Re: [PATCH bpf-next 1/2] bpf: Add bpf_get_task_cmdline kfunc
From: Alexei Starovoitov
Date: Fri Nov 21 2025 - 20:17:14 EST
On Tue, Nov 18, 2025 at 4:58 AM Tao Chen <chen.dylane@xxxxxxxxx> wrote:
>
> Add the bpf_get_task_cmdline kfunc. One use case is as follows: In
> production environments, there are often short-lived script tasks executed,
> and sometimes these tasks may cause stability issues. It is desirable to
> detect these script tasks via eBPF. The common approach is to check
> the process name, but it can be difficult to distinguish specific
> tasks in some cases. Take the shell as an example: some tasks are
> started via bash xxx.sh – their process name is bash, but the script
> name of the task can be obtained through the cmdline. Additionally,
> myabe this is helpful for security auditing purposes.
maybe
>
> Signed-off-by: Tao Chen <chen.dylane@xxxxxxxxx>
> ---
> kernel/bpf/helpers.c | 22 ++++++++++++++++++++++
> 1 file changed, 22 insertions(+)
>
> diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c
> index 865b0dae38d..7cac17d58d5 100644
> --- a/kernel/bpf/helpers.c
> +++ b/kernel/bpf/helpers.c
> @@ -2685,6 +2685,27 @@ __bpf_kfunc struct task_struct *bpf_task_from_pid(s32 pid)
> return p;
> }
>
> +/*
> + * bpf_get_task_cmdline - Get the cmdline to a buffer
> + *
> + * @task: The task whose cmdline to get.
> + * @buffer: The buffer to save cmdline info.
> + * @len: The length of the buffer.
> + *
> + * Return: the size of the cmdline field copied. Note that the copy does
> + * not guarantee an ending NULL byte. A negative error code on failure.
> + */
> +__bpf_kfunc int bpf_get_task_cmdline(struct task_struct *task, char *buffer, size_t len)
'size_t len' doesn't make the verifier track the size of the buffer.
while 'char *buffer' tells the verifier to check that _one_ byte is available.
So this is buggy.
In general the kfunc seems useful, but selftest in patch 2 is just bad
+ ret = bpf_get_task_cmdline(task, buf, sizeof(buf));
+ if (ret < 0)
+ err = 1;
+
+ return 0;
+}
it's not testing much.
Also you must explain the true motivation for the kfunc.
"maybe helpful for security" is too vague.
Do you have a proprietary bpf-lsm that needs it?
What is the exact use case?
pw-bot: cr