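Lines matching full:token (full-text query "token"). Each entry is one matching line: its line number in the source file, the line's text, then the enclosing function where there is one. Non-matching lines are omitted, so no function body below is complete.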

17 bool bpf_token_capable(const struct bpf_token *token, int cap)  in bpf_token_capable()  argument
21 /* BPF token allows ns_capable() level of capabilities */ in bpf_token_capable()
22 userns = token ? token->userns : &init_user_ns; in bpf_token_capable()
25 if (token && security_bpf_token_capable(token, cap) < 0) in bpf_token_capable()
30 void bpf_token_inc(struct bpf_token *token) in bpf_token_inc() argument
32 atomic64_inc(&token->refcnt); in bpf_token_inc()
35 static void bpf_token_free(struct bpf_token *token) in bpf_token_free() argument
37 security_bpf_token_free(token); in bpf_token_free()
38 put_user_ns(token->userns); in bpf_token_free()
39 kfree(token); in bpf_token_free()
44 struct bpf_token *token = container_of(work, struct bpf_token, work); in bpf_token_put_deferred() local
46 bpf_token_free(token); in bpf_token_put_deferred()
49 void bpf_token_put(struct bpf_token *token) in bpf_token_put() argument
51 if (!token) in bpf_token_put()
54 if (!atomic64_dec_and_test(&token->refcnt)) in bpf_token_put()
57 INIT_WORK(&token->work, bpf_token_put_deferred); in bpf_token_put()
58 schedule_work(&token->work); in bpf_token_put()
63 struct bpf_token *token = filp->private_data; in bpf_token_release() local
65 bpf_token_put(token); in bpf_token_release()
71 struct bpf_token *token = filp->private_data; in bpf_token_show_fdinfo() local
76 if ((token->allowed_cmds & mask) == mask) in bpf_token_show_fdinfo()
79 seq_printf(m, "allowed_cmds:\t0x%llx\n", token->allowed_cmds); in bpf_token_show_fdinfo()
83 if ((token->allowed_maps & mask) == mask) in bpf_token_show_fdinfo()
86 seq_printf(m, "allowed_maps:\t0x%llx\n", token->allowed_maps); in bpf_token_show_fdinfo()
90 if ((token->allowed_progs & mask) == mask) in bpf_token_show_fdinfo()
93 seq_printf(m, "allowed_progs:\t0x%llx\n", token->allowed_progs); in bpf_token_show_fdinfo()
97 if ((token->allowed_attachs & mask) == mask) in bpf_token_show_fdinfo()
100 seq_printf(m, "allowed_attachs:\t0x%llx\n", token->allowed_attachs); in bpf_token_show_fdinfo()
103 #define BPF_TOKEN_INODE_NAME "bpf-token"
114 struct bpf_token *token __free(kfree) = NULL; in bpf_token_create()
149 /* Creating BPF token in init_user_ns doesn't make much sense. */ in bpf_token_create()
158 return -ENOENT; /* no BPF token delegation is set up */ in bpf_token_create()
175 token = kzalloc_obj(*token, GFP_USER); in bpf_token_create()
176 if (!token) in bpf_token_create()
179 atomic64_set(&token->refcnt, 1); in bpf_token_create()
182 token->userns = userns; in bpf_token_create()
183 token->allowed_cmds = mnt_opts->delegate_cmds; in bpf_token_create()
184 token->allowed_maps = mnt_opts->delegate_maps; in bpf_token_create()
185 token->allowed_progs = mnt_opts->delegate_progs; in bpf_token_create()
186 token->allowed_attachs = mnt_opts->delegate_attachs; in bpf_token_create()
188 err = security_bpf_token_create(token, attr, &path); in bpf_token_create()
192 get_user_ns(token->userns); in bpf_token_create()
193 fd_prepare_file(fdf)->private_data = no_free_ptr(token); in bpf_token_create()
197 int bpf_token_get_info_by_fd(struct bpf_token *token, in bpf_token_get_info_by_fd() argument
208 info.allowed_cmds = token->allowed_cmds; in bpf_token_get_info_by_fd()
209 info.allowed_maps = token->allowed_maps; in bpf_token_get_info_by_fd()
210 info.allowed_progs = token->allowed_progs; in bpf_token_get_info_by_fd()
211 info.allowed_attachs = token->allowed_attachs; in bpf_token_get_info_by_fd()
223 struct bpf_token *token; in bpf_token_get_from_fd() local
230 token = fd_file(f)->private_data; in bpf_token_get_from_fd()
231 bpf_token_inc(token); in bpf_token_get_from_fd()
233 return token; in bpf_token_get_from_fd()
236 bool bpf_token_allow_cmd(const struct bpf_token *token, enum bpf_cmd cmd) in bpf_token_allow_cmd() argument
238 if (!token) in bpf_token_allow_cmd()
240 if (!(token->allowed_cmds & BIT_ULL(cmd))) in bpf_token_allow_cmd()
242 return security_bpf_token_cmd(token, cmd) == 0; in bpf_token_allow_cmd()
245 bool bpf_token_allow_map_type(const struct bpf_token *token, enum bpf_map_type type) in bpf_token_allow_map_type() argument
247 if (!token || type >= __MAX_BPF_MAP_TYPE) in bpf_token_allow_map_type()
250 return token->allowed_maps & BIT_ULL(type); in bpf_token_allow_map_type()
253 bool bpf_token_allow_prog_type(const struct bpf_token *token, in bpf_token_allow_prog_type() argument
257 if (!token || prog_type >= __MAX_BPF_PROG_TYPE || attach_type >= __MAX_BPF_ATTACH_TYPE) in bpf_token_allow_prog_type()
260 return (token->allowed_progs & BIT_ULL(prog_type)) && in bpf_token_allow_prog_type()
261 (token->allowed_attachs & BIT_ULL(attach_type)); in bpf_token_allow_prog_type()