Use bpf-helper `bpf_d_path()` when available
Closed this issue · 1 comments
MatteoNardi commented
The bpf-helper `bpf_d_path`, available since kernel 5.10, would be a better alternative to our path extraction code, as it would remove the MAX_COMPONENTS limitation.
It only works with BTF enabled eBPF programs (kfuncs would be ok, kprobes would not) and a subset of LSM hooks.
See https://github.com/torvalds/linux/blob/76f598ba7d8e2bfb4855b5298caedd5af0c374a8/kernel/trace/bpf_trace.c#L936-L947
We should research if we can make use of it.
MatteoNardi commented
The set of "sleepable" LSM hook points is quite limited. In particular it doesn't contain the `CONFIG_SECURITY_PATH` hooks we use.
Even for kfuncs it's limited to the whitelisted list.
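The MAX_COMPONENTS limitation mentioned in the first comment, shown as a user-space C model added here; it is not the project's code and not eBPF. The `struct dentry` stand-in, the `build_path` helper, the sample path and the value 4 for `MAX_COMPONENTS` are all assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_COMPONENTS 4 /* assumed demo value, not the project's */

/* Toy stand-in for the kernel's dentry chain; the root is its own parent. */
struct dentry { const char *name; const struct dentry *parent; };

/* Prepend "/name" in front of buf[*pos], filling right to left like d_path. */
static int prepend(char *buf, size_t *pos, const char *name) {
    size_t n = strlen(name);
    if (*pos < n + 1) return -1;
    *pos -= n;
    memcpy(buf + *pos, name, n);
    buf[--*pos] = '/';
    return 0;
}

/* Walk leaf-to-root, visiting at most `limit` components (limit < 0: no bound).
 * Returns 1 if the root was reached, 0 if truncated, -1 if a buffer is too small. */
int build_path(const struct dentry *d, int limit, char *out, size_t len) {
    char buf[256];
    size_t pos = sizeof(buf) - 1;
    buf[pos] = '\0';
    for (int i = 0; d->parent != d; d = d->parent, i++) {
        if (limit >= 0 && i >= limit) break;   /* bounded loop gives up here */
        if (prepend(buf, &pos, d->name) < 0) return -1;
    }
    if (buf[pos] == '\0') buf[--pos] = '/';    /* nothing was prepended */
    if (strlen(buf + pos) + 1 > len) return -1;
    strcpy(out, buf + pos);
    return d->parent == d;
}

/* Constructed sample: /a/b/c/d/e/f.txt (six components). */
static const struct dentry root = { "/", &root };
static const struct dentry a = { "a", &root }, b = { "b", &a }, c = { "c", &b },
    d4 = { "d", &c }, e = { "e", &d4 }, leaf = { "f.txt", &e };

const struct dentry *sample_leaf(void) { return &leaf; }

int main(void) {
    char p[64];
    int ok = build_path(&leaf, MAX_COMPONENTS, p, sizeof p);
    printf("bounded:   %s (complete=%d)\n", p, ok);
    ok = build_path(&leaf, -1, p, sizeof p);
    printf("unbounded: %s (complete=%d)\n", p, ok);
    return 0;
}
```

The truncated result still looks like a valid absolute path, so any rule matching on path prefixes needs the completeness flag to tell the two apart.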