A bunch of new hooks for managing block devices were added a while ago
but they weren't actually appropriately classified.

* bpf_lsm_bdev_alloc() is called when the inode for the block
  device is allocated. This happens from a sleepable context so mark the
  function as sleepable. When this function is called the memory for the
  block device storage embedded into the inode is zeroed. That block
  device cannot be meaningfully reference or interacted with at this
  point. So mark it as untrusted for now.

* bpf_lsm_bdev_free() is called when the inode for the block
  device is freed. A bunch of memory associated with the block device
  has already been freed and there's dangling pointers in there. So mark
  it as untrusted. It cannot be meaningfully referenced or interacted
  with anymore. It is also called from sb->s_op->free_inode:: which
  means it runs in rcu context (most of the times). So leave it as
  non-sleepable.

* bpf_lsm_bdev_setintegrity() is called when a dm-verity device
  is instantiated (glossing over details for simplicity of the commit
  message). The block device is very much alive so it remains a trusted
  hook. It's also called with device mapper's suspend lock held and so
  the hook is able to sleep so mark it sleepable.

Signed-off-by: Christian Brauner <brauner@kernel.org>
---
 kernel/bpf/bpf_lsm.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/kernel/bpf/bpf_lsm.c b/kernel/bpf/bpf_lsm.c
index 1da5585082fa..0887fcda4a9a 100644
--- a/kernel/bpf/bpf_lsm.c
+++ b/kernel/bpf/bpf_lsm.c
@@ -419,6 +419,8 @@ BTF_ID(func, bpf_lsm_userns_create)
 BTF_ID(func, bpf_lsm_namespace_alloc)
 BTF_ID(func, bpf_lsm_namespace_install)
 BTF_ID(func, bpf_lsm_cgroup_attach)
+BTF_ID(func, bpf_lsm_bdev_alloc)
+BTF_ID(func, bpf_lsm_bdev_setintegrity)
 BTF_SET_END(sleepable_lsm_hooks)
 
 BTF_SET_START(untrusted_lsm_hooks)
@@ -432,6 +434,8 @@ BTF_ID(func, bpf_lsm_sk_free_security)
 #endif /* CONFIG_SECURITY_NETWORK */
 BTF_ID(func, bpf_lsm_task_free)
 BTF_ID(func, bpf_lsm_namespace_free)
+BTF_ID(func, bpf_lsm_bdev_alloc)
+BTF_ID(func, bpf_lsm_bdev_free)
 BTF_SET_END(untrusted_lsm_hooks)
 
 bool bpf_lsm_is_sleepable_hook(u32 btf_id)

-- 
2.47.3

Add selftests to test block device tracking for bpf lsm programs.

Signed-off-by: Christian Brauner <brauner@kernel.org>
---
 tools/testing/selftests/bpf/prog_tests/lsm_bdev.c | 221 ++++++++++++++++++++++
 tools/testing/selftests/bpf/progs/lsm_bdev.c      |  96 ++++++++++
 2 files changed, 317 insertions(+)

diff --git a/tools/testing/selftests/bpf/prog_tests/lsm_bdev.c b/tools/testing/selftests/bpf/prog_tests/lsm_bdev.c
new file mode 100644
index 000000000000..a970798e1173
--- /dev/null
+++ b/tools/testing/selftests/bpf/prog_tests/lsm_bdev.c
@@ -0,0 +1,221 @@
+// SPDX-License-Identifier: GPL-2.0
+/* Copyright (c) 2026 Christian Brauner <brauner@kernel.org> */
+
+/*
+ * Test BPF LSM block device integrity hooks with dm-verity.
+ *
+ * Creates a dm-verity device over loopback, which triggers
+ * security_bdev_setintegrity() during verity_preresume().
+ * Verifies that the BPF program correctly tracks the integrity
+ * metadata in its hashmap.
+ */
+
+#define _GNU_SOURCE
+#include <test_progs.h>
+#include <fcntl.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <unistd.h>
+#include "lsm_bdev.skel.h"
+
+/* Must match the definition in progs/lsm_bdev.c. */
+struct verity_info {
+	__u8  has_roothash;
+	__u8  sig_valid;
+	__u32 setintegrity_cnt;
+};
+
+#define DATA_SIZE_MB	8
+#define HASH_SIZE_MB	1
+#define DM_NAME		"bpf_test_verity"
+#define DM_DEV_PATH	"/dev/mapper/" DM_NAME
+
+/* Run a command and optionally capture the first line of stdout. */
+static int run_cmd(const char *cmd, char *out, size_t out_sz)
+{
+	FILE *fp;
+	int ret;
+
+	fp = popen(cmd, "r");
+	if (!fp)
+		return -1;
+
+	if (out && out_sz > 0) {
+		if (!fgets(out, out_sz, fp))
+			out[0] = '\0';
+		/* strip trailing newline */
+		out[strcspn(out, "\n")] = '\0';
+	}
+
+	ret = pclose(fp);
+	return WIFEXITED(ret) ? WEXITSTATUS(ret) : -1;
+}
+
+static bool has_prerequisites(void)
+{
+	if (getuid() != 0) {
+		printf("SKIP: must be root\n");
+		return false;
+	}
+
+	if (run_cmd("modprobe loop 2>/dev/null", NULL, 0) &&
+	    run_cmd("ls /dev/loop-control 2>/dev/null", NULL, 0)) {
+		printf("SKIP: no loop device support\n");
+		return false;
+	}
+
+	if (run_cmd("modprobe dm-verity 2>/dev/null", NULL, 0) &&
+	    run_cmd("dmsetup targets 2>/dev/null | grep -q verity", NULL, 0)) {
+		printf("SKIP: dm-verity module not available\n");
+		return false;
+	}
+
+	if (run_cmd("which veritysetup >/dev/null 2>&1", NULL, 0)) {
+		printf("SKIP: veritysetup not found\n");
+		return false;
+	}
+
+	return true;
+}
+
+void test_lsm_bdev(void)
+{
+	char data_img[] = "/tmp/bpf_verity_data_XXXXXX";
+	char hash_img[] = "/tmp/bpf_verity_hash_XXXXXX";
+	char data_loop[64] = {};
+	char hash_loop[64] = {};
+	char roothash[256] = {};
+	char cmd[512];
+	int data_fd = -1, hash_fd = -1;
+	struct lsm_bdev *skel = NULL;
+	struct verity_info val;
+	struct stat st;
+	__u32 dev_key;
+	int err;
+
+	if (!has_prerequisites()) {
+		test__skip();
+		return;
+	}
+
+	/* Clean up any stale device from a previous crashed run. */
+	snprintf(cmd, sizeof(cmd), "dmsetup remove %s 2>/dev/null", DM_NAME);
+	run_cmd(cmd, NULL, 0);
+
+	/* Create temporary image files. */
+	data_fd = mkstemp(data_img);
+	if (!ASSERT_OK_FD(data_fd, "mkstemp data"))
+		return;
+
+	hash_fd = mkstemp(hash_img);
+	if (!ASSERT_OK_FD(hash_fd, "mkstemp hash"))
+		goto cleanup;
+
+	if (!ASSERT_OK(ftruncate(data_fd, DATA_SIZE_MB * 1024 * 1024),
+		       "truncate data"))
+		goto cleanup;
+
+	if (!ASSERT_OK(ftruncate(hash_fd, HASH_SIZE_MB * 1024 * 1024),
+		       "truncate hash"))
+		goto cleanup;
+
+	close(data_fd);
+	data_fd = -1;
+	close(hash_fd);
+	hash_fd = -1;
+
+	/* Set up loop devices. */
+	snprintf(cmd, sizeof(cmd),
+		 "losetup --find --show %s 2>/dev/null", data_img);
+	if (!ASSERT_OK(run_cmd(cmd, data_loop, sizeof(data_loop)),
+		       "losetup data"))
+		goto teardown;
+
+	snprintf(cmd, sizeof(cmd),
+		 "losetup --find --show %s 2>/dev/null", hash_img);
+	if (!ASSERT_OK(run_cmd(cmd, hash_loop, sizeof(hash_loop)),
+		       "losetup hash"))
+		goto teardown;
+
+	/* Format the dm-verity device and capture the root hash. */
+	snprintf(cmd, sizeof(cmd),
+		 "veritysetup format %s %s 2>/dev/null | "
+		 "grep -i 'root hash' | awk '{print $NF}'",
+		 data_loop, hash_loop);
+	if (!ASSERT_OK(run_cmd(cmd, roothash, sizeof(roothash)),
+		       "veritysetup format"))
+		goto teardown;
+
+	if (!ASSERT_GT((int)strlen(roothash), 0, "roothash not empty"))
+		goto teardown;
+
+	/* Load and attach BPF program before activating dm-verity. */
+	skel = lsm_bdev__open_and_load();
+	if (!ASSERT_OK_PTR(skel, "skel open_and_load"))
+		goto teardown;
+
+	err = lsm_bdev__attach(skel);
+	if (!ASSERT_OK(err, "skel attach"))
+		goto teardown;
+
+	/* Activate dm-verity — triggers verity_preresume() hooks. */
+	snprintf(cmd, sizeof(cmd),
+		 "veritysetup open %s %s %s %s 2>/dev/null",
+		 data_loop, DM_NAME, hash_loop, roothash);
+	if (!ASSERT_OK(run_cmd(cmd, NULL, 0), "veritysetup open"))
+		goto teardown;
+
+	/* Get the dm device's dev_t. */
+	if (!ASSERT_OK(stat(DM_DEV_PATH, &st), "stat dm dev"))
+		goto remove_dm;
+
+	dev_key = (__u32)st.st_rdev;
+
+	/* Look up the device in the BPF map and verify. */
+	err = bpf_map__lookup_elem(skel->maps.verity_devices,
+				   &dev_key, sizeof(dev_key),
+				   &val, sizeof(val), 0);
+	if (!ASSERT_OK(err, "map lookup"))
+		goto remove_dm;
+
+	ASSERT_EQ(val.has_roothash, 1, "has_roothash");
+	ASSERT_EQ(val.sig_valid, 0, "sig_valid (unsigned)");
+	/*
+	 * verity_preresume() always calls security_bdev_setintegrity()
+	 * for the roothash. The signature-validity call only happens
+	 * when CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG is enabled.
+	 */
+	ASSERT_GE(val.setintegrity_cnt, 1, "setintegrity_cnt min");
+	ASSERT_LE(val.setintegrity_cnt, 2, "setintegrity_cnt max");
+
+	/* Verify that the alloc hook fired at least once. */
+	ASSERT_GT(skel->bss->alloc_count, 0, "alloc_count");
+
+remove_dm:
+	snprintf(cmd, sizeof(cmd), "dmsetup remove %s 2>/dev/null", DM_NAME);
+	run_cmd(cmd, NULL, 0);
+
+teardown:
+	if (data_loop[0]) {
+		snprintf(cmd, sizeof(cmd), "losetup -d %s 2>/dev/null",
+			 data_loop);
+		run_cmd(cmd, NULL, 0);
+	}
+	if (hash_loop[0]) {
+		snprintf(cmd, sizeof(cmd), "losetup -d %s 2>/dev/null",
+			 hash_loop);
+		run_cmd(cmd, NULL, 0);
+	}
+
+cleanup:
+	lsm_bdev__destroy(skel);
+	if (data_fd >= 0)
+		close(data_fd);
+	if (hash_fd >= 0)
+		close(hash_fd);
+	unlink(data_img);
+	unlink(hash_img);
+}
diff --git a/tools/testing/selftests/bpf/progs/lsm_bdev.c b/tools/testing/selftests/bpf/progs/lsm_bdev.c
new file mode 100644
index 000000000000..45554e6db605
--- /dev/null
+++ b/tools/testing/selftests/bpf/progs/lsm_bdev.c
@@ -0,0 +1,96 @@
+// SPDX-License-Identifier: GPL-2.0
+/* Copyright (c) 2026 Christian Brauner <brauner@kernel.org> */
+
+/*
+ * BPF LSM block device integrity tracker for dm-verity.
+ *
+ * Tracks block devices in a hashmap keyed by bd_dev.  When dm-verity
+ * calls security_bdev_setintegrity() during verity_preresume(), the
+ * setintegrity hook records the roothash and signature-validity data.
+ * The free hook cleans up when the device goes away.  The alloc hook
+ * counts allocations for test validation.
+ *
+ * The sleepable hooks exercise bpf_copy_from_user() to verify that
+ * the sleepable classification actually permits sleepable helpers.
+ */
+
+#include "vmlinux.h"
+#include <bpf/bpf_helpers.h>
+#include <bpf/bpf_tracing.h>
+
+struct verity_info {
+	__u8  has_roothash;	/* LSM_INT_DMVERITY_ROOTHASH seen */
+	__u8  sig_valid;	/* LSM_INT_DMVERITY_SIG_VALID value (non-NULL = valid) */
+	__u32 setintegrity_cnt;	/* total setintegrity calls for this dev */
+};
+
+struct {
+	__uint(type, BPF_MAP_TYPE_HASH);
+	__uint(max_entries, 64);
+	__type(key, __u32);		/* dev_t from bdev->bd_dev */
+	__type(value, struct verity_info);
+} verity_devices SEC(".maps");
+
+/* Global counters exposed to userspace via skeleton bss. */
+int alloc_count;
+
+char _license[] SEC("license") = "GPL";
+
+SEC("lsm.s/bdev_setintegrity")
+int BPF_PROG(bdev_setintegrity, struct block_device *bdev,
+	     enum lsm_integrity_type type, const void *value, size_t size)
+{
+	struct verity_info zero = {};
+	struct verity_info *info;
+	__u32 dev;
+	char buf;
+
+	/*
+	 * Exercise a sleepable helper to confirm the verifier
+	 * allows it in this sleepable hook.
+	 */
+	(void)bpf_copy_from_user(&buf, sizeof(buf), NULL);
+
+	dev = bdev->bd_dev;
+
+	info = bpf_map_lookup_elem(&verity_devices, &dev);
+	if (!info) {
+		bpf_map_update_elem(&verity_devices, &dev, &zero, BPF_NOEXIST);
+		info = bpf_map_lookup_elem(&verity_devices, &dev);
+		if (!info)
+			return 0;
+	}
+
+	if (type == LSM_INT_DMVERITY_ROOTHASH)
+		info->has_roothash = 1;
+	else if (type == LSM_INT_DMVERITY_SIG_VALID)
+		info->sig_valid = (value != NULL);
+
+	__sync_fetch_and_add(&info->setintegrity_cnt, 1);
+
+	return 0;
+}
+
+SEC("lsm/bdev_free_security")
+void BPF_PROG(bdev_free_security, struct block_device *bdev)
+{
+	__u32 dev = bdev->bd_dev;
+
+	bpf_map_delete_elem(&verity_devices, &dev);
+}
+
+SEC("lsm.s/bdev_alloc_security")
+int BPF_PROG(bdev_alloc_security, struct block_device *bdev)
+{
+	char buf;
+
+	/*
+	 * Exercise a sleepable helper to confirm the verifier
+	 * allows it in this sleepable hook.
+	 */
+	(void)bpf_copy_from_user(&buf, sizeof(buf), NULL);
+
+	__sync_fetch_and_add(&alloc_count, 1);
+
+	return 0;
+}

-- 
2.47.3