Re: [PATCH bpf-next 09/13] lsm: add bpf_prog_load_post_integrity hook
From: Paul Moore <paul@paul-moore.com>
Date: 2026-05-24 00:55:39
Also in:
bpf
On Thu, May 21, 2026 at 10:32 PM KP Singh [off-list ref] wrote:
Add a companion to security_bpf_prog_load. The existing hook fires at PROG_LOAD entry where the verdict is at most BPF_SIG_OK; the new hook fires from bpf_loader_verify_metadata after the in-kernel metadata check, just before sig.verdict is promoted to BPF_SIG_METADATA_VERIFIED. Policy LSMs that want to gate on metadata verification (not just signature presence) register here. Signed-off-by: KP Singh <kpsingh@kernel.org> --- include/linux/lsm_hook_defs.h | 1 + include/linux/security.h | 6 ++++++ security/security.c | 17 +++++++++++++++++ 3 files changed, 24 insertions(+)
...
+/**
+ * security_bpf_prog_load_post_integrity() - Notify LSMs that a signed loader
+ * has just verified its metadata map.
+ * @prog: the loader BPF program whose metadata check passed.
+ *
+ * Invoked by bpf_loader_verify_metadata() after the kernel-side hash check
+ * succeeds, before prog->aux->sig_verdict is promoted to
+ * BPF_SIG_METADATA_VERIFIED. A non-zero return aborts the kfunc and leaves
+ * the verdict at BPF_SIG_OK.
+ *
+ * Return: 0 on success, negative errno to deny.
+ */
+int security_bpf_prog_load_post_integrity(struct bpf_prog *prog)
+{
+ return call_int_hook(bpf_prog_load_post_integrity, prog);
+}Since you're using essentially the same LSM infrastructure and IPE work that Blaise, Fan, and I developed for policy-based enforcement of BPF signature verification, perhaps this is where we can find some common ground to start working together once again. I would be happy to support and maintain a security_bpf_prog_load_post_integrity() kfunc wrapper as part of the LSM framework, similar to what the VFS folks do with fs/bpf_fs_kfuncs.c, so that either a lskel loader, or a BPF LSM program if you like, could register a BPF integrity verification verdict with the LSM. This would provide a single unified approach for LSMs, including BPF LSMs, to build their BPF program integrity controls regardless of what the system builder, or admin, chooses for a BPF signature verification scheme: the loader based scheme you developed, or Hornet. There is no technical reason we can't support these things, e.g. multiple coexisting verification schemes supported by a single LSM enforcement interface, we just need to be willing to accept that we have different needs and show a willingness to accept different solutions as a result. -- paul-moore.com