Re: [RFC PATCH 08/20] bpf: Add Landlock ruleset map type

From: Song Liu

Date: Thu Apr 16 2026 - 19:50:14 EST


On Thu, Apr 16, 2026 at 2:53 PM Justin Suess <utilityemal77@xxxxxxxxx> wrote:
[...]
> I don't think we can pass the FD number via a map, since the FD is
> process specific. And it needs to be done in a way where we can lookup
> the specific ruleset the FD points to safely.
>
> So we'd need some other way to load the ruleset from a file descriptor,
> either through a new userspace side BPF call or similar mechanism.
>
> Is there some other common pattern for FDs --> kptr I can follow?

I didn't find an exact example like this. There must be a way to achieve
this. In the worst case, we can add a kfunc for this.

> Basically the pattern I need is userspace must create the file
> descriptor, BPF converts that FD into a refcounted kernel object, and
> even if userspace closes the FD BPF needs to hold a reference on the
> underlying ruleset structure.
>
> (In this patch this was accomplished through the map_ops)
>
> Let me know what you think, Song. I do understand the benefit of having a
> __kptr instead, the refcounting is all there, and it would allow storing
> rulesets in multiple map types. (and one less map type to maintain).

A new type of map for each FD-referenced kernel type is a non-starter.
It is impossible to add UAPI for a specific use case.

Thanks,
Song

> Mickaël, do you have any thoughts on this? I have v2 basically ready,
> although it uses the BPF_MAP_TYPE_LANDLOCK_RULESET it changes a lot on
> the Landlock side.
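The two designs contrasted in the quoted text, as an added illustration that is not part of this thread and not Landlock or BPF kernel code: a small userspace C model of a per-process fd table and a refcounted object. It shows why a raw fd number stored in a map cannot safely name a ruleset (the number is process-specific and is reused as soon as it is closed), and how an fd-to-referenced-pointer helper in the style of a kfunc keeps the object alive after userspace closes the fd. All names here (`ruleset_from_fd`, `ruleset_release`, `create_ruleset_fd`, the pool and table sizes) are assumptions of the model, not kernel APIs; the object pool is reused on free to stand in for the allocator.

```c
#include <stdio.h>
#include <string.h>

#define MAX_FDS   8
#define POOL_SIZE 8

/* Model of a refcounted kernel object (stand-in for a Landlock ruleset).
 * refcount 0 means "not allocated / already freed"; the kernel would kfree(). */
struct ruleset {
    int refcount;
    int id;          /* model-only: identifies which ruleset this is */
};

static struct ruleset pool[POOL_SIZE];            /* model allocator */
static struct ruleset *fd_table[MAX_FDS];         /* model per-process fd table */
static int next_id = 1;

static void reset_model(void)
{
    memset(pool, 0, sizeof pool);
    memset(fd_table, 0, sizeof fd_table);
    next_id = 1;
}

static void ruleset_get(struct ruleset *r) { r->refcount++; }

static void ruleset_put(struct ruleset *r)
{
    if (--r->refcount == 0)
        r->id = 0;   /* last reference gone: object is dead, slot reusable */
}

/* Model of creating a ruleset: allocate, install an fd owning one reference. */
static int create_ruleset_fd(void)
{
    struct ruleset *r = NULL;
    int fd;
    for (int i = 0; i < POOL_SIZE && !r; i++)
        if (pool[i].refcount == 0) r = &pool[i];
    if (!r) return -1;
    for (fd = 0; fd < MAX_FDS && fd_table[fd]; fd++) ;
    if (fd == MAX_FDS) return -1;
    r->refcount = 1;           /* this reference belongs to the fd */
    r->id = next_id++;
    fd_table[fd] = r;
    return fd;                 /* lowest free number, like a real fd table */
}

static int close_fd(int fd)
{
    if (fd < 0 || fd >= MAX_FDS || !fd_table[fd]) return -1;
    struct ruleset *r = fd_table[fd];
    fd_table[fd] = NULL;       /* the number is now free for reuse */
    ruleset_put(r);
    return 0;
}

/* Hypothetical kfunc-style helper: resolve an fd to a referenced pointer.
 * The caller owns the new reference and must drop it with ruleset_release(). */
static struct ruleset *ruleset_from_fd(int fd)
{
    if (fd < 0 || fd >= MAX_FDS || !fd_table[fd]) return NULL;
    ruleset_get(fd_table[fd]);
    return fd_table[fd];
}

static void ruleset_release(struct ruleset *r) { ruleset_put(r); }

/* Design A: keep the raw fd number in a map and resolve it later.
 * Returns 1 when the late lookup names a different ruleset than intended. */
static int demo_raw_fd_is_unsafe(void)
{
    reset_model();
    int fd = create_ruleset_fd();
    int stored_fd = fd;                          /* the "map value" */
    int intended_id = fd_table[fd]->id;
    close_fd(fd);                                /* userspace closes it... */
    int fd2 = create_ruleset_fd();               /* ...and the number is reused */
    struct ruleset *late = fd_table[stored_fd];
    return fd2 == stored_fd && late && late->id != intended_id;
}

/* Design B: convert the fd to a referenced pointer up front.
 * Returns 1 when the object survives close() and dies only on release. */
static int demo_kptr_survives_close(void)
{
    reset_model();
    int fd = create_ruleset_fd();
    int intended_id = fd_table[fd]->id;
    struct ruleset *kptr = ruleset_from_fd(fd);  /* refcount 2 */
    close_fd(fd);                                /* refcount 1, still alive */
    int ok = kptr->refcount == 1 && kptr->id == intended_id;
    int fd2 = create_ruleset_fd();               /* same number, other object */
    ok = ok && fd_table[fd2] != kptr;
    ruleset_release(kptr);                       /* refcount 0: now freed */
    return ok && kptr->refcount == 0;
}

int main(void)
{
    printf("raw fd number confused after reuse: %d\n", demo_raw_fd_is_unsafe());
    printf("referenced pointer survives close:  %d\n", demo_kptr_survives_close());
    return 0;
}
```

The point the model makes concrete is the one in the quoted text: an fd number is only meaningful inside the process that owns it and only until it is closed, so the conversion to a referenced kernel pointer has to happen while the fd is still valid, with the BPF side holding its own reference from then on.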