libbpf: support BPF token path setting through LIBBPF_BPF_TOKEN_PATH envvar

To allow external admin authority to override default BPF FS location
(/sys/fs/bpf) for implicit BPF token creation, teach libbpf to recognize
LIBBPF_BPF_TOKEN_PATH envvar. If it is specified and user application
didn't explicitly specify neither bpf_token_path nor bpf_token_fd
option, it will be treated exactly like bpf_token_path option,
overriding default /sys/fs/bpf location and making BPF token mandatory.

Suggested-by: Alexei Starovoitov <[email protected]>
Signed-off-by: Andrii Nakryiko <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Alexei Starovoitov <[email protected]>

Author: anakryiko

tools/lib/bpf/libbpf.c

@@ -7171,11 +7171,17 @@ static struct bpf_object *bpf_object_open(const char *path, const void *obj_buf,
 	/* non-empty token path can't be combined with invalid token FD */
 	if (token_path && token_path[0] != '\0' && token_fd < 0)
 		return ERR_PTR(-EINVAL);
+	/* empty token path can't be combined with valid token FD */
+	if (token_path && token_path[0] == '\0' && token_fd > 0)
+		return ERR_PTR(-EINVAL);
+	/* if user didn't specify bpf_token_path/bpf_token_fd explicitly,
+	 * check if LIBBPF_BPF_TOKEN_PATH envvar was set and treat it as
+	 * bpf_token_path option
+	 */
+	if (token_fd == 0 && !token_path)
+		token_path = getenv("LIBBPF_BPF_TOKEN_PATH");
+	/* empty token_path is equivalent to invalid token_fd */
 	if (token_path && token_path[0] == '\0') {
-		/* empty token path can't be combined with valid token FD */
-		if (token_fd > 0)
-			return ERR_PTR(-EINVAL);
-		/* empty token_path is equivalent to invalid token_fd */
 		token_path = NULL;
 		token_fd = -1;
 	}

tools/lib/bpf/libbpf.h

@@ -185,8 +185,16 @@ struct bpf_object_open_opts {
 	 * attempt to create BPF token from default BPF FS mount point
 	 * (/sys/fs/bpf), in case this default behavior is undesirable.
 	 *
+	 * If bpf_token_path and bpf_token_fd are not specified, libbpf will
+	 * consult LIBBPF_BPF_TOKEN_PATH environment variable. If set, it will
+	 * be taken as a value of bpf_token_path option and will force libbpf
+	 * to either create BPF token from provided custom BPF FS path, or
+	 * will disable implicit BPF token creation, if envvar value is an
+	 * empty string.
+	 *
 	 * bpf_token_path and bpf_token_fd are mutually exclusive and only one
-	 * of those options should be set.
+	 * of those options should be set. Either of them overrides
+	 * LIBBPF_BPF_TOKEN_PATH envvar.
 	 */
 	int bpf_token_fd;
 	/* Path to BPF FS mount point to derive BPF token from.
@@ -200,7 +208,8 @@ struct bpf_object_open_opts {
 	 * point (/sys/fs/bpf), in case this default behavior is undesirable.
 	 *
 	 * bpf_token_path and bpf_token_fd are mutually exclusive and only one
-	 * of those options should be set.
+	 * of those options should be set. Either of them overrides
+	 * LIBBPF_BPF_TOKEN_PATH envvar.
 	 */
 	const char *bpf_token_path;