On Sun, Apr 3, 2022 at 5:42 PM KP Singh <kpsingh@xxxxxxxxxx> wrote:
>
> On Sat, Apr 2, 2022 at 1:55 AM Alexei Starovoitov
> <alexei.starovoitov@xxxxxxxxx> wrote:
...
> >
> > > Pinning
> > > them to unreachable inodes intuitively looked the
> > > way to go for achieving the stated goal.
> >
> > We can consider inodes in bpffs that are not unlinkable by root
> > in the future, but certainly not for this use case.
>
> Can this not be already done by adding a BPF_LSM program to the
> inode_unlink LSM hook?
>

Also, besides the inode_unlink... and out of curiosity: making
sysfs/bpffs/ read-only after pinning, then using bpf LSM hooks
sb_mount|remount|unmount... family combining bpf() LSM hook... isn't
this enough to:
1. Restrict who can pin to bpffs without using a full MAC
2. Restrict who can delete or unmount bpf filesystem

?

--
https://djalal.opendz.org/