Documentation/bpf: Add documentation for filesystem kfuncs

Add a brief introduction for file system kfuncs:

  bpf_get_file_xattr()
  bpf_get_fsverity_digest()

The documentation highlights the strategy to avoid recursions of these
kfuncs.

Signed-off-by: Song Liu <song@kernel.org>
Link: https://lore.kernel.org/r/20231129234417.856536-4-song@kernel.org
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Song Liu 2023-11-29 15:44:14 -08:00 committed by Alexei Starovoitov
parent 67814c00de
commit 0de267d9ec
2 changed files with 22 additions and 0 deletions


@ -0,0 +1,21 @@
.. SPDX-License-Identifier: GPL-2.0
.. _fs_kfuncs-header-label:
=====================
BPF filesystem kfuncs
=====================
BPF LSM programs need to access filesystem data from LSM hooks. The following
BPF kfuncs can be used to get these data.
* ``bpf_get_file_xattr()``
* ``bpf_get_fsverity_digest()``
To avoid recursions, these kfuncs follow the following rules:
1. These kfuncs are only permitted from BPF LSM function.
2. These kfuncs should not call into other LSM hooks, i.e. security_*(). For
example, ``bpf_get_file_xattr()`` does not use ``vfs_getxattr()``, because
the latter calls LSM hook ``security_inode_getxattr``.
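
Review bot: rule 1 of the added text says the kfuncs are "only permitted from BPF LSM function", which is ungrammatical and does not match the "BPF LSM programs" wording of the opening paragraph; suggest "only permitted from BPF LSM programs". Rule 2 is the recursion guarantee itself, so "must not call into other LSM hooks" would state it more firmly than "should not", and it would help to say that this rule is addressed to whoever adds a kfunc to this list rather than to program authors. The page also names the two kfuncs without saying what each takes or returns; a one-line description per kfunc would make it usable as a reference.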


@ -21,6 +21,7 @@ that goes into great technical depth about the BPF Architecture.
helpers helpers
kfuncs kfuncs
cpumasks cpumasks
fs_kfuncs
programs programs
maps maps
bpf_prog_run bpf_prog_run
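
Review bot: the new fs_kfuncs index entry is the only visible route to the new page, and the fs_kfuncs-header-label label defined in the other file is not referenced anywhere in this patch. Consider adding a cross-reference from the existing kfuncs page so that readers looking for kfunc documentation also find the filesystem recursion rules.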