On Thu, Dec 07, 2023 at 10:54:36AM -0800, Andrii Nakryiko wrote:
> It's quite confusing in practice when it's possible to successfully
> create a BPF token from BPF FS that didn't have any of delegate_xxx
> mount options set up. While it's not wrong, it's actually more
> meaningful to reject BPF_TOKEN_CREATE with specific error code (-ENOENT)
> to let user-space know that no token delegation is set up.
>
> So, instead of creating empty BPF token that will be always ignored
> because it doesn't have any of the allow_xxx bits set, reject it with
> -ENOENT. If we ever need empty BPF token to be possible, we can support
> that with extra flag passed into BPF_TOKEN_CREATE.
>
> Signed-off-by: Andrii Nakryiko <andrii@xxxxxxxxxx>
> ---

Might consider EOPNOTSUPP (or whatever the correct way of spelling this
is). Otherwise,

Acked-by: Christian Brauner <brauner@xxxxxxxxxx>