From: Daniel Borkmann <daniel@iogearbox.net>
To: Edwin Peer <epeer@juniper.net>
Cc: Y Song <ys114321@gmail.com>,
"netdev@vger.kernel.org" <netdev@vger.kernel.org>,
"ast@kernel.org" <ast@kernel.org>, bpf <bpf@vger.kernel.org>
Subject: Re: [RFC PATCH bpf-next 0/2] unprivileged BPF_PROG_TEST_RUN
Date: Thu, 19 Dec 2019 16:47:04 +0100 [thread overview]
Message-ID: <20191219154704.GC4198@linux-9.fritz.box> (raw)
In-Reply-To: <69266F42-6D0B-4F0B-805C-414880AC253D@juniper.net>
On Thu, Dec 19, 2019 at 02:50:42PM +0000, Edwin Peer wrote:
> On 12/18/19, 23:19, "Y Song" <ys114321@gmail.com> wrote:
>
> > Added cc to bpf@vger.kernel.org.
>
> Thank you, I will remember to do this next time.
>
> > Have you tried your patch with some bpf programs? verifier and jit put some
> > restrictions on unpriv programs. To truely test the program, most if not all these
> > restrictions should be lifted, so the same tested program should be able to
> > run on production server and vice verse.
>
> Agreed, I am aware of some of these differences in the load/verifier behavior with and without
> CAP_SYS_ADMIN. In particular, without CAP_SYS_ADMIN programs are still restricted to 4k, some helpers are not available (spin locks, trace printk) and there are some differences in context access checks.
>
> I think these can be addressed incrementally, assuming folk are on board with this approach in general?
What about CAP_BPF? IIRC, there are also other issues e.g. you could abuse
the test interface as a packet generator (bpf_clone_redirect) which is not
something fully unpriv should be doing.
Thanks,
Daniel
next prev parent reply other threads:[~2019-12-19 15:47 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-12-19 1:36 [RFC PATCH bpf-next 0/2] unprivileged BPF_PROG_TEST_RUN Edwin Peer
2019-12-19 1:36 ` [RFC PATCH bpf-next 2/2] bpf: relax CAP_SYS_ADMIN requirement for BPF_PROG_TEST_RUN Edwin Peer
2019-12-19 1:36 ` [RFC PATCH bpf-next 1/2] bpf: defer capability checks until program attach Edwin Peer
2019-12-19 7:19 ` [RFC PATCH bpf-next 0/2] unprivileged BPF_PROG_TEST_RUN Y Song
2019-12-19 14:50 ` Edwin Peer
2019-12-19 15:47 ` Daniel Borkmann [this message]
2019-12-19 17:05 ` Edwin Peer
2019-12-19 19:26 ` Alexei Starovoitov
2019-12-19 20:06 ` Edwin Peer
2019-12-19 21:52 ` Alexei Starovoitov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20191219154704.GC4198@linux-9.fritz.box \
--to=daniel@iogearbox.net \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=epeer@juniper.net \
--cc=netdev@vger.kernel.org \
--cc=ys114321@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.