summaryrefslogtreecommitdiffstats
path: root/kernel/bpf/inode.c
diff options
context:
space:
mode:
authorAndrii Nakryiko <andrii@kernel.org>2024-01-24 03:21:01 +0100
committerAlexei Starovoitov <ast@kernel.org>2024-01-25 01:21:01 +0100
commita177fc2bf6fd83704854feaf7aae926b1df4f0b9 (patch)
tree74cafa2a721c24e10f9cbbeacd7acf518584edcb /kernel/bpf/inode.c
parentbpf: Introduce BPF token object (diff)
downloadlinux-a177fc2bf6fd83704854feaf7aae926b1df4f0b9.tar.xz
linux-a177fc2bf6fd83704854feaf7aae926b1df4f0b9.zip
bpf: Add BPF token support to BPF_MAP_CREATE command
Allow providing token_fd for BPF_MAP_CREATE command to allow controlled BPF map creation from unprivileged process through delegated BPF token. New BPF_F_TOKEN_FD flag is added to specify together with BPF token FD for BPF_MAP_CREATE command. Wire through a set of allowed BPF map types to BPF token, derived from BPF FS at BPF token creation time. This, in combination with allowed_cmds allows to create a narrowly-focused BPF token (controlled by privileged agent) with a restrictive set of BPF maps that application can attempt to create. Signed-off-by: Andrii Nakryiko <andrii@kernel.org> Signed-off-by: Alexei Starovoitov <ast@kernel.org> Link: https://lore.kernel.org/bpf/20240124022127.2379740-5-andrii@kernel.org
Diffstat (limited to 'kernel/bpf/inode.c')
-rw-r--r--kernel/bpf/inode.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/kernel/bpf/inode.c b/kernel/bpf/inode.c
index 565be1f3f1ea..034b7e4d8f19 100644
--- a/kernel/bpf/inode.c
+++ b/kernel/bpf/inode.c
@@ -620,7 +620,8 @@ static int bpf_show_options(struct seq_file *m, struct dentry *root)
else if (opts->delegate_cmds)
seq_printf(m, ",delegate_cmds=0x%llx", opts->delegate_cmds);
- if (opts->delegate_maps == ~0ULL)
+ mask = (1ULL << __MAX_BPF_MAP_TYPE) - 1;
+ if ((opts->delegate_maps & mask) == mask)
seq_printf(m, ",delegate_maps=any");
else if (opts->delegate_maps)
seq_printf(m, ",delegate_maps=0x%llx", opts->delegate_maps);