From: Tao Chen <chen.dylane@linux.dev>
To: Andrii Nakryiko <andrii.nakryiko@gmail.com>
Cc: ast@kernel.org, daniel@iogearbox.net, andrii@kernel.org,
martin.lau@linux.dev, eddyz87@gmail.com, song@kernel.org,
yonghong.song@linux.dev, john.fastabend@gmail.com,
kpsingh@kernel.org, sdf@fomichev.me, haoluo@google.com,
jolsa@kernel.org, willemb@google.com, kerneljasonxing@gmail.com,
bpf@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH bpf-next 1/2] bpf: Add struct bpf_token_info
Date: Mon, 14 Jul 2025 21:15:45 +0800 [thread overview]
Message-ID: <f580b139-a08b-4705-addd-31f104fd570c@linux.dev> (raw)
In-Reply-To: <CAEf4BzZzsqu1=Q-3+6uJvgvKd52o+FR=DFp28w+vT5knP9NyCQ@mail.gmail.com>
在 2025/7/12 01:10, Andrii Nakryiko 写道:
Hi Andrri,
> On Fri, Jul 11, 2025 at 2:45 AM Tao Chen <chen.dylane@linux.dev> wrote:
>>
>> The 'commit 35f96de04127 ("bpf: Introduce BPF token object")' added
>> BPF token as a new kind of BPF kernel object. And BPF_OBJ_GET_INFO_BY_FD
>> already used to get BPF object info, so we can also get token info with
>> this cmd.
>>
>
> Do you have a specific use case in mind for this API? I can see how
> this might be useful for some hypothetical cases, but I have a few
> reservations as of right now:
>
> - we don't allow iterating all BPF token objects in the system the
> same way we do it for progs, maps, and btfs, so bpftool cannot take
> advantage of this to list all available tokens and their info, which
> makes this API a bit less useful, IMO;
>
> - BPF token was designed in a way that users don't really need to
> know allowed_* values (and if they do, they can get it from BPF FS's
> mount information (e.g., from /proc/mounts).
>
> As I said, I can come up with some hypothetical situations where a
> user might want to avoid doing something that otherwise they'd do
> outside of userns, but I'm wondering what your motivations are for
> this?
>
Sorry for the delay. Recentlly, i tried to use bpf_token feature in our
production environment, in fact, bpf_token grants permission to prog,
map, cmd, etc. It would be great if it could indicate which specific
permission is the issue to user. So i wanted to provide a token info
query interface. As you said, "mount | grep bpf" may solve it, but
functionally, can we make it more complete?
>> Signed-off-by: Tao Chen <chen.dylane@linux.dev>
>> ---
>> include/linux/bpf.h | 11 +++++++++++
>> include/uapi/linux/bpf.h | 8 ++++++++
>> kernel/bpf/syscall.c | 18 ++++++++++++++++++
>> kernel/bpf/token.c | 30 ++++++++++++++++++++++++++++--
>> tools/include/uapi/linux/bpf.h | 8 ++++++++
>> 5 files changed, 73 insertions(+), 2 deletions(-)
>>
>
> [...]
--
Best Regards
Tao Chen
next prev parent reply other threads:[~2025-07-14 13:16 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-07-11 9:45 [PATCH bpf-next 1/2] bpf: Add struct bpf_token_info Tao Chen
2025-07-11 9:45 ` [PATCH bpf-next 2/2] bpf/selftests: Add selftests for token info Tao Chen
2025-07-11 17:10 ` [PATCH bpf-next 1/2] bpf: Add struct bpf_token_info Andrii Nakryiko
2025-07-14 13:15 ` Tao Chen [this message]
2025-07-14 21:06 ` Andrii Nakryiko
2025-07-15 2:21 ` Tao Chen
2025-07-12 15:18 ` kernel test robot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=f580b139-a08b-4705-addd-31f104fd570c@linux.dev \
--to=chen.dylane@linux.dev \
--cc=andrii.nakryiko@gmail.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=eddyz87@gmail.com \
--cc=haoluo@google.com \
--cc=john.fastabend@gmail.com \
--cc=jolsa@kernel.org \
--cc=kerneljasonxing@gmail.com \
--cc=kpsingh@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=martin.lau@linux.dev \
--cc=sdf@fomichev.me \
--cc=song@kernel.org \
--cc=willemb@google.com \
--cc=yonghong.song@linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).