Re: [RFC PATCH 08/20] bpf: Add Landlock ruleset map type
From: Song Liu
Date: Fri Apr 17 2026 - 12:02:38 EST
On Fri, Apr 17, 2026 at 7:09 AM Justin Suess <utilityemal77@xxxxxxxxx> wrote:
>
> On Thu, Apr 16, 2026 at 04:47:40PM -0700, Song Liu wrote:
> > On Thu, Apr 16, 2026 at 2:53 PM Justin Suess <utilityemal77@xxxxxxxxx> wrote:
> > [...]
> > > I don't think we can pass the FD number via a map, since the FD is
> > > process specific. And it needs to be done in a way where we can lookup
> > > the specific ruleset the FD points to safely.
> > >
> > > So we'd need some other way to load the ruleset from a file descriptor,
> > > either through a new userspace side BPF call or similar mechanism.
> > >
> > > Is there some other common pattern for FDs --> kptr I can follow?
> >
> > I didn't find an exact example like this. There must be a way to achieve
> > this. In the worst case, we can add a kfunc for this.
> >
>
> I think a new kfunc is a doable approach. I could make a kfunc taking a struct
> task_struct * and an FD that looks up a landlock ruleset within a given
> task and returns a trusted kptr.
>
> Something like:
>
> struct bpf_landlock_ruleset *bpf_landlock_get_ruleset_from_fd(struct task_struct *task, int fd)
>
> And tagging it with KF_ACQUIRE + KF_RET_NULL.
>
> Then keep the existing kfunc for putting the ruleset and enforcing it on
> a struct linux_binprm.
>
> The BPF program would need to get a reference to a task struct
> of the program creating the rulesets with bpf_task_from_pid for
> instance. Then they could use the task_struct with another plain integer
> map to store FD numbers and then use the rulesets or store them in a map
> of __kptr objects for later usage.
>
> Would this be more acceptable?
Maybe we don't need bpf_task_from_pid(), as we only need to work
with current task?
I will need to read the landlock code more to give a better recommendation
on this.
Thanks,
Song