Message-ID: <f956664e-24a2-410a-be9b-4d90e08c7c64@kernel.org>
Date: Tue, 22 Jul 2025 10:23:53 +0100
From: Quentin Monnet <qmo@...nel.org>
To: Tao Chen <chen.dylane@...ux.dev>, ast@...nel.org, daniel@...earbox.net,
 andrii@...nel.org, martin.lau@...ux.dev, eddyz87@...il.com, song@...nel.org,
 yonghong.song@...ux.dev, john.fastabend@...il.com, kpsingh@...nel.org,
 sdf@...ichev.me, haoluo@...gle.com, jolsa@...nel.org, davem@...emloft.net,
 kuba@...nel.org, hawk@...nel.org
Cc: linux-kernel@...r.kernel.org, bpf@...r.kernel.org, netdev@...r.kernel.org
Subject: Re: [PATCH bpf-next 1/2] bpftool: Add bpf_token show

2025-07-22 13:48 UTC+0800 ~ Tao Chen <chen.dylane@...ux.dev>
> On 2025/7/22 00:23, Quentin Monnet wrote:
>> Thanks a lot for this!
>>
> 
> Hi Quentin,
> 
>>
>> 2025-07-21 01:33 UTC+0800 ~ Tao Chen <chen.dylane@...ux.dev>
>>> Add `bpftool token show` command to get token info
>>> from bpf fs in /proc/mounts.
>>>
>>> Example plain output for `token show`:
>>> token_info:
>>>          /sys/fs/bpf/token
>>>
>>> allowed_cmds:
>>>          map_create          prog_load
>>>
>>> allowed_maps:
>>>
>>> allowed_progs:
>>>          kprobe
>>>
>>> allowed_attachs:
>>>          xdp
>>>
>>> Example json output for `token show`:
>>> {
>>>      "token_info": "/sys/fs/bpf/token",
>>>      "allowed_cmds": ["map_create","prog_load"
>>>      ],
>>>      "allowed_maps":
>>
>>
>> This is not valid JSON. You're missing a value for "allowed_maps" (here
>> it should likely be an empty array), and the comma:
>>
>>     "allowed_maps": [],
>>
>>
>>>      "allowed_progs": ["kprobe"
>>>      ],
>>>      "allowed_attachs": ["xdp"
>>>      ]
>>> }
>>>
>>> Signed-off-by: Tao Chen <chen.dylane@...ux.dev>
>>> ---
>>>   tools/bpf/bpftool/main.c  |   3 +-
>>>   tools/bpf/bpftool/main.h  |   1 +
>>>   tools/bpf/bpftool/token.c | 229 ++++++++++++++++++++++++++++++++++++++
>>>   3 files changed, 232 insertions(+), 1 deletion(-)
>>>   create mode 100644 tools/bpf/bpftool/token.c
>>>

[...]

>>> diff --git a/tools/bpf/bpftool/token.c b/tools/bpf/bpftool/token.c
>>> new file mode 100644
>>> index 00000000000..2fcaff4f2ba
>>> --- /dev/null
>>> +++ b/tools/bpf/bpftool/token.c

[...]

>>> +            if (has_delegate_options(ent->mnt_opts)) {
>>> +                hit = true;
>>> +                break;
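Review bot: the `break` right after `hit = true` ends the /proc/mounts walk at the first bpffs entry whose options pass `has_delegate_options()`, so any further bpffs mount carrying its own delegate options is silently skipped. Suggest dropping the `break` and accumulating (or printing) every matching entry so the command reports all tokens present on the system.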
>>
>>
>> Apologies, my knowledge of BPF tokens is limited. Can you have only one
>> token exposed through a bpffs at a time? Asking because I know you can
>> have several bpffs on your system, if each can have delegate options
>> then why stop after the first bpffs mount point you find?
>>
> 
> Yes it is, only the first bpffs with token info will be shown above.
> Actually, it is not limited how many bpffs are created in the kernel; it
> depends on the user scenarios. In most cases, only one will be created.
> But, maybe it's better to show all. I will change it in v2.

Yes please. If there are several tokens available, bpftool should "list"
them all, as the command name implies. The user scenarios don't really
count here, we should just dump all token info we can see. In the
future, we could then add the possibility to take an argument (likely a
path to a bpffs) to show info for a particular mountpoint; a bit like
you can list all existing programs with "bpftool prog show" but can also
choose to pick one with "bpftool prog show id ...".

If we print info for several mountpoints, I'd suggest adjusting the
format for the plain output slightly: I'd remove the blank lines between
the different sections to get something more compact, maybe play with
the indent as well, like when we list programs or maps.

Thanks,
Quentin
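The point argued in this thread, that a token lister must walk every bpffs mount rather than stop at the first one, as an added standalone example that is not the patch's code nor part of bpftool. It parses a constructed /proc/mounts-style buffer (the sample lines and mountpoints are made up for the example), keeps only entries whose fstype is `bpf` and whose options contain one of the kernel's `delegate_cmds`/`delegate_maps`/`delegate_progs`/`delegate_attachs` mount options, and collects all of them instead of breaking after the first hit. `opts_have_delegate()` is an assumed stand-in playing the role of the patch's `has_delegate_options()` helper, whose body is not on the page.

```c
#include <stdio.h>
#include <string.h>

#define MAX_TOKENS 16
#define PATH_LEN 256
#define OPTS_LEN 1024

struct token_mount {
	char mountpoint[PATH_LEN];
	char opts[OPTS_LEN];
};

/* Constructed sample of /proc/mounts content (not captured from a real
 * system): two bpffs mounts carry delegate_* options, one bpffs does not,
 * and one tmpfs line carries a delegate option but is not bpffs at all. */
static const char sample_mounts[] =
	"proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0\n"
	"bpf /sys/fs/bpf bpf rw,nosuid,nodev,noexec,relatime,mode=700 0 0\n"
	"none /sys/fs/bpf/token bpf rw,relatime,delegate_cmds=map_create:prog_load,delegate_progs=kprobe,delegate_attachs=xdp 0 0\n"
	"tmpfs /run tmpfs rw,nosuid,nodev,delegate_cmds=any 0 0\n"
	"none /mnt/bpf2 bpf rw,relatime,delegate_cmds=any,delegate_maps=any,delegate_progs=any,delegate_attachs=any 0 0\n";

/* Returns 1 if the comma-separated mount option string contains any
 * option whose name starts with "delegate_" (assumed stand-in for the
 * patch's has_delegate_options() helper). */
static int opts_have_delegate(const char *opts)
{
	const char *p = opts;

	while (p && *p) {
		if (strncmp(p, "delegate_", 9) == 0)
			return 1;
		p = strchr(p, ',');
		if (p)
			p++;
	}
	return 0;
}

/* Walks every line of a /proc/mounts-style buffer and records ALL bpffs
 * mounts that carry delegate options; there is deliberately no early
 * break, so a second or third token-bearing bpffs is reported too.
 * Returns the number of entries stored in out[]. */
static int collect_token_mounts(const char *mounts, struct token_mount *out,
				int max)
{
	const char *line = mounts;
	int n = 0;

	while (line && *line && n < max) {
		const char *nl = strchr(line, '\n');
		size_t len = nl ? (size_t)(nl - line) : strlen(line);
		char buf[2048];
		char dev[PATH_LEN], mnt[PATH_LEN], fstype[64], opts[OPTS_LEN];

		if (len >= sizeof(buf))
			len = sizeof(buf) - 1;
		memcpy(buf, line, len);
		buf[len] = '\0';

		/* fields: device mountpoint fstype options dump pass */
		if (sscanf(buf, "%255s %255s %63s %1023s", dev, mnt, fstype, opts) == 4 &&
		    strcmp(fstype, "bpf") == 0 && opts_have_delegate(opts)) {
			snprintf(out[n].mountpoint, PATH_LEN, "%s", mnt);
			snprintf(out[n].opts, OPTS_LEN, "%s", opts);
			n++;
		}
		line = nl ? nl + 1 : NULL;
	}
	return n;
}

int main(void)
{
	struct token_mount found[MAX_TOKENS];
	int n = collect_token_mounts(sample_mounts, found, MAX_TOKENS);

	for (int i = 0; i < n; i++)
		printf("token_info: %s\n    opts: %s\n", found[i].mountpoint, found[i].opts);
	return 0;
}
```

Checking the fstype as well as the option string matters: the tmpfs line above also says `delegate_cmds=any`, and a scan of `mnt_opts` alone would wrongly report it as a token mount.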
