Re: [PATCH] bpf: have bpf_real_inode() take a struct file

From: Christian Brauner

Date: Tue Jun 23 2026 - 04:44:48 EST

On 2026-06-22 19:15 +0200, Amir Goldstein wrote:
> On Mon, Jun 22, 2026 at 3:58 PM Christian Brauner <brauner@xxxxxxxxxx> wrote:
> >
> > bpf_real_inode() must be usable from the bprm_check_security, mmap_file
> > and file_mprotect hooks for systemd's RestrictFilesystemAccess BPF LSM
> > program. It should take a file instead. The kfunc landed this cycle so
> > changing the signature is safe.
> >
> > Fixes: 9af8c8a54f6e ("bpf: add bpf_real_inode() kfunc")
> > Signed-off-by: Christian Brauner (Amutable) <brauner@xxxxxxxxxx>
> > ---
> > fs/bpf_fs_kfuncs.c | 14 +++++++-------
> > 1 file changed, 7 insertions(+), 7 deletions(-)
> >
> > diff --git a/fs/bpf_fs_kfuncs.c b/fs/bpf_fs_kfuncs.c
> > index 768aca2dc0f0..f941c29d26ef 100644
> > --- a/fs/bpf_fs_kfuncs.c
> > +++ b/fs/bpf_fs_kfuncs.c
> > @@ -360,18 +360,18 @@ __bpf_kfunc int bpf_cgroup_read_xattr(struct cgroup *cgroup, const char *name__s
> > #endif /* CONFIG_CGROUPS */
> >
> > /**
> > - * bpf_real_inode - get the real inode backing a dentry
> > - * @dentry: dentry to resolve
> > + * bpf_real_inode - get the real inode backing a file
> > + * @file: file to resolve
> > *
> > - * If the dentry is on a union/overlay filesystem, return the underlying, real
> > + * If the file is on a union/overlay filesystem, return the underlying, real
> > * inode that hosts the data. Otherwise return the inode attached to the
> > - * dentry itself.
> > + * file itself.
> > *
> > - * Return: The real inode backing the dentry, or NULL for a negative dentry.
> > + * Return: The real inode backing the file, or NULL.
> > */
> > -__bpf_kfunc struct inode *bpf_real_inode(struct dentry *dentry)
> > +__bpf_kfunc struct inode *bpf_real_inode(struct file *file)
> > {
> > - return d_real_inode(dentry);
> > + return d_real_inode(file_dentry(file));
> > }
>
> The problem with this API is that for special files it is a bit ambiguous
> to say "the real inode backing the file".
> Is it d_real_inode(file_dentry(file))? or is it file_inode(file)?
> The old API avoided this question.
> BTW, did you notice that for non-regular files, this helper returns
> the overlayfs inode?

Yes. Very aware.

> This may be important information to document when exporting a kfunc.

Ok.

> If you take my suggestion from the previous round to name the kfunc
> bpf_real_data_inode(struct file *file)
> the intention becomes a little (bit) less ambiguous. huh?

I don't remember that suggestion. Maybe I missed this. I like it!
Let me send a new version.