[PATCH 03/12] bpf: Implement exclusive map creation

KP Singh kpsingh at kernel.org
Wed Jun 11 21:44:46 UTC 2025


On Mon, Jun 9, 2025 at 10:58 PM Alexei Starovoitov
<alexei.starovoitov at gmail.com> wrote:
>
> On Fri, Jun 6, 2025 at 4:29 PM KP Singh <kpsingh at kernel.org> wrote:
> >
> > Exclusive maps allow maps to only be accessed by a trusted loader
> > program with a matching hash. This allows the trusted loader program
> > to load the map and verify the integrity.
> >
> > Both maps of maps (array, hash) cannot be exclusive and exclusive maps
> > cannot be added as inner maps. This is because one would need to
> > guarantee the exclusivity of the inner maps and would require
> > significant changes in the verifier.
>
> I was back and forth on it early, but after sleeping on it
> I think we should think of exclusive maps as a generic concept and
> not tied to trusted loader and prog signatures.
> So any map type should be allowed to be exclusive and this patch
> can handle it fine without adding more complexity.
> In map-in-map case the outer map can be created exclusive
> to a particular program, but inner maps don't have to be exclusive,
> and it's fine. The lskel loader won't be using map-in-map anyway,
> so no issues there.

So the idea here is that if an outer map has exclusive access, only it
can add inner maps. I think this is a valid combination as it would
still retain exclusivity over the outer map's elements.

- KP

>
> > Signed-off-by: KP Singh <kpsingh at kernel.org>
> > ---

[...]
