From: Edwin Peer <epeer@juniper.net>
To: Alexei Starovoitov <alexei.starovoitov@gmail.com>
Cc: Daniel Borkmann <daniel@iogearbox.net>,
Y Song <ys114321@gmail.com>,
"netdev@vger.kernel.org" <netdev@vger.kernel.org>,
"ast@kernel.org" <ast@kernel.org>, bpf <bpf@vger.kernel.org>
Subject: Re: [RFC PATCH bpf-next 0/2] unprivileged BPF_PROG_TEST_RUN
Date: Thu, 19 Dec 2019 20:06:21 +0000 [thread overview]
Message-ID: <9A7BE6FA-92FD-411F-BF8C-80484F1B0FBA@juniper.net> (raw)
In-Reply-To: <20191219192645.5tbvxlhuugstokxf@ast-mbp.dhcp.thefacebook.com>
On 12/19/19, 11:26, "Alexei Starovoitov" <alexei.starovoitov@gmail.com> wrote:
> On Thu, Dec 19, 2019 at 05:05:42PM +0000, Edwin Peer wrote:
>> On 12/19/19, 07:47, "Daniel Borkmann" <daniel@iogearbox.net> wrote:
>>
>> > What about CAP_BPF?
>>
>> What is the status of this? It might solve some of the problems, but it is still puts testing
>> BPF outside reach of normal users.
>
> why?
> I think CAP_BPF is solving exactly what you're trying to achieve.
I'm trying to provide access to BPF testing infrastructure for unprivileged
users (assuming it can be done in a safe way, which I'm as yet unsure of).
CAP_BPF is not the same thing, because at least some kind of root
intervention is required to attain CAP_BPF in the first place.
> Whether bpf_clone_redirect() is such helper is still tbd. Unpriv user can flood netdevs
> without any bpf.
True, but presumably such would still be subject to administrator
controlled QoS and firewall policy? Also unprivileged users presumably
can't create arbitrary packets coming from spoofed IPs / MACs, which I
believe requires CAP_NET_RAW?
>> Are there other helpers of concern that come immediately to mind? A first stab might
>> add these to the list in the verifier that require privilege. This has the drawback that
>> programs that actually need this kind of functionality are beyond the test framework.
>
> So far majority of programs require root-only verifier features. The programs are
> getting more complex and benefit the most from testing. Relaxing test_run for unpriv
> progs is imo very narrow use case. I'd rather use CAP_BPF.
The more elaborate proposal called for mocking these aspects for
testing, which could conceivably resolve this? That said, I see an
incremental path to this, adding such as needed. The narrowness
of the use case really depends on exactly what you're trying to do.
Something in XDP, for example, has very little kernel dependencies
(possibly none that would be affected here) and represents an entire
class of use cases that could have unprivileged testing be supported.
Regards,
Edwin Peer
next prev parent reply other threads:[~2019-12-19 21:18 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20191219013534.125342-1-epeer@juniper.net>
2019-12-19 7:19 ` [RFC PATCH bpf-next 0/2] unprivileged BPF_PROG_TEST_RUN Y Song
2019-12-19 14:50 ` Edwin Peer
2019-12-19 15:47 ` Daniel Borkmann
2019-12-19 17:05 ` Edwin Peer
2019-12-19 19:26 ` Alexei Starovoitov
2019-12-19 20:06 ` Edwin Peer [this message]
2019-12-19 21:52 ` Alexei Starovoitov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=9A7BE6FA-92FD-411F-BF8C-80484F1B0FBA@juniper.net \
--to=epeer@juniper.net \
--cc=alexei.starovoitov@gmail.com \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=netdev@vger.kernel.org \
--cc=ys114321@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox