Thread (14 messages) 14 messages, 6 authors, 2025-06-21

Re: [PATCH v2 bpf-next 2/5] bpf: Introduce bpf_cgroup_read_xattr to read xattr of cgroup's node

From: Song Liu <hidden>
Date: 2025-06-21 03:50:09
Also in: bpf, linux-fsdevel, lkml

On Jun 20, 2025, at 7:44 PM, Tejun Heo [off-list ref] wrote:

On Thu, Jun 19, 2025 at 03:01:11PM -0700, Song Liu wrote:
BPF programs, such as LSM and sched_ext, would benefit from tags on
cgroups. One common practice to apply such tags is to set xattrs on
cgroupfs folders.

Introduce kfunc bpf_cgroup_read_xattr, which allows reading cgroup's
xattr.

Note that, we already have bpf_get_[file|dentry]_xattr. However, these
two APIs are not ideal for reading cgroupfs xattrs, because:

 1) These two APIs only work in sleepable contexts;
 2) There is no kfunc that matches current cgroup to cgroupfs dentry.

Signed-off-by: Song Liu <song@kernel.org>
...
+__bpf_kfunc int bpf_cgroup_read_xattr(struct cgroup *cgroup, const char *name__str,
+ struct bpf_dynptr *value_p)
+{
+ struct bpf_dynptr_kern *value_ptr = (struct bpf_dynptr_kern *)value_p;
+ u32 value_len;
+ void *value;
+
+ /* Only allow reading "user.*" xattrs */
+ if (strncmp(name__str, XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN))
+ return -EPERM;
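Review bot: the prefix check at the top of bpf_cgroup_read_xattr() rejects every namespace other than "user.*" with -EPERM, but the one-line comment gives no rationale; since the restriction exists to keep attributes such as security.* (security.selinux and the like) out of reach, say so in the comment (e.g. "/* Only allow "user.*" xattrs; security.* and other namespaces must not be exposed to BPF */") so that a later relaxation for security.bpf.* keeps the remaining exclusions deliberate. Note also that strncmp() against XATTR_USER_PREFIX_LEN validates only the prefix, so the rest of name__str is passed through unchecked; it is worth stating in the comment that the kfunc relies on the verifier-enforced constant-string contract of the __str argument for termination.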
Just out of curiosity, what security holes are there if we allow BPF
programs to read other xattrs? Given how privileged BPF programs already
are, does this make meaningful difference?
There are some xattrs that we shouldn't read, for example, other
security.* xattrs (security.selinux etc.).

We can probably allow BPF LSM programs to read security.bpf.* xattrs,
on cgroup nodes, just like bpf_get_[file|dentry]_xattr. But that
requires some extra logic.

Thanks,
Song