> On Aug 7, 2019, at 2:03 AM, Lorenz Bauer <l...@cloudflare.com> wrote: > >> On Wed, 7 Aug 2019 at 06:24, Andy Lutomirski <l...@kernel.org> wrote: >> a) Those that, by design, control privileged operations. This >> includes most attach calls, but it also includes allow_ptr_leaks, >> bpf_probe_read(), and quite a few other things. It also includes all >> of the by_id calls, I think, unless some clever modification to the >> way they worked would isolate different users' objects. I think that >> persistent objects can do pretty much everything that by_id users >> would need, so this isn't a big deal. > > Slightly OT, since this is an implementation question: GET_MAP_FD_BY_ID > is useful to iterate a nested map. This isn't covered by rights to > persistent objects, > so it would need some thought. > >
A call to get an fd to a map referenced by a map to which you already have an fd seems reasonable to me. The new fd would inherit the old fd’s access mode.
