exein-io / pulsar

A modular and blazing fast runtime security tool for the IoT, powered by eBPF.
https://pulsar.sh

Use bpf-helper `bpf_d_path()` when available #170

Closed MatteoNardi closed 1 year ago

MatteoNardi commented 1 year ago

The bpf-helper bpf_d_path, available since kernel 5.10, would be a better alternative to our path extraction code, as it would remove the MAX_COMPONENTS limitation.

It only works with BTF-enabled eBPF programs (kfuncs would be ok, kprobes would not) and a subset of LSM hooks. See https://github.com/torvalds/linux/blob/76f598ba7d8e2bfb4855b5298caedd5af0c374a8/kernel/trace/bpf_trace.c#L936-L947

We should research if we can make use of it.

MatteoNardi commented 1 year ago

The set of "sleepable" LSM hook points is quite limited. In particular, it doesn't contain the CONFIG_SECURITY_PATH hooks we use.

Even for kfuncs it's limited to the whitelisted list.