Jesper Dangaard Brouer <bro...@redhat.com> writes:

> On Thu, 06 Jun 2019 15:24:14 +0200
> Toke Høiland-Jørgensen <t...@redhat.com> wrote:
>
>> From: Toke Høiland-Jørgensen <t...@redhat.com>
>>
>> We don't currently allow lookups into a devmap from eBPF, because the map
>> lookup returns a pointer directly to the dev->ifindex, which shouldn't be
>> modifiable from eBPF.
>>
>> However, being able to do lookups in devmaps is useful to know (e.g.)
>> whether forwarding to a specific interface is enabled. Currently, programs
>> work around this by keeping a shadow map of another type which indicates
>> whether a map index is valid.
>>
>> Since we now have a flag to make maps read-only from the eBPF side, we can
>> simply lift the lookup restriction if we make sure this flag is always set.
>
> Nice, I didn't know this was possible. I like it! :-)

Me neither; discovered it while looking through the verifier code to
figure out what would be needed to get the verifier to enforce read-only
semantics. Not much, as it turned out :)

The functionality was introduced in:

591fe9888d78 ("bpf: add program side {rd, wr}only support for maps") by
Daniel from April 9th.

-Toke