bpf: Add a BPF helper for getting the IMA hash of an inode

Provide a wrapper function to get the IMA hash of an inode. This helper is useful in fingerprinting files (e.g executables on execution) and using these fingerprints in detections like an executable unlinking itself. Since the ima_inode_hash can sleep, it's only allowed for sleepable LSM hooks. Signed-off-by: KP Singh <kpsingh@google.com> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Acked-by: Yonghong Song <yhs@fb.com> Link: https://lore.kernel.org/bpf/20201124151210.1081188-3-kpsingh@chromium.org
2025-06-21 14:11:20 +00:00 · 2020-11-24 15:12:09 +00:00 · 2020-11-24 15:12:09 +00:00 · 27672f0d28
commit 27672f0d28
parent 403319be5d
4 changed files with 50 additions and 0 deletions
--- a/scripts/bpf_helpers_doc.py
+++ b/scripts/bpf_helpers_doc.py
@ -436,6 +436,7 @@ class PrinterHelpers(Printer):
            'struct xdp_md',
            'struct path',
            'struct btf_ptr',
+            'struct inode',
    ]
    known_types = {
            '...',
@ -480,6 +481,7 @@ class PrinterHelpers(Printer):
            'struct task_struct',
            'struct path',
            'struct btf_ptr',
+            'struct inode',
    }
    mapped_types = {
            'u8': '__u8',