[PATCH bpf-next 1/8] bpf: fail BPF_TOKEN_CREATE if no delegation option was set on BPF FS

Christian Brauner brauner at kernel.org
Fri Dec 8 21:49:52 UTC 2023


On Thu, Dec 07, 2023 at 10:54:36AM -0800, Andrii Nakryiko wrote:
> It's quite confusing in practice when it's possible to successfully
> create a BPF token from BPF FS that didn't have any of delegate_xxx
> mount options set up. While it's not wrong, it's actually more
> meaningful to reject BPF_TOKEN_CREATE with specific error code (-ENOENT)
> to let user-space know that no token delegation is set up.
> 
> So, instead of creating empty BPF token that will be always ignored
> because it doesn't have any of the allow_xxx bits set, reject it with
> -ENOENT. If we ever need empty BPF token to be possible, we can support
> that with extra flag passed into BPF_TOKEN_CREATE.
> 
> Signed-off-by: Andrii Nakryiko <andrii at kernel.org>
> ---

Might consider EOPNOTSUPP (or whatever the correct way of spelling this
is). Otherwise,
Acked-by: Christian Brauner <brauner at kernel.org>


