Re: [PATCH] Add LoadPin support for eBPF program loading

Next message: Sebastian Ene: "Re: [PATCH v6 5/6] KVM: arm64: Validate the offset to the mem access descriptor"
Previous message: Christian Brauner: "[GIT PULL 11/16 for v7.2] vfs bh"
In reply to: David Windsor: "Re: [PATCH] Add LoadPin support for eBPF program loading"
Next in thread: Alex Roberts: "Re: [PATCH] Add LoadPin support for eBPF program loading"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Alexei Starovoitov

Date: Fri Jun 12 2026 - 11:20:50 EST

On Thu, Jun 11, 2026 at 5:08 PM David Windsor <dwindsor@xxxxxxxxx> wrote:
>
> On Thu, Jun 11, 2026 at 01:59:10PM -0500, Alex Roberts wrote:
> > +static int loadpin_bpf_prog_load(struct bpf_prog *prog, union bpf_attr *attr,
> > + struct bpf_token *token, bool is_kernel)
> > +{
> > + int res = 0;
> > + struct file *exe_file = NULL;
> > + struct mm_struct *mm = current->mm;
> > +
> > + if (is_kernel || !mm)
> > + return 0;
> > +
> > + exe_file = get_mm_exe_file(mm);
> > + if (!exe_file)
> > + return 0;
> > +
> > + res = loadpin_check(exe_file, READING_EBPF);
>
> Why are we checking current here? IIUC this will be whoever calls
> bpf(2), which would be the loader, which would then be able to load bpf
> programs from an untrusted source.
>
> In the kmod case loadpin_check() sees the .ko itself.

See sashiko comments:
- [High] The LoadPin eBPF trust mechanism can be trivially bypassed
using standard system interpreters like the dynamic linker (`ld.so`).
- [High] The LoadPin eBPF trust mechanism can be bypassed by a
privileged attacker using prctl(PR_SET_MM_EXE_FILE).

and the bot is correct.
This patch is pointless.