[PATCH v5 bpf-next 03/13] bpf: introduce BPF token object
Andrii Nakryiko
andrii.nakryiko at gmail.com
Tue Oct 10 00:23:19 UTC 2023
On Mon, Oct 9, 2023 at 3:53 PM Paul Moore <paul at paul-moore.com> wrote:
>
> On Wed, Sep 27, 2023 at 12:03 PM Andrii Nakryiko
> <andrii.nakryiko at gmail.com> wrote:
> > On Wed, Sep 27, 2023 at 2:52 AM Christian Brauner <brauner at kernel.org> wrote:
>
> ...
>
> > > IOW, everything stays the same apart from the fact that bpf token fds
> > > are actually file descriptors referring to a detached bpffs file instead
> > > of an anonymous inode file. IOW, bpf tokens are actual bpffs objects
> > > tied to a bpffs instance.
> >
> > Ah, ok, this is a much smaller change than what I was about to make.
> > I'm glad I asked and thanks for elaborating! I'll use
> > alloc_file_pseudo() using bpffs mount in the next revision.
>
> Just a FYI, I'm still looking at v6 now, but moving from an anon_inode
> to a bpffs inode may mean we need to drop a LSM hook in
> bpf_token_create() to help mark the inode as a BPF token. Not a big
> deal either way, and I think it makes sense to use a bpffs inode as
> opposed to an anonymous inode, just wanted to let you know.
Thanks for the heads up. I was about to post a new revision rebased on
the latest bpf-next and with an unrelated selftest fix, but I'll give
it a bit more time to get your feedback and incorporate it into the
next revision. Thanks!
>
> --
> paul-moore.com
More information about the Linux-security-module-archive
mailing list