Re: [PATCH] Add LoadPin support for eBPF program loading
From: Alex Roberts
Date: Sat Jun 13 2026 - 14:55:01 EST
> Why are we checking current here? IIUC this will be whoever calls
> bpf(2), which would be the loader, which would then be able to load bpf
> programs from an untrusted source.
The loader's filesystem would be pinned. If the filesystem is trusted, e.g., dm-verity with signed root hash, the loader is implicitly trusted. Would this not be similar to unsigned kmodules from a load-pinned dm-verity filesystem?
Obviously, this would have to exclude the use case of dynamically generated BPF programs from bpftrace.
________________________________________
From: Alexei Starovoitov <alexei.starovoitov@xxxxxxxxx>
Sent: Friday, June 12, 2026 10:20 AM
To: David Windsor <dwindsor@xxxxxxxxx>
Cc: alex.roberts109@xxxxxxxxxxx <alex.roberts109@xxxxxxxxxxx>; Kees Cook <kees@xxxxxxxxxx>; Paul Moore <paul@xxxxxxxxxxxxxx>; James Morris <jmorris@xxxxxxxxx>; Serge E . Hallyn <serge@xxxxxxxxxx>; LKML <linux-kernel@xxxxxxxxxxxxxxx>; LSM List <linux-security-module@xxxxxxxxxxxxxxx>; bpf <bpf@xxxxxxxxxxxxxxx>; Alexei Starovoitov <ast@xxxxxxxxxx>; KP Singh <kpsingh@xxxxxxxxxx>
Subject: Re: [PATCH] Add LoadPin support for eBPF program loading
On Thu, Jun 11, 2026 at 5:08 PM David Windsor <dwindsor@xxxxxxxxx> wrote:
>
> On Thu, Jun 11, 2026 at 01:59:10PM -0500, Alex Roberts wrote:
> > +static int loadpin_bpf_prog_load(struct bpf_prog *prog, union bpf_attr *attr,
> > + struct bpf_token *token, bool is_kernel)
> > +{
> > + int res = 0;
> > + struct file *exe_file = NULL;
> > + struct mm_struct *mm = current->mm;
> > +
> > + if (is_kernel || !mm)
> > + return 0;
> > +
> > + exe_file = get_mm_exe_file(mm);
> > + if (!exe_file)
> > + return 0;
> > +
> > + res = loadpin_check(exe_file, READING_EBPF);
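Review bot: the file passed to loadpin_check() comes from get_mm_exe_file(current->mm), which is the executable of the task calling bpf(2), not anything derived from prog or attr, so the pin decision covers the loader binary and says nothing about where the BPF program bytes came from. Both early returns (`if (is_kernel || !mm)` and `if (!exe_file)`) return 0 and so allow the load when no executable can be resolved; if the hook is meant to enforce, the `!exe_file` case should fail closed, or a comment should explain why allowing is safe. get_mm_exe_file() returns a referenced file, so every path after this call needs a matching fput(); the rest of the function is not visible in this quote, so please confirm the error path of loadpin_check() drops it as well.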
>
> Why are we checking current here? IIUC this will be whoever calls
> bpf(2), which would be the loader, which would then be able to load bpf
> programs from an untrusted source.
>
> In the kmod case loadpin_check() sees the .ko itself.
See sashiko comments:
- [High] The LoadPin eBPF trust mechanism can be trivially bypassed
using standard system interpreters like the dynamic linker (`ld.so`).
- [High] The LoadPin eBPF trust mechanism can be bypassed by a
privileged attacker using prctl(PR_SET_MM_EXE_FILE).
and the bot is correct.
This patch is pointless.