Documentation/bpf: Add documentation for filesystem kfuncs

Add a brief introduction for file system kfuncs: bpf_get_file_xattr() bpf_get_fsverity_digest() The documentation highlights the strategy to avoid recursions of these kfuncs. Signed-off-by: Song Liu <song@kernel.org> Link: https://lore.kernel.org/r/20231129234417.856536-4-song@kernel.org Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2025-10-31 08:44:41 +00:00 · 2023-11-29 15:44:14 -08:00 · 2023-11-29 15:44:14 -08:00 · 0de267d9ec
commit 0de267d9ec
parent 67814c00de
2 changed files with 22 additions and 0 deletions
--- a/Documentation/bpf/fs_kfuncs.rst
+++ b/Documentation/bpf/fs_kfuncs.rst
@ -0,0 +1,21 @@
+.. SPDX-License-Identifier: GPL-2.0
+
+.. _fs_kfuncs-header-label:
+
+=====================
+BPF filesystem kfuncs
+=====================
+
+BPF LSM programs need to access filesystem data from LSM hooks. The following
+BPF kfuncs can be used to get these data.
+
+ * ``bpf_get_file_xattr()``
+
+ * ``bpf_get_fsverity_digest()``
+
+To avoid recursions, these kfuncs follow the following rules:
+
+1. These kfuncs are only permitted from BPF LSM function.
+2. These kfuncs should not call into other LSM hooks, i.e. security_*(). For
+   example, ``bpf_get_file_xattr()`` does not use ``vfs_getxattr()``, because
+   the latter calls LSM hook ``security_inode_getxattr``.
--- a/Documentation/bpf/index.rst
+++ b/Documentation/bpf/index.rst
@ -21,6 +21,7 @@ that goes into great technical depth about the BPF Architecture.
   helpers
   kfuncs
   cpumasks
+   fs_kfuncs
   programs
   maps
   bpf_prog_run