Re: [PATCH 1/2] bpf: classify block device hooks appropriately
From: Christian Brauner
Date: Mon Feb 23 2026 - 08:49:35 EST
On Fri, Feb 20, 2026 at 10:28:24AM -0800, Christoph Hellwig wrote:
> On Fri, Feb 20, 2026 at 06:48:48PM +0100, Christian Brauner wrote:
> > A bunch of new hooks for managing block devices were added a while ago
> > but they weren't actually appropriately classified.
>
> >
> > * bpf_lsm_bdev_alloc() is called when the inode for the block
> > device is allocated. This happens from a sleepable context so mark the
> > function as sleepable. When this function is called the memory for the
> > block device storage embedded into the inode is zeroed. That block
> > device cannot be meaningfully reference or interacted with at this
> > point. So mark it as untrusted for now.
> >
> > * bpf_lsm_bdev_free() is called when the inode for the block
> > device is freed. A bunch of memory associated with the block device
> > has already been freed and there's dangling pointers in there. So mark
> > it as untrusted. It cannot be meaningfully referenced or interacted
> > with anymore. It is also called from sb->s_op->free_inode:: which
> > means it runs in rcu context (most of the times). So leave it as
> > non-sleepable.
>
> How did this even get added? None of this should be of any business
> to LSM hooks :(
Fyi, it had nothing to do with bpf. That came as part of IPE about 2
years ago and gives that particular LSM the ability to track the
dm-verity status via the underlying block device so binary execution is
restricted to binaries from non-writable and dm-verity protected
filesystems (ignoring scripts for a second...).
This just appropriately classifies the hook for the verifier. It's the
same mechanism as security_alloc_*(). The fun part is though that while
the traditional LSM needs a pointer in struct block_device to allocate
storage for it a bpf lsm doesn't need that at all. It only needs the
hook itself and a hashmap. Or to say it more directly: this could've
always been a bpf lsm only without any additional in-kernel code for
this. But anyway, I'm using it.