author | Andrii Nakryiko <andrii@kernel.org> | 2024-01-24 03:21:01 +0100 |
---|---|---|
committer | Alexei Starovoitov <ast@kernel.org> | 2024-01-25 01:21:01 +0100 |
commit | a177fc2bf6fd83704854feaf7aae926b1df4f0b9 (patch) | |
tree | 74cafa2a721c24e10f9cbbeacd7acf518584edcb /kernel/bpf/inode.c | |
parent | bpf: Introduce BPF token object (diff) | |
download | linux-a177fc2bf6fd83704854feaf7aae926b1df4f0b9.tar.xz linux-a177fc2bf6fd83704854feaf7aae926b1df4f0b9.zip |
bpf: Add BPF token support to BPF_MAP_CREATE command
Allow providing token_fd for the BPF_MAP_CREATE command to allow controlled
BPF map creation from an unprivileged process through a delegated BPF token.
A new BPF_F_TOKEN_FD flag is added, to be specified together with the BPF token FD
for the BPF_MAP_CREATE command.
Wire through a set of allowed BPF map types to the BPF token, derived from
BPF FS at BPF token creation time. This, in combination with allowed_cmds,
allows creating a narrowly-focused BPF token (controlled by a privileged
agent) with a restrictive set of BPF maps that an application can attempt
to create.
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Link: https://lore.kernel.org/bpf/20240124022127.2379740-5-andrii@kernel.org
Diffstat (limited to 'kernel/bpf/inode.c')
-rw-r--r-- | kernel/bpf/inode.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/kernel/bpf/inode.c b/kernel/bpf/inode.c index 565be1f3f1ea..034b7e4d8f19 100644 --- a/kernel/bpf/inode.c +++ b/kernel/bpf/inode.c @@ -620,7 +620,8 @@ static int bpf_show_options(struct seq_file *m, struct dentry *root) else if (opts->delegate_cmds) seq_printf(m, ",delegate_cmds=0x%llx", opts->delegate_cmds); - if (opts->delegate_maps == ~0ULL) + mask = (1ULL << __MAX_BPF_MAP_TYPE) - 1; + if ((opts->delegate_maps & mask) == mask) seq_printf(m, ",delegate_maps=any"); else if (opts->delegate_maps) seq_printf(m, ",delegate_maps=0x%llx", opts->delegate_maps); |
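Review bot: the new `mask = (1ULL << __MAX_BPF_MAP_TYPE) - 1;` line in the bpf_show_options hunk silently depends on __MAX_BPF_MAP_TYPE staying below 64; once the enum reaches 64 the shift is undefined behaviour and the mask collapses, so the "delegate_maps=any" branch would stop matching. A BUILD_BUG_ON (or static_assert) pinning __MAX_BPF_MAP_TYPE to fewer than 64 next to the mask computation would make that limit explicit. Note also the behavioural change the hunk introduces: the old `opts->delegate_maps == ~0ULL` test printed "any" only for an all-ones value, while the new `(opts->delegate_maps & mask) == mask` test ignores bits above the highest defined map type, so a mount option with stray high bits set now displays as "any" rather than as its raw hex value; the commit message does not mention this, and a sentence there would help anyone reading the mount options output. The hunk does not show where `mask` is declared; the visible context gives no declaration, so the reviewer has to trust that it already exists in this function from the parent commit.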