[PATCH bpf-next 1/8] bpf: fail BPF_TOKEN_CREATE if no delegation option was set on BPF FS

Andrii Nakryiko andrii.nakryiko at gmail.com
Fri Dec 8 22:42:28 UTC 2023


On Fri, Dec 8, 2023 at 1:49 PM Christian Brauner <brauner at kernel.org> wrote:
>
> On Thu, Dec 07, 2023 at 10:54:36AM -0800, Andrii Nakryiko wrote:
> > It's quite confusing in practice when it's possible to successfully
> > create a BPF token from BPF FS that didn't have any of delegate_xxx
> > mount options set up. While it's not wrong, it's actually more
> > meaningful to reject BPF_TOKEN_CREATE with specific error code (-ENOENT)
> > to let user-space know that no token delegation is setup up.
> >
> > So, instead of creating empty BPF token that will be always ignored
> > because it doesn't have any of the allow_xxx bits set, reject it with
> > -ENOENT. If we ever need empty BPF token to be possible, we can support
> > that with extra flag passed into BPF_TOKEN_CREATE.
> >
> > Signed-off-by: Andrii Nakryiko <andrii at kernel.org>
> > ---
>
> Might consider EOPNOTSUPP (or whatever the correct way of spelling this

I thought about that, but it felt wrong to return "unsupported" error
code, because BPF token is supported, it's just not setup/delegated on
that particular instance of BPF FS. So in that sense it felt like "BPF
token is not there" is more appropriate, which is why I went with
-ENOENT. And also I was worried that we might add -EOPNOTSUPP for some
unsupported combinations of flags or something, and then it will
become confusing to detect when some functionality is really not
supported, or if BPF token delegation isn't set on BPF FS. I hope that
makes sense and is not too contrived an argument.


> is). Otherwise,
> Acked-by: Christian Brauner <brauner at kernel.org>



More information about the Linux-security-module-archive mailing list