Re: [PATCH v3 4/9] lsm: framework for BPF integrity verification
From: Song Liu
Date: Fri Mar 27 2026 - 12:47:20 EST
On Wed, Mar 25, 2026 at 11:07 PM Blaise Boscaccy
<bboscaccy@xxxxxxxxxxxxxxxxxxx> wrote:
[...]
> The first new callback, bpf_prog_load_integrity(), located within the
> security_bpf_prog_load() hook, is necessary to ensure that the integrity
> verification callbacks are executed before any of the existing LSMs
> are executed via the bpf_prog_load() callback. Reusing the existing
> bpf_prog_load() callback for integrity verification could result in LSMs
> not having access to the integrity verification results when asked to
> authorize the BPF program load in the bpf_prog_load() callback.
>
> The new LSM hook, security_bpf_prog_load_post_integrity(), is intended
> to be called from within LSMs performing BPF program integrity
> verification. It is used to report the verdict of the integrity
> verification to other LSMs enforcing access control policy on BPF
> program loads. LSMs enforcing such access controls should register a
> bpf_prog_load_post_integrity() callback to receive integrity verdicts.
bpf_prog_load_post_integrity() is weird. Some questions about it:
1. Is it possible to call it from other LSMs (not hornet)? Specifically, is it
possible to call it from BPF LSM?
2. This set does not include any LSMs that attach functions to
bpf_prog_load_post_integrity. This is against the new LSM hook policy.
I guess the plan is to add LSM users in follow up patches? Could you
please include at least some of such code in this patchset? This will
help folks understand the use case.
Thanks,
Song
[...]
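As an added illustration of the ordering argument in the quoted cover text (this is not code from the patch set and not kernel code; it is a small user-space model written for this page), the program below registers an access-control LSM ahead of an integrity LSM and compares the two designs: a dedicated bpf_prog_load_integrity() phase that runs before any bpf_prog_load() callback, versus reusing bpf_prog_load() for the integrity check. Only the callback and hook names come from the mail; the struct layout, the verdict enum, the fail-closed policy, the toy XOR "signature" and the sample programs are all assumptions made for the example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of the hook ordering discussed in the mail. Names of the
 * three callbacks mirror the mail; every signature and type here is assumed. */
enum verdict { VERDICT_UNKNOWN = 0, VERDICT_PASS, VERDICT_FAIL };

struct bpf_prog_req {
	const char *name;
	const uint8_t *insns;
	size_t len;
	uint8_t expected_sum;	/* toy stand-in for a signature over insns */
};

struct lsm {
	const char *name;
	/* phase 1 of security_bpf_prog_load(): runs before any policy callback */
	int (*bpf_prog_load_integrity)(struct lsm *self, const struct bpf_prog_req *req);
	/* receives verdicts broadcast via security_bpf_prog_load_post_integrity() */
	void (*bpf_prog_load_post_integrity)(struct lsm *self, const struct bpf_prog_req *req, enum verdict v);
	/* ordinary access-control decision on the load */
	int (*bpf_prog_load)(struct lsm *self, const struct bpf_prog_req *req);
	enum verdict seen;		/* last verdict delivered to this LSM */
	enum verdict decided_with;	/* verdict in hand when bpf_prog_load() ran */
};

#define MAX_LSMS 4
static struct lsm *lsm_list[MAX_LSMS];
static int nr_lsms;

static void lsm_register(struct lsm *l)
{
	l->seen = l->decided_with = VERDICT_UNKNOWN;
	lsm_list[nr_lsms++] = l;
}

/* Called by an integrity LSM to report its verdict to every registered LSM. */
static void security_bpf_prog_load_post_integrity(const struct bpf_prog_req *req, enum verdict v)
{
	for (int i = 0; i < nr_lsms; i++)
		if (lsm_list[i]->bpf_prog_load_post_integrity)
			lsm_list[i]->bpf_prog_load_post_integrity(lsm_list[i], req, v);
}

/* Two-phase hook: all integrity callbacks first, then all policy callbacks. */
static int security_bpf_prog_load(const struct bpf_prog_req *req)
{
	int rc;

	for (int i = 0; i < nr_lsms; i++)
		if (lsm_list[i]->bpf_prog_load_integrity &&
		    (rc = lsm_list[i]->bpf_prog_load_integrity(lsm_list[i], req)))
			return rc;
	for (int i = 0; i < nr_lsms; i++)
		if (lsm_list[i]->bpf_prog_load &&
		    (rc = lsm_list[i]->bpf_prog_load(lsm_list[i], req)))
			return rc;
	return 0;
}

/* Toy integrity check: XOR of all instruction bytes must match expected_sum. */
static enum verdict verify_image(const struct bpf_prog_req *req)
{
	uint8_t sum = 0;
	for (size_t i = 0; i < req->len; i++)
		sum ^= req->insns[i];
	return sum == req->expected_sum ? VERDICT_PASS : VERDICT_FAIL;
}

/* Integrity LSM: verifies, broadcasts the verdict, leaves enforcement to policy. */
static int integrity_lsm_check(struct lsm *self, const struct bpf_prog_req *req)
{
	(void)self;
	security_bpf_prog_load_post_integrity(req, verify_image(req));
	return 0;
}

static void policy_lsm_record(struct lsm *self, const struct bpf_prog_req *req, enum verdict v)
{
	(void)req;
	self->seen = v;
}

/* Policy LSM, fail closed: deny unless an integrity LSM explicitly reported PASS. */
static int policy_lsm_decide(struct lsm *self, const struct bpf_prog_req *req)
{
	(void)req;
	self->decided_with = self->seen;
	return self->seen == VERDICT_PASS ? 0 : -EACCES;
}

static struct lsm policy_lsm = { .name = "policy",
	.bpf_prog_load_post_integrity = policy_lsm_record, .bpf_prog_load = policy_lsm_decide };
static struct lsm integrity_lsm = { .name = "integrity",
	.bpf_prog_load_integrity = integrity_lsm_check };
/* The design the mail argues against: integrity work done from bpf_prog_load(). */
static struct lsm integrity_lsm_in_load = { .name = "integrity-in-load",
	.bpf_prog_load = integrity_lsm_check };

/* Constructed samples: 4-byte "programs"; XOR of the good one is 0x0f. */
static const uint8_t good_insns[] = { 0x01, 0x02, 0x04, 0x08 };
static const uint8_t bad_insns[]  = { 0x01, 0x02, 0x04, 0x09 };
static const struct bpf_prog_req good_req = { "good", good_insns, sizeof good_insns, 0x0f };
static const struct bpf_prog_req bad_req  = { "tampered", bad_insns, sizeof bad_insns, 0x0f };

/* Policy LSM is registered first; two_phase selects the dedicated callback. */
int load_program(const struct bpf_prog_req *req, int two_phase)
{
	nr_lsms = 0;
	lsm_register(&policy_lsm);
	lsm_register(two_phase ? &integrity_lsm : &integrity_lsm_in_load);
	return security_bpf_prog_load(req);
}

/* Verdict the policy LSM actually had when it made its decision. */
enum verdict last_decision_verdict(void)
{
	return policy_lsm.decided_with;
}

int main(void)
{
	static const char *names[] = { "UNKNOWN", "PASS", "FAIL" };
	printf("two-phase  good:     rc=%d verdict=%s\n", load_program(&good_req, 1), names[last_decision_verdict()]);
	printf("two-phase  tampered: rc=%d verdict=%s\n", load_program(&bad_req, 1), names[last_decision_verdict()]);
	printf("reuse-hook good:     rc=%d verdict=%s\n", load_program(&good_req, 0), names[last_decision_verdict()]);
	return 0;
}
```

With the dedicated integrity phase the policy LSM sees PASS or FAIL regardless of registration order; when verification is folded into bpf_prog_load(), a policy LSM registered earlier decides with no verdict at all, so a fail-closed policy rejects a valid program and a fail-open one would admit an unverified one. Registering the integrity LSM first would hide the problem in this model, which is exactly why relying on hook order is fragile.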