Re: [PATCH v3 4/9] lsm: framework for BPF integrity verification

From: Blaise Boscaccy

Date: Fri Mar 27 2026 - 14:00:27 EST


Song Liu <song@xxxxxxxxxx> writes:

> On Wed, Mar 25, 2026 at 11:07 PM Blaise Boscaccy
> <bboscaccy@xxxxxxxxxxxxxxxxxxx> wrote:
> [...]
>> The first new callback, bpf_prog_load_integrity(), located within the
>> security_bpf_prog_load() hook, is necessary to ensure that the integrity
>> verification callbacks are executed before any of the existing LSMs
>> are executed via the bpf_prog_load() callback. Reusing the existing
>> bpf_prog_load() callback for integrity verification could result in LSMs
>> not having access to the integrity verification results when asked to
>> authorize the BPF program load in the bpf_prog_load() callback.
>>
>> The new LSM hook, security_bpf_prog_load_post_integrity(), is intended
>> to be called from within LSMs performing BPF program integrity
>> verification. It is used to report the verdict of the integrity
>> verification to other LSMs enforcing access control policy on BPF
>> program loads. LSMs enforcing such access controls should register a
>> bpf_prog_load_post_integrity() callback to receive integrity verdicts.
>
> bpf_prog_load_post_integrity() is weird. Some questions about it:
>
> 1. Is it possible to call it from other LSMs (not hornet)? Specifically, is it
> possible to call it from BPF LSM?

There is nothing hornet exclusive about that security hook. If the BPF
LSM folks wanted to use it they would probably need to implement a
kfunc to invoke it.

> 2. This set does not include any LSMs that attach functions to
> bpf_prog_load_post_integrity. This is against the new LSM hook policy.
> I guess the plan is to add LSM users in follow up patches? Could you
> please include at least some of such code in this patchset? This will
> help folks understand the use case.
>

Sure thing. I will be sending out a v4 with additional patches that have
a concrete user of bpf_prog_load_post_integrity.

> Thanks,
> Song
>
> [...]
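The ordering argument in the quoted patch description (integrity callbacks must run inside security_bpf_prog_load() before the existing bpf_prog_load() callbacks, and the verdict reaches policy LSMs through security_bpf_prog_load_post_integrity()) can be modelled in user space. The following is an added example, not code from the patch, from hornet, or from the kernel: the hook names are the thread's, but the struct layout, the callback tables, the "policy LSM", the FNV-1a checksum standing in for a signature, and the sample bytes are all assumptions made for illustration. It also shows the alternative the text argues against, where integrity verification is just another bpf_prog_load() callback and the policy LSM happens to run first.

```c
#include <stddef.h>
#include <stdint.h>
#include <errno.h>
#include <stdio.h>

enum verdict { VERDICT_UNKNOWN = 0, VERDICT_VERIFIED, VERDICT_UNVERIFIED };

/* Stand-in for struct bpf_prog plus the policy LSM's per-program blob (assumption). */
struct prog {
    const uint8_t *insns;
    size_t len;
    uint32_t sig;             /* toy "signature": FNV-1a of insns, not a real signature */
    enum verdict policy_blob; /* what the policy LSM learned from post_integrity */
};

static uint32_t fnv1a(const uint8_t *p, size_t n)
{
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}

typedef int  (*load_cb)(struct prog *);
typedef void (*post_integrity_cb)(struct prog *, enum verdict);

static void security_bpf_prog_load_post_integrity(struct prog *p, enum verdict v);

/* Integrity LSM, modelled on the thread's description (not hornet's code). */
static int integrity_lsm_check(struct prog *p)
{
    enum verdict v = fnv1a(p->insns, p->len) == p->sig ? VERDICT_VERIFIED
                                                        : VERDICT_UNVERIFIED;
    security_bpf_prog_load_post_integrity(p, v); /* report, do not decide */
    return 0;
}

/* Policy LSM: records the verdict, then allows only verified programs. */
static void policy_lsm_post_integrity(struct prog *p, enum verdict v) { p->policy_blob = v; }

static int policy_lsm_prog_load(struct prog *p)
{
    return p->policy_blob == VERDICT_VERIFIED ? 0 : -EACCES;
}

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Hook tables (assumption: a fixed registration order). */
static const load_cb integrity_cbs[] = { integrity_lsm_check };
static const post_integrity_cb post_integrity_cbs[] = { policy_lsm_post_integrity };
static const load_cb prog_load_cbs[] = { policy_lsm_prog_load };

static void security_bpf_prog_load_post_integrity(struct prog *p, enum verdict v)
{
    for (size_t i = 0; i < ARRAY_SIZE(post_integrity_cbs); i++)
        post_integrity_cbs[i](p, v);
}

/* Layout from the patch: every integrity callback runs before any bpf_prog_load callback. */
int security_bpf_prog_load(struct prog *p)
{
    p->policy_blob = VERDICT_UNKNOWN;
    for (size_t i = 0; i < ARRAY_SIZE(integrity_cbs); i++) {
        int ret = integrity_cbs[i](p);
        if (ret) return ret;
    }
    for (size_t i = 0; i < ARRAY_SIZE(prog_load_cbs); i++) {
        int ret = prog_load_cbs[i](p);
        if (ret) return ret;
    }
    return 0;
}

/* Alternative the patch argues against: integrity as an ordinary bpf_prog_load
 * callback. Order now depends on LSM registration; here policy runs first and
 * never sees a verdict, so even a correctly signed program is refused. */
static const load_cb reused_cbs[] = { policy_lsm_prog_load, integrity_lsm_check };

int security_bpf_prog_load_reused(struct prog *p)
{
    p->policy_blob = VERDICT_UNKNOWN;
    for (size_t i = 0; i < ARRAY_SIZE(reused_cbs); i++) {
        int ret = reused_cbs[i](p);
        if (ret) return ret;
    }
    return 0;
}

/* Constructed sample bytes shaped like "r0 = 0; exit"; only their checksum matters here. */
static const uint8_t sample_insns[] = { 0xb7, 0, 0, 0, 0, 0, 0, 0, 0x95, 0, 0, 0, 0, 0, 0, 0 };

struct prog make_prog(int tampered)
{
    struct prog p = { sample_insns, sizeof(sample_insns), 0, VERDICT_UNKNOWN };
    p.sig = fnv1a(sample_insns, sizeof(sample_insns));
    if (tampered) p.sig ^= 1; /* signature no longer matches the bytes */
    return p;
}

int main(void)
{
    struct prog good = make_prog(0), bad = make_prog(1), good2 = make_prog(0);
    printf("separate hook: good=%d bad=%d\n",
           security_bpf_prog_load(&good), security_bpf_prog_load(&bad));
    printf("reused bpf_prog_load: good=%d\n", security_bpf_prog_load_reused(&good2));
    return 0;
}
```

In the first layout the policy LSM sees a verdict for both programs and only the tampered one is refused; in the reused layout the policy LSM runs with `policy_blob` still `VERDICT_UNKNOWN` and refuses the valid program too, which is the failure the patch description warns about.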