[PATCH 03/12] bpf: Implement exclusive map creation
KP Singh
kpsingh at kernel.org
Wed Jun 11 23:05:12 UTC 2025
On Thu, Jun 12, 2025 at 12:55 AM Alexei Starovoitov
<alexei.starovoitov at gmail.com> wrote:
>
> On Wed, Jun 11, 2025 at 2:44 PM KP Singh <kpsingh at kernel.org> wrote:
> >
> > On Mon, Jun 9, 2025 at 10:58 PM Alexei Starovoitov
> > <alexei.starovoitov at gmail.com> wrote:
[...]
> > can add inner maps. I think this is a valid combination as it would
> > still retain exclusivity over the outer map's elements.
>
> I don't follow.
> What do you mean by "map can add inner maps"?
Ah, I missed this bit: a program cannot call bpf_map_update_elem on
maps of maps, and such updates happen only in userspace.
Thanks, updated the code.
- KP
> The exclusivity is a contract between prog<->map.
> It doesn't matter whether the map is outer or inner.
> The prog cannot add an inner map.
> Only the user space can and such inner maps are detached
> from anything.
> Technically we can come up with a requirement that inner maps
> have to have the same prog sha as outer map.
> This can be enforced by bpf_map_meta_equal() logic.
> But that feels like overkill.
> The user space can query prog's sha, create an inner map with
> such prog sha and add it to outer map. So the additional check
> in bpf_map_meta_equal() would be easy to bypass.
> Since that is so, I would not add such an artificial obstacle.
> Let all types of maps have this exclusive feature.