[PATCH bpf 0/2] bpf: Gate dynptr probe-read kfuncs like helpers

[PATCH bpf 0/2] bpf: Gate dynptr probe-read kfuncs like helpers

[Nuoqi Gui]

The dynptr probe-read kfuncs are registered as common kfuncs. That lets a
program with the generic kfunc privilege gate call
bpf_probe_read_kernel_dynptr(), while the legacy bpf_probe_read_kernel()
helper is exposed only with CAP_PERFMON and is blocked by kernel-read
lockdown.

Gate the four nofault probe-read dynptr kfuncs with CAP_PERFMON, and apply
the existing LOCKDOWN_BPF_READ_KERNEL policy to the kernel-read dynptr
variants. Add focused selftests that expect CAP_BPF without CAP_PERFMON
to be insufficient for bpf_probe_read_user_dynptr(),
bpf_probe_read_kernel_dynptr(), bpf_probe_read_user_str_dynptr(), and
bpf_probe_read_kernel_str_dynptr().

Bounded impact:
- Requires privileged BPF program loading with CAP_BPF.
- No unprivileged trigger, arbitrary disclosure primitive, memory
  corruption, privilege escalation, CVE, embargo, or security escalation is
  claimed.

Validation:
- The focused dynptr selftest loader exercises the CAP_BPF-only program load
  boundary for bpf_probe_read_user_dynptr(),
  bpf_probe_read_kernel_dynptr(), bpf_probe_read_user_str_dynptr(), and
  bpf_probe_read_kernel_str_dynptr().
- Unpatched bpf at 8496d9020ff37 ("Merge branch 'arena_direct_access'"):
  FAIL as expected because all four programs still load with CAP_BPF and
  without CAP_PERFMON.
- Patched with this series: PASS because all four same programs are rejected
  with -EACCES when loaded with CAP_BPF and without CAP_PERFMON.

Fixes: a498ee7576de ("bpf: Implement dynptr copy kfuncs")

Signed-off-by: Nuoqi Gui <gnq25@mails.tsinghua.edu.cn>
---
Nuoqi Gui (2):
      bpf: Gate dynptr probe-read kfuncs like helpers
      selftests/bpf: Cover dynptr probe-read kfunc capability gate

 kernel/bpf/helpers.c                               | 32 +++++++++
 tools/testing/selftests/bpf/prog_tests/dynptr.c    | 66 +++++++++++++++++++
 tools/testing/selftests/bpf/progs/dynptr_success.c | 75 ++++++++++++++++++++++
 3 files changed, 173 insertions(+)
---
base-commit: 8496d9020ff37a33c2a7b2fc84350fd03ffbde78
change-id: 20260615-f01-07-dynptr-probe-read-cap-4dee7066bf5f

Best regards,
--  
Nuoqi Gui <gnq25@mails.tsinghua.edu.cn>

[PATCH bpf 1/2] bpf: Gate dynptr probe-read kfuncs like helpers

[Nuoqi Gui]

The bpf_probe_read_{user,kernel}{,_str}_dynptr() kfuncs provide
probe-read style nofault copies into dynptr-backed BPF memory. Their
legacy helper counterparts are exposed only to programs with CAP_PERFMON,
and the kernel-read helpers are additionally blocked by
LOCKDOWN_BPF_READ_KERNEL.

The dynptr kfuncs are registered in the common kfunc set, so the verifier
currently allows them with the generic kfunc privilege gate. Add a common
kfunc filter that mirrors the helper policy for these probe-read dynptr
kfuncs: require CAP_PERFMON for all four nofault probe-read variants and
apply the existing lockdown check to the kernel-read variants.

This preserves the existing dynptr copy implementation while aligning the
capability policy with the legacy probe-read helpers.

Fixes: a498ee7576de ("bpf: Implement dynptr copy kfuncs")
Signed-off-by: Nuoqi Gui <gnq25@mails.tsinghua.edu.cn>
---
 kernel/bpf/helpers.c | 32 ++++++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)

diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c
index 9ca195104667..fbef89196f85 100644
--- a/kernel/bpf/helpers.c
+++ b/kernel/bpf/helpers.c
@@ -4961,9 +4961,41 @@ BTF_ID_FLAGS(func, bpf_dynptr_file_discard)
 BTF_ID_FLAGS(func, bpf_timer_cancel_async)
 BTF_KFUNCS_END(common_btf_ids)
 
+#ifdef CONFIG_BPF_EVENTS
+BTF_KFUNCS_START(probe_read_dynptr_kfunc_ids)
+BTF_ID_FLAGS(func, bpf_probe_read_user_dynptr)
+BTF_ID_FLAGS(func, bpf_probe_read_kernel_dynptr)
+BTF_ID_FLAGS(func, bpf_probe_read_user_str_dynptr)
+BTF_ID_FLAGS(func, bpf_probe_read_kernel_str_dynptr)
+BTF_KFUNCS_END(probe_read_dynptr_kfunc_ids)
+
+BTF_KFUNCS_START(probe_read_kernel_dynptr_kfunc_ids)
+BTF_ID_FLAGS(func, bpf_probe_read_kernel_dynptr)
+BTF_ID_FLAGS(func, bpf_probe_read_kernel_str_dynptr)
+BTF_KFUNCS_END(probe_read_kernel_dynptr_kfunc_ids)
+#endif
+
+static int common_kfunc_filter(const struct bpf_prog *prog, u32 kfunc_id)
+{
+#ifdef CONFIG_BPF_EVENTS
+	if (!btf_id_set8_contains(&probe_read_dynptr_kfunc_ids, kfunc_id))
+		return 0;
+
+	if (!bpf_token_capable(prog->aux->token, CAP_PERFMON))
+		return -EACCES;
+
+	if (btf_id_set8_contains(&probe_read_kernel_dynptr_kfunc_ids, kfunc_id) &&
+	    security_locked_down(LOCKDOWN_BPF_READ_KERNEL) < 0)
+		return -EACCES;
+#endif
+
+	return 0;
+}
+
 static const struct btf_kfunc_id_set common_kfunc_set = {
 	.owner = THIS_MODULE,
 	.set   = &common_btf_ids,
+	.filter = common_kfunc_filter,
 };
 
 static int __init kfunc_init(void)

-- 
2.34.1

Re: [PATCH bpf 1/2] bpf: Gate dynptr probe-read kfuncs like helpers

[sashiko-bot]

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:

Pre-existing issues:
- [High] The patch fails to apply the CAP_PERFMON privilege check to the dynptr `copy_from_user` kfuncs (e.g., `bpf_copy_from_user_task_dynptr`), bypassing the security requirements enforced on cross-process memory reads.
--

commit 6b909427f5d275b8ba84a3cae17389eff1d7a985
Author: Nuoqi Gui <gnq25@mails.tsinghua.edu.cn>

bpf: Gate dynptr probe-read kfuncs like helpers

This patch adds a common kfunc filter that mirrors the helper policy for
probe-read dynptr kfuncs. It requires CAP_PERFMON for all four nofault
probe-read variants and applies the lockdown check to kernel-read variants.

> diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c
> index 9ca1951046679..fbef89196f851 100644
> --- a/kernel/bpf/helpers.c
> +++ b/kernel/bpf/helpers.c
> @@ -4961,9 +4961,41 @@ BTF_ID_FLAGS(func, bpf_dynptr_file_discard)
>  BTF_ID_FLAGS(func, bpf_timer_cancel_async)
>  BTF_KFUNCS_END(common_btf_ids)
>  
> +#ifdef CONFIG_BPF_EVENTS
> +BTF_KFUNCS_START(probe_read_dynptr_kfunc_ids)
> +BTF_ID_FLAGS(func, bpf_probe_read_user_dynptr)
> +BTF_ID_FLAGS(func, bpf_probe_read_kernel_dynptr)
> +BTF_ID_FLAGS(func, bpf_probe_read_user_str_dynptr)
> +BTF_ID_FLAGS(func, bpf_probe_read_kernel_str_dynptr)
> +BTF_KFUNCS_END(probe_read_dynptr_kfunc_ids)

[Severity: High]
This is a pre-existing issue, but shouldn't the copy_from_user dynptr kfuncs
(such as bpf_copy_from_user_task_dynptr and bpf_copy_from_user_task_str_dynptr)
also be included in this set?

Because they are missing from this set, they remain available to
BPF_PROG_TYPE_SYSCALL programs, which do not require CAP_PERFMON to load.

> +
> +BTF_KFUNCS_START(probe_read_kernel_dynptr_kfunc_ids)
> +BTF_ID_FLAGS(func, bpf_probe_read_kernel_dynptr)
> +BTF_ID_FLAGS(func, bpf_probe_read_kernel_str_dynptr)
> +BTF_KFUNCS_END(probe_read_kernel_dynptr_kfunc_ids)
> +#endif
> +
> +static int common_kfunc_filter(const struct bpf_prog *prog, u32 kfunc_id)
> +{
> +#ifdef CONFIG_BPF_EVENTS
> +	if (!btf_id_set8_contains(&probe_read_dynptr_kfunc_ids, kfunc_id))
> +		return 0;

[Severity: High]
This is a pre-existing issue, but does this explicit return leave the sleepable
cross-task memory read kfuncs completely unrestricted?

An attacker with only CAP_BPF could load a sleepable syscall program, obtain a
task reference using the bpf_task_from_pid() kfunc, and call
bpf_copy_from_user_task_dynptr() to read memory from any process on the system
(including root-owned processes).

This bypasses security requirements because access_process_vm() does not
internally enforce ptrace_may_access checks, relying entirely on the BPF
verifier's capability gates, which are skipped here.

> +
> +	if (!bpf_token_capable(prog->aux->token, CAP_PERFMON))
> +		return -EACCES;

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260615-f01-07-dynptr-probe-read-cap-v1-0-e626cd61a381@mails.tsinghua.edu.cn?part=1

[PATCH bpf 2/2] selftests/bpf: Cover dynptr probe-read kfunc capability gate

[Nuoqi Gui]

Add focused dynptr selftest programs that load socket-filter programs using
bpf_dynptr_from_mem() followed by each nofault probe-read dynptr kfunc:
bpf_probe_read_user_dynptr(), bpf_probe_read_kernel_dynptr(),
bpf_probe_read_user_str_dynptr(), and bpf_probe_read_kernel_str_dynptr().
Declare the dynptr kfuncs used by this BPF object locally in
dynptr_success.c so the dynptr BPF object builds with explicit prototypes.

The harness first verifies that the program loads with the caller's normal
capabilities. It then drops CAP_PERFMON and CAP_SYS_ADMIN while keeping
CAP_BPF effective and expects each same program load to fail with -EACCES.

This covers the policy boundary that these dynptr probe-read kfuncs should
not be callable with CAP_BPF alone.

Signed-off-by: Nuoqi Gui <gnq25@mails.tsinghua.edu.cn>
---
 tools/testing/selftests/bpf/prog_tests/dynptr.c    | 66 +++++++++++++++++++
 tools/testing/selftests/bpf/progs/dynptr_success.c | 75 ++++++++++++++++++++++
 2 files changed, 141 insertions(+)

diff --git a/tools/testing/selftests/bpf/prog_tests/dynptr.c b/tools/testing/selftests/bpf/prog_tests/dynptr.c
index 5fda11590708..5235b47e3342 100644
--- a/tools/testing/selftests/bpf/prog_tests/dynptr.c
+++ b/tools/testing/selftests/bpf/prog_tests/dynptr.c
@@ -3,6 +3,7 @@
 
 #include <test_progs.h>
 #include <network_helpers.h>
+#include "cap_helpers.h"
 #include "dynptr_fail.skel.h"
 #include "dynptr_success.skel.h"
 
@@ -53,8 +54,66 @@ static struct {
 	{"test_copy_from_user_task_str_dynptr", SETUP_SYSCALL_SLEEP},
 };
 
+static const char * const probe_read_cap_tests[] = {
+	"test_probe_read_user_dynptr_cap",
+	"test_probe_read_kernel_dynptr_cap",
+	"test_probe_read_user_str_dynptr_cap",
+	"test_probe_read_kernel_str_dynptr_cap",
+};
+
 #define PAGE_SIZE_64K 65536
 
+static int load_probe_read_cap_prog(const char *prog_name)
+{
+	struct bpf_program *prog, *tmp;
+	struct dynptr_success *skel;
+	int err;
+
+	skel = dynptr_success__open();
+	if (!ASSERT_OK_PTR(skel, "dynptr_success__open"))
+		return -EINVAL;
+
+	bpf_object__for_each_program(tmp, skel->obj)
+		bpf_program__set_autoload(tmp, false);
+
+	prog = bpf_object__find_program_by_name(skel->obj, prog_name);
+	if (!ASSERT_OK_PTR(prog, "bpf_object__find_program_by_name")) {
+		err = -ENOENT;
+		goto cleanup;
+	}
+
+	bpf_program__set_autoload(prog, true);
+	err = dynptr_success__load(skel);
+
+cleanup:
+	dynptr_success__destroy(skel);
+	return err;
+}
+
+static void verify_probe_read_cap(const char *prog_name)
+{
+	__u64 old_caps = 0;
+	int err;
+
+	err = load_probe_read_cap_prog(prog_name);
+	if (!ASSERT_OK(err, "full_caps_load"))
+		return;
+
+	err = cap_enable_effective(1ULL << CAP_BPF, &old_caps);
+	if (!ASSERT_OK(err, "enable_cap_bpf"))
+		return;
+
+	err = cap_disable_effective(1ULL << CAP_SYS_ADMIN | 1ULL << CAP_PERFMON, NULL);
+	if (!ASSERT_OK(err, "disable_cap_sys_admin_perfmon"))
+		goto restore_cap;
+
+	err = load_probe_read_cap_prog(prog_name);
+	ASSERT_EQ(err, -EACCES, "cap_bpf_without_perfmon_load");
+
+restore_cap:
+	cap_enable_effective(old_caps, NULL);
+}
+
 static void verify_success(const char *prog_name, enum test_setup_type setup_type)
 {
 	char user_data[384] = {[0 ... 382] = 'a', '\0'};
@@ -185,6 +244,13 @@ void test_dynptr(void)
 {
 	int i;
 
+	for (i = 0; i < ARRAY_SIZE(probe_read_cap_tests); i++) {
+		if (!test__start_subtest(probe_read_cap_tests[i]))
+			continue;
+
+		verify_probe_read_cap(probe_read_cap_tests[i]);
+	}
+
 	for (i = 0; i < ARRAY_SIZE(success_tests); i++) {
 		if (!test__start_subtest(success_tests[i].prog_name))
 			continue;
diff --git a/tools/testing/selftests/bpf/progs/dynptr_success.c b/tools/testing/selftests/bpf/progs/dynptr_success.c
index e0745b6e467e..5b4e22198598 100644
--- a/tools/testing/selftests/bpf/progs/dynptr_success.c
+++ b/tools/testing/selftests/bpf/progs/dynptr_success.c
@@ -34,6 +34,13 @@ struct {
 	__type(value, __u32);
 } array_map SEC(".maps");
 
+struct {
+	__uint(type, BPF_MAP_TYPE_ARRAY);
+	__uint(max_entries, 1);
+	__type(key, __u32);
+	__type(value, __u8[32]);
+} probe_read_map SEC(".maps");
+
 SEC("?tp/syscalls/sys_enter_nanosleep")
 int test_read_write(void *ctx)
 {
@@ -1092,6 +1099,74 @@ int test_probe_read_kernel_str_dynptr(struct xdp_md *xdp)
 	return XDP_PASS;
 }
 
+SEC("?socket")
+int test_probe_read_user_dynptr_cap(struct __sk_buff *skb)
+{
+	struct bpf_dynptr ptr;
+	__u32 key = 0;
+	void *value;
+
+	value = bpf_map_lookup_elem(&probe_read_map, &key);
+	if (!value)
+		return 0;
+
+	if (bpf_dynptr_from_mem(value, 32, 0, &ptr))
+		return 0;
+
+	return bpf_probe_read_user_dynptr(&ptr, 0, 8, value);
+}
+
+SEC("?socket")
+int test_probe_read_kernel_dynptr_cap(struct __sk_buff *skb)
+{
+	struct bpf_dynptr ptr;
+	__u32 key = 0;
+	void *value;
+
+	value = bpf_map_lookup_elem(&probe_read_map, &key);
+	if (!value)
+		return 0;
+
+	if (bpf_dynptr_from_mem(value, 32, 0, &ptr))
+		return 0;
+
+	return bpf_probe_read_kernel_dynptr(&ptr, 0, 8, value);
+}
+
+SEC("?socket")
+int test_probe_read_user_str_dynptr_cap(struct __sk_buff *skb)
+{
+	struct bpf_dynptr ptr;
+	__u32 key = 0;
+	void *value;
+
+	value = bpf_map_lookup_elem(&probe_read_map, &key);
+	if (!value)
+		return 0;
+
+	if (bpf_dynptr_from_mem(value, 32, 0, &ptr))
+		return 0;
+
+	return bpf_probe_read_user_str_dynptr(&ptr, 0, 8, value);
+}
+
+SEC("?socket")
+int test_probe_read_kernel_str_dynptr_cap(struct __sk_buff *skb)
+{
+	struct bpf_dynptr ptr;
+	__u32 key = 0;
+	void *value;
+
+	value = bpf_map_lookup_elem(&probe_read_map, &key);
+	if (!value)
+		return 0;
+
+	if (bpf_dynptr_from_mem(value, 32, 0, &ptr))
+		return 0;
+
+	return bpf_probe_read_kernel_str_dynptr(&ptr, 0, 8, value);
+}
+
 SEC("fentry.s/" SYS_PREFIX "sys_nanosleep")
 int test_copy_from_user_dynptr(void *ctx)
 {

-- 
2.34.1

Re: [PATCH bpf 2/2] selftests/bpf: Cover dynptr probe-read kfunc capability gate

[sashiko-bot]

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [Medium] The commit message claims to declare explicit kfunc prototypes locally in `dynptr_success.c`, but the patch fails to include these declarations.
--

commit d3deda1bfd50e0af66e0dced005423edd99c0d03
Author: Nuoqi Gui <gnq25@mails.tsinghua.edu.cn>

selftests/bpf: Cover dynptr probe-read kfunc capability gate

This commit adds selftest programs to verify that the nofault probe-read
dynptr kfuncs fail with -EACCES when called without CAP_PERFMON and
CAP_SYS_ADMIN. It tests the policy boundary for these kfuncs using
capabilities.

> Add focused dynptr selftest programs that load socket-filter programs using
> bpf_dynptr_from_mem() followed by each nofault probe-read dynptr kfunc:
> bpf_probe_read_user_dynptr(), bpf_probe_read_kernel_dynptr(),
> bpf_probe_read_user_str_dynptr(), and bpf_probe_read_kernel_str_dynptr().
> Declare the dynptr kfuncs used by this BPF object locally in
> dynptr_success.c so the dynptr BPF object builds with explicit prototypes.

[Severity: Medium]
Is this description accurate for the included changes?

The commit message mentions adding explicit local declarations for the dynptr
kfuncs in dynptr_success.c, but these declarations do not appear to be
included in the code. Were they accidentally omitted from this patch, or
is the commit message outdated?

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260615-f01-07-dynptr-probe-read-cap-v1-0-e626cd61a381@mails.tsinghua.edu.cn?part=2

Re: Re: [PATCH bpf 2/2] selftests/bpf: Cover dynptr probe-read kfunc capability gate

[Nuoqi Gui]

> -----Original Messages-----
> From: sashiko-bot@kernel.org
> Send time:Monday, 15/06/2026 16:41:55
> To: "Nuoqi Gui" <gnq25@mails.tsinghua.edu.cn>
> Cc: bpf@vger.kernel.org
> Subject: Re: [PATCH bpf 2/2] selftests/bpf: Cover dynptr probe-read kfunc capability gate
> 
> Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
> - [Medium] The commit message claims to declare explicit kfunc prototypes locally in `dynptr_success.c`, but the patch fails to include these declarations.
> --
> 
> commit d3deda1bfd50e0af66e0dced005423edd99c0d03
> Author: Nuoqi Gui <gnq25@mails.tsinghua.edu.cn>
> 
> selftests/bpf: Cover dynptr probe-read kfunc capability gate
> 
> This commit adds selftest programs to verify that the nofault probe-read
> dynptr kfuncs fail with -EACCES when called without CAP_PERFMON and
> CAP_SYS_ADMIN. It tests the policy boundary for these kfuncs using
> capabilities.
> 
> > Add focused dynptr selftest programs that load socket-filter programs using
> > bpf_dynptr_from_mem() followed by each nofault probe-read dynptr kfunc:
> > bpf_probe_read_user_dynptr(), bpf_probe_read_kernel_dynptr(),
> > bpf_probe_read_user_str_dynptr(), and bpf_probe_read_kernel_str_dynptr().
> > Declare the dynptr kfuncs used by this BPF object locally in
> > dynptr_success.c so the dynptr BPF object builds with explicit prototypes.
> 
> [Severity: Medium]
> Is this description accurate for the included changes?
> 
> The commit message mentions adding explicit local declarations for the dynptr
> kfuncs in dynptr_success.c, but these declarations do not appear to be
> included in the code. Were they accidentally omitted from this patch, or
> is the commit message outdated?
> 
> -- 
> Sashiko AI review · https://sashiko.dev/#/patchset/20260615-f01-07-dynptr-probe-read-cap-v1-0-e626cd61a381@mails.tsinghua.edu.cn?part=2

This sentence is stale from an earlier version of the patch. The
current patch no longer adds local declarations in dynptr_success.c, 
so I'll drop that sentence from the commit message.

Re: [PATCH bpf 0/2] bpf: Gate dynptr probe-read kfuncs like helpers

[Alexei Starovoitov]

On Mon Jun 15, 2026 at 1:31 AM PDT, Nuoqi Gui wrote:
> The dynptr probe-read kfuncs are registered as common kfuncs. That lets a
> program with the generic kfunc privilege gate call
> bpf_probe_read_kernel_dynptr(), while the legacy bpf_probe_read_kernel()
> helper is exposed only with CAP_PERFMON and is blocked by kernel-read
> lockdown.

It's fine as-is. Won't fix.

pw-bot: cr