Re: [PATCH] bpf: have bpf_real_inode() take a struct file

From: Amir Goldstein

Date: Mon Jun 22 2026 - 13:16:17 EST


On Mon, Jun 22, 2026 at 3:58 PM Christian Brauner <brauner@xxxxxxxxxx> wrote:
>
> bpf_real_inode() must be usable from the bprm_check_security, mmap_file
> and file_mprotect hooks for systemd's RestrictFilesystemAccess BPF LSM
> program. It should take a file instead. The kfunc landed this cycle so
> changing the signature is safe.
>
> Fixes: 9af8c8a54f6e ("bpf: add bpf_real_inode() kfunc")
> Signed-off-by: Christian Brauner (Amutable) <brauner@xxxxxxxxxx>
> ---
> fs/bpf_fs_kfuncs.c | 14 +++++++-------
> 1 file changed, 7 insertions(+), 7 deletions(-)
>
> diff --git a/fs/bpf_fs_kfuncs.c b/fs/bpf_fs_kfuncs.c
> index 768aca2dc0f0..f941c29d26ef 100644
> --- a/fs/bpf_fs_kfuncs.c
> +++ b/fs/bpf_fs_kfuncs.c
> @@ -360,18 +360,18 @@ __bpf_kfunc int bpf_cgroup_read_xattr(struct cgroup *cgroup, const char *name__s
> #endif /* CONFIG_CGROUPS */
>
> /**
> - * bpf_real_inode - get the real inode backing a dentry
> - * @dentry: dentry to resolve
> + * bpf_real_inode - get the real inode backing a file
> + * @file: file to resolve
> *
> - * If the dentry is on a union/overlay filesystem, return the underlying, real
> + * If the file is on a union/overlay filesystem, return the underlying, real
> * inode that hosts the data. Otherwise return the inode attached to the
> - * dentry itself.
> + * file itself.
> *
> - * Return: The real inode backing the dentry, or NULL for a negative dentry.
> + * Return: The real inode backing the file, or NULL.
> */
> -__bpf_kfunc struct inode *bpf_real_inode(struct dentry *dentry)
> +__bpf_kfunc struct inode *bpf_real_inode(struct file *file)
> {
> - return d_real_inode(dentry);
> + return d_real_inode(file_dentry(file));
> }
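Review bot: In the kernel-doc Return line, "or NULL" no longer says when NULL is returned; the old text tied it to a negative dentry, while the new body still resolves through d_real_inode(file_dentry(file)). Either state the condition under which a file can yield NULL, or drop the clause if it cannot happen for a file. Because the argument is now a struct file, the description should also say which inode a caller gets for non-regular files, where "the real inode that hosts the data" can be read as either d_real_inode(file_dentry(file)) or file_inode(file).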

The problem with this API is that for special files it is a bit ambiguous
to say "the real inode backing the file".
Is it d_real_inode(file_dentry(file))? or is it file_inode(file)?
The old API avoided this question.
BTW, did you notice that for non-regular files, this helper returns
the overlayfs inode?
This may be important information to document when exporting a kfunc.

If you take my suggestion from the previous round to name the kfunc
bpf_real_data_inode(struct file *file)
the intention becomes a little (bit) less ambiguous. huh?

Thanks,
Amir.