libbpf: support BPF token path setting through LIBBPF_BPF_TOKEN_PATH envvar

To allow external admin authority to override default BPF FS location
(/sys/fs/bpf) for implicit BPF token creation, teach libbpf to recognize
LIBBPF_BPF_TOKEN_PATH envvar. If it is specified and user application
didn't explicitly specify neither bpf_token_path nor bpf_token_fd
option, it will be treated exactly like bpf_token_path option,
overriding default /sys/fs/bpf location and making BPF token mandatory.

Suggested-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Link: https://lore.kernel.org/r/20231213190842.3844987-10-andrii@kernel.org
Signed-off-by: Alexei Starovoitov <ast@kernel.org>

diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c
index db94bbe163e3ebfd765bfe275fc7b3b05dfdf620..4b5ff9508e18fd93ea442b5f8beeb73daf342a43 100644 (file)
--- a/tools/lib/bpf/libbpf.c
+++ b/tools/lib/bpf/libbpf.c
@@ -7171,11 +7171,17 @@ static struct bpf_object *bpf_object_open(const char *path, const void *obj_buf,
        /* non-empty token path can't be combined with invalid token FD */
        if (token_path && token_path[0] != '\0' && token_fd < 0)
                return ERR_PTR(-EINVAL);
+       /* empty token path can't be combined with valid token FD */
+       if (token_path && token_path[0] == '\0' && token_fd > 0)
+               return ERR_PTR(-EINVAL);
+       /* if user didn't specify bpf_token_path/bpf_token_fd explicitly,
+        * check if LIBBPF_BPF_TOKEN_PATH envvar was set and treat it as
+        * bpf_token_path option
+        */
+       if (token_fd == 0 && !token_path)
+               token_path = getenv("LIBBPF_BPF_TOKEN_PATH");
+       /* empty token_path is equivalent to invalid token_fd */
        if (token_path && token_path[0] == '\0') {
-               /* empty token path can't be combined with valid token FD */
-               if (token_fd > 0)
-                       return ERR_PTR(-EINVAL);
-               /* empty token_path is equivalent to invalid token_fd */
                token_path = NULL;
                token_fd = -1;
        }

diff --git a/tools/lib/bpf/libbpf.h b/tools/lib/bpf/libbpf.h
index d3de39b537f3f63d0bd5382fb7bdbe5176a96458..916904bd2a7ad1d928c4915617a2591034fc72df 100644 (file)
--- a/tools/lib/bpf/libbpf.h
+++ b/tools/lib/bpf/libbpf.h
@@ -185,8 +185,16 @@ struct bpf_object_open_opts {
         * attempt to create BPF token from default BPF FS mount point
         * (/sys/fs/bpf), in case this default behavior is undesirable.
         *
+        * If bpf_token_path and bpf_token_fd are not specified, libbpf will
+        * consult LIBBPF_BPF_TOKEN_PATH environment variable. If set, it will
+        * be taken as a value of bpf_token_path option and will force libbpf
+        * to either create BPF token from provided custom BPF FS path, or
+        * will disable implicit BPF token creation, if envvar value is an
+        * empty string.
+        *
         * bpf_token_path and bpf_token_fd are mutually exclusive and only one
-        * of those options should be set.
+        * of those options should be set. Either of them overrides
+        * LIBBPF_BPF_TOKEN_PATH envvar.
         */
        int bpf_token_fd;
        /* Path to BPF FS mount point to derive BPF token from.
@@ -200,7 +208,8 @@ struct bpf_object_open_opts {
         * point (/sys/fs/bpf), in case this default behavior is undesirable.
         *
         * bpf_token_path and bpf_token_fd are mutually exclusive and only one
-        * of those options should be set.
+        * of those options should be set. Either of them overrides
+        * LIBBPF_BPF_TOKEN_PATH envvar.
         */
        const char *bpf_token_path;