From: Alexei Starovoitov <ast@plumgrid.com>
To: Daniel Borkmann <daniel@iogearbox.net>,
Hannes Frederic Sowa <hannes@stressinduktion.org>,
"David S. Miller" <davem@davemloft.net>
Cc: Andy Lutomirski <luto@amacapital.net>,
Ingo Molnar <mingo@kernel.org>,
Eric Dumazet <edumazet@google.com>,
Kees Cook <keescook@chromium.org>,
linux-api@vger.kernel.org, netdev@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH v2 net-next 1/3] bpf: enable non-root eBPF programs
Date: Fri, 9 Oct 2015 10:59:23 -0700
Message-ID: <5618007B.70907@plumgrid.com>
In-Reply-To: <5617FD1C.2030702@iogearbox.net>
On 10/9/15 10:45 AM, Daniel Borkmann wrote:
> On 10/09/2015 07:30 PM, Alexei Starovoitov wrote:
> ...
>> Openstack use case is different. There it will be prog_type_sched_cls
>> that can mangle packets, change skb metadata, etc under TC framework.
>> These are not suitable for all users and this patch leaves
>> them root-only. If you're proposing to add CAP_BPF_TC to let containers
>> use them without being CAP_SYS_ADMIN, then I agree, it is useful, but
>> needs a lot more safety analysis on tc side.
>
> Well, I think if so, then this would need to be something generic for
> tc instead of being specific to a single (out of various) entities
> inside the tc framework, but I currently doubt that this makes much
> sense. If we allow to operate already at that level, then restricting
> to CAP_SYS_ADMIN makes more sense in that specific context/subsys to me.
Let me rephrase. I think it would be useful, but I have my doubts that
it's manageable, since analyzing dark corners of TC is not trivial.
Probably easier to allow prog_type_sched_cls/act under CAP_NET_ADMIN
and grant that to trusted apps. Though only a tiny bit better than
requiring CAP_SYS_ADMIN.