf_get_file_xattr, KF_SLEEPABLE | KF_TRUSTED_ARGS)
BTF_ID_FLAGS(func, bpf_set_dentry_xattr, KF_SLEEPABLE | KF_TRUSTED_ARGS)
BTF_ID_FLAGS(func, bpf_remove_dentry_xattr, KF_SLEEPABLE | KF_TRUSTED_ARGS)
+BTF_ID_FLAGS(func, bpf_cgroup_read_xattr, KF_RCU)
BTF_KFUNCS_END(bpf_fs_kfunc_set_ids)
static int bpf_fs_kfuncs_filter(const struct bpf_prog *prog, u32 kfunc_id)
--
2.47.1On Thu, Jun 19, 2025 at 03:01:11PM -0700, Song Liu wrote:
> BPF programs, such as LSM and sched_ext, would benefit from tags on
> cgroups. One common practice to apply such tags is to set xattrs on
> cgroupfs folders.
>
> Introduce kfunc bpf_cgroup_read_xattr, which allows reading cgroup's
> xattr.
>
> Note that, we already have bpf_get_[file|dentry]_xattr. However, these
> two APIs are not ideal for reading cgroupfs xattrs, because:
>
> 1) These two APIs only works in sleepable contexts;
> 2) There is no kfunc that matches current cgroup to cgroupfs dentry.
>
> Signed-off-by: Song Liu <song@kernel.org>
...
> +__bpf_kfunc int bpf_cgroup_read_xattr(struct cgroup *cgroup, const char *name__str,
> + struct bpf_dynptr *value_p)
> +{
> + struct bpf_dynptr_kern *value_ptr = (struct bpf_dynptr_kern *)value_p;
> + u32 value_len;
> + void *value;
> +
> + /* Only allow reading "user.*" xattrs */
> + if (strncmp(name__str, XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN))
> + return -EPERM;
Just out of curiosity, what security holes are there if we allow BPF
programs to read other xattrs? Given how priviledged BPF programs already
are, does this make meaningful difference?
From cgroup POV:
Acked-by: Tejun Heo <tj@kernel.org>
Thanks.
--
tejun
> On Jun 20, 2025, at 7:44 PM, Tejun Heo <tj@kernel.org> wrote:
>
> On Thu, Jun 19, 2025 at 03:01:11PM -0700, Song Liu wrote:
>> BPF programs, such as LSM and sched_ext, would benefit from tags on
>> cgroups. One common practice to apply such tags is to set xattrs on
>> cgroupfs folders.
>>
>> Introduce kfunc bpf_cgroup_read_xattr, which allows reading cgroup's
>> xattr.
>>
>> Note that, we already have bpf_get_[file|dentry]_xattr. However, these
>> two APIs are not ideal for reading cgroupfs xattrs, because:
>>
>> 1) These two APIs only works in sleepable contexts;
>> 2) There is no kfunc that matches current cgroup to cgroupfs dentry.
>>
>> Signed-off-by: Song Liu <song@kernel.org>
> ...
>> +__bpf_kfunc int bpf_cgroup_read_xattr(struct cgroup *cgroup, const char *name__str,
>> + struct bpf_dynptr *value_p)
>> +{
>> + struct bpf_dynptr_kern *value_ptr = (struct bpf_dynptr_kern *)value_p;
>> + u32 value_len;
>> + void *value;
>> +
>> + /* Only allow reading "user.*" xattrs */
>> + if (strncmp(name__str, XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN))
>> + return -EPERM;
>
> Just out of curiosity, what security holes are there if we allow BPF
> programs to read other xattrs? Given how priviledged BPF programs already
> are, does this make meaningful difference?
There are some xatters that we shouldn’t read, for example, other
security.* xattrs (security.selinux etc.).
We can probably allow BPF LSM programs to read security.bpf.* xattrs,
on cgroup nodes, just like bpf_get_[file|dentry]_xattr. But that
requires some extra logic.
Thanks,
Song
© 2016 - 2025 Red Hat, Inc.