RE: [PATCH v3 bpf-next 00/10] BPF token support in libbpf's BPF object

BPF List
 help / color / mirror / Atom feed

From: John Fastabend <john.fastabend@gmail.com>
To: Andrii Nakryiko <andrii@kernel.org>,
	 bpf@vger.kernel.org,  ast@kernel.org,  daniel@iogearbox.net,
	 martin.lau@kernel.org
Cc: andrii@kernel.org,  kernel-team@meta.com
Subject: RE: [PATCH v3 bpf-next 00/10] BPF token support in libbpf's BPF object
Date: Wed, 13 Dec 2023 16:45:32 -0800	[thread overview]
Message-ID: <657a502ca6c3f_4415620819@john.notmuch> (raw)
In-Reply-To: <20231213190842.3844987-1-andrii@kernel.org>

Andrii Nakryiko wrote:
> Add fuller support for BPF token in high-level BPF object APIs. This is the
> most frequently used way to work with BPF using libbpf, so supporting BPF
> token there is critical.
> 
> Patch #1 is improving kernel-side BPF_TOKEN_CREATE behavior by rejecting to
> create "empty" BPF token with no delegation. This seems like saner behavior
> which also makes libbpf's caching better overall. If we ever want to create
> BPF token with no delegate_xxx options set on BPF FS, we can use a new flag to
> enable that.
> 
> Patches #2-#5 refactor libbpf internals, mostly feature detection code, to
> prepare it from BPF token FD.
> 
> Patch #6 adds options to pass BPF token into BPF object open options. It also
> adds implicit BPF token creation logic to BPF object load step, even without
> any explicit involvement of the user. If the environment is setup properly,
> BPF token will be created transparently and used implicitly. This allows for
> all existing application to gain BPF token support by just linking with
> latest version of libbpf library. No source code modifications are required.
> All that under assumption that privileged container management agent properly
> set up default BPF FS instance at /sys/bpf/fs to allow BPF token creation.
> 
> Patches #7-#8 adds more selftests, validating BPF object APIs work as expected
> under unprivileged user namespaced conditions in the presence of BPF token.
> 
> Patch #9 extends libbpf with LIBBPF_BPF_TOKEN_PATH envvar knowledge, which can
> be used to override custom BPF FS location used for implicit BPF token
> creation logic without needing to adjust application code. This allows admins
> or container managers to mount BPF token-enabled BPF FS at non-standard
> location without the need to coordinate with applications.
> LIBBPF_BPF_TOKEN_PATH can also be used to disable BPF token implicit creation
> by setting it to an empty value. Patch #10 tests this new envvar functionality.
> 
> v2->v3:
>   - move some stray feature cache refactorings into patch #4 (Alexei);
>   - add LIBBPF_BPF_TOKEN_PATH envvar support (Alexei);

We can do same thing from golang ebpf lib when we get around to adding it.
Looks good to me.

I see its merged but, Ack for me.

> v1->v2:
>   - remove minor code redundancies (Eduard, John);
>   - add acks and rebase.
> 
> Andrii Nakryiko (10):
>   bpf: fail BPF_TOKEN_CREATE if no delegation option was set on BPF FS
>   libbpf: split feature detectors definitions from cached results
>   libbpf: further decouple feature checking logic from bpf_object
>   libbpf: move feature detection code into its own file
>   libbpf: wire up token_fd into feature probing logic
>   libbpf: wire up BPF token support at BPF object level
>   selftests/bpf: add BPF object loading tests with explicit token
>     passing
>   selftests/bpf: add tests for BPF object load with implicit token
>   libbpf: support BPF token path setting through LIBBPF_BPF_TOKEN_PATH
>     envvar
>   selftests/bpf: add tests for LIBBPF_BPF_TOKEN_PATH envvar
> 
>  kernel/bpf/token.c                            |  10 +-
>  tools/lib/bpf/Build                           |   2 +-
>  tools/lib/bpf/bpf.c                           |   9 +-
>  tools/lib/bpf/btf.c                           |   7 +-
>  tools/lib/bpf/elf.c                           |   2 -
>  tools/lib/bpf/features.c                      | 478 +++++++++++++++
>  tools/lib/bpf/libbpf.c                        | 573 ++++--------------
>  tools/lib/bpf/libbpf.h                        |  37 +-
>  tools/lib/bpf/libbpf_internal.h               |  36 +-
>  tools/lib/bpf/libbpf_probes.c                 |   8 +-
>  tools/lib/bpf/str_error.h                     |   3 +
>  .../testing/selftests/bpf/prog_tests/token.c  | 347 +++++++++++
>  tools/testing/selftests/bpf/progs/priv_map.c  |  13 +
>  tools/testing/selftests/bpf/progs/priv_prog.c |  13 +
>  14 files changed, 1065 insertions(+), 473 deletions(-)
>  create mode 100644 tools/lib/bpf/features.c
>  create mode 100644 tools/testing/selftests/bpf/progs/priv_map.c
>  create mode 100644 tools/testing/selftests/bpf/progs/priv_prog.c
> 
> -- 
> 2.34.1
> 
>

     prev parent reply	other threads:[~2023-12-14  0:45 UTC|newest]

Thread overview: 13+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-12-13 19:08 [PATCH v3 bpf-next 00/10] BPF token support in libbpf's BPF object Andrii Nakryiko
2023-12-13 19:08 ` [PATCH v3 bpf-next 01/10] bpf: fail BPF_TOKEN_CREATE if no delegation option was set on BPF FS Andrii Nakryiko
2023-12-13 19:08 ` [PATCH v3 bpf-next 02/10] libbpf: split feature detectors definitions from cached results Andrii Nakryiko
2023-12-13 19:08 ` [PATCH v3 bpf-next 03/10] libbpf: further decouple feature checking logic from bpf_object Andrii Nakryiko
2023-12-13 19:08 ` [PATCH v3 bpf-next 04/10] libbpf: move feature detection code into its own file Andrii Nakryiko
2023-12-13 19:08 ` [PATCH v3 bpf-next 05/10] libbpf: wire up token_fd into feature probing logic Andrii Nakryiko
2023-12-13 19:08 ` [PATCH v3 bpf-next 06/10] libbpf: wire up BPF token support at BPF object level Andrii Nakryiko
2023-12-13 19:08 ` [PATCH v3 bpf-next 07/10] selftests/bpf: add BPF object loading tests with explicit token passing Andrii Nakryiko
2023-12-13 19:08 ` [PATCH v3 bpf-next 08/10] selftests/bpf: add tests for BPF object load with implicit token Andrii Nakryiko
2023-12-13 19:08 ` [PATCH v3 bpf-next 09/10] libbpf: support BPF token path setting through LIBBPF_BPF_TOKEN_PATH envvar Andrii Nakryiko
2023-12-13 19:08 ` [PATCH v3 bpf-next 10/10] selftests/bpf: add tests for " Andrii Nakryiko
2023-12-14  0:00 ` [PATCH v3 bpf-next 00/10] BPF token support in libbpf's BPF object patchwork-bot+netdevbpf
2023-12-14  0:45 ` John Fastabend [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=657a502ca6c3f_4415620819@john.notmuch \
    --to=john.fastabend@gmail.com \
    --cc=andrii@kernel.org \
    --cc=ast@kernel.org \
    --cc=bpf@vger.kernel.org \
    --cc=daniel@iogearbox.net \
    --cc=kernel-team@meta.com \
    --cc=martin.lau@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox