From nobody Thu Apr 2 20:28:02 2026 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 5BA574070F4; Thu, 26 Mar 2026 16:09:25 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1774541365; cv=none; b=RpaB/DRPh8CX7g8gKG4OnZIlBa+3lhZSE2hZ06mlzwGrl8LBO02bWTi08i2X8+w/7hqhDM5/ggoQe/cFCsqDawmkSrqYGk6gI5j2f8aSM5Jym6b83hylC86NTrY7+WwvXVzS1BfQxdPWj3cn6JhZFnUygSCRJUI9KsdxapZJD8c= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1774541365; c=relaxed/simple; bh=7azGKc80wcX8nAE+5i2Ffor9je2LSncza6rzMUCOLVU=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=ekBZjph8ZDwdk/gUiRndSf/+qqm1AhAGgHOnA/GgiLjlAf4rC49lrDvIprakuRRJU2weDxMOPkTPFWYrOu2rFDepdfUSlLW022Uu6MHYP/iuaxJfzS4VzJcRJC4lnBHig6eMluZ/wfgi/eFHZAvpyGHRunkt1a+ubZev7bFYwVk= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=pfHmJsUA; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="pfHmJsUA" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 6CB57C19423; Thu, 26 Mar 2026 16:09:23 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1774541365; bh=7azGKc80wcX8nAE+5i2Ffor9je2LSncza6rzMUCOLVU=; h=From:Date:Subject:References:In-Reply-To:To:Cc:From; b=pfHmJsUA5j2pJdikaarJ6wFgKPNM7EqdwDnCRwfMAeQLOTjs2RrhugdYL59CT4rde bxUI2A96cZf97sN3cN/rg0YCJ/NEaVZjWrf7N1mUbFh6KpqqwxHmhiw8NZ0zi1RRnQ e56CA13rspF9CwDbVLfgfCRDt4SpxM8omn+HmOuQ2pSCxZZk+V/2fiP6mxBRYBo12N ag/ju6mhTJbkgwYit8VWRbmz+EuBVtKw+i7kzvKz+y7J3b08NATGDPX4HUw83e6qLR +DK4IJmgVUu1g3PJ3sJo1bFG+DNZg6K28D6I0i79XkR0LqNJ6L6fRSNjNdY3hNHzcE SfiQI2JF/FL/g== From: Christian Brauner Date: Thu, 26 Mar 2026 17:09:14 +0100 Subject: [PATCH RESEND v2 1/2] bpf: classify block device hooks appropriately Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260326-work-bpf-bdev-v2-1-5e3c58963987@kernel.org> References: <20260326-work-bpf-bdev-v2-0-5e3c58963987@kernel.org> In-Reply-To: <20260326-work-bpf-bdev-v2-0-5e3c58963987@kernel.org> To: Alexei Starovoitov , Daniel Borkmann , bpf@vger.kernel.org Cc: KP Singh , Andrii Nakryiko , Martin KaFai Lau , linux-kernel@vger.kernel.org, Christian Brauner X-Mailer: b4 0.16-dev X-Developer-Signature: v=1; a=openpgp-sha256; l=2241; i=brauner@kernel.org; h=from:subject:message-id; bh=7azGKc80wcX8nAE+5i2Ffor9je2LSncza6rzMUCOLVU=; b=owGbwMvMwCU28Zj0gdSKO4sYT6slMWQejdJ/x3q8ymBPYGBq4/0JPlLmGmxb5v/6rZK2UiyLy fFsS8GXjlIWBjEuBlkxRRaHdpNwueU8FZuNMjVg5rAygQxh4OIUgIkkuTL8L577y1Z/IZtJql7z vJNq7rWsKvb2x9+sc2RdMTnrqG/sTkaGI1GipiFtp7fN8c/6+emtGTOzTkjqUeavIa4TdvWw2m5 kAgA= X-Developer-Key: i=brauner@kernel.org; a=openpgp; fpr=4880B8C9BD0E5106FC070F4F7B3C391EFEA93624 A bunch of new hooks for managing block devices were added a while ago but they weren't actually appropriately classified. * bpf_lsm_bdev_alloc() is called when the inode for the block device is allocated. This happens from a sleepable context so mark the function as sleepable. When this function is called the memory for the block device storage embedded into the inode is zeroed. That block device cannot be meaningfully reference or interacted with at this point. So mark it as untrusted for now. * bpf_lsm_bdev_free() is called when the inode for the block device is freed. A bunch of memory associated with the block device has already been freed and there's dangling pointers in there. So mark it as untrusted. It cannot be meaningfully referenced or interacted with anymore. It is also called from sb->s_op->free_inode:: which means it runs in rcu context (most of the times). So leave it as non-sleepable. * bpf_lsm_bdev_setintegrity() is called when a dm-verity device is instantiated (glossing over details for simplicity of the commit message). The block device is very much alive so it remains a trusted hook. It's also called with device mapper's suspend lock held and so the hook is able to sleep so mark it sleepable. Signed-off-by: Christian Brauner --- kernel/bpf/bpf_lsm.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/kernel/bpf/bpf_lsm.c b/kernel/bpf/bpf_lsm.c index 0c4a0c8e6f70..119e3942cf5a 100644 --- a/kernel/bpf/bpf_lsm.c +++ b/kernel/bpf/bpf_lsm.c @@ -383,6 +383,8 @@ BTF_ID(func, bpf_lsm_task_prctl) BTF_ID(func, bpf_lsm_task_setscheduler) BTF_ID(func, bpf_lsm_task_to_inode) BTF_ID(func, bpf_lsm_userns_create) +BTF_ID(func, bpf_lsm_bdev_alloc) +BTF_ID(func, bpf_lsm_bdev_setintegrity) BTF_SET_END(sleepable_lsm_hooks) =20 BTF_SET_START(untrusted_lsm_hooks) @@ -395,6 +397,8 @@ BTF_ID(func, bpf_lsm_sk_alloc_security) BTF_ID(func, bpf_lsm_sk_free_security) #endif /* CONFIG_SECURITY_NETWORK */ BTF_ID(func, bpf_lsm_task_free) +BTF_ID(func, bpf_lsm_bdev_alloc) +BTF_ID(func, bpf_lsm_bdev_free) BTF_SET_END(untrusted_lsm_hooks) =20 bool bpf_lsm_is_sleepable_hook(u32 btf_id) --=20 2.47.3 From nobody Thu Apr 2 20:28:02 2026 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 29CBA1D5170; Thu, 26 Mar 2026 16:09:27 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1774541368; cv=none; b=sP/HOppBzMT1NuZCAcsSvHL9hkx/34Mc+eHAyD49+/s78SKUuCEEtx7Jjk1BNZd8KVrgJjaUgwpye84F/JcyAta4Gb4n7xZ57aQyV92bOXnfVFJ81csUPy2U8JTqYWG+3R4d1bkZZZAP5A3K0En9UT+xvhdLXiYymZ56AY3L9Xg= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1774541368; c=relaxed/simple; bh=elsbhCKTjyHQOR/R1/g4VdpZRWj7+gyGM6TKxJrlKVU=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=sjesQp8PhGv6x7qOHu6lV7WWLMCyTW0lOfdNSBXcLYf3f2zLbIKI6JcwRkCKFRds+Xvk9ta6dCCcS9wYbs6B2ERs07Bm3GTJOtkoapLJ7KI+G9l1zvl9988COrmmjVlkW0Z77VqzXFUkVareYAFlPa8HUNtNx+clNHzSn0vFLWI= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=DGy5wR0x; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="DGy5wR0x" Received: by smtp.kernel.org (Postfix) with ESMTPSA id B3735C19423; Thu, 26 Mar 2026 16:09:25 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1774541367; bh=elsbhCKTjyHQOR/R1/g4VdpZRWj7+gyGM6TKxJrlKVU=; h=From:Date:Subject:References:In-Reply-To:To:Cc:From; b=DGy5wR0xoaaTRCvhlyWJjU9hGNmHtEJj/R7hy0EdbhTs2kIV9GF7uQr89KyiBsYsz 9MQ//BxZcQBPwQjM546oChfbnAd0quu9h+Gqs/+3ajkrVQveSFlu8aW4T6o5vFi4yh HMRCgelAnxk9WQ/0l+cAYxZeWB8HTSTLDWNvzJ2JSQlQ3bccmsZi1wYaqTknnm0QfU opAUGY0LLl7LpcizTLwR91CurLPXpnSieWZM7JS2Dz6a58DOY+bzP/19NtjDuwoPdJ u1KHkB4u8P1Qz6TD7hZW1a+G7RoVqovrCdVLqB6JMUJV3TQtCQz38b6pCjpbJX35Sl 1CvjaG0uf4uJA== From: Christian Brauner Date: Thu, 26 Mar 2026 17:09:15 +0100 Subject: [PATCH RESEND v2 2/2] selftests/bpf: add block device management selftests Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260326-work-bpf-bdev-v2-2-5e3c58963987@kernel.org> References: <20260326-work-bpf-bdev-v2-0-5e3c58963987@kernel.org> In-Reply-To: <20260326-work-bpf-bdev-v2-0-5e3c58963987@kernel.org> To: Alexei Starovoitov , Daniel Borkmann , bpf@vger.kernel.org Cc: KP Singh , Andrii Nakryiko , Martin KaFai Lau , linux-kernel@vger.kernel.org, Christian Brauner X-Mailer: b4 0.16-dev X-Developer-Signature: v=1; a=openpgp-sha256; l=9775; i=brauner@kernel.org; h=from:subject:message-id; bh=elsbhCKTjyHQOR/R1/g4VdpZRWj7+gyGM6TKxJrlKVU=; b=owGbwMvMwCU28Zj0gdSKO4sYT6slMWQejdI/fCL0bfqbOgUe96K3eyf93+Q9ybWF5WpX7eIvW 1VX3Taf1VHKwiDGxSArpsji0G4SLrecp2KzUaYGzBxWJpAhDFycAjCRe68YGc6XxP3lFODh/fc+ mS+/iD0xbmn7Kn+3UypCYn9PWGoc+MbIMLswZc+ZF+G2tfbvk0+sz5e7GMrO9vjAWbVzZ56mLev Q5AIA X-Developer-Key: i=brauner@kernel.org; a=openpgp; fpr=4880B8C9BD0E5106FC070F4F7B3C391EFEA93624 Add selftests to test block device tracking for bpf lsm programs. Signed-off-by: Christian Brauner --- tools/testing/selftests/bpf/prog_tests/lsm_bdev.c | 221 ++++++++++++++++++= ++++ tools/testing/selftests/bpf/progs/lsm_bdev.c | 96 ++++++++++ 2 files changed, 317 insertions(+) diff --git a/tools/testing/selftests/bpf/prog_tests/lsm_bdev.c b/tools/test= ing/selftests/bpf/prog_tests/lsm_bdev.c new file mode 100644 index 000000000000..a970798e1173 --- /dev/null +++ b/tools/testing/selftests/bpf/prog_tests/lsm_bdev.c @@ -0,0 +1,221 @@ +// SPDX-License-Identifier: GPL-2.0 +/* Copyright (c) 2026 Christian Brauner */ + +/* + * Test BPF LSM block device integrity hooks with dm-verity. + * + * Creates a dm-verity device over loopback, which triggers + * security_bdev_setintegrity() during verity_preresume(). + * Verifies that the BPF program correctly tracks the integrity + * metadata in its hashmap. + */ + +#define _GNU_SOURCE +#include +#include +#include +#include +#include +#include +#include +#include +#include "lsm_bdev.skel.h" + +/* Must match the definition in progs/lsm_bdev.c. */ +struct verity_info { + __u8 has_roothash; + __u8 sig_valid; + __u32 setintegrity_cnt; +}; + +#define DATA_SIZE_MB 8 +#define HASH_SIZE_MB 1 +#define DM_NAME "bpf_test_verity" +#define DM_DEV_PATH "/dev/mapper/" DM_NAME + +/* Run a command and optionally capture the first line of stdout. */ +static int run_cmd(const char *cmd, char *out, size_t out_sz) +{ + FILE *fp; + int ret; + + fp =3D popen(cmd, "r"); + if (!fp) + return -1; + + if (out && out_sz > 0) { + if (!fgets(out, out_sz, fp)) + out[0] =3D '\0'; + /* strip trailing newline */ + out[strcspn(out, "\n")] =3D '\0'; + } + + ret =3D pclose(fp); + return WIFEXITED(ret) ? WEXITSTATUS(ret) : -1; +} + +static bool has_prerequisites(void) +{ + if (getuid() !=3D 0) { + printf("SKIP: must be root\n"); + return false; + } + + if (run_cmd("modprobe loop 2>/dev/null", NULL, 0) && + run_cmd("ls /dev/loop-control 2>/dev/null", NULL, 0)) { + printf("SKIP: no loop device support\n"); + return false; + } + + if (run_cmd("modprobe dm-verity 2>/dev/null", NULL, 0) && + run_cmd("dmsetup targets 2>/dev/null | grep -q verity", NULL, 0)) { + printf("SKIP: dm-verity module not available\n"); + return false; + } + + if (run_cmd("which veritysetup >/dev/null 2>&1", NULL, 0)) { + printf("SKIP: veritysetup not found\n"); + return false; + } + + return true; +} + +void test_lsm_bdev(void) +{ + char data_img[] =3D "/tmp/bpf_verity_data_XXXXXX"; + char hash_img[] =3D "/tmp/bpf_verity_hash_XXXXXX"; + char data_loop[64] =3D {}; + char hash_loop[64] =3D {}; + char roothash[256] =3D {}; + char cmd[512]; + int data_fd =3D -1, hash_fd =3D -1; + struct lsm_bdev *skel =3D NULL; + struct verity_info val; + struct stat st; + __u32 dev_key; + int err; + + if (!has_prerequisites()) { + test__skip(); + return; + } + + /* Clean up any stale device from a previous crashed run. */ + snprintf(cmd, sizeof(cmd), "dmsetup remove %s 2>/dev/null", DM_NAME); + run_cmd(cmd, NULL, 0); + + /* Create temporary image files. */ + data_fd =3D mkstemp(data_img); + if (!ASSERT_OK_FD(data_fd, "mkstemp data")) + return; + + hash_fd =3D mkstemp(hash_img); + if (!ASSERT_OK_FD(hash_fd, "mkstemp hash")) + goto cleanup; + + if (!ASSERT_OK(ftruncate(data_fd, DATA_SIZE_MB * 1024 * 1024), + "truncate data")) + goto cleanup; + + if (!ASSERT_OK(ftruncate(hash_fd, HASH_SIZE_MB * 1024 * 1024), + "truncate hash")) + goto cleanup; + + close(data_fd); + data_fd =3D -1; + close(hash_fd); + hash_fd =3D -1; + + /* Set up loop devices. */ + snprintf(cmd, sizeof(cmd), + "losetup --find --show %s 2>/dev/null", data_img); + if (!ASSERT_OK(run_cmd(cmd, data_loop, sizeof(data_loop)), + "losetup data")) + goto teardown; + + snprintf(cmd, sizeof(cmd), + "losetup --find --show %s 2>/dev/null", hash_img); + if (!ASSERT_OK(run_cmd(cmd, hash_loop, sizeof(hash_loop)), + "losetup hash")) + goto teardown; + + /* Format the dm-verity device and capture the root hash. */ + snprintf(cmd, sizeof(cmd), + "veritysetup format %s %s 2>/dev/null | " + "grep -i 'root hash' | awk '{print $NF}'", + data_loop, hash_loop); + if (!ASSERT_OK(run_cmd(cmd, roothash, sizeof(roothash)), + "veritysetup format")) + goto teardown; + + if (!ASSERT_GT((int)strlen(roothash), 0, "roothash not empty")) + goto teardown; + + /* Load and attach BPF program before activating dm-verity. */ + skel =3D lsm_bdev__open_and_load(); + if (!ASSERT_OK_PTR(skel, "skel open_and_load")) + goto teardown; + + err =3D lsm_bdev__attach(skel); + if (!ASSERT_OK(err, "skel attach")) + goto teardown; + + /* Activate dm-verity =E2=80=94 triggers verity_preresume() hooks. */ + snprintf(cmd, sizeof(cmd), + "veritysetup open %s %s %s %s 2>/dev/null", + data_loop, DM_NAME, hash_loop, roothash); + if (!ASSERT_OK(run_cmd(cmd, NULL, 0), "veritysetup open")) + goto teardown; + + /* Get the dm device's dev_t. */ + if (!ASSERT_OK(stat(DM_DEV_PATH, &st), "stat dm dev")) + goto remove_dm; + + dev_key =3D (__u32)st.st_rdev; + + /* Look up the device in the BPF map and verify. */ + err =3D bpf_map__lookup_elem(skel->maps.verity_devices, + &dev_key, sizeof(dev_key), + &val, sizeof(val), 0); + if (!ASSERT_OK(err, "map lookup")) + goto remove_dm; + + ASSERT_EQ(val.has_roothash, 1, "has_roothash"); + ASSERT_EQ(val.sig_valid, 0, "sig_valid (unsigned)"); + /* + * verity_preresume() always calls security_bdev_setintegrity() + * for the roothash. The signature-validity call only happens + * when CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG is enabled. + */ + ASSERT_GE(val.setintegrity_cnt, 1, "setintegrity_cnt min"); + ASSERT_LE(val.setintegrity_cnt, 2, "setintegrity_cnt max"); + + /* Verify that the alloc hook fired at least once. */ + ASSERT_GT(skel->bss->alloc_count, 0, "alloc_count"); + +remove_dm: + snprintf(cmd, sizeof(cmd), "dmsetup remove %s 2>/dev/null", DM_NAME); + run_cmd(cmd, NULL, 0); + +teardown: + if (data_loop[0]) { + snprintf(cmd, sizeof(cmd), "losetup -d %s 2>/dev/null", + data_loop); + run_cmd(cmd, NULL, 0); + } + if (hash_loop[0]) { + snprintf(cmd, sizeof(cmd), "losetup -d %s 2>/dev/null", + hash_loop); + run_cmd(cmd, NULL, 0); + } + +cleanup: + lsm_bdev__destroy(skel); + if (data_fd >=3D 0) + close(data_fd); + if (hash_fd >=3D 0) + close(hash_fd); + unlink(data_img); + unlink(hash_img); +} diff --git a/tools/testing/selftests/bpf/progs/lsm_bdev.c b/tools/testing/s= elftests/bpf/progs/lsm_bdev.c new file mode 100644 index 000000000000..45554e6db605 --- /dev/null +++ b/tools/testing/selftests/bpf/progs/lsm_bdev.c @@ -0,0 +1,96 @@ +// SPDX-License-Identifier: GPL-2.0 +/* Copyright (c) 2026 Christian Brauner */ + +/* + * BPF LSM block device integrity tracker for dm-verity. + * + * Tracks block devices in a hashmap keyed by bd_dev. When dm-verity + * calls security_bdev_setintegrity() during verity_preresume(), the + * setintegrity hook records the roothash and signature-validity data. + * The free hook cleans up when the device goes away. The alloc hook + * counts allocations for test validation. + * + * The sleepable hooks exercise bpf_copy_from_user() to verify that + * the sleepable classification actually permits sleepable helpers. + */ + +#include "vmlinux.h" +#include +#include + +struct verity_info { + __u8 has_roothash; /* LSM_INT_DMVERITY_ROOTHASH seen */ + __u8 sig_valid; /* LSM_INT_DMVERITY_SIG_VALID value (non-NULL =3D valid)= */ + __u32 setintegrity_cnt; /* total setintegrity calls for this dev */ +}; + +struct { + __uint(type, BPF_MAP_TYPE_HASH); + __uint(max_entries, 64); + __type(key, __u32); /* dev_t from bdev->bd_dev */ + __type(value, struct verity_info); +} verity_devices SEC(".maps"); + +/* Global counters exposed to userspace via skeleton bss. */ +int alloc_count; + +char _license[] SEC("license") =3D "GPL"; + +SEC("lsm.s/bdev_setintegrity") +int BPF_PROG(bdev_setintegrity, struct block_device *bdev, + enum lsm_integrity_type type, const void *value, size_t size) +{ + struct verity_info zero =3D {}; + struct verity_info *info; + __u32 dev; + char buf; + + /* + * Exercise a sleepable helper to confirm the verifier + * allows it in this sleepable hook. + */ + (void)bpf_copy_from_user(&buf, sizeof(buf), NULL); + + dev =3D bdev->bd_dev; + + info =3D bpf_map_lookup_elem(&verity_devices, &dev); + if (!info) { + bpf_map_update_elem(&verity_devices, &dev, &zero, BPF_NOEXIST); + info =3D bpf_map_lookup_elem(&verity_devices, &dev); + if (!info) + return 0; + } + + if (type =3D=3D LSM_INT_DMVERITY_ROOTHASH) + info->has_roothash =3D 1; + else if (type =3D=3D LSM_INT_DMVERITY_SIG_VALID) + info->sig_valid =3D (value !=3D NULL); + + __sync_fetch_and_add(&info->setintegrity_cnt, 1); + + return 0; +} + +SEC("lsm/bdev_free_security") +void BPF_PROG(bdev_free_security, struct block_device *bdev) +{ + __u32 dev =3D bdev->bd_dev; + + bpf_map_delete_elem(&verity_devices, &dev); +} + +SEC("lsm.s/bdev_alloc_security") +int BPF_PROG(bdev_alloc_security, struct block_device *bdev) +{ + char buf; + + /* + * Exercise a sleepable helper to confirm the verifier + * allows it in this sleepable hook. + */ + (void)bpf_copy_from_user(&buf, sizeof(buf), NULL); + + __sync_fetch_and_add(&alloc_count, 1); + + return 0; +} --=20 2.47.3