I'm currently trying to write a fanotify wannabe program using libbpf + bpf LSM hooks.
What I'm trying to achieve here is to intercept an LSM event (for example lsm.s/file_open) and to send event data to the user-space side. On the user side I'd do some analysis and return a verdict that will be passed back to the LSM module.
I know that it was not yet possible several years ago, but in recent patches sleepable bpf programs were added and they work with LSM hooks. But I still don't know if I can block the bpf side until the analysis results are ready. So is it possible yet?
In the current state I have only managed to basically read some statistics into user ringbuf, but that's not exactly what I'm trying to achieve. I guess allocating a structure for the user-space return result and checking it for a valid response returned by bpf_copy_from_user() in a cycle can be it, but I would like to hear some thoughts on that. Thanks in advance!