From: Daniel Borkmann <daniel@iogearbox.net>
To: Alexei Starovoitov <ast@plumgrid.com>,
	Hannes Frederic Sowa <hannes@stressinduktion.org>,
	"David S. Miller" <davem@davemloft.net>
Cc: Andy Lutomirski <luto@amacapital.net>,
	Ingo Molnar <mingo@kernel.org>,
	Eric Dumazet <edumazet@google.com>,
	Kees Cook <keescook@chromium.org>,
	linux-api@vger.kernel.org, netdev@vger.kernel.org,
	linux-kernel@vger.kernel.org
Subject: Re: [PATCH v2 net-next 1/3] bpf: enable non-root eBPF programs
Date: Fri, 09 Oct 2015 19:45:00 +0200
Message-ID: <5617FD1C.2030702@iogearbox.net>
In-Reply-To: <5617F9C9.10407@plumgrid.com>

On 10/09/2015 07:30 PM, Alexei Starovoitov wrote:
...
> Openstack use case is different. There it will be prog_type_sched_cls
> that can mangle packets, change skb metadata, etc under TC framework.
> These are not suitable for all users and this patch leaves
> them root-only. If you're proposing to add CAP_BPF_TC to let containers
> use them without being CAP_SYS_ADMIN, then I agree, it is useful, but
> needs a lot more safety analysis on tc side.

Well, I think if so, then this would need to be something generic for
tc instead of being specific to a single (out of various) entities
inside the tc framework, but I currently doubt that this makes much
sense. If we allow to operate already at that level, then restricting
to CAP_SYS_ADMIN makes more sense in that specific context/subsys to me.

Best,
Daniel
