[PATCH bpf-next v2 1/2] bpf: Add struct bpf_token_info

[PATCH bpf-next v2 1/2] bpf: Add struct bpf_token_info

[Tao Chen]

The 'commit 35f96de04127 ("bpf: Introduce BPF token object")' added
BPF token as a new kind of BPF kernel object. And BPF_OBJ_GET_INFO_BY_FD
already used to get BPF object info, so we can also get token info with
this cmd.
One usage scenario, when program runs failed with token, because of
the permission failure, we can report what BPF token is allowing with
this API for debugging.

Signed-off-by: Tao Chen <chen.dylane@linux.dev>
---
 include/linux/bpf.h            | 11 +++++++++++
 include/uapi/linux/bpf.h       |  8 ++++++++
 kernel/bpf/syscall.c           | 18 ++++++++++++++++++
 kernel/bpf/token.c             | 28 +++++++++++++++++++++++++++-
 tools/include/uapi/linux/bpf.h |  8 ++++++++
 5 files changed, 72 insertions(+), 1 deletion(-)

Change list:
 v1 -> v2:
  - fix compilation warning reported by kernel test robot
 v1: https://lore.kernel.org/bpf/20250711094517.931999-1-chen.dylane@linux.dev

diff --git a/include/linux/bpf.h b/include/linux/bpf.h
index 34dd90ec7fa..2c772f1556d 100644
--- a/include/linux/bpf.h
+++ b/include/linux/bpf.h
@@ -2350,6 +2350,7 @@ extern const struct super_operations bpf_super_ops;
 extern const struct file_operations bpf_map_fops;
 extern const struct file_operations bpf_prog_fops;
 extern const struct file_operations bpf_iter_fops;
+extern const struct file_operations bpf_token_fops;
 
 #define BPF_PROG_TYPE(_id, _name, prog_ctx_type, kern_ctx_type) \
 	extern const struct bpf_prog_ops _name ## _prog_ops; \
@@ -2546,6 +2547,9 @@ void bpf_token_inc(struct bpf_token *token);
 void bpf_token_put(struct bpf_token *token);
 int bpf_token_create(union bpf_attr *attr);
 struct bpf_token *bpf_token_get_from_fd(u32 ufd);
+int bpf_token_get_info_by_fd(struct bpf_token *token,
+			     const union bpf_attr *attr,
+			     union bpf_attr __user *uattr);
 
 bool bpf_token_allow_cmd(const struct bpf_token *token, enum bpf_cmd cmd);
 bool bpf_token_allow_map_type(const struct bpf_token *token, enum bpf_map_type type);
@@ -2944,6 +2948,13 @@ static inline struct bpf_token *bpf_token_get_from_fd(u32 ufd)
 	return ERR_PTR(-EOPNOTSUPP);
 }
 
+static inline int bpf_token_get_info_by_fd(struct bpf_token *token,
+					   const union bpf_attr *attr,
+					   union bpf_attr __user *uattr)
+{
+	return -EOPNOTSUPP;
+}
+
 static inline void __dev_flush(struct list_head *flush_list)
 {
 }
diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h
index 0670e15a610..233de867738 100644
--- a/include/uapi/linux/bpf.h
+++ b/include/uapi/linux/bpf.h
@@ -450,6 +450,7 @@ union bpf_iter_link_info {
  *		* **struct bpf_map_info**
  *		* **struct bpf_btf_info**
  *		* **struct bpf_link_info**
+ *		* **struct bpf_token_info**
  *
  *	Return
  *		Returns zero on success. On error, -1 is returned and *errno*
@@ -6803,6 +6804,13 @@ struct bpf_link_info {
 	};
 } __attribute__((aligned(8)));
 
+struct bpf_token_info {
+	__u64 allowed_cmds;
+	__u64 allowed_maps;
+	__u64 allowed_progs;
+	__u64 allowed_attachs;
+} __attribute__((aligned(8)));
+
 /* User bpf_sock_addr struct to access socket fields and sockaddr struct passed
  * by user and intended to be used by socket (e.g. to bind to, depends on
  * attach type).
diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
index 3f36bfe1326..c21b6bba62a 100644
--- a/kernel/bpf/syscall.c
+++ b/kernel/bpf/syscall.c
@@ -5234,6 +5234,21 @@ static int bpf_link_get_info_by_fd(struct file *file,
 }
 
 
+static int token_get_info_by_fd(struct file *file,
+				struct bpf_token *token,
+				const union bpf_attr *attr,
+				union bpf_attr __user *uattr)
+{
+	struct bpf_token_info __user *uinfo = u64_to_user_ptr(attr->info.info);
+	u32 info_len = attr->info.info_len;
+	int err;
+
+	err = bpf_check_uarg_tail_zero(USER_BPFPTR(uinfo), sizeof(*uinfo), info_len);
+	if (err)
+		return err;
+	return bpf_token_get_info_by_fd(token, attr, uattr);
+}
+
 #define BPF_OBJ_GET_INFO_BY_FD_LAST_FIELD info.info
 
 static int bpf_obj_get_info_by_fd(const union bpf_attr *attr,
@@ -5257,6 +5272,9 @@ static int bpf_obj_get_info_by_fd(const union bpf_attr *attr,
 	else if (fd_file(f)->f_op == &bpf_link_fops || fd_file(f)->f_op == &bpf_link_fops_poll)
 		return bpf_link_get_info_by_fd(fd_file(f), fd_file(f)->private_data,
 					      attr, uattr);
+	else if (fd_file(f)->f_op == &bpf_token_fops)
+		return token_get_info_by_fd(fd_file(f), fd_file(f)->private_data,
+					    attr, uattr);
 	return -EINVAL;
 }
 
diff --git a/kernel/bpf/token.c b/kernel/bpf/token.c
index 26057aa1350..fda67d417c2 100644
--- a/kernel/bpf/token.c
+++ b/kernel/bpf/token.c
@@ -103,7 +103,7 @@ static void bpf_token_show_fdinfo(struct seq_file *m, struct file *filp)
 
 static const struct inode_operations bpf_token_iops = { };
 
-static const struct file_operations bpf_token_fops = {
+const struct file_operations bpf_token_fops = {
 	.release	= bpf_token_release,
 	.show_fdinfo	= bpf_token_show_fdinfo,
 };
@@ -210,6 +210,32 @@ int bpf_token_create(union bpf_attr *attr)
 	return err;
 }
 
+int bpf_token_get_info_by_fd(struct bpf_token *token,
+			     const union bpf_attr *attr,
+			     union bpf_attr __user *uattr)
+{
+	struct bpf_token_info __user *uinfo;
+	struct bpf_token_info info;
+	u32 info_copy, uinfo_len;
+
+	uinfo = u64_to_user_ptr(attr->info.info);
+	uinfo_len = attr->info.info_len;
+
+	info_copy = min_t(u32, uinfo_len, sizeof(info));
+	memset(&info, 0, sizeof(info));
+
+	info.allowed_cmds = token->allowed_cmds;
+	info.allowed_maps = token->allowed_maps;
+	info.allowed_progs = token->allowed_progs;
+	info.allowed_attachs = token->allowed_attachs;
+
+	if (copy_to_user(uinfo, &info, info_copy) ||
+	    put_user(info_copy, &uattr->info.info_len))
+		return -EFAULT;
+
+	return 0;
+}
+
 struct bpf_token *bpf_token_get_from_fd(u32 ufd)
 {
 	CLASS(fd, f)(ufd);
diff --git a/tools/include/uapi/linux/bpf.h b/tools/include/uapi/linux/bpf.h
index 0670e15a610..233de867738 100644
--- a/tools/include/uapi/linux/bpf.h
+++ b/tools/include/uapi/linux/bpf.h
@@ -450,6 +450,7 @@ union bpf_iter_link_info {
  *		* **struct bpf_map_info**
  *		* **struct bpf_btf_info**
  *		* **struct bpf_link_info**
+ *		* **struct bpf_token_info**
  *
  *	Return
  *		Returns zero on success. On error, -1 is returned and *errno*
@@ -6803,6 +6804,13 @@ struct bpf_link_info {
 	};
 } __attribute__((aligned(8)));
 
+struct bpf_token_info {
+	__u64 allowed_cmds;
+	__u64 allowed_maps;
+	__u64 allowed_progs;
+	__u64 allowed_attachs;
+} __attribute__((aligned(8)));
+
 /* User bpf_sock_addr struct to access socket fields and sockaddr struct passed
  * by user and intended to be used by socket (e.g. to bind to, depends on
  * attach type).
-- 
2.48.1

[PATCH bpf-next v2 2/2] bpf/selftests: Add selftests for token info

[Tao Chen]

A previous change added bpf_token_info to get token info with
bpf_get_obj_info_by_fd, this patch adds a new test for token info.

 #461/12  token/bpf_token_info:OK

Signed-off-by: Tao Chen <chen.dylane@linux.dev>
---
 .../testing/selftests/bpf/prog_tests/token.c  | 39 +++++++++++++++++++
 1 file changed, 39 insertions(+)

diff --git a/tools/testing/selftests/bpf/prog_tests/token.c b/tools/testing/selftests/bpf/prog_tests/token.c
index cfc032b910c..a16f25bdd4c 100644
--- a/tools/testing/selftests/bpf/prog_tests/token.c
+++ b/tools/testing/selftests/bpf/prog_tests/token.c
@@ -1047,6 +1047,36 @@ static int userns_obj_priv_implicit_token_envvar(int mnt_fd, struct token_lsm *l
 
 #define bit(n) (1ULL << (n))
 
+static int userns_bpf_token_info(int mnt_fd, struct token_lsm *lsm_skel)
+{
+	int err, token_fd = -1;
+	struct bpf_token_info info;
+	u32 len = sizeof(struct bpf_token_info);
+
+	/* create BPF token from BPF FS mount */
+	token_fd = bpf_token_create(mnt_fd, NULL);
+	if (!ASSERT_GT(token_fd, 0, "token_create")) {
+		err = -EINVAL;
+		goto cleanup;
+	}
+
+	memset(&info, 0, len);
+	err = bpf_obj_get_info_by_fd(token_fd, &info, &len);
+	if (!ASSERT_ERR(err, "bpf_obj_get_token_info"))
+		goto cleanup;
+	if (!ASSERT_EQ(info.allowed_cmds, bit(BPF_MAP_CREATE), "token_info_cmds_map_create"))
+		goto cleanup;
+	if (!ASSERT_EQ(info.allowed_progs, bit(BPF_PROG_TYPE_XDP), "token_info_progs_xdp"))
+		goto cleanup;
+
+	/* The BPF_PROG_TYPE_EXT is not set in token */
+	ASSERT_EQ(info.allowed_progs, bit(BPF_PROG_TYPE_EXT), "token_info_progs_ext");
+
+cleanup:
+	zclose(token_fd);
+	return err;
+}
+
 void test_token(void)
 {
 	if (test__start_subtest("map_token")) {
@@ -1150,4 +1180,13 @@ void test_token(void)
 
 		subtest_userns(&opts, userns_obj_priv_implicit_token_envvar);
 	}
+	if (test__start_subtest("bpf_token_info")) {
+		struct bpffs_opts opts = {
+			.cmds = bit(BPF_MAP_CREATE),
+			.progs = bit(BPF_PROG_TYPE_XDP),
+			.attachs = ~0ULL,
+		};
+
+		subtest_userns(&opts, userns_bpf_token_info);
+	}
 }
-- 
2.48.1

Re: [PATCH bpf-next v2 2/2] bpf/selftests: Add selftests for token info

[Andrii Nakryiko]

On Mon, Jul 14, 2025 at 8:59 PM Tao Chen <chen.dylane@linux.dev> wrote:
>
> A previous change added bpf_token_info to get token info with
> bpf_get_obj_info_by_fd, this patch adds a new test for token info.
>
>  #461/12  token/bpf_token_info:OK
>
> Signed-off-by: Tao Chen <chen.dylane@linux.dev>
> ---
>  .../testing/selftests/bpf/prog_tests/token.c  | 39 +++++++++++++++++++
>  1 file changed, 39 insertions(+)
>
> diff --git a/tools/testing/selftests/bpf/prog_tests/token.c b/tools/testing/selftests/bpf/prog_tests/token.c
> index cfc032b910c..a16f25bdd4c 100644
> --- a/tools/testing/selftests/bpf/prog_tests/token.c
> +++ b/tools/testing/selftests/bpf/prog_tests/token.c
> @@ -1047,6 +1047,36 @@ static int userns_obj_priv_implicit_token_envvar(int mnt_fd, struct token_lsm *l
>
>  #define bit(n) (1ULL << (n))
>
> +static int userns_bpf_token_info(int mnt_fd, struct token_lsm *lsm_skel)
> +{
> +       int err, token_fd = -1;
> +       struct bpf_token_info info;
> +       u32 len = sizeof(struct bpf_token_info);
> +
> +       /* create BPF token from BPF FS mount */
> +       token_fd = bpf_token_create(mnt_fd, NULL);
> +       if (!ASSERT_GT(token_fd, 0, "token_create")) {
> +               err = -EINVAL;
> +               goto cleanup;
> +       }
> +
> +       memset(&info, 0, len);
> +       err = bpf_obj_get_info_by_fd(token_fd, &info, &len);
> +       if (!ASSERT_ERR(err, "bpf_obj_get_token_info"))
> +               goto cleanup;
> +       if (!ASSERT_EQ(info.allowed_cmds, bit(BPF_MAP_CREATE), "token_info_cmds_map_create"))
> +               goto cleanup;
> +       if (!ASSERT_EQ(info.allowed_progs, bit(BPF_PROG_TYPE_XDP), "token_info_progs_xdp"))
> +               goto cleanup;

nit: there is no harm in just doing a few ASSERT_EQ() checks
unconditionally, it's cleaner and more succinct (and either way you
return err == 0 in this case)

> +
> +       /* The BPF_PROG_TYPE_EXT is not set in token */
> +       ASSERT_EQ(info.allowed_progs, bit(BPF_PROG_TYPE_EXT), "token_info_progs_ext");
> +
> +cleanup:
> +       zclose(token_fd);
> +       return err;
> +}
> +
>  void test_token(void)
>  {
>         if (test__start_subtest("map_token")) {
> @@ -1150,4 +1180,13 @@ void test_token(void)
>
>                 subtest_userns(&opts, userns_obj_priv_implicit_token_envvar);
>         }
> +       if (test__start_subtest("bpf_token_info")) {
> +               struct bpffs_opts opts = {
> +                       .cmds = bit(BPF_MAP_CREATE),
> +                       .progs = bit(BPF_PROG_TYPE_XDP),
> +                       .attachs = ~0ULL,
> +               };
> +
> +               subtest_userns(&opts, userns_bpf_token_info);
> +       }
>  }
> --
> 2.48.1
>

Re: [PATCH bpf-next v2 1/2] bpf: Add struct bpf_token_info

[Andrii Nakryiko]

On Mon, Jul 14, 2025 at 8:59 PM Tao Chen <chen.dylane@linux.dev> wrote:
>
> The 'commit 35f96de04127 ("bpf: Introduce BPF token object")' added
> BPF token as a new kind of BPF kernel object. And BPF_OBJ_GET_INFO_BY_FD
> already used to get BPF object info, so we can also get token info with
> this cmd.
> One usage scenario, when program runs failed with token, because of
> the permission failure, we can report what BPF token is allowing with
> this API for debugging.
>
> Signed-off-by: Tao Chen <chen.dylane@linux.dev>
> ---
>  include/linux/bpf.h            | 11 +++++++++++
>  include/uapi/linux/bpf.h       |  8 ++++++++
>  kernel/bpf/syscall.c           | 18 ++++++++++++++++++
>  kernel/bpf/token.c             | 28 +++++++++++++++++++++++++++-
>  tools/include/uapi/linux/bpf.h |  8 ++++++++
>  5 files changed, 72 insertions(+), 1 deletion(-)
>

LGTM, but see a nit below and in selftest patch

Acked-by: Andrii Nakryiko <andrii@kernel.org>

[...]

>
> +int bpf_token_get_info_by_fd(struct bpf_token *token,
> +                            const union bpf_attr *attr,
> +                            union bpf_attr __user *uattr)
> +{
> +       struct bpf_token_info __user *uinfo;
> +       struct bpf_token_info info;
> +       u32 info_copy, uinfo_len;
> +
> +       uinfo = u64_to_user_ptr(attr->info.info);
> +       uinfo_len = attr->info.info_len;
> +
> +       info_copy = min_t(u32, uinfo_len, sizeof(info));

you don't use info_len past this point, so just reassign it instead of
adding another variable (info_copy); seems like some other
get_info_by_fd functions use the same approach

> +       memset(&info, 0, sizeof(info));
> +
> +       info.allowed_cmds = token->allowed_cmds;
> +       info.allowed_maps = token->allowed_maps;
> +       info.allowed_progs = token->allowed_progs;
> +       info.allowed_attachs = token->allowed_attachs;
> +
> +       if (copy_to_user(uinfo, &info, info_copy) ||
> +           put_user(info_copy, &uattr->info.info_len))
> +               return -EFAULT;
> +
> +       return 0;
> +}
> +

[...]

Re: [PATCH bpf-next v2 2/2] bpf/selftests: Add selftests for token info

[Tao Chen]

在 2025/7/16 05:51, Andrii Nakryiko 写道:
> On Mon, Jul 14, 2025 at 8:59 PM Tao Chen <chen.dylane@linux.dev> wrote:
>>
>> A previous change added bpf_token_info to get token info with
>> bpf_get_obj_info_by_fd, this patch adds a new test for token info.
>>
>>   #461/12  token/bpf_token_info:OK
>>
>> Signed-off-by: Tao Chen <chen.dylane@linux.dev>
>> ---
>>   .../testing/selftests/bpf/prog_tests/token.c  | 39 +++++++++++++++++++
>>   1 file changed, 39 insertions(+)
>>
>> diff --git a/tools/testing/selftests/bpf/prog_tests/token.c b/tools/testing/selftests/bpf/prog_tests/token.c
>> index cfc032b910c..a16f25bdd4c 100644
>> --- a/tools/testing/selftests/bpf/prog_tests/token.c
>> +++ b/tools/testing/selftests/bpf/prog_tests/token.c
>> @@ -1047,6 +1047,36 @@ static int userns_obj_priv_implicit_token_envvar(int mnt_fd, struct token_lsm *l
>>
>>   #define bit(n) (1ULL << (n))
>>
>> +static int userns_bpf_token_info(int mnt_fd, struct token_lsm *lsm_skel)
>> +{
>> +       int err, token_fd = -1;
>> +       struct bpf_token_info info;
>> +       u32 len = sizeof(struct bpf_token_info);
>> +
>> +       /* create BPF token from BPF FS mount */
>> +       token_fd = bpf_token_create(mnt_fd, NULL);
>> +       if (!ASSERT_GT(token_fd, 0, "token_create")) {
>> +               err = -EINVAL;
>> +               goto cleanup;
>> +       }
>> +
>> +       memset(&info, 0, len);
>> +       err = bpf_obj_get_info_by_fd(token_fd, &info, &len);
>> +       if (!ASSERT_ERR(err, "bpf_obj_get_token_info"))
>> +               goto cleanup;
>> +       if (!ASSERT_EQ(info.allowed_cmds, bit(BPF_MAP_CREATE), "token_info_cmds_map_create"))
>> +               goto cleanup;
>> +       if (!ASSERT_EQ(info.allowed_progs, bit(BPF_PROG_TYPE_XDP), "token_info_progs_xdp"))
>> +               goto cleanup;
> 
> nit: there is no harm in just doing a few ASSERT_EQ() checks
> unconditionally, it's cleaner and more succinct (and either way you
> return err == 0 in this case)
>

It seems necessary to assign the err when ASSERT_EQ fails, will fix it 
in v3, thanks.

>> +
>> +       /* The BPF_PROG_TYPE_EXT is not set in token */
>> +       ASSERT_EQ(info.allowed_progs, bit(BPF_PROG_TYPE_EXT), "token_info_progs_ext");
>> +
>> +cleanup:
>> +       zclose(token_fd);
>> +       return err;
>> +}
>> +
>>   void test_token(void)
>>   {
>>          if (test__start_subtest("map_token")) {
>> @@ -1150,4 +1180,13 @@ void test_token(void)
>>
>>                  subtest_userns(&opts, userns_obj_priv_implicit_token_envvar);
>>          }
>> +       if (test__start_subtest("bpf_token_info")) {
>> +               struct bpffs_opts opts = {
>> +                       .cmds = bit(BPF_MAP_CREATE),
>> +                       .progs = bit(BPF_PROG_TYPE_XDP),
>> +                       .attachs = ~0ULL,
>> +               };
>> +
>> +               subtest_userns(&opts, userns_bpf_token_info);
>> +       }
>>   }
>> --
>> 2.48.1
>>


-- 
Best Regards
Tao Chen

Re: [PATCH bpf-next v2 1/2] bpf: Add struct bpf_token_info

[Tao Chen]

在 2025/7/16 05:52, Andrii Nakryiko 写道:
> On Mon, Jul 14, 2025 at 8:59 PM Tao Chen <chen.dylane@linux.dev> wrote:
>>
>> The 'commit 35f96de04127 ("bpf: Introduce BPF token object")' added
>> BPF token as a new kind of BPF kernel object. And BPF_OBJ_GET_INFO_BY_FD
>> already used to get BPF object info, so we can also get token info with
>> this cmd.
>> One usage scenario, when program runs failed with token, because of
>> the permission failure, we can report what BPF token is allowing with
>> this API for debugging.
>>
>> Signed-off-by: Tao Chen <chen.dylane@linux.dev>
>> ---
>>   include/linux/bpf.h            | 11 +++++++++++
>>   include/uapi/linux/bpf.h       |  8 ++++++++
>>   kernel/bpf/syscall.c           | 18 ++++++++++++++++++
>>   kernel/bpf/token.c             | 28 +++++++++++++++++++++++++++-
>>   tools/include/uapi/linux/bpf.h |  8 ++++++++
>>   5 files changed, 72 insertions(+), 1 deletion(-)
>>
> 
> LGTM, but see a nit below and in selftest patch
> 
> Acked-by: Andrii Nakryiko <andrii@kernel.org>
> 
> [...]
> 
>>
>> +int bpf_token_get_info_by_fd(struct bpf_token *token,
>> +                            const union bpf_attr *attr,
>> +                            union bpf_attr __user *uattr)
>> +{
>> +       struct bpf_token_info __user *uinfo;
>> +       struct bpf_token_info info;
>> +       u32 info_copy, uinfo_len;
>> +
>> +       uinfo = u64_to_user_ptr(attr->info.info);
>> +       uinfo_len = attr->info.info_len;
>> +
>> +       info_copy = min_t(u32, uinfo_len, sizeof(info));
> 
> you don't use info_len past this point, so just reassign it instead of
> adding another variable (info_copy); seems like some other
> get_info_by_fd functions use the same approach
> 

will change it in v3, thanks.

>> +       memset(&info, 0, sizeof(info));
>> +
>> +       info.allowed_cmds = token->allowed_cmds;
>> +       info.allowed_maps = token->allowed_maps;
>> +       info.allowed_progs = token->allowed_progs;
>> +       info.allowed_attachs = token->allowed_attachs;
>> +
>> +       if (copy_to_user(uinfo, &info, info_copy) ||
>> +           put_user(info_copy, &uattr->info.info_len))
>> +               return -EFAULT;
>> +
>> +       return 0;
>> +}
>> +
> 
> [...]


-- 
Best Regards
Tao Chen