public inbox for linux-kernel@vger.kernel.org
* [PATCH bpf-next 1/2] bpf: Add bpf_get_task_cmdline kfunc
@ 2025-11-18 12:58 Tao Chen
  2025-11-18 12:58 ` [PATCH bpf-next 2/2] selftests/bpf: Add bpf_get_task_cmdline test case Tao Chen
  2025-11-22  1:17 ` [PATCH bpf-next 1/2] bpf: Add bpf_get_task_cmdline kfunc Alexei Starovoitov
  0 siblings, 2 replies; 5+ messages in thread
From: Tao Chen @ 2025-11-18 12:58 UTC (permalink / raw)
  To: ast, daniel, andrii, martin.lau, eddyz87, song, yonghong.song,
	john.fastabend, kpsingh, sdf, haoluo, jolsa
  Cc: bpf, linux-kernel, Tao Chen

Add the bpf_get_task_cmdline kfunc. One use case is as follows: In
production environments, there are often short-lived script tasks executed,
and sometimes these tasks may cause stability issues. It is desirable to
detect these script tasks via eBPF. The common approach is to check
the process name, but it can be difficult to distinguish specific
tasks in some cases. Take the shell as an example: some tasks are
started via bash xxx.sh – their process name is bash, but the script
name of the task can be obtained through the cmdline. Additionally,
myabe this is helpful for security auditing purposes.

Signed-off-by: Tao Chen <chen.dylane@linux.dev>
---
 kernel/bpf/helpers.c | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c
index 865b0dae38d..7cac17d58d5 100644
--- a/kernel/bpf/helpers.c
+++ b/kernel/bpf/helpers.c
@@ -2685,6 +2685,27 @@ __bpf_kfunc struct task_struct *bpf_task_from_pid(s32 pid)
 	return p;
 }
 
+/*
+ * bpf_get_task_cmdline - Get the cmdline to a buffer
+ *
+ * @task: The task whose cmdline to get.
+ * @buffer: The buffer to save cmdline info.
+ * @len: The length of the buffer.
+ *
+ * Return: the size of the cmdline field copied. Note that the copy does
+ * not guarantee an ending NULL byte. A negative error code on failure.
+ */
+__bpf_kfunc int bpf_get_task_cmdline(struct task_struct *task, char *buffer, size_t len)
+{
+	int ret;
+
+	ret = get_cmdline(task, buffer, len);
+	if (ret < 0)
+		memset(buffer, 0, len);
+
+	return ret;
+}
+
 /**
  * bpf_task_from_vpid - Find a struct task_struct from its vpid by looking it up
  * in the pid namespace of the current task. If a task is returned, it must
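Review bot: In the bpf_get_task_cmdline() signature, `char *buffer, size_t len` gives the verifier no link between the pointer and its size, so get_cmdline() is asked to write `len` bytes into memory that was only checked for a single byte (the point raised in review further down this thread). The kfunc convention for a pointer/size pair is to give the size argument the `__sz` suffix, e.g. `char *buffer, size_t buffer__sz`, so the verifier bounds the access. Two smaller points in the comment block: it opens with `/*` while the neighbouring bpf_task_from_vpid comment uses kernel-doc `/**`, and "ending NULL byte" should read "NUL byte". Since the copy is documented as possibly unterminated, the comment should also say that callers must bound any string handling by the return value.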
@@ -4421,6 +4442,7 @@ BTF_ID_FLAGS(func, bpf_task_get_cgroup1, KF_ACQUIRE | KF_RCU | KF_RET_NULL)
 BTF_ID_FLAGS(func, bpf_task_from_pid, KF_ACQUIRE | KF_RET_NULL)
 BTF_ID_FLAGS(func, bpf_task_from_vpid, KF_ACQUIRE | KF_RET_NULL)
 BTF_ID_FLAGS(func, bpf_throw)
+BTF_ID_FLAGS(func, bpf_get_task_cmdline, KF_SLEEPABLE | KF_TRUSTED_ARGS)
 #ifdef CONFIG_BPF_EVENTS
 BTF_ID_FLAGS(func, bpf_send_signal_task, KF_TRUSTED_ARGS)
 #endif
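Review bot: The new BTF_ID_FLAGS line registers the kfunc with KF_SLEEPABLE, but neither the function comment nor the commit message says it may only be called from sleepable programs; document that restriction, and the reason for it, next to the `Return:` description. The entry is also placed after bpf_throw, apart from the other task kfuncs; putting it directly after bpf_task_from_vpid would keep the task helpers grouped.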
-- 
2.48.1



* [PATCH bpf-next 2/2] selftests/bpf: Add bpf_get_task_cmdline test case
  2025-11-18 12:58 [PATCH bpf-next 1/2] bpf: Add bpf_get_task_cmdline kfunc Tao Chen
@ 2025-11-18 12:58 ` Tao Chen
  2025-11-22  1:17 ` [PATCH bpf-next 1/2] bpf: Add bpf_get_task_cmdline kfunc Alexei Starovoitov
  1 sibling, 0 replies; 5+ messages in thread
From: Tao Chen @ 2025-11-18 12:58 UTC (permalink / raw)
  To: ast, daniel, andrii, martin.lau, eddyz87, song, yonghong.song,
	john.fastabend, kpsingh, sdf, haoluo, jolsa
  Cc: bpf, linux-kernel, Tao Chen

Create a task, call bpf_get_task_cmdline to retrieve
the cmdline, and check if it succeeds.

Signed-off-by: Tao Chen <chen.dylane@linux.dev>
---
 tools/testing/selftests/bpf/prog_tests/task_kfunc.c | 11 +++++++++++
 .../selftests/bpf/progs/task_kfunc_success.c        | 13 +++++++++++++
 2 files changed, 24 insertions(+)

diff --git a/tools/testing/selftests/bpf/prog_tests/task_kfunc.c b/tools/testing/selftests/bpf/prog_tests/task_kfunc.c
index 83b90335967..c23c0be357d 100644
--- a/tools/testing/selftests/bpf/prog_tests/task_kfunc.c
+++ b/tools/testing/selftests/bpf/prog_tests/task_kfunc.c
@@ -156,6 +156,10 @@ static const char * const vpid_success_tests[] = {
 	"test_task_from_vpid_invalid",
 };
 
+static const char * const cmdline_success_tests[] = {
+	"test_get_task_cmdline",
+};
+
 void test_task_kfunc(void)
 {
 	int i;
@@ -174,5 +178,12 @@ void test_task_kfunc(void)
 		run_vpid_success_test(vpid_success_tests[i]);
 	}
 
+	for (i = 0; i < ARRAY_SIZE(cmdline_success_tests); i++) {
+		if (!test__start_subtest(cmdline_success_tests[i]))
+			continue;
+
+		run_success_test(cmdline_success_tests[i]);
+	}
+
 	RUN_TESTS(task_kfunc_failure);
 }
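Review bot: The loop added to test_task_kfunc() wires up a success subtest only, while patch 1 registers the kfunc with KF_SLEEPABLE | KF_TRUSTED_ARGS, and both flags imply load-time rejections that nothing here exercises. Add negative programs to task_kfunc_failure (already run by the RUN_TESTS line at the end of this function) covering an untrusted task pointer and a non-sleepable program type.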
diff --git a/tools/testing/selftests/bpf/progs/task_kfunc_success.c b/tools/testing/selftests/bpf/progs/task_kfunc_success.c
index 5fb4fc19d26..a7c42e693da 100644
--- a/tools/testing/selftests/bpf/progs/task_kfunc_success.c
+++ b/tools/testing/selftests/bpf/progs/task_kfunc_success.c
@@ -367,6 +367,19 @@ int BPF_PROG(task_kfunc_acquire_trusted_walked, struct task_struct *task, u64 cl
 	return 0;
 }
 
+SEC("lsm.s/task_alloc")
+int BPF_PROG(test_get_task_cmdline, struct task_struct *task)
+{
+	char buf[64];
+	int ret;
+
+	ret = bpf_get_task_cmdline(task, buf, sizeof(buf));
+	if (ret < 0)
+		err = 1;
+
+	return 0;
+}
+
 SEC("syscall")
 int test_task_from_vpid_current(const void *ctx)
 {
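Review bot: test_get_task_cmdline checks only `ret < 0` and never reads `buf` or the returned length, so a kfunc that returns 0 or copies the wrong bytes still passes. Have the userspace side run a child with a known argv, then compare `buf` against it and `ret` against the expected length, bounding the comparison by `ret` because the kfunc comment says the copy may lack a terminating NUL. The program also has no filter on which task triggered it, so any task_alloc on the system during the run can set `err`; restrict it to the test's own pid.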
-- 
2.48.1



* Re: [PATCH bpf-next 1/2] bpf: Add bpf_get_task_cmdline kfunc
  2025-11-18 12:58 [PATCH bpf-next 1/2] bpf: Add bpf_get_task_cmdline kfunc Tao Chen
  2025-11-18 12:58 ` [PATCH bpf-next 2/2] selftests/bpf: Add bpf_get_task_cmdline test case Tao Chen
@ 2025-11-22  1:17 ` Alexei Starovoitov
  2025-11-25 23:32   ` Andrii Nakryiko
  1 sibling, 1 reply; 5+ messages in thread
From: Alexei Starovoitov @ 2025-11-22  1:17 UTC (permalink / raw)
  To: Tao Chen
  Cc: Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko,
	Martin KaFai Lau, Eduard, Song Liu, Yonghong Song, John Fastabend,
	KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa, bpf, LKML

On Tue, Nov 18, 2025 at 4:58 AM Tao Chen <chen.dylane@linux.dev> wrote:
>
> Add the bpf_get_task_cmdline kfunc. One use case is as follows: In
> production environments, there are often short-lived script tasks executed,
> and sometimes these tasks may cause stability issues. It is desirable to
> detect these script tasks via eBPF. The common approach is to check
> the process name, but it can be difficult to distinguish specific
> tasks in some cases. Take the shell as an example: some tasks are
> started via bash xxx.sh – their process name is bash, but the script
> name of the task can be obtained through the cmdline. Additionally,
> myabe this is helpful for security auditing purposes.

maybe

>
> Signed-off-by: Tao Chen <chen.dylane@linux.dev>
> ---
>  kernel/bpf/helpers.c | 22 ++++++++++++++++++++++
>  1 file changed, 22 insertions(+)
>
> diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c
> index 865b0dae38d..7cac17d58d5 100644
> --- a/kernel/bpf/helpers.c
> +++ b/kernel/bpf/helpers.c
> @@ -2685,6 +2685,27 @@ __bpf_kfunc struct task_struct *bpf_task_from_pid(s32 pid)
>         return p;
>  }
>
> +/*
> + * bpf_get_task_cmdline - Get the cmdline to a buffer
> + *
> + * @task: The task whose cmdline to get.
> + * @buffer: The buffer to save cmdline info.
> + * @len: The length of the buffer.
> + *
> + * Return: the size of the cmdline field copied. Note that the copy does
> + * not guarantee an ending NULL byte. A negative error code on failure.
> + */
> +__bpf_kfunc int bpf_get_task_cmdline(struct task_struct *task, char *buffer, size_t len)

'size_t len' doesn't make the verifier track the size of the buffer.
while 'char *buffer' tells the verifier to check that _one_ byte is available.
So this is buggy.

In general the kfunc seems useful, but selftest in patch 2 is just bad

+ ret = bpf_get_task_cmdline(task, buf, sizeof(buf));
+ if (ret < 0)
+    err = 1;
+
+ return 0;
+}

it's not testing much.

Also you must explain the true motivation for the kfunc.
"maybe helpful for security" is too vague.
Do you have a proprietary bpf-lsm that needs it?
What is the exact use case?

pw-bot: cr


* Re: [PATCH bpf-next 1/2] bpf: Add bpf_get_task_cmdline kfunc
  2025-11-22  1:17 ` [PATCH bpf-next 1/2] bpf: Add bpf_get_task_cmdline kfunc Alexei Starovoitov
@ 2025-11-25 23:32   ` Andrii Nakryiko
  2025-11-26  9:15     ` Tao Chen
  0 siblings, 1 reply; 5+ messages in thread
From: Andrii Nakryiko @ 2025-11-25 23:32 UTC (permalink / raw)
  To: Alexei Starovoitov
  Cc: Tao Chen, Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko,
	Martin KaFai Lau, Eduard, Song Liu, Yonghong Song, John Fastabend,
	KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa, bpf, LKML

On Fri, Nov 21, 2025 at 5:17 PM Alexei Starovoitov
<alexei.starovoitov@gmail.com> wrote:
>
> On Tue, Nov 18, 2025 at 4:58 AM Tao Chen <chen.dylane@linux.dev> wrote:
> >
> > Add the bpf_get_task_cmdline kfunc. One use case is as follows: In
> > production environments, there are often short-lived script tasks executed,
> > and sometimes these tasks may cause stability issues. It is desirable to
> > detect these script tasks via eBPF. The common approach is to check
> > the process name, but it can be difficult to distinguish specific
> > tasks in some cases. Take the shell as an example: some tasks are
> > started via bash xxx.sh – their process name is bash, but the script
> > name of the task can be obtained through the cmdline. Additionally,
> > myabe this is helpful for security auditing purposes.
>
> maybe
>
> >
> > Signed-off-by: Tao Chen <chen.dylane@linux.dev>
> > ---
> >  kernel/bpf/helpers.c | 22 ++++++++++++++++++++++
> >  1 file changed, 22 insertions(+)
> >
> > diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c
> > index 865b0dae38d..7cac17d58d5 100644
> > --- a/kernel/bpf/helpers.c
> > +++ b/kernel/bpf/helpers.c
> > @@ -2685,6 +2685,27 @@ __bpf_kfunc struct task_struct *bpf_task_from_pid(s32 pid)
> >         return p;
> >  }
> >
> > +/*
> > + * bpf_get_task_cmdline - Get the cmdline to a buffer
> > + *
> > + * @task: The task whose cmdline to get.
> > + * @buffer: The buffer to save cmdline info.
> > + * @len: The length of the buffer.
> > + *
> > + * Return: the size of the cmdline field copied. Note that the copy does
> > + * not guarantee an ending NULL byte. A negative error code on failure.
> > + */
> > +__bpf_kfunc int bpf_get_task_cmdline(struct task_struct *task, char *buffer, size_t len)
>
> 'size_t len' doesn't make the verifier track the size of the buffer.
> while 'char *buffer' tells the verifier to check that _one_ byte is available.
> So this is buggy.
>
> In general the kfunc seems useful, but selftest in patch 2 is just bad
>

Besides that mm->arg_lock spinlock (which I don't think matters all
that much for BPF programs), is there anything special in
get_cmdline() that a BPF program cannot just implement? Ultimately,
it's just copying mm->arg_start and mm->env_start zero-separated
strings, no? We have bpf_copy_from_user_task_str() and also
dynptr-based equivalent of it for even more variable-length
flexibility. That should be all one needs, no?

> + ret = bpf_get_task_cmdline(task, buf, sizeof(buf));
> + if (ret < 0)
> +    err = 1;
> +
> + return 0;
> +}
>
> it's not testing much.
>
> Also you must explain the true motivation for the kfunc.
> "maybe helpful for security" is too vague.
> Do you have a proprietary bpf-lsm that needs it?
> What is the exact use case?
>
> pw-bot: cr


* Re: [PATCH bpf-next 1/2] bpf: Add bpf_get_task_cmdline kfunc
  2025-11-25 23:32   ` Andrii Nakryiko
@ 2025-11-26  9:15     ` Tao Chen
  0 siblings, 0 replies; 5+ messages in thread
From: Tao Chen @ 2025-11-26  9:15 UTC (permalink / raw)
  To: Andrii Nakryiko, Alexei Starovoitov
  Cc: Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko,
	Martin KaFai Lau, Eduard, Song Liu, Yonghong Song, John Fastabend,
	KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa, bpf, LKML

On 2025/11/26 07:32, Andrii Nakryiko wrote:
> On Fri, Nov 21, 2025 at 5:17 PM Alexei Starovoitov
> <alexei.starovoitov@gmail.com> wrote:
>>
>> On Tue, Nov 18, 2025 at 4:58 AM Tao Chen <chen.dylane@linux.dev> wrote:
>>>
>>> Add the bpf_get_task_cmdline kfunc. One use case is as follows: In
>>> production environments, there are often short-lived script tasks executed,
>>> and sometimes these tasks may cause stability issues. It is desirable to
>>> detect these script tasks via eBPF. The common approach is to check
>>> the process name, but it can be difficult to distinguish specific
>>> tasks in some cases. Take the shell as an example: some tasks are
>>> started via bash xxx.sh – their process name is bash, but the script
>>> name of the task can be obtained through the cmdline. Additionally,
>>> myabe this is helpful for security auditing purposes.
>>
>> maybe
>>
>>>
>>> Signed-off-by: Tao Chen <chen.dylane@linux.dev>
>>> ---
>>>   kernel/bpf/helpers.c | 22 ++++++++++++++++++++++
>>>   1 file changed, 22 insertions(+)
>>>
>>> diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c
>>> index 865b0dae38d..7cac17d58d5 100644
>>> --- a/kernel/bpf/helpers.c
>>> +++ b/kernel/bpf/helpers.c
>>> @@ -2685,6 +2685,27 @@ __bpf_kfunc struct task_struct *bpf_task_from_pid(s32 pid)
>>>          return p;
>>>   }
>>>
>>> +/*
>>> + * bpf_get_task_cmdline - Get the cmdline to a buffer
>>> + *
>>> + * @task: The task whose cmdline to get.
>>> + * @buffer: The buffer to save cmdline info.
>>> + * @len: The length of the buffer.
>>> + *
>>> + * Return: the size of the cmdline field copied. Note that the copy does
>>> + * not guarantee an ending NULL byte. A negative error code on failure.
>>> + */
>>> +__bpf_kfunc int bpf_get_task_cmdline(struct task_struct *task, char *buffer, size_t len)
>>
>> 'size_t len' doesn't make the verifier track the size of the buffer.
>> while 'char *buffer' tells the verifier to check that _one_ byte is available.
>> So this is buggy.
>>
>> In general the kfunc seems useful, but selftest in patch 2 is just bad
>>
> 
> Besides that mm->arg_lock spinlock (which I don't think matters all
> that much for BPF programs), is there anything special in
> get_cmdline() that a BPF program cannot just implement? Ultimately,
> it's just copying mm->arg_start and mm->env_start zero-separated
> strings, no? We have bpf_copy_from_user_task_str() and also
> dynptr-based equivalent of it for even more variable-length
> flexibility. That should be all one needs, no?
> 

From a quick look at how both are implemented, it seems that way.
Hold off on this patch for now. I will move forward if we find something
new.

>> + ret = bpf_get_task_cmdline(task, buf, sizeof(buf));
>> + if (ret < 0)
>> +    err = 1;
>> +
>> + return 0;
>> +}
>>
>> it's not testing much.
>>
>> Also you must explain the true motivation for the kfunc.
>> "maybe helpful for security" is too vague.
>> Do you have a proprietary bpf-lsm that needs it?
>> What is the exact use case?
>>
>> pw-bot: cr


-- 
Best Regards
Tao Chen
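
The use case from the cover text (telling `bash xxx.sh` apart from other bash processes by its cmdline) needs a consumer that copes with a NUL-separated buffer that may be truncated and unterminated, as the kfunc comment warns. An added example of such a consumer in plain C, not code from the patch or the kernel; `script_from_cmdline`, the interpreter list and the sample buffers are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Constructed samples: NUL-separated argv as a cmdline copy would hold it. */
static const char sample_full[] = "bash\0/opt/jobs/rotate.sh\0--force";
static const char sample_cut[]  = "/usr/bin/bash\0/opt/jobs/rotate.sh";

/* Interpreters whose process name hides the real workload (example list). */
static const char *const interp[] = { "bash", "sh", "python3" };

/* Length of the argument at buf[off]; *done = 0 if buf ended before a NUL. */
static size_t arg_len(const char *buf, size_t len, size_t off, int *done)
{
	const char *nul = memchr(buf + off, '\0', len - off);
	*done = nul != NULL;
	return nul ? (size_t)(nul - (buf + off)) : len - off;
}

/*
 * Copy the first non-option argument after an interpreter argv[0] into out.
 * Returns 1 on success, 0 if argv[0] is not a listed interpreter or there is
 * no such argument, -1 if it was cut off by the buffer end or does not fit.
 */
int script_from_cmdline(const char *buf, size_t len, char *out, size_t out_sz)
{
	size_t n, off, i, base = 0;
	int done, known = 0;
	if (!len)
		return 0;
	n = arg_len(buf, len, 0, &done);
	for (i = 0; i < n; i++)		/* basename of argv[0] */
		if (buf[i] == '/')
			base = i + 1;
	for (i = 0; done && i < sizeof(interp) / sizeof(interp[0]); i++)
		known |= strlen(interp[i]) == n - base &&
			 !memcmp(buf + base, interp[i], n - base);
	if (!known)
		return 0;
	for (off = n + 1; off < len; off += n + 1) {
		n = arg_len(buf, len, off, &done);
		if (!n || buf[off] == '-')
			continue;	/* empty argument or option */
		if (!done || n >= out_sz)
			return -1;	/* never report a partial name as a match */
		memcpy(out, buf + off, n);
		out[n] = '\0';
		return 1;
	}
	return 0;
}
```

Passing `sample_cut` with a length of 16 models a copy into a buffer too small for the full command line; the -1 result lets the caller flag the event as truncated instead of matching on a partial script path.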

