From: Tao Chen <chen.dylane@linux.dev>
To: Andrii Nakryiko <andrii.nakryiko@gmail.com>
Cc: ast@kernel.org, daniel@iogearbox.net, andrii@kernel.org,
martin.lau@linux.dev, eddyz87@gmail.com, song@kernel.org,
yonghong.song@linux.dev, john.fastabend@gmail.com,
kpsingh@kernel.org, sdf@fomichev.me, haoluo@google.com,
jolsa@kernel.org, willemb@google.com, kerneljasonxing@gmail.com,
bpf@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH bpf-next 1/2] bpf: Add struct bpf_token_info
Date: Mon, 14 Jul 2025 21:15:45 +0800 [thread overview]
Message-ID: <f580b139-a08b-4705-addd-31f104fd570c@linux.dev> (raw)
In-Reply-To: <CAEf4BzZzsqu1=Q-3+6uJvgvKd52o+FR=DFp28w+vT5knP9NyCQ@mail.gmail.com>
在 2025/7/12 01:10, Andrii Nakryiko 写道:
Hi Andrri,
> On Fri, Jul 11, 2025 at 2:45 AM Tao Chen <chen.dylane@linux.dev> wrote:
>>
>> The 'commit 35f96de04127 ("bpf: Introduce BPF token object")' added
>> BPF token as a new kind of BPF kernel object. And BPF_OBJ_GET_INFO_BY_FD
>> already used to get BPF object info, so we can also get token info with
>> this cmd.
>>
>
> Do you have a specific use case in mind for this API? I can see how
> this might be useful for some hypothetical cases, but I have a few
> reservations as of right now:
>
> - we don't allow iterating all BPF token objects in the system the
> same way we do it for progs, maps, and btfs, so bpftool cannot take
> advantage of this to list all available tokens and their info, which
> makes this API a bit less useful, IMO;
>
> - BPF token was designed in a way that users don't really need to
> know allowed_* values (and if they do, they can get it from BPF FS's
> mount information (e.g., from /proc/mounts).
>
> As I said, I can come up with some hypothetical situations where a
> user might want to avoid doing something that otherwise they'd do
> outside of userns, but I'm wondering what your motivations are for
> this?
>
Sorry for the delay. Recentlly, i tried to use bpf_token feature in our
production environment, in fact, bpf_token grants permission to prog,
map, cmd, etc. It would be great if it could indicate which specific
permission is the issue to user. So i wanted to provide a token info
query interface. As you said, "mount | grep bpf" may solve it, but
functionally, can we make it more complete?
>> Signed-off-by: Tao Chen <chen.dylane@linux.dev>
>> ---
>> include/linux/bpf.h | 11 +++++++++++
>> include/uapi/linux/bpf.h | 8 ++++++++
>> kernel/bpf/syscall.c | 18 ++++++++++++++++++
>> kernel/bpf/token.c | 30 ++++++++++++++++++++++++++++--
>> tools/include/uapi/linux/bpf.h | 8 ++++++++
>> 5 files changed, 73 insertions(+), 2 deletions(-)
>>
>
> [...]
--
Best Regards
Tao Chen
next prev parent reply other threads:[~2025-07-14 13:16 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-07-11 9:45 [PATCH bpf-next 1/2] bpf: Add struct bpf_token_info Tao Chen
2025-07-11 9:45 ` [PATCH bpf-next 2/2] bpf/selftests: Add selftests for token info Tao Chen
2025-07-11 17:10 ` [PATCH bpf-next 1/2] bpf: Add struct bpf_token_info Andrii Nakryiko
2025-07-14 13:15 ` Tao Chen [this message]
2025-07-14 21:06 ` Andrii Nakryiko
2025-07-15 2:21 ` Tao Chen
2025-07-12 15:18 ` kernel test robot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=f580b139-a08b-4705-addd-31f104fd570c@linux.dev \
--to=chen.dylane@linux.dev \
--cc=andrii.nakryiko@gmail.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=eddyz87@gmail.com \
--cc=haoluo@google.com \
--cc=john.fastabend@gmail.com \
--cc=jolsa@kernel.org \
--cc=kerneljasonxing@gmail.com \
--cc=kpsingh@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=martin.lau@linux.dev \
--cc=sdf@fomichev.me \
--cc=song@kernel.org \
--cc=willemb@google.com \
--cc=yonghong.song@linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.