On Fri, Dec 8, 2023 at 1:49 PM Christian Brauner <brauner@xxxxxxxxxx> wrote: > > On Thu, Dec 07, 2023 at 10:54:36AM -0800, Andrii Nakryiko wrote: > > It's quite confusing in practice when it's possible to successfully > > create a BPF token from BPF FS that didn't have any of delegate_xxx > > mount options set up. While it's not wrong, it's actually more > > meaningful to reject BPF_TOKEN_CREATE with specific error code (-ENOENT) > > to let user-space know that no token delegation is setup up. > > > > So, instead of creating empty BPF token that will be always ignored > > because it doesn't have any of the allow_xxx bits set, reject it with > > -ENOENT. If we ever need empty BPF token to be possible, we can support > > that with extra flag passed into BPF_TOKEN_CREATE. > > > > Signed-off-by: Andrii Nakryiko <andrii@xxxxxxxxxx> > > --- > > Might consider EOPNOTSUPP (or whatever the correct way of spelling this I thought about that, but it felt wrong to return "unsupported" error code, because BPF token is supported, it's just not setup/delegated on that particular instance of BPF FS. So in that sense it felt like "BPF token is not there" is more appropriate, which is why I went with -ENOENT. And also I was worried that we might add -EOPNOTSUPP for some unsupported combinations of flags or something, and then it will become confusing to detect when some functionality is really not supported, or if BPF token delegation isn't set on BPF FS. I hope that makes sense and is not too contrived an argument. > is). Otherwise, > Acked-by: Christian Brauner <brauner@xxxxxxxxxx>