bpf: Add BPF token support to BPF_BTF_LOAD command

Accept BPF token FD in BPF_BTF_LOAD command to allow BTF data loading
through delegated BPF token. BPF_F_TOKEN_FD flag has to be specified
when passing BPF token FD. Given BPF_BTF_LOAD command didn't have flags
field before, we also add btf_flags field.

BTF loading is a pretty straightforward operation, so as long as BPF
token is created with allow_cmds granting BPF_BTF_LOAD command, kernel
proceeds to parsing BTF data and creating BTF object.

Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Link: https://lore.kernel.org/bpf/20240124022127.2379740-6-andrii@kernel.org

diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h
index c78cab8b462d4f0bbf70389f7ae8d83d8fcf6605..cb2c888e3bb4dee2337229a264083f43cca4e756 100644 (file)
--- a/include/uapi/linux/bpf.h
+++ b/include/uapi/linux/bpf.h
@@ -1632,6 +1632,11 @@ union bpf_attr {
                 * truncated), or smaller (if log buffer wasn't filled completely).
                 */
                __u32           btf_log_true_size;
+               __u32           btf_flags;
+               /* BPF token FD to use with BPF_BTF_LOAD operation.
+                * If provided, btf_flags should have BPF_F_TOKEN_FD flag set.
+                */
+               __s32           btf_token_fd;
        };
 
        struct {

diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
index b13a4bdcd3a044d06ad0ed5c84d58ffca535f8c2..45b3a55896eba5ecaa6b8fa931cdfdfc8d7ee0bc 100644 (file)
--- a/kernel/bpf/syscall.c
+++ b/kernel/bpf/syscall.c
@@ -4831,15 +4831,34 @@ static int bpf_obj_get_info_by_fd(const union bpf_attr *attr,
        return err;
 }
 
-#define BPF_BTF_LOAD_LAST_FIELD btf_log_true_size
+#define BPF_BTF_LOAD_LAST_FIELD btf_token_fd
 
 static int bpf_btf_load(const union bpf_attr *attr, bpfptr_t uattr, __u32 uattr_size)
 {
+       struct bpf_token *token = NULL;
+
        if (CHECK_ATTR(BPF_BTF_LOAD))
                return -EINVAL;
 
-       if (!bpf_capable())
+       if (attr->btf_flags & ~BPF_F_TOKEN_FD)
+               return -EINVAL;
+
+       if (attr->btf_flags & BPF_F_TOKEN_FD) {
+               token = bpf_token_get_from_fd(attr->btf_token_fd);
+               if (IS_ERR(token))
+                       return PTR_ERR(token);
+               if (!bpf_token_allow_cmd(token, BPF_BTF_LOAD)) {
+                       bpf_token_put(token);
+                       token = NULL;
+               }
+       }
+
+       if (!bpf_token_capable(token, CAP_BPF)) {
+               bpf_token_put(token);
                return -EPERM;
+       }
+
+       bpf_token_put(token);
 
        return btf_new_fd(attr, uattr, uattr_size);
 }

diff --git a/tools/include/uapi/linux/bpf.h b/tools/include/uapi/linux/bpf.h
index c78cab8b462d4f0bbf70389f7ae8d83d8fcf6605..cb2c888e3bb4dee2337229a264083f43cca4e756 100644 (file)
--- a/tools/include/uapi/linux/bpf.h
+++ b/tools/include/uapi/linux/bpf.h
@@ -1632,6 +1632,11 @@ union bpf_attr {
                 * truncated), or smaller (if log buffer wasn't filled completely).
                 */
                __u32           btf_log_true_size;
+               __u32           btf_flags;
+               /* BPF token FD to use with BPF_BTF_LOAD operation.
+                * If provided, btf_flags should have BPF_F_TOKEN_FD flag set.
+                */
+               __s32           btf_token_fd;
        };
 
        struct {