Re: [PATCH v12 bpf-next 00/17] BPF token and BPF FS-based delegation
From: patchwork-bot+netdevbpf@kernel.org
Date: 2023-12-06 18:20:31
Also in: bpf, linux-fsdevel, linux-security-module
Hello:

This series was applied to bpf/bpf-next.git (master) by Alexei Starovoitov [off-list ref]:

On Thu, 30 Nov 2023 10:52:12 -0800 you wrote:
> This patch set introduces an ability to delegate a subset of BPF subsystem functionality from privileged system-wide daemon (e.g., systemd or any other container manager) through special mount options for userns-bound BPF FS to a *trusted* unprivileged application. Trust is the key here. This functionality is not about allowing unconditional unprivileged BPF usage. Establishing trust, though, is completely up to the discretion of respective privileged application that would create and mount a BPF FS instance with delegation enabled, as different production setups can and do achieve it through a combination of different means (signing, LSM, code reviews, etc), and it's undesirable and infeasible for kernel to enforce any particular way of validating trustworthiness of particular process.
>
> [...]

Here is the summary with links:
- [v12,bpf-next,01/17] bpf: align CAP_NET_ADMIN checks with bpf_capable() approach
https://git.kernel.org/bpf/bpf-next/c/909fa05dd3c1
- [v12,bpf-next,02/17] bpf: add BPF token delegation mount options to BPF FS
https://git.kernel.org/bpf/bpf-next/c/40bba140c60f
- [v12,bpf-next,03/17] bpf: introduce BPF token object
https://git.kernel.org/bpf/bpf-next/c/4527358b7686
- [v12,bpf-next,04/17] bpf: add BPF token support to BPF_MAP_CREATE command
https://git.kernel.org/bpf/bpf-next/c/688b7270b3cb
- [v12,bpf-next,05/17] bpf: add BPF token support to BPF_BTF_LOAD command
https://git.kernel.org/bpf/bpf-next/c/ee54b1a910e4
- [v12,bpf-next,06/17] bpf: add BPF token support to BPF_PROG_LOAD command
https://git.kernel.org/bpf/bpf-next/c/e1cef620f598
- [v12,bpf-next,07/17] bpf: take into account BPF token when fetching helper protos
https://git.kernel.org/bpf/bpf-next/c/4cbb270e115b
- [v12,bpf-next,08/17] bpf: consistently use BPF token throughout BPF verifier logic
https://git.kernel.org/bpf/bpf-next/c/8062fb12de99
- [v12,bpf-next,09/17] bpf,lsm: refactor bpf_prog_alloc/bpf_prog_free LSM hooks
https://git.kernel.org/bpf/bpf-next/c/c3dd6e94df71
- [v12,bpf-next,10/17] bpf,lsm: refactor bpf_map_alloc/bpf_map_free LSM hooks
https://git.kernel.org/bpf/bpf-next/c/66d636d70a79
- [v12,bpf-next,11/17] bpf,lsm: add BPF token LSM hooks
https://git.kernel.org/bpf/bpf-next/c/d734ca7b33db
- [v12,bpf-next,12/17] libbpf: add bpf_token_create() API
https://git.kernel.org/bpf/bpf-next/c/ecd435143eb0
- [v12,bpf-next,13/17] libbpf: add BPF token support to bpf_map_create() API
https://git.kernel.org/bpf/bpf-next/c/37891cea6699
- [v12,bpf-next,14/17] libbpf: add BPF token support to bpf_btf_load() API
https://git.kernel.org/bpf/bpf-next/c/1a8df7fa00aa
- [v12,bpf-next,15/17] libbpf: add BPF token support to bpf_prog_load() API
https://git.kernel.org/bpf/bpf-next/c/1571740a9ba0
- [v12,bpf-next,16/17] selftests/bpf: add BPF token-enabled tests
https://git.kernel.org/bpf/bpf-next/c/dc5196fac40c
- [v12,bpf-next,17/17] bpf,selinux: allocate bpf_security_struct per BPF token
https://git.kernel.org/bpf/bpf-next/c/36fb94944b35
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html